|In article , Brian Bergin wrote:
|
|:I for one am actively looking for a new vendor given the long lack of support for
|:common protocols like ESMTP in the PIX. Too many other vendors like Juniper
|:with their Netscreen brand have highly regarded firewalls at 1/2 the cost of a
|:similar PIX and more features than 6.3.4 offer.
|
|Which Netscreen model would that be?
|
|According to the netscreen-5 comparison chart:
|
|HSC: 5 internal IPs, 2 VPN tunnels, ?? mapped IPs, 1000 sessions,
|50 Mbit/s cleartext, 10 Mbit/s 3DES
| from $US328 street (according to
|
|5GT: 10 internal IPs, 10 VPN tunnels, 32 mapped IPs, 2000 sessions,
|75 Mbit/s cleartext, 20 Mbit/s 3DES
| from $US412 street (according to
|
|My accumulated notes have:
|
|PIX 501: 10 internal IPs, 10 VPN tunnels, mapped IPs not limited,
|sessions not limited, 60 Mbit/s cleartext, 3 Mbit/s 3DES
| from $US337 (according to
|
|The street price difference between the PIX 501 and Netscreen HSC is small
|enough to be negligible, less than the range of a typical corporate
|discount. The PIX 501 is, though, faster than the HSC, supports twice
|the number of internal users, 5 times as many tunnels, and unlimited
|sessions. Essentially the Netscreen HSC is trying to compete
|at about the level of the Cisco VPN 3002 or Linksys BEFSX41.
|
|The closest comparison to the PIX 501 would appear to be the
|Netscreen 5GT, which is a bit faster (especially on 3DES), but
|has the 2000 session limit and the 32 mapped IP limit. And it isn't
|"half the cost" of the 501, it is 25% higher cost.
|
|What does the difference in "sessions" mean in practice?
|I'm not sure -- but I just checked a PIX 501-50 (50 user
|license) that was last rebooted Thursday evening
|(with Friday and today (Monday) both being holidays for us
|and no regularly scheduled work on weekends.) It shows 1792
|sessions peak over that non-busy time. A different 501-50
|which was last rebooted a couple of months ago shows
|a peak of over 5000 sessions.
|
|The PIX 501 has optional licenses for 50 users or
|unlimited users; the Netscreen 5GT has an optional license
|for unlimited users, and a different optional license
|to double the sessions -- up to 4000.
|
|After that one starts getting into the Netscreen 25, which
|is probably best compared to the PIX 506E. But even the
|Netscreen 25 Baseline (stripped-down software) starts at
|$US1800 street, compared to $US800 for the PIX 506E.
|
|If you want to get into a "how many physical interfaces"
|discussion, then you are talking about the PIX 515E,
|525, or 535 -- all of which -are- supported in PIX 7.0.
|
|The Netscreen series does appear to have some nice features, but down
|at the end of the market where the 501 and 506E live, I do not think
|you are going to find a Netscreen with comparable or better features
|for "half of the price" of the corresponding PIX.

Prices have changed since we bought our PIXs. At the time Netscreen, not part of Juniper at the time, was much less expensive than PIX, but we bought the PIX based on reputation and the 501 only supported 50 users at the time. I've not seen the unlimited 501 license. It'd have to be very cheap, as the cost of 50 users brings the 501 to almost the cost of a 506E with more RAM and a faster CPU (I'm not even sure why they sell a 50 user 501 when the 506E is so close, other than to upgrade an existing one, but I'd sell and buy new before I did that, I believe).

Now, I'm told that Cisco is planning on 50x support by 7.1 (TAC told me this last night). The concern is how long before 7.1 ships? They've not answered that yet. I truly hope it's not as long as 6.3.4 to 7.0. ESMTP support is what we're after. Cisco has ignored it for far too many years.

In article , Brian Bergin wrote:
:I've not seen the unlimited 501 license.

I find references dating back to about June 2003, with support from PIX 6.3(1).

:It'd have to be very cheap as the cost of 50
:users brings the 501 to almost the cost of a 506E with more RAM and a faster CPU

I have said pretty much the same thing several times -- that by the time you would want a 501 unlimited, you should probably want a 506E instead.

:I truly hope it's not as long as 6.3.4 to 7.0.

I would expect longer. 6.3(4) was end of July 2004. Cisco is fond of late-July release dates; their cycle appears to be at least one year per generation. I have no inside information at all on this matter, but past history suggests to me that 7.1 will not show until at least the end of February 2006 -- not unless 7.0.x itself is very short lived.

:ESMTP support is what
:we're after. Cisco has ignored it for far too many years.

We turned off the smtp fixup long ago, and simply put in a mail system we had source to and could update at need. There has not been much activity in the way of holes in email systems that would have been proactively prevented by an ESMTP fixup -- most of the holes I can recall for the last couple of years either would have gotten through anyhow, or else required inside access (e.g., privilege elevations by creative .forward files.)

Would I have concern about an Exchange server? Sure, but I don't run Exchange servers for a variety of reasons. If ESMTP fixup was high on my priority list, then I'd just drop in a BSD box that acted as a mail relay and filter in front of the untrusted mail server. Unless, that is, the untrusted mail server needed a secret Microsoft handshake or decoder ring or sea monkeys or something like that, (in which case I'd be asking myself serious questions about why that feature was being relied upon.)

