Firewall Wizards mailing list archives

Re: PIX firewall licensing and beyond (newbie)


From: Ryan Steinmetz <rpsfa () rit edu>
Date: Wed, 7 Sep 2005 11:33:45 -0400

On (09/05/05 20:40), Vahid Pazirandeh wrote:
Hello everyone,

I come from a linux admin background and have an assignment to setup a pix
firewall.  This is new territory and will be my first time playing with pix os
instead of iptables.  Please excuse my newb questions, but we all start
somewhere. :-)

1. Which model?  Our servers are in a co-location with a 100mbit drop.  Would
that make the 515E the right choice if we actually want to make use of our
bandwidth?  The pix becomes the bottleneck?

The 515E should suffice, it is capable of handling about 180mbit of traffic.


2. I'm a little uneasy about the licensing.  What are the typical features I
should make sure that are included (e.g., 3DES)?  What should I watch out for?

3DES/AES licenses are free from cisco.com. Details about the licensing options are available at:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a00800b0d85.html

It breaks down to either a Restricted (R) license or an Unrestricted (UR) license.
There is also a separate license for Failover units (see above URL).

The Restricted license is limited to 3 physical ports and a maximum of 5 ports (via an 802.1q trunk).
In order to add more ports, you will need the UR license.


3. I read somewhere that vlan support is only in pix os 6.3.  Is vlan support
also based on which model I'm using, or do all pix firewall models have this
feature?

All PIXs running 6.3 or above that are equal to or higher in model than the 515 will support 802.1q trunks.

4. How many physical ports do the pix firewalls typically come with?  It seems
like it's 2: one uplink, one downlink.  I can already think of 3 security
levels that I want my servers separated into.  Does that mean I have to buy
expansion slots?  Or should I use VLANs instead?

There are 2 restricted bundles available, one has 3 ports, the other has 2.
The PIX has 2 expansion slots, one of which would be in use if you purchased the model with 3 ports.

You could use VLANs, the only thing you need to keep in mind is that the interface itself is still limited to 100mbit.

5. Any recommendations on a location to order the pix firewall and licensing
from?  Good deals, good support, etc.

CDW (www.cdw.com) is always a safe bet, however, you may be able to find it cheaper elsewhere.
Support is typically handled through Cisco via a SMARTnet contract (which is also available from the place you choose to
buy the PIX from).

6. Any recommendations on some online reading that will help with implementing
the pix firewall?  It would help to see some example network layouts to get a
better idea of how the components should be pieced together.

Cisco's documentation can be helpful.  Check out their website at www.cisco.com

Here are a few places that I've already scoped out:
http://www.netcraftsmen.net/welcher/papers/pix01.html   (also:
pix02-pix04.html)
http://www.examcram2.com/articles/article.asp?p=101741&seqNum=1

Your guidance would be very helpful.  Thanks for a great mail list!

A PIX student in training,
-Vahid

=============================================
 "Make it better before you make it faster."
=============================================

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

-- 
Ryan Steinmetz
Systems Administrator
Finance & Administration
Systems & Technology
Rochester Institute of Technology
585.475.5663
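To show how the three security levels asked about in question 4 fit on the port count of a Restricted-license 515E, here is an added PIX OS 6.3 configuration fragment (not from the original thread): one physical inside port carries two 802.1q logical interfaces, so three security zones share that single 100mbit interface. Addresses, VLAN IDs and interface names are constructed for illustration, and the `!` lines are annotations only.

```text
! Physical interfaces on a 515E: ethernet0 uplink, ethernet1 trunk to the server switch
interface ethernet0 100full
interface ethernet1 100full
! Tag the native VLAN on the physical port and create two logical (802.1q) interfaces
interface ethernet1 vlan1 physical
interface ethernet1 vlan10 logical
interface ethernet1 vlan20 logical
! Name each interface and assign a security level: higher levels may reach lower
! levels by default, lower levels need a static and an access-list to reach higher ones
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 dmz security50
nameif vlan20 db security80
! Constructed addressing, one subnet per zone
ip address outside 203.0.113.2 255.255.255.252
ip address inside 10.0.1.1 255.255.255.0
ip address dmz 10.0.10.1 255.255.255.0
ip address db 10.0.20.1 255.255.255.0
! Physical ports (2) + logical interfaces (2) = 4, within the Restricted limit of 5
```

With this layout the dmz and db zones can only talk to each other through the firewall's policy, but all three zones contend for the same 100mbit trunk on ethernet1, which is the caveat Ryan raises.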