On Apr 8, 2005 11:05 AM, Alejandro Cabrera Obed <sisdis@xxxxxxxxxxxxxx> wrote:
> Hi people !!!
>
> This time I want to know your opinion about iptables vs. Cisco PIX....where
> would you use each of them ????
> Is it the same using iptables or PIX in big corporations with heavy Internet
> traffic ???? Which is considered the "best" and why ???
>
> I have used iptables for a long time, but my network is under 50 workstations.
>
> Thanks for your comments, they're welcome.
>

From personal experience, iptables shrugs off SYN flood attacks better than anything out there. You can't beat it for the price.

A colleague tested a PIX 550(?) and his Nokia running Checkpoint. We've tested Checkpoint running on a quad Xeon Dell PowerEdge 6650. A DDoS attack from an IRC bot will render them useless. Checkpoint is just bad architecture. Even though you explicitly tell Checkpoint to drop certain packets, Checkpoint will still add those dropped packets to its connection table. You can try reducing the timeout, but we haven't found it to be terribly useful. He also found that SmartDefense just chokes HTTP traffic. The only Checkpoint product to do better was SecurePlatform using Corrent's Turbocards.

While the connection table doesn't fill up on the PIX, the CPU still gets overloaded, so you can't make new legitimate connections easily. I don't know how the more industrial versions of PIX will do, though.

We have a quad PIII Dell PowerEdge 6450 running iptables protecting the residence halls on a college campus. It gets SYN flooded constantly, handles 90k peak connections, load average of 1.0, all on 1GB of RAM.

The only shortcoming of iptables is the lack of distributed management and the lack of a high availability solution. Distributed management is only a problem if you're managing more than several firewalls. And the lack of HA makes it harder to deploy iptables fully on the enterprise.

--
Jiann-Ming Su
"I have to decide between two equally frightening options.
If I wanted to do that, I'd vote." --Duckman
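As an added example that is not part of Jiann-Ming's post (nor the campus firewall he describes), the rule set below shows the connection-table point he raises: with iptables, traffic that is going to be dropped can be discarded in the raw table before connection tracking runs, so a SYN flood to unwanted ports never occupies a conntrack slot. The interface (eth0), LAN range, port list, rate limits and the DRY_RUN wrapper are all assumed values for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: drop unwanted SYNs in the raw table
# (before conntrack), rate-limit the rest, then filter statefully.
# Interface, network, ports and rates are assumed values for illustration.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.0.0.0/16}"
SYN_RATE="${SYN_RATE:-500/sec}"
SYN_BURST="${SYN_BURST:-1000}"

# With DRY_RUN=1 commands are printed instead of executed, so the rule set
# can be reviewed on any host without root or a netfilter kernel.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

build_rules() {
    # Kernel-side SYN flood defence: SYN cookies prevent backlog exhaustion.
    run sysctl -w net.ipv4.tcp_syncookies=1

    # 1. Untracked drops. The raw table is consulted before conntrack, so
    #    these packets never get a connection-table entry (contrast with the
    #    Checkpoint behaviour described in the post).
    run iptables -t raw -A PREROUTING -i "$WAN_IF" -p tcp --syn --dport 135:139 -j DROP
    run iptables -t raw -A PREROUTING -i "$WAN_IF" -p tcp --syn --dport 445 -j DROP

    # 2. Rate-limit the remaining inbound SYNs: within budget they go on to
    #    conntrack (ACCEPT here only ends raw-table traversal); the excess is
    #    dropped while still untracked.
    run iptables -t raw -A PREROUTING -i "$WAN_IF" -p tcp --syn -m limit \
        --limit "$SYN_RATE" --limit-burst "$SYN_BURST" -j ACCEPT
    run iptables -t raw -A PREROUTING -i "$WAN_IF" -p tcp --syn -j DROP

    # 3. Ordinary stateful filtering for what survives.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -d "$LAN_NET" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Number of iptables commands the rule set issues (handy when auditing a
# dry run against a live 'iptables-save').
rule_count() {
    DRY_RUN=1 build_rules | grep -c '^iptables'
}

# Print the rule set when invoked with DRY_RUN=1; apply by calling
# build_rules as root after flushing any existing rules.
if [ "${DRY_RUN:-0}" = "1" ]; then build_rules; fi
```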