[VPN] Re: Need Advice on a start point..
Jean-Francois Dive
jef at linuxbe.org
Wed Mar 24 04:38:15 EST 2004
PIX less scalable? Well, it really depends on how you build your
configuration...
As for the problem discussed, I'd say that any decent, up-to-date SOHO
router/firewall should do, especially for 15 VPN users only and the
speed/traffic requirements. I suppose it all depends on how much money
you want to spend, if any. I personally would put a plain stupid PC
(OK, a couple) with OpenBSD/Linux on it, but...
J.
On Tue, Mar 23, 2004 at 01:30:30AM -0800, Michael Batchelder wrote:
> Good things about PIX:
>
> Simplicity of having an appliance, rather than separate o/s and
> firewall software. Some fw's say they're appliances, but PIX is
> the most convenient of the major fw vendors in this regard. One
> tftp and you're done.
>
> Performance. I'm going to assume your internet connection,
> based on your company size, is a T1 or maybe a couple mux'd
> T1's. Your 515 should be able to pass packets in its sleep on
> that. VPN performance should be fine, but if you find it
> lacking, you can throw in a PCI crypto accelerator for a mere
> grand...
>
> Fail-over. Very simple to do fail-over on a PIX 515. Buy
> another PIX. Plug in the serial fail-over cable or use a
> dedicated ethernet (don't use cross-over, though--obey the
> install guide!). Although buying the 2nd PIX won't be cheap...
>
> Support. Cisco support is good, including documentation.
> Better than Checkpoint. Oh, did I mention better than
> Checkpoint? And btw, it's better than Checkpoint.
Yeah, they rock (Cisco support)!
>
> Administration. Everything that a PIX can do can be config'd
> thru a command line UI, either on the console or via secure
> network connection (AES encrypted SSH).
>
> Bad things about PIX:
>
> Administration. If you don't like command line UI's, you're not
> going to love the PIX. There are graphical tools to manage it,
> but I find them all pretty lacking in one way or another. I
> happen to not care about GUI tools. You may. Particularly
> because the PIX has its own... logic about how to set up rules.
> Once you get into the mindset of PIX, it's fine. But that takes
> some bending of your brain. Someone wise once said to me, while
> I was learning PIXish: "The PIX is not a router. It's a...
> NAT'ing... thing."
>
> Doesn't scale well to more than a few remote sites, unless you
> like writing Expect scripts or perl w/similar modules.
>
> You'll pay for VPN clients on a per-seat basis.
>
> Doesn't do SSL VPN if you want a "clientless" VPN solution.
>
> Can't have a packet enter and exit the same interface. Just the
> way the PIX packet forwarding code works. So for example, no
> "secondary" interfaces for multiple layer 3 networks on a single
> layer 1/2 network. Or whatever you're trying to do... This has
> implications for hub-and-spoke VPN topologies.
> ---
>
> That's what's off the top of my head. Feel free to ask me
> specifics. In general, as stateful packet filters go, it's a
> fine choice.
>
> Michael
>
>
--
-> Jean-Francois Dive
--> jef at linuxbe.org
I think that God in creating Man somewhat overestimated his ability.
-- Oscar Wilde
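The "doesn't scale to more than a few remote sites unless you like writing Expect scripts" point above is about the per-site stanzas a PIX needs for each IPsec peer. The generator below is an added example, not code from either poster: it renders the per-site access-list, crypto map and isakmp key lines from a small site table so they can be pasted (or pushed by an Expect-style session) consistently. The site table, addresses and pre-shared keys are constructed; the command syntax is PIX 6.x as remembered here, and it is an assumption that it matches your software train, so check it against the install guide before using it on a real firewall.

```python
"""Render per-site PIX 6.x IPsec stanzas from a site table.

Hypothetical generator (not from the thread). The PIX command syntax is
written from memory of the 6.x train and is an assumption to verify
against the documentation; the sites, networks and keys are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Site:
    name: str         # short label, used to name the crypto ACL
    peer: str         # remote VPN endpoint's outside address
    remote_net: str   # remote LAN in CIDR form, e.g. "10.1.0.0/24"
    psk: str          # pre-shared key; in real use pull this from a vault


# Hub LAN behind the PIX 515 (constructed) and the name of a transform-set
# assumed to already exist in the running config.
HUB_NET = IPv4Network("10.0.0.0/24")
TRANSFORM_SET = "strong"
CRYPTO_MAP = "vpnmap"


def _addr_mask(net: IPv4Network) -> str:
    """PIX 6.x ACLs take 'network netmask', not CIDR or wildcard masks."""
    return f"{net.network_address} {net.netmask}"


def render_site(site: Site, seq: int) -> list[str]:
    """Return the config lines for one remote site at crypto map sequence seq."""
    remote = IPv4Network(site.remote_net)
    if remote.overlaps(HUB_NET):
        raise ValueError(f"{site.name}: remote net overlaps the hub LAN")
    acl = f"vpn-{site.name}"
    hub, rem = _addr_mask(HUB_NET), _addr_mask(remote)
    return [
        # interesting traffic for this peer
        f"access-list {acl} permit ip {hub} {rem}",
        # exempt the same traffic from NAT (assumes 'nat (inside) 0 access-list nonat')
        f"access-list nonat permit ip {hub} {rem}",
        f"crypto map {CRYPTO_MAP} {seq} ipsec-isakmp",
        f"crypto map {CRYPTO_MAP} {seq} match address {acl}",
        f"crypto map {CRYPTO_MAP} {seq} set peer {site.peer}",
        f"crypto map {CRYPTO_MAP} {seq} set transform-set {TRANSFORM_SET}",
        f"isakmp key {site.psk} address {site.peer} netmask 255.255.255.255",
    ]


def render_all(sites: list[Site]) -> str:
    """Render every site with sequence numbers 10, 20, 30, ... and sanity checks."""
    names = [s.name for s in sites]
    if len(set(names)) != len(names):
        raise ValueError("duplicate site names would produce colliding ACL names")
    peers = [s.peer for s in sites]
    if len(set(peers)) != len(peers):
        raise ValueError("one peer address cannot appear in two crypto map entries")
    nets = [IPv4Network(s.remote_net) for s in sites]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"remote nets {a} and {b} overlap")
    lines: list[str] = []
    for i, site in enumerate(sites):
        lines.extend(render_site(site, 10 * (i + 1)))
    return "\n".join(lines)


# Constructed sample sites; addresses are documentation ranges, keys are fake.
SITES = [
    Site("branch-a", "203.0.113.10", "10.1.0.0/24", "ExampleKeyA-not-real"),
    Site("branch-b", "203.0.113.20", "10.2.0.0/24", "ExampleKeyB-not-real"),
]

if __name__ == "__main__":
    print(render_all(SITES))
```

Because the PIX will not forward a packet back out the interface it arrived on (the hairpinning limitation mentioned above), this hub config only gives each spoke a tunnel to the hub LAN; spoke-to-spoke traffic needs its own crypto map entries on the spokes rather than a path through the hub.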