
Linux Vs. PIX


StarTAC

ISP
Jun 23, 2000
Hi all...

I would like to know the key differences between installing a Linux firewall and installing a Cisco PIX firewall...

The main areas of contrast I would like a suggestion on are:

o cost
o reliability
o feature set
o scalability
o total cost of ownership

Any extra piece of information is very welcome..

All help appreciated..
 
In fact, there are different kinds of Cisco Pix:
Pix 506.
Pix 515.
Pix 525.
Pix 535.

The Cisco Pix is easy to configure. It offers some possibilities for fault tolerance and disaster recovery. For example, if you buy two with a failover licence, your two Pix will work in active-passive mode, one master and one slave. I think, but I'm not sure, that Cisco now makes an active-active mode. If you have heard something about it, just tell me.

When the master fails, the slave will become the master.
Be careful: I don't think the Pix is a stateful firewall. I mean that if the master fails, all the users connected through the Pix will be disconnected.

As I remember, the Pix operates at layer 5.
Depending on the licence you buy, you can have more than 3 interfaces, VPN and failover.

If you buy a restricted licence, you will have at most 3 interfaces, no VPN and no failover.

An advantage of the Pix is that it doesn't have any hard drive. No trojan can be uploaded onto it.

I'm trying to build an ipfilter firewall with Linux Slackware 8.1 on a Compaq DL380.

As I see it, ipfilter offers many very interesting features, but it's pretty hard to configure unless you have time. You can define source and destination NAT, check TCP flags, filter on the source MAC address, block ports. It's very interesting.

If you are looking for a firewall for your enterprise, both are good, but ipfilter has no support other than the Internet. If there is a security problem on the Pix, Cisco will give you the patch. You will regularly have a new Pix IOS that you can download and upgrade your Pix with, without recompiling anything.

For the cost, Linux is cheaper.

At least, you should use a Cisco Pix in front and the Linux firewall behind. This architecture is very secure as long as your filter rules are good.

Best regards,

Ultrix.
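Ultrix lists source and destination NAT, TCP-flag checks, source-MAC filtering and port blocking as the features a Linux firewall gives you. As an added example (not code from the thread or from any poster), here is what those four features look like as one stateful netfilter/iptables ruleset, the Linux 2.4 toolset the later replies refer to; the interface names, addresses and the admin MAC are assumptions, chosen from RFC 5737 and RFC 1918 ranges.

```shell
#!/bin/sh
# Added example, not code from the thread. A minimal stateful netfilter/iptables
# ruleset covering the features Ultrix lists: source and destination NAT,
# TCP-flag checks, source-MAC filtering and port blocking.
# Interfaces, addresses and the MAC are assumptions (RFC 5737 / RFC 1918 ranges).
WAN=eth0
LAN=eth1
WAN_IP=203.0.113.10
LAN_NET=192.168.1.0/24
WEB_SRV=192.168.1.80
ADMIN_MAC=00:11:22:33:44:55
# Emit the rules instead of applying them, so the set can be reviewed
# (or piped to sh as root) without touching a live kernel.
gen_rules() {
  cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# stateful core: accept replies, drop what conntrack cannot account for
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# TCP-flag sanity: impossible flag combinations and new connections without SYN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# source-MAC filter: SSH to the firewall only from the admin workstation on the LAN
iptables -A INPUT -i $LAN -p tcp --dport 22 -m mac --mac-source $ADMIN_MAC -m state --state NEW -j ACCEPT
# port blocking: SMB/NetBIOS never leaves the LAN
iptables -A FORWARD -i $LAN -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A FORWARD -i $LAN -p udp -m multiport --dports 137,138 -j DROP
# outbound LAN traffic, source-NATed to the firewall's WAN address
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j SNAT --to-source $WAN_IP
# destination NAT: publish the internal web server on the WAN address, port 80
iptables -t nat -A PREROUTING -i $WAN -p tcp -d $WAN_IP --dport 80 -j DNAT --to-destination $WEB_SRV:80
iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $WEB_SRV --dport 80 -m state --state NEW -j ACCEPT
EOF
}
# Number of iptables commands in the generated set (comment lines excluded).
count_rules() { gen_rules | grep -c '^iptables'; }
# Apply only when asked for explicitly; must run as root on the firewall host.
if [ "${1:-}" = "--apply" ]; then gen_rules | sh; fi
```

Run it without arguments to print the set for review; the `-m state` match is the form that shipped with the 2.4 kernels of the Slackware 8.1 era and still works on current kernels.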
 
Netfilter is a lot more customizable than a Pix. Yet it does have a learning curve (read: it's quicker to get a Pix going than to learn Netfilter). However, if you stick it out and become a Netfilter Ninja, I think you could firewall circles around a Pix.

Not to dis Cisco or the Pix of course; it's a great product, but it's a lot easier to do a Netfilter box "your way". Heck, you can alter your Netfilter box's TCP stack so an OS probe thinks you run Windows 95, while the Cisco stack is locked away from you.

Redundant Netfilter boxes can be done with another Pentium 233 box and some clever scripting. The cost is pocket scrapings compared to the some $20k you'll spend on two licensed Pixes (with redundant license, Smartnet... etc).

Pix can do VPN, HTTP referring, crypto and loads of other things I can't even remember out of the box (your license may vary). You'll have to install and learn each component you want on your Netfilter firewall. This isn't especially bad, but might not fit your job.

Depending on what your work environment is and who's on your security team, you might not be able to use Linux as a firewall. This is my current problem. You'll hear things like 'There's no commercial support for Linux' (which there is) or 'There's no commercial Linux firewall product' (we run one now, thank you) and countless others.

The problem is the Pix has the reputation of a huge established company and is a proven product.

Netfilter, while developed and supported by thousands(?) of people, doesn't really get recognized as a comparable product and is only as secure and tightly knit as the guy who installed it (same for a Pix, but I digress). Netfilter boxen can easily vary from company to company, so it's hard to rank it alongside something like a Pix. So if you're serious, then do your homework and be ready.

This probably isn't very helpful, but some food for thought at least.
 
I agree with Verland.... Linux can do everything the PIX can, at the cost of only time and learning....

I've had a look at all the features available on the PIX, and realised I have run all these at some point in my career... not necessarily on a single box, but yes, I have run all these before....

I guess, from a cost, licensing and scaling angle, Linux + iptables would fit the bill just fine..

Cheers all...
 
Of course, the same question in the Cisco forum might warrant an oppositely aimed barrage of replies. Your decision might be right, but to keep things interesting you might try posting there. Good luck with it all...
 