hi!
i cannot resist giving a few comments on the PIX/ASA...
but first you should have a look at
http://www.openbsd.org/lyrics.html#35
about the Monopoly of Cizzz-coeee.

On Mon, Nov 05, 2007 at 02:26:48PM -0500, Brian A Seklecki (Mobile) wrote:
this concept of interface levels is something that is causing
headaches for generations of PIX admins... there are certain
limitations between interfaces of different levels, and the PIX
doesn't even support VLANs; you have to use a physical interface per
LAN.
> - PIX/ASA is going to guarantee easily setup and functional Hybrid-XAUTH
OpenBSD's isakmpd does not support XAUTH yet, but the IPsec
configuration on PIX is neither easy nor functional; this concept of
using access lists for phase 2 policies (flows) and all the
dependencies of different types of CLI rules for IPsec is just really
bad.
> - PIX has functional object-groups/group-object inheritance
it is not functional, it is an attempt to make the access lists more
usable. OpenBSD's tables, macros, etc. provide a much better
interface.
> - PIX/ASA has proprietary serial console fail-over (which is marginally
yeah, and you have to run both systems in the same rack; it is
impossible to put the systems in physically different locations.
> - PIX/ASA has some magical black-box inline transparent protocol
this should only matter in the NAT case and is provided by our pf
proxies and relayd(8), but they're not magical. we're working on
supporting more protocols in this case.
> - PIX has a 4 hour SmartNet support contract option
there are OpenBSD-based appliances with suitable support contracts.
> - PIX/ASA has a SNMP MIB tree (Which we are working to catch up on)
snmpd(8) will support a few more MIBs, but it is still the goal to
keep it small.
> I don't know about ASA, but the 5xx PIX doesn't support IPv6
like the Lucent boxes and many other systems. and even if they
support IPv6, they do it in a very basic way, sometimes not even
statefully.
>
and more:
- PIX/ASA require additional licenses for more users/cryptos/keystrokes/...
- Newer releases of ASA (8+) are based on Linux 2.6... it turned into
just another Linux UTM box.
reyk
> ~BAS
