On 5/10/06, Sea <seaeric at gmail dot com> wrote:
> I have a PIX 506E and am looking at a monowall solution mainly because it
> looks a whole lot easier to configure. Has anyone seen any comparisons to
> the Cisco PIX vs. Monowall?

This has come up several times in the past, but things in the PIX
world have changed dramatically since then with the release of 7.0.
But, things with the 506E haven't changed since it doesn't, and almost
certainly never will, support PIX OS 7.

I've been using PIX's since 5.x, about 5 years now. Longer than I've
been using m0n0wall. I work with about as many PIX's as I do
m0n0walls (i.e. a number of both).

Comparing PIX OS 6.x to m0n0wall, the PIX doesn't have many
advantages. Especially on the 506 hardware. m0n0wall is cheaper by
far, and easier to configure. The PIX has application layer gateways
for services like FTP, H.323, etc. that are NAT broken. m0n0wall has
one for FTP, but none of the remaining protocols. That doesn't matter
in the majority of environments, as the remainder of those protocols
are rarely used.

I run failover PIX's at work, with a half dozen perimeter networks.
There are several reasons I wouldn't switch from PIX OS 7.x to
m0n0wall in that situation, but if we're just talking PIX 6.x, the
only thing would be the failover. Failure isn't an option, and buying
two PIX's and the SmartNet contracts to cover them is a whole lot
cheaper than any down time. Most organizations don't have this kind
of mission critical traffic crossing their firewall though, so
downtime for software upgrades and the potential for hardware failure
isn't a big deal.

Oh, the remote access VPN on the PIX blows away what m0n0wall has to
offer today as well.

I'll leave it at that. Remote access VPN would be the biggest concern
of mine if I were considering m0n0wall vs. PIX for a small company
where the Internet connection isn't mission critical (i.e. a brief
outage won't cost you a huge amount of money).