RE: [fw-wiz] How AAA in PIX Firewall ?
From: Adel Guia Cruz (aguia_at_fifomi.gob.mx)
To: firstname.lastname@example.org, 'Adel Guia Cruz' <email@example.com>, firstname.lastname@example.org Date: Thu, 4 Dec 2003 14:32:31 -0600
I check Websense and N2H2 and this is exactly what I need for Filter HTTP in
PIX Firewall. The Pix and the software use IFP protocol (Internet Filter
Protocol) to communicate.
The problem is that this software are very expensive, you know another
solution less expensive.
So I need to buy PIX Firewall and a content filtering software (That support
IFP to communicate with PIX ), and for authentication I can use Microsoft
Thanks for the advises
De: Wes Noonan [mailto:email@example.com]
Enviado el: miércoles, 03 de diciembre de 2003 20:04
Para: 'Adel Guia Cruz'; firstname.lastname@example.org
Asunto: RE: [fw-wiz] How AAA in PIX Firewall ?
1) Not necessarily. You could go netopia or something similar for the remote
sites. If not, the cost of 15 PIX 501's would be somewhere in the $6000-7000
range which is about $3000 more give or take what a 515E-UR would cost.
2) I would recommend setting up a content filtering server as that sounds
more in line with what you really need. PIX supports Websense and N2H2 for
Don't sweat the English. It's better than my Spanish. :-)
> -----Original Message-----
> From: Adel Guia Cruz [mailto:email@example.com]
> Sent: Wednesday, December 03, 2003 17:51
> To: firstname.lastname@example.org; 'Adel Guia Cruz'; firewall-
> Subject: RE: [fw-wiz] How AAA in PIX Firewall ?
> 1) The problem of use site-to-site VPN is that I need to buy 1 PIX
> peer remote office (Total of 15 PIX 501) and this is more expensive that
> individual VPN, or not ?
> 2)I need AAA for controlling users access to the Internet. My network is
> Microsoft Windows Network with 2 Domain Controller and I need to
> Authenticate, filter URL and log the activity of the user that will use
> trough the PIX , How can I do that ? I know that exist RADIUS server
> software, but the problems is if they do that, and what of this SERVER do
> In case of controlling remote access to the firewall I only need
> Thanks and I´m sorry because my English is not good, my native language
> -----Mensaje original-----
> De: Wes Noonan [mailto:email@example.com]
> Enviado el: miércoles, 03 de diciembre de 2003 14:55
> Para: 'Adel Guia Cruz'; firstname.lastname@example.org
> Asunto: RE: [fw-wiz] How AAA in PIX Firewall ?
> 1) The PIX 506 should work fine, as long as you don't need more than 2
> interfaces, failover or more than 25 VPN peers. You mention that you need
> 75, but you might be better served using site-to-site VPN connections
> instead of individual VPNs for each user. If you really need 75 VPN peers
> though, then you have to go with a 515 or larger.
> 2) Are you wanting AAA for controlling access to the firewall or
> user access to the internet. If the prior you can use local usernames or
> RADIUS for authentication. If the latter, you can still use RADIUS for
> authentication though I believe that you largely give up the ability to do
> authorization or accounting without TACACS+.
> Wes Noonan
> > -----Original Message-----
> > From: email@example.com [mailto:firewall-
> > firstname.lastname@example.org] On Behalf Of Adel Guia Cruz
> > Sent: Wednesday, December 03, 2003 13:45
> > To: email@example.com
> > Subject: [fw-wiz] How AAA in PIX Firewall ?
> > I need to implement a Firewall, VPN and IDS solution in my Central
> > network. The network structure is one Central Office with 150 nodes (50
> > nodes need Internet access) and 15 Remote Small Office with 5 node peer
> > Remote Office.
> > The Central Office have only one internet connection HDSL 256Kbps and
> > remote office are connected to Central Office thought Internet.
> > I think that Cisco PIX Firewall is a good choice but I need some advise:
> > 1- How to implement AAA (Authentication, Authorization, Accounting)
> > PIX firewall. I now that Cisco have the "Cisco Secure Access Control
> > Server"
> > for AAA but is very expensive. Is possible to implement AAA without
> > Secure ACS" in PIX firewall, if is possible what will bee the
> > ?
> > 2- Is PIX 506 sufficient to me, or I need the next PIX 515-UR? I
> > at
> > less 75 concurrent VPN connections.
> > Thanks
> > _______________________________________________
> > firewall-wizards mailing list
> > firstname.lastname@example.org
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> firewall-wizards mailing list
firewall-wizards mailing list