12-23-2010 11:07 AM - edited 03-11-2019 12:27 PM
I have a customer who is being paranoid about their security and has asked me to point him in the right direction. Currently, they have dual ISPs and a single 2800 at the perimeter and nothing else. So the WAN interface is directly on the internet and the LAN is the gateway IP for all internal hosts. The client has a bunch of Citrix servers, Exchange 2010, etc., all in one single LAN.
What do you guys recommend to strengthen the security of this network? He mentioned that someone told them that it is better if they have a mix of vendor equipment, meaning Cisco at the edge, Juniper in the back, Netgear as the L3 core switches, etc. I really doubt this is a best practice, but I'd like to get the input from you guys.
Is it best to change the 2800 and deploy 2 ASAs at the edge, move the 2800 behind, get another for redundancy and then get a core switch? Will this be good and follow best practices with regards to security?
12-23-2010 11:15 AM
Very interesting thread. I'd say Cisco. What else can you expect from me? We love Cisco.
I would leave the 2800 on the outside with dual ISP and do route tracking on that and implement an ASA failover pair on the inside.
If you have many networks on the inside, then a router on the inside would be a must.
topology:
inside network---Inside-router---ASA(pair)---Outside-Router---Internet
Don't miss my ATE event, which starts January 3, 2011: https://supportforums.cisco.com/community/netpro/ask-the-expert
-KS
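A concrete form of the route tracking KS describes for the outside 2800 with dual ISPs, added here as an illustration; it is not configuration from any post in this thread. Interface names, the ISP next-hop addresses and the probe target are assumptions (RFC 5737 documentation ranges), and the syntax is the IOS 12.4 `ip sla` / `track` form that the 2800 supports. The ASA failover pair sits behind this router and is not shown.

```cisco
! Outside 2800 with two ISPs (assumed addressing and interface names).
! The primary default route via ISP-A stays installed only while an
! IP SLA probe succeeds; a floating static route via ISP-B takes over.
interface FastEthernet0/0
 description ISP-A (primary)
 ip address 203.0.113.2 255.255.255.252
!
interface FastEthernet0/1
 description ISP-B (backup)
 ip address 198.51.100.2 255.255.255.252
!
! Probe a host beyond ISP-A (assumed 192.0.2.10, e.g. the ISP's DNS server)
! rather than the ISP's own gateway, so an upstream failure with a still-up
! local link also triggers failover. The host route pins the probe to ISP-A
! regardless of which default route is currently active.
ip route 192.0.2.10 255.255.255.255 203.0.113.1
!
ip sla 1
 icmp-echo 192.0.2.10 source-interface FastEthernet0/0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Damping: wait 15 s of failed probes before declaring down and 30 s of
! good probes before returning, so a single lost echo does not flap routes.
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Primary default route is tied to the tracked object; the backup has a
! worse administrative distance (10) and is installed only when the
! primary is withdrawn.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! Verification on the router:
!   show track 1
!   show ip sla statistics 1
!   show ip route 0.0.0.0
```

Two caveats a practitioner should check before relying on this: the probe target must reliably answer ICMP, and failover only covers outbound traffic unless the site has provider-independent address space, since inbound services (the Exchange and Citrix public addresses) belong to one ISP's range and existing NAT translations are lost when the active path changes.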
12-23-2010 03:44 PM
I would suggest you talk to your account team. Cisco can provide good solutions for all your network demands.
But your account team would be able to carve out what is the best design for you.
As for vendor comparison I would suggest looking for guides that compare same scale boxes for different vendors taking multiple aspects into consideration. It is more accurate and helpful to compare "specific things that I want to do with my device" than generally deciding "what box is better".
I hope it helps, and happy holidays.
PK
12-23-2010 06:31 PM
Working in a mixed vendor environment has its own challenges since you need skills across all these vendors.
It can also be challenging to find IT staff who have skills in all these areas if the network grows.
Sometimes interoperability between these vendors can also be an issue. When this happens you are often left on your own since vendor A says there is nothing wrong with their equipment and vendor B blames vendor A. Murphy's Law dictates that this will happen to you just as you are about to roll out a critical project.
When selecting equipment I would also look at things like what types of support agreements are on offer, the quality of the vendor support forums and the availability of in-depth technical documentation.
12-28-2010 07:45 AM
We've made the decision and we will stick with Cisco all across, as advised; there are more disadvantages to having a mixed-vendor environment. I totally agree with this.
The number one goal here is security, so what do you guys recommend? Again, the customer has a single 2800 at the edge. What are my options here? I am thinking of deploying a second 2800 for redundancy purposes, 2 ASA 5500s behind the routers and 2 L3 switches to serve as the core. This way, I can DMZ the Citrix farm, the Exchange stuff and everything that needs more security off the ASAs.
Since the budget will permit, I will also have room to deploy IDS/IPS systems to mitigate any risks.
Can you please advise whether this is good enough, or what better alternatives I have? Again, the number one priority is security. What other equipment or systems are out there to enforce security?
12-28-2010 06:40 PM
Good decision. Sounds like a plan. Regarding sizing the ASA module for your traffic requirement, and also the routers, please hash this out with your local Cisco account team.
-KS
12-28-2010 09:18 PM
But what are the recommendations though? I know we have already made a good decision, but now we are looking for the specific products. Can you please help? Can anybody give us some input as to how to deploy a good network with good security?
12-28-2010 11:42 PM
A good starting point for choosing an ASA model that suits your business requirements can be found here:
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range
You also need to consider what sort of license to purchase for the ASA, for example do you want to support multiple remote access SSL and VPN clients? Do you want to support multiple L2L tunnels over the Internet?
You could purchase an IPS module and install it within the ASA. The downside of this decision however is that I don't think that the module is hot swappable if it fails in the future and needs to be replaced. This means that you would need to schedule downtime for the ASA to install a replacement.
Alternatively if you had the correct version of IOS on your 2800 you could run the IOS version of IPS on this device. However you need to consider what sort of additional load this would put on the CPU and memory of the router.
The choice of switches depends on things like:
- Do you plan to support VOIP now or in the future?
- Do you want 10 G capability?
- Do you want to stack them etc?
Cheers
Sean
12-30-2010 05:43 AM
Since this case is left as unanswered, I'll give it a go.
I have worked a bit with organisations that are quite "security aware", and some that have no clue.
First of all.
Its a Cisco forum, of course Cisco!
Second of all.
The key to security is knowledge.
You can have all the right equipment but no knowledge = disaster,
but the opposite is also true: knowledge without the correct equipment = disaster.
So let's start with what type of security you are looking at:
Reliability, i.e. to keep the network up and running at all times?
Logical access security, i.e. no one will be able to access systems/information they are not entitled to?
Physical access security, i.e. locks, cameras, gates, bars over windows and stuff like that?
Reliability issues are e.g. dual power supplies, dual power into the building, UPS power, diesel power, redundant network design and so on.
Logical access security is encryption of information that is to be sent over the shared network, firewalls, access credentials, access lists, proxies, IDS/IPS systems, logging, and so on.
Physical access is the base of it all, i.e. where the systems are stored, how access to the systems is regulated, surroundings and so on.
And all of this comes down to one thing: who / how many / what resources are to be involved in the day-to-day monitoring of the systems.
It is one thing to install a lot of systems that do a lot of important things, but someone has to watch them and make intelligent decisions about what to do with the information they generate.
My guess is that you want to know more about logical security, i.e. how to defend the network and the systems on it.
OK, I would start with network design: make a fully redundant network.
Some things you can look at for perimeter defence are adding another router, adding switches outside of the firewalls towards the "Internet", and starting to log and make baselines for normality.
You want specifics.
OK, this is not easy since you have delivered very few yourself, but start with another router for failover purposes.
If you do not have one, set up one or more syslog servers. Depending on the level of paranoia of the customer, the amount of logging that takes place, design and so on, it can be a good thing to install the syslog server behind a 5505 that only lets syslog through. After all, the syslog server will be a prime target for anyone trying to access something they are not supposed to, to make sure that no one knows they were there and what they were doing, and so on. Maybe the CS-MARS can be of interest here, or maybe just a Kiwi syslog server.
The ASA 5510 Sec Plus is nice, but since we do not know what size of what type of traffic and so on, maybe the 5520 is a better choice.
IDS/IDP: there are some nice types out there.
NAC might be a good thing to take a look into, to make sure people do not connect computers that are not up to standard.
IronPort for your mail/www needs.
CS-MARS as mentioned above.
Switches: well, I just love the new 3750X switches. They have a nice combo of features of both power and reliability, as well as some nice security features. But maybe they are too small for your requirements.
The above is just some Cisco alternatives; of course there are several others from other vendors out there.
Good luck
HTH
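A worked version of the "syslog server behind a 5505 that only lets syslog through" idea from the post above, together with the DMZ-style separation the original poster wants for servers that need more protection, applied here to the log collector. This is an added illustration, not configuration from this thread or from Cisco. Addressing, interface names, object names and the admin host are assumptions; the syntax is the ASA 8.2-era form (no NAT is involved, so the 8.3 NAT changes do not matter), and the 2800 side is plain IOS.

```cisco
! --- ASA 5505 wrapping the syslog collector (assumed addressing) ---
! Vlan1 faces the management network that routers, switches and the ASA
! pair log from; Vlan2 is the enclave holding the collector at 10.99.0.10.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan2
 nameif logdmz
 security-level 50
 ip address 10.99.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
object-group network LOG_SOURCES
 network-object 10.10.0.0 255.255.255.0
!
! Inbound on inside: only syslog (UDP/514) from the logging sources to the
! collector, plus SSH from a single assumed admin host (10.10.0.50) to read
! the logs. Everything else is dropped and the attempt is itself logged.
access-list INSIDE_IN extended permit udp object-group LOG_SOURCES host 10.99.0.10 eq syslog
access-list INSIDE_IN extended permit tcp host 10.10.0.50 host 10.99.0.10 eq ssh
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Inbound on the enclave side: the collector may not initiate anything.
! A lower security-level interface cannot reach a higher one without an
! explicit permit anyway; the explicit deny with "log" makes any attempt
! from a compromised collector visible.
access-list LOGDMZ_IN extended deny ip any any log
access-group LOGDMZ_IN in interface logdmz
!
! The 5505 ships its own messages (including the ACL denies above) to the
! collector it protects.
logging enable
logging timestamp
logging trap informational
logging host logdmz 10.99.0.10
!
! --- On the 2800 (IOS) ---
! Local buffer as a fallback, timestamps with millisecond resolution, and
! a fixed source interface so the collector sees one address per device.
! FastEthernet0/2 and the NTP server 10.10.0.5 are assumptions.
service timestamps log datetime msec localtime show-timezone
logging buffered 65536 informational
logging trap informational
logging source-interface FastEthernet0/2
logging host 10.99.0.10
ntp server 10.10.0.5
```

UDP syslog is one-way, so no return traffic has to be permitted; the SSH session is handled by the ASA's stateful inspection. Two things to keep in mind with this layout: syslog over UDP is neither authenticated nor encrypted, so anyone on the 10.10.0.0/24 management network can inject or spoof entries, which is why the permitted source range is kept to the device management subnet; and without NTP on every device the timestamps cannot be correlated, so the `ntp server` line is not optional in practice.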