ACE as primary firewall

lxcollin1
Level 1

I am thinking of deploying the ACE module as my primary firewall device. Has anyone had issues with this? I am only looking for basic firewall functionality. Are there any issues with this?

Thanks in advance!


-Lee

Accepted Solution

UHansen1976
Level 1

When you're saying "primary firewall device", do you mean edge-firewall or internal datacenter-firewall?

As far as deploying the ACE as my internal datacenter firewall, I'd have no problems with that. In my work with the ACE, I've seen that it can match, for instance, the FWSM on most of the features needed for datacenter firewalls. This includes NAT/PAT, statics (class-maps), protocol inspection, access and object groups, TCP normalization and much more. Rather than me enumerating all of the ACE's features, I think you would be better off outlining your requirements and then comparing your firewall platform of choice with the ACE module, to see which serves you best.

Again, if comparing to the FWSM, the ACE scales to a significantly higher throughput, 16Gbps depending on your license. And as far as the number of concurrent connections, translations, inspections etc., in my experience, the ACE has no problem rising to the occasion.

But if you need some kind of integrated IDS/IPS, VPN features etc., I'm not sure the ACE should be your first choice. This is often the case with edge firewalls, where most newer firewall platforms provide for either integrated features or modular/license-based expansion of the basic firewall feature set. Although the ACE has support for a wide range of protocol inspections and RFC 2616 for HTTP requests, I'd hesitate to use it as an IDS/IPS device.

Anyway, just my thoughts, hth.

/Ulrich


3 Replies

Thanks again Ulrich.

To answer your first question... I am looking to leverage the ACE as an edge firewall. In various areas of my networks, I have them deployed behind FWSMs, ASAs, and other firewalls. I'm exploring the idea of getting rid of my current firewalls and replace them with the ACE. In my experience with the ACE, it can be an FWSM replacement (and really a drastic upgrade) if basic firewall functionality is required (ACLs, NAT, application inspection, multi-context). I was just wondering if anyone else has the ACE deployed as their sole firewall and their thoughts about it.

Thanks!

Lee

We do have customers who are using ACE as an edge firewall. Works perfectly fine.
But they chose this model due to cost constraints.

If you already have FWSM and ASA in front of your ACE, I would not move them.
Best practice is 

  • Loadbalancing functionality on the ACE
  • Firewall functionality on the FWSM/ASA

Again this is my opinion.

Jack
