Slashdot Mirror

← Back to Stories (view on slashdot.org)

Build a Cisco PIX for 800 Australian Dollars

Posted by timothy on from the but-what-about-real-money dept.

tallguy_wt writes: "Why fork out thousands of dollars to learn Cisco's PIX firewalling product when you can build your own for under 800 Australian Dollars, as shown in this article by Routermonkey."

5 of 394 comments (clear)

  1. cheaper, better and even legal by bob@dB.org · · Score: 5, Informative

    Linux iptables HOWTO
    How to Build a FreeBSD-STABLE Firewall with IPFILTER
    The OpenBSD Packet Filter HOWTO

    --
    Acts@core.mailboks.com Acrux@core.mailboks.com Adam@core.mailboks.com Adar@core.mailboks.com Ada@core.mailboks.com
  2. Re:Why not use Smoothwall v2.0 by perlyking · · Score: 5, Informative

    I recommend avoiding smoothwall (search usenet for "richard morrell smoothwall" for more info..).
    Try IPCOP for a GPL fork of smoothwall that is not a hidden attempt at selling things and is GPL in spirit, not just name.
    This article shouldnt have been how to make a pix it should be how to make a legal,cheap,open source alternative to one.

    --
    no sig.
  3. Stupid!!!! by FreeLinux · · Score: 5, Informative

    As stated before, this "hack" is piracy and therefore illegal. Furthermore it is a stupid waste of money.

    Why spend $800 for a amateurish, rigged up, pirated Pix when you can have the real thing for less. If what you really want is to learn about the Pix and its configuration simply hop on to eBay and buy the real thing. On eBay Pix 501s and 520s can be had for $400 and $500 respectively.

  4. OK, but why would you really WANT to? by Malor · · Score: 5, Informative

    This has been mentioned above, but not very clearly. As far as I know, the PIX software also requires an activation key, which costs money. You might be able to get one from a warez utility, but it is an extra step, and it is illegal. Also note that Cisco charges extra for the ability to just secure shell into your firewall(!). Unless you cough up a whole bunch of extra money, you have to use TELNET to configure a FIREWALL. This is really lame.

    Further, the PIX just isn't a very good firewall.

    The hardware is well-built but incredibly underpowered. The one we have at work is only 200mhz. I don't know how far that will scale, but, personally, I don't think I'd want to be putting more than about 5 megabits through it. And Cisco charges about 12,000 dollars for the PIX.(!)

    The command syntax is really hard to figure out. It just makes no sense at all. The documentation on Cisco's site is excellent, but I always have to resort to cookbook examples, because I don't use it every day.

    The default configuration is 'allow all outbound traffic and all inbound replies'. It is very hard to change this. If you want a fairly secure network, you shouldn't allow direct outbound connections, but rather only through a proxy device of some kind. If your security policy requires outbound connection restrictions, this is really awkward to implement with the PIX.

    The PIX isn't a very good router, either. It doesn't support most of the 'real' IOS commands. You can do some routing with it, but it's not very flexible.

    I've worked with a lot of firewalls and have done a lot of firewalling, and in my opinion, Linux with iptables is about the best thing going. You will have to spend significant learning time to figure it out, as the documentation is not very good, but once you do, you can do pretty much anything with it. Linux has always been a great router, and with the introduction of iptables, became a great firewall too. If you don't want to build rules by hand, there's a program called 'fwbuilder' that gives you a Checkpoint-like GUI. FWBuilder also speaks OpenBSD's pf and I *think* Checkpoint's firewall language, but I'm not sure about that last.

    OpenBSD has a good reputation as a firewall. I used it at home for a couple years, but I have moved to Linux since then. The PF language is very clean and easy to read, and if you're just starting with firewalling, it can be a good first opensource firewall. However, there were big performance problems with OpenBSD's bridging firewall code in 3.0; it choked hard over about 25K connections, and past about 30 megabits it just froze up for random periods of time. Very frustrating. Linux on the same hardware (with the iptables bridging patch) handles over 60 megabits flawlessly. And going over 30k connections is trivial; you simply echo a large number into a variable in the /proc filesystem. I searched and searched and could NOT find any way to do this on BSD. It may exist, but I couldn't find it.

    They may have fixed the performance problems in more recent revs of OpenBSD. 3.0 was the first release of pf, and I threw it into a monster production environment based on the OpenBSD team's reputation. The later revs may be much better, but as of 3.0, Linux absolutely destroys OpenBSD as a firewall.

    There's one cool thing the PIX does that I haven't figured out how to duplicate manually. It has an 'established' command, which allows you to say: "If I open a command on port X, allow a return connection on port Y for a short period of time." This is useful, for example, for IRC, where you connect on port 6667 and an ident connection comes back in on port 113.

    I asked about this feature on the OpenBSD newsgroups, and got scoffed at... according to them, it's more secure to leave the port open all the time to everyone than just to allow return connections from a host to which you have connected and only for a short period of time. Frankly, I think that's just stupid. It's the typical apologist reaction... "that's a dumb feature to ask for because it's hard to do". They'll say it's stupid until someone takes the time to implement it, and then suddenly that's the only way to go and any system that doesn't do that is obviously broken.

    I haven't found that capability in the Linux iptables stuff either, FWIW. As far as I know, only the PIX does this, and I consider it a very useful feature. (you can sort of simulate it with some of the kernel modules for different protocols, but I haven't found a way to do an arbitrary set of ports).

    If you can live without the 'established' command, though, I'd probably, overall, recommend the Linux/FWBuilder combo. If you want to learn more about firewalling, OpenBSD's pf language is a nice simple way to start.

    And if you really want to spend money on a firewall, Checkpoint is a much better solution than the PIX. It has many enterprise-class features that the free alternatives lack, like good VPN support and great support for managing clusters of firewalls. The Nokia Checkpoint boxes are *really* cool; they are based on a custom BSD-derived kernel. They cost more than the PIX, but in my opinion are wildly better and well worth the extra. (when I last looked, the prices on the Nokia boxes were in the 20K+ range. They may have dropped since the dotcom blowup.) The administration is easy, you get the power of BSD, and the hardware is really well-built. Very, very cool boxes.

  5. Re:Stupid question ... by rob_from_ca · · Score: 4, Informative

    1. You can't get familiar with a PIX by using a free firewall, so it has some educational benefit (although if you "get" what firewalls do, the rest is mostly just syntax).

    2. Stateful failover. I don't think any of the free options support this. With the PIX, you can plug two in via a serial cable in a master/slave configuration, and the master constantly sends it's state to the slave. If the master dies, the slave takes over and no TCP sessions are dropped. Only you can decide if this feature is important to you.