internal firewall suggestions required

Hi

We have a network with an external firewall and many internal firewalls which segregate the various departments which are in separate subnets. The common servers are in a separate subnet.

The internal firewalls are all running Linux with iptables while the external firewall is running a commercial product.

The traffic between network segments is tightly regulated using the firewalls.

Now as the network has grown to nearly 1000 users, we find managing the many internal firewalls unwieldy. Hence we are contemplating 2 options:

  1. Implement a single hardware appliance (eg Cisco PIX) for the internal firewall
  2. Implement a Layer 3 switch with Firewalling capabilities (I presume some exist).

What are the pros and cons of these 2 options?

Thanks in advance

Venkat

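One way the original poster's existing Linux/iptables setup could be made less unwieldy without replacing it: keep the inter-segment policy in one central definition and compile it into each internal firewall's FORWARD rules. This is an added example, not code from the thread; the zone names, subnets and flows are constructed samples.

```python
import ipaddress

# Constructed sample zones: two department subnets plus the common-server subnet.
ZONES = {
    "finance": "10.1.0.0/24",
    "engineering": "10.2.0.0/24",
    "servers": "10.9.0.0/24",
}

# Allowed flows as (src zone, dst zone, protocol, dst port); anything not
# listed is dropped by the chain's default policy.
POLICY = [
    ("finance", "servers", "tcp", 443),
    ("engineering", "servers", "tcp", 443),
    ("engineering", "servers", "tcp", 22),
]

def check_policy(zones=ZONES, policy=POLICY):
    """Reject a policy that names an unknown zone or has overlapping subnets,
    so a typo cannot silently open or close a segment."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in zones.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"zones {a} and {b} overlap")
    for src, dst, _proto, _port in policy:
        if src not in nets or dst not in nets:
            raise ValueError(f"unknown zone in flow {src}->{dst}")
    return nets

def compile_rules(fw_zones, zones=ZONES, policy=POLICY):
    """Return the iptables FORWARD rules for one internal firewall that
    fronts the zones in fw_zones: default DROP, allow replies to accepted
    connections, then only the listed flows that touch this firewall."""
    nets = check_policy(zones, policy)
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst, proto, port in policy:
        if src not in fw_zones and dst not in fw_zones:
            continue  # flow does not pass through this firewall
        rules.append(
            f"iptables -A FORWARD -s {nets[src]} -d {nets[dst]} -p {proto} "
            f"--dport {port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    return rules
```

Each firewall then receives only the rules for the zones it fronts, and the policy is reviewed and changed in one place rather than on every box.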

hummm...at first glance even if you went to a VLAN w/acl configuration would you not still have to maintain it? Would it not still be unwieldy? Cisco I think has a management suite that might make this easier to maintain. If VLAN w/acls is the option you like I would check out their security management suite for this.

Michael

Michael Pelletier

: > Hi
: >
: > We have a network with an external firewall and many internal firewalls
: > which segregate the various departments which are in separate subnets.
: > The common servers are in a separate subnet.
: >
: > The internal firewalls are all running Linux with iptables while the
: > external firewall is running a commercial product.
: >
: > The traffic between network segments is tightly regulated using the
: > firewalls.
: >
: > Now as the network has grown to nearly 1000 users, we find managing the
: > many internal firewalls unwieldy. Hence we are contemplating 2 options:
: >
: > 1. Implement a single hardware appliance (eg Cisco PIX) for the
: > internal firewall
: > 2. Implement a Layer 3 switch with Firewalling capabilities (I presume
: > some exist).
: >
: > What are the pros and cons of these 2 options?

: hummm...at first glance even if you went to a VLAN w/acl configuration would
: you not still have to maintain it? Would it not still be unwieldy? Cisco I
: think has a management suite that might make this easier to maintain. If
: VLAN w/acls is the option you like I would check out their security
: management suite for this.

Bear in mind that Cisco offers a blade that is for all intents and purposes a PIX that integrates directly into a 6500 switch or 7600 router [FWSM].

Rick

Richard H. Miller

In article , Richard H. Miller wrote:
:Bear in mind that Cisco offers a blade that is for all intents and purposes a
:PIX that integrates directly into a 6500 switch or 7600 router [FWSM].

There are noticeable differences between the FWSM and PIX.

The first and most obvious one is the speed -- there is nothing in the PIX line which is more than a fraction as fast as a FWSM.

The second, but major one, is that the FWSM does not do VPNs. There is a VPN services module (for another cool $40K :( ).

There were a number of functional differences between FWSM and PIX having to do with ability to create virtual routers and ability to have traffic exit back out the same interface it came in. Those differences persist in PIX 6.x, but the month-old PIX 7.0(1) incorporates many of those features. PIX 7.0(1) is available for the 515/515E, 525, and 535, and will be ported "this year" to the 501 and 506/506E but possibly with reduced functionality for those boxes.

FWSM is also more flexible in the order of operations vis-a-vis routing.

Walter Roberson

In article , Walter Roberson wrote:
:There are noticeable differences between the FWSM and PIX.

Ah, I should have had a point #0: a very noticeable difference between the two is in price! If you -need- the speed then you need it ... but it is certainly high enough to lead one to ask whether perhaps another vendor's product might be more cost effective.

Walter Roberson

Walter Roberson ( snipped-for-privacy@ibd.nrc-cnrc.gc.ca) wrote:
: In article ,
: Richard H. Miller wrote:
: :Bear in mind that Cisco offers a blade that is for all intents and purposes a
: :PIX that integrates directly into a 6500 switch or 7600 router [FWSM].

: There are noticeable differences between the FWSM and PIX.

: The first and most obvious one is the speed -- there is nothing in the
: PIX line which is more than a fraction as fast as a FWSM.

: The second, but major one, is that the FWSM does not do VPNs. There
: is a VPN services module (for another cool $40K :( ).

And the command syntax is slightly different. However, the differences are small enough that you can teach FWSM configuration by teaching PIX configuration and then adding the differences between the two.

And in the environment these guys operate in, [even though I suspect marketing played some role in the decision to separate] having the VPN in a separate module is not a bad idea. Many of the other firewalls that exist as perimeter firewalls are moving to off-loading some of the more CPU intensive tasks to auxiliary processors. Since the days of 3DES and MDA/SHA1 are probably numbered and we move towards more complex crypto methods, having a separate VPN module makes sense.

: There were a number of functional differences between FWSM and PIX
: having to do with ability to create virtual routers and ability to
: have traffic exit back out the same interface it came in. Those
: differences persist in PIX 6.x, but the month-old PIX 7.0(1)
: incorporates many of those features. PIX 7.0(1) is available for the
: 515/515E, 525, and 535, and will be ported "this year" to the 501
: and 506/506E but possibly with reduced functionality for those boxes.

: FWSM is also more flexible in the order of operations vis-a-vis routing.
: --
: Any sufficiently old bug becomes a feature.

Yes..well aware that there are differences between the two. However, the original poster was discussing how to collapse seven internal firewalls into potentially a layer 3 switch or replacing with PIX firewalls. The FWSM comes pretty close to doing both.

This is where a FWSM also is a good player since it will allow you to define separate security contexts (sort of virtual firewalls) with separate policies. It also allows you to create virtual internal secured perimeters.

However, this approach is not a trivial design change and needs to be looked at very carefully. It also is available for larger sites [using 6500 switches].

Also, you probably would want to make sure you buy two blades for redundancy/fault tolerance purposes.

Richard H. Miller

Hi All

Thank you all for your suggestions.

Regards
Venkat
