Firewall

engmohamad1980
Level 1

Hello, I have 3 sites and core sites. I want to ask which is better: to place a firewall blade on a 6509 switch in each site, or to place a central firewall on the core sites and apply the policy for all sites on this firewall.

I want to choose the best practical design to do that. Which one is better, and why?

Design 1 and design 2 are in the attachments.

4 Replies

vilaxmi
Cisco Employee

To design a network, you will first need to analyze how much traffic will be flowing throughout the LAN, then figure out which sites need to be given restricted access or how much security is needed, and of course how much money you are willing to put into this whole operation.

Design 1 looks costly, as you are planning to install a firewall at each site (assuming each core site needs a high-end device like 5540/5580). But again, this approach is very secure, as you can restrict access for devices behind each core more granularly, with the help of INDIVIDUAL firewall ACL rules, MPF, etc.

Design 2, on the other hand, may be cheaper. Here you may not have as granular control over the security of each core network. You can definitely achieve more control over traffic going out to the internet from all core networks, as they all will need to pass through the single firewall (gateway) in the picture.

So, here I am including the datasheet of all Cisco ASAs, which you may go through to find the one that best suits the needs of your network:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

HTH

Vijaya

Ganesh Hariharan
VIP Alumni

Hi,

For your query, if you deploy a firewall at each site it will be better, because only controlled traffic will be coming from the remote sites to the central site, and you can also manage those firewalls from the central site. In this type of design you have two levels of security, one at the local site firewall and the other at the central site, so traffic will be filtered in two areas before entering the central site.

If you deploy only at the central site, that is also a recommended design to control traffic entering the central site, but you cannot control traffic which will be routed from site to site, as there is no firewall at the remote sites.

Both designs differ only in cost, as one firewall blade at the central site will be low cost and blades at all locations will be a bit higher.

Hope to help

Regards

Ganesh.H

Cost is subject to the budget. The project is for an international university; the number of those employed is 6000, across several sites, and each site contains approximately 1500 consumers.
I am currently convinced of design No. 1, but there are two questions.

1 - Is there a similar project in the world, to convince the Director?
2 - Which is best: to use the blade firewall on the 6509 switch, or to use a standalone ASA firewall?

thanks all

Hi,

Check out the link below for the feature set differences between ASA and FWSM. Hope it will help with your query!

http://docwiki.cisco.com/wiki/Feature_Differences

If helpful, do rate the valuable post.

Regards

Ganesh.H
