Message-ID: <200509281742.j8SHgnhh030581@turing-police.cc.vt.edu>
Date: Wed Sep 28 18:43:23 2005
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Suggestion for IDS

On Wed, 28 Sep 2005 17:48:59 BST, "Paul S. Brown" said:
> I suspect the argument here has to be cost-for-cost - in the price range for a
> decent beefy OpenBSD box you aren't going to be using FWSMs, and I can quite
> believe that the PIXen in that price range don't perform - the PIX 501 is
> specced at 60MB/s throughput and the cheapest retail price I can find for it
> is $678 for the unlimited license version - for the same money you can get a
> beefy PC which will push quite a bit more than 60MB/s

http://www.dealtime.com/xPO-Cisco_PIX_Firewall_501_PIX_501_BUN_K9
has at the moment 4 quotes from $449 all the way down to $382 including shipping.
That's the first non-CISCO, non-sponsored link I got googling for 'PIX-501'.

http://stores.tomshardware.com/search_getprod.php/masterid=515798//
has a 50 user bundle for $489.

http://stores.tomshardware.com/search_getprod.php/masterid=923020
has a 50->unlimited upgrade for $158. Add to previous for $647.

A lot of sites don't need the "unlimited" license, because they don't have
over 50 IPs on the LAN.

And remember to calculate the TCO - you roll-your-own PC for under $400, you're
not going to be getting as much beefy, and I didn't see any discussion of what
a PIX admin will cost you versus the expense of finding an OpenBSD person -
especially down in the "We only have 10-25 people with PCs" arena where you'll
be lucky to have a budget for a McSE (you want fries with that?)

(In the interests of fairness, you don't need much beefy if you're Cisco -
the listed technical specs on the innards of the PIX-501:

  Processor: 133-MHz AMD SC520 Processor
  Random access memory: 16 MB of SDRAM
  Flash memory: 8 MB
  System bus: Single 32-bit, 33-MHz PCI

Comparing the rated 60Mbytes/sec with that system bus, and the fact that
traditional designs will require at least 2 PCI accesses per (one inbound
from ethernet to memory, and one outbound from memory to the ethernet), and
it becomes clear that there's some major black magic - 2 PCI cycles per only
leaves them 6MBytes/second of PCI bandwidth (and more importantly, also means
that you need to have enough smarts to keep the inbound pipe drained and the
outbound pipe full all the time....)