I have seen way too many Linux firewalls hacked as a result of
mis-administration.  Now, I'm not assuming anything about your abilities as
the last confirmed hack that I was notified about was a Linux FW set up by 2
guys that I know to be excellent Linux admins.  The problem is the inherent
nature of the beast.  A PIX is totally secure right out of the box.  The
last Linux hack I speak of was hacked based on an exploit within BIND and
had nothing to do with the FW policy.

I also find the PIX to be MUCH easier to configure and set up.  I can do in
only a few lines of code what could possibly take pages and pages of code in
Linux.  When talking about firewalls, simplicity is a critically important
concern.  One compromise could easily remove any upfront cost advantage
Linux has over Cisco.  Also, you don't have to be concerned with shutting
down unused services on a PIX as you would on Linux.

Go with the PIX.  It was designed from the ground up to do just what it
does: protect your network.  Cisco claims that a properly configured PIX has
never been compromised.  I believe them.

Rik


"Sean Young" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi Everyone,
>
> My company is putting me in charge in implementing a Firewall for our
> company.  One guy in my networking group is recommending PIX Firewall.
> Furthermore, he also recommends a Cisco Web-caching engine.  His reason
> is that not only is Cisco a good Firewall but it also provides VPN
> connectivity to our remote sites.  Myself, on the other hand, would
> like to implement Linux-based OS firewall along with FreeS/WAN VPN
> features set.  My reason is that a linux firewall can provide everything
> a Cisco PIX does and even more.  In terms of hardware, the linux Firewall/
> VPN/IPSec box will be running a dual-processor (800MHz) with 1GB of RAM.
> I just feel that I can get a lot more for the amount that we are going
> to spend with linux than with Cisco PIX.  I also feel that I can tweak the
> source code on the LINUX kernel to increase the performance and security.
> Also, instead of purchasing the Cisco web-caching engine, I am thinking
> of building another linux box that will be running squid (web-caching)
> server.  Don't get me wrong, I think Cisco has a lot of good products
> in the area of routing; however, I just don't think it is necessary to
> throw away money at Cisco when I know that Linux or BSD can do the same
> job that PIX and Cisco web-caching engine do but for much less and also
> I can control the source code.  Has anyone had experience with both
> the Linux/BSD, Squid and Cisco PIX, Cisco web-caching engine so that
> you can give advice on what I should do.  I am open to your suggestions.
>
> Many thanks.
> Sean
> _________________________________
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>

