[olug] Linux versus Cisco PIX

Rob Townley rob.townley at gmail.com
Sat Sep 20 01:14:26 UTC 2008


On Fri, Sep 19, 2008 at 5:31 PM, Shawn Mattingly <smattin at mimezine.org> wrote:

> If you are looking at a firewall appliance, a PIX is fairly inexpensive
> to buy (if you are looking at the small ones at least) and costs less to
> support over time than a Sonicwall, which if you insist on keeping up to
> date with a support contract will cost almost as much per year as the
> initial purchase of the device.  It's a great solution for a small
> business, especially if you have to support IPSEC lan-to-lan or limited
> remote access vpn capability.
>
> I've run linux firewalls too and they are a great "free" solution if you
> happen to have an old machine lying around and have the time to fiddle
> with it.  However, your average 200W power supply in an old white box
> system uses quite a bit more power than an appliance, and generates more
> heat and noise.  Also, though you aren't paying money to an appliance
> manufacturer to keep your box current with fixes for the latest
> vulnerabilities, you will probably spend a whole lot more time monkeying
> around with it to get it to do what you want and keep it up to date.
>
> Both are great solutions, but the best one for you will depend on your
> situation and how much money and/or spare time you have available.
>
> Shawn
>
> Ryan Stille wrote:
> > Michael Peterson wrote:
> >> If IPCop or CentOS or XYZ Linux are configured properly, can they provide,
> >> on a temporary or permanent basis, the same basic features as a Cisco PIX
> >> Firewall device?
> >>
> >> Would anyone on the list recommend a specific Linux or Linux firewall
> >> distro that you have in production or have used in production?
> >>
> >> Or would a basic Sonicwall be a better temporary or permanent solution?
> >>
> >
> > I replaced one of our two PIXes with a small device running pfSense
> > (similar to m0n0wall).  It's worked great so far, and has been much
> > easier to administer than the old Cisco box.  The only problem I've had
> > with it is that it can't be a PPTP server *and* allow outbound PPTP from
> > the internal network.  Fairly easy to work around, and it's supposed to
> > be fixed in the next version.  It does OpenVPN and IPsec as well.  We
> > plan to get rid of the second PIX eventually and run everything through
> > the one pfSense box.
> >
> > These awesome little boxes with pfSense pre-installed are under $200:
> > http://www.netgate.com/product_info.php?products_id=562
> >
> > But before I got that I was just running it on an old PC and it worked
> > fine there, too.
> >
> > -Ryan
> >
> >
> > _______________________________________________
> > OLUG mailing list
> > OLUG at olug.org
> > https://lists.olug.org/mailman/listinfo/olug
>


Anybody happen to know if any of them do Network Access Control, so that unpatched
machines are quarantined?

When you start scanning packets for viruses, have 10 AES-encrypted VPN
sessions, and are scanning for spam among other things, I don't know how a very
low-power system could do it without slowing down your entire network.  But I
would love to be proven wrong.
