PIX vs. Router solution

My concern is scalability. Our company is growing very fast and I don’t want to be locked into a system that won’t allow us all of the flexibility we need. How does a PIX firewall solution compare to Cisco-IOS based (router) VPN solution? Which is more scalable?

New Member

Re: PIX vs. Router solution

Both have their advantages. Depending on what platform you have for the router, the PIX may or may not be the faster box. Please look at the following doc for PIX performance figures:

Coming back to your question, if you have a 7100, the posted performance figures for that with hardware acceleration are around 90 MBPS with ESP 3DES. That is pretty fast; faster than the PIX 520. So it really depends what router you have in mind. If your needs are to have a PIX in place as a firewall anyways, and your VPN usage is minimal based on the PIX performance figures in the URL above, then you should go for the PIX. Otherwise, the Altiga concentrator or the compatible concentrator or the 7100 with the accelerator card may be the answer to your needs.

New Member

Re: PIX vs. Router solution

I think the PIX solution is just as good as an IOS-based IPSEC solution. On one hand, IOS is definitely more scalable for raw processing power and integrating all network solutions on a single type of network device. On the other hand, the PIX allows you to separate out control of security-based services, leaving your routers to route packets (what they do best). So I think it is mostly an organizational decision. IPSEC on the PIX and under IOS are similar in functionality; however, you can set up Baltimore digital certificates under the PIX, and IOS IPSEC only supports VeriSign, Entrust, Microsoft CA, and iPlanet/Netscape CMS.

New Member

Re: PIX vs. Router solution

On the other hand, what you may be worried about is support for IPSEC under Windows 2000. The PIX currently (software version 5.2.1) does not support IPSEC under Windows 2000 (L2TP support for the PIX is slated in version 5.3 software) nor does the Cisco VPNClient software work under Windows 2000 (it is slated to be released by EOY 2k as the Cisco Universal VPN Client). So, if you want to use your IPSEC client as Windows 2000 to the PIX, this is not an option.

What you can do at this point is either:

a) Use Windows 2000 L2TP and IPSEC with Cisco IOS 12.0(6.0.1)T and above. Make sure you use the T train of IOS, and get the 3DES encryption feature set. Use a CA and digital certificates for your key management as ISAKMP/IKE is weak/vulnerable to cookie-based and other attacks.

b) Set up Windows 2000 to act as a native PPTP client to the PIX. If you choose to do this, it is highly recommended that you turn on MS-CHAP v2 (only) and use MPPE as the data encryption. For passwords, you may be vulnerable if you do not use a highly aggressive password scheme to at least meet the following criteria:

14 characters minimum

Using at least 2 of each: lowercase letter, uppercase letter, number, number symbols !@#$%^&*() and other symbols `~-_=+[{]};:'",<.>/?\|

Containing no words found in any dictionary

For further details and reasoning, see
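
The password criteria listed in the post above, written as a checker. This is an added example, not part of the original thread; the word list is a small constructed stand-in for a real dictionary, and matching words of four or more letters as substrings after undoing common character substitutions is an assumption about how to apply the "no dictionary words" rule.

```python
import string

MIN_LENGTH = 14      # "14 characters minimum"
MIN_PER_CLASS = 2    # "at least 2 of each"

# Character classes exactly as listed in the post.
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "number": string.digits,
    "number symbol": "!@#$%^&*()",
    "other symbol": "`~-_=+[{]};:'\",<.>/?\\|",
}

# Constructed sample list (assumption); load a real dictionary file in practice.
SAMPLE_WORDS = {"cisco", "tunnel", "router", "firewall", "password", "secret"}
MIN_WORD_LEN = 4     # assumption: ignore very short words to limit false hits

# Assumption: undo common look-alike substitutions before the dictionary check.
LEET = str.maketrans("01345@$", "oleasas")


def check_password(candidate, words=SAMPLE_WORDS):
    """Return the list of criteria the candidate fails (empty list = passes)."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if sum(1 for c in candidate if c in chars) < MIN_PER_CLASS:
            failures.append(f"fewer than {MIN_PER_CLASS} {name} characters")
    folded = candidate.lower()
    plain = folded.translate(LEET)
    for word in sorted(words):
        if len(word) >= MIN_WORD_LEN and (word in folded or word in plain):
            failures.append(f"contains dictionary word '{word}'")
    return failures


if __name__ == "__main__":
    # Constructed sample candidates.
    for pw in ("Tunnel2000!", "P@$$w0rd-Xy_12", "qX7#vR2)z~Lk=9m"):
        result = check_password(pw)
        print(pw, "->", "OK" if not result else "; ".join(result))
```
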

New Member

Re: PIX vs. Router solution


Both solutions are very reliable. If you have only an IP-based network, the PIX solution is a very good solution and allows a lot of functions. But if you want a really scalable solution, I think a router-IOS based VPN is more scalable, based on:

1. PIX doesn't support multicast or broadcast traffic on IPSEC tunnels,

2. GRE tunneling supported by IOS-based VPN solution is more powerful than IPSEC tunneling,

3. Routers also permit the use of MPLS, RSVP, DLSW+ for QoS,

4. Routers support routing protocols like EIGRP or OSPF,

And I think that's it.

If you want more analysis feel free to send me an email.


