There are also some things that, by the way the PIX is configured, are much
more difficult, if not impossible, to do. I recall running into several
cases where building nat rules on a PIX to do what I wanted was completely
impossible, where it would have been trivial with a netfilter box. Also,
there is more flexibility in the possible rulespace of netfilter. A pix can
filter based on any combination of: source IP, destination IP, protocol,
source port, destination port. Nothing beyond that (i.e., psd, recent, ttl,
tos, bizarre tcp flag combinations {up until a reasonably recent version,
pixos would cryptically drop any tcp syn with ecn set, because it was a tcp
packet with more than just syn set. Newer versions accept such packets. It
has never been and will probably never be possible to *configure* whether or
not to accept such packets and from where.})

Another point, ssh 3des is only available if you buy a 3des crypto license.
Which makes sense if you're using this thing as a crypto endpoint, but is
harder to stomach if you're looking at plopping down a few grand just so you
can manage this thing in a reasonably secure manner. I believe it's cheaper
to buy a low-end linux box, put it next to the pix with a console cable, and
then ssh (3des) into the linux box to manage the pix.

Then, there's routing. On a pix, you can do very simple static routes.
network, mask, gateway, metric. No policy routing, routing protocols
(although it's generally a bad idea to run routing protocols on a firewall,
but sometimes it's nice if you *can* even if you *shouldn't*), or even
moderately complex static routing. None of that. You can sometimes work
around this by surrounding your pix with routers that *can* do this stuff,
but that's just more money down the drain (although I'm sure Cisco's happy
about it).

There's also packet mangling. Pix does some, whether you want it to or not.
Netfilter can do more, but only if you tell it to. Not a lot to say on that
point. :)

Now, on the good side. I would stress even more, pix failover is a breeze
to set up, and works beautifully (although, if you've got spare interfaces,
make sure you've got something to plug them into. There's no way (I believe)
to tell the pix not to use an interface, and if it notices that one is down
it will consider itself failed and failover - back and forth in a ping pong
sort of manner).

Also, pixos is *hard* to break. You can strip a linux box down to where
there's not much to it, but basically linux was designed to be *useful*.
With pixos they started with nothing and added what was necessary. Cisco
doesn't much *care* whether it's useful as an os, but it *is* secure.

Also, there's some nice integration stuff. I just recently put WebSense URL
filtering support on a pix. That works well. There's some cool and funky
stuff you can do with context-based access controls. The logging is nice.
And the Unity VPN client is really slick (and there's even a version for
Linux.)

Also, there are some things that are more easily tweakable (timeouts,
clearing nat translations, etc.)

Overall, I would say that Netfilter is the weapon of choice for the
Packet-Fu master. But a PIX is definitely worthy of respect. And both are
far superior to the pain that is Checkpoint. (I just started working on a
Checkpoint installation. I swear, if I have any say in the matter
whatsoever, I will never touch one of their products again.)

But, that's just my opinion. I could be wrong. :)

-Joe

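The ECN remark above (older PIX OS dropping any SYN that carried extra bits, versus netfilter's mask/compare flag matching) is easy to misread, so here is an added example, written for this page and not code from the post, Cisco or the netfilter project. It models the two checks: a strict "SYN must be the only flag" test, which is an assumption about the observable behaviour Joe describes, and the MASK/COMP semantics of iptables' `--tcp-flags`, which ignore bits outside the mask. An RFC 3168 ECN-setup SYN has ECE and CWR set alongside SYN; the sample headers are constructed in the block, not captured.

```python
"""Added example: strict flags==SYN test vs. netfilter --tcp-flags MASK COMP."""
import struct

# TCP flag bits (RFC 793, plus the ECN bits ECE/CWR from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_ORDER = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH),
              ("ACK", ACK), ("URG", URG), ("ECE", ECE), ("CWR", CWR)]


def flag_names(flags: int) -> str:
    """Render a flag bitmask as e.g. 'SYN|ECE|CWR' for readable output."""
    return "|".join(name for name, bit in FLAG_ORDER if flags & bit) or "none"


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header (constructed test data, no options)."""
    offset_and_flags = (5 << 12) | flags       # data offset = 5 words, then flags
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       offset_and_flags, 65535, 0, 0)


def tcp_flags(header: bytes) -> int:
    """Extract the eight classic flag bits from a raw TCP header (bytes 12-13)."""
    return struct.unpack_from("!H", header, 12)[0] & 0xFF


def strict_syn_only(flags: int) -> bool:
    """Model (an assumption, not Cisco's code) of the older PIX OS behaviour
    the post describes: a connection opener passes only if SYN is the *only*
    flag set, so SYN+ECE+CWR is treated like a malformed packet."""
    return flags == SYN


def tcp_flags_match(flags: int, mask: int, comp: int) -> bool:
    """netfilter --tcp-flags MASK COMP semantics: among the bits named in MASK,
    exactly those in COMP must be set; bits outside MASK (ECE/CWR here) are
    ignored. '-p tcp --tcp-flags SYN,RST,ACK,FIN SYN' therefore admits an
    ECN-setup SYN while still rejecting SYN+ACK or SYN+FIN."""
    return (flags & mask) == comp


def classify(header: bytes) -> dict:
    """Run both checks on one header and report the flags they saw."""
    flags = tcp_flags(header)
    return {
        "flags": flag_names(flags),
        "strict_syn_only": strict_syn_only(flags),
        "netfilter_syn_rule": tcp_flags_match(flags, SYN | RST | ACK | FIN, SYN),
    }


# Constructed sample headers (not captures).
SAMPLES = {
    "plain SYN":     build_tcp_header(40000, 22, SYN),
    "ECN-setup SYN": build_tcp_header(40001, 22, SYN | ECE | CWR),  # RFC 3168 6.1.1
    "SYN-ACK":       build_tcp_header(22, 40000, SYN | ACK),
    "SYN+FIN":       build_tcp_header(40002, 22, SYN | FIN),        # invalid combo
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label:14s} {classify(hdr)}")
```

Running it shows the asymmetry: only the ECN-setup SYN splits the two checks (dropped by the strict test, accepted by the masked one), while SYN-ACK and SYN+FIN are rejected as connection openers by both. If you are writing detection or firewall rules for SYN handling, the masked form is the one that will not silently break ECN-capable clients.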
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Joerg Mayer
> Sent: Wednesday, March 20, 2002 4:54 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Netfilter vs. Cisco PIX
>
>
> On Tue, Mar 19, 2002 at 12:21:29PM +0000,
> [EMAIL PROTECTED] wrote:
> > I'm looking for some comparison between the featureset found in
> the Cisco
> > PIX vs. Iptables. Anyone have any pointers? :)
>
> OK, I'm too lazy to actually look things up for either iptables or PIX,
> so any additions and corrections are more than welcome.
>
> PIX better:
> - failover, and if you want it, even stateful failover
> - DNS content inspection (don't accept additional answers)
> - always change tcp sequence numbers (even without changing addresses)
> - additional protocols (not sure here)
> + h323 (is iptables support complete?)
> + sqlnet
> + sip
> + sccp (Cisco's ip phone version of sip)
> + netbios/smb/pipe$ support
> + rtsp (?)
> + probably more
> - good integration with snmp
> - hardware support for ipsec (?)
>
> Iptables better:
> - subroutines (or -tables :) -> easier to manage
> - additional protocols (not sure here either)
> + irc
> + talk/ntalk
> - source available, so you may add your own modules for conntrack
> and or nat (but the PIX still has support for many more protocols)
> - more supported interface types, including wan/dialup interfaces
> - ssh v2
> - load balancer
> - traffic shaping/QoS
>
> Both:
> - IDS sensor
> - IPSEC
> - snmp
> - lots of interfaces
> - rule updates without losing connections
> - ssh access
> - good support on bugs
>
> Ciao
> Jörg
> --
> Joerg Mayer <[EMAIL PROTECTED]>
> I found out that "pro" means "instead of" (as in proconsul). Now I know
> what proactive means.