Recently we started working with a client that had been advised by another consulting firm that one of the newer Cisco routers, specifically an 1841 Series model, would be better than a Cisco PIX for their firewall and VPN requirements.
Why would a Cisco router be better for a firewall and VPN application than a device, like a PIX, that was designed as a firewall from the beginning? Our client had no details on why one was better than the other—just a recommendation from another consulting firm without much explanation. There is plenty of information on the web about Cisco’s newer routers and how they compare to dedicated firewall units, like Cisco’s well-established PIX range.
Which device would be a better choice for your company?
If you are like most IT managers we work with, you might run some quick Yahoo! searches looking for a short breakdown that explains the differences between the two ranges. Unless you have some very specific ideas figured out ahead of time about what’s important to you when comparing the model types, you are likely to be overwhelmed by the usual problem of “too much information.”
Here’s a tip… If you are working with a consultant, ask them to explain themselves in terms that you feel comfortable with. A short written explanation is best because it forces a consultant to sit down and organize his ideas perhaps more carefully than a quick verbal discussion might allow.
You shouldn’t spend money on, or accept, recommendations that you don’t have at least a basic understanding of. Very often, when technical issues go wrong, hindsight makes it painfully clear which misunderstandings should have been cleared up early in the project. Those misunderstandings usually stem from following recommendations or project paths that were poorly explained at the very start.
Of course, it’s not always appropriate to ask a consultant for a detailed explanation of everything, as that can be an expensive practice that has the potential to slow down progress. Still, if you don’t feel that your consultant explains himself well, on a level that you can understand, you might need to find a better consultant.
Chances are good that if you routinely don’t understand your consultant’s recommendations, or if very little supporting detail is provided with them, then a misunderstanding and unnecessary trouble are on the way.
So, back to the Cisco router vs PIX discussion…
Our consultant, David Madole, wrote a very thoughtful and concise explanation of the differences between the Cisco ISR series routers and the PIX range. I think it’s one of the best high-altitude explanations I have seen of the differences between these product lines.
I think David’s explanation helped our client get pointed in the right direction—and it is typical of the way that we try to explain our technology recommendations to our clients.
David’s message to our client follows:
For the last few years Cisco has been working on converging the firewall feature sets of their router and firewall products. I would guess that at this point they are probably something like 80% complete, covering the most commonly used features on either platform. In that sense, <other consulting firm> is correct: either will probably work fine for what you need to accomplish (which I say without knowing all the details of what you might have planned).
However, the products take a different approach to security. The PIX was developed as a firewall product, that is, something to block traffic. The routers were designed as a routing product, that is, something to pass traffic. That basic core functionality is still true. A PIX pretty much out of the box will be completely secure; a router out of the box will be completely insecure. The PIX premise is to block everything that you do not allow; the router premise is to allow everything that you do not block.
That said, the PIX is somewhat easier to configure as a firewall than a router is, and less prone to dangerous configuration errors than a router. You can certainly shoot yourself in the foot with either product, but it’s a bit harder with the PIX. Because the PIX was designed as a firewall, it also has a higher capacity in terms of the amount of traffic that it can handle compared to a similarly priced router.
I’m having a hard time imagining any sense in which the 1841 would make a better firewall than the PIX as your other consultants said. You could argue that it would be as good, or maybe you could say it’s better just because you could get by with one box instead of two. But feature-wise, it’s not a superior firewall.
David
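To make the two premises in David’s message concrete, here is an added illustration (not part of David’s message or the original post) of an outside interface on an IOS router beside the equivalent on a PIX running 7.x syntax. The interface names and the 203.0.113.2 / 192.168.1.1 addresses are constructed placeholders.

```cisco
! --- IOS router (e.g. an 1841): allow everything you do not block ---
! With no access list applied, the outside interface forwards every
! packet it receives; nothing is filtered by default.
interface FastEthernet0/0
 description Outside (constructed example address, RFC 5737 range)
 ip address 203.0.113.2 255.255.255.252
!
! Firewall behaviour only appears once you add an inbound ACL yourself.
! IOS ACLs end with an implicit "deny ip any any"; the explicit deny
! below merely adds logging for the packets that are dropped.
! The permits shown are what a site-to-site VPN terminating on the
! router itself would need (IKE on UDP/500 and ESP).
ip access-list extended OUTSIDE-IN
 permit udp any host 203.0.113.2 eq isakmp
 permit esp any host 203.0.113.2
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in

! --- PIX (7.x syntax): block everything you do not allow ---
! Every interface carries a security level. Connections initiated from
! a lower level (outside, 0) toward a higher level (inside, 100) are
! dropped until an access list explicitly permits them, so forgetting
! the ACL leaves the box closed rather than open.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Opening a single hole is a deliberate, visible act:
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.2 eq https
access-group OUTSIDE-IN in interface outside
```

The practical difference for an administrator is which mistake is cheap: on the router, omitting a line exposes a service, while on the PIX, omitting a line breaks a service and gets noticed.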
Our client ultimately chose to go with a PIX firewall for their application, which we set up for them.
If your consultants can’t or won’t explain themselves to you in terms that you understand, then it might be time to find a different consultant.