I'm not an expert in this area, but it looks like OpenBSD can do some parts too and for a much lower price.

DHCP snooping
From the info on the Cisco page it looks like a simple combination of lists/macros for blocking/allowing certain ports. Tables are possible with OpenBSD too, and you can limit the flow rate of packets too.

Dynamic ARP Inspection
If I'm not wrong then pf(4) doesn't operate on this layer, but then good, secure and simple design comes into play.

IP Source Guard
Sounds like "antispoof quick for".

Unicast Reverse Path Forwarding (URPF)
Sounds like "block in quick from urpf-failed to any # use with care".

Access Control Lists
Something like SELinux and similar? It's the first thing which every good sysadmin turns off because of unneeded complexity and often bugs too. If I read this:

    More generally, security ACLs can be used to protect against source address
    spoofing or to restrict network access to only legitimate sources, networks,
    and applications. For example, ACLs should be used to deny private address
    space at the ingress of the Internet and perform some filtering in the campus
    such that packets can only originate from customer-assigned addresses. ACLs
    should also be used to deny unused multicast addresses, to prevent multicast
    DoS attacks. Another interesting example is that of MAC ACLs which could be
    used to deny packets with invalid IP versions.

then I can say that all of this is possible with pf(4) without need for ACLs.

Quality of Service
Don't know much about this in OpenBSD, but it sounds like at least something similar is possible with this: http://www.openbsd.org/faq/pf/queueing.html

Port security
Buy HW which is capable of avoiding CAM overflow.

CONTROL PLANE AND MANAGEMENT PLANE PROTECTION
Some parts look possible with pf(4), some not, but as I said this must be confirmed by someone who knows much more.

Built-In "Special-Case" CPU Rate Limiters
Read users' stories and try pf(4); you will see that it can handle DoS very well.

It's quite a long read, but for me it looks like it's not needed to spend so much money in most cases.
On Wed, Feb 17, 2010 at 2:21 PM, Pete Vickers <p...@systemnet.no> wrote:
> On 17. feb. 2010, at 08.47, Claudio Jeker wrote:
>
>> On Wed, Feb 17, 2010 at 03:35:24AM +0200, Kapetanakis Giannis wrote:
>>> On 17/02/10 03:16, FRLinux wrote:
>>>
>>>> Mmmh, you piqued my interest here. You mentioned your cisco 6500 but I
>>>> guess you are going to use only gigabit NICs, so you have no need on
>>>> the 10gb range? Just asking, not trying to start a war :)
>>>>
>>>> Cheers,
>>>> Steph
>>>
>>> ps. the cisco crawled when I enabled IOS firewall features (stateful).
>>> Firewall interface == $35K.... come on now... Too much money!
>>
>> The 6500 and 7600 cisco systems are not able to do stateful firewalling
>> in HW and have also issues with stuff like netflow exports. Unless you buy
>> the super expensive line cards. Even the big SUP boards come with a tiny
>> CPU running at the speed of a loongson -- those can be killed with a few
>> Mbps of multicast traffic.
>>
>> --
>> :wq Claudio
>
> Just to balance the anti-cisco viewpoint:
>
> If you want to do deep packet stuff in HW, then Cisco offer the FWSM & ACE &
> NAM modules for 6500/7600.
>
> The SUPs (meant for switching/routing, not FWing) support CoPP (control-plane
> policing) in HW, which should be configured to prevent abusive traffic hitting
> the CPU, this (amongst a large list of others) includes high PPS multicast.
> For example see:
>
> http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802ca5d6.html
>
> /Pete
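A pf.conf sketch, added here as an example and not written by anyone in this thread, that puts the pf(4) equivalents named in the reply above (antispoof, urpf-failed, a bogon table for the ingress ACL case, an overload table for rate limiting, and queueing) into one ruleset. Interface names, the customer prefix and the rate thresholds are assumptions, and the queue lines use the post-5.5 `queue` syntax rather than the ALTQ syntax of the FAQ page linked above.

```pf
# Added example: pf(4) stand-ins for the Cisco features discussed in the thread.
# Interface names, addresses and thresholds are assumptions, not real values.
ext_if = "em0"
int_if = "em1"
customer_net = "203.0.113.0/24"   # constructed: prefix assigned to our customers

# Ingress ACL case from the quoted text: private/bogon space never arrives
# from the Internet and is never sent towards it.
table <bogons> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                       127.0.0.0/8, 169.254.0.0/16 }
# Sources that tripped the connection-rate limit below (expire them with
# pfctl -t bruteforce -T expire <seconds> from cron).
table <bruteforce> persist

set skip on lo

# Quality of Service: cap egress and reserve a share for interactive SSH.
queue rootq on $ext_if bandwidth 100M
queue std parent rootq bandwidth 80M default
queue ssh parent rootq bandwidth 20M

# IP Source Guard analogue: drop packets whose source address belongs to a
# network directly attached to a different interface.
antispoof quick for { $ext_if $int_if }

# Unicast RPF analogue: drop packets whose source has no route back out the
# interface they arrived on (asymmetric routing will trip this; hence "use with care").
block in quick from urpf-failed to any

# Bogon filtering on the Internet-facing interface.
block in  quick on $ext_if from <bogons> to any
block out quick on $ext_if from any to <bogons>

# "Packets can only originate from customer-assigned addresses" (assumes the
# router's own address is inside $customer_net).
block out quick on $ext_if from ! $customer_net to any

# Default deny; everything below is an explicit exception.
block all

# CPU/service rate limiting: a source opening more than 15 new SSH connections
# in 5 seconds is added to <bruteforce> and all of its states are flushed.
block in quick from <bruteforce>
pass in on $ext_if proto tcp to port ssh \
    keep state (max-src-conn-rate 15/5, overload <bruteforce> flush global) \
    set queue ssh
pass out on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -t bruteforce -T show` lists sources currently being held.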