Solved

open source replacement for PIX needed

Posted on 2006-11-22
8
398 Views
Last Modified: 2013-11-16
Hi,

I have a PIX firewall

Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

For financial reasons my boss wants it replaced with an open source one.

I want to know the following:

1. Should I buy server hardware like a dual core machine with 4 Gb memory etc, or just buy a Dell machine and install the firewall on it?

2. The PIX right now has three DMZs and a setup for VPN connections so that others can connect to it remotely, so I would need a firewall which has DMZ support and VPN support as well.

3. What are the various good software-based firewalls in the open source world? I know about iptables and some others, but is there any which provides the same facilities as PIX in terms of features? It would be great if the command line configuration is also the same.

Question by:zorawar_bahadur
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18001297
Sorry if this is a pompous sounding view but nothing out in the 'free' area is going to match the capabilities/functions/performance etc provided by 'probably' the best firewall in the world.
0
 
LVL 3

Expert Comment

by:bugsaif
ID: 18001468
>1. Should i buy a server hardware like dual core machine with 4 Gb memory etc or just buy a dell machine and install the firewall on it.
     
      A firewall is not entirely about horsepower...

>2. The PIX right now has three DMZs and a setup for VPN connections so that others can connect to it remotely. so i would need a firewall which has DMZ support and VPN support as well.
>3. What the are the various different good software based firewalls in open source world. i know about iptables and some others but is there any which provides the same facilities as PIX in terms of features. it would be great if the command line configuration is also the same.

    Try these... they have what you're looking for...

    Recommended
    IPCop: http://www.ipcop.org/
    SmoothWall: http://www.smoothwall.org/

    Others
    ClarkConnect: http://www.clarkconnect.com/community/
    m0n0wall: http://m0n0.ch/wall/
    Shoreline Firewall: http://shorewall.net/


    You may find an open source firewall with a somewhat comparable featureset to the PIX... but it is unlikely you'll find an open source firewall with a similar CLI... Huawei tried imitating the Cisco IOS cli and got sued...
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 125 total points
ID: 18002802
If you have to buy a server platform to run the "free" software, then you've still spent MORE money than you would to buy SmartNet maintenance on the PIX that you already own for the next 3 years.

Argument - "for financial reasons" is invalid

Sorry, but I just don't get it...

There is no such thing as a free software based PIX. The only open source software is Linux-based iptables/ipchains, then find a different solution for the VPN component - I'm sure they're out there.

You already own the best firewall on the market. I'm assuming it is still functioning and doing its job.
You already know how to use it
Your skill set is geared toward the PIX command line. If you try to change gears and re-learn everything you know about firewalls, learning Linux, ipchains and other open-source VPN software (and the open source VPN clients as well), then you have a steep learning curve to become proficient. No firewall is any better than the skills of the individual that configures it. You may leave gaping holes in your security posture without ever knowing it - simply because you don't know the product. And because it was 'free' - you get what you paid for and the support that goes along with it.
Don't forget your VPN users. They will have to be re-trained on a new, probably much more complicated VPN client because the Cisco client that they are using won't work with anything else.

Just buy the damned SmartNet and go have a beer to celebrate. Job done.



 
0
 
LVL 20

Accepted Solution

by:calvinetter
calvinetter earned 125 total points
ID: 18003717
Heartily agree w/ lrmoore & keith_alabaster, not only for the financial reasons, but from security & deployment/maintenance aspects.

>No firewall is any better than the skills of the individual that configures it.
  Absolutely!  And a good warning that needs to be taken seriously by everyone.
  Sure there are good solid open-source firewall solutions available, but none that I've seen have as clean & 'simple' VPN implementation, & they all require a general-purpose OS to run it, whether Linux or one of the free BSD flavors.  Don't get me wrong, I'm a great fan of Linux/Unix (have a few *nix boxes myself & in the past have used both Linux & *BSD as a home firewall), but all firewalls running on a regular OS are only as good as the underlying OS & just as importantly, how that OS is configured.  There can be an awful lot of work involved in hardening your particular OS to be considered safe enough to use as a production firewall & *keeping* it that way - this requires quite a lot of knowledge about the OS & your firewall implementation (iptables, ipfw, pf etc), & may require a lot of maintenance time on your part.

>...you have a steep learning curve to become proficient.
   Example is iptables: very capable & can be configured to be very secure, but PIX is overall simpler & out of the box correctly handles stateful inspection for not only all your regular traffic, but also for some problematic protocols.  You can setup DMZs & allow access to internal public servers quickly & easily, & don't have to wonder if it protects you from traffic with weird TCP options or specially-crafted packets.

   Some other major benefits of the PIX:
- *Entire config* can be exported to file, which can be imported to a new box in the *rare* event you have hardware die
- PIX doesn't have a traditional hard drive that may fail - config & OS reside in flash memory; yes there are some open-source platforms that come preconfigured with a compact flash drive, but these are pretty rare; some can run from CD, but there again is another storage medium running on moving parts that can & do fail.
- Entire PIX OS can be upgraded in 3-5 min flat, typically with no config changes whatsoever
- PIX 515 & above supports failover, with 7.x supporting active/active failover - features I daresay you won't find in an open-source platform
- Having SmartNet support entitles you to free software upgrades & free support - you can get 24/7 support with PIX experts always available.
- PIX OS is purpose-built to run a dedicated firewall appliance, with no support for many services w/ potential security risks found in a general-purpose OS.
- PIX 515 or above supports a VAC (VPN Accelerator Card) - try & find hardware-based encryption for an open-source platform!

  I had a client who had several Linux-based firewalls in place & at first was 100% against getting "an expensive commercial firewall", but when I pointed out the benefits of the PIX, they were immediately convinced & after getting the PIXes, they were extremely pleased, & some of the things that particularly impressed them were the client- & site-site VPN (stability & easy setup of the VPN client), the ease of upgrading the OS, etc.
  So as lrmoore said, bottom line is your best bet is to have SmartNet support on your PIX.

cheers
0
 

Author Comment

by:zorawar_bahadur
ID: 18004986

Thanks for all the wonderful input.

I am a little confused as to who to give the points to. :)

Can I buy SmartNet support directly from Cisco, or is that done by resellers?

How is it different from a normal Cisco upgrade contract?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18005015
We are always glad to help. Split the points amongst the other three contributors Zorawar as I simply passed on my view.

Regards
keith
0
 

Author Comment

by:zorawar_bahadur
ID: 18005076
Oh sorry, I didn't see the "Split points" option.

any views about SmartNet support?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18005388
> buy Smartnet support directly from Cisco or that is done by resellers?
If you don't already have it, you can purchase it from a reseller like cdw.com.
If you already have a support contract, you can extend it directly with Cisco.
SmartNet is Cisco's normal extended maintenance support.
0
