Check out this post from the Windows Vista Team Blog for more information…
Archives for March 2008
Cisco IOS routers have a new firewall configuration method. OK, so it's not so new (Feb 2006), but I tend to let drastic new technologies like this “cook” for a while before I’ll partake. Plus, I finally got a handle on the Inspect/CBAC way of doing things! BTW, the “old” method is now called the IOS Classic Firewall 😉
The new method is called Zone Based Firewall, or Zone Based Policy Firewall if you want, and definitely improves the simplicity of configuring a firewall policy.
If you’re used to working with the PIX/ASA firewalls, the learning curve is not as steep, because they also work off the concept of zones.
This document shows a very simple example of what the new ZBF configuration looks like. It also provides some performance numbers, but what is absent is a performance comparison against the previous Inspect/CBAC method.
That all being said, SDM 2.5 builds ZBF configurations by default. If you have an existing Inspect/CBAC configuration, however, SDM will continue to support it (at least for now).
I’ll be honest, when I first saw SDM build a ZBF firewall configuration I immediately pulled it out, put in my own Inspect/CBAC configuration, and then went on happily.
But times are changing, and if you need to firewall more than two interfaces, with varying degrees of lock-down, the ZBF truly looks like the way to go. Managing multiple ACLs and Inspect/CBAC configurations gets really tedious after a while, which makes it easy to screw something up inadvertently.
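To make the multi-interface case concrete, here is a three-zone ZBF configuration added as an illustration; it is not taken from the Cisco document or generated by SDM. The zone, class-map, policy-map and interface names are assumptions, and 192.0.2.10 is a documentation address standing in for a DMZ web server.

```cisco
! Constructed example: all names and interface numbers are assumptions.
zone security INSIDE
zone security OUTSIDE
zone security DMZ
!
! Protocols that inside hosts may originate
class-map type inspect match-any CM-INSIDE-OUT
 match protocol dns
 match protocol http
 match protocol https
 match protocol icmp
!
! Only HTTP, and only to the DMZ web server (documentation address)
ip access-list extended ACL-DMZ-WEB
 permit ip any host 192.0.2.10
class-map type inspect match-all CM-OUTSIDE-DMZ-WEB
 match access-group name ACL-DMZ-WEB
 match protocol http
!
policy-map type inspect PM-INSIDE-OUT
 class type inspect CM-INSIDE-OUT
  inspect
 class class-default
  drop log
!
policy-map type inspect PM-OUTSIDE-DMZ
 class type inspect CM-OUTSIDE-DMZ-WEB
  inspect
 class class-default
  drop log
!
! One zone-pair per permitted direction; return traffic is handled by inspect
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUT
zone-pair security ZP-INSIDE-DMZ source INSIDE destination DMZ
 service-policy type inspect PM-INSIDE-OUT
zone-pair security ZP-OUTSIDE-DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM-OUTSIDE-DMZ
!
interface FastEthernet0/0
 zone-member security OUTSIDE
interface FastEthernet0/1
 zone-member security INSIDE
interface FastEthernet0/2
 zone-member security DMZ
```

No zone-pair is defined from OUTSIDE or DMZ toward INSIDE, so connections initiated in those directions are dropped by default; that is the "varying degrees of lock-down" expressed without per-interface ACL and inspect rule pairs.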
Here are a few other overview links to get you started:
Excerpt from Microsoft.com:
… By having two types of Windows CALs, you are able to use the model that makes sense for your organization. For example, purchasing a Windows User CAL might make more sense if your company has a need for employees to have roaming access using multiple devices. Windows Device CALs may make more sense if your company has multiple-shift workers who share devices. Similarly, Terminal Server (TS) will offer both device-based and user-based CALs: TS Device CAL and TS User CAL.
In summary: User CAL (Unlimited Devices under One User), Device CAL (Unlimited Users under One Device).
As of this posting date, the per-CAL MSRP for both types of CALs is the same.