On Tue, Mar 19, 2002 at 12:21:29PM +0000, [EMAIL PROTECTED] wrote:
> I'm looking for some comparison between the featureset found in the Cisco
> PIX vs. Iptables. Anyone have any pointers? :)
OK, I'm too lazy to actually look things up for either iptables or PIX,
so any additions and corrections are more than welcome.
PIX better:
- failover, and if you want it, even stateful failover
- DNS content inspection (don't accept additional answers)
- always change tcp sequence numbers (even without changing addresses)
- additional protocols (not sure here)
  + h323 (is iptables support complete?)
  + sqlnet
  + sip
  + sccp (ciscos ip phone version of sip)
  + netbios/smb/pipe$ support
  + rtsp (?)
  + probably more
- good integration with snmp
- hardware support for ipsec (?)
Iptables better:
- subroutines (or -tables :) -> easier to manage
- additional protocols (not sure here either)
  + irc
  + talk/ntalk
- source available, so you may add your own modules for conntrack
  and/or nat (but the PIX still has support for many more protocols)
- more supported interface types, including wan/dialup interfaces
- ssh v2
- load balancer
- traffic shaping/QoS
Both:
- IDS sensor
- IPSEC
- snmp
- lots of interfaces
- rule updates without losing connections
- ssh access
- good support on bugs
Ciao
Jörg
--
Joerg Mayer <[EMAIL PROTECTED]>
I found out that "pro" means "instead of" (as in proconsul). Now I know
what proactive means.
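Two of the iptables points above, user-defined chains as "subroutines" and rule updates that keep existing connections, are easier to see in a concrete ruleset. The script below is an added example and is not part of the original post or of either product's documentation; it emits a ruleset in iptables-restore format rather than calling iptables, so it runs without root. The interface names (eth0/eth1) and the management network (192.0.2.0/24, a documentation range) are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): an iptables ruleset that uses
# user-defined chains as subroutines and connection tracking, written in
# iptables-restore format. Load it on a real host with:
#   sh this_script.sh > firewall.rules && iptables-restore < firewall.rules
# iptables-restore swaps the whole table atomically, and because the first
# rules accept ESTABLISHED/RELATED traffic, sessions survive the reload.

# Hypothetical interface names and management network (assumptions).
WAN_IF="eth0"
LAN_IF="eth1"
MGMT_NET="192.0.2.0/24"   # RFC 5737 documentation range, placeholder only

build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MGMT - [0:0]
:WAN_IN - [0:0]
# Conntrack first: replies to known sessions pass regardless of later edits.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# Dispatch to "subroutine" chains by source interface.
-A INPUT -i $LAN_IF -s $MGMT_NET -j MGMT
-A INPUT -i $WAN_IF -j WAN_IN
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
# Subroutine: management access (ssh, snmp) only from the management net.
-A MGMT -p tcp --dport 22 -j ACCEPT
-A MGMT -p udp --dport 161 -j ACCEPT
-A MGMT -j RETURN
# Subroutine: traffic from the WAN to the firewall itself; log ssh attempts
# at a bounded rate, then drop everything not matched earlier.
-A WAN_IN -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix "WAN-SSH: "
-A WAN_IN -j DROP
COMMIT
EOF
}

# Sanity check before loading: every user-defined chain that is jumped to
# must be declared with a ":NAME - [0:0]" line, or iptables-restore rejects
# the whole file. Returns 0 when the ruleset is consistent.
check_chain_targets() {
    ruleset=$(build_ruleset)
    for target in $(printf '%s\n' "$ruleset" | sed -n 's/.* -j \([A-Z_]*\).*/\1/p' | sort -u); do
        case "$target" in
            ACCEPT|DROP|RETURN|LOG|REJECT) continue ;;   # built-in targets
        esac
        printf '%s\n' "$ruleset" | grep -q "^:$target - " || {
            echo "undeclared chain: $target" >&2
            return 1
        }
    done
    return 0
}

# Standalone use: validate, then print the ruleset for iptables-restore.
check_chain_targets && build_ruleset
```

Each policy area lives in its own chain, so adding a management host or a logged port means editing one chain rather than re-ordering the INPUT chain; the check function catches the most common iptables-restore failure (a jump to a chain that was renamed or never declared) before the ruleset is applied.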