 From:  "Chris Bagnall" <m0n0wall at minotaur dot cc>
 To:  "'Chris Buechler'" <cbuechler at gmail dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] PIX vs m0n0wall testing -- requesting input (was: Re: [m0n0wall] Re: Re: Re: to Wrap or to Soekris that is my question? What about VIA?)
 Date:  Sat, 18 Dec 2004 14:35:55 -0000
> http://m0n0.ch/wall/docbook/faq-performancespecifications.html

Has anyone done similar tests using generic PC hardware? I noticed all of
the m0n0 box specifications on that page are WRAP/Soekris boxes, which,
let's be honest, are lower specifications than even PCs of 4 or 5 years ago.

> From 'sh ver':
> Hardware:   PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
> But match them up dollar for dollar (that's a ~$2500 USD 
> firewall)

Seems to me that with nearly all Cisco stuff you're paying 75% of the price
for the little badge on the front that says "Cisco". The hardware isn't
anything spectacular, and based on my (admittedly rather limited)
experience, the things are a bitch to program compared to a m0n0wall, which
I'd feel quite happy about guiding a client through rule configuration over
the phone. Don't think I'd want to guide them through editing a PIX's config
over the phone.

> > So, I'm asking this list, what testing should we do?

I must confess to being rather cynical about these Soekris and WRAP
platforms. If you shop around you can find very compact PCs these days that
still run on mostly standard hardware (just about all the
Biostar/Iwill/Shuttle SFF boxes, for example). Given that Sempron chips in
the 2200+ to 2600+ range are currently around £40 (that's probably around
$70 - no doubt they're cheaper over the other side of the pond anyway), for
under £200 you'd have an SFF box with an onboard NIC (some of them have 2
onboard, shop around). Nearly all these SFF boxes have at least one PCI
slot, so shove a dual-port Intel Pro/100+ card into there and you've got a
*very* fast platform to work with. For about the same price as a complete
Soekris/WRAP configuration you've got a compact PC with many times the
processing power, and the ability to upgrade to gigabit cards in the future
if/when required.

I'd be very interested to see how m0n0wall performs using a reasonable
budget on standard PC hardware (not dissimilar from what I've listed above).
If the PIX still beats it on routing performance I'd be quite surprised (and
somewhat upset ;-) ).

It might also be interesting to see how m0n0wall performs on $2500 USD of
hardware (i.e. standard PC in a 19" 1U or 2U chassis, which is what most
"enterprise" clients are probably after). Perhaps one of those Supermicro
P4-based 1U servers might be a good test platform? But even they're only
about $1000 for something fairly near the top of the range.

On the other hand, when most organizations are still running with net
connections under 10mbps, does raw throughput really matter all that much?

To my mind m0n0wall's greatest advantage is its ability to run quite happily
on standard PC hardware. That's good for my clients in that they can use an
old, retired PC for the task with just a few modifications (mainly a couple
of extra NICs) and good for the environment (fewer PCs being dumped). There
must be thousands of old PCs out there that have gone past their usefulness
as office machines but would still make perfect firewall/routers. Software
like m0n0wall gives them a new lease of life.


C.M. Bagnall, Partner, Minotaur
Tel: (07010) 710715   Mobile: (07811) 332969   ICQ: 13350579
AIM: MinotaurUK   MSN: minotauruk at hotmail dot com   Y!: Minotaur_Chris
This email is made from 100% recycled electrons