I am afraid that the statement is true. The lower PIXes (515, 535) are dumb PCs, except maybe for the FW module. Look at the console when you reboot the PIX; it will show the BIOS that anyone can see on a Taiwanese-made PC. It is a PC. And anyone can build a PIX from a PC also. They call it FrankenPIX.
Anyone have market research on the firewall segment? How big is the pie for Cisco's PIXes compared to Netscreen devices or Nokia+Checkpoint solutions?
Disclaimer - I am a netscreen shareholder
Netscreen is probably one of the fastest growing companies in the security space. I don't think Cisco is doing too poorly, however. Checkpoint might be losing market share, but the market is still probably growing. Cisco and NSCN have been battling it out with small units - 501's vs. 5(xp)'s. Even the 506e and 515e are interesting low-mid tier refreshes (probably necessary due to the tough competition). I think these two companies are selling tons of small units, and I distinctly do not get the impression that Checkpoint has anything comparable.
Back to the original poster - although Netscreen pumps out some fascinating ASICs, Cisco has optimised the *heck* out of what is truly just commodity x86 hardware in the PIX OS. For raw throughput, both make good products. Now, if you want your firewall to do lots of things higher up the protocol stack, then you really need to create a feature matrix and decide what is important to you, but at the stateful packet inspecting layers, both companies' products fly.
Do you know where I can find out more about this "FrankenPIX" or maybe build my own? Do the 515-535 actually have hard drives and stuff? Are the little 501 and 506es PC based too?
The market research I've done shows PIX & Checkpoint #1 and #2 respectively. Checkpoint owns the application layer and the GUI, but Cisco still owns the enterprise networking market. Netscreen is #3 but is gaining on PIX very fast. If Cisco doesn't start showing a little hustle, Netscreen will probably take their market share.
Netscreen has a very aggressive sales strategy and it's working. Compared side-by-side, the PIX is slightly better, faster, and cheaper, but the people who are buying firewalls just know that the PIX is hard to manage and they want the flashy web GUI (which is actually quite good) of the Netscreen. Also, the Netscreen ASIC VPN blows the doors off of everyone else, incl. PIX, Checkpoint.
FrankenPIXes are PIX 520 clones, which are 3U-high beasts. They use a certain Intel-branded BX chipset motherboard, with a Pentium 2, iirc. All PIXes use flash memory (old ones booted off of a floppy), no HDD - in fact a 520/FrankenPIX will allegedly hang at boot if a HDD is plugged in. FrankenPIXen use a Cisco-brand flash card - I forget if it is ISA or PCI. You want the 16MB version to run current PIX OS, and that can be pricey. All in all, it can be a cheaper way to build a 3 interface/failover lab than buying used 515s. If you were to use one in a production network, Cisco would probably hit you with a hammer.
Oh, you mean the only packet filter manageable via a GUI?
In test results the PIX completely knocks out the Netscreen, especially with NAT enabled, so I think it's just a stupid statement to conclude that the PIX is just a dumb PC. And then, if it was? Then it's one hell of a fast and stable "dumb" PC, with far fewer security vulnerabilities.
*most evil grin*
But seriously, Netscreen is also a good product, although I would rather use Cisco PIX. To see for yourself in a good independent test, look at the test results of Network Computing at the following URL:
It's in fact an article consisting of 9 pages, so it can take a while to read.
Good luck and kind regards,
I use the Netscreens for VPN purposes, both site-to-site and client. I've used PIX, Nokia/CP and Avaya for VPN as well, and the Netscreen just blows them away in that arena, as well as in ease of configuration. The PIX GUI is still immature, and if you have an existing CLI configuration the PDM seems to want to rewrite it, and in some cases will even apply null rules. Which is bad. But the charts on the home page of the latest version of PDM are pretty!
I know this is off the 'asic vs. PC' topic a bit, but from a pure firewall perspective - the Portus firewall from Livermore Labs bears mentioning. Check it out..
I really like the Netscreen firewalls. Their client VPN solution is a little weak, but they have awesome features like QoS and traffic shaping thrown in.
The lack of ASIC based acceleration in a Pix is true. That doesn't necessarily make the Netscreens better. The 3DES throughput is generally better on a comparable Netscreen than a Pix due to its ASICs. Is that really helpful though for medium and small organizations? Or even most large? For example, what customer with a 515E needs to move more than 63Mbps of 3DES traffic? The new VAC+ can move 140 Mbps of 3DES traffic. A "better" feature isn't "better" unless you can use it.
Of course, the FWSM is the Pix code in a 6500 module that does make use of ASICs to provide it with 5Gbps of throughput. Now that's blazing!
The features are why I still choose a PIX for my customers over Netscreen. The fixup functionality is second to none in supporting many applications through PAT/NAT that normally "can't" be supported, such as H323 and SCCP. TCP sequence randomization. Bi-directional NAT. Troubleshooting a PIX is a snap due to its excellent logging.
The Netscreens are usually a little cheaper for the low-end models than a comparable Pix. If you're looking to deploy a managed firewall solution for a customer as an ISP or MSP, the Netscreens are much better as you can have many virtual firewalls that can be managed independently per-customer on a single device using their 1000 and higher models.
One test I haven't seen that would be very useful is a measure of latency between the firewalls. With IPT/VoIP, Video conferencing, and iSCSI/FCIP becoming common solutions, this can be a differentiating factor.
If you have a customer that needs a cheap firewall for basic NAT and stateful inspection for basic web surfing, then the Netscreen is probably a better choice because it's a little cheaper. NOT because of ASICs. The ASICs get you nothing for the low-end to medium customers. An exception may be a customer with multiple Ethernet interfaces that moves a lot of traffic between them, such as a DMZ with a web server that gets backed up through the firewall or replicates a lot of data.