PIX versus Software based Firewalls.

Discussion in 'Cisco' started by meme, Jul 2, 2004.

  1. meme

    meme Guest

Was thinking about this last night, what's the advantage of running PIX
instead of Unix firewalls.

    - Hardware Based (Faster)
- Reliability (OS config isn't left up to you, so less chance of crash)

    Those are the only advantages that I can come up with.

    On the downside it would be -
    - Expensive
- Not as configurable, and upgradable.
    - License limits concurrent VPN connections?
    meme, Jul 2, 2004
  2. paul blitz Guest

    > Was thinking about this last night, what's the advantage of running PIX

    How about: "designed as a firewall, with security in mind"? Unix is a good
    OS, but it is still a "general" OS.

    Depends how paranoid you wish to be, I guess!
    as are many "professional" solutions
    In what way.... ok, as a firewall, you can't also use it as a router, mail
    server, DNS etc. But do you REALLY want a *firewall* to do those things?

    just my 5c

    paul blitz, Jul 2, 2004
  3. Sometimes, yes. It depends on the firewall methodology you want to use.

    You have three basic choices

    1) Packet Filter - basic IOS ACLs. No in depth inspection, no particular
    protection from exploits against a permitted protocol.

    2) Stateful Inspection - What a PIX does - permitted protocols are inspected
    on the way through and more intelligence is applied to where they go.
    Somewhat better than packet filtering.

    3) Bastion host. Terminates all connections itself and then re-originates
    the connection outbound. In this case then your firewall will be an SMTP
    server as it will accept mail and then forward it to an appropriate
    direction. This approach can theoretically completely eliminate protocol
    exploits against internal hosts. Normally runs a series of proxy servers -
    TIS Gauntlet and (a long while ago) the ANS Interlock.

    Paul S. Brown, Jul 2, 2004
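    Added illustration of the difference between choices 1) and 2) in Paul's post (this is constructed example code, not PIX or IOS code, and the rules, addresses and ports in it are made up). A stateless packet filter has to leave a static hole for return traffic, so an unsolicited inbound packet that happens to match that hole gets through; a stateful inspector records the outbound connection and only admits inbound packets that belong to a flow it already knows about.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet model (constructed for the example)."""
    direction: str  # "out" = inside -> outside, "in" = outside -> inside
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# --- 1) Stateless packet filter, in the spirit of a basic ACL ------------
# Each rule is (direction, match predicate, permit?). Because the filter
# keeps no memory of flows, the inbound rule must statically permit
# "anything from a web port to a high client port", whether solicited or not.
ACL = [
    ("out", lambda p: p.dport in (80, 443), True),
    ("in", lambda p: p.sport in (80, 443) and p.dport > 1023, True),
]


def packet_filter(p: Packet) -> bool:
    """Return True if the static ACL permits the packet, first match wins."""
    for direction, match, permit in ACL:
        if p.direction == direction and match(p):
            return permit
    return False  # implicit deny


# --- 2) Stateful inspection, the PIX-style model --------------------------
class StatefulFirewall:
    """Tracks outbound connections and admits only their return traffic."""

    ALLOWED_OUTBOUND_PORTS = (80, 443)

    def __init__(self) -> None:
        # connection table keyed by (inside ip, inside port, outside ip, outside port)
        self.table: set[tuple[str, int, str, int]] = set()

    def inspect(self, p: Packet) -> bool:
        if p.direction == "out":
            if p.dport not in self.ALLOWED_OUTBOUND_PORTS:
                return False
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack:
                self.table.add(key)  # new flow opened from inside
                return True
            return key in self.table  # later outbound segments of a known flow
        # inbound: permitted only if it is the reverse of a tracked flow
        return (p.dst, p.dport, p.src, p.sport) in self.table


def run_demo() -> dict[str, tuple[bool, bool]]:
    """Return {packet name: (packet_filter verdict, stateful verdict)}."""
    fw = StatefulFirewall()
    packets = [
        # inside client opens a web connection
        ("client_syn", Packet("out", "10.0.0.5", 40000, "203.0.113.10", 80, syn=True)),
        # the legitimate SYN/ACK coming back for that flow
        ("server_synack", Packet("in", "203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True)),
        # an unsolicited packet from a web port to a high port on another inside host
        ("unsolicited", Packet("in", "203.0.113.99", 80, "10.0.0.7", 5555, syn=True)),
    ]
    return {name: (packet_filter(p), fw.inspect(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (acl_ok, stateful_ok) in run_demo().items():
        print(f"{name:14s} packet filter: {acl_ok!s:5s} stateful: {stateful_ok}")
```

    The third packet is the point of the exercise: the ACL cannot tell it apart from genuine return traffic, while the stateful firewall rejects it because no inside host ever opened that flow. A real PIX does considerably more (sequence tracking, protocol fixups for things like H.323), but the connection-table idea is the core of what "stateful" buys you over a plain ACL.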
  4. Hugo Drax Guest

    Is it really more expensive? Let's see, example office with 150 workstations
    and a T1 line

    A PIX 506e would cost 960 dollars on the street, is practically plug and
    play when using the PDM wizard, you can be up and running quickly

    (the 506e falls within the price of a business desktop)

    Cheapest Dell desktop is 400 dollars and then you still need the network
    card an additional 40 bucks so the total now is 440

    Now you have this box with 2 nic cards and no firewall abilities yet, now
    you need to download ISO's and spend time installing and configuring the box
    to be a firewall and then all the time learning how to make it work and
    hoping it is configured securely and hoping that the FW software
    (IPCHAINS/IPTABLES etc..) provides enough application inspection capability
    to permit seamless passthrough of different flavors of H.323,SQL etc... and
    then what about extensive logging. Finally you always have to worry about
    new updates to the base OS and associated firewall and hoping nothing

    It's not worth the minimal if any savings (and long-term higher cost of
    ownership) by using the "free" FW software.

    Sorry but I would never run a business on a hacked firewall running on a
    desktop PC.

    If you cannot afford the 960 bucks for a proper firewall then you need to
    look at your business process because something is wrong, maybe cut one of
    the 1000 dollar leather chairs from the budget etc.....
    Hugo Drax, Jul 7, 2004
