Tradeoffs between a PIX firewall/VPN and IOS firewall

millerv
Level 1

Customer can either do a PIX or a router for VPN & firewall. Can't do both ($$$). What's the tradeoff from a security standpoint of running IOS FW instead of a PIX?

4 Replies

brian.giaccone
Level 1

We use both PIX firewalls and IOS. The main difference between the two devices is that the PIX has a much, much higher performance rating, especially throughput. Another advantage is the IDS mechanism: the PIX recognizes more signatures than the IDS in IOS. For a small company the IOS is perfect, unless you immediately want to begin to terminate VPN 3.0.1 clients; either you can wait until late fall of this year or purchase a 500 series PIX now.

Thanks much, Brian.

rbharania
Level 1

Hi millerv -

Here are my personal guidelines for PIX vs IOS in this case. Your mileage with your local Cisco rep may vary :-)

PIX pluses

1. Dedicated appliance: routers can dedicate their resources to routing, instead of acting as firewalls.

2. High throughput: the PIX 520 is capable of 385 Mbps aggregate throughput, while the PIX 515 tops out at 120 Mbps.

3. High LAN port density: PIX 520/515 can accommodate up to 6 FastEthernet interfaces. Good when you need multiple protected segments or DMZs. To get that kind of density in a router may cost you more.

4. Stateful failover capability: PIX in a redundant mode keeps session state during failover; users may not even know the firewall has failed.

5. Higher IPSec performance for lower cost: for example, the PIX 515 can outperform a Cisco 17xx in VPN scenarios.

6. Although the PIX isn't a proxy server, it can mimic certain proxy functions, such as layer seven authentication via "cut-through proxy."

7. Easy initial setup, and no "hardening" required before putting it on the network; its default state is deny everything, as opposed to a router whose default state is permit everything.

PIX considerations:

1. No serial interfaces: the PIX's interfaces are LAN-based (FastEthernet/TokenRing/GigEthernet).

2. Limited routing protocol support: only RIP and RIP2. Most installations utilize static routing instead.

3. No native multicast support: the PIX can only pass unicast IP traffic. Multicast can be passed via GRE encapsulation on surrounding routers.

4. It ain't IOS. This is only an issue if the technical knowledge onsite is REALLY comfortable with IOS and is unable or unwilling to learn the PIX. The PIX *looks* enough like IOS but has enough differences that you can inadvertently trip yourself up if you're not careful.

Hope this helps.

-rakesh
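The default-deny versus default-permit point in item 7 above, and the cut-through proxy in item 6, are easiest to see side by side in configuration. What follows is an added illustration for this thread, not configuration posted by any participant: the addresses (RFC 5737/RFC 1918 ranges), interface names, ACL numbers, the AUTHSRV server tag and the host 10.0.0.9 are all constructed, and exact command syntax differs across IOS 12.x and PIX 5.x/6.x images, so read it as the shape of the two configurations rather than a paste-ready template.

```cisco
! ---- IOS router running the IOS Firewall (CBAC) feature set ----
! A router forwards anything it has a route for until told otherwise, so
! before an interface faces the Internet it needs (a) the router's own
! services switched off, (b) a stateful inspection rule, and (c) an ACL
! whose final explicit deny converts "permit everything" into "deny everything".
!
! (a) Hardening: services a default image leaves listening.
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip http server
no ip bootp server
no ip source-route
no cdp run
service password-encryption
enable secret <strong-secret>          ! placeholder, not a real secret
!
! (b) Stateful inspection: sessions that originate inside get their return
! traffic admitted dynamically through the outside ACL; nothing else does.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
ip inspect name FWRULE ftp
!
! (c) Inbound ACL on the outside interface. Only the published web server
! is reachable; the trailing deny is what makes this default-deny.
access-list 110 permit tcp any host 192.0.2.5 eq www
access-list 110 deny   ip any any log
!
interface Serial0
 description outside (constructed addressing)
 ip address 192.0.2.2 255.255.255.252
 ip access-group 110 in
 no ip directed-broadcast
 no ip proxy-arp
!
interface Ethernet0
 description inside
 ip address 10.0.0.1 255.255.255.0
 ip inspect FWRULE in
 no ip directed-broadcast
!
! Management plane: only the inside subnet may open a vty.
access-list 10 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login

! ---- PIX (5.x/6.x era syntax) ----
! Security levels do the work: higher-to-lower traffic is allowed once a
! translation exists; lower-to-higher is denied unless a static plus an
! access-list permit it. There is no "deny ip any any" to remember because
! that is the starting state.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
!
! Outbound: inside hosts leave through PAT on a single outside address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 192.0.2.3
!
! Inbound: only the published web server, only on port 80.
static (inside,outside) 192.0.2.5 10.0.0.5 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.0.2.5 eq www
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Management plane, equivalent of the router's access-class.
telnet 10.0.0.0 255.255.255.0 inside
!
! Cut-through proxy (item 6): the PIX challenges the user at layer 7 once,
! checks the credentials against TACACS+, then lets the rest of the session
! ride the normal stateful path instead of proxying every packet.
aaa-server AUTHSRV protocol tacacs+
aaa-server AUTHSRV (inside) host 10.0.0.9 <shared-key> timeout 5
aaa authentication include http inbound 0 0 0 0 AUTHSRV
```

The practical difference is the failure mode: forget the `deny ip any any` or the `ip inspect` line on the router and the box still forwards traffic, silently open; forget the `access-list`/`access-group` pair on the PIX and inbound connections simply fail, which is the safer mistake to make.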

Thanks Rakesh.

BTW, I get about 30 mpg with the locals.