RE: HW firewall for LAN

["Dan Duplito" <danduplito () techie com>]

hi Shawn, Lachlan and Justin! i really appreciate all your invaluable inputs :)

your combined suggestions will help me and my boss decide on how to choose the right appliance for our setup. i've also 
Googled for resources on the Net. we're now also considering other appliances (e.g., Sonicwall and NetScreen products), 
but we're initially leaning towards Cisco PIX (we had a 515e installed for the DMZ and it's running smoothly), and have 
active correspondence with the vendors on the items you all raised.

thanks guys and best regards,
dan


----- Original Message -----
From: "Justin F. Knox" <jknox () indexzero org>
Date: Tue, 2 Dec 2003 21:09:47 -0500
To: "Dan Duplito" <danduplito () techie com>
Subject: RE: HW firewall for LAN

> hi dan,
>
> I'm a systems integrator, and we typically deal with Cisco products. The
> best way to start sizing for a firewall solution involves looking at the
> whole picture. You mention a DMZ, but what is your total network layout?
>
> Internet connection?
> perimeter router(s)?
> dmz firewall?
> Core interior?
>
> WAN, is this a private WAN that terminates in the core of your network (a la
> hub-spoke, or a private frame cloud)?
>
> Do you offer VPN connectivity for remote sites or tele-commuting?
>
> are all of your 3000+ users going through one internet point of presence? <-
> that question is probably the most important one for you. That and how fast
> is your internet connection.
>
> From the work I've done with PIX firewalls, I can say that they're quick.
> The CLI is nice (sufficiently different from IOS to make some commands a
> pain sometimes though). It used to be that there was a 'restricted' PIX
> license and an 'unrestricted' on the 515E's I have recently deployed I have
> not noticed such a distiction, thus I think they're all 'unrestricted' now.
> I would definitely confirm that with your vendor though.
>
> I'm a Cisco fan, but for comparison: Netscreen offers some decently priced
> hardware firewall devices. Additionally, Checkpoint running on Nokia
> appliances is probably the most robust firewall platform money can buy. All
> of that depends upon your network and needs though.
>
> good luck, hope my rambling has helped.
>
> --justin
>
> -----Original Message-----
> From: Dan Duplito [mailto:danduplito () techie com]
> Sent: Tuesday, December 02, 2003 3:57 AM
> To: security-basics () securityfocus com
> Subject: HW firewall for LAN
>
>
> hi, forgive me if this is a newbie query -- i'm relatively new to the
> security industry.
>
> we're looking to getting a HW firewall between our LAN and internal servers,
> similar to the one we have for our DMZ.
>
> i'm just wondering if a Cisco PIX (515 or 525) firewall is not overkill for
> a 3000+ user-base LAN/WAN network (i've read the specs from Cisco site but
> nothing was mentioned regarding user-base limit/capacity for each firewall).
> traffic will mostly constitute the usual Internet, mail, dns and telnet/ssh
> access to the servers.
>
> is there a rule-of-thumb for determining the appropriate firewall CPU speed
> and memory for a particular number of users?
>
> TIA for the help and inputs,
> dan
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------