[olug] Linux versus Cisco PIX

Christopher Cashell topher-olug at zyp.org
Fri Sep 19 21:25:58 UTC 2008


On Fri, Sep 19, 2008 at 4:02 PM, Michael Peterson
<mpeterson at mail.charlesfurniture.com> wrote:
> If IPCop or CentOS or XYZ Linux are configured properly can they provide for
> a temporary or permanent basis the same basic features as a Cisco PIX
> Firewall device?

Absolutely.  From a features and capabilities standpoint (particularly
at the lower end) a PIX has little over a Linux box.  In fact, as of
the PIX/ASA 8.0 software release, it's running on top of a Linux
kernel (much like the Nexus switches).  Is there a specific model of
PIX/ASA that you're looking to replace, or substitute a Linux box for?

> Would anyone on the list recommend a specific Linux or Linux Firewall Distro
> that you have in production or have used in production?

There are a lot of distributions oriented towards use as a firewall
(see http://en.wikipedia.org/wiki/List_of_Linux_router_or_firewall_distributions).
The primary benefit you'll get from using a pre-packaged firewall
distribution is convenience.  They tend to have the software required
for common firewall and similar features packaged in, sometimes with a
special GUI or web based interface.  I played with IPcop back a few
years ago, and it seemed decent.  I've also been toying with Vyatta's
Open Router (which also has Firewall and VPN features), and so far it
looks quite good.

If you're comfortable and knowledgeable with Linux and iptables, you
can definitely build your own.  I've done this myself, both for
personal and professional purposes, and I've always had very good luck
with it.

> Or would a basic Sonicwall be a better temporary or permanent solution?

Depends on what your requirements are, and what your assets are.

If you want a commercially supported solution, you're looking at
either a hardware appliance, or one of the companies that will offer
support on a software appliance (like Vyatta).  If you've got good
in-house technical skills, then commercial support might not be a
requirement.

At the same time, unless you have someone with a lot of experience
with Linux, iptables, and setting up a Linux box as a firewall, it is
likely to take at least a little more time to set that up, compared to
an appliance.  If you have more time than money in your asset bucket,
that'd be a win.  If it's the other way around, then you'd likely be
better off with an appliance.

Lastly, going back to requirements, make sure you decide what your
uptime requirements are, and how critical it is if the device goes
down.  Some devices/software/configurations support fail-over, if
that's needed, while some don't.  Hardware support may also be a
concern if you roll your own solution, depending on who you get the
hardware from, and what kind of support services they offer.

-- 
Christopher
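As an added illustration of the "build your own with iptables" approach Christopher describes (this is example code written for this page, not something from the original post, from IPCop, or from Vyatta), the script below generates a minimal two-interface, stateful, default-deny ruleset in iptables-restore format: inbound and forwarded traffic are dropped unless explicitly allowed, the LAN is hidden behind the WAN address, and drops are logged so the rules can be tuned. The interface names (eth0/eth1), the 192.168.1.0/24 network, the admin network, and the suggested file name fw.sh are all assumptions; adjust them to your environment.

```shell
#!/bin/sh
# Added example: generate a basic stateful iptables firewall ruleset
# (iptables-restore format) for a Linux box standing in for a small PIX/ASA.
# Interface names and networks below are assumptions, overridable via env.
WAN_IF="${WAN_IF:-eth0}"                  # assumption: Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                  # assumption: internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumption: internal network
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"  # assumption: hosts allowed to SSH in

# filter table: default-deny on INPUT and FORWARD, allow replies and a few
# explicitly listed services, log what gets dropped (rate limited).
gen_filter_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-tracked connections (this is the "stateful" part)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# management access to the firewall itself only from the admin network, LAN side
-A INPUT -i $LAN_IF -s $ADMIN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# rate-limited ping so the box stays reachable for troubleshooting
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# log remaining inbound drops so the policy can be tuned from the logs
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "FW-INPUT-DROP: "
# forwarding: LAN out to WAN and the replies back, nothing else
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "FW-FORWARD-DROP: "
COMMIT
EOF
}

# nat table: hide the LAN behind the WAN address, the equivalent of a PIX
# "nat (inside)" / "global (outside)" pair.
gen_nat_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Full ruleset, ready to pipe into iptables-restore.
gen_ruleset() {
  gen_filter_rules
  gen_nat_rules
}

# Sanity checks on the generated text; these need neither root nor iptables,
# so they can run in a review step before the rules are ever loaded.
ruleset_has_default_deny() {
  gen_ruleset | grep -q '^:INPUT DROP' && gen_ruleset | grep -q '^:FORWARD DROP'
}
ruleset_forward_rule_count() {
  gen_ruleset | grep -c '^-A FORWARD'
}
ruleset_masquerades_lan() {
  gen_ruleset | grep -q "^-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
}

# Print the ruleset when invoked as: sh fw.sh --print   (fw.sh is an assumed name)
if [ "${1:-}" = "--print" ]; then
  gen_ruleset
fi
```

To load it on the firewall, enable forwarding (`sysctl -w net.ipv4.ip_forward=1`) and run `sh fw.sh --print | iptables-restore` as root; to keep it across reboots, save the output where your distribution's iptables service expects it. The checks at the bottom are the kind of thing to run from a pre-commit hook or a config-management test so that a default-deny policy cannot silently turn into default-accept when someone edits the script.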



More information about the OLUG mailing list