Re: Considering Cisco Pix 501 for home firewall---need info
- From: Ken <ken@xxxxxxxxxxx>
- Date: Sun, 18 Dec 2005 10:19:05 -0800
Wow! Thank you for the very extensive information. One thing that I should have asked for is the cost of the software. And, I suppose, the other question is whether this product is WAY over the top for home security. The cost is not an issue, only the problems with configuration. I suspect that once I have it set up, it should not need tweaking, and I can ask my IT fellow to set it up at my home.

Walter Roberson wrote:
In article <9KOdnSC5KelN6TneRVn-qg@xxxxxxxxxxx>, Ken <ken@xxxxxxxxxxx> wrote:
I am interested to know how difficult the 501 is to set up and understand, whether there are licenses that need to be purchased, do they need to be purchased each year, and is there any special software that needs to be purchased?
Addressing the questions a bit out of order:
- There is no special software required for PIX.
- If you want to use the graphical interface to configure the PIX, then that is java based, so you would need Java 5 (I think it is); the graphical interface is no extra cost, though.
- Once you have bought a PIX, you have the right to keep using it indefinitely; there are no yearly license fees required.
- The PIX 501 has a fairly short warranty (90 days or so), during which time you are entitled to software updates and to create support cases.
- If you want support after that time, you would need to obtain a support contract. Most vendors sell those in one year chunks, but there is also a 3 year contract part number, and the better vendors can arrange a support contract for any arbitrary period of time (up to 5 years) -- e.g., you could buy 42 days of support starting on Feb 28th if you wanted to go through the trouble.
- After the end of your warranty, if you are not under support, then you are not certain to receive any software upgrade for free.
- The Cisco -policy- (i.e., something subject to change) has been that if a security problem is found in a release, then customers are given free updates to the first subrelease of the same minor release that fixes that security problem. For example, if you had 6.3(1) then you would have been given 6.3(3) because that fixed security problems in 6.3(1). However, if the same security problem had been found in 6.2(3) and that was the release you had, you would probably not be given the 6.3(3) update: Cisco would instead likely create a new 6.2 minor release (e.g., 6.2(4)) and give you that. Cisco distinguishes "updates" (same minor version, e.g., 6.3(*)) from "upgrades" (different minor versions, e.g., 6.2(*) vs 6.3(*)), and it is quite uncommon for Cisco to give a free "upgrade". So if you buy in at 6.3(something) and do not obtain support, and 6.4 comes out 100 days after your purchase, then you are likely to be stuck at 6.3 unless you pay for an "upgrade" or support contract. [It isn't -unheard of- for Cisco to allow a free "upgrade", but it is decidedly -uncommon-.]
- There are different support contracts, distinguished mostly by the hours during which you can open new support cases, by the response time that Cisco promises, and by whether you have onsite support or not. The 4-hour response time and 2-hour response time contracts are only available in areas that are within limited distances of existing Cisco parts depots.
- As the other poster alluded to, the Cisco PIX 501 is available with a 10 user license, a 50 user license, or an unlimited license. None of the other PIX models have per-user licenses. The PIX 506E is available only with a single license type, permitting unlimited users. The PIX 515/515E, 525, and 535 are available with several types of licenses, most notably "Restricted" or "Unrestricted", but also "Failover", and there are a few new license types added in PIX 7.0 (which is available for those models but not the 501 or 506E). Restricted licenses have stronger limits on the number of physical and logical interfaces, and do not support dual-firewall "failover" configurations; Unrestricted have more generous interface restrictions and support failover. The price difference between the two is steep.
- The difficulty of the PIX 501 to set up and understand depends a *lot* on what you want to do with it. There are a lot of different configuration parameters possible, most of which are completely irrelevant to someone who just wants to keep other people out. The graphical interface has a "VPN Wizard" which makes it relatively easy to configure simple secure remote access.
- But to really understand the PIX software and how all the different parameters interact with each other takes literally -years- of hard study. I've put in those years, and there are still lots of things I don't know, [e.g., the proper arrangement in order to authenticate users against remote Windows RAS.]
WRT to the cost of software, is there any extra cost for VPN software (or is that included) and how much are software upgrades that have come out in the past?
I am considering purchasing a unit on eBay. Would that be a big gamble because of the warranty being so short?
And perhaps the last question is whether I should be considering any other product for my home LAN?
Thanks, Ken Krone