[VPN] Re: Need Advice on a start point..

Michael Batchelder piranhabros at yahoo.com
Tue Mar 23 04:30:30 EST 2004


Good things about PIX:

Simplicity of having an appliance, rather than separate o/s and
firewall software.  Some fw's say they're appliances, but PIX is
the most convenient of the major fw vendors in this regard. One
tftp and you're done.

Performance.  I'm going to assume your internet connection,
based on your company size, is a T1 or maybe a couple mux'd
T1's.  Your 515 should be able to pass packets in its sleep on
that.  VPN performance should be fine, but if you find it
lacking, you can throw in a PCI crypto accelerator for a mere
grand...

Fail-over.  Very simple to do fail-over on a PIX 515.  Buy
another PIX.  Plug in the serial fail-over cable or use a
dedicated ethernet (don't use cross-over, though--obey the
install guide!).  Although buying the 2nd PIX won't be cheap...

Support.  Cisco support is good, including documentation.
Better than Checkpoint.  Oh, did I mention better than
Checkpoint?  And btw, it's better than Checkpoint.

Administration.  Everything that a PIX can do can be config'd
thru a command line UI, either on the console or via secure
network connection (AES encrypted SSH).

Bad things about PIX:

Administration.  If you don't like command line UI's, you're not
going to love the PIX.  There are graphical tools to manage it,
but I find them all pretty lacking in one way or another.  I
happen to not care about GUI tools.  You may.  Particularly
because the PIX has its own... logic about how to set up rules.
Once you get into the mindset of PIX, it's fine.  But that takes
some bending of your brain.  Someone wise once said to me, while
I was learning PIXish: "The PIX is not a router.  It's a...
NAT'ing... thing."

Doesn't scale well to more than a few remote sites, unless you
like writing Expect scripts or perl w/similar modules.

You'll pay for VPN clients on a per-seat basis.

Doesn't do SSL VPN if you want a "clientless" VPN solution.

Can't have a packet enter and exit the same interface.  Just the
way the PIX packet forwarding code works.  So for example, no
"secondary" interfaces for multiple layer 3 networks on a single
layer 1/2 network.  Or whatever you're trying to do...  This has
implications for hub-and-spoke VPN topologies.
---

That's what's off the top of my head.  Feel free to ask me
specifics.  In general, as stateful packet filters go, it's a
fine choice.

Michael

