Re: [fw-wiz] PIX firewall licensing and beyond (newbie)

From: David Lang (
Date: 09/08/05

    To: Victor Williams <>
    Date: Wed, 7 Sep 2005 18:43:51 -0700 (PDT)

    > Vahid Pazirandeh wrote:
    >> Hello everyone,
    >> I come from a linux admin background and have an assignment to setup a pix
    >> firewall. This is new territory and will be my first time playing with pix
    >> os instead of iptables. Please excuse my newb questions, but we all start
    >> somewhere. :-)

    I'm just having to deal with pix firewalls again after ~5 years of linux
    boxes, boy do I wish I could just use linux (it does what I tell it to
    do, not what it assumes I want to do ;-)

    I would say definitely run with the OS at version 7, especially if you
    don't necessarily want the NAT configuration that they assume that you
    will, it's an incredible pain to disable on lower revs.

    >> 1. Which model? Our servers are in a co-location with a 100mbit drop.
    >> Would that make the 515E the right choice if we actually want to make
    >> use of our bandwidth? The pix becomes the bottleneck?

    Note that the network cards are plugged into 32 bit PCI slots on the 515
    and 525 which limits its total I/O to ~330Mb, but this is the combined
    inbound and outbound traffic so I would take the rating of a 515 at 180Mb
    with a very large dose of salt (the 525 is rated at 300Mb, which given the
    PCI limits would be ~150Mb in one interface and ~150Mb out a second).

    I don't know what the 535 boxes have for true I/O capacity, but they start
    to get _really_ expensive.

    >> 4. How many physical ports do the pix firewalls typically come with? It
    >> seems like it's 2: one uplink, one downlink. I can already think of 3
    >> security levels that I want my servers separated into. Does that mean I
    >> have to buy expansion slots? Or should I use VLANs instead?

    they do sell a quad 100Mb card for these machines, but watch the total

    There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
      -- C.A.R. Hoare
    firewall-wizards mailing list
