Firewall, what better? ASA or Linux?

Unanswered Question
Oct 4th, 2009

Hello, i want to compare two schemes of firewalls, one with two Linux (Fedora), firewall1, DMZ, firewall2 and other with Cisco ASA 5500 series (DMZ in a port), what is better for a bank institution?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Jon Marshall Mon, 10/05/2009 - 00:13


That's a bit of a loaded question :-)

There are a number of issues that will help you in the decision

1) Cost - usually top or near the top of the list.

2) Support within company - do you have people within the organisation who can support Linux or support ASA

3) Support from vendor. Many enterprise environments are still unhappy using a "free" distribution and would be happier and feel more comfortable using a vendor like Cisco. Your organisation may or may not be one of them

4) Features - what exactly do you need your firewall to do. Not all firewalls are equal. There will be some things the ASA can do well and some things the linux firewall can do well. You need to draw up a list of all the technical requirements and then match them against the capabilities of the firewalls.

5) Closely tied to 4) is extra capabilities other than just firewalling ie. would you like inbuilt IDS/IPS for example

6) Performance - how much performance in terms of throughput etc. do you need from your firewall.

Those are some of the more important criteria. There is very rarely a simple "this is better than that" answer. You need to work out your requirements both technical and non-techical as per the list above and then decide which one most meets those requirements.


Collin Clark Mon, 10/05/2009 - 05:44

Just to add one thing to Jon's comprehensive post,

7) Being a financial institution, you may be required to have a FIPS compliant firewall. Your audit team can help with the network device requirements. When in doubt I would refer to the DISA standards.

FullTimeWebHosting Tue, 10/06/2009 - 14:12

instead of pointing a solution like Vidyalal_2009, i told you my experience.

in my company i have 12 firewalls.

few in linux, 1 mcafee, 1 junniper, 2 watchguard, and the rest on Cisco Pix 515E, ASA 5510 and ASA5520 with SSM-20.

The thing is i'm not preffer one solution than others.

in the case of the linux i need to have this because in linux i could create rules with BOUNCE target, it's means, if one computer inside of the lan network resolve a site it's located in the same zone, the firewall in the case of pix can't route this packet, in the case of linux it's only requiered to make 2 packet re-writes and it's works.

and so over, pix, asa it's much better firewall than linux in rude mode, when a host attack the perimmeter, only asa, pix with ios 7.2+,8.0+, 8.1+, 8.2+ with mode shun, could stop attacks, try to do with linux the same thing, it's barely impossible.

IMHO, just you need to take approaches what need to do, what need to protect, how much knowledge you got to stablish a good solution, how much money you have to spend in a solution, like hardware or software, but all the time, check all requierements from customers before point a solution.



cisco24x7 Tue, 10/06/2009 - 14:21

"when a host attack the perimmeter, only asa, pix with ios 7.2+,8.0+, 8.1+, 8.2+ with mode shun, could stop attacks, try to do with linux the same thing, it's barely impossible."

I beg to differ, this can be done with Linux via "iptables". Something like this:

iptables -A INPUT -s -j DROP

What is so difficult about it?

Like everything in life, the answer is "it depends". It is not always a black and white answer. Much of it depends on what you're comfortable with.

FullTimeWebHosting Wed, 01/15/2014 - 15:42

i meant try to do the same without see the firewall, ASA could do standalone without any intervention, even with DDoS..

try to put the ipt -A PREROUTING -t nat -s ????? -d ?????? -j DROP ....

what do you put in ????? fields ?

that's what a hardware firewall do.. and a linux box can't do.


This Discussion