Build a Cisco PIX for 800 Australian Dollars
tallguy_wt writes: "Why fork out thousands of dollars to learn Cisco's PIX firewalling product when you can build your own for under 800 Australian Dollars, as shown in this article by Routermonkey."
According to the Universal Currency Convertor, AU$800 is about US$443.
"All art is quite useless." -- Oscar Wilde
800 AUS = 441.36 USD.
:)
Watson still has a few tricks on Sherlock.
I know I'm going to hell, I'm just trying to get good seats.
Indeed.
If you've ever ordered a PIX from Cisco (or a reseller), you'll notice that the software license costs considerably more than the hardware. While building a hardware clone of a PIX is perfectly legal, taking a free copy of the software to run on your clone most certainly isn't.
Or you could just buy an 806 with the SPI firewall package for around $500.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
PIX is Cisco's firewall product. If you don't know, then you shouldn't try this at home ;-)
Linux iptables HOWTO
How to Build a FreeBSD-STABLE Firewall with IPFILTER
The OpenBSD Packet Filter HOWTO
Everybody in the Cisco gig knows that the PIXs are nothing more than basic PCs, complete with floppy drive for software upgrades; this really is no revelation.
This guy just comes across as some network wannabe. Learning the commands is the simple bit (RTFM, or just reverse normal IOS commands for a PIX); knowing when to use these commands, exactly what they do and how this will affect the enterprise is the bit that makes you CCIE material.
No doubt Cisco will get their own back when he does the CCIE lab.
A journey of a thousand miles starts with a brutal anal raping at airport security
I recommend avoiding smoothwall (search usenet for "richard morrell smoothwall" for more info..).
Try IPCOP for a GPL fork of smoothwall that is not a hidden attempt at selling things and is GPL in spirit, not just name.
This article shouldn't have been how to make a PIX; it should have been how to make a legal, cheap, open-source alternative to one.
no sig.
The other way to learn the PIX OS for close to the same price is to pick up a PIX 501. These little boxes run for $400-$600 depending on where you find them and they run the full PIX OS. You're limited to 2 interfaces (no playing with a DMZ) but there really is a lot of stuff you can learn and do with these things.
I see a lot of "stealing" comments. So, instead, go the Open Source route and build your own firewall with the NetBSD/i386 Firewall Project
Yes, yes, I know, blatant plug
-John
I found one on eBay here.
As stated before, this "hack" is piracy and therefore illegal. Furthermore it is a stupid waste of money.
Why spend $800 for an amateurish, rigged up, pirated Pix when you can have the real thing for less. If what you really want is to learn about the Pix and its configuration, simply hop on to eBay and buy the real thing. On eBay Pix 501s and 520s can be had for $400 and $500 respectively.
This has been mentioned above, but not very clearly. As far as I know, the PIX software also requires an activation key, which costs money. You might be able to get one from a warez utility, but it is an extra step, and it is illegal. Also note that Cisco charges extra for the ability to just secure shell into your firewall(!). Unless you cough up a whole bunch of extra money, you have to use TELNET to configure a FIREWALL. This is really lame.
Further, the PIX just isn't a very good firewall.
The hardware is well-built but incredibly underpowered. The one we have at work is only 200MHz. I don't know how far that will scale, but, personally, I don't think I'd want to be putting more than about 5 megabits through it. And Cisco charges about 12,000 dollars for the PIX. (!)
The command syntax is really hard to figure out. It just makes no sense at all. The documentation on Cisco's site is excellent, but I always have to resort to cookbook examples, because I don't use it every day.
The default configuration is 'allow all outbound traffic and all inbound replies'. It is very hard to change this. If you want a fairly secure network, you shouldn't allow direct outbound connections, but rather only through a proxy device of some kind. If your security policy requires outbound connection restrictions, this is really awkward to implement with the PIX.
The PIX isn't a very good router, either. It doesn't support most of the 'real' IOS commands. You can do some routing with it, but it's not very flexible.
I've worked with a lot of firewalls and have done a lot of firewalling, and in my opinion, Linux with iptables is about the best thing going. You will have to spend significant learning time to figure it out, as the documentation is not very good, but once you do, you can do pretty much anything with it. Linux has always been a great router, and with the introduction of iptables, became a great firewall too. If you don't want to build rules by hand, there's a program called 'fwbuilder' that gives you a Checkpoint-like GUI. FWBuilder also speaks OpenBSD's pf and I *think* Checkpoint's firewall language, but I'm not sure about that last.
OpenBSD has a good reputation as a firewall. I used it at home for a couple years, but I have moved to Linux since then. The PF language is very clean and easy to read, and if you're just starting with firewalling, it can be a good first opensource firewall. However, there were big performance problems with OpenBSD's bridging firewall code in 3.0; it choked hard over about 25K connections, and past about 30 megabits it just froze up for random periods of time. Very frustrating. Linux on the same hardware (with the iptables bridging patch) handles over 60 megabits flawlessly. And going over 30k connections is trivial; you simply echo a large number into a variable in the /proc filesystem. I searched and searched and could NOT find any way to do this on BSD. It may exist, but I couldn't find it.
They may have fixed the performance problems in more recent revs of OpenBSD. 3.0 was the first release of pf, and I threw it into a monster production environment based on the OpenBSD team's reputation. The later revs may be much better, but as of 3.0, Linux absolutely destroys OpenBSD as a firewall.
There's one cool thing the PIX does that I haven't figured out how to duplicate manually. It has an 'established' command, which allows you to say: "If I open a command on port X, allow a return connection on port Y for a short period of time." This is useful, for example, for IRC, where you connect on port 6667 and an ident connection comes back in on port 113.
I asked about this feature on the OpenBSD newsgroups, and got scoffed at... according to them, it's more secure to leave the port open all the time to everyone than just to allow return connections from a host to which you have connected and only for a short period of time. Frankly, I think that's just stupid. It's the typical apologist reaction... "that's a dumb feature to ask for because it's hard to do". They'll say it's stupid until someone takes the time to implement it, and then suddenly that's the only way to go and any system that doesn't do that is obviously broken.
I haven't found that capability in the Linux iptables stuff either, FWIW. As far as I know, only the PIX does this, and I consider it a very useful feature. (you can sort of simulate it with some of the kernel modules for different protocols, but I haven't found a way to do an arbitrary set of ports).
If you can live without the 'established' command, though, I'd probably, overall, recommend the Linux/FWBuilder combo. If you want to learn more about firewalling, OpenBSD's pf language is a nice simple way to start.
And if you really want to spend money on a firewall, Checkpoint is a much better solution than the PIX. It has many enterprise-class features that the free alternatives lack, like good VPN support and great support for managing clusters of firewalls. The Nokia Checkpoint boxes are *really* cool; they are based on a custom BSD-derived kernel. They cost more than the PIX, but in my opinion are wildly better and well worth the extra. (when I last looked, the prices on the Nokia boxes were in the 20K+ range. They may have dropped since the dotcom blowup.) The administration is easy, you get the power of BSD, and the hardware is really well-built. Very, very cool boxes.
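Added example, not part of the thread above: a small Python model of the 'established'-style rule the previous post describes, using its IRC case (outbound to 6667, ident connection back on 113). The port mapping, the 30-second window and the peer addresses are constructed for illustration; the point is that the return allowance is bound to the peer you contacted, to one return port, and to a short window, which is narrower than leaving port 113 open to everyone.

```python
from dataclasses import dataclass, field

# Constructed policy table (assumption, not PIX syntax): after an outbound
# connection to dst_port, permit a return connection from that same peer to
# return_port for `window` seconds.  IRC: 6667 out -> ident (113) back, 30 s.
ESTABLISHED_RULES = {
    6667: (113, 30.0),
}


@dataclass
class ReturnConnectionFilter:
    rules: dict = field(default_factory=lambda: dict(ESTABLISHED_RULES))
    # (peer, return_port) -> time at which the allowance expires
    _pending: dict = field(default_factory=dict)

    def outbound(self, peer: str, dst_port: int, now: float) -> None:
        """Record an outbound connection; open a return window if a rule matches."""
        rule = self.rules.get(dst_port)
        if rule is not None:
            return_port, window = rule
            self._pending[(peer, return_port)] = now + window

    def inbound_allowed(self, peer: str, dst_port: int, now: float) -> bool:
        """Allow an inbound connection only from a peer we recently contacted,
        only on the mapped return port, and only while the window is open."""
        self._expire(now)
        return (peer, dst_port) in self._pending

    def _expire(self, now: float) -> None:
        # Drop allowances whose window has elapsed before evaluating.
        for key, expiry in list(self._pending.items()):
            if expiry <= now:
                del self._pending[key]


def demo() -> list:
    """Constructed scenario: one IRC connection, then four inbound attempts."""
    f = ReturnConnectionFilter()
    f.outbound("203.0.113.10", 6667, now=0.0)          # we connect to an IRC server
    return [
        f.inbound_allowed("203.0.113.10", 113, 5.0),    # ident back from that server: allowed
        f.inbound_allowed("198.51.100.7", 113, 5.0),    # same port, different host: denied
        f.inbound_allowed("203.0.113.10", 22, 5.0),     # same host, unmapped port: denied
        f.inbound_allowed("203.0.113.10", 113, 31.0),   # after the 30 s window: denied
    ]


if __name__ == "__main__":
    print(demo())  # [True, False, False, False]
```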
1. You can't get familiar with a PIX by using a free firewall, so it has some educational benefit (although if you "get" what firewalls do, the rest is mostly just syntax).
2. Stateful failover. I don't think any of the free options support this. With the PIX, you can plug two in via a serial cable in a master/slave configuration, and the master constantly sends its state to the slave. If the master dies, the slave takes over and no TCP sessions are dropped. Only you can decide if this feature is important to you.
From the EULA before you can download the images on CCO:
License. License. Subject to the terms and conditions of and except as otherwise provided in this Agreement, Cisco Systems, Inc. or the Cisco Systems, Inc. subsidiary licensing the Software, if sale is not directly by Cisco Systems, Inc. ("Cisco"), and its suppliers grant to Customer ("Customer") a nonexclusive and nontransferable license to use the specific Cisco program modules, feature set(s) or feature(s) for which Customer has paid the required license fees (the "Software"), in object code form only. In addition, the foregoing license shall also be subject to the following limitations, as applicable:
* Unless otherwise expressly provided in the documentation, Customer shall use the Software solely as embedded in, for execution on, or (where the applicable documentation permits installation on non-Cisco equipment) for communication with Cisco equipment owned or leased by Customer;
*snip* And this:
General Limitations. Except as otherwise expressly provided under this Agreement, Customer shall have no right, and Customer specifically agrees not to:
(i) transfer, assign or sublicense its license rights to any other person, or use the Software on unauthorized or secondhand Cisco equipment, and any such attempted transfer, assignment or sublicense shall be void;
I understand you may think you are exempt from EULAs because you don't want to pay for something, but the company's lawyers might see it a different way. Using any of those images on non-Cisco hardware is prohibited. Period.
I own a PIX 506 box and have worked on the 515 and 525 as well.
Both the PIX 506 and 515 use an Intel socket 7 200MHz MMX processor without a cooling fan; they just have a heat sink. The system board is just an Intel, nothing special there. PIX expansion slots are PCI slots. The Ethernet interfaces use Intel eepro i82557 (or was it i82559?) chips, just like your Intel NIC in your desktop. Everything is really standard, except for the software that runs on the box.
For people who know Cisco hardware, they seem to recognize that the PIX series of firewalls are far faster than say a 3600 series router, or any of the older Cisco hardware. The PIX firewalls were acquired by Cisco when they bought Network Translation. Reference:
http://www.cisco.com/warp/public/146/
So when you are buying that $4000 3640 with 128MB of RAM to handle the 100K or so of Internet BGP routes, you are buying something with the processing power of a Pentium computer or less.
Here are some facts on the Cisco 3600 series:
3620: 64MB RAM maximum, 80MHz RISC processor
3640: 128MB RAM maximum, 100MHz RISC processor
3660: 256MB RAM maximum, 225MHz RISC processor
One of the major considerations for Cisco is that their equipment has to be really stable and heat tolerant. People love to treat Cisco hardware like old telco hardware and keep it out in a barn and stuff, in the damp air, with a bunch of dust, whatever. We should all know how Intel processors are in regards to heat. But even an old 200MHz Intel MMX processor can run without a cooling fan.
Cisco router hardware, in general, is really slow and sucks for processor speed. Juniper has mopped Cisco all over the floor in the core Internet market in the last few years because of port density, processing speed, and packet forwarding latency. In comparison, you look at a Juniper M40 versus a Cisco 12012, and the 12012 looks like a huge POS, and I don't mean packet over Sonet.
One of the things about the Juniper routers is that they use Intel processors and SDRAM -- not much special there. The hardware is all completely custom, but they choose to ditch the Motorola and IBM processors for Intel. Packet forwarding processors are totally different than the core processors that we are talking about here, so I will leave them out for the most part. Still, Cisco uses a lot of off the shelf stuff in their routers and companies like Juniper have manufactured their own or applied existing stuff better to get the wire speed forwarding rates on all interfaces, with a backplane speed that is greater than the sum of all possible interfaces on a router.
Cisco does not really see themselves as a hardware manufacturer, but instead as a software company. However, if they do not shape up and start making some really good hardware, they are going to get kicked out by Juniper as they start to climb down the ladder and come out with smaller, more affordable boxes and spread out from their core and big-box offerings (think M-5).
Lately Cisco has released a few good new hardware products. The 10000 series aggregation boxes can mux Sonet down to fractional DS1s, which is pretty hot, but these boxes are really hard to use these days because of the serious downturn in the market and the fact that a lot of DS1 customers have gone away. Old 7513s that ISPs have in stock with fractional PA-2T3s work fine.
In switches, Cisco has come out with the 3500XL and 3550XL switches, which are really great.
But most people out there have 2600s and 3600s. There are a lot of 2500s still in use too. Some things are starting to hurt Cisco though. It can take a minute or two for all of those BGP routes to get filtered out when interfaces flap. Cisco does not even offer any kind of SSH2 capability with ANY of their routers (to my knowledge), they only support SSH1 on special IOS versions and platforms. I really wonder if these routers, with their slow processors, can handle new stuff.
I wonder how this will affect an IP6 rollout. I remember working on some 3600s and IP6 some time back. They had issues, but I understand that Cisco has worked a lot of those out.
Oh well.
The moral of the story is that Cisco hardware is kind of slow and it shows. On the other hand, it usually gets the job done.
I need to go back to finding myself a job. Posting on Slashdot ain't paying the rent.
Anyone out there have a Juniper Olive image? I would not mind having one of those in my lab.
God, this is so full of crap I just HAD to rebut.
First, cisco uses NORMAL ethernet cards in their PIX products. It's just an intel chip for example (RTFA or open the cover on your pix). Second, the pix uses a normal intel processor, and a slow one at that. It is NOT specialized. Their Routers and switches are DIFFERENT from their Pixs and LocalDirectors.
Read this carefully: A PIX IS A PC. THAT'S IT. They put some flash on it, a custom BIOS, and Ta Da! The difference in PIX products is how much memory they have, number and type of interfaces, processor speed, and availability of encryption co-processor boards (standard PCI cards, BTW.) Cisco is using more standard PC parts because it reduces their costs dramatically.
Unless you have a REALLY f-ing fast net connection, a standard linux box will handle all the packet mangling you want at full wire speed. Anything OC3 or slower can be EASILY handled by a standard PC. Beef it up a bit and it can handle OC12 or more.
People use cisco hardware because of BRANDING, the fact that it works (and quite reliably at that), the great support, etc. Yeah, in a middle to large corporate environment I'm gonna use Cisco or some other brand of dedicated network hardware for a variety of reasons (hell, I have a PIX 515UR at home even), but it's NOT because a PC based firewall can't handle the load. That excuse is just plain WRONG.
To clarify what the Private Link card does - it's basically Cisco's proprietary PIX-to-PIX VPN tunneling method, before IPSEC was out.