Firewall Wizards mailing list archives

Re: Comparisons of Firewall-1 vs. PIX


From: Jan.Bervar () nil si
Date: Thu, 1 Oct 1998 15:30:26 +0200




On 09-30-98 03:16:03 PM "Chris Hughes" wrote:
(Check Point:) True high availability maintains connections in the event of
firewall failure. State information is synchronized between multiple
FireWall-1 modules to ensure that connections are not dropped when a single
FireWall-1 module fails.

(Cisco:) No synchronization of state information. All connections are
dropped in the event of firewall failure. If failover is configured, load
balancing is not supported.
(could someone clarify?)

With the PIX you put two units on the network in parallel. Only one is active
at any given time. When the active unit dies, the secondary takes over with
no state information transferred between boxes (failover info is transferred
over the serial cable). If you want to do load balancing between two PIXes,
both have to be active (i.e. no failover config) and you have to design the
balancing/routing very carefully, as you cannot have any asymmetric routing or
per-packet balancing (distributing a single connection between two boxes with
different state tables defeats the basic SPF principle).

In some situations, stateful failover doesn't really work that well. I've heard
complaints from people using it in high bandwidth/high transaction rate
environments. The problem is simply that the boxes cannot sync their SPF tables
fast enough to keep pace with the traffic. Lower-than-LAN rates should be ok.

There are other differences, but these stood out. The problem (for Cisco)
is that Firewall1 seems to be the winner in all these points except price.

The PIX *should* be at least as good as FW-1 (better/ymmv/whatever) in the
below categories.

- Bi-directional authentication
- Number of sessions supported concurrently
- Encryption key security
- Performance (using Unix for the FW1 platform instead of WinNT)

Disclaimer: encryption key security applies to the new IPsec/IKE card (3DES),
not the Private Link. The performance/concurrent sessions thing is also
Cisco's major selling point, as it is supposed to handle about 180 Mbps and
some tens of thousands of concurrent TCP sessions. I believe the throughput
figure applies to full-duplex FastEther. Test and see.

BTW, centralized management is coming with CiscoAssure (COPS) and stateful
failover should be there soon (as it is already there in a very similar
product, the LocalDirector).

The original poster has also said:

I think that it's also the most fundamental difference between these products:
FW1 can be used to control bidirectional traffic between many network
interfaces and is designed to allow complex rulesets, while PIX's design
is simplistic.

With the PIX you can have as complex rulesets as with FW-1 between many
interfaces (currently 4, unofficially/EFT 16). The only thing with the PIX
is that you have a predefined policy as you assign a security level on each
interface (i.e. level of trust). The default policy is then: allow all
outgoing sessions (i.e. higher->lower sec. level) and deny all incoming. *Then*
you can change those rules in both directions.

As I see it, this default stance prevents many stupid config mistakes.

Best regards,
Jan
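[Editor's note: the following is an added illustration, not part of Jan's
message or any Cisco or Check Point code. It is a toy Python model of the two
PIX behaviours discussed above: the security-level default stance (higher
level may initiate sessions to lower, nothing may initiate the other way,
explicit rules override in either direction) and stateful inspection with no
state synchronization between a primary and a secondary unit, which is why
return traffic of a live session is dropped after failover or under
asymmetric routing. Interface names, security levels, addresses and the
5-tuple session key are constructed assumptions; real PIX syntax and
internals differ.]

```python
"""Toy model of PIX-style security levels plus stateful inspection.

Added example; interface names, levels and addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Firewall:
    """One firewall unit with its own, unsynchronized session table."""

    def __init__(self, levels, name="fw"):
        self.name = name
        self.levels = dict(levels)  # interface -> security level (0..100)
        self.explicit = []          # (in_iface, out_iface, dport|None, action)
        self.state = set()          # 5-tuples of sessions this unit has seen

    def add_rule(self, in_iface, out_iface, dport, action):
        """Explicit rule; dport=None matches any destination port."""
        self.explicit.append((in_iface, out_iface, dport, action))

    def _default(self, in_iface, out_iface):
        # Default stance: sessions may only be initiated from a higher
        # security level towards a lower one; everything else is denied.
        return "allow" if self.levels[in_iface] > self.levels[out_iface] else "deny"

    def check(self, pkt, in_iface, out_iface):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Stateful inspection: a reply to a session this unit created passes
        # regardless of policy. A unit that never saw the first packet has no
        # entry and falls through to policy, which denies inbound by default.
        if reverse in self.state:
            return "allow"
        for r_in, r_out, r_port, action in self.explicit:
            if (r_in, r_out) == (in_iface, out_iface) and r_port in (pkt.dport, None):
                verdict = action
                break
        else:
            verdict = self._default(in_iface, out_iface)
        if verdict == "allow":
            self.state.add(key)  # remember the session for its return traffic
        return verdict


LEVELS = {"inside": 100, "outside": 0}  # constructed: two interfaces


def failover_demo():
    """Primary builds state; secondary (no sync) drops the reply after failover."""
    primary = Firewall(LEVELS, "primary")
    secondary = Firewall(LEVELS, "secondary")
    syn = Packet("10.0.0.5", 40000, "198.51.100.7", 80)
    synack = Packet("198.51.100.7", 80, "10.0.0.5", 40000)
    first = primary.check(syn, "inside", "outside")        # allow: higher->lower
    reply = primary.check(synack, "outside", "inside")     # allow: state match
    after_failover = secondary.check(synack, "outside", "inside")  # deny: no state
    return first, reply, after_failover


def explicit_rule_demo():
    """Explicit rules change the default stance in both directions."""
    fw = Firewall(LEVELS)
    smtp_in = Packet("203.0.113.9", 51000, "10.0.0.25", 25)
    telnet_out = Packet("10.0.0.5", 41000, "198.51.100.7", 23)
    before = fw.check(smtp_in, "outside", "inside")        # deny by default
    fw.add_rule("outside", "inside", 25, "allow")          # open inbound SMTP
    fw.add_rule("inside", "outside", 23, "deny")           # block outbound telnet
    inbound = fw.check(smtp_in, "outside", "inside")       # allow via rule
    outbound = fw.check(telnet_out, "inside", "outside")   # deny via rule
    return before, inbound, outbound


if __name__ == "__main__":
    print("failover:", failover_demo())
    print("explicit rules:", explicit_rule_demo())
```

The `failover_demo` result is the point Jan makes about the PIX: the secondary
unit is a perfectly good firewall, but without the primary's session table it
has no reason to let the reply of an already-established session back in.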
