On Sat, Nov 28, 2009 at 1:41 PM, Brielle Bruns <br...@2mbit.com> wrote:
> My partner Tammy says a PIX could probably accomplish the same task (we have
> some here for the corp lan stuff, including spares).

Yes, a PIX/ASA would stop this cold. The TCP state tracking would not allow traffic to pass unless the whole 3-way handshake was observed by the box. Only recently did Cisco add features to make tracking the TCP connection state optional.
(http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf)

The larger ASA-5580 machines can be virtualized into dozens (or more) security contexts as needed. I imagine it would take some effort to figure out how to cleanly integrate such a configuration into a POP.

--D
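As an added illustration of the stateful check described in the reply above (example code written for this page, not from the thread or from Cisco): a toy TCP connection tracker that passes packets only for flows whose full SYN / SYN-ACK / ACK handshake it observed, and drops mid-stream segments or stray SYN-ACKs for flows it never saw. The `bypass` switch stands in for turning state tracking off, as the linked TCP state bypass document allows; the state names, the sample addresses and the packet sequences are constructed for the example, and the model omits sequence-number checking and timeouts that a real PIX/ASA performs.

```python
"""Toy model of a stateful TCP filter: pass only flows whose 3-way handshake was seen."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


FlowKey = Tuple[str, int, str, int]   # (initiator, its port, responder, its port)


class StatefulFilter:
    """Hypothetical tracker; states are SYN_SENT -> SYN_RECEIVED -> ESTABLISHED."""

    def __init__(self, bypass: bool = False) -> None:
        self.bypass = bypass          # True models TCP state tracking switched off
        self.flows: Dict[FlowKey, str] = {}

    @staticmethod
    def _fwd(p: Packet) -> FlowKey:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p: Packet) -> FlowKey:
        return (p.dst, p.dport, p.src, p.sport)

    def _lookup(self, p: Packet) -> Tuple[Optional[FlowKey], Optional[str]]:
        """Find the tracked flow this packet belongs to, in either direction."""
        for key in (self._fwd(p), self._rev(p)):
            if key in self.flows:
                return key, self.flows[key]
        return None, None

    def process(self, p: Packet) -> str:
        if self.bypass:
            return "PASS"             # no state check at all: every packet forwarded

        key, state = self._lookup(p)
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)

        if p.flags & (RST | FIN):
            # Tear-down is honoured only for a flow we are tracking
            if key is None:
                return "DROP"
            self.flows.pop(key)
            return "PASS"

        if syn and not ack:
            # New connection attempt from the initiator: start tracking it
            self.flows[self._fwd(p)] = "SYN_SENT"
            return "PASS"

        if syn and ack:
            # A SYN-ACK must answer a SYN we saw and travel responder -> initiator
            if key == self._rev(p) and state == "SYN_SENT":
                self.flows[key] = "SYN_RECEIVED"
                return "PASS"
            return "DROP"

        if ack:
            if key == self._fwd(p) and state == "SYN_RECEIVED":
                self.flows[key] = "ESTABLISHED"   # handshake complete
                return "PASS"
            if state == "ESTABLISHED":
                return "PASS"
            # ACK/PSH for a flow with no observed handshake: this is what
            # asymmetrically routed traffic or a spoofed ACK flood looks like
            return "DROP"

        return "DROP"


def run(packets: List[Packet], bypass: bool = False) -> List[str]:
    """Feed packets through one filter instance and return per-packet verdicts."""
    f = StatefulFilter(bypass=bypass)
    return [f.process(p) for p in packets]


# Constructed sample traffic (documentation/private ranges, not real hosts)
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
HANDSHAKE = [
    Packet(CLIENT, 40000, SERVER, 80, SYN),
    Packet(SERVER, 80, CLIENT, 40000, SYN | ACK),
    Packet(CLIENT, 40000, SERVER, 80, ACK),
    Packet(CLIENT, 40000, SERVER, 80, ACK | PSH),   # first data segment
    Packet(SERVER, 80, CLIENT, 40000, ACK | PSH),   # reply data
]
MIDSTREAM = [Packet(CLIENT, 40001, SERVER, 80, ACK | PSH)]     # no handshake seen
STRAY_SYNACK = [Packet(SERVER, 80, CLIENT, 40002, SYN | ACK)]  # no SYN preceded it

if __name__ == "__main__":
    print("handshake    :", run(HANDSHAKE))
    print("mid-stream   :", run(MIDSTREAM), "with bypass:", run(MIDSTREAM, bypass=True))
    print("stray SYN-ACK:", run(STRAY_SYNACK))
```

With tracking on, the complete handshake and its data pass while the mid-stream segment and the unsolicited SYN-ACK are dropped; with `bypass=True` everything passes, which is the trade-off the optional state-bypass feature introduces: it admits asymmetric flows at the cost of the handshake check.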