Firewall Wizards mailing list archives

RE: How AAA in PIX Firewall ?

From: Adel Guia Cruz <aguia () fifomi gob mx>
Date: Thu, 4 Dec 2003 14:32:31 -0600

Hello WES


I check Websense and N2H2 and this is exactly what I need for Filter HTTP in
PIX Firewall. The Pix and the software use IFP protocol (Internet Filter
Protocol) to communicate.

The problem is that this software are very expensive, you know another
solution less expensive. 

So I need to buy PIX Firewall and a content filtering software (That support
IFP to communicate with PIX ), and for authentication I can use Microsoft
IAS ?

Thanks for the advises

-----Mensaje original-----
De: Wes Noonan [mailto:mailinglists () wjnconsulting com]
Enviado el: miércoles, 03 de diciembre de 2003 20:04
Para: 'Adel Guia Cruz'; firewall-wizards () honor icsalabs com
Asunto: RE: [fw-wiz] How AAA in PIX Firewall ?


1) Not necessarily. You could go netopia or something similar for the remote
sites. If not, the cost of 15 PIX 501's would be somewhere in the $6000-7000
range which is about $3000 more give or take what a 515E-UR would cost.
2) I would recommend setting up a content filtering server as that sounds
more in line with what you really need. PIX supports Websense and N2H2 for
content filtering.

Don't sweat the English. It's better than my Spanish. :-)

HTH

Wes Noonan
mailinglists () wjnconsulting com
http://www.wjnconsulting.com

-----Original Message-----
From: Adel Guia Cruz [mailto:aguia () fifomi gob mx]
Sent: Wednesday, December 03, 2003 17:51
To: mailinglists () wjnconsulting com; 'Adel Guia Cruz'; firewall-
wizards () honor icsalabs com
Subject: RE: [fw-wiz] How AAA in PIX Firewall ?

1) The problem of use site-to-site VPN is that I need to buy 1 PIX
Firewall
peer remote office (Total of 15 PIX 501) and this is more expensive that
individual VPN, or not ?

2)I need AAA for controlling users access to the Internet. My network is
Microsoft Windows Network with 2 Domain Controller and I need to
Authenticate, filter URL and log the activity of the user that will use
NAT
trough the PIX , How can I do that ? I know that exist RADIUS server
software, but the problems is if they do that, and what of this SERVER do
it
?
In case of controlling remote access to the firewall I only need
authentication.

Thanks and I´m sorry because my  English is not good, my native language
is
Spanish

ADEL

-----Mensaje original-----
De: Wes Noonan [mailto:mailinglists () wjnconsulting com]
Enviado el: miércoles, 03 de diciembre de 2003 14:55
Para: 'Adel Guia Cruz'; firewall-wizards () honor icsalabs com
Asunto: RE: [fw-wiz] How AAA in PIX Firewall ?

1) The PIX 506 should work fine, as long as you don't need more than 2
interfaces, failover or more than 25 VPN peers. You mention that you need
75, but you might be better served using site-to-site VPN connections
instead of individual VPNs for each user. If you really need 75 VPN peers
though, then you have to go with a 515 or larger.
2) Are you wanting AAA for controlling access to the firewall or
controlling
user access to the internet. If the prior you can use local usernames or
RADIUS for authentication. If the latter, you can still use RADIUS for
authentication though I believe that you largely give up the ability to do
authorization or accounting without TACACS+.

HTH

Wes Noonan
Mailinglists () wjnconsulting com
http://www.wjnconsulting.com

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-

wizards-

admin () honor icsalabs com] On Behalf Of Adel Guia Cruz
Sent: Wednesday, December 03, 2003 13:45
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] How AAA in PIX Firewall ?

I need to implement a Firewall, VPN and IDS solution in my Central

Office

network. The network structure  is one Central Office with 150 nodes (50
nodes need Internet access) and 15 Remote Small Office with 5 node peer
Remote Office.

The Central Office have only one internet connection HDSL 256Kbps and

the

remote office are connected to Central Office thought Internet.

I think that Cisco PIX Firewall is a good choice but I need some advise:

1-     How to implement AAA (Authentication, Authorization, Accounting)

in

PIX firewall. I now that Cisco have the "Cisco Secure Access Control
Server"
for AAA but is very expensive. Is possible to implement AAA without

"Cisco

Secure ACS" in PIX firewall, if is possible what will bee the

limitations

?
2-     Is PIX 506 sufficient to me, or I need the next PIX 515-UR? I

need

at
less 75 concurrent VPN   connections.

Thanks
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

How AAA in PIX Firewall ? Adel Guia Cruz (Dec 03)
- RE: How AAA in PIX Firewall ? Wes Noonan (Dec 03)
- <Possible follow-ups>
- RE: How AAA in PIX Firewall ? Melson, Paul (Dec 03)
- RE: How AAA in PIX Firewall ? Adel Guia Cruz (Dec 06)
  - RE: How AAA in PIX Firewall ? Wes Noonan (Dec 06)
    - RE: How AAA in PIX Firewall ? Ray Burkholder (Dec 11)
- RE: How AAA in PIX Firewall ? Adel Guia Cruz (Dec 06)
  - RE: How AAA in PIX Firewall ? Wes Noonan (Dec 06)