[VPN] Re: Need Advice on a start point..

Jean-Francois Dive jef at linuxbe.org
Wed Mar 24 04:38:15 EST 2004


PIX less scalable? Well, it really depends on how you build your
configuration..

As for the problem discussed, I'd say that any decent, up-to-date SOHO
router/firewall should do, especially for 15 VPN users only /
speed-traffic requirements. I suppose it all depends on how much money
you want to spend, if any. I personally would put a plain stupid PC
(ok, a couple) and OpenBSD/Linux on it but...

J.

On Tue, Mar 23, 2004 at 01:30:30AM -0800, Michael Batchelder wrote:
> Good things about PIX:
> 
> Simplicity of having an appliance, rather than separate o/s and
> firewall software.  Some fw's say they're appliances, but PIX is
> the most convenient of the major fw vendors in this regard. One
> tftp and you're done.
> 
> Performance.  I'm going to assume your internet connection,
> based on your company size, is a T1 or maybe a couple mux'd
> T1's.  Your 515 should be able to pass packets in its sleep on
> that.  VPN performance should be fine, but if you find it
> lacking, you can throw in a PCI crypto accelerator for a mere
> grand...
> 
> Fail-over.  Very simple to do fail-over on a PIX 515.  Buy
> another PIX.  Plug in the serial fail-over cable or use a
> dedicated ethernet (don't use cross-over, though--obey the
> install guide!).  Although buying the 2nd PIX won't be cheap...
> 
> Support.  Cisco support is good, including documentation. 
> Better than Checkpoint.  Oh, did I mention better than
> Checkpoint?  And btw, it's better than Checkpoint.

Yeah, they rock (Cisco support)!

> 
> Administration.  Everything that a PIX can do can be config'd
> thru a command line UI, either on the console or via secure
> network connection (AES encrypted SSH).
> 
> Bad things about PIX:
> 
> Administration.  If you don't like command line UI's, you're not
> going to love the PIX.  There are graphical tools to manage it,
> but I find them all pretty lacking in one way or another.  I
> happen to not care about GUI tools.  You may.  Particularly
> because the PIX has its own... logic about how to set up rules. 
> Once you get into the mindset of PIX, it's fine.  But that takes
> some bending of your brain.  Someone wise once said to me, while
> I was learning PIXish: "The PIX is not a router.  It's a... 
> NAT'ing... thing."
> 
> Doesn't scale well to more than a few remote sites, unless you
> like writing Expect scripts or perl w/similar modules.
> 
> You'll pay for VPN clients on a per-seat basis.
> 
> Doesn't do SSL VPN if you want a "clientless" VPN solution.
> 
> Can't have a packet enter and exit the same interface.  Just the
> way the PIX packet forwarding code works.  So for example, no
> "secondary" interfaces for multiple layer 3 networks on a single
> layer 1/2 network.  Or whatever you're trying to do...  This has
> implications for hub-and-spoke VPN topologies.
> ---
> 
> That's what's off the top of my head.  Feel free to ask me
> specifics.  In general, as stateful packet filters go, it's a
> fine choice.
> 
> Michael
> 

-- 

-> Jean-Francois Dive
--> jef at linuxbe.org

  I think that God in creating Man somewhat overestimated his ability.
  -- Oscar Wilde



More information about the VPN mailing list