06-30-2005 08:28 AM - edited 02-21-2020 12:14 AM
I have searched everywhere, but am unable to find the answers I seek. Is there a decision matrix on the differences between the PIX(s) versus a 2800/3800 with Firewall Featureset (Advanced Security)? I have a client that would like to know which platform to choose, and the sales brochures don't do a good job comparing them.
Thanks in advance
07-01-2005 06:56 AM
Check this link and scroll down to the "WHEN TO DEPLOY EACH CISCO INTEGRATED FIREWALL SOLUTION" section:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_data_sheet09186a00801daa53.html
07-02-2005 06:26 AM
I believe it will boil down to the anticipated role of the device: If you only want firewall functionality (plus maybe a little VPN traffic), then the PIX is probably a better choice.
If you want the firewall, and you're going to do a lot of VPN AND you're interested in the IDS/IPS functionality or are also running Cisco VoIP, then the X800 router is probably a better choice.
The X800 series is well-suited for SRST and/or CallManager Express, and does deep(er) packet inspection associated with the IDS/IPS.
It already has a VPN encryption co-processor on the mainboard, activated with the Advanced Security IOS.
If you are still uncertain, I'd say go with the X800 router. It's newer in the product line and probably has a longer product life ahead. It's also a more dynamic platform and can be set up for a much broader suite of services down the road.
Running IOS Firewall on the older routers was a pain, and they tended to be underpowered. The X800s have a much stronger processor and handle the Firewall and other functions without breaking a sweat.
I have both: several PIX and a new (~3 months) 2811. I love 'em both ... but any additional expansion will probably be with X800 ISRs.
FWIW
Scott
07-04-2005 10:01 AM
Thanks guys, both good points and an interesting "comparison" by Cisco. Really they don't answer the question either. With version 7 PIX OS, and 12.4x IOS both the router and PIX platforms are so close to each other that there are only certain reasons (other than costs) I can see going to one or the other.
I was hoping there would be a silver bullet difference, but I can't see one.
I guess the routing aspect (if you are using other than OSPF) along with costs, would be the main push for one or the other. You have a valid point about the "newer" platform, and I'm sure Cisco is going to phase out the PIX shortly, especially with the introduction of the ASA platforms. Just my thoughts.
It's going to be harder and harder to convince a client to deploy a tens of thousands of dollars product on the perimeter when they can spend 1/4 of that and get almost exactly the same performance/security/capability....
Bob
07-11-2005 08:41 PM
Hi,
The way I see your dilemma, my analysis is that you have to rethink your strategy to sell this idea to your client.
I understand your point as the technology progresses, the fine line which exists between the specialized devices and the multipurpose devices which can "also" perform more or less the same way the specialized device can and will further diminish...
It boils down to us techies how do we sell a vision to the prospective client which is also in sync with what they have in mind...
My suggestion is that instead of focusing on comparing product A with product B, you should focus more on the overall design requirements of your client's network. For example, ask them a simple question such as: do they have a requirement for a DMZ? (Maybe you have already done that.) The answer to this question should help you better decide whether to go for a router-based solution or a specialized firewall such as the PIX... There are so many things which can also be written here, but it all depends on the size and needs of your client.
If the answer is yes to a DMZ and they want a certain number of DMZs, then you can go ahead and recommend the PIX model which suits your client's requirement... or maybe if you have a Linux box and in-house Linux expertise available, then with iptables and a few NICs you can get a pretty functional firewall box with DMZs.
Having shared these views, I must say that I have written what I have written based on what you have said... If you still think your queries are unanswered, then I would recommend you further elaborate on the network design requirements of your client... This will take you closer to an answer.
I hope this helps.
Regards,
Noman Bari