PIX vs. Smoothwall
If you could have a PIX 501 or Smoothwall as your firewall/NAT device which would you choose? Main concern being security and configurability, not price or ease of use.
I am thinking of replacing my Smoothwall and just wondering if it is a step up?
Smokeys
06-06-06, 07:24 PM
A PIX is a high-end firewall which can do some pretty neat stuff, not to mention the software has been rigorously tested for performance and security.
Smoothwall is a Linux distro hacked together by some people in their basements.
What I'm trying to say is that we need more information about the network you want to put this in front of so that we can make an educated suggestion instead of blindly recommending things.
su root
06-06-06, 08:11 PM
A Linux firewall & NAT is a layer 4 filter... you can permit or deny traffic based on any layer 2 (MAC), 3 (IP) or 4 (TCP) info. For non-IP protocols, you have very little control... usually allow or deny. Linux firewall & NAT is somewhat hardened against network-based attacks, but occasionally has issues with flooding and too many half-open connections, depending on the kernel.
Cisco PIXes are layer 7 filters. They can detect attacks on applications and react to them. They also filter out known vulnerabilities and attacks (fix-ups). Cisco PIXes are very hardened against network-based attacks; there are imposed limits on flooding or half-open connections, so the system can continue operating while closing the invalid connections.
I'd say PIX hands-down. Cisco has some new ASA models that are quite nice as well; ASA is PIX + shiny new features. Third place would be a Cisco router with an IOS Firewall. In my books, Linux firewall & NAT gets beat out every time if I can use expensive Cisco gear :)
synthetic_fenix
06-06-06, 08:54 PM
Yes, my vote would be for the PIX; we have a few of those PIX 501s at the company I work for. We use them for some of our customers and they are very nice, and are surprisingly easy to set up and maintain. But the one problem you will have is that if you want to view the logs, you will need a syslog server, as it does not keep its logs locally.
AMD Phreak
06-07-06, 12:08 AM
PIX hands down due to you listing configurability. You can make a PIX do anything you want in terms of filtering, it all depends on how much time and money you have to throw at it. There is also a heck of a lot of support for Cisco equipment.
klingens
06-07-06, 01:02 AM
Linux can filter up to Layer7 too: http://l7-filter.sourceforge.net/
hitokiri_808
06-07-06, 06:42 AM
If cost was no concern, I would go with the PIX.
I've grown to like Microsoft ISA Server. I haven't played with everything yet, but it does tons of stuff. It also does some pretty good layer 7 filtering. Block specific applications, spam, viruses, etc.
su root
06-07-06, 07:36 AM
Linux can filter up to Layer7 too: http://l7-filter.sourceforge.net/
Ooh, this looks interesting.
Still, I'd go with a PIX... this looks like it can only identify packets of certain protocols; the PIX can do that (perhaps not as well on new or changing protocols, but it has more experience with older ones), and has the ability to detect application-layer attacks, some known exploits, etc., and stop them. This is a big step forward for Linux though.
Really it is only for my home network. I am currently using a Smoothwall for routing between my LAN and the net, NAT, firewall, etc. I know a PIX can do all of that stuff for me too, and I wanted to get some experience with them as I am moving into a position where I will need to work with them.
So I guess I will be looking into buying a 501 when I have the cash. It does look pretty simple to set up: connect the WAN to port 0 and uplink to a switch on one of the built-in switch ports. Does it work well with dynamic IPs from the ISP? I will need it to grab an IP, mask, and DNS server for me. Anything else that I should know before hooking it up to a home cable service in terms of odd configurations?
Thanks again
su root
06-07-06, 11:17 AM
I would highly recommend getting some training on it instead of buying one and diving right in. At least know how to:
* Name an interface and set its security level
* Bring up an interface
* Assign an IP to an interface
* Save, view, and restore configurations
* Enable/disable and configure telnet/ssh/console port access
* Enable password encryption
* Configure NTP or set the clock
* Disable unneeded services (cdp, multicast, mroute-cache, proxy-arp, route-caching, source-routing, ip redirects, finger, tcp and udp small-services, etc.)
* Enable/disable HTTP and SNMP servers
* Create a basic ACL and apply it to an interface
* Configure NAT
* Configure Statics & Conduits
And that's only the tip of the iceberg... there's also configuring DHCP, creating firewall rules, application filtering, fix-ups, users & privileges, logging, VPN, remote authentication sources, etc., etc., etc.
I'd highly recommend using the command line for as much as possible, as that's likely what you'll be using on the job... I know of no one who takes the web GUI seriously as a configuration method. If you haven't used one before, then I'd recommend either getting training, or just testing and playing with it first... not actually using it until you understand how it works and how to configure it.
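As an added example (not from the thread or any poster), here is a starting PIX 501 config that walks the checklist above, including the poster's earlier question about a DHCP-assigned outside address and the point that the 501 needs a syslog host. PIX OS 6.3 syntax is assumed; the hostname, LAN addresses, passwords and the syslog/NTP host are made-up placeholders.

```cisco
! Constructed PIX 501 starting config (PIX OS 6.3 syntax assumed); adjust addresses for your LAN
hostname pix501
! Name the interfaces and set security levels: outside untrusted (0), inside trusted (100)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! Bring the interfaces up (appending "shutdown" to either line takes that interface down)
interface ethernet0 10baset
interface ethernet1 100full
! Outside learns IP, mask and default route from the cable provider's DHCP; inside is static
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
! Both passwords are stored hashed in the saved config
enable password ChangeMeEnable
passwd ChangeMeLogin
! Hand out LAN addresses and relay the ISP-learned DNS servers to LAN clients
dhcpd address 192.168.1.10-192.168.1.40 inside
dhcpd auto_config outside
dhcpd enable inside
! PAT every inside host behind the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
! Unsolicited inbound traffic is denied by default; this ACL just makes that explicit
access-list outside_in deny ip any any
access-group outside_in in interface outside
! Management: SSH from the LAN only, no telnet entries, PDM web server left disabled
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
! The 501 keeps no logs on disk, so ship timestamped messages to a LAN syslog host (placeholder)
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.10
! Clock source so log timestamps can be trusted (placeholder NTP server on the LAN)
ntp server 192.168.1.10 source inside
! Save the running config to flash
write memory
```

Check the outside lease with "show ip address outside dhcp" and confirm messages reach the syslog host before relying on it for troubleshooting.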
fUzZ bUnNy
06-07-06, 12:52 PM
http://www.amazon.com/gp/product/0782142877/sr=8-10/qid=1149702044/ref=pd_bbs_10/002-1889673-6606401?%5Fencoding=UTF8
http://www.amazon.com/gp/product/1597490040/sr=8-1/qid=1149702044/ref=pd_bbs_1/002-1889673-6606401?%5Fencoding=UTF8
I would look into getting a book to help you learn more about what you want to do. I have and am using the CCNA book written by the same guy as the top one and I have found it rather good, but we will know when I sit down and take the CCNA exam.
The one on the bottom is 2 years newer than the top. So that top should get you started on configuring a PIX and the bottom will take beyond that.
Personally, I would play with both systems. I have all kinds of stuff that I use, and having it and getting your hands on it is important. I would also get the Layer 7 filter up and running on SW or IPCop, and start playing around with setting new filtering rules, adding services, etc. Finally, I would also try m0n0wall or pfSense as firewalls/routers. Last but not least, I would keep both in case you want to switch to the PIX and then something goes wrong, or you have a bad rule written, or you forgot to put in no shut after configuring an interface, or you forgot that for a /30 network it is .252, etc. That way, you can have smoothywall back up in no time while you work on fixing the PIX.
su root
06-07-06, 01:07 PM
on a router, to bring up and down an interface run these on the line or IF:
Up: no shutdown
Down: shutdown
on the PIX, run these in general config:
Up: interface ethernet0 100full
Down: interface ethernet0 100full shutdown
Yeah, I am pretty comfortable with the CLI. I have my CCNA and spent plenty of time messing around with routers and doing all sorts of configurations. The only problem is, as mentioned, the PIX uses different commands, although just reading through some samples on Cisco I was able to get a pretty good idea of what was going on.
I will buy a book on it first, read up on Cisco.com all I can find, and then buy the device. Basically my goal is to have a fully Cisco network for my home network. Right now that means getting a PIX (maybe another router too to go before it) and an AP. I just need to get studying on those devices as they aren't covered for CCNA.
I think it is a shame that they aren't, as in today's networks they are pretty standard devices and one should be familiar with them. Wish Cisco would include them in the material.
su root
06-07-06, 11:00 PM
Cisco has another line of training and certification specifically for PIXes and security (CCSP). They went and rearranged the netacad site since I've last logged in, but it looks like the netacad course is "Network Security".
The PIX is very different from a router... a router uses the IOS operating system and its chief job is to route packets. (Firewall IOSes are more tuned to do filtering, but are still a routing system.) The PIX uses the Finesse operating system; it does not route packets, instead it NATs them (or PATs them, or proxy-ARPs them, depending on the configuration).
It's a whole new set of commands, and a different CLI. Cisco APs also have a different configuration method... left over from a previous purchase, it's a menu-based CLI (you can still get to the IOS-style CLI though).
Yeah I realize that. I still think it would be nice if the CCNA had a brief mention of the devices, even if just to mention some very basic things.
I will check out the netacad and see what the course has about PIXes. I will definitely be replacing my Smoothwall with one in the near future.