Firewall Wizards mailing list archives
Re: Comparisons of Firewall-1 vs. PIX
From: Jan.Bervar () nil si
Date: Thu, 1 Oct 1998 15:30:26 +0200
Jan Bervar@NIL 10/01/98 03:30 PM

On 09-30-98 03:16:03 PM "Chris Hughes" wrote:

> (Check Point:) True high availability maintains connections in the event
> of firewall failure. State information is synchronized between multiple
> FireWall-1 modules to ensure that connections are not dropped when a single
> FireWall-1 module fails. (Cisco:) No synchronization of state information.
> All connections are dropped in the event of firewall failure. If failover
> is configured, load balancing is not supported. (could someone clarify?)
With the PIX you put two units on the network in parallel. Only one is active at any given time. When the active unit dies, the secondary takes over with no state information transferred between boxes (failover info is transferred over the serial cable). If you want to do load balancing between two PIXes, both have to be active (i.e. no failover config) and you have to design the balancing/routing very carefully, as you cannot have any asymmetric routing or per-packet balancing (distributing a single connection between two boxes with different state tables defeats the basic SPF principle).

In some situations, stateful failover doesn't really work that well. I've heard complaints from people using it in high bandwidth/high transaction rate environments. The problem is simply that the boxes cannot sync their SPF tables fast enough to keep pace with the traffic. Lower-than-LAN rates should be ok.
> There are other differences, but these stood out. The problem (for Cisco)
> is that Firewall1 seems to be the winner in all these points except price.

The PIX *should* be at least as good as FW-1 (better/ymmv/whatever) in the below categories.

- Bi-directional authentication
- Number of sessions supported concurrently
- Encryption key security
- Performance (using Unix for the FW1 platform instead of WinNT)
Disclaimer: encryption key security applies to the new IPsec/IKE card (3DES), not the Private Link. The performance/concurrent sessions thing is also Cisco's major selling point, as it is supposed to handle about 180 Mbps and some tens of thousands of concurrent TCP sessions. I believe the throughput figure applies to full-duplex FastEther. Test and see. BTW, centralized management is coming with CiscoAssure (COPS) and stateful failover should be there soon (as it is already there in a very similar product, the LocalDirector). The original poster has also said:
> I think that it's also the most fundamental difference between these
> products: FW1 can be used to control bidirectional traffic between many
> network interfaces and is designed to allow complex rulesets, while PIX's
> design is simplistic.
With the PIX you can have as complex rulesets as with FW-1 between many interfaces (currently 4, unofficially/EFT 16). The only thing with the PIX is that you have a predefined policy, as you assign a security level to each interface (i.e. level of trust). The default policy is then: allow all outgoing sessions (i.e. higher->lower sec. level) and deny all incoming. *Then* you can change those rules in both directions. As I see it, this default stance prevents many stupid config mistakes.

Best regards, Jan
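The two design points argued over in this message (the PIX-style default policy derived from per-interface security levels, and why two stateful boxes with separate state tables cannot share one connection under asymmetric routing) can be illustrated with a small toy model. The following Python is an added example, not code from the post or from Cisco or Check Point; the interface names, security levels, addresses and the `sync_peer` state-synchronisation hook are all constructed assumptions for illustration only.

```python
# Added example (not from the Firewall Wizards post, Cisco or Check Point):
# a toy stateful firewall with PIX-style interface security levels.
# Interface names, levels, addresses and the sync_peer hook are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    sport: int      # source port
    dst: str        # destination IP
    dport: int      # destination port
    in_iface: str   # interface the packet arrived on
    out_iface: str  # interface it would leave on (after routing)


class StatefulFirewall:
    """Assumed semantics: a new session is permitted only from a higher-level
    to a lower-level interface unless an explicit inbound rule matches;
    return traffic of a flow already in the state table is permitted."""

    def __init__(self, name, levels, inbound_rules=(), sync_peer=None):
        self.name = name
        self.levels = dict(levels)                # iface -> level (0..100)
        self.inbound_rules = set(inbound_rules)   # (dst, dport) explicitly allowed
        self.state = set()                        # flows: (src, sport, dst, dport)
        self.sync_peer = sync_peer                # hypothetical peer getting state updates

    @staticmethod
    def _flow(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.dport, p.src, p.sport)

    def _add_state(self, flow):
        self.state.add(flow)
        if self.sync_peer is not None:            # state synchronisation (assumed)
            self.sync_peer.state.add(flow)

    def process(self, p):
        # Known flow (either direction): permitted by the state table.
        if self._flow(p) in self.state or self._reverse(p) in self.state:
            return "permit (state)"
        # Default stance: higher security level -> lower is allowed.
        if self.levels[p.in_iface] > self.levels[p.out_iface]:
            self._add_state(self._flow(p))
            return "permit (new outbound)"
        # Lower -> higher only with an explicit rule.
        if (p.dst, p.dport) in self.inbound_rules:
            self._add_state(self._flow(p))
            return "permit (explicit rule)"
        return "deny (default)"


LEVELS = {"inside": 100, "dmz": 50, "outside": 0}   # constructed levels


def default_policy_demo():
    """Outbound permitted, its reply permitted by state, unsolicited inbound
    denied, inbound to the DMZ web server permitted by an explicit rule."""
    fw = StatefulFirewall("fw", LEVELS, inbound_rules={("192.0.2.10", 80)})
    out = fw.process(Packet("10.0.0.5", 40000, "198.51.100.7", 443, "inside", "outside"))
    back = fw.process(Packet("198.51.100.7", 443, "10.0.0.5", 40000, "outside", "inside"))
    blocked = fw.process(Packet("198.51.100.9", 5555, "10.0.0.5", 22, "outside", "inside"))
    web = fw.process(Packet("198.51.100.9", 5556, "192.0.2.10", 80, "outside", "dmz"))
    return out, back, blocked, web


def asymmetric_routing_demo(sync):
    """Outbound SYN crosses fw_a; the reply is routed back through fw_b.
    Without synchronised state fw_b sees an unsolicited inbound packet."""
    fw_b = StatefulFirewall("fw_b", LEVELS)
    fw_a = StatefulFirewall("fw_a", LEVELS, sync_peer=fw_b if sync else None)
    fw_a.process(Packet("10.0.0.5", 40001, "198.51.100.7", 80, "inside", "outside"))
    return fw_b.process(Packet("198.51.100.7", 80, "10.0.0.5", 40001, "outside", "inside"))


if __name__ == "__main__":
    print(default_policy_demo())
    print("no sync:", asymmetric_routing_demo(False))
    print("sync:   ", asymmetric_routing_demo(True))
```

The `default_policy_demo` run shows the stance described above: the only way traffic gets from a lower to a higher security level without a matching state entry is an explicit rule. The `asymmetric_routing_demo` run shows why a single connection cannot be split across two boxes that do not share state: the reply arriving at the second box matches nothing in its table and falls through to the default deny, while with state synchronisation it is accepted as return traffic.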