February 25th, 2002, 05:21 PM
PIX vs. Linux
Just wondering what you lot would prefer and why: a Cisco PIX 501 firewall or a Linux firewall? If any of can mention the pros and cons it would be very helpful.
Thanks in advance.
February 25th, 2002, 05:29 PM
The Cisco Pix firewall seems to be an actual hardware firewall built specifically for this purpose, while a linux firewall is an actual computer that acts as a gateway/firewall to the internet in a similar fashion. Both would seem to provide very good protection if set up correctly. The main advantage of the linux firewall would have to be cost. For more info on the Cisco Pix go to
February 25th, 2002, 05:33 PM
I'd choose the PIX. It's an appliance. May cost more but it's much harder to get through.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
February 25th, 2002, 06:06 PM
I'd say wichever your more familiar with.
Getting a PIX and then ****ing the config is no more secure than a Linux box.
Plus there are needs.
Do you need auth and crypt in PIX? or is just basic packet filtering + stateful inspection..
Anyways, if you wanna go for a rock-solid appliance get the Nokia series with CPNG pre-installed. Those come with a really hardened OS and allow the installation of other software <actually, only ISS's RealSecure> and are setup for routing purposes along side with a cute and handsome 'lil web-based configurator called Voyager
February 26th, 2002, 10:19 AM
What exactly is PIX? Is it a fancy packet filter? Is the PIX vulnerable to spoofing attacks?
February 26th, 2002, 02:02 PM
The Cisco PIX is hardware firewall that can do NAT, IP filtering and depending on the model IPSec connections. The major problem I've seen with the PIX is the lack of true port filtering rules. The PIX comes out of the box denying all inbound, which is nice for a security but unless your really familiar with the CLI that cisco has it can be confusing on how to set everything up on it.
February 26th, 2002, 03:33 PM
first of all...the PIX is a stateful firewall just like any other.
With the Pix, you can do anything any other firewall can do. So vittu, you are incorrect in saying that there is a lack of port filtering rules. You use access-lists that can be used to specify ANY port.
and YES...of course the PIX come out of the box denying all traffic. This is what you want. Why would you want to close every port you dont need instead of just opening the ports you do. Besides even if you wanted to change that, you could just issue the following commands.
access-list acl-out permit IP any any
*defines all traffic to be permitted
accesgroup acl-out in interface outside
*applies the access-list rules to the outside interface
The PIX501 is also a small SOHO device that has a very simple configuration interface, so you would not have to worry about the CLI stuff anyway. It is a very good product.
I know mrwall is a very big CP advocate, and so am I, but the PIX is also a very good firewall and I think he would agree with me.
Bottom Line: either CP soho or PIX 501....i would probably stay away from the linux firewall for the sake of simplicity..
February 26th, 2002, 03:51 PM
Hey ive noticed something thats called frankin pix.....someone has taken the cisco ios and ripped so that you can flash it into a intel based mother board. When you but up it looks just like the pix firewall.Its supposed to be way cool I haven't had a chance to mess with it yet.
February 28th, 2002, 08:33 PM
February 28th, 2002, 09:30 PM
Configuring a PIX is no different whether you have one subnet or 1000 subnets. If you had problems due to multiple subnets, it is more than likely a routing issue. i would like to hear more specifics of exactly where you had problems with the multiple subnet issue.
I have configured the PIX on networks with literally hundreds of subnets, and never once had any issues (other than the fact that access-lists can get a bit long and confusing). But you still have the same problem on linux FW's