Re: [nsp] Cisco PIX feedback request

From: A Routerman (routerman@briefcase.com)
Date: Sun Jan 07 2001 - 22:46:31 EST


Couple of comments for you all. I've only worked with Checkpoint FW-1 and PIX so that's the only area I can speak from with experience. Many other fine products out there I'm sure.

Ultimately it depends on what features you need and what performance level you are looking for.

The PIX is ok - it works great most of the time but has its share of problems.

A couple of specifics - debugs for any period of time will kill the outbound interface; you'll have to reboot the PIX to fix it. While SSH is included in the 5.23 series - you can't use it in certain configurations (mine being one of them).

The failover PIX is inexpensive and very nice. The only issue which we have with it is the VPN tunnels do not reestablish between remote sites and the PIX that fails over. It's a security issue/feature - helps ensure someone can't take over your VPN tunnel. I.e. when a PIX fails over - we have to manually clear out the Security Associations and let the tunnels reestablish. Also upgrading the IOS requires rebooting the PIX and breaking out of the boot sequence - then tftp'ing.

The IOS has a few bugs. The biggest for us was the SMTP fixup and the alias command breaking in 5.2.X - the alias problem is supposed to be fixed in the 6.0.x code just released. The VPN part works great but a bit slow!!!

The management of the PIX is only so-so. They make a manager that doesn't work on W2K, no traceroute capabilities on the PIX, difficult to track free memory and other similar helpful items...

Aside from our outbound interface not transferring traffic 4 times over the past 6 months - the system has been rock solid.

Performance-wise - the 515 is a dog. It slows down traffic for just a T1 and 30 people. The 525 and 530 are much nicer PCs with more horsepower and more memory.

As for Checkpoint - have had great success with it. Quite stable unless you start adding things like Websense and other add-ons.

Great management interface, nice product overall. Some worry about it running on Solaris and feel that makes it less secure. Debatable either way. If you get a fast Solaris box and Checkpoint - it's quite scalable. Haven't worked with it on NT - but have an aversion to NT for security related products :)

That's it for now. Good luck hunting for a product.

-----Original Message-----
From: Jason Vanick jason@oaknet.com
Sent: Fri, 5 Jan 2001 23:10:20 -0500
To: cisco-nsp@puck.nether.net
Subject: Re: [nsp] Cisco PIX feedback request

You no longer have to upgrade via floppy... As of the 5.1(1) code,
you can do a 'copy tftp flash' much like on a standard IOS router. However,
the only way to upgrade the activation key is to load with the floppy image.

Also, the 5.2(3) code supports ssh server support, so you can 3des into your
pix adding another layer of security.

- Jason

> Regarding upgrading the PIX OS via floppy: This is a VERY secure way of
> upgrading software for the PIX. Having to physically touch the PIX as
> opposed to just doing an FTP or TFTP load is better IMHO (where a secure
> firewall is concerned.)
>
> My $.02
>
> At 10:31 PM 1/4/01 -0500, Christopher Neill wrote:
> >On Thu, Jan 04, 2001 at 03:57:11PM -0800, Karyn Ulriksen wrote:
> > > Hey all...
> > >
> > > I'm looking at Cisco Pix 535/525 as a firewall solution and was looking
> > > for some feedback on things to look for in evaluating the system and any
> > > experience with the product. Please feel free to contact me offline at
> > > kulriksen@publichost.com.
> >
> >Here's my opinion.. Cisco PIX is a piece of garbage. It's slow and unwieldy,
> >the way it's put together leaves a lot to be desired. I'll get into more
> >specifics when TAC can tell me why I get stalled transfers from interface to
> >interface. I've had problems with failover in some cases as well. The defaults
> >are, of course, idiotic. The "fixups" immediately broke my SMTP AUTH on
> >sendmail. One code revision of the OS -- 5.1(1) -- broke every 48-72 hours
> >until I updated it. With a floppy, for chrissake!..
> >
> >I'm told the Nokia Checkpoint system is the top of the line but I haven't had
> >a chance to check it out. I am very disappointed with the quality of PIX. I
> >could put together a FreeBSD with some quad cards and end up with the same
> >thing but easier to manage.
> >
> >--
> >$Id: .sig,v 1.39 2000/11/21 06:58:32 noise Exp $
> >otopico: fuq 'puree' and 'chop'
> >und1sk0: puree and chop is for pussies without knive skills
>
>




This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:24 EDT