Cisco Support Community
New Member

PIX v. Symantec

Can anyone give me an opinion on the PIX vs. the Symantec Enterprise Firewall? I prefer the PIX but I need to convince some others why it's better...

New Member

Re: PIX v. Symantec

Are Symantec now distributing the Raptor product?

If so PIX is a hardware appliance with hardened unknown OS. Operates at L4 - basically wirespeed.

Raptor is application layer firewall running on NT - slow (more features like Proxy and other *rap) but NT riddled with holes. Application Layer firewalls will always be outperformed by a L4 appliance.

Need I say more?

New Member

Re: PIX v. Symantec

Application firewalls are slower, but they are more secure, since they can inspect at application level. Properly locked down, it's a safer bet - even on NT. That's why they cost so much. PIX is much faster, and it does a good enough job. You may want to look at where you are placing the firewall. If it is protecting the perimeter internet connection, then you would probably want to go w/ PIX, but if you are looking at protecting a sensitive LAN from the rest of the internal network, then a proxy/app. firewall is a good idea.

New Member

Re: PIX v. Symantec

The PIX firewall is built from the ground up to be secure (i.e. it doesn't suffer from vulnerabilities inherent in a 3rd party operating system). With Symantec, every time Windows or Solaris comes out with a new security patch you'll have to schedule downtime on your firewall to apply the patch. Also anytime you need to bounce your firewall it will require several minutes to shut down and come back up. Even though you will rarely need to, the PIX can be bounced in 15 seconds! In a production environment, this can be a lifesaver. If you need to move it, for example.

Another thing, I recently built a VPN between a PIX and a Symantec firewall. We had a router between the two boxes that was performing NAT. This was not a problem for the PIX VPN, but according to Symantec, it was a show stopper. We had to redesign our network and IP routing to accommodate the Symantec firewall.

Speaking of VPN, Symantec as of a month ago still did not have a VPN client for Windows XP, Cisco has had a VPN client available for XP since last year. And another thing, the Symantec VPN client crashed two Windows 2000 notebooks that we tried to install it on, so we switched to the Cisco VPN client and connected to our PIX instead (no problems on the same notebooks).

And lastly, in case it comes up, the PIX does have a GUI interface now that can be accessed via a web browser. Just in case it's the command line that is scaring your co-workers.

Good luck, I sincerely hope you get a PIX so you don't have to go through some of the headaches I have had with Symantec.
