Educause Security Discussion mailing list archives
Re: PIX/AS Vs. Linux/IPtables
From: Josh Richard <jrichar4 () D UMN EDU>
Date: Thu, 1 Oct 2009 09:09:20 -0500
I am assuming that the firewall is not on the host you wish to protect, but on a border of a network or inline in a network path. On the flip side, if you are asking if a Linux server running iptables is better than an ASA (L2 or L3) protecting a Linux host -- in that case having the traffic never reach the server is best. I would recommend both.

We use either Cisco FWSMs (ASA-like syntax) or iptables. It depends on the situation. The FWSMs are a little soft on resources when running in multi-context mode. Testing shows we could not protect our border (250M feed) without it running out of xlates. We use iptables for all of our wireless traffic and it approaches 950M daily. We plan to push that service through hardware with 10G networking. It may continue to rise. I expect an ASA could handle >250M, but we have not tested one in that configuration.

In either case, the correctness of the ruleset is what matters. For anything sophisticated (SNAT, DNAT, dynamic rule creation) iptables is far easier to interface with because you have the presence of optional programmatic manipulation on the box (Perl, Ruby, etc). Depending on the need, there are easy-to-use appliance-based disk image projects available. You can stand up a box with more features than an ASA on commodity hardware and purchase commercial support if that makes you comfortable. [1] We do not use [1], but prefer to run GNU/Linux to avoid the possible license restrictions.

Regarding feature set parity, iptables is more feature rich as you can mark, mangle, and filter at many different points in the packet path through the box. I find NAT is much easier using iptables than on the Ciscos.

To balance the argument, in summary both work well for common case filtering scenarios. If you need to perform sophisticated packet manipulation or handle more complex logic in a traffic path (PBR, SNAT, DNAT, dynamic rule creation) on a single box, iptables on GNU/Linux (or pf on some BSD) should be considered.
Regards,
Josh Richard
University of Minnesota Duluth

[1] pfsense, BSD license: http://www.pfsense.org

On Wed, 2009-09-30 at 06:42 -0400, Gary Dobbins wrote:
Hello,

Does anyone know of a good paper on the merits of using PIX/ASA instead of using Linux/iptables?

Thanks
Ron
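As an added example that is not part of the thread and not the University of Minnesota's ruleset, the following shell script emits an iptables-restore fragment showing the marking, NAT and filtering hook points the post refers to (fwmark in mangle/PREROUTING for policy routing, DNAT in nat/PREROUTING, SNAT in nat/POSTROUTING, and the FORWARD filter). The interfaces, addresses, mark value and routing table number are constructed placeholders, and applying the rules requires root.

```shell
#!/bin/sh
# Added example (not from the thread): emit a small iptables-restore ruleset that
# uses the hook points the post mentions: fwmark in mangle/PREROUTING (for policy
# routing), DNAT in nat/PREROUTING, SNAT in nat/POSTROUTING, then the filter table.
# Every address, interface and mark value below is a constructed placeholder.
WAN_IF=eth0            # border-facing interface
LAN_NET=10.10.0.0/16   # internal network
WAN_IP=192.0.2.10      # public address (RFC 5737 TEST-NET-1)
WEB_INT=10.10.5.20     # internal web server reached via DNAT
PBR_MARK=0x10          # fwmark that "ip rule add fwmark 0x10 table 100" would route

# Print the ruleset; nothing is applied by this function.
build_ruleset() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# Restore a saved connection mark, mark new LAN flows, save it for later packets.
-A PREROUTING -j CONNMARK --restore-mark
-A PREROUTING -s $LAN_NET -m mark --mark 0 -j MARK --set-mark $PBR_MARK
-A PREROUTING -j CONNMARK --save-mark
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT publishes the internal web server on the public address.
-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 443 -j DNAT --to-destination $WEB_INT:443
# SNAT rewrites the source of outbound LAN traffic to the public address.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
COMMIT
*filter
:FORWARD DROP [0:0]
# The filter table sees the post-DNAT destination, so allow exactly the two NAT paths.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -d $WEB_INT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Count the "-A <chain>" rules emitted for a chain; a quick sanity check on the ruleset.
count_rules() {
    build_ruleset | grep -c "^-A $1 "
}

# Apply only on explicit request and as root (iptables-restore replaces the tables).
if [ "$1" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    build_ruleset | iptables-restore
fi
```

Run without arguments to review the generated ruleset; `--apply` as root loads it with `iptables-restore`, which replaces the existing mangle, nat and filter tables.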