Walter Roberson (snipped-for-privacy@ibd.nrc-cnrc.gc.ca) wrote:
: In article , Richard H. Miller wrote:
: :Bear in mind that Cisco offers a blade that is for all intents and purposes a
: :PIX that integrates directly into a 6500 switch or 7600 router [FWSM].
: There are noticeable differences between the FWSM and PIX.
: The first and most obvious one is the speed -- there is nothing in the PIX line which is more than a fraction as fast as a FWSM.
: The second, but major one, is that the FWSM does not do VPNs. There is a VPN services module (for another cool $40K :( ).
And the command syntax is slightly different. However, the differences are small enough that you can teach FWSM configuration by teaching PIX configuration and then adding the differences between the two.
And in the environment these guys operate in, [even though I suspect marketing played some role in the decision to separate] having the VPN in a separate module is not a bad idea. Many of the other firewalls that exist as perimeter firewalls are moving to off-loading some of the more CPU intensive tasks to auxiliary processors. Since the days of 3DES and MDA/SHA1 are probably numbered and we are moving towards more complex crypto methods, having a separate VPN module makes sense.
: There were a number of functional differences between FWSM and PIX having to do with ability to create virtual routers and ability to have traffic exit back out the same interface it came in. Those differences persist in PIX 6.x, but the month-old PIX 7.0(1) incorporates many of those features. PIX 7.0(1) is available for the 515/515E, 525, and 535, and will be ported "this year" to the 501 and 506/506E but possibly with reduced functionality for those boxes.
: FWSM is also more flexible in the order of operations vis-a-vis routing.
: --
: Any sufficiently old bug becomes a feature.
Yes... well aware that there are differences between the two. However, the original poster was discussing how to collapse seven internal firewalls into potentially a layer 3 switch or replacing them with PIX firewalls. The FWSM comes pretty close to doing both.
This is where a FWSM also is a good player since it will allow you to define separate security contexts (sort of virtual firewalls) with separate policies. It also allows you to create virtual internal secured perimeters.
However, this approach is not a trivial design change and needs to be looked at very carefully. It also is available for larger sites [using 6500 switches].
Also, you probably would want to make sure you buy two blades for redundancy/fault tolerance purposes.