Full Disclosure mailing list archives
Re: Suggestion for IDS
From: Valdis.Kletnieks () vt edu
Date: Wed, 28 Sep 2005 13:42:49 -0400
On Wed, 28 Sep 2005 17:48:59 BST, "Paul S. Brown" said:
> I suspect the argument here has to be cost-for-cost - in the price range for a decent beefy OpenBSD box you aren't going to be using FWSMs, and I can quite believe that the PIXen in that price range don't perform - the PIX 501 is specced at 60MB/s throughput and the cheapest retail price I can find for it is $678 for the unlimited license version - for the same money you can get a beefy PC which will push quite a bit more than 60MB/s
http://www.dealtime.com/xPO-Cisco_PIX_Firewall_501_PIX_501_BUN_K9 has at the moment 4 quotes from $449 all the way down to $382 including shipping. That's the first non-CISCO, non-sponsored link I got googling for 'PIX-501'.

http://stores.tomshardware.com/search_getprod.php/masterid=515798// has a 50 user bundle for $489. http://stores.tomshardware.com/search_getprod.php/masterid=923020 has a 50->unlimited upgrade for $158. Add to previous for $647.

A lot of sites don't need the "unlimited" license, because they don't have over 50 IPs on the LAN.

And remember to calculate the TCO - you roll-your-own PC for under $400, you're not going to be getting as much beefy, and I didn't see any discussion of what a PIX admin will cost you versus the expense of finding an OpenBSD person - especially down in the "We only have 10-25 people with PCs" arena where you'll be lucky to have a budget for a McSE (you want fries with that?)

(In the interests of fairness, you don't need much beefy if you're Cisco - the listed technical specs on the innards of the PIX-501:

Processor: 133-MHz AMD SC520 Processor
Random access memory: 16 MB of SDRAM
Flash memory: 8 MB
System bus: Single 32-bit, 33-MHz PCI

Comparing the rated 60Mbytes/sec with that system bus, and the fact that traditional designs will require at least 2 PCI accesses per (one inbound from ethernet to memory, and one outbound from memory to the ethernet), and it becomes clear that there's some major black magic - 2 PCI cycles per only leaves them 6MBytes/second of PCI bandwidth (and more importantly, also means that you need to have enough smarts to keep the inbound pipe drained and the outbound pipe full all the time....)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/