Don't forget cost. Cisco=left arm, IPTables=zippy

Brian Vosburgh
WHS Network Engineering
Work: 703-614-4888
Cell: 703-867-2317

"Life isn't about success. It's about significance." - Michael Slaughter

-----Original Message-----
From: Joerg Mayer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 20, 2002 4:54 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Netfilter vs. Cisco PIX

On Tue, Mar 19, 2002 at 12:21:29PM +0000, [EMAIL PROTECTED] wrote:
> I'm looking for some comparison between the featureset found in the Cisco
> PIX vs. Iptables. Anyone have any pointers? :)

OK, I'm too lazy to actually look things up for either iptables or PIX,
so any additions and corrections are more than welcome.

PIX better:
- failover, and if you want it, even stateful failover
- DNS content inspection (don't accept additional answers)
- always change tcp sequence numbers (even without changing addresses)
- additional protocols (not sure here)
  + h323 (is iptables support complete?)
  + sqlnet
  + sip
  + sccp (ciscos ip phone version of sip)
  + netbios/smb/pipe$ support
  + rtsp (?)
  + probably more
- good integration with snmp
- hardware support for ipsec (?)

Iptables better:
- subroutines (or -tables :) -> easier to manage
- additional protocols (not sure here either)
  + irc
  + talk/ntalk
- source available, so you may add your own modules for conntrack and or nat
  (but the PIX still has support for many more protocols)
- more supported interface types, including wan/dialup interfaces
- ssh v2
- load balancer
- traffic shaping/QoS

Both:
- IDS sensor
- IPSEC
- snmp
- lots of interfaces
- rule updates without losing connections
- ssh access
- good support on bugs

Ciao
    Jörg
--
Joerg Mayer <[EMAIL PROTECTED]>
I found out that "pro" means "instead of" (as in proconsul).
Now I know what proactive means.
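The "subroutines" Jörg credits to iptables are user-defined chains, and the "rule updates without losing connections" point rests on the fact that conntrack state lives outside the rule tables, so an atomic iptables-restore reload does not drop established flows. The following is an added example, not part of the thread above: an iptables-restore ruleset that factors the stateful checks into one shared chain and splits policy per direction, plus a small awk-based lint that checks every -j target is a built-in or a chain declared in the file (a common way to break a reload is a typo in a chain name). Interface names (eth0 outside, eth1 inside), the port policy, and the lint function itself are constructed for illustration; nothing here touches a live firewall, and loading the ruleset with iptables-restore is left to the reader.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed: eth0 is the outside
# interface, eth1 the inside one; the allowed ports are a constructed policy.

# Print an iptables-restore ruleset. Lines starting with ':' declare chains
# (built-in chains carry a policy, user-defined ones carry '-').
ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:STATEFUL - [0:0]
:FROM_OUTSIDE - [0:0]
:FROM_INSIDE - [0:0]
# Shared "subroutine": pass established/related flows, drop invalid state.
# Called first from INPUT and FORWARD, so a reload keeps live connections.
-A STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
-A STATEFUL -m state --state INVALID -j DROP
-A INPUT -j STATEFUL
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -j STATEFUL
-A FORWARD -i eth0 -o eth1 -j FROM_OUTSIDE
-A FORWARD -i eth1 -o eth0 -j FROM_INSIDE
# Inbound policy: only new SMTP connections reach the inside.
-A FROM_OUTSIDE -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A FROM_OUTSIDE -j DROP
# Outbound policy: web and DNS only; everything else is rejected.
-A FROM_INSIDE -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A FROM_INSIDE -p udp --dport 53 -m state --state NEW -j ACCEPT
-A FROM_INSIDE -j REJECT
COMMIT
EOF
}

# Read a ruleset on stdin; exit 0 if every '-j' target is a built-in target
# or a chain declared with a ':' line, otherwise list the offenders and exit 1.
lint_ruleset() {
    awk '
    /^:/ { sub(/^:/, ""); declared[$1] = 1; next }
    /^-A/ {
        for (i = 1; i <= NF; i++)
            if ($i == "-j") jumps[$(i+1)] = 1
    }
    END {
        split("ACCEPT DROP REJECT RETURN LOG", b, " ")
        for (k in b) builtin[b[k]] = 1
        bad = 0
        for (t in jumps)
            if (!(t in declared) && !(t in builtin)) {
                print "undefined chain: " t
                bad = 1
            }
        exit bad
    }'
}

# Usage: lint the embedded ruleset before handing it to iptables-restore.
ruleset | lint_ruleset && echo "ruleset OK: every jump target is defined"
```

To apply it, run `ruleset | iptables-restore` (or lint it first, as the last line does); iptables-restore replaces the whole filter table in one step, and because connection-tracking entries are kept separately from the rules, flows already matched by the STATEFUL chain continue to pass after the reload.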
