Re: [Full-disclosure] Suggestion for IDS

Valdis.Kletnieks_at_vt.edu
Date: 09/28/05

  • Next message: Michael Holstein: "Re: [Full-disclosure] Suggestion for IDS"
    To: "Paul S. Brown" <pol@geekstuff.tv>
    Date: Wed, 28 Sep 2005 13:42:49 -0400

    On Wed, 28 Sep 2005 17:48:59 BST, "Paul S. Brown" said:

    > I suspect the argument here has to be cost-for-cost - in the price range for a
    > decent beefy OpenBSD box you aren't going to be using FWSMs, and I can quite
    > believe that the PIXen in that price range don't perform - the PIX 501 is
    > specced at 60MB/s throughput and the cheapest retail price I can find for it
    > is $678 for the unlimited license version - for the same money you can get a
    > beefy PC which will push quite a bit more than 60MB/s

    http://www.dealtime.com/xPO-Cisco_PIX_Firewall_501_PIX_501_BUN_K9
    has at the moment 4 quotes from $449 all the way down to $382 including shipping.
    That's the first non-CISCO, non-sponsored link I got googling for 'PIX-501'.

    http://stores.tomshardware.com/search_getprod.php/masterid=515798//
    has a 50 user bundle for $489.

    http://stores.tomshardware.com/search_getprod.php/masterid=923020
    has a 50->unlimited upgrade for $158. Add to previous for $647.

    A lot of sites don't need the "unlimited" license, because they don't have
    over 50 IPs on the LAN.

    And remember to calculate the TCO - you roll-your-own PC for under $400, you're
    not going to be getting as much beefy, and I didn't see any discussion of what
    a PIX admin will cost you versus the expense of finding an OpenBSD person -
    especially down in the "We only have 10-25 people with PCs" arena where you'll
    be lucky to have a budget for a McSE (you want fries with that?)

    (In the interests of fairness, you don't need much beefy if you're Cisco -
    the listed technical specs on the innards of the PIX-501:

    Processor: 133-MHz AMD SC520 Processor
    Random access memory: 16 MB of SDRAM
    Flash memory: 8 MB
    System bus: Single 32-bit, 33-MHz PCI

    Comparing the rated 60Mbytes/sec with that system bus, and the fact that
    traditional designs will require at least 2 PCI accesses per (one inbound
    from ethernet to memory, and one outbound from memory to the ethernet), and
    it becomes clear that there's some major black magic - 2 PCI cycles per only
    leaves them 6MBytes/second of PCI bandwidth (and more importantly, also means
    that you need to have enough smarts to keep the inbound pipe drained and the
    outbound pipe full all the time....)


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/


