PIX versus Software based Firewalls.

Discussion in 'Cisco' started by meme, Jul 2, 2004.

  1. meme

    meme Guest

    Was thinking about this last night, what's the advantage of running PIX
    instead of unix firewalls?

    PIX
    - Hardware Based (Faster)
    - Reliability (OS config isn't left up to you, so less chance of crash)

    Those are the only advantages that I can come up with.

    On the downside it would be -
    - Expensive
    - Not as configurable, and upgradable.
    - License limits concurrent VPN connections?
     
    meme, Jul 2, 2004
    #1

  2. meme

    paul blitz Guest

    > Was thinking about this last night, what's the advantage of running PIX
    > instead of unix firewalls?
    >
    > PIX
    > - Hardware Based (Faster)
    > - Reliability (OS config isn't left up to you, so less chance of crash)


    How about: "designed as a firewall, with security in mind"? Unix is a good
    OS, but it is still a "general" OS.

    Depends how paranoid you wish to be, I guess!

    > On the downside it would be -
    > - Expensive


    as are many "professional" solutions

    > - Not as configurable, and upgradable.


    In what way.... ok, as a firewall, you can't also use it as a router, mail
    server, DNS etc. But do you REALLY want a *firewall* to do those things?

    just my 5c

    Paul
     
    paul blitz, Jul 2, 2004
    #2

  3. paul blitz wrote:

    >> Was thinking about this last night, what's the advantage of running PIX
    >> instead of unix firewalls?
    >>
    >> PIX
    >> - Hardware Based (Faster)
    >> - Reliability (OS config isn't left up to you, so less chance of crash)

    >
    > How about: "designed as a firewall, with security in mind"? Unix is a good
    > OS, but it is still a "general" OS.
    >
    > Depends how paranoid you wish to be, I guess!
    >
    >> On the downside it would be -
    >> - Expensive

    >
    > as are many "professional" solutions
    >
    >> - Not as configurable, and upgradable.

    >
    > In what way.... ok, as a firewall, you can't also use it as a router, mail
    > server, DNS etc. But do you REALLY want a *firewall* to do those things?
    >


    Sometimes, yes. It depends on the firewall methodology you want to use.

    You have three basic choices

    1) Packet Filter - basic IOS ACLs. No in-depth inspection, no particular
    protection from exploits against a permitted protocol.

    2) Stateful Inspection - What a PIX does - permitted protocols are inspected
    on the way through and more intelligence is applied to where they go.
    Somewhat better than packet filtering.

    3) Bastion host. Terminates all connections itself and then re-originates
    the connection outbound. In this case then your firewall will be an SMTP
    server as it will accept mail and then forward it to an appropriate
    direction. This approach can theoretically completely eliminate protocol
    exploits against internal hosts. Normally runs a series of proxy servers -
    TIS Gauntlet and (a long while ago) the ANS Interlock.

    P.
     
    Paul S. Brown, Jul 2, 2004
    #3
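
The difference between choices 1 and 2 in the post above, as an added example that is not part of the original thread: a packet filter judges each packet alone, while a stateful filter only admits inbound packets that answer a flow opened from the inside. This is a simplified model (no sequence numbers, timeouts or protocol inspection); the class names, rule set and addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags: "S" = SYN, "SA" = SYN+ACK, "A" = ACK
    inbound: bool   # True when the packet arrives on the outside interface

def packet_filter(pkt: Packet) -> bool:
    """Choice 1: every packet is judged alone, with no memory of earlier ones."""
    if not pkt.inbound:
        return pkt.dport == 80                   # inside hosts may reach web servers
    return pkt.sport == 80 and "A" in pkt.flags  # merely "looks like" a web reply

class StatefulFilter:
    """Choice 2: inbound packets must belong to a flow opened from the inside."""
    def __init__(self) -> None:
        self.flows = set()                       # (src, sport, dst, dport) tuples

    def check(self, pkt: Packet) -> bool:
        if pkt.inbound:
            # Reverse the tuple and look for the outbound flow it answers.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows
        if pkt.dport != 80:
            return False
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S":
            self.flows.add(key)                  # new outbound connection
        return key in self.flows

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    Packet("10.0.0.5", 40000, "198.51.100.7", 80, "S", False),   # client opens flow
    Packet("198.51.100.7", 80, "10.0.0.5", 40000, "SA", True),   # genuine reply
    Packet("203.0.113.9", 80, "10.0.0.8", 445, "A", True),       # answers no flow
]

def compare(packets):
    """Return (packet_filter verdict, stateful verdict) for each packet in order."""
    stateful = StatefulFilter()
    return [(packet_filter(p), stateful.check(p)) for p in packets]

if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, verdicts)
```

Only the third packet is treated differently: the packet filter passes it because its header fits the rule, and the stateful filter drops it because no inside host opened that flow.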
  4. meme

    Hugo Drax Guest

    "meme" <> wrote in message
    news:cc2c7l$pfq$...
    > Was thinking about this last night, what's the advantage of running PIX
    > instead of unix firewalls?
    >
    > PIX
    > - Hardware Based (Faster)
    > - Reliability (OS config isn't left up to you, so less chance of crash)
    >
    > Those are the only advantages that I can come up with.
    >
    > On the downside it would be -
    > - Expensive
    > - Not as configurable, and upgradable.
    > - License limits concurrent VPN connections?
    >
    >


    Is it really more expensive? Let's see example office with 150 workstations
    and a T1 line

    A PIX 506e would cost 960 dollars on the street, is practically plug and
    play when using the PDM wizard, you can be up and running quickly

    (the 506e falls within the price of a business desktop)

    Cheapest Dell desktop is 400 dollars and then you still need the network
    card an additional 40 bucks so the total now is 440

    Now you have this box with 2 nic cards and no firewall abilities yet, now
    you need to download ISOs and spend time installing and configuring the box
    to be a firewall and then all the time learning how to make it work and
    hoping it is configured securely and hoping that the FW software
    (IPCHAINS/IPTABLES etc..) provides enough application inspection capability
    to permit seamless passthrough of different flavors of H.323, SQL etc... and
    then what about extensive logging. Finally you always have to worry about
    new updates to the base OS and associated firewall and hoping nothing
    breaks.

    It's not worth the minimal if any savings (and long-term higher cost of
    ownership) by using the "free" FW software.

    Sorry but I would never run a business on a hacked firewall running on a
    desktop PC.

    If you cannot afford the 960 bucks for a proper firewall then you need to
    look at your business process because something is wrong, maybe cut one of
    the 1000 dollar leather chairs from the budget etc.....
     
    Hugo Drax, Jul 7, 2004
    #4
