PIX vs OpenBSD

In article , goooo wrote:
:This question has probably been asked many times.

:I'm trying to justify purchasing a 3-NIC'ed DMZ 515e against an OpenBSD firewall.

As you note, PIXes are basically slightly-specialized PCs. The NICs and VPN accelerators are not magic ASICs: they are cards that Cisco has bought from other manufacturers. Cisco is not necessarily using the manufacturer's drivers, though -- indeed, that is unlikely.

The main functional difference between a PIX and a PC running Windows or a Unix is that in the Windows or Unix case, the operating system is designed to pass packets unless the packets are blocked. In the PIX case, the [real-time] operating system is designed to block packets unless the packets pass muster. The PIX is "deny upon failure" whereas the PC/Unix case is "permit upon failure".

According to the product literature (somewhere buried), the PIX does not simply forward on packets after re-writing, but instead actively builds new packets and sends those to the destination.

Another important consideration is that the PIX software is already built and has years of testing put into it. In the case of a low-end PIX such as a 501 or 506e or 515e, you probably could not duplicate the functionality for less money [in salaries] than it would cost to buy one of the devices.

To take a brief example: if you were to try to do security via RSA-type device certificates, you would find that the open source CA project 'openCA' is not configured for *BSD, and that it needs to be whacked into submission to get it to compile... and then you have to figure out how to run it.

On the other hand, if you really only need a small fraction of the facilities in a PIX, or if you are going to be deploying -lots- of the devices, then it might be worth the salary investment to build all the pieces yourself, put it through all the tests you can think of, and then deploy. Mind you, if you have -lots- of devices, then chances are you have lots of "value" to protect, and you should balance out a fair assessment of the security expertise of your programmers/designers against the cost-weighted risks that a [well-tested] PIX would have withstood an attack that a home-brew would not.

Walter Roberson
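As an added illustration, not part of either poster's message: this is what Walter's "deny upon failure" posture looks like when you build it yourself on OpenBSD with pf, for the three-interface (outside / inside / DMZ) layout goooo is pricing against a 515e. Everything here is assumed for the example: the interface names, the DMZ web server address (a constructed documentation address), and the omission of NAT. The key line is `block log all`; without an explicit default-deny rule a pf box behaves exactly as Walter describes the PC/Unix case, passing whatever no rule blocks.

```pf
# Assumed interface names; adjust to the hardware actually in the box.
ext_if = "em0"    # Internet-facing
int_if = "em1"    # internal LAN
dmz_if = "em2"    # DMZ holding the public web server
webserver = "192.0.2.10"   # constructed example address in the DMZ

set skip on lo
scrub in all

# Default deny. This single rule turns the box from "permit upon failure"
# into "deny upon failure": a packet is dropped (and logged) unless a later,
# more specific rule passes it. Every rule below is an explicit exception.
block log all

# Drop packets arriving on the wrong interface for their source address
# (e.g. internal or DMZ addresses showing up on the outside).
antispoof quick for { $int_if, $dmz_if }

# Internal hosts may initiate connections anywhere; the state entry that
# pf creates is what lets the replies back in through the default deny.
pass in on $int_if from $int_if:network
pass out on $ext_if from $int_if:network
pass out on $dmz_if from $int_if:network

# The Internet may reach only the DMZ web server, and only on 80/443.
# Nothing else inbound on $ext_if matches a pass rule, so it is blocked.
pass in  on $ext_if proto tcp to $webserver port { 80 443 }
pass out on $dmz_if proto tcp to $webserver port { 80 443 }

# Note what is deliberately absent: no rule lets the DMZ initiate
# connections into the internal LAN, so a compromised web server cannot
# reach inward. That silence is the point of starting from "block all".
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules actually loaded and `tcpdump -n -e -ttt -i pflog0` shows what the default-deny rule is dropping, which is the quickest way to find a needed exception you forgot rather than opening the policy back up.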

This question has probably been asked many times.

I'm trying to justify purchasing a 3-NIC'ed DMZ 515e against an OpenBSD firewall. Configuring an OBSD firewall is a no-brainer; the only problems I've had in the past are trying to get reliable hardware or debug some kernel panic of a newly installed box. (Well, it doesn't help when you're using left-over hardware.) That's the only reason why I'm considering PIX, due to the reliability. I've been researching the PIX architecture, and it seems like it's made from regular x86 hardware. With that fact, would there be not much of a speed difference between an OBSD box and PIX? For some reason I kept on thinking PIX had ASIC (application specific technology).

goooo
