Network Security Firewalls

Re: firewall suggestion

Subject: Re: firewall suggestion
Date: Tue, 22 Feb 2005 15:48:19 -0500
Hi Kevin:

Consider using an open source firewall like the one from FreeBSD, or
the many that are Linux-based. Some are easy to configure and
administer and are well supported by their creators. Just google for
BSD and Linux firewall and you'll find some strong contenders. The
PIX box is nice if you want a basic firewall with an expandable
feature set, but the performance is fairly limited compared to any
PC-based OS+firewall combination. Plus, with an open source firewall
you'll have the ability to add IDS (Snort) and tcpdump and other tools
on the same box (it's OK if you do this for a T-1; you shouldn't have
any performance problems). Finally, the other win with an open source
firewall/IDS box is that you can use multiple interfaces to segment
your DMZ onto a different network supported by a different interface
vs. your LAN. Harder to do that with a PIX 501 (you'd have to add
another box behind the 501 to support multiple network interfaces,
etc.)

As for the config, go with router (with ACLs) -> FW+IDS box -> switch.
You're on the right track. If you use multiple interfaces, use one
switch for each interface so that your DMZ hosts can't "see" your LAN
users/hosts (unless your firewall is compromised, of course).

hope that helps.
cheers-
peter



On Mon, 21 Feb 2005 14:01:06 -0600, Kevin Russell <kevin@retail-tech.com> wrote:
list,
I think I will get to pick up a PIX 501; that's all the budget's going to let
me have. You know how these bean counters are...
Anyway, how about network layout...

internet -> router --> firewall --> switch --> pcs

or something else...

Like I said, I'm kinda new to this and still learning...
thx


Chuck,

Nice attempt at FUD sale there. ;-) You didn't point out that the PIX has
been selling since 1995; years before a couple of guys left Cisco and
started Juniper (and years before NetScreen got started also by former
Cisco employees).

Why don't you tell the list more about running deep packet inspection on a
5GT? What kind of throughput should one expect with any kind of rules
defined? How many vendors supply AV signatures? Where does that URL
filtering come from?

And while you're at it why don't you cover vulnerabilities on NetScreen
(and all other Firewall vendors) products.

I guess we'll tie today for the posts with the least real value on list.

Liberty for All,

Brian

charles antrim wrote:

Take a look at all the vulnerabilities on the Cisco site on the PIX.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_security_advisories_list.html

The competing Juniper product is the same price. The 5-GT also has an
option for built in anti-virus and web filtering as well as Deep
Inspection.

If you want to take a look let me know.

Chuck




On 2/16/05 7:11 AM, "Kevin Russell" <kevin@retail-tech.com> wrote:

I do appreciate all the replies,

> Cisco pix 501 I think. 400$ loaded out of box secure as hell

this sounds like something I can get in the budget...

> Upgrade the router to the current support OS (Cisco IOS, or ???),
> lock down the router security, and add ACLs to block inbound and
> outbound spoofed IPs, "junk" traffic, and ports and IP protocols which
> you do not use between the Internet and your DMZ/private LAN. e.g. if
> you don't have an IPSEC VPN, drop and log all ESP and AH traffic
> at the router.

would the pix 501 have some of these features

> collate your FTP and webserver into one, preferably a Linux box;
> with the box you gain from the migration you could build
> another Linux box and stick squid and snort on that.

this sounds like what I would like to do, but my Linux box is
a 350 proc, from AMD and only got either 64 or 128mb of ram do
you think this will hold up to the abuse of being a web/ftp
server and not fail...

> I would avoid using a 2KPro box as a web server, since
> you will be limited on the number of connections... Use
> 2KServer for any server based services.

didn't know that, will definitely look into other options now...

as for basic office maintenance I have the corp. ed. of trend
AV, it lets me do all the updates across the office, also I
have a routine about updates and patches for the offices,

ipcop is another thing to add to my list of things to do,
after I get the apache up and working..

thx for all your help and suggestions

you make it seem easy...

--
========================================================
Brian Ford
Consulting Engineer, Consulting Engineering Group

Cisco Systems, Inc.
Direct: 212-714-4288
e-mail: brford@cisco.com
http://www.cisco.com

The content of this message represent the views of the author and not
necessarily those of their employer.
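
A FreeBSD pf ruleset, added here as an illustration and not taken from any post in the thread, that ties together the layout Peter recommends (router -> FW+IDS box -> one switch per interface, DMZ unable to "see" the LAN) with the quoted router advice to block spoofed sources and to drop and log ESP/AH when no IPsec VPN exists. Interface names, the two private networks and the server address are assumptions chosen for the example.

```pf
# Example ruleset; interface names and addresses are assumptions.
ext_if  = "em0"            # toward the router / T-1
dmz_if  = "em1"            # dedicated switch for DMZ hosts
lan_if  = "em2"            # dedicated switch for LAN users
dmz_net = "192.168.2.0/24"
lan_net = "192.168.1.0/24"
dmz_srv = "192.168.2.10"   # combined web/FTP server (constructed address)

# Private and link-local ranges that must never arrive from the Internet
table <spoofed> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16 }

set skip on lo0
scrub in all

# Hide both internal networks behind the external address
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)

# Default deny, logged, so Snort/tcpdump on the same box can see what was dropped
block log all

# Anti-spoofing: pf derives rules from each interface's own address and network
antispoof log quick for { $ext_if, $dmz_if, $lan_if }
block in log quick on $ext_if from <spoofed> to any

# No IPsec VPN here, so drop and log ESP (proto 50) and AH (proto 51) from outside
block in log quick on $ext_if proto { esp, ah }

# The DMZ host is reachable from the Internet only on its published services
pass in  on $ext_if proto tcp to $dmz_srv port { 21, 80 } keep state
pass out on $dmz_if proto tcp to $dmz_srv port { 21, 80 } keep state

# DMZ may never initiate into the LAN ("quick" wins over any later pass rule)
block in log quick on $dmz_if from $dmz_net to $lan_net

# LAN may reach the Internet and the DMZ; DMZ may reach the Internet for updates
pass in  on $lan_if from $lan_net to any keep state
pass in  on $dmz_if from $dmz_net to any keep state
pass out on $dmz_if from $lan_net to $dmz_net keep state
# Outbound on the external side is already NATed, so match on the interface only
pass out on $ext_if keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check; FTP in active mode, or passive mode's data-port range, needs ftp-proxy or extra rules that are left out here.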
