Educause Security Discussion mailing list archives

Re: PIX/AS Vs. Linux/IPtables


From: Josh Richard <jrichar4 () D UMN EDU>
Date: Thu, 1 Oct 2009 09:09:20 -0500

I am assuming that the firewall is not on the host you wish to protect,
but on a border of a network or inline in a network path.  On the flip
side, if you are asking if a linux server running iptables is better
than an ASA (L2 or L3) protecting a linux host -- in that case having
the traffic never reach the server is best.  I would recommend both.

We use either Cisco FWSMs (asa like syntax) or iptables.  It depends on
the situation.  The FWSMs are a little soft on resources, especially when
running in multi-context mode.  Testing shows we could not protect our
border (250M feed) without it running out of xlates.  We use iptables
for all of our wireless traffic and it approaches 950M daily.  We plan
to push that service through hardware with 10G networking.  It may
continue to rise.  I expect an ASA could handle >250M, but we have not
tested one in that configuration.

In either case, the correctness of the ruleset is what matters.  For
anything sophisticated (SNAT, DNAT, dynamic rule creation) iptables is far
easier to interface with because you have the presence of optional
programmatic manipulation on the box (Perl, ruby, etc).

Depending on the need, there are easy to use appliance based disk image
projects available.  You can stand up a box with more features than an
ASA on commodity hardware and purchase commercial support if that makes
you comfortable. [1]  We do not use [1], but prefer to run GNU/Linux to
avoid the possible license restrictions.

Regarding feature set parity, iptables is more feature rich as you can
mark, mangle, and filter at many different points in the packet path
through the box.  I find NAT is much easier using iptables than on the
Ciscos.  

To balance the argument, in summary both work well for common case
filtering scenarios.  If you need to perform sophisticated packet
manipulation or handle more complex logic in a traffic path (PBR, SNAT,
DNAT, dynamic rule creation) on a single box iptables on GNU/Linux (or
pf on some BSD) should be considered.

Regards,

Josh Richard
University of Minnesota Duluth

[1] pfsense, BSD license: http://www.pfsense.org

On Wed, 2009-09-30 at 06:42 -0400, Gary Dobbins wrote:
Hello,

Does anyone know of a good paper on the merits of using PIX/ASA
instead of using Linux/iptables?

Thanks

Ron
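As an added example (editor's code, not from either poster and not a configuration from the University of Minnesota Duluth), here is the kind of on-box programmatic rule handling the reply above refers to: a small Python generator that renders a complete iptables-restore ruleset with a DNAT for a published service, SNAT out the border interface, a mangle-table mark on wireless traffic for policy routing, and run-time block additions, followed by a lint pass that catches the most common correctness error in such rulesets, a DNAT with no FORWARD rule that admits the translated flow. The interface names, addresses (RFC 5737 and RFC 1918 ranges), the mark value and the published service are all assumptions chosen for the example.

```python
"""Added example: build and lint an iptables-restore ruleset from Python.

All of the following are assumptions for illustration, not settings from the
thread: WAN eth0 at 203.0.113.10, wired LAN 10.0.0.0/24 on eth1, wireless
10.1.0.0/16 on wlan0, one published web server at 10.0.0.10:8080.
"""
import re
import subprocess
from dataclasses import dataclass, field

WAN_IF, WAN_IP = "eth0", "203.0.113.10"
LAN_IF, LAN_NET = "eth1", "10.0.0.0/24"
WIFI_IF, WIFI_NET, WIFI_MARK = "wlan0", "10.1.0.0/16", 0x10  # mark for an 'ip rule fwmark' PBR entry


@dataclass
class Published:
    """A service reachable on the WAN address and DNATed to an inside host."""
    proto: str
    port: int
    inside_ip: str
    inside_port: int


@dataclass
class Ruleset:
    published: list = field(default_factory=list)
    blocked: list = field(default_factory=list)  # source IPs added at run time

    def block(self, ip: str) -> None:
        """Dynamic rule creation: mutate state, re-render, reload atomically."""
        if ip not in self.blocked:
            self.blocked.append(ip)

    def render(self) -> str:
        nat = ["*nat", ":PREROUTING ACCEPT [0:0]", ":INPUT ACCEPT [0:0]",
               ":OUTPUT ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]"]
        dnat_accepts = []
        for p in self.published:
            nat.append(f"-A PREROUTING -i {WAN_IF} -d {WAN_IP} -p {p.proto} --dport {p.port}"
                       f" -j DNAT --to-destination {p.inside_ip}:{p.inside_port}")
            # The translated flow still traverses FORWARD; match the post-DNAT tuple.
            dnat_accepts.append(f"-A FORWARD -i {WAN_IF} -o {LAN_IF} -d {p.inside_ip} -p {p.proto}"
                                f" --dport {p.inside_port} -m conntrack --ctstate DNAT -j ACCEPT")
        for net in (LAN_NET, WIFI_NET):
            nat.append(f"-A POSTROUTING -s {net} -o {WAN_IF} -j SNAT --to-source {WAN_IP}")
        nat.append("COMMIT")

        mangle = ["*mangle", ":PREROUTING ACCEPT [0:0]",
                  f"-A PREROUTING -i {WIFI_IF} -j MARK --set-mark {WIFI_MARK:#x}", "COMMIT"]

        # INPUT (the firewall host itself) is left open here; it is out of scope for the example.
        filt = ["*filter", ":INPUT ACCEPT [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]"]
        # Blocks go first so that already-established flows from a blocked host die too.
        filt += [f"-A FORWARD -s {ip} -j DROP" for ip in self.blocked]
        filt.append("-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
        filt.append(f"-A FORWARD -i {LAN_IF} -o {WAN_IF} -j ACCEPT")
        filt.append(f"-A FORWARD -i {WIFI_IF} -o {WAN_IF} -j ACCEPT")
        filt += dnat_accepts
        filt.append("COMMIT")
        return "\n".join(nat + mangle + filt) + "\n"


def _opt(pattern: str, line: str):
    m = re.search(pattern, line)
    return m.group(1) if m else None


def lint(ruleset_text: str) -> list:
    """Return (ip, port) DNAT targets that no FORWARD ACCEPT would admit.

    Works on iptables-save / iptables-restore format, so it can be run on the
    output of 'iptables-save' from a live box as well as on generated text.
    """
    table, dnats, accepts = None, [], []
    for line in ruleset_text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "nat" and "-j DNAT" in line:
            m = re.search(r"--to-destination ([\d.]+)(?::(\d+))?", line)
            dnats.append((_opt(r" -i (\S+)", line), m.group(1), int(m.group(2)) if m.group(2) else None))
        elif table == "filter" and line.startswith("-A FORWARD ") and line.endswith("-j ACCEPT"):
            states = _opt(r"--ctstate (\S+)", line)
            if states and not ({"NEW", "DNAT"} & set(states.split(","))):
                continue  # ESTABLISHED/RELATED-only rules do not open a new flow
            port = _opt(r"--dport (\d+)", line)
            accepts.append((_opt(r" -i (\S+)", line), _opt(r" -d (\S+)", line), int(port) if port else None))
    return [(ip, port) for iface, ip, port in dnats
            if not any((i is None or i == iface) and (d is None or d == ip) and (p is None or p == port)
                       for i, d, p in accepts)]


def load(rs: Ruleset) -> None:
    """Replace the live ruleset atomically (needs root and iptables-restore)."""
    subprocess.run(["iptables-restore"], input=rs.render().encode(), check=True)


if __name__ == "__main__":
    rs = Ruleset(published=[Published("tcp", 80, "10.0.0.10", 8080)])
    rs.block("198.51.100.7")
    print(rs.render())
    print("lint:", lint(rs.render()) or "ok")
```

The design point is that the script never edits the live tables rule by rule: every change is a re-render of the whole ruleset plus one atomic `iptables-restore`, so the box is never left in a half-applied state, and the lint runs on the text before it is loaded. The same lint can be pointed at `iptables-save` output from an existing firewall to find DNATs that were added without their FORWARD counterpart.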

