Hi, Darren,

> So what you're really comparing is the default configuration
> of packet based firewalls with proxy based firewalls.

Well, yes.

When engaged in selling Secure Computing gear, I always
put an emphasis on the "more reasonable default configuration"
and the fact that it's more complicated if not impossible to do
something stupid by accident.
I also take my time to carefully explain the concept of egress

E.g. does PIX still have these implied rules that say: if I
configure port X from here to there, this automatically implies
the same access to all interfaces with a lower security level than
'there'? This is the case in 6.x - now, whoever at Cisco came
up with this concept should be shot.

I have not looked at 7.x or ASA, yet.

Kind regards,

Patrick M. Hausen
Leiter Netzwerke und Sicherheit

P.S. I know that PIX access lists do not implement stupid things like
the above, but PIX Device Manager does. Now, which is a customer
with limited time and knowledge more likely to use?
-- =

punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@punkt.de http://www.punkt.de
Gf: J=FCrgen Egeling AG Mannheim 108285
firewall-wizards mailing list