Re: [fw-wiz] PIX firewall licensing and beyond (newbie)

From: David Lang (david.lang_at_digitalinsight.com)
Date: 09/08/05

    To: Victor Williams <vbwilliams@neb.rr.com>
    Date: Wed, 7 Sep 2005 18:43:51 -0700 (PDT)
    
    

    > Vahid Pazirandeh wrote:
    >> Hello everyone,
    >>
    >> I come from a Linux admin background and have an assignment to set up a PIX
    >> firewall. This is new territory and will be my first time playing with PIX OS
    >> instead of iptables. Please excuse my newb questions, but we all start
    >> somewhere. :-)

    I'm just having to deal with PIX firewalls again after ~5 years of Linux
    boxes; boy, do I wish I could just use Linux (it does what I tell it to
    do, not what it assumes I want to do ;-)

    I would say definitely run with the OS at version 7, especially if you
    don't necessarily want the NAT configuration that they assume you
    will; it's an incredible pain to disable on lower revs.

    >> 1. Which model? Our servers are in a co-location with a 100mbit drop. Would
    >> that make the 515E the right choice if we actually want to make use of our
    >> bandwidth? The PIX becomes the bottleneck?

    Note that the network cards are plugged into 32-bit PCI slots on the 515
    and 525, which limits its total I/O to ~330Mb, but this is the combined
    inbound and outbound traffic, so I would take the rating of a 515 at 180Mb
    with a very large dose of salt (the 525 is rated at 300Mb, which given the
    PCI limits would be ~150Mb in one interface and ~150Mb out a second
    interface).

    I don't know what the 535 boxes have for true I/O capacity, but they start
    to get _really_ expensive.

    >> 4. How many physical ports do the PIX firewalls typically come with? It seems
    >> like it's 2: one uplink, one downlink. I can already think of 3 security
    >> levels that I want my servers separated into. Does that mean I have to buy
    >> expansion slots? Or should I use VLANs instead?

    They do sell a quad 100Mb card for these machines, but watch the total
    throughput.

    -- 
    There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
      -- C.A.R. Hoare
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
