02-14-2008 06:55 AM - edited 03-11-2019 05:02 AM
Hello. We are in the middle of building a data center at a co-location facility, and are planning on using FWSM modules in our redundant 6500s to "zone" the network there. Basically what we are being told is that each subnet in this new data center will be treated as a separate security zone, with each zone not being able to access the others except on specified ports.
Our server access layer will consist of 4 4948-10G switches (we think), trunked into the core 6500s. This will force traffic through the FWSM, allowing it to be policed.
All of a sudden the company has brought in a "senior" guy to oversee the entire project, and he tells us that it is not best practice to have the FWSM zoning the networks, because if the core switch/FWSM is hacked, the entire network is exposed. We are arguing that this is indeed the case with whatever FW you use.
This is only for the internal side of the network, as we will have a pair of Checkpoint firewalls on the perimeter protecting us from public traffic. He has proposed an ASA 5510 instead of the FWSM, with each subnet being on a different DMZ/interface. This immediately throws up two red flags, throughput and scalability. The ASA has a maximum of 8 ports, and we currently have 8 different subnets that need to be separated. Also, backups will run through this network, and having that amount of traffic traversing the ASA doesn't seem realistic.
Is there any merit in what he is saying? I've always been under the impression that the FWSM was designed almost for this exact situation.
02-16-2008 12:35 PM
To whoever rated this a 1. Could you try reading the Original poster's response to my answer. He found it helpful and it was to him that my answer was directed.
If you don't agree with what I have said, try doing something a little more constructive and present a rational argument as to why.
The vast majority of people in these forums do a great job of helping people, offering advice for free.
Sometimes I wonder why we bother.
Jon
02-14-2008 07:18 AM
I agree with what he says to some extent; it's good to have a dedicated ASA 5500 rather than the add-on FWSM card in the 6k.
I am not sure what your connection rate and throughput are, however this is what the ASA can support:
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
02-14-2008 07:58 AM
Throughput and connections will be the limitation of the ASA. ASA does NOT do Active/Active whereas a Checkpoint firewall can cluster up to 32 nodes (i.e. 32 servers with dual quad-core Intel processors) where you can push an insane amount of traffic. ASA is not designed for a large scale datacenter. Imagine you can scale up to 32 servers in Active/Active...32 active nodes.
Budget is another matter.
You may want to look at NGx R65 CoreXL. I've used it and really like it a lot.
02-14-2008 08:05 AM
Checkpoint is not safe at all...it was designed in Israel..and then once it got obsolete there it was distributed in all other countries...I haven't seen small SOHO Checkpoints being used in data centres.
ASA can do active/active failover..if the ASA 5510 is not coping, try the high-end models.
02-14-2008 08:14 AM
Are you telling me that ASA can cluster 32 nodes together? ASA Active/Active is not really active/active. Are you telling me that ASA can do load sharing for, let's say, network 192.168.1.0/24 on both ASAs right out of the box?
"checkpoint is not safe at all.."
Says who? If it is not safe then how come a lot of government agencies, including most financial services, use Checkpoint?
02-14-2008 08:08 AM
One requirement I did not mention was the need for different vendor firewalls protecting us from the Internet. On the outside we currently use clustered Nokia IP390s, therefore the thought was that since we already had the 6509s for the internal side, why not just add the FWSM, giving us the second vendor as required. I believe the FWSM has a firewalled throughput of 5Gb, way way over and above the ASA.
We are likely talking about hundreds of GB of data that needs to be backed up weekly.
02-14-2008 08:19 AM
Yes, Checkpoint is not safe at all..Israelis have the source code of this product since they are the ones who designed it...I haven't seen Checkpoint installed in any US govt agencies.
Now coming back to what the requester asked..see if your throughput is higher than 5GBps...then yes, either the FWSM or the ASA 5580s:
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
02-14-2008 10:21 AM
"I haven't seen checkpoint installed in any US govt agencies."
Perhaps you need to get out more and stop putting on the Cisco blinders.
ISS, Verio and just about every MSSP uses Checkpoint. As far as US Gov. agencies, there are many that use Checkpoint. DOA, DOT and HHS, just to name a few.
02-14-2008 10:54 AM
Not sure what difference it makes where it was developed (hopefully you mean that differently than it sounds), and we are indeed a financial organization who uses Checkpoint.
Anyway, back to the issue at hand; any idea how much the 5580 costs?
02-14-2008 11:18 AM
Checkpoint is cheap but insecure. ISPs that use it only use it on the peripheries and not in the core.
Coming back to your query, requester, you may check the price of the ASA 5580 in the pricing tool.
02-14-2008 12:12 PM
"checkpoint is cheap but insecure"
I would like to know where you get the facts to back up your claims.
If Cisco is so great and secure, then let me ask you this:
In Cisco PIX or ASA, BY DEFAULT, hosts residing behind a higher security level interface can traverse the firewall to communicate with hosts residing behind a lower security level interface. That is a fact, correct.
Based on that argument, if a host behind a higher security level interface is infected with viruses, it can then infect other hosts residing behind lower security level interfaces.
With Checkpoint, nothing is allowed between interfaces unless it is EXPLICITLY allowed.
If Checkpoint is cheap but insecure, then why do Gov. agencies and financial organizations use Checkpoint? These guys must be dumb, right?
"ISPs that use it only use it on the peripheries and not in the core."
You are right. They don't use Checkpoint at the core. They do not use Cisco either. They use Juniper.
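The default behaviour the post above describes is real on the PIX/ASA: with no access list bound to an interface, any host behind it may initiate sessions toward every interface with a lower security level. The added example below (written for this page, not taken from the thread or from Cisco's documentation) shows that default on an ASA pair of server zones and then the explicit policy a practitioner would bind so that each zone can reach only the ports it is allowed, which is the zoning the original poster wants. Interface names, addresses and the single permitted port are assumptions. The FWSM, by contrast, forwards nothing through any interface until an access list is bound to it, so on the module the default-permit is not an issue and this sketch applies to the ASA being proposed.

```cisco
! Added example, not from the original post. Two server zones on an ASA,
! first with the default behaviour, then with an explicit per-zone policy.
! Interface names, addresses and the permitted port are assumptions.
interface GigabitEthernet0/1
 nameif servers-a
 security-level 80
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif servers-b
 security-level 50
 ip address 10.10.2.1 255.255.255.0
!
! With no access-group bound to servers-a (security 80), hosts in 10.10.1.0/24
! may open any TCP/UDP/ICMP session toward 10.10.2.0/24 (security 50) and the
! firewall allows it by default. The reverse direction is denied by default.
! If two zones share the same security level, nothing passes between them
! unless 'same-security-traffic permit inter-interface' is configured.
!
! Binding an inbound ACL to the higher-security interface replaces the default
! permit with the ACL's implicit deny, so the zone can reach only what is listed.
access-list SERVERS-A-IN extended permit tcp 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0 eq 1433
access-list SERVERS-A-IN extended deny ip any any log
access-group SERVERS-A-IN in interface servers-a
!
! Give the lower zone the same treatment so neither side relies on a default.
access-list SERVERS-B-IN extended deny ip any any log
access-group SERVERS-B-IN in interface servers-b
!
! Checks:
!   packet-tracer input servers-a tcp 10.10.1.10 1025 10.10.2.10 80
!     -> should report the flow as dropped by acl SERVERS-A-IN
!   packet-tracer input servers-a tcp 10.10.1.10 1025 10.10.2.10 1433
!     -> should report the flow as allowed
!   show access-list SERVERS-A-IN   (per-line hit counts)
!   A denied flow logs a 106100 syslog because the deny ACE carries 'log'.
```

The point for the original design question is that the default-permit is removed by configuration on any of these boxes, so the "it is the same with whatever firewall you use" argument holds only once every zone interface has an access list bound to it; the check is that no interface is left without an access-group.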
02-14-2008 02:59 PM
Hi
If you have multiple vlans within your 6500 and you want to firewall between them with a requirement for high throughput and flexible configuration then that is one of the main uses of the FWSM. To my thinking it makes perfect sense if you are merely looking to do internal firewalling between your server subnets.
If you use a standalone pair of ASAs and they are hacked then you have the same issue. The key thing here is that all VLANs are terminating on firewall interfaces, whether that be the FWSM or standalone ASAs, so either way, if your firewall is hacked you are in trouble.
Perhaps this guy could go into a bit more detail as to why it is different with the FWSM than the ASA.
One thing that is worth bearing in mind is that the FWSM is only a firewall whereas ASA devices can do more, IPS etc. But this may not be an issue for you.
HTH
Jon
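The plumbing Jon describes, each server VLAN terminating on a firewall interface so that the FWSM is the only Layer 3 hop between subnets, as an added example that is not part of the thread or of Cisco's documentation. The slot number, VLAN IDs and addresses are assumptions; the access lists that open specific ports between zones are left out here since they follow the same access-list/access-group form as on the ASA.

```cisco
! Added example, not from the original post. VLANs 10 and 20 are the two server
! zones; VLAN 99 is the routed link from the FWSM back to the 6500 core.
! Slot number, VLAN IDs and addresses are assumptions.
!
! --- Catalyst 6500 supervisor ---
! Hand the three VLANs to the FWSM in slot 3. No SVI is created on the
! supervisor for VLANs 10 or 20, so the only router between the two server
! subnets is the firewall module. Only one SVI toward the module is allowed
! by default (VLAN 99 here); creating more requires
! 'firewall multiple-vlan-interfaces', which would also let traffic bypass it.
firewall vlan-group 1 10,20,99
firewall module 3 vlan-group 1
!
interface Vlan99
 ip address 10.99.0.1 255.255.255.0
!
! --- FWSM (reached with: session slot 3 processor 1) ---
interface Vlan99
 nameif core
 security-level 0
 ip address 10.99.0.2 255.255.255.0
!
interface Vlan10
 nameif servers-a
 security-level 80
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan20
 nameif servers-b
 security-level 50
 ip address 10.10.2.1 255.255.255.0
!
route core 0.0.0.0 0.0.0.0 10.99.0.1
!
! The FWSM forwards nothing through an interface until an access-list is bound
! to it with access-group, regardless of security level, so every zone stays
! closed until its policy is written.
!
! Checks on the supervisor:
!   show firewall vlan-group      (VLANs actually handed to the module)
!   show firewall module          (slot to vlan-group binding)
!   show ip interface brief       (confirm no SVI exists for Vlan10 or Vlan20)
! Checks on the FWSM:
!   show interface                (each VLAN interface up/up with its nameif)
```

With this layout an access switch such as the 4948s trunks VLANs 10 and 20 to the 6500, but a frame from VLAN 10 has no path into VLAN 20 except through the FWSM interfaces, which is the property the zoning design depends on; the check worth repeating after any change is that the supervisor still has no SVI for a server VLAN.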
02-15-2008 02:53 AM
OK, thanks Jon. That was what I was hoping to hear.
Maybe this other guy could also come back and explain a couple of his other comments as well.
02-15-2008 05:58 PM
I think the FWSMs are good for segmenting a specific portion of your data center and not every single subnet or host. Put them in front of your high-value servers (PCI, Finance databases, secret formula to Coca-Cola, plans to Area 51, whatever) where you don't want to have to go 'outside' your 6500's and where throughput isn't a factor.
Just my .02; don't want to get in the middle of a flame war :-)