RE: [fw-wiz] PIX firewall licensing and beyond (newbie)

From: Paul Melson (pmelson_at_gmail.com)
Date: 09/07/05

    To: "'Vahid Pazirandeh'" <vpaziran@yahoo.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 7 Sep 2005 13:49:35 -0400
    1. That depends on how much bandwidth you'll actually use and what you're
    doing with the PIX. If, for example, the actual pipe is a frac T3 burstable
    to 45Mbps and your servers are going to pass primarily TCP traffic across
    the PIX, a 515E is a fine choice. If you want to do large-volume VPN tunnels
    or use the full 100Mb link for sustained periods, you may be looking for
    something bigger.

    2. There's no more licensing for 3DES/AES. Any PIX can get a key free from
    Cisco, and anything you buy new should come with it. The big choice you're
    looking at is R-BUN vs. UR-BUN. If you only need 2-3 interfaces, are just
    sticking tens of servers behind it (and not an office full of users), and
    don't need fail-over, then the R-BUN is perfect for you. Otherwise, UR-BUN.

    3. Nope. PIX OS is PIX OS no matter the model. (unless it's 7.x)

    4. Depends on the model, but the 515E comes with at least 2 ports but can be
    configured for 3, 4, or 6 interfaces as well. You buy either 1-port (1FE)
    cards, or a 4-port card (4-FE). Remember that 4 or 6 interfaces require a
    UR license.

    5. I probably shouldn't give VAR/reseller names on-list. But at the end of
    the day, everybody that resells Cisco is subject to the same availability
    issues and delivers the same products. And if the only support you buy is
    Cisco SmartNet, then you get all of your support from them also. Shopping on
    price is my advice. Or call Cisco. If it's a big enough order (a handful
    of 515E's won't qualify), they'll gladly hand over the lead to a channel
    partner who's going to get stuck with a tiny margin because Cisco brought
    them the lead and wants the sale. This works especially well if it's a
    scenario where the Cisco products are up against another competitor (like
    Juniper or Symantec). :-)

    6. Cisco's website is actually pretty good as a support/reference resource.
    Better than most. Also, this list's archives. And before you get too far
    into your new firewall, I recommend:
    http://www.enterastream.com/whitepapers/cisco/pix/pix-practical-guide.html

    If nothing else it's a good introduction to the PIX paradigm, if you will.

    PaulM

    -----Original Message-----
    Subject: [fw-wiz] PIX firewall licensing and beyond (newbie)

    I come from a Linux admin background and have an assignment to set up a PIX
    firewall. This is new territory and will be my first time playing with PIX
    OS instead of iptables. Please excuse my newb questions, but we all start
    somewhere. :-)

    1. Which model? Our servers are in a co-location with a 100Mbit drop.
    Would that make the 515E the right choice if we actually want to make use of
    our bandwidth? Does the PIX become the bottleneck?

    2. I'm a little uneasy about the licensing. What are the typical features I
    should make sure are included (e.g., 3DES)? What should I watch out
    for?

    3. I read somewhere that VLAN support is only in PIX OS 6.3. Is VLAN
    support also based on which model I'm using, or do all PIX firewall models
    have this feature?

    4. How many physical ports do the PIX firewalls typically come with? It
    seems like it's 2: one uplink, one downlink. I can already think of 3
    security levels that I want my servers separated into. Does that mean I
    have to buy expansion slots? Or should I use VLANs instead?

    5. Any recommendations on a location to order the PIX firewall and licensing
    from? Good deals, good support, etc.

    6. Any recommendations on some online reading that will help with
    implementing the PIX firewall? It would help to see some example network
    layouts to get a better idea of how the components should be pieced
    together.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
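To make the interface and security-level discussion in points 3 and 4 concrete, here is an added PIX OS 6.3 configuration sketch (not from either poster) showing the three zones the original question describes, first on three physical interfaces and then with the DMZ moved onto a VLAN subinterface. Interface names, addresses and the web server are constructed placeholders; lines starting with ":" are comments.

```text
: --- Option A: three physical interfaces (outside, inside, dmz) ---
: Each interface gets a name and a security level; traffic flows from a
: higher level to a lower level by default, the reverse needs a static + ACL.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 10.0.1.1 255.255.255.0

: Inside and DMZ hosts may initiate outbound connections via PAT.
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
nat (dmz) 1 10.0.1.0 255.255.255.0 0 0
global (outside) 1 interface

: Only the DMZ web server (constructed 10.0.1.10) is reachable from outside,
: and only on port 80; nothing on the inside is exposed.
static (dmz,outside) 203.0.113.3 10.0.1.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.3 eq www
access-group outside_in in interface outside

: --- Option B: same zones, DMZ as an 802.1Q VLAN on ethernet1 (PIX OS 6.3) ---
: Replaces the ethernet2 lines above; the switch port must be a trunk.
interface ethernet1 vlan1 physical
interface ethernet1 vlan20 logical
nameif vlan20 dmz security50
ip address dmz 10.0.1.1 255.255.255.0
```

Option A needs a third port (a 1FE card on a 515E, still within an R license); option B keeps the two built-in ports but puts inside and DMZ traffic on one shared link, so the security separation then also depends on the switch's trunk configuration.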

