Velocity Reviews - Computer Hardware Reviews



PIX versus Software based Firewalls.

meme
      07-02-2004
Was thinking about this last night: what's the advantage of running PIX
instead of Unix firewalls?

PIX
- Hardware based (faster)
- Reliability (OS config isn't left up to you, so less chance of a crash)

Those are the only advantages that I can come up with.

On the downside it would be -
- Expensive
- Not as configurable, and upgradable.
- License limits concurrent VPN connections?


paul blitz
      07-02-2004
> Was thinking about this last night: what's the advantage of running PIX
> instead of Unix firewalls?
>
> PIX
> - Hardware based (faster)
> - Reliability (OS config isn't left up to you, so less chance of a crash)


How about: "designed as a firewall, with security in mind"? Unix is a good
OS, but it is still a "general" OS.

Depends how paranoid you wish to be, I guess!

> On the downside it would be -
> - Expensive


as are many "professional" solutions

> - Not as configurable, and upgradable.

In what way? OK, as a firewall, you can't also use it as a router, mail
server, DNS etc. But do you REALLY want a *firewall* to do those things?

just my 5c

Paul

Paul S. Brown
      07-02-2004
paul blitz wrote:

>> Was thinking about this last night: what's the advantage of running PIX
>> instead of Unix firewalls?
>>
>> PIX
>> - Hardware based (faster)
>> - Reliability (OS config isn't left up to you, so less chance of a crash)
>
> How about: "designed as a firewall, with security in mind"? Unix is a good
> OS, but it is still a "general" OS.
>
> Depends how paranoid you wish to be, I guess!
>
>> On the downside it would be -
>> - Expensive
>
> as are many "professional" solutions
>
>> - Not as configurable, and upgradable.
>
> In what way? OK, as a firewall, you can't also use it as a router, mail
> server, DNS etc. But do you REALLY want a *firewall* to do those things?
>

Sometimes, yes. It depends on the firewall methodology you want to use.

You have three basic choices:

1) Packet filter - basic IOS ACLs. No in-depth inspection, no particular
protection from exploits against a permitted protocol.

2) Stateful inspection - what a PIX does - permitted protocols are inspected
on the way through and more intelligence is applied to where they go.
Somewhat better than packet filtering.

3) Bastion host. Terminates all connections itself and then re-originates
the connection outbound. In this case your firewall will be an SMTP
server, as it will accept mail and then forward it in the appropriate
direction. This approach can theoretically completely eliminate protocol
exploits against internal hosts. Normally runs a series of proxy servers -
TIS Gauntlet and (a long while ago) the ANS Interlock.

P.
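The three methodologies Paul lists, as an added simulation on constructed packets. This is illustration code written for this page, not code from the thread, from Cisco, or from any product named above; the addresses, ports, inside prefix and the SMTP command set are assumptions for the example. It shows the concrete difference between them: an IOS-style ACL with the "established" keyword only checks the ACK/RST bits, so a spoofed inbound ACK from source port 80 gets through; a stateful connection table admits the same packet only if the inside host actually opened that flow; and an application proxy parses each SMTP command and re-originates only well-formed ones, so an oversized or unknown command never reaches the internal mail host.

```python
"""Stateless ACL vs. stateful inspection vs. application proxy.
Added illustration for this thread; all hosts, ports and rules are made up."""
from dataclasses import dataclass, field

INSIDE_NET = "10.1.0."  # assumed internal prefix for the example


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


# 1) Stateless packet filter (IOS-style ACL applied to inbound traffic).
# To let replies to outbound web sessions back in, the classic rule is
# "permit tcp any eq 80 <inside> established", and "established" only
# tests that ACK or RST is set. The filter never knows whether a session
# exists, so a crafted ACK from port 80 to any inside port is permitted.
def packet_filter_inbound(pkt: Packet) -> bool:
    if pkt.dport == 25 and is_inside(pkt.dst):          # permit tcp any any eq smtp
        return True
    if pkt.sport == 80 and is_inside(pkt.dst) and pkt.ack:  # "established"
        return True
    return False


# 2) Stateful inspection: a connection table populated by outbound SYNs.
# Inbound packets are admitted only if they belong to a flow the inside
# opened (or are a fresh SYN to the one published service).
@dataclass
class StatefulFirewall:
    conns: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> bool:
        if pkt.syn and not pkt.ack:
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        if pkt.dport == 25 and is_inside(pkt.dst) and pkt.syn and not pkt.ack:
            return True
        # A reply must match an existing flow with the tuple reversed.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns


# 3) Bastion host / application proxy: the firewall *is* the SMTP server.
# It parses each command and re-originates only well-formed, known verbs
# to the real mail host; anything else is rejected at the bastion.
SMTP_ALLOWED = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP", b"QUIT"}
MAX_LINE = 512  # RFC 5321 command-line limit, including CRLF


def smtp_proxy_forward(line: bytes):
    """Return the sanitized command to re-originate, or None to reject."""
    if len(line) > MAX_LINE or not line.endswith(b"\r\n"):
        return None
    body = line[:-2]
    if not body.isascii() or any(c < 0x20 for c in body):
        return None
    verb = body.split(b" ", 1)[0].upper()
    if verb not in SMTP_ALLOWED:
        return None
    return verb + body[len(verb):] + b"\r\n"


def demo() -> dict:
    """Run the same crafted traffic through all three designs."""
    spoofed = Packet("198.51.100.7", 80, "10.1.0.50", 139, ack=True)
    fw = StatefulFirewall()
    fw.outbound(Packet("10.1.0.50", 40000, "203.0.113.9", 80, syn=True))
    legit_reply = Packet("203.0.113.9", 80, "10.1.0.50", 40000, syn=True, ack=True)
    return {
        "acl_spoofed": packet_filter_inbound(spoofed),   # ACL fooled: True
        "stateful_spoofed": fw.inbound(spoofed),         # no such flow: False
        "stateful_reply": fw.inbound(legit_reply),       # matches flow: True
        "proxy_good": smtp_proxy_forward(b"mail FROM:<a@example.com>\r\n"),
        "proxy_bad": smtp_proxy_forward(b"MAIL FROM:<" + b"A" * 600 + b">\r\n"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The spoofed ACK case is the reason an nmap ACK scan can tell a stateless filter from a stateful one: the ACL answers for closed inside ports, the connection table silently drops the probe. The proxy tier is also why Paul says a bastion "will be an SMTP server": it has to speak the protocol to decide what to forward.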
Hugo Drax
      07-07-2004

"meme" <(E-Mail Removed)> wrote in message
news:cc2c7l$pfq$(E-Mail Removed)...
> Was thinking about this last night: what's the advantage of running PIX
> instead of Unix firewalls?
>
> PIX
> - Hardware based (faster)
> - Reliability (OS config isn't left up to you, so less chance of a crash)
>
> Those are the only advantages that I can come up with.
>
> On the downside it would be -
> - Expensive
> - Not as configurable, and upgradable.
> - License limits concurrent VPN connections?
>

Is it really more expensive? Let's see: example office with 150 workstations
and a T1 line.

A PIX 506e would cost 960 dollars on the street, is practically plug and
play when using the PDM wizard, and you can be up and running quickly.

(The 506e falls within the price of a business desktop.)

The cheapest Dell desktop is 400 dollars, and then you still need the network
card, an additional 40 bucks, so the total is now 440.

Now you have this box with 2 NICs and no firewall abilities yet; now
you need to download ISOs and spend time installing and configuring the box
to be a firewall, and then all the time learning how to make it work and
hoping it is configured securely and hoping that the FW software
(IPCHAINS/IPTABLES etc.) provides enough application inspection capability
to permit seamless passthrough of different flavors of H.323, SQL etc., and
then what about extensive logging? Finally, you always have to worry about
new updates to the base OS and associated firewall and hoping nothing
breaks.

It's not worth the minimal, if any, savings (and long-term higher cost of
ownership) of using the "free" FW software.

Sorry, but I would never run a business on a hacked firewall running on a
desktop PC.

If you cannot afford the 960 bucks for a proper firewall then you need to
look at your business process because something is wrong; maybe cut one of
the 1000 dollar leather chairs from the budget etc.
