My case is like this: a (web) application server hosts multiple web apps for the public to access. Moderate traffic. The server is located in a commercial hosting company's server room, so the server can plug directly into the LAN (which is connected to the internet).
1) Among the PIX 50x series, which firewall fits this situation better? (I'll need the firewall to support NAT, a DMZ and VPN.) Or I may even need other firewalls (budget sensitive).
2) Is a double firewall necessary to build the DMZ? (i.e. PIX --DMZ-- PIX)
3) Any opinion or comment on Microsoft ISA Server 2004 (which claims to be a better firewall)?
Firstly, is this firewall going to replace the existing one? If so, how many connections are you going to be allowing outbound?
Now to the config.
If I had billions to spend I would implement the 515E with three interfaces and lock the server down. Not too difficult.
However, we don't, so I can recommend the following.
Use a 506E and apply the normal NAT/security statements. Then secure the server in its own VLAN (set up on the PIX). As long as your security is good (ACL, NAT, STATIC), there is no need for the internal FW.
BTW, you could do this on a normal Cisco router. If you want to look at this, try the Cisco 1711 Security Router. It will work a treat, and you get the added functions of the router.
I would bypass the ISA route. I feel it does not allow the granularity of the PIX, and it also does some weird things at times. I have worked on a lot of FWs. The PIX/command line has always proven the best route, as you will need to be granular at some stage, so why limit yourself?
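The "normal NAT/security statements" the reply refers to, written out as an added example (this is not the replier's configuration). It assumes a PIX 506E running PIX OS 6.3, which as far as I recall is the release that added 802.1Q logical (VLAN) interfaces on the 506E, and uses documentation address ranges (203.0.113.0/24 outside, 192.168.x.x inside) that you would replace with your own. The web server sits on its own VLAN (security level 50) hung off the inside port, so with no static/ACL pair in the other direction it cannot initiate anything toward the inside network (security 100), which is the single-firewall "DMZ" the reply describes:

```cisco
! Added example, PIX OS 6.3 syntax (assumed), documentation addresses only.
! Outside = hosting company's LAN; the server lives on VLAN 10 as a logical
! interface on ethernet1 so nothing else on the inside shares its segment.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan10 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 servers security50

ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address servers 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! STATIC: fixed one-to-one mapping so the public address always reaches the
! same host; required before an inbound ACL can permit traffic to it.
static (servers,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255

! NAT/GLOBAL: everything else leaving gets PAT behind the outside interface.
nat (inside) 1 192.168.1.0 255.255.255.0
nat (servers) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface

! ACL on outside: only the two published services reach the server, and the
! trailing deny logs everything else so port scans show up in syslog.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! ACL on the servers VLAN: this is the "how many connections outbound" question.
! A compromised web server may only do DNS, NTP and fetch updates over HTTP/S;
! it cannot open arbitrary outbound sessions or reach the inside network.
access-list servers_out permit udp host 192.168.10.10 any eq domain
access-list servers_out permit udp host 192.168.10.10 any eq ntp
access-list servers_out permit tcp host 192.168.10.10 any eq www
access-list servers_out permit tcp host 192.168.10.10 any eq https
access-list servers_out deny ip any any log
access-group servers_out in interface servers

! Management only from the inside network, never from outside or from the
! servers VLAN (the ssh line is the only management path this example opens).
ssh 192.168.1.0 255.255.255.0 inside
```

Two practical notes. Because VLAN 10 is a tagged logical interface, ethernet1 has to connect to an 802.1Q-capable switch that carries VLAN 10 to the server's port; if the hosting company only gives you a flat unmanaged switch, put the server on the physical interface instead and keep the same static/ACL structure. And the outbound ACL is where most single-firewall "DMZ" setups fall down: without it, the PIX's default of permitting all traffic from a higher to a lower security level lets a compromised server call out anywhere.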