Solved

open source replacement for PIX needed

Posted on 2006-11-22
Last Modified: 2013-11-16
Hi,

I have a PIX firewall

Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

For financial reasons my boss wants it replaced with an open source one.

I want to know the following:

1. Should I buy server hardware like a dual core machine with 4 Gb memory etc., or just buy a Dell machine and install the firewall on it?

2. The PIX right now has three DMZs and a setup for VPN connections so that others can connect to it remotely, so I would need a firewall which has DMZ support and VPN support as well.

3. What are the various good software-based firewalls in the open source world? I know about iptables and some others, but is there any which provides the same facilities as PIX in terms of features? It would be great if the command line configuration is also the same.

Question by:zorawar_bahadur
8 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18001297
Sorry if this is a pompous-sounding view, but nothing out in the 'free' area is going to match the capabilities/functions/performance etc. provided by 'probably' the best firewall in the world.
 
LVL 3

Expert Comment

by:bugsaif
ID: 18001468
>1. Should I buy server hardware like a dual core machine with 4 Gb memory etc., or just buy a Dell machine and install the firewall on it?
     
      A firewall is not entirely about horsepower...

>2. The PIX right now has three DMZs and a setup for VPN connections so that others can connect to it remotely, so I would need a firewall which has DMZ support and VPN support as well.
>3. What are the various good software-based firewalls in the open source world? I know about iptables and some others, but is there any which provides the same facilities as PIX in terms of features? It would be great if the command line configuration is also the same.

    Try these... they have what you're looking for...

    Recommended
    IPCop: http://www.ipcop.org/
    SmoothWall: http://www.smoothwall.org/

    Others
    ClarkConnect: http://www.clarkconnect.com/community/
    m0n0wall: http://m0n0.ch/wall/
    Shoreline Firewall: http://shorewall.net/


    You may find an open source firewall with a somewhat comparable featureset to the PIX... but it is unlikely you'll find an open source firewall with a similar CLI... Huawei tried imitating the Cisco IOS cli and got sued...
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 125 total points
ID: 18002802
If you have to buy a server platform to run the "free" software - then you've still spent MORE money than you would to buy SmartNet maintenance on the PIX that you already own for the next 3 years.

Argument  - "for financial reasons" is invalid

Sorry, but I just don't get it...

There is no such thing as a free software based PIX. The only open source software is linux based iptables/ipchains, then find a different solution for the VPN component - I'm sure they're out there.

You already own the best firewall on the market. I'm assuming it is still functioning and doing its job.
You already know how to use it
Your skill set is geared toward the PIX command line. If you try to change gears and re-learn everything you know about firewalls, learning Linux, ipchains and other open-source VPN software (and the open-source VPN clients as well), then you have a steep learning curve to become proficient. No firewall is any better than the skills of the individual that configures it. You may leave gaping holes in your security posture without ever knowing it - simply because you don't know the product. And because it was 'free' - you get what you paid for and the support that goes along with it.
Don't forget your VPN users. They will have to be re-trained on a new, probably much more complicated VPN client because the Cisco client that they are using won't work with anything else.

Just buy the damned SmartNet and go have a beer to celebrate. Job done.

 
LVL 20

Accepted Solution

by:calvinetter
calvinetter earned 125 total points
ID: 18003717
Heartily agree w/ lrmoore & keith_alabaster, not only for the financial reasons, but from security & deployment/maintenance aspects.

>No firewall is any better than the skills of the individual that configures it.
  Absolutely!  And a good warning that needs to be taken seriously by everyone.
  Sure there are good solid open-source firewall solutions available, but none that I've seen have as clean & 'simple' VPN implementation, & they all require a general-purpose OS to run it, whether Linux or one of the free BSD flavors.  Don't get me wrong, I'm a great fan of Linux/Unix (have a few *nix boxes myself & in the past have used both Linux & *BSD as a home firewall), but all firewalls running on a regular OS are only as good as the underlying OS & just as importantly, how that OS is configured.  There can be an awful lot of work involved in hardening your particular OS to be considered safe enough to use as a production firewall & *keeping* it that way - this requires quite a lot of knowledge about the OS & your firewall implementation (iptables, ipfw, pf etc), & may require a lot of maintenance time on your part.

>...you have a steep learning curve to become proficient.
   Example is iptables: very capable & can be configured to be very secure, but PIX is overall simpler & out of the box correctly handles stateful inspection for not only all your regular traffic, but also for some problematic protocols.  You can set up DMZs & allow access to internal public servers quickly & easily, & don't have to wonder if it protects you from traffic with weird TCP options or specially-crafted packets.

   Some other major benefits of the PIX:
- *Entire config* can be exported to file, which can be imported to a new box in the *rare* event you have hardware die
- PIX doesn't have a traditional hard drive that may fail - config & OS reside in flash memory; yes there are some open-source platforms that come preconfigured with a compact flash drive, but these are pretty rare; some can run from CD, but there again is another storage medium running on moving parts that can & do fail.
- Entire PIX OS can be upgraded in 3-5 min flat, typically with no config changes whatsoever
- PIX 515 & above supports failover, with 7.x supporting active/active failover - features I daresay you won't find in an open-source platform
- Having SmartNet support entitles you to free software upgrades & free support - you can get 24/7 support with PIX experts always available.
- PIX OS is purpose-built to run a dedicated firewall appliance, with no support for many services w/ potential security risks found in a general-purpose OS.
- PIX 515 or above supports a VAC (VPN Accelerator Card) - try & find hardware-based encryption for an open-source platform!

  I had a client who had several Linux-based firewalls in place & at first were 100% against getting "an expensive commercial firewall", but when I pointed out the benefits of the PIX, they were immediately convinced & after getting the PIXes, they were extremely pleased, & some of the things that particularly impressed them were the client- & site-site VPN (stability & easy setup of the VPN client), the ease of upgrading the OS, etc.
  So as lrmoore said, bottom line is your best bet is to have SmartNet support on your PIX.

cheers
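To make concrete what lrmoore and calvinetter mean by having to build the stateful inspection and DMZ separation yourself on iptables, here is an added example (not code from anyone in this thread): a POSIX shell script that emits an iptables-restore ruleset mirroring the PIX security-level model for an outside interface, three DMZs and an inside interface. The interface names eth0 to eth4, the security levels and the two web-server exceptions are constructed assumptions, not the asker's real configuration.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset that
# mirrors the PIX "security level" model on a Linux box with an outside
# interface, three DMZs and an inside interface. Interface names and levels
# are constructed assumptions, not the asker's real PIX configuration.

# zone:interface:security-level; a higher level may open connections to a
# lower one, never the reverse, and equal levels (the three DMZs) stay isolated.
ZONES="outside:eth0:0 dmz1:eth1:50 dmz2:eth2:50 dmz3:eth3:50 inside:eth4:100"

# Explicit holes from a lower to a higher level, the equivalent of a PIX
# access-list applied to the outside interface: srczone:dstzone:proto:port
EXCEPTIONS="outside:dmz1:tcp:80 outside:dmz1:tcp:443"

zone_if() {  # print the interface that belongs to zone $1
  for z in $ZONES; do
    r=${z#*:}
    [ "${z%%:*}" = "$1" ] && { echo "${r%%:*}"; return 0; }
  done
  return 1
}

gen_ruleset() {
  echo '*filter'
  echo ':INPUT DROP [0:0]'    # default deny to the box itself (add mgmt rules)
  echo ':FORWARD DROP [0:0]'  # default deny between zones, as on the PIX
  echo ':OUTPUT ACCEPT [0:0]'
  # Stateful inspection: drop broken state, pass replies to permitted flows
  echo '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
  echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  for src in $ZONES; do
    sn=${src%%:*}; r=${src#*:}; si=${r%%:*}; sl=${r#*:}
    for dst in $ZONES; do
      dn=${dst%%:*}; r=${dst#*:}; di=${r%%:*}; dl=${r#*:}
      [ "$sl" -gt "$dl" ] || continue   # only higher -> lower may open flows
      echo "-A FORWARD -i $si -o $di -m conntrack --ctstate NEW" \
           "-m comment --comment \"$sn->$dn\" -j ACCEPT"
    done
  done
  for e in $EXCEPTIONS; do
    sn=${e%%:*}; r=${e#*:}; dn=${r%%:*}; r=${r#*:}; proto=${r%%:*}; port=${r#*:}
    echo "-A FORWARD -i $(zone_if "$sn") -o $(zone_if "$dn") -p $proto --dport $port" \
         "-m conntrack --ctstate NEW -m comment --comment \"$sn->$dn $proto/$port\" -j ACCEPT"
  done
  echo 'COMMIT'
}

# gen_ruleset > /tmp/rules.v4   # then, as root: iptables-restore < /tmp/rules.v4
```

The generated file contains no rule from a lower to a higher level except the listed exceptions, and none between the equal-level DMZs, which is what the PIX gives you implicitly from the interface security levels.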
 

Author Comment

by:zorawar_bahadur
ID: 18004986

Thanks for all the wonderful input.

I am a little confused as to who to give the points to. :)

Can I buy Smartnet support directly from Cisco or that is done by resellers?

how is it different from normal upgrade contract of cisco?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18005015
We are always glad to help. Split the points amongst the other three contributors Zorawar as I simply passed on my view.

Regards
keith
 

Author Comment

by:zorawar_bahadur
ID: 18005076
oh sorry I didn't see the "Split points" option.

any views about SmartNet support?
 
LVL 79

Expert Comment

by:lrmoore
ID: 18005388
> buy Smartnet support directly from Cisco or that is done by resellers?
If you don't already have it, you can purchase it from a reseller like cdw.com
If you already have a support contract you can extend it directly with Cisco
Smartnet is Cisco's normal extended maintenance support.