Firewall Wizards mailing list archives

Re: PIX firewall licensing and beyond (newbie)


From: Victor Williams <vbwilliams () neb rr com>
Date: Wed, 07 Sep 2005 10:48:58 -0500

1. This depends on your expected traffic. Are you serving stuff on the internet? Or are you trying to separate two networks that really shouldn't see each other on the same LAN? I've never had performance issues with a PIX 515 or higher, but then I've never had more than 10 meg of available bandwidth on its outside (internet-facing) interface. Your mileage is going to vary based on your application.

2. It's not the licensing really. You need to check out cisco.com and see which package of which firewalls are available. Cisco sells the same units, with the same software on all of them. Your activation keys are what limit what you can do with them. I never run lower than PIX 515E unrestricted packages. Restricted licenses limit the functionality of the unit. Unrestricted licenses basically let you do what you want, with the confines of the unit only being limited by its throughput and other such factors. http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_models_home.html

3. 6.3 and forward. PIX OS is up to 7.0(2) now. All of the PIX firewalls support vlans to an extent except the PIX 501 I believe. Again, check Cisco's website from above.

4.  Depends on the package.  Consult point 2 for the link.

5. www.cdw.com is the cheapest that I've found hands down. When you buy support, you buy them from Cisco. So, if something goes wrong, you will be calling Cisco, not CDW. That's how it works.

6. I suggest reading any/all sections of the Cisco website pertaining to the PIX firewalls...since it is their product.

Additionally, www.tek-tips.com has a section dedicated to PIX firewall setup. However, I would read Cisco's website first and foremost. They have over 100 articles just in their configuration and setup section that will tell you how to do lots of simple as well as advanced things. Cisco is very good about supporting their product. If you cannot find configurations on their website and you have a support contract, if you call them, they will walk you through whatever you want to do, and worst case, they will get remote access to your environment and do it for you. I've never had them on the phone and they not solve whatever issue I have...but I've only ever needed to call them maybe 3-4 times.


Vahid Pazirandeh wrote:
Hello everyone,

I come from a Linux admin background and have an assignment to set up a pix
firewall.  This is new territory and will be my first time playing with pix os
instead of iptables.  Please excuse my newb questions, but we all start
somewhere. :-)

1. Which model?  Our servers are in a co-location with a 100mbit drop.  Would
that make the 515E the right choice if we actually want to make use of our
bandwidth?  The pix becomes the bottleneck?

2. I'm a little uneasy about the licensing.  What are the typical features I
should make sure that are included (e.g., 3DES)?  What should I watch out for.

3. I read somewhere that vlan support is only in pix os 6.3.  Is vlan support
also based on which model I'm using, or do all pix firewall models have this
feature?

4. How many physical ports do the pix firewalls typically come with?  It seems
like it's 2: one uplink, one downlink.  I can already think of 3 security
levels that I want my servers separated into.  Does that mean I have to buy
expansion slots?  Or should I use VLANs instead?

5. Any recommendations on a location to order the pix firewall and licensing
from?  Good deals, good support, etc.

6. Any recommendations on some online reading that will help with implementing
the pix firewall?  It would help to see some example network layouts to get a
better idea of how the components should be pieced together.

Here are a few places that I've already scoped out:
http://www.netcraftsmen.net/welcher/papers/pix01.html   (also:
pix02-pix04.html)
http://www.examcram2.com/articles/article.asp?p=101741&seqNum=1

Your guidance would be very helpful.  Thanks for a great mail list!

A PIX student in training,
-Vahid

=============================================
 "Make it better before you make it faster."
=============================================


        
                
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
