topic Re: Linux based Firewall replacement in Network Security

Linux based Firewall replacement

venturasuites — Mon, 11 Mar 2019 13:35:52 GMT

I currently manage an office building that has 42 internal networks and I have a single linux firewall/gateway to the internet. I am looking to replace it possibly with an asa 5505 firewall, but I thought I should check with those more familiar with the product if this is a good fit for my network. I don't have a need for vpn, but my linux box is capable of that. The biggest need in my firewall is the ablility for 1-1 Nat translations by port and by IP address. I also need the ability of the device to handle multiple public ip addresses. Does anyone have any thoughts? Will I need a device with a lot of licenses, or is that just for vpn? Thanks in advance for your help.

Re: Linux based Firewall replacement

Farrukh Haroon — Tue, 26 Aug 2008 01:38:02 GMT

To suggest an ASA you would need to tell more about your bandwidth, number of interfaces required, no of concurrent connections, IPS module required? Etc.

This is a quick comparison:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Regards

Farrukh

Re: Linux based Firewall replacement

venturasuites — Tue, 26 Aug 2008 01:56:32 GMT

I currently connect to a 10 Meg connection. I would guess the maximum users on the network would be 100 to 150 computers, none of which require a vpn connection. My linux box currently has intrusion detection and prevention, but I had to disable the prevention side of the software since some users were unable to view certain websites. I'm not sure my network requires this service, but it was a cheap upgrade to my linux operating system so I purchased it. Is the linux box, (I use Clark Connect) a more robust solution, or is and ASA the better way to go?

Re: Linux based Firewall replacement

Farrukh Haroon — Tue, 26 Aug 2008 05:56:16 GMT

I would go for the ASA 🙂

Regards

Farrukh

Re: Linux based Firewall replacement

venturasuites — Fri, 29 Aug 2008 03:04:59 GMT

I noticed that the base model only came with 10 licenses. Are the licenses only for VPN access or do I need a license for every computer in the internal network so that it can access the internet?

Re: Linux based Firewall replacement

andrew.prince — Fri, 29 Aug 2008 07:04:40 GMT

Clark,

They are for simultanious VPN connections, not based on inside machine IP addresses (as with the PIX 501/506)

As Farrukh has suggested for what you are looking for an ASA would fit your requirements, more specifically the 5505.

HTH>

Re: Linux based Firewall replacement

cisco24x7 — Fri, 29 Aug 2008 17:48:40 GMT

"I currently connect to a 10 Meg connection. I would guess the maximum users on the network would be 100 to 150 computers, none of which require a vpn connection. My linux box currently has intrusion detection and prevention, but I had to disable the prevention side of the software since some users were unable to view certain websites. I'm not sure my network requires this service, but it was a cheap upgrade to my linux operating system so I purchased it. Is the linux box, (I use Clark Connect) a more robust solution, or is and ASA the better way to go?"

Here is my 2c:

Your linux box which I suspect runs iptables

and some customization of Snort as IDS/IPS.

Iptables can perform complext NAT with such

ease that I don't think ASA can provide this

function. Furthermore, when it comes to

troubleshooting, tcpdump on Linux is a much

better tool than ASA capture utilities.

That being said, supports for Linux firewalls

like yours are not as great as Cisco TAC

support. In other words, if things do not

go well with the ASA, you can blame it on

Cisco. With your customize linux firewall,

you're ultimately responsible for it.

Re: Linux based Firewall replacement

kmccourt — Sat, 30 Aug 2008 11:56:10 GMT

Andrew, maybe I'm misunderstanding what you're saying, but does an ASA 5505 10 user base license not restrict the total number of outoing 'internet' connections in addition to the number of VPN sessions?

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/specs.html#wp1150495

Re: Linux based Firewall replacement

andrew.prince — Sat, 30 Aug 2008 12:14:44 GMT

Sorry - you are correct, for some reason I when I replied to that particular post I read the table matrix wrong, and confused simultaneous VPN's to concurrent users, my apologies.

For the number of inside users/ip addresses you would need the 5505 - 50 Base License for what you want to achieve.....if you choose the Cisco ASA.

Re: Linux based Firewall replacement

cisco24x7 — Sat, 30 Aug 2008 13:37:58 GMT

you do NOT need a 50-Base License. Even

with a 50-Base license, will it be able to

support 100-150 users on your internal network

if all of them decide to access the Internet

at the same time?

Here is what I would do:

1- Go with the cheapest ASA 5505 and 10 user

license,

2- place the ASA in front of the Linux firewall,

3- Port Address Translation (PAT) or as linux

calls it, IP masquerading, everyone to the

Linux firewall,

5- To the ASA, it will see everything just

from a single IP of the Linux firewall,

6- Everything you need to STATIC nat, you can

place the servers in front of the Linux

firewall but behind the ASA. Think of the

network between the Linux firewall and the

ASA as the DMZ,

That way you're much more secure and have a

two-tier firewall solutions with minimum

cost. Why pay more when you do not have to?

Re: Linux based Firewall replacement

venturasuites — Sat, 30 Aug 2008 15:51:46 GMT

I would prefer to not use the Linux firewall since I feel it is not as reliable as this cisco firewall appliance. The specs say that you can have 10,000 concurrent connections. I figured that was for computers on the internal network and the 10, 50, or unlimited was for VPN. Can anyone clarify this?

Re: Linux based Firewall replacement

andrew.prince — Sat, 30 Aug 2008 16:08:41 GMT

Just to clarify for you

Concurrent Firewall Conns:-

The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with one host and one dynamic translation for every four connections.

Users, concurrent:-

In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view the host limits.

HTH>