RE: [fw-wiz] How AAA in PIX Firewall ?

From: Adel Guia Cruz (aguia_at_fifomi.gob.mx)
Date: 12/04/03

    To: mailinglists@wjnconsulting.com, 'Adel Guia Cruz' <aguia@fifomi.gob.mx>, firewall-wizards@honor.icsalabs.com
    Date: Thu, 4 Dec 2003 14:32:31 -0600
    
    

    Hello Wes

    I checked Websense and N2H2 and this is exactly what I need for filtering HTTP in
    the PIX Firewall. The PIX and the software use the IFP protocol (Internet Filter
    Protocol) to communicate.

    The problem is that this software is very expensive. Do you know another, less
    expensive solution?

    So I need to buy a PIX Firewall and content filtering software (that supports
    IFP to communicate with the PIX), and for authentication can I use Microsoft
    IAS?

    Thanks for the advice

    -----Original Message-----
    From: Wes Noonan [mailto:mailinglists@wjnconsulting.com]
    Sent: Wednesday, December 03, 2003 20:04
    To: 'Adel Guia Cruz'; firewall-wizards@honor.icsalabs.com
    Subject: RE: [fw-wiz] How AAA in PIX Firewall ?

    1) Not necessarily. You could go Netopia or something similar for the remote
    sites. If not, the cost of 15 PIX 501's would be somewhere in the $6000-7000
    range, which is about $3000 more, give or take, than what a 515E-UR would cost.
    2) I would recommend setting up a content filtering server as that sounds
    more in line with what you really need. PIX supports Websense and N2H2 for
    content filtering.

    Don't sweat the English. It's better than my Spanish. :-)

    HTH

    Wes Noonan
    mailinglists@wjnconsulting.com
    http://www.wjnconsulting.com

    > -----Original Message-----
    > From: Adel Guia Cruz [mailto:aguia@fifomi.gob.mx]
    > Sent: Wednesday, December 03, 2003 17:51
    > To: mailinglists@wjnconsulting.com; 'Adel Guia Cruz'; firewall-wizards@honor.icsalabs.com
    > Subject: RE: [fw-wiz] How AAA in PIX Firewall ?
    >
    > 1) The problem with using site-to-site VPN is that I need to buy 1 PIX
    > Firewall per remote office (a total of 15 PIX 501s), and this is more
    > expensive than individual VPNs, or not?
    >
    > 2) I need AAA for controlling users' access to the Internet. My network is a
    > Microsoft Windows network with 2 Domain Controllers, and I need to
    > authenticate, filter URLs and log the activity of the users that will use
    > NAT through the PIX. How can I do that? I know that RADIUS server software
    > exists, but the problem is whether they do that, and which of these servers
    > do it?
    > In the case of controlling remote access to the firewall I only need
    > authentication.
    >
    > Thanks, and I'm sorry because my English is not good; my native language
    > is Spanish.
    >
    > ADEL
    >
    > -----Original Message-----
    > From: Wes Noonan [mailto:mailinglists@wjnconsulting.com]
    > Sent: Wednesday, December 03, 2003 14:55
    > To: 'Adel Guia Cruz'; firewall-wizards@honor.icsalabs.com
    > Subject: RE: [fw-wiz] How AAA in PIX Firewall ?
    >
    >
    > 1) The PIX 506 should work fine, as long as you don't need more than 2
    > interfaces, failover or more than 25 VPN peers. You mention that you need
    > 75, but you might be better served using site-to-site VPN connections
    > instead of individual VPNs for each user. If you really need 75 VPN peers
    > though, then you have to go with a 515 or larger.
    > 2) Are you wanting AAA for controlling access to the firewall or
    > controlling user access to the internet? If the former you can use local
    > usernames or RADIUS for authentication. If the latter, you can still use
    > RADIUS for authentication, though I believe that you largely give up the
    > ability to do authorization or accounting without TACACS+.
    >
    > HTH
    >
    > Wes Noonan
    > Mailinglists@wjnconsulting.com
    > http://www.wjnconsulting.com
    >
    >
    > > -----Original Message-----
    > > From: firewall-wizards-admin@honor.icsalabs.com [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Adel Guia Cruz
    > > Sent: Wednesday, December 03, 2003 13:45
    > > To: firewall-wizards@honor.icsalabs.com
    > > Subject: [fw-wiz] How AAA in PIX Firewall ?
    > >
    > > I need to implement a Firewall, VPN and IDS solution in my Central
    > > Office network. The network structure is one Central Office with 150
    > > nodes (50 nodes need Internet access) and 15 Remote Small Offices with
    > > 5 nodes per Remote Office.
    > >
    > > The Central Office has only one Internet connection, HDSL 256 Kbps, and
    > > the remote offices are connected to the Central Office through the
    > > Internet.
    > >
    > > I think that Cisco PIX Firewall is a good choice, but I need some advice:
    > >
    > > 1- How to implement AAA (Authentication, Authorization, Accounting) in
    > > PIX firewall. I know that Cisco has the "Cisco Secure Access Control
    > > Server" for AAA, but it is very expensive. Is it possible to implement
    > > AAA without "Cisco Secure ACS" in PIX firewall, and if it is possible,
    > > what would be the limitations?
    > > 2- Is PIX 506 sufficient for me, or do I need the next PIX 515-UR? I
    > > need at least 75 concurrent VPN connections.
    > >
    > > Thanks
    > > _______________________________________________
    > > firewall-wizards mailing list
    > > firewall-wizards@honor.icsalabs.com
    > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
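The following is an added example and not configuration from any message in this thread. It is a PIX 6.3-style fragment that wires together the three pieces the thread discusses: a RADIUS server group for authenticating and accounting users who browse out through the PIX (Microsoft IAS is a RADIUS server, so the same configuration applies to it), a Websense URL server for filtering, and RADIUS with local fallback for administrative access to the firewall. The interface names, the IP addresses 10.1.1.10 and 10.1.1.11, the server-group name, the shared secret and the local admin account are all placeholders chosen for this example; lines beginning with ":" are comments, as in a saved PIX configuration. Check every command against the command reference of the release actually deployed, since keyword support changed between 6.x versions.

```cisco
: Hypothetical PIX 6.3 fragment. Addresses, names and secrets are placeholders.
:
: RADIUS server group used for user authentication and accounting.
: 10.1.1.10 stands in for the RADIUS host (for example a Windows server running IAS).
: The shared secret must match the one configured for this PIX on the RADIUS side.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.10 ReplaceMeSharedSecret timeout 5

: Cut-through proxy: inside users must authenticate before HTTP, HTTPS, FTP or
: Telnet sessions are allowed out. "0 0 0 0" means any source to any destination.
aaa authentication include http inside 0 0 0 0 RADIUS
aaa authentication include https inside 0 0 0 0 RADIUS
aaa authentication include ftp inside 0 0 0 0 RADIUS
aaa authentication include telnet inside 0 0 0 0 RADIUS

: Per-user accounting records for TCP sessions from inside, sent to the same group.
aaa accounting include any inside 0 0 0 0 RADIUS

: URL filtering: every outbound HTTP request is checked with the Websense server at
: 10.1.1.11 over the filtering protocol. The trailing "allow" makes HTTP fail open if
: the url-server is unreachable; leave it off if the filter must fail closed.
url-server (inside) vendor websense host 10.1.1.11 timeout 5 protocol TCP version 1
filter url http 0 0 0 0 allow

: Administrative access to the firewall itself: RADIUS first, local users only if
: the RADIUS group is unreachable.
aaa authentication ssh console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL
username admin password ReplaceMeLocalPassword privilege 15
```

Two things this fragment deliberately does not do. It grants no per-user authorization of which destinations or services an authenticated user may reach: in PIX 6.x the `aaa authorization include` command takes a TACACS+ server group, which is the limitation Wes describes for a RADIUS-only deployment. And the accounting records go to the RADIUS server, so the per-user activity log the original poster asked for lives in IAS's accounting log (or whatever RADIUS server is used), not on the PIX; the URL filter's own logging is configured on the Websense side, not here.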

