Re: [fw-wiz] PIX firewall licensing and beyond (newbie)

From: Ryan Steinmetz (rpsfa_at_rit.edu)
Date: 09/07/05

    To: Vahid Pazirandeh <vpaziran@yahoo.com>
    Date: Wed, 7 Sep 2005 11:33:45 -0400
    
    

    On (09/05/05 20:40), Vahid Pazirandeh wrote:
    > Hello everyone,
    >
    > I come from a linux admin background and have an assignment to setup a pix
    > firewall. This is new territory and will be my first time playing with pix os
    > instead of iptables. Please excuse my newb questions, but we all start
    > somewhere. :-)
    >
    > 1. Which model? Our servers are in a co-location with a 100mbit drop. Would
    > that make the 515E the right choice if we actually want to make use of our
    > bandwidth? The pix becomes the bottleneck?

    The 515E should suffice; it is capable of handling about 180mbit of traffic.

    >
    > 2. I'm a little uneasy about the licensing. What are the typical features I
    > should make sure that are included (e.g., 3DES)? What should I watch out for.

    3DES/AES licenses are free from cisco.com. Details about the licensing options are available at:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a00800b0d85.html

    It breaks down to either a Restricted (R) license or an Unrestricted (UR) license.
    There is also a separate license for Failover units (see above URL).

    The Restricted license is limited to 3 physical ports and a maximum of 5 ports (via an 802.1q trunk).
    In order to add more ports, you will need the UR license.

    >
    > 3. I read somewhere that vlan support is only in pix os 6.3. Is vlan support
    > also based on which model I'm using, or do all pix firewall models have this
    > feature?

    All PIXs running 6.3 or above that are equal to or higher in model than the 515 will support 802.1q trunks.

    >
    > 4. How many physical ports do the pix firewalls typically come with? It seems
    > like it's 2: one uplink, one downlink. I can already think of 3 security
    > levels that I want my servers separated into. Does that mean I have to buy
    > expansion slots? Or should I use VLANs instead?

    There are 2 restricted bundles available, one has 3 ports, the other has 2.
    The PIX has 2 expansion slots, one of which would be in use if you purchased the model with 3 ports.

    You could use VLANs, the only thing you need to keep in mind is that the interface itself is still limited to 100mbit.

    >
    > 5. Any recommendations on a location to order the pix firewall and licensing
    > from? Good deals, good support, etc.

    CDW (www.cdw.com) is always a safe bet, however, you may be able to find it cheaper elsewhere.
    Support is typically handled through Cisco via a SMARTnet contract (which is also available from the place you choose to buy the PIX from).

    >
    > 6. Any recommendations on some online reading that will help with implementing
    > the pix firewall? It would help to see some example network layouts to get a
    > better idea of how the components should be pieced together.

    Cisco's documentation can be helpful. Check out their website at www.cisco.com

    >
    > Here are a few places that I've already scoped out:
    > http://www.netcraftsmen.net/welcher/papers/pix01.html (also:
    > pix02-pix04.html)
    > http://www.examcram2.com/articles/article.asp?p=101741&seqNum=1
    >
    > Your guidance would be very helpful. Thanks for a great mail list!
    >
    > A PIX student in training,
    > -Vahid
    >
    > =============================================
    > "Make it better before you make it faster."
    > =============================================
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    -- 
    Ryan Steinmetz
    Systems Administrator
    Finance & Administration
    Systems & Technology
    Rochester Institute of Technology
    585.475.5663
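An added example, not from anyone in this thread, of what the VLAN approach described in the reply looks like on PIX OS 6.3: one physical port carries an 802.1q trunk, and three server segments at different security levels hang off it as one tagged physical interface plus two logical interfaces, staying within the Restricted license's cap of 5 interfaces. The VLAN IDs, interface names, addresses and security levels are assumed values chosen for illustration.

```cisco
! Added example (not from the thread): PIX OS 6.3 configuration that carves
! three server segments out of a single trunked port. VLAN IDs, interface
! names, addresses and security levels are assumed values for illustration.
!
! ethernet0 is the untrusted uplink to the co-lo drop; ethernet1 carries the
! 802.1q trunk toward the server switch.
interface ethernet0 100full
interface ethernet1 100full

! Tag the physical port's own traffic with VLAN 10 ...
interface ethernet1 vlan10 physical
! ... and add two logical interfaces on the same trunk. Under a Restricted
! license, physical + logical interfaces together may not exceed 5
! (here: ethernet0, ethernet1, vlan20, vlan30 = 4).
interface ethernet1 vlan20 logical
interface ethernet1 vlan30 logical

! Name each interface and assign a security level (0 = least trusted,
! 100 = most trusted). Distinct levels are what make the segments
! distinct trust zones rather than just separate subnets.
nameif ethernet0 outside security0
nameif ethernet1 web security20
nameif vlan20 app security50
nameif vlan30 db security80

! Addresses are assumed documentation/private ranges.
ip address outside 203.0.113.2 255.255.255.248
ip address web 10.0.20.1 255.255.255.0
ip address app 10.0.50.1 255.255.255.0
ip address db 10.0.80.1 255.255.255.0

! Default PIX behaviour: connections initiated from a lower security level
! toward a higher one (e.g. web -> db) are denied unless an access-list
! applied to the lower interface explicitly permits them, so the web tier
! cannot reach the database tier until you deliberately open a path.
```

The trade-off the reply points out still applies: web, app and db all share ethernet1's single 100mbit link, so inter-tier traffic between servers (web to app, app to db) competes for the same trunk bandwidth and passes through the PIX rather than staying on the switch. That is the point of the design from a security standpoint, but it means the trunked port, not the firewall's throughput, is the number to watch.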