We are going to replace our external PIX 525 pair soon. Along with our IPS. We are looking at the 6513 internal firewall and IPS module vs an external ASA and IPS.
What are the pros and cons of going each route? Some have stated to keep options open and keep the FW and IPS separate. Wouldn't the internal modules give greater flexibility in their use within your network? We are a small campus using the 6513 as our core routing switch.
I can suggest you go for the FWSM and IDSM2.
Lots of pros, and might be a few cons here.
You get high bandwidth connectivity, lower power consumption, reduced rack space, common management, etc. Cons can be too uncommon to occur, like everything going down when the whole chassis goes down or power supplies going bad, etc.
I think it's a smart decision and the way to go.
Just to put another point of view. We use the FWSM in our data centres and it has proved to be very good in that scenario. If you are looking to firewall all your VLANs or you need multiple virtual firewalls it is a very good option. And you do get greater flexibility in provisioning DMZs and greater throughput.
However, with this increased flexibility/scalability comes a cost. The FWSM/IDSM modules are significantly more expensive than their standalone counterparts, especially as you may be paying for performance/throughput you don't need.
You say you are a small campus environment, and this is what makes me think these modules may be overkill in your scenario.
However, cost may not be an issue for you, or you may have plans for a significant upgrade to your environment. I'm not saying you shouldn't buy these modules, just that there may be other alternatives.
Something else to add to the mix here is that the FWSM doesn't support VPNs, whereas the ASA (and PIX) do. If you are intending to use the firewall to support VPN clients or remote site VPNs, then this isn't possible with the FWSM and you would need to get another device to perform this function.
We are going to order the Firewall Services Module as well as the IDSM-2 module. I have a question. The quote contains IOS Advanced IP Services. We currently run IP Services only on the 6513 with the SUP 720. All of our routing is static. Is Advanced IP Services a requirement for one or both of these modules we are purchasing?
Ask your Cisco sales person (or VAR) about the future of the FWSM and the IDSM-2. I've heard from various sources that it may soon be discontinued, especially the IDSM-2.
I talked to our Cisco sales rep. We are having a conference call on the matter. He said the modules have not reached end of life as yet. The one we need to talk about is the IDSM-2. He said one option is to go FWSM and external IPS. The way things sound, I'm inclined to go external ASA with IPS module.