11-02-2016 01:19 PM - edited 03-12-2019 01:28 AM
I am proposing a security solution for one of my customers with one of the options below:
· Firepower 4120 Bundle
· FPR9300 SM-24 Bundle
· FPR9300 SM-36 Bundle
He had a few concerns:
· They are looking to use Firewalls to be the security node to gate access between VRFs
· There will be web filtering product and bandwidth management unit in between
· Each business unit has its own firewall with its own web filtering solution, and they aggregate in the Core
· They desire a single check point for security between VRFs
My concern is the ability of an ASA to handle the bandwidth, since firewalls are not routers, especially in this case where VRFs are involved and the firewall may become a bottleneck.
Is there any information regarding routing specs, or do the tech specs on CCO for stateful inspection also apply to routed traffic? The traffic is actually routed through the firewall and is supposed to meet those specs.
I am thinking of proposing a high-end Catalyst switch to handle VRF routing.
Any thoughts?
Thanks,
11-02-2016 04:17 PM
Stateful inspection throughput matches up to the Cisco published throughput, IMO. Multiprotocol stateful inspection throughput should be considered for sizing in case only L4 features are used and the workload consists of the typical enterprise mix of traffic.
To make a general assumption of how much the device will be able to handle, also consider looking into third-party test results. NSS Labs publishes a yearly NGFW report that includes the Cisco ASA. Apart from security viability, they also check the vendors' throughput claims and verify them.
Reading through your requirements, I would question if they even need central firewalling. You mentioned that every customer already uses their own firewall solution and you are only connecting between them. Is that correct, or is there some central service involved that is exposed to the customers and should be protected centrally?
11-02-2016 11:35 PM
Thanks Kaisero!
To answer your question, the client is a parent company and provides the core services. The other divisions have their own firewalls just to protect their internal LANs, but they do access the Internet via the parent core network.
11-08-2016 09:18 AM
Is there anything else you would like to know? Since your question was very open I am not sure you got all the info you are looking for.