Why do I need a PIX when I have a Cisco router??

I can put access-list on my routers to deny traffic that I don't want
i can configure NAT on my router
I can install a wireless module in my router
I can setup an IPSEC/VPN on my cisco router with cisco vpn client authentication
i can deploy any routing protocol that I want on my cisco router!

So my question is why do I need a PIX? I want to start playing with a PIX but I want to find good reasons why I need it.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

dtlokee

If your're running the IOS firewall they will have lots in common between the features, but a PIX with a current operating system will have benefits to the way it handles traffic inbound and outbound in the way it prevents unwanted inbound traffic down to tracking the sequence numbers in a TCP connection (which a static access list can't do). Also depending on the router model the PIX may provide far more performance than the router which may not be needed if you have somthing like a t-1

nice343

my router is a 3745 with an advanced security ios 12.4

Ahriakin

Stateful firewalling reduces administration, reduces risk through incorrect configuration and increases efficiency (once a stateful connection is made it is no longer processed by the ACL's which depending on your environment and amount of ACEs can be a major performance saver). Also more sophisticated protocols that open new ports dynamically from the target need application layer inspection tied into the stateful functions or dynamic ACE's to keep working, static ACL's can't hack it and even if your IOS has some inspection capabilities they will not be as efficient as those of a dedicated firewall.

Mishra

Doesn't a PIX have built in intrusion blocking techniques like you can't DoS a PIX and other things like that?

Also you could think of the firewall as the first hop and the security device. After things get filtered through the PIX THEN they hit your router which has the gateway to your internal network. This prevents unwanted intrusive traffic from hitting the router which is more sensitive than the pix from a security stand point.

Pash

Overhead is a massive factor also, let the PIX deal with the secuirty algorthims and let the routers deal with.....routing.