Considering Cisco PIX 501 for home firewall---need info

I am considering replacing my present Netgear RT314 router + Zone Alarm Pro with a hardware firewall. My IT chief at work tells me my home network would be much more secure that way.

I am interested to know how difficult the 501 is to set up and understand, whether there are licenses that need to be purchased, do they need to be purchased each year, and is there any special software that needs to be purchased? I like the fact that I could set up a VPN with my system without having a port open all the time so that I could access my computer on trips.

Obviously, I am a newbie at this so please be gentle...!

Thanks Ken K

Reply to
Ken

Ken,

Also consider a Netscreen firewall such as the 5GT. About the same price as a PIX 501, but easier to set up and configure. The 5GT is roughly equivalent to the PIX 506E.

Most of the higher-end firewalls have two licensed versions: 10 users and unlimited users. This is the case with the PIX and the Netscreen (although the PIX also offers a 50 user license).

Reply to
Jerry Gardner

Addressing the questions a bit out of order:

- There is no special software required for PIX.

- If you want to use the graphical interface to configure the PIX, then that is java based, so you would need Java 5 (I think it is); the graphical interface is no extra cost, though.

- Once you have bought a PIX, you have the right to keep using it indefinitely; there are no yearly license fees required

- The PIX 501 has a fairly short warranty (90 days or so), during which time you are entitled to software updates and to create support cases.

- If you want support after that time, you would need to obtain a support contract. Most vendors sell those in one year chunks, but there is also a 3 year contract part number, and the better vendors can arrange a support contract for any arbitrary period of time (up to 5 years) -- e.g., you could buy 42 days of support starting on Feb 28th if you wanted to go through the trouble.

- After the end of your warranty, if you are not under support, then you are not certain to receive any software upgrade for free.

- The Cisco -policy- (i.e., something subject to change) has been that if a security problem is found in a release, then customers are given free updates to the first subrelease of the same minor release that fixes that security problem. For example, if you had 6.3(1) then you would have been given 6.3(3) because that fixed security problems in 6.3(1). However, if the same security problem had been found in 6.2(3) and that was the release you had, you would probably not be given the 6.3(3) update: Cisco would instead likely create a new 6.2 minor release (e.g., 6.2(4)) and give you that. Cisco distinguishes "updates" (same minor version, e.g., 6.3(*)) from "upgrades" (different minor versions, e.g., 6.2(*) vs 6.3(*)), and it is quite uncommon for Cisco to give a free "upgrade". So if you buy in at 6.3(something) and do not obtain support, and 6.4 comes out 100 days after your purchase, then you are likely to be stuck at 6.3 unless you pay for an "upgrade" or support contract. [It isn't -unheard of- for Cisco to allow a free "upgrade", but it is decidedly -uncommon-.]

- There are different support contracts, distinguished mostly by the hours during which you can open new support cases, by the response time that Cisco promises, and by whether you have onsite support or not. The 4-hour response time and 2-hour response time contracts are only available in areas that are within limited distances of existing Cisco parts depots.

- As the other poster alluded to, the Cisco PIX 501 is available with a 10 user license, a 50 user license, or an unlimited license. None of the other PIX models have per-user licenses. The PIX 506E is available only with a single license type, permitting unlimited users. The PIX 515/515E, 525, and 535 are available with several types of licenses, most notably "Restricted" or "Unrestricted", but also "Failover", and there are a few new license types added in PIX 7.0 (which is available for those models but not the 501 or 506E). Restricted licenses have stronger limits on the number of physical and logical interfaces, and do not support dual-firewall "failover" configurations; Unrestricted have more generous interface restrictions and support failover. The price difference between the two is steep.

- The difficulty of the PIX 501 to set up and understand depends a *lot* on what you want to do with it. There are a lot of different configuration parameters possible, most of which are completely irrelevant to someone who just wants to keep other people out. The graphical interface has a "VPN Wizard" which makes it relatively easy to configure simple secure remote access.

- But to really understand the PIX software and how all the different parameters interact with each other takes literally -years- of hard study. I've put in those years, and there are still lots of things I don't know, [e.g., the proper arrangement in order to authenticate users against remote Windows RAS.]

Reply to
Walter Roberson
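As an added illustration (not part of the original thread, and not Cisco's code), here is the update-versus-upgrade distinction Walter describes, written out as a small Python parser for PIX version strings of the form MAJOR.MINOR(BUILD) plus a classifier. The version strings and the list of "fixed" releases are constructed for the example; the rule itself is the policy as he described it at the time, which he notes is subject to change.

```python
import re
from typing import NamedTuple, Optional, Iterable, Tuple

# Constructed example: PIX version strings look like "6.3(3)" or, for interim
# builds, "6.3(3.109)". The build part is read as a dotted sequence of integers
# so that ordinary tuple comparison orders versions correctly.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+(?:\.\d+)*)\)\s*$")


class PixVersion(NamedTuple):
    major: int
    minor: int
    build: Tuple[int, ...]

    @property
    def train(self) -> str:
        """The minor release train, e.g. '6.3' for 6.3(3)."""
        return f"{self.major}.{self.minor}"

    def text(self) -> str:
        """Render back to the MAJOR.MINOR(BUILD) form."""
        return f"{self.major}.{self.minor}({'.'.join(map(str, self.build))})"


def parse_pix_version(s: str) -> PixVersion:
    """Parse '6.3(3)' -> PixVersion(6, 3, (3,)); raise on anything else."""
    m = _VERSION_RE.match(s)
    if not m:
        raise ValueError(f"not a PIX version string: {s!r}")
    build = tuple(int(p) for p in m.group(3).split("."))
    return PixVersion(int(m.group(1)), int(m.group(2)), build)


def classify_move(installed: str, candidate: str) -> str:
    """Classify moving from `installed` to `candidate` the way the post
    describes Cisco's policy: same minor train -> 'update' (routinely free
    for security fixes), different train -> 'upgrade' (rarely free),
    same or older version -> 'none'."""
    cur, new = parse_pix_version(installed), parse_pix_version(candidate)
    if new <= cur:
        return "none"
    if (new.major, new.minor) == (cur.major, cur.minor):
        return "update"
    return "upgrade"


def free_fix_for(installed: str, fixed_releases: Iterable[str]) -> Optional[str]:
    """Given the installed version and the releases carrying a security fix,
    return the lowest fixed release in the *same* train (what the post says an
    unsupported customer would be given for free), or None if no such release
    exists, meaning a paid upgrade or support contract would be needed."""
    cur = parse_pix_version(installed)
    candidates = sorted(parse_pix_version(v) for v in fixed_releases)
    for v in candidates:
        if (v.major, v.minor) == (cur.major, cur.minor) and v > cur:
            return v.text()
    return None


if __name__ == "__main__":
    # Walter's worked cases, as constructed inputs.
    print(classify_move("6.3(1)", "6.3(3)"))            # update
    print(classify_move("6.2(3)", "6.3(3)"))            # upgrade
    print(free_fix_for("6.3(1)", ["6.3(3)", "7.0(1)"]))  # 6.3(3)
    print(free_fix_for("6.2(3)", ["6.3(3)"]))            # None
```

The point of `free_fix_for` is the second case: a customer on 6.2(3) is not handed 6.3(3) even though it contains the fix, so the function reports None until a 6.2 rebuild appears in the list.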

Wow! Thank you for the very extensive information. One thing that I should have asked for is the cost of the software. And, I suppose, the other question is whether this product is WAY over the top for home security. The cost is not an issue, only the problems with configuration. I suspect that once I have it set up, it should not need tweaking, and I can ask my IT fellow to set it up at my home.

WRT the cost of software, is there any extra cost for VPN software (or is that included) and how much are software upgrades that have come out in the past?

I am considering purchasing a unit on eBay. Would that be a big gamble because of the warranty being so short?

And perhaps the last question is whether I should be considering any other product for my home LAN?

Thanks Ken Krone

Reply to
Ken

Ken,

I've heard unconfirmed reports (rumors?) that Cisco plans to release new low-end PIX boxes in mid-January. These boxes supposedly have faster processors, more memory, and are capable of running 7.x.

So if you're considering a PIX, and time isn't of the essence, you may want to wait a month.

Regarding other firewall products, I suggest you take a look at the Netscreen and Fortigate products. Many people find these easier to configure than the PIX. I have a Netscreen 5GT and also have experience with the PIX, and I found the Netscreen easier to set up. There is not nearly as much third-party documentation available for these as the Cisco, and the only one that I'm aware of ("Configuring Netscreen Firewalls") isn't worth the paper it's written on, but the Juniper documentation is quite good and freely available on their web site.


Reply to
Jerry Gardner

Have you considered the Cyberguard 585?

Here is a matrix that compares it with several others.
I love cisco equipment....except for the PIX.

Pix is a very hard device to configure for a non-cisco user. The GUI in 6.x is about worthless. Anyone who uses the pix will tell you "COMMAND LINE", forget the GUI.

There was some mention to bring the Pix OS 7.x down to the 501, but it might not happen. Also rumors that the PIX is going to be phased out and replaced with their other security appliances.

The Cyberguard 580 can do multi-load balancing across two IP connections, failover across multiple ISPs and more. Cyberguard's 3.1x firmware is finally easy to use and understand.

I would recommend ANYTHING but a pix for a home user, unless you want to learn PIX for a security position or a cert.

Reply to
StoneColdStunner


I have no desire to make a career out of learning to setup a hardware firewall, I assure you!!!

I want something that is excellent security, that will be easy to set up and which will allow me to easily and reliably get through it with a VPN. As it will only be used at my home with a single IP connection, the load balancing will be wasted on me.

Thanks for the reference--I will check out the Cyberguard.

KK

Reply to
Ken


I checked out the product line and I am wondering if the SG300 would work for my situation as mentioned in the first response to this post, namely as a hardware firewall that would allow me to get through it with a VPN and that would be easy to set up. The price is certainly acceptable.

Thanks KK

Reply to
Ken

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.