Security Basics mailing list archives
RE: HW firewall for LAN
From: "Dan Duplito" <danduplito () techie com>
Date: Wed, 03 Dec 2003 12:23:52 +0800
hi Shawn, Lachlan and Justin! i really appreciate all your invaluable inputs :) your combined suggestions will help me and my boss decide on how to choose the right appliance for our setup. i've also Googled for resources on the Net. we're now also considering other appliances (e.g., Sonicwall and NetScreen products), but we're initially leaning towards Cisco PIX (we had a 515e installed for the DMZ and it's running smoothly), and have active correspondence with the vendors on the items you all raised.

thanks guys and best regards,
dan

----- Original Message -----
From: "Justin F. Knox" <jknox () indexzero org>
Date: Tue, 2 Dec 2003 21:09:47 -0500
To: "Dan Duplito" <danduplito () techie com>
Subject: RE: HW firewall for LAN
hi dan,

I'm a systems integrator, and we typically deal with Cisco products. The best way to start sizing for a firewall solution involves looking at the whole picture. You mention a DMZ, but what is your total network layout? Internet connection? Perimeter router(s)? DMZ firewall? Core interior? WAN: is this a private WAN that terminates in the core of your network (a la hub-spoke, or a private frame cloud)? Do you offer VPN connectivity for remote sites or tele-commuting? Are all of your 3000+ users going through one internet point of presence? <- that question is probably the most important one for you. That, and how fast your internet connection is.

From the work I've done with PIX firewalls, I can say that they're quick. The CLI is nice (sufficiently different from IOS to make some commands a pain sometimes though). It used to be that there was a 'restricted' PIX license and an 'unrestricted' one; on the 515E's I have recently deployed I have not noticed such a distinction, thus I think they're all 'unrestricted' now. I would definitely confirm that with your vendor though.

I'm a Cisco fan, but for comparison: Netscreen offers some decently priced hardware firewall devices. Additionally, Checkpoint running on Nokia appliances is probably the most robust firewall platform money can buy. All of that depends upon your network and needs though.

good luck, hope my rambling has helped.
--justin

-----Original Message-----
From: Dan Duplito [mailto:danduplito () techie com]
Sent: Tuesday, December 02, 2003 3:57 AM
To: security-basics () securityfocus com
Subject: HW firewall for LAN

hi, forgive me if this is a newbie query -- i'm relatively new to the security industry. we're looking at getting a HW firewall between our LAN and internal servers, similar to the one we have for our DMZ.

i'm just wondering if a Cisco PIX (515 or 525) firewall is not overkill for a 3000+ user-base LAN/WAN network (i've read the specs from the Cisco site but nothing was mentioned regarding user-base limit/capacity for each firewall). traffic will mostly constitute the usual Internet, mail, DNS and telnet/ssh access to the servers. is there a rule-of-thumb for determining the appropriate firewall CPU speed and memory for a particular number of users?

TIA for the help and inputs,
dan