Iptables vs. Cisco PIX

Iptables Iptables at InterCept.Net
Mon Apr 11 15:41:07 CEST 2005


Both (all) firewalls have their ups and downs... as an enterprise user,
I have used check point, Cisco PIX and IPTables. The biggest difference
in all of them is learning curve, and a few features. Each firewall
works differently in everyones environment (to a point), which basically
means, eval the firewall and see how it performs in your environment. I
run 22 IPTable firewalls on Fedora Core 2 across 22 of my 35 remote
sites, and the rest are scheduled to have one installed by July. My
sites run from T1's to a Full 45mb DS3 with 24/7 connections that
includes customers and support personnel. All of my sites except for the
1 DS3, run on Dell poweredge 700 servers ranging from P4 2.4Ghz - P4
2.8Ghz and all with 512mb memory and 4 Nics and small 40-80gb hd's. The
1 DS3's is connect to 2 Dell Dual Xeon 2.8ghz cpu poweredge 2650 with
1ghz memory. All of my firewalls IPtables configures are configured
manually by a file. I could not find a management console that would do
advanced IPTables configuration and/or use the POM/POM-NG features. Most
were just vanilla program that did basic NAT and packet filtering. I
also run multiple Cisco PIX around my enterprise for different purposes
(some for ISP connections, others to block and dmz customer connections,
and some to protect sensitive systems). Most are PIX 515's and a couple
of 525's. I have not seen any significant performance difference in
either system. The PIX has mgmt consoles, but I use the command line to
configure mine, which is pretty simple.

The only real difference is configuration, troubleshooting connectivity
problems, maintenance, and High availability. You have to take
everything into consideration when considering which firewall to deploy.
The cost of running a Pix versus running Linux on a dell or custom
server is higher, especially if you want high availability (10-15k),
then you have to think of maintenance costs. 

There are no "best" just firewalls with different feature sets for
different environments. To help, at my last company, we migrated from 2
Cisco PIX HA to 2 HA Check Points on Nokia IPSO (NG FP2). We saw no
difference in performance, but a great improvement in rule management
and easy configuration. But upgrades from 4.1 to NG sucked as well as
initial configuration and setup of all systems (mgmt server and 2
nokias). All these were just firewalls with no VPN connections, because
there we had 2 cisco concentrators. 
 
I would choose a Linux system with IPTables, before choosing a PIX or
Check point solution. I can run things like NTOP, packet sniff with
ethereal, run Snort and so much more... I like PIX and I like Check
Point and they will continue to be recommended firewalls from me for the
respected environment and cost benefit.

I am in the middle of implementing HA to my 2 Firewalls here that are
connected to the DS3 on 2 Dell 2650s. I was at first using a shell
script I made to ping the interface and "do" based on the responses. I
am now getting ready to convert them over to VRRP and provide HA that
way. Next after that is to get Zebra installed and provide some extra
routing capabilities (BGP).

http://www.imagestream.com/VRRP.html

http://sourceforge.net/projects/vrrpd/

http://www.zebra.org/


Thanks,
Michael Brown, CISSP-ISSMP, ISSAP
Sr. Security Analyst
Fidelity IFS Security Operations

-----Original Message-----
From: netfilter-bounces at lists.netfilter.org
[mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of Alejandro
Cabrera Obed
Posted At: Friday, April 08, 2005 11:06 AM
Posted To: Iptables
Conversation: Iptables vs. Cisco PIX
Subject: Iptables vs. Cisco PIX

Hi people !!!

This time I want to know your opinion about iptables vs. Cisco
PIX....where
would you use each of them ????
Is it the same using iptables or PIX in big corporations with heavy
Internet
traffic ???? Which is considered the "best" and why ???

I use iptables since a long time, but my network is under 50
workstations.

Thanks for your comments, they're welcome.

At last, I suggest the tutorial from Jose Negreira at
www.iptableslinux.com,
it's really good for persons who start into iptables world.

Thnking in advance,

Alejandro








More information about the netfilter mailing list