Firewall Wizards mailing list archives

RE: PIX firewall licensing and beyond (newbie)


From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 7 Sep 2005 13:49:35 -0400

1. That depends on how much bandwidth you'll actually use and what you're
doing with the PIX.  If, for example, the actual pipe is a frac T3 burstable
to 45Mbps and your servers are going to pass primarily TCP traffic across
the PIX, a 515E is a fine choice.  If you want to do large-volume VPN tunnels
or use the full 100Mb link for sustained periods, you may be looking for
something bigger.

2. There's no more licensing for 3DES/AES.  Any PIX can get a key free from
Cisco, and anything you buy new should come with it.  The big choice you're
looking at is R-BUN vs. UR-BUN.  If you only need 2-3 interfaces, are just
sticking tens of servers behind it (and not an office full of users), and
don't need fail-over, then the R-BUN is perfect for you.  Otherwise, UR-BUN.

3. Nope.  PIX OS is PIX OS no matter the model. (unless it's 7.x)

4. Depends on the model, but the 515E comes with at least 2 ports and can be
configured for 3, 4, or 6 interfaces as well.  You buy either 1-port (1FE)
cards or a 4-port card (4FE).  Remember that 4 or 6 interfaces requires a
UR license.

5. I probably shouldn't give VAR/reseller names on-list.  But at the end of
the day, everybody that resells Cisco is subject to the same availability
issues and delivers the same products.  And if the only support you buy is
Cisco SmartNet, then you get all of your support from them also.  Shopping on
price is my advice.  Or call Cisco.  If it's a big enough order (a handful
of 515E's won't qualify), they'll gladly hand over the lead to a channel
partner who's going to get stuck with a tiny margin because Cisco brought
them the lead and wants the sale.  This works especially well if it's a
scenario where the Cisco products are up against another competitor (like
Juniper or Symantec).  :-)

6. Cisco's website is actually pretty good as a support/reference resource.
Better than most.  Also, this list's archives.  And before you get too far
into your new firewall, I recommend:
http://www.enterastream.com/whitepapers/cisco/pix/pix-practical-guide.html

If nothing else it's a good introduction to the PIX paradigm, if you will.

PaulM
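
The answers to 3 and 4 above leave the "VLANs instead of ports" option
implicit.  The following PIX OS 6.3 configuration fragment is an added
example, not from either poster: it puts three server zones on 802.1Q
logical interfaces riding a single physical port (ethernet1), each with its
own security level, so the original poster's three zones fit on a two-port
515E.  Interface names, VLAN IDs and all addresses are invented for the
illustration.

```text
interface ethernet0 auto
interface ethernet1 100full
interface ethernet1 vlan10 logical
interface ethernet1 vlan20 logical
interface ethernet1 vlan30 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 web security50
nameif vlan20 app security60
nameif vlan30 db security70
ip address outside 203.0.113.2 255.255.255.252
ip address inside 10.0.0.1 255.255.255.0
ip address web 10.0.10.1 255.255.255.0
ip address app 10.0.20.1 255.255.255.0
ip address db 10.0.30.1 255.255.255.0
static (web,outside) 203.0.113.10 10.0.10.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
```

The `vlan<N> logical` lines create tagged sub-interfaces on ethernet1; the
switch port on the other end must be an 802.1Q trunk carrying those VLANs.
`nameif` assigns the name and security level that the rest of the config
refers to.  By default a PIX lets sessions start from a higher security
level toward a lower one and denies the reverse, so with the levels above
`db` can reach `app` and `web` but nothing reaches `db` from outside unless
an access-list on the lower-security interface permits it; the `static` plus
`access-list`/`access-group` pair shows the minimum needed to expose one
HTTPS server in the `web` zone.  The count of physical and logical
interfaces a unit will accept is license-dependent (the reply already notes
that 4 or 6 physical ports need UR), so check the limits `show version`
reports before designing around a large number of VLANs.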


-----Original Message-----
Subject: [fw-wiz] PIX firewall licensing and beyond (newbie)

I come from a Linux admin background and have an assignment to set up a PIX
firewall.  This is new territory and will be my first time playing with PIX
OS instead of iptables.  Please excuse my newb questions, but we all start
somewhere. :-)

1. Which model?  Our servers are in a co-location with a 100Mbit drop.
Would that make the 515E the right choice if we actually want to make use of
our bandwidth?  Or does the PIX become the bottleneck?

2. I'm a little uneasy about the licensing.  What are the typical features I
should make sure are included (e.g., 3DES)?  What should I watch out
for?

3. I read somewhere that VLAN support is only in PIX OS 6.3.  Is VLAN
support also based on which model I'm using, or do all PIX firewall models
have this feature?

4. How many physical ports do the PIX firewalls typically come with?  It
seems like it's 2: one uplink, one downlink.  I can already think of 3
security levels that I want my servers separated into.  Does that mean I
have to buy expansion cards?  Or should I use VLANs instead?

5. Any recommendations on a place to order the PIX firewall and licensing
from?  Good deals, good support, etc.

6. Any recommendations on some online reading that will help with
implementing the PIX firewall?  It would help to see some example network
layouts to get a better idea of how the components should be pieced
together.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
