From: Jiann-Ming Su <sujiannming@gmail.com>
To: "Netfilter lista (iptables)" <netfilter@lists.netfilter.org>
Subject: Re: Iptables vs. Cisco PIX
Date: Fri, 8 Apr 2005 13:28:34 -0400
Message-ID: <561dc326050408102860ab8b4b@mail.gmail.com>
In-Reply-To: <038201c53c4c$6e94e540$0200a8c0@ale>
On Apr 8, 2005 11:05 AM, Alejandro Cabrera Obed <sisdis@tournet.com.ar> wrote:
> Hi people !!!
>
> This time I want to know your opinion about iptables vs. Cisco PIX....where
> would you use each of them ????
> Is it the same using iptables or PIX in big corporations with heavy Internet
> traffic ???? Which is considered the "best" and why ???
>
> I use iptables since a long time, but my network is under 50 workstations.
>
> Thanks for your comments, they're welcome.
>
From personal experience, iptables shrugs off SYN flood attacks better
than anything out there. You can't beat it for the price. A
colleague tested a PIX 550(?) and his Nokia running Checkpoint. We've
tested Checkpoint running on a quad Xeon Dell PowerEdge 6650. A DDoS
attack from an IRC bot will render them useless. Checkpoint is just
bad architecture. Even though you explicitly tell Checkpoint to drop
certain packets, Checkpoint will still add those dropped packets to
its connection table. You can try reducing the timeout, but we
haven't found it to be terribly useful. He also found that
SmartDefense just chokes HTTP traffic. The only Checkpoint product to
do better was SecurePlatform using Corrent's Turbocards. While the
connection table doesn't fill up on the PIX, the CPU still gets
overloaded, so you can't make new legitimate connections easily. I
don't know how the more industrial versions of PIX will do, though.
We have a quad PIII Dell PowerEdge 6450 running iptables protecting
the residence halls on a college campus. It gets SYN flooded
constantly, handles 90k peak connections, load average of 1.0, all on
1GB of RAM. The only shortcoming of iptables is the lack of distributed
management and the lack of a high availability solution. Distributed
management is only a problem if you're managing more than several
firewalls. And the lack of HA makes it harder to deploy iptables fully
in the enterprise.
--
Jiann-Ming Su
"I have to decide between two equally frightening options.
If I wanted to do that, I'd vote." --Duckman