hi!

i cannot resist giving a few comments on the PIX/ASA...

but first you should have a look at
        http://www.openbsd.org/lyrics.html#35
about the Monopoly of Cizzz-coeee.

On Mon, Nov 05, 2007 at 02:26:48PM -0500, Brian A Seklecki (Mobile) wrote:
> - PIX/ASA is going to get you a default packet "ASA" forwarding based on
> interface weights 

this concept of interface levels is something that is causing
headaches to generations of PIX admins... there are certain
limitations between interfaces of different levels, and then the PIX
doesn't even support VLANs; you have to use a physical interface per
LAN.

> - PIX/ASA is going to guarantee easily setup and functional Hybrid-XAUTH
> VPN Road-warrior clients

OpenBSD's isakmpd does not support XAUTH yet but the IPsec
configuration on PIX is neither easy nor functional; this concept of
using access lists for phase 2 policies (flows) and all the
dependencies of different types of cli rules for IPsec is just really
bad.

> - PIX has functional object-groups/group-object inheritance

it is not functional, it is an attempt to make the access lists more
usable. OpenBSD's tables, macros, etc. provide a much better
interface.

> - PIX/ASA has proprietary serial console fail-over (which is marginally
> faster than waiting for CARP)

yeah, and you have to run both systems in the same rack; it is
impossible to put the systems in physically different locations.

> - PIX/ASA has some magical black-box inline transparent protocol
> "fixups"

this should only matter in the NAT case and is provided by our pf
proxies and relayd(8), but they're not magical.  we're working on
supporting more protocols in this case.

> - PIX has a 4 hour SmartNet support contract option

there are OpenBSD-based appliances with suitable support contracts.

> - PIX/ASA has a SNMP MIB tree (Which we are working to catch up on)
> 

snmpd(8) will support a few more MIBs, but it is still the goal to
keep it small.

> I don't know about ASA, but the 5xx PIX doesn't support IPv6
> 

like the lucent boxes and many other systems.  and even if they
support IPv6, they do it in a very basic way, sometimes not even
statefully.

> 
> Otherwise they're both software-based stateful IP packet forwarding
> engines running on i386 with NAT and IPSec and 802.1q support.
> 
> OpenBSD will always scale better because you can run it on the hardware
> platform of your choice.
> 

and more

- PIX/ASA require additional licenses for more users/cryptos/keystrokes/...

- Newer releases of ASA (8+) are based on Linux 2.6... it turned into
just another Linux UTM box.

reyk

> ~BAS
> 
> > 1. VPN is computationally heavy -- is your hardware fast enough?
> > 
> > 2. Try playing with queueing in PF to handle some types of traffic
> >    faster than others. AFAIK, it is normal to find this kind of
> >    configuration in commercial, black-box solutions, disguised as buzzy
> >    slogans like "Built-in QoS Super-Routing" :-)
> > 
> > Just my two cents.
> > 
> > Martin
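
As an added illustration (not part of the thread, and not reyk's own configuration), the following pf.conf fragment shows what the "tables, macros" remark refers to: a macro names a port list once, and a table names a set of hosts that rules can reference, much as a PIX object-group does. Interface names, addresses and the file path are constructed examples.

```pf
# Added example pf.conf fragment; interface names, addresses and the
# table file are constructed, not from the thread.
ext_if = "em0"
web_ports = "{ 80, 443 }"

# a table referenced by several rules; "persist" keeps it even when no
# rule currently references it, so it can be filled at runtime
table <webservers> { 192.0.2.10, 192.0.2.11 }
table <admins> persist file "/etc/pf.admins"

block all
pass in on $ext_if proto tcp from any to <webservers> port $web_ports
pass in on $ext_if proto tcp from <admins> to <webservers> port 22
```

The practical difference from an object-group is that a table's membership can be changed while the ruleset is loaded: `pfctl -t webservers -T add 192.0.2.12` adds a host and `pfctl -t webservers -T show` lists the current members, with no ruleset reload. `pfctl -nf /etc/pf.conf` parses the file without loading it, which is the check to run before a change goes live.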
