[olug] Linux versus Cisco PIX

Shawn Mattingly smattin at mimezine.org
Sat Sep 20 04:37:34 UTC 2008


The PIXes are capable of offloading the content scanning of web traffic
to an outboard Websense or N2H2 server but they don't do it themselves,
the server makes all of the proxy decisions.  The ASA5510 and larger
have an accessory slot that you can install a content scanning module,
but I think it's pretty pricey.  I've never used the module but I've
done a few Websense installations (and they are kind of a pain in the
butt to maintain; it's a good gig if you are billing the work hourly
though).  For NAC the PIXes will also integrate with a Cisco MARS server
both to act as perimeter IDS sensors with the capability of doing
adaptive port shunning and as interior network access control, but again
the brains of that operation is handled by the outboard server and not
the PIX.  You'd probably have to use the Cisco Secure agent on the
workstation if you wanted to limit interior host access to the internet
based on host software patchlevels, and the agent would be talking to
the MARS server and working with your switches via 802.1x to prevent
network access, not the PIX.

In either of these cases you are substantially out of the realm of free
and open source software :-)  Cisco is quite proud of their software
solutions and price them accordingly (regardless of whether or not they
function as advertised). In my experience, most of their standalone
applications are deeply hated by the people tasked with administrating
them.

VPN capability of the PIX/ASA family is heavily dependent on the
individual model.  The smallest PIX 501 is limited to 10 connections
with a base license while an ASA5580 will supposedly do 10000.  It all
depends on what you are willing to pay for.

Shawn

Rob Townley wrote:
> On Fri, Sep 19, 2008 at 5:31 PM, Shawn Mattingly <smattin at mimezine.org> wrote:
> 
>> If you are looking at a firewall appliance, a PIX is fairly inexpensive
>> to buy (if you are looking at the small ones at least) and costs less to
>> support over time than a Sonicwall, which if you insist on keeping up to
>> date with a support contract will cost almost as much per year as the
>> initial purchase of the device.  It's a great solution for a small
>> business, especially if you have to support IPSEC lan-to-lan or limited
>> remote access vpn capability.
>>
>> I've run linux firewalls too and they are a great "free" solution if you
>> happen to have an old machine lying around and have the time to fiddle
>> with it.  However, your average 200W power supply in an old white box
>> system uses quite a bit more power than an appliance, and generates more
>> heat and noise.  Also, though you aren't paying money to an appliance
>> manufacturer to keep your box current with fixes for the latest
>> vulnerabilities, you will probably spend a whole lot more time monkeying
>> around with it to get it to do what you want and keep it up to date.
>>
>> Both are great solutions, but the best one for you will depend on your
>> situation and how much money and/or spare time you have available.
>>
>> Shawn
>>
>> Ryan Stille wrote:
>>> Michael Peterson wrote:
>>>> If IPCop or CentOS or XYZ Linux are configured properly can they provide
>>>> for a temporary or permanent basis the same basic features as a Cisco PIX
>>>> Firewall device?
>>>>
>>>> Would anyone on the list recommend a specific Linux or Linux Firewall
>>>> Distro that you have in production or have used in production?
>>>>
>>>> Or would a basic Sonicwall be a better temporary or permanent solution?
>>>>
>>> I replaced one of our two PIXes with a small device running pfSense
>>> (similar to monowall).  It's worked great so far, and has been much
>>> easier to administer than the old Cisco box.  The only problem I've had
>>> with it is that it can't be a PPTP server *and* allow outbound PPTP from
>>> the internal network.  Fairly easy to work around, and it's supposed to
>>> be fixed in the next version.  It does OpenVPN and IPsec as well.  We
>>> plan to get rid of the second pix eventually and run everything through
>>> the one pfSense box.
>>>
>>> These awesome little boxes with pfSense pre-installed are under $200:
>>> http://www.netgate.com/product_info.php?products_id=562
>>>
>>> But before I got that I was just running it on an old PC and it worked
>>> fine there, too.
>>>
>>> -Ryan
>>>
>>>
>>> _______________________________________________
>>> OLUG mailing list
>>> OLUG at olug.org
>>> https://lists.olug.org/mailman/listinfo/olug
>>
> 
> 
> Anybody happen to know if any of 'em do Network Access Control so unpatched
> machines are quarantined?
> 
> When you start scanning packets for viruses, have 10 AES encrypted VPN
> sessions, scanning for spam among other things, I don't know how a very low
> power system could do it without slowing down your entire network.  But I
> would love to be proven wrong.