Firewall Wizards mailing list archives
Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: Oliver Humpage <oliver () watershed co uk>
Date: Sun, 28 May 2006 10:59:54 +0100
I don't know, the network-buying community doesn't seem that simply stratified. There are lots of levels in between, and at the very least there is one in the middle where you don't have the expertise to deploy fully open-source nor the desire to go completely mega-corp.
Just to weigh in on this discussion, which started the day after my new Cisco ASA5510 + AIP-SSM module arrived... :)

We're not huge (about a 60 person charity operating out of one site), but a lot of our stuff is based online and we're connected to a fast metropolitan area network, hence we host our servers in-house. I'm a strong advocate of open source solutions (until now, my various routers/firewalls were OpenBSD based), and hacked-together-out-of-parts-and-custom-scripts stuff (like my anti-spam gateway). However, what I wanted was a full on filter, that would spot viruses and network/protocol attacks *and* block them in real time. Snort and its add-ons just didn't quite seem up to scratch.

So I wanted something that would protect our various public servers, and also provide a layer of AV/malware defense for the internal networks (protected as well by an OpenBSD box, which is staying in place), and settled on the Cisco - it seemed that the basis of the PIX OS, plus the AIP-SSM card (with its AV protection), was a pretty good combination.

I agree absolutely that an all-in-one solution breaks the ideal of "defense in depth" - however, since what I wanted was mostly a border router (we have 3 routes out) and application-level IPS (not just IDS), the ASA seemed like it would do the job at a price we could afford, throw in a handy VPN endpoint for a few home workers, and let me get on with configuring rules rather than making lots of boxes work together.

I suppose I'm posting because I wanted to throw a real world example into the debate: although theoretically the ASAs are a "bad" idea, it seemed that they suited us perfectly. If anyone does break into it, hopefully the tripwire style sensors on the servers themselves will spot any dodgy stuff that happens as a result, and I've got a separate router protecting the more sensitive private networks. I reckon it works out as a reasonable balance between cost, manageability and security.
Oh, and if anyone has any tips/hints on configuration, I'd love to hear them, since I'm pretty new to the PIX OS.

Cheers, and sorry for the long post,

Oliver.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards