Firewall Wizards mailing list archives

Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)


From: Oliver Humpage <oliver () watershed co uk>
Date: Sun, 28 May 2006 10:59:54 +0100


I don't know, the network-buying community doesn't seem that simply  
stratified.  There are lots of levels in between, and at the very  
least there is one in the middle where you don't have the expertise  
to deploy fully open-source nor the desire to go completely mega-corp.

Just to weigh in on this discussion, which started the day after my  
new Cisco ASA5510 + AIP-SSM module arrived... :) We're not huge  
(about a 60 person charity operating out of one site), but a lot of  
our stuff is based online and we're connected to a fast metropolitan  
area network, hence we host our servers in-house.

I'm a strong advocate of open source solutions (until now, my various  
routers/firewalls were OpenBSD based), and  
hacked-together-out-of-parts-and-custom-scripts stuff (like my anti-spam  
gateway). However, what I wanted was a full-on filter, that would spot  
viruses and network/protocol attacks *and* block them in real time. Snort  
and its add-ons just didn't quite seem up to scratch.

So I wanted something that would protect our various public servers,  
and also provide a layer of AV/malware defense for the internal  
networks (protected as well by an OpenBSD box, which is staying in  
place), and settled on the Cisco - it seemed that the basis of the  
PIX OS, plus the AIP-SSM card (with its AV protection), was a pretty  
good combination.

I agree absolutely that an all-in-one solution breaks the ideal of  
"defense in depth" - however, since what I wanted was mostly a  
border router (we have 3 routes out) and application-level IPS (not  
just IDS), the ASA seemed like it would do the job at a price we  
could afford, throw in a handy VPN endpoint for a few home workers,  
and let me get on with configuring rules rather than making lots of  
boxes work together.

I suppose I'm posting because I wanted to throw a real world example  
into the debate: although theoretically the ASAs are a "bad" idea, it  
seemed that they suited us perfectly. If anyone does break into it,  
hopefully the tripwire style sensors on the servers themselves will  
spot any dodgy stuff that happens as a result, and I've got a  
separate router protecting the more sensitive private networks. I  
reckon it works out as a reasonable balance between cost,  
manageability and security.

Oh, and if anyone has any tips/hints on configuration, I'd love to  
hear them, since I'm pretty new to the PIX OS.

Cheers, and sorry for the long post,

Oliver.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
