* Iptables vs. Cisco PIX
@ 2005-04-08 15:05 Alejandro Cabrera Obed
  2005-04-08 17:28 ` Jiann-Ming Su
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Alejandro Cabrera Obed @ 2005-04-08 15:05 UTC (permalink / raw)
  To: Netfilter lista (iptables)

Hi people!

This time I want to know your opinion about iptables vs. Cisco PIX. Where
would you use each of them?
Is it the same using iptables or PIX in big corporations with heavy Internet
traffic? Which is considered the "best" and why?

I have used iptables for a long time, but my network is under 50 workstations.

Thanks for your comments, they're welcome.

Finally, I suggest the tutorial from Jose Negreira at www.iptableslinux.com;
it's really good for people who are starting out in the iptables world.

Thanking you in advance,

Alejandro





^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Iptables vs. Cisco PIX
  2005-04-08 15:05 Iptables vs. Cisco PIX Alejandro Cabrera Obed
@ 2005-04-08 17:28 ` Jiann-Ming Su
  2005-04-08 18:59   ` John A. Sullivan III
  2005-04-08 19:42 ` Taylor, Grant
  2005-04-09 18:10 ` Francesco Ciocchetti
  2 siblings, 1 reply; 9+ messages in thread
From: Jiann-Ming Su @ 2005-04-08 17:28 UTC (permalink / raw)
  To: Netfilter lista (iptables)

On Apr 8, 2005 11:05 AM, Alejandro Cabrera Obed <sisdis@tournet.com.ar> wrote:
> Hi people!
> 
> This time I want to know your opinion about iptables vs. Cisco PIX. Where
> would you use each of them?
> Is it the same using iptables or PIX in big corporations with heavy Internet
> traffic? Which is considered the "best" and why?
> 
> I have used iptables for a long time, but my network is under 50 workstations.
> 
> Thanks for your comments, they're welcome.
>
 
From personal experience, iptables shrugs off SYN flood attacks better
than anything out there.  You can't beat it for the price.  A
colleague tested a PIX 550(?) and his Nokia running Checkpoint.  We've
tested Checkpoint running on a quad-Xeon Dell PowerEdge 6650.  A DDoS
attack from an IRC bot will render them useless.  Checkpoint is just
bad architecture.  Even though you explicitly tell Checkpoint to drop
certain packets, Checkpoint will still add those dropped packets to
its connection table.  You can try reducing the timeout, but we
haven't found it to be terribly useful.  He also found that
SmartDefense just chokes HTTP traffic.  The only Checkpoint product to
do better was SecurePlatform using Corrent's Turbocards.  While the
connection table doesn't fill up on the PIX, the CPU still gets
overloaded, so you can't make new legitimate connections easily.  I
don't know how the more industrial versions of PIX will do, though.

We have a quad-PIII Dell PowerEdge 6450 running iptables protecting
the residence halls on a college campus.  It gets SYN flooded
constantly, handles 90k peak connections, load average of 1.0, all on
1GB of RAM.  The only shortcoming of iptables is the lack of distributed
management and the lack of a high availability solution.  Distributed
management is only a problem if you're managing more than several
firewalls.  And the lack of HA makes it harder to deploy iptables fully
in the enterprise.
-- 
Jiann-Ming Su
"I have to decide between two equally frightening options. 
 If I wanted to do that, I'd vote." --Duckman


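The SYN-flood behaviour described above comes down to what the firewall does before a packet reaches its connection table. The script below is an added example, not code from Jiann-Ming Su's firewall or from anyone in the thread: it generates an iptables ruleset that drops junk in the raw table before conntrack sees it (so, unlike the Checkpoint behaviour described, a dropped packet creates no state entry), gives every source address its own SYN budget with the hashlimit match, and sizes and times out the conntrack table. The interface name, the protected network and the rate figures are assumptions; option names are those of current iptables, with the 2005-era names noted in comments.

```sh
#!/bin/sh
# Added example, not code from the thread. Generates an iptables ruleset for a
# Linux firewall that has to stay usable under a SYN flood. Prints the commands;
# run with APPLY=1 to execute them. All names and figures below are assumptions.
WAN=${WAN:-eth0}                   # untrusted interface
INSIDE=${INSIDE:-192.0.2.0/24}     # network behind the firewall (constructed)
SYN_RATE=${SYN_RATE:-25/second}    # new connections allowed per source address
SYN_BURST=${SYN_BURST:-50}

syn_flood_rules() {
    cat <<EOF
# SYN cookies protect sockets on the firewall itself (INPUT). Forwarded SYNs
# still reach the inside hosts, so for them the rate limit below is the guard.
sysctl -w net.ipv4.tcp_syncookies=1
# Size the state table for the expected peak and expire half-open entries fast
# so a flood cannot hold slots for long. 2.6-era names; newer kernels use
# net.netfilter.nf_conntrack_max and nf_conntrack_tcp_timeout_syn_recv.
sysctl -w net.ipv4.netfilter.ip_conntrack_max=131072
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv=30

# The raw table runs before connection tracking: a packet dropped here never
# creates a state entry, so the table only fills with traffic we chose to track.
iptables -t raw -A PREROUTING -i $WAN -p tcp --tcp-flags ALL NONE -j DROP
iptables -t raw -A PREROUTING -i $WAN -p tcp --tcp-flags ALL ALL -j DROP
iptables -t raw -A PREROUTING -i $WAN -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -t raw -A PREROUTING -i $WAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Source addresses that cannot legitimately arrive on the untrusted side.
iptables -t raw -A PREROUTING -i $WAN -s $INSIDE -j DROP
iptables -t raw -A PREROUTING -i $WAN -s 127.0.0.0/8 -j DROP

# Per-source SYN budget: hashlimit keeps one token bucket per source address,
# so a flooding host is throttled without starving everyone else (a single
# global 'limit' match would let the attacker use up the whole budget).
# --hashlimit-upto is the current spelling; 2005 iptables called it --hashlimit.
iptables -N SYN_GUARD
iptables -A SYN_GUARD -m hashlimit --hashlimit-name synguard --hashlimit-mode srcip --hashlimit-upto $SYN_RATE --hashlimit-burst $SYN_BURST --hashlimit-htable-expire 10000 -j RETURN
iptables -A SYN_GUARD -j DROP
iptables -A INPUT -i $WAN -p tcp --syn -j SYN_GUARD
iptables -A FORWARD -i $WAN -p tcp --syn -j SYN_GUARD

# Whatever conntrack cannot classify (stray ACKs from a reflected flood, late
# packets for expired half-open entries) is dropped, not tracked.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    syn_flood_rules | sh -e      # needs root; stops at the first failing rule
else
    syn_flood_rules
fi
```

Run it as-is to review the generated rules; APPLY=1 executes them. The hashlimit figures are a starting point: keep them above the new-connection rate a single legitimate client (or a NAT gateway in front of many clients) can produce, and watch the SYN_GUARD drop counters with iptables -vnL SYN_GUARD before tightening them.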

* Re: Iptables vs. Cisco PIX
  2005-04-08 17:28 ` Jiann-Ming Su
@ 2005-04-08 18:59   ` John A. Sullivan III
  0 siblings, 0 replies; 9+ messages in thread
From: John A. Sullivan III @ 2005-04-08 18:59 UTC (permalink / raw)
  To: Jiann-Ming Su, Netfilter lista (iptables)

On Fri, 2005-04-08 at 13:28 -0400, Jiann-Ming Su wrote:
> On Apr 8, 2005 11:05 AM, Alejandro Cabrera Obed <sisdis@tournet.com.ar> wrote:
<snip>
> We have a quad-PIII Dell PowerEdge 6450 running iptables protecting
> the residence halls on a college campus.  It gets SYN flooded
> constantly, handles 90k peak connections, load average of 1.0, all on
> 1GB of RAM.  The only shortcoming of iptables is the lack of distributed
> management and the lack of a high availability solution.  Distributed
> management is only a problem if you're managing more than several
> firewalls.  And the lack of HA makes it harder to deploy iptables fully
> in the enterprise.
Distributed management for iptables (and other firewalls) is exactly the
goal of the ISCS project (http://iscs.sourceforge.net).  The project
provides a more efficient administration tool than the most expensive
management frameworks like Solsoft, SmartPipes or Provider1 and is
entirely open source.

As my hours available for the project have reduced dramatically over the
last eight months, we (the seven other volunteers plus myself) could use
as much help as anyone can give.  If you are in need of distributed
management capability for iptables (as well as *swan, kernel IPSec,
iproute2, network level user authentication and some PKI management) or
have an academic interest and some time available, please contact me via
e-mail or phone.  Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com




* Re: Iptables vs. Cisco PIX
  2005-04-08 15:05 Iptables vs. Cisco PIX Alejandro Cabrera Obed
  2005-04-08 17:28 ` Jiann-Ming Su
@ 2005-04-08 19:42 ` Taylor, Grant
  2005-04-09 18:10 ` Francesco Ciocchetti
  2 siblings, 0 replies; 9+ messages in thread
From: Taylor, Grant @ 2005-04-08 19:42 UTC (permalink / raw)
  To: Alejandro Cabrera Obed, Netfilter lista (iptables)

I personally would not claim to know Cisco PIX in any way, shape or form, as I
have done VERY little work with them.  That being said, I have done a little
bit of work on PIXies (is that how you would say PIX plural?) and found them
to be more than a little bit odd.  I'm not saying that there is anything
wrong with them, I'm just not very comfortable working with them.  IMHO, if
my money is on the line I'm going to use a Linux box running IPTables and
IPRoute2 every time that I can.



Grant. . . .





* Re: Iptables vs. Cisco PIX
  2005-04-08 15:05 Iptables vs. Cisco PIX Alejandro Cabrera Obed
  2005-04-08 17:28 ` Jiann-Ming Su
  2005-04-08 19:42 ` Taylor, Grant
@ 2005-04-09 18:10 ` Francesco Ciocchetti
  2005-04-09 19:07   ` Grant Taylor
  2 siblings, 1 reply; 9+ messages in thread
From: Francesco Ciocchetti @ 2005-04-09 18:10 UTC (permalink / raw)
  To: Alejandro Cabrera Obed, Netfilter lista (iptables)

Alejandro Cabrera Obed wrote:

> Hi people!

Hi :)

I would say that while iptables is a set of blocks to build a wall,
Cisco PIX is a pre-built wall you just have to paint and let it shine.

Iptables certainly gives a lot of configuration and traffic-control
options that a Cisco PIX does not, and I think one cannot forget that an
iptables firewall is a complete Linux system with all the advantages
this brings, for example a crontab, scripting, and so on.

I think that, as always, the choice depends on your needs from the device.
If you need stateful firewall failover, your choice is made, because
iptables is not ready to do it yet while Cisco PIX does it in a clear
and fast way.

I would always use a Cisco PIX as border firewall because of its
reliability and performance, and also because I would not do specific or
particular filtering at this level of the network. I would instead use a
Linux/iptables firewall at 'user level' because it would let me do
ANYTHING I want, and because at this level I could, maybe, leave
stateful failover out to have the maximum flexibility possible.

bye




* Re: Iptables vs. Cisco PIX
  2005-04-09 18:10 ` Francesco Ciocchetti
@ 2005-04-09 19:07   ` Grant Taylor
  2005-04-10 11:06     ` Francesco Ciocchetti
  0 siblings, 1 reply; 9+ messages in thread
From: Grant Taylor @ 2005-04-09 19:07 UTC (permalink / raw)
  To: Francesco Ciocchetti; +Cc: Alejandro Cabrera Obed, Netfilter lista (iptables)

You make some very good points.  You are also correct in the fact that at your border firewall you need to be more liberal in what you let through, as you don't have the flexibility to shut down what comes in on a bulk pattern, but you could shut things down based on their destination, or have a small sub-chain set aside for each system and redirect traffic into each sub-chain depending on what system it is destined for.

As far as the redundancy / failover, you can accomplish much the same thing via VRRP in Linux with two firewalls configured identically.  In this case you would have two firewalls with their IPs on the network, both of which would be emulating a 3rd IP which would be the IP that all systems would use as their gateway.  This way the VRRP-enabled Linux nodes would constantly poll each other to make sure that they are alive and functional.  If one of them goes down the other takes up the slack in a very short amount of time (I'm not sure what it is, I think it's less than 30 seconds).  Granted I have never messed with VRRP myself, but from the reading that I have done on it this is EXACTLY what it is meant for.  Virtual Router Redundancy Protocol (VRRP) is the industry-standard equivalent of Cisco's Hot Standby Router Protocol (HSRP).  You can also look at some of the Linux clustering technologies but I don't think they are exactly appropriate here.

Of course there is also the fact that there are a LOT of people that know how to work with PIXies and could come in after you are hit by a Greyhound bus and take over, where there are relatively few people that could walk in and take over a complex Linux IPTables, IPRoute2, VRRP firewall.  But to each his own.



Grant. . . .




* Re: Iptables vs. Cisco PIX
  2005-04-09 19:07   ` Grant Taylor
@ 2005-04-10 11:06     ` Francesco Ciocchetti
  0 siblings, 0 replies; 9+ messages in thread
From: Francesco Ciocchetti @ 2005-04-10 11:06 UTC (permalink / raw)
  To: gtaylor, Netfilter lista (iptables)

Grant Taylor wrote:

> You make some very good points.  You are also correct in the fact that
> at your border firewall you need to be more liberal in what you let
> through, as you don't have the flexibility to shut down what comes in
> on a bulk pattern, but you could shut things down based on their
> destination, or have a small sub-chain set aside for each system and
> redirect traffic into each sub-chain depending on what system it is
> destined for.


What I tried to imagine is a situation where you can have both solutions
(PIX and iptables) without looking at money or knowledge. In such a
situation I would choose what I said: a PIX firewall to manage
'higher level' filtering, static configuration for public IPs and
filtering of 'Internet' access to public services.
I think that an iptables-based firewall is much more usable in the
opposite situation, where you need to filter traffic 'from users' to
'Internet or internal services', where you would like to use features
that PIX does not have, such as transparent firewalling, schedulers (Linux rulez ;) ),
special targets such as TARPIT, port-scan detection, filtering on time or
connections/IP, bytes/IP and so on...
The power of chains in iptables is something that is unreachable for PIX
& co., and there resides the flexibility of a Netfilter firewall, but it is
not as simple to understand and implement as 'access-list ...
access-group ...' commands are.

> As far as the redundancy / failover, you can accomplish much the
> same thing via VRRP in Linux with two firewalls configured
> identically.  In this case you would have two firewalls with their IPs
> on the network, both of which would be emulating a 3rd IP which would
> be the IP that all systems would use as their gateway.  This way the
> VRRP-enabled Linux nodes would constantly poll each other to make sure
> that they are alive and functional.  If one of them goes down the
> other takes up the slack in a very short amount of time (I'm not sure
> what it is, I think it's less than 30 seconds).  Granted I have never
> messed with VRRP myself, but from the reading that I have done on it
> this is EXACTLY what it is meant for.  Virtual Router Redundancy
> Protocol (VRRP) is the industry-standard equivalent of Cisco's Hot Standby Router
> Protocol (HSRP).  You can also look at some of the Linux clustering
> technologies but I don't think they are exactly appropriate here.
>
VRRP, and all the implementations of it that are available on Linux, can
give redundancy but not a stateful one.
In fact HSRP is used on Cisco routers but not on PIX firewalls. With the
ctnetlink libs it will be possible to have stateful failover also on
Linux/iptables, but it is not ready yet (unluckily).

> Of course there is also the fact that there are a LOT of people that
> know how to work with PIXies and could come in after you are hit by a
> Greyhound bus and take over, where there are relatively few people
> that could walk in and take over a complex Linux IPTables, IPRoute2,
> VRRP firewall.  But to each his own.
>
Yep, I think that there is an inverse relationship between iptables and
PIX firewalls, and I've seen it many times...
whoever knows how to work with a complex environment such as iptables + iproute2
+ VPN + VRRP will find PIX OS simple and fast, but the reverse is not true ;)
As usual... Linux/Netfilter opens your mind, the 'OTHERS' teach you how
to open or close a port ;)

>
>
> Grant. . . .
>
Bye


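The 'user level' features Francesco lists, together with Grant's one-sub-chain-per-system layout, fit in one ruleset. The generator below is an added example, not code from either poster or from the thread: a port-scan trap built on the recent match, office-hours web access with the time match, a per-source connection limit and a byte quota inside a per-host sub-chain, and a cron-friendly way to reset the quota. Interfaces, addresses and the trap ports are constructed. TARPIT is left out because it is a patch-o-matic / xtables-addons target rather than part of stock iptables; the option names are those of current iptables, and where the 2005 patch-o-matic module differed this is noted in a comment.

```sh
#!/bin/sh
# Added example, not code from the thread. Prints an iptables ruleset for a
# 'user level' firewall between a LAN and the Internet; run with APPLY=1 to
# execute it. Every interface, address and port below is an assumption.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
HOSTS=${HOSTS:-"192.168.1.10 192.168.1.11 192.168.1.12"}   # servers reachable from the WAN
SCAN_PORTS=${SCAN_PORTS:-"23,135,139,445,1433"}            # nothing listens here: a hit is a probe

user_level_rules() {
    # Anyone recorded in the 'scanners' list is dropped outright for a day.
    # (The recent module's list holds 100 addresses by default; raise
    # ip_list_tot on the module if that is too few for your WAN.)
    for chain in INPUT FORWARD; do
        echo "iptables -A $chain -i $WAN -m recent --name scanners --rcheck --seconds 86400 -j DROP"
    done
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Port-scan trap: a new connection to a port with no listener can only be a
    # probe, so record the source and drop the packet.
    for chain in INPUT FORWARD; do
        echo "iptables -A $chain -i $WAN -p tcp --syn -m multiport --dports $SCAN_PORTS -m recent --name scanners --set -j DROP"
    done

    # Time-based policy for users: web browsing only in office hours.
    # xt_time option names; the 2005 patch-o-matic ipt_time module used --days.
    echo "iptables -A FORWARD -i $LAN -o $WAN -p tcp -m multiport --dports 80,443 -m time --timestart 08:00 --timestop 19:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN -o $WAN -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset"

    # One sub-chain per protected server, selected by destination in FORWARD,
    # so each host's policy is readable on its own and can be changed alone.
    n=0
    for h in $HOSTS; do
        n=$((n + 1))
        echo "iptables -N HOST_$n"
        echo "iptables -A FORWARD -i $WAN -d $h -j HOST_$n"
        # connlimit: at most 10 concurrent SSH connections from any single /32.
        # (connlimit was a patch-o-matic match in 2005, mainline since 2.6.23.)
        echo "iptables -A HOST_$n -p tcp --dport 22 -m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset"
        # quota: the rule matches until 1 GiB has passed through this chain,
        # then stops matching and the traffic falls through to the DROP below.
        # Each chain has its own counter, which is what gives a per-host quota;
        # a nightly cron job can reset it by replacing the rule (-R HOST_$n 2 ...).
        echo "iptables -A HOST_$n -m quota --quota 1073741824 -j ACCEPT"
        echo "iptables -A HOST_$n -j DROP"
    done
    # Inbound traffic for any host without a sub-chain gets nothing.
    echo "iptables -A FORWARD -i $WAN -j DROP"
}

if [ "${APPLY:-0}" = 1 ]; then
    user_level_rules | sh -e     # needs root
else
    user_level_rules
fi
```

The order inside each HOST_n chain matters: the connlimit REJECT is checked before the quota ACCEPT, so an SSH client over the limit is refused even while the host still has quota, and once the quota is exhausted nothing in the chain accepts, so the host disappears from the WAN until the counter is reset.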

* RE: Iptables vs. Cisco PIX
@ 2005-04-11 13:41 Iptables
  2005-04-13 10:33 ` Moritz Gartenmeister
  0 siblings, 1 reply; 9+ messages in thread
From: Iptables @ 2005-04-11 13:41 UTC (permalink / raw)
  To: netfilter

Both (all) firewalls have their ups and downs... as an enterprise user,
I have used Check Point, Cisco PIX and iptables. The biggest difference
in all of them is learning curve, and a few features. Each firewall
works differently in everyone's environment (to a point), which basically
means: eval the firewall and see how it performs in your environment. I
run 22 iptables firewalls on Fedora Core 2 across 22 of my 35 remote
sites, and the rest are scheduled to have one installed by July. My
sites run from T1s to a full 45Mb DS3 with 24/7 connections that
include customers and support personnel. All of my sites except for the
1 DS3 run on Dell PowerEdge 700 servers ranging from P4 2.4GHz to P4
2.8GHz, all with 512MB memory, 4 NICs and small 40-80GB HDs. The
1 DS3 is connected to 2 Dell dual-Xeon 2.8GHz PowerEdge 2650s with
1GB memory. All of my firewalls' iptables configurations are done
manually from a file. I could not find a management console that would do
advanced iptables configuration and/or use the POM/POM-NG features. Most
were just vanilla programs that did basic NAT and packet filtering. I
also run multiple Cisco PIXes around my enterprise for different purposes
(some for ISP connections, others to block and DMZ customer connections,
and some to protect sensitive systems). Most are PIX 515s and a couple
of 525s. I have not seen any significant performance difference in
either system. The PIX has management consoles, but I use the command line to
configure mine, which is pretty simple.

The only real differences are configuration, troubleshooting connectivity
problems, maintenance, and high availability. You have to take
everything into consideration when considering which firewall to deploy.
The cost of running a PIX versus running Linux on a Dell or custom
server is higher, especially if you want high availability (10-15k);
then you have to think of maintenance costs. 

There is no "best", just firewalls with different feature sets for
different environments. To help, at my last company we migrated from 2
Cisco PIX in HA to 2 HA Check Points on Nokia IPSO (NG FP2). We saw no
difference in performance, but a great improvement in rule management
and ease of configuration. But upgrades from 4.1 to NG sucked, as did the
initial configuration and setup of all systems (mgmt server and 2
Nokias). All these were just firewalls with no VPN connections, because
there we had 2 Cisco concentrators. 
 
I would choose a Linux system with iptables before choosing a PIX or
Check Point solution. I can run things like NTOP, packet sniff with
Ethereal, run Snort and so much more... I like PIX and I like Check
Point and they will continue to be recommended firewalls from me for the
respective environment and cost benefit.

I am in the middle of implementing HA on my 2 firewalls here that are
connected to the DS3 on 2 Dell 2650s. I was at first using a shell
script I made to ping the interface and "do" based on the responses. I
am now getting ready to convert them over to VRRP and provide HA that
way. Next after that is to get Zebra installed and provide some extra
routing capabilities (BGP).

http://www.imagestream.com/VRRP.html

http://sourceforge.net/projects/vrrpd/

http://www.zebra.org/


Thanks,
Michael Brown, CISSP-ISSMP, ISSAP
Sr. Security Analyst
Fidelity IFS Security Operations








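Grant's description of VRRP, Francesco's point that it fails over the address but not the state, and Michael's plan to replace a ping script with VRRP all come together in one example. This is added code, not from any of the posters: keepalived is used as the VRRP implementation (an assumption; the vrrpd linked above does the same job), 'keepalived_conf' prints the configuration for one node, and 'fw_failover' is the notify script keepalived runs on a state change. The interface, the virtual address and the ruleset path are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread. Two identically configured Linux
# firewalls share one gateway address with VRRP (keepalived assumed as the
# implementation). Usage:
#   ./fw-vrrp.sh conf master  > /etc/keepalived/keepalived.conf   (on node A)
#   ./fw-vrrp.sh conf backup  > /etc/keepalived/keepalived.conf   (on node B)
#   ./fw-vrrp.sh notify master            what keepalived calls on takeover
IFACE=${IFACE:-eth1}                       # LAN side: clients use the VIP as gateway
VIP=${VIP:-192.168.1.1/24}                 # the virtual gateway address (constructed)
RULES=${RULES:-/etc/firewall/rules.v4}     # shared ruleset, identical on both nodes (assumed path)

keepalived_conf() {  # $1 = master | backup
    case "$1" in
        master) state=MASTER prio=150 ;;
        backup) state=BACKUP prio=100 ;;
        *) echo "usage: keepalived_conf master|backup" >&2; return 1 ;;
    esac
    cat <<EOF
vrrp_instance FW_LAN {
    state $state
    interface $IFACE
    # virtual_router_id must match on both nodes and be unique per LAN segment.
    virtual_router_id 51
    # Higher priority wins the election; the original master preempts on return.
    priority $prio
    # One advertisement per second. A peer is declared dead after three missed
    # advertisements, so takeover takes a few seconds, not the 30 guessed above.
    advert_int 1
    virtual_ipaddress {
        $VIP dev $IFACE
    }
    notify_master "/usr/local/sbin/fw-failover master"
    notify_backup "/usr/local/sbin/fw-failover backup"
    notify_fault  "/usr/local/sbin/fw-failover fault"
}
EOF
}

fw_failover() {  # $1 = master | backup | fault, passed by keepalived
    case "$1" in
        master)
            # Re-apply the shared ruleset so the new master is byte-for-byte the
            # node it replaces. VRRP moves only the address: connection-tracking
            # state stays on the old master, so flows that were mid-stream arrive
            # here with no conntrack entry and are judged by the rules as NEW or
            # INVALID. That is the stateful-failover gap discussed above.
            [ "${DRY_RUN:-0}" = 1 ] || iptables-restore < "$RULES"
            ;;
        backup|fault) ;;
        *) echo "fw_failover: unknown state '$1'" >&2; return 1 ;;
    esac
    logger -t fw-failover "VRRP state -> $1" 2>/dev/null || true
    echo "$1"
}

case "${1:-}" in
    conf)   keepalived_conf "$2" ;;
    notify) fw_failover "$2" ;;
esac
```

Both nodes run the same rules file; only the priority line differs, which is what keeps the pair "configured identically". Because conntrack entries are not replicated, connections that were in progress through the failed node are re-evaluated from scratch on the takeover node; conntrackd, built on the ctnetlink interface Francesco mentions, later closed that gap by copying the state table between the two firewalls.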

* Re: Iptables vs. Cisco PIX
  2005-04-11 13:41 Iptables
@ 2005-04-13 10:33 ` Moritz Gartenmeister
  0 siblings, 0 replies; 9+ messages in thread
From: Moritz Gartenmeister @ 2005-04-13 10:33 UTC (permalink / raw)
  Cc: netfilter

hi

I'm using a PIX at my border. I'm using it for NAT (as it is built for this) and for simple access
control. Behind the PIX I run iptables for logging, shaping, filtering etc...

I would recommend Cisco if you need support and high availability, but no nice features.

If you need extra features such as shaping, logging, scripting etc., then I would recommend iptables. You
can do much more with iptables, but this brings up some problems (such as compatibility, dependencies
etc.); but if you are not happy with one feature, you can change it ;-)

cheers
moritz


