On Thu, 16 Dec 2004 18:04:30 +0100, Robert Depenbrock <robert at bay13 dot de> wrote:
> > I'm a Cisco nut myself, but I'll take a m0n0wall over a PIX any day.
> Why? :)
Rule re-ordering is a huge pain on the PIX, though not nearly as bad
as it used to be before implementing line numbers in ACLs, but still
not as easy as clicking up or down in m0n0wall (or the new method in
1.2b3, which is even better).
Initial setup of a PIX, while not difficult for those of us that have
done it dozens of times, is still much more work than getting m0n0wall
up and going.
m0n0 to m0n0 IPsec is more stable in my experience than Cisco to
Cisco, though that could be ISP differences as much as the software,
not sure on that.
PIX Device Manager (PDM), the web GUI, is the biggest piece of crap
I've seen. It may have improved recently (I haven't touched it in a
year), but I've reconfigured (from scratch) PIXes for a couple of
clients because they got into PDM and ended up trashing their
configuration to the point that I wasn't sure what had changed to
break it. I'm sure some of them did some things they shouldn't have,
but the only time I ever seriously messed around with PDM (without
changing much of anything), it also completely trashed the config. I
haven't touched PDM since.
PIX actually has some of the same limitations, like this specifically.
http://m0n0.ch/wall/docbook/faq-lannat.html Cisco calls that
limitation a "security feature". Hah, talk about a load of crap.
Maybe I should change that FAQ page to say it's a "security feature"
in m0n0wall. :) I've heard rumors that's going to be fixed in the
upcoming PIX OS 7.
The only major advantage the PIX has is its ALGs, i.e. the 'fixup protocol'
stuff. There are other features, but the vast majority of
installations don't use or need them.
Overall, the PIX is a really overpriced box for what you get. Nothing
really spectacular about it. But slap Cisco on something and it's
instantly 3x more expensive than it should be, and trusted
unconditionally in enterprise environments.
All this from the guy that's usually the first to defend Cisco. :)
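As an added illustration of the line-number ACL editing the post refers to (this is not part of the original message, and the ACL name `outside_in`, the interface name `outside`, and the RFC 5737 documentation addresses are assumptions), PIX 6.3 software lets you insert an entry at a given position with the `line` keyword instead of deleting and re-entering the whole list:

```cisco
! Assumed PIX 6.3 configuration; names and addresses are illustrative.
! ACL entries are evaluated top to bottom, first match wins, so order matters.
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in deny ip any any log
access-group outside_in in interface outside
!
! Insert a new entry as line 2. The existing 443 entry and the deny
! shift down to lines 3 and 4; nothing has to be re-entered.
access-list outside_in line 2 permit tcp host 198.51.100.7 host 192.0.2.10 eq 22
!
! Remove a single entry by repeating it with "no"; the remaining lines
! are renumbered automatically.
no access-list outside_in permit tcp any host 192.0.2.10 eq 80
!
! Check the resulting order and hit counts before trusting the change.
show access-list outside_in
```

Without the `line` keyword a new entry is appended to the end, which on a list that ends in an explicit deny means the new rule never matches; always confirm placement with `show access-list` after editing.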