Just wondering what you lot would prefer and why: a Cisco PIX 501 firewall or a Linux firewall? If any of you can mention the pros and cons, it would be very helpful.
Thanks in advance.
The Cisco Pix firewall seems to be an actual hardware firewall built specifically for this purpose, while a Linux firewall is an actual computer that acts as a gateway/firewall to the internet in a similar fashion. Both would seem to provide very good protection if set up correctly. The main advantage of the Linux firewall would have to be cost. For more info on the Cisco Pix go to
http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/
I'd choose the PIX. It's an appliance. May cost more but it's much harder to get through.
I'd say whichever you're more familiar with.
Getting a PIX and then ****ing the config is no more secure than a Linux box.
Plus there are needs.
Do you need auth and crypt in PIX? Or is it just basic packet filtering + stateful inspection..
Anyways, if you wanna go for a rock-solid appliance get the Nokia series with CPNG pre-installed. Those come with a really hardened OS and allow the installation of other software <actually, only ISS's RealSecure> and are set up for routing purposes alongside a cute and handsome 'lil web-based configurator called Voyager :)
etsh911
What exactly is PIX? Is it a fancy packet filter? Is the PIX vulnerable to spoofing attacks?
thanks
The Cisco PIX is a hardware firewall that can do NAT, IP filtering and, depending on the model, IPSec connections. The major problem I've seen with the PIX is the lack of true port filtering rules. The PIX comes out of the box denying all inbound, which is nice for security, but unless you're really familiar with the CLI that Cisco has, it can be confusing how to set everything up on it.
first of all...the PIX is a stateful firewall just like any other.
With the Pix, you can do anything any other firewall can do. So vittu, you are incorrect in saying that there is a lack of port filtering rules. You use access-lists that can be used to specify ANY port.
and YES...of course the PIX comes out of the box denying all traffic. This is what you want. Why would you want to close every port you don't need instead of just opening the ports you do? Besides, even if you wanted to change that, you could just issue the following commands.
access-list acl-out permit ip any any
*defines all traffic to be permitted
access-group acl-out in interface outside
*applies the access-list rules to the outside interface
The PIX501 is also a small SOHO device that has a very simple configuration interface, so you would not have to worry about the CLI stuff anyway. It is a very good product.
I know mrwall is a very big CP advocate, and so am I, but the PIX is also a very good firewall and I think he would agree with me.
Bottom Line: either CP soho or PIX 501....I would probably stay away from the linux firewall for the sake of simplicity..
Hey I've noticed something that's called frankin pix.....someone has taken the Cisco IOS and ripped it so that you can flash it into an Intel-based motherboard. :) When you boot up it looks just like the PIX firewall. It's supposed to be way cool; I haven't had a chance to mess with it yet.
Here is my experience in case you care ;)
Pix is extremely secure and easy to use iffffff and only ifffff you have a set of ip addresses under the same subnet ...
Now ... trouble started when my network started growing and when I had to divide my network into zones. Now that is the shitty part: configuration jumped from being a nice 1/2 an hour experience into a 4 days nightmare ...
The manual is useless when having a not so typical network ;) like most people I know...
Now with a Linux based firewall things were just like heaven again,
I got the Phoenix Adaptive Firewall ... and if I get assigned another subnet I just add another NIC into the box ... voila ... add it in linuxconf, add it in the firewall and I'm a happy guy.
I've had a couple of security companies try to pop my Linux firewalls 3 times already ;) no luck baby ... I can sleep at night... just install a plain copy of Linux ... stop all the services you don't need and install your firewall ... it will be a steady hard-ball-breaking firewall, as the PIX lovers describe the PIX.
I just think Cisco is overrated, overpriced, over ordered, over known ...
again ... just my opinion.
Felo
Configuring a PIX is no different whether you have one subnet or 1000 subnets. If you had problems due to multiple subnets, it is more than likely a routing issue. I would like to hear more specifics of exactly where you had problems with the multiple subnet issue.
I have configured the PIX on networks with literally hundreds of subnets, and never once had any issues (other than the fact that access-lists can get a bit long and confusing). But you still have the same problem on Linux FWs.