Cisco PIX versus any other VPN/Firewall combos - any input?

Discussion in 'OT Technology' started by Sloshua, Nov 10, 2004.

  1. Sloshua

    Sloshua New Member

    Joined:
    Nov 4, 2003
    Messages:
    8,553
    Likes Received:
    0
    Location:
    Evansville, IN
    Here is my setup:

    2 DSL lines - one for regular traffic, other for VPN and Web Server.

    I need one firewall/VPN appliance with two public interfaces.

    I currently am only using one DSL line for everything running through a PIX 506.

    The first PIX model that has 2 public interfaces is a 515, which of course, is very expensive. However, I know the PIX is a very good product.

    Are there any other products that will be competitive with the PIX?

    I have looked at the Symantec Gateway Security appliance (360R) that has: firewall, VPN, AV policy enforcement (I currently use Symantec Enterprise AV), intrusion detection, intrusion prevention, and content filtering. It also is significantly cheaper than a PIX 515. :hs: But, I will not put my network at risk to save a little money.

    Any suggestions? :x:

    Also, I will only have at most 10 concurrent VPN users and at most 50 internal LAN users. Fairly small network. :)
     
    Last edited: Nov 10, 2004
  2. DemisE

    DemisE Active Member

    Joined:
    Oct 17, 2003
    Messages:
    6,337
    Likes Received:
    0
    Location:
    Memphass
  3. Sloshua

    Sloshua New Member

    Joined:
    Nov 4, 2003
    Messages:
    8,553
    Likes Received:
    0
    Location:
    Evansville, IN
    Details of what you are recommending?

    Is this just software where I add my own server?
     
  4. Keyzs

    Keyzs OT Supporter

    Joined:
    Nov 3, 2003
    Messages:
    814
    Likes Received:
    0
    Location:
    Charlotte, MI
    Something like IPCop or Smoothwall which are Linux versions/distros that have multiple 'RED' networks. You can also look into Watchguard SOHO TC6's with upgrade for users and VPN upgrades. (I currently have 100 users and 14 VPN's running off one).

    BUT I do not think either of the above options will allow you to have two RED networks going to two SEPARATE GREEN networks; they work in tandem or redundant for the same internal network (you can have more than one internal network, but the lines will not be specific to each). If you need to have each RED network go to a specific GREEN or YELLOW network, then you might as well get two firewalls (WatchGuard SOHOs can be as cheap as $200 without the listed options, and you have a good connection at the retailer).
     
  5. ez4me2c3d

    ez4me2c3d Guest

    www.securecomputing.com

    I administer a Sidewinder firewall on my network. It has VPN capabilities and, who knew, firewall capabilities too.

    You can get an appliance or the software to load on a standalone machine.
     
  6. DemisE

    DemisE Active Member

    Joined:
    Oct 17, 2003
    Messages:
    6,337
    Likes Received:
    0
    Location:
    Memphass
    Astaro is a chopped-up Linux distro that I have found to be very nice to have. Plus it is free to home users under the GNU license, and yes, you provide the server. Mine is running on a PIII 500 with 256 MB of RAM. Picked it up from Retrobox for $75.
     
  7. Rob

    Rob OT Supporter

    Joined:
    Jul 6, 2002
    Messages:
    88,631
    Likes Received:
    41
    Location:
    Atlanta, GA
    Bah, just get the PIX. You know it already works for you, and it would be a better solution than something that you roll yourself. Plus, if you sell the 506 on eBay, the 515 will only end up costing you about $600.
     
  8. Sloshua

    Sloshua New Member

    Joined:
    Nov 4, 2003
    Messages:
    8,553
    Likes Received:
    0
    Location:
    Evansville, IN
    I can get that much out of a used 506? :eek3:

    I thought the 515 was 3-4k with the options I need. :dunno: (Haven't gotten quotes yet).

    I really like the idea of an appliance; better support options, replacement services, etc.

    The price on this Symantec Appliance is CHEAP. Everything mentioned above for under $1k. But how does it perform??? :sad2: Hopefully somebody can tell me something about them. :o
     
  9. P07r0457

    P07r0457 New Member

    Joined:
    Sep 20, 2004
    Messages:
    28,491
    Likes Received:
    0
    Location:
    Southern Oregon
    I would never put faith in a symantec product. I've seen my share of problems with their software.
     
  10. Rob

    Rob OT Supporter

    Joined:
    Jul 6, 2002
    Messages:
    88,631
    Likes Received:
    41
    Location:
    Atlanta, GA
    Guh, I guess you're right. I didn't look at the prices. :o
     
  11. Sloshua

    Sloshua New Member

    Joined:
    Nov 4, 2003
    Messages:
    8,553
    Likes Received:
    0
    Location:
    Evansville, IN
    I have used their Enterprise products for years (Desktop, Server-Side, and Exchange Server) and have never had any problems at all.
     
  12. P07r0457

    P07r0457 New Member

    Joined:
    Sep 20, 2004
    Messages:
    28,491
    Likes Received:
    0
    Location:
    Southern Oregon
    We gave Symantec Enterprise Anti-Virus a try, but it was alarming how much got through undetected.
     
  13. Sloshua

    Sloshua New Member

    Joined:
    Nov 4, 2003
    Messages:
    8,553
    Likes Received:
    0
    Location:
    Evansville, IN
    Hmm. I guess it is just personal preference. :dunno:
     
  14. P07r0457

    P07r0457 New Member

    Joined:
    Sep 20, 2004
    Messages:
    28,491
    Likes Received:
    0
    Location:
    Southern Oregon
    To some degree. There are a few packages that I would trust, but I choose AVG out of personal preference.

    But I would never trust Norton/Symantec Corporate... It's not a personal choice, but one of me wanting a secure system/network.

    Of course I'm sure this comes off too harsh, but I really just don't care to go edit my post.
     
  15. Balzz

    Balzz N54 Elitist OT Supporter

    Joined:
    Mar 30, 2000
    Messages:
    22,467
    Likes Received:
    0
    Do you need PPPoE with your DSL provider? If you connect via plain Ethernet, you can turn on 802.1q trunking on the 506E and just add a managed switch with .1q capability, which would allow you to create logical interfaces.
     
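    To make the trunking suggestion above concrete, here is an added example (written for this page, not posted by anyone in the thread) of what the PIX 6.3 side and the matching switch trunk could look like when two DSL lines share the PIX's single outside port. VLAN numbers, interface names, switch port numbers and the RFC 5737 documentation addresses are all assumptions.

    ```cisco
    ! ===== PIX 6.3 (assumed: ethernet0 is the only outside port) =====
    interface ethernet0 auto
    ! Bind the untagged (native) VLAN to the physical port for DSL line 1
    interface ethernet0 vlan10 physical
    ! Add one tagged 802.1Q logical interface for DSL line 2
    interface ethernet0 vlan20 logical
    ! Both are public, so both get security level 0 (untrusted)
    nameif ethernet0 outside security0
    nameif vlan20 outside2 security0
    ! Placeholder public addresses from the two providers
    ip address outside  203.0.113.2  255.255.255.0
    ip address outside2 198.51.100.2 255.255.255.0
    ! Caveat: PIX 6.x routes by destination only (one default route), so
    ! confirm how replies for the web server/VPN on outside2 leave the box
    ! before relying on this design.
    route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

    ! ===== Managed switch (Catalyst IOS syntax) =====
    interface FastEthernet0/1
     description DSL line 1 modem - untagged, VLAN 10
     switchport mode access
     switchport access vlan 10
    interface FastEthernet0/2
     description DSL line 2 modem - untagged, VLAN 20
     switchport mode access
     switchport access vlan 20
    interface FastEthernet0/24
     description trunk to PIX ethernet0
     switchport trunk encapsulation dot1q
     switchport mode trunk
     ! The trunk is now part of the security boundary: carry only the two
     ! intended VLANs, match the PIX native VLAN, and do not negotiate trunking
     switchport trunk allowed vlan 10,20
     switchport trunk native vlan 10
     switchport nonegotiate
    ```

    Balzz's later point about a per-model cap on logical interfaces applies here: check the PIX release notes for the 506E before planning more than these two.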
  16. Rob

    Rob OT Supporter

    Joined:
    Jul 6, 2002
    Messages:
    88,631
    Likes Received:
    41
    Location:
    Atlanta, GA
    Damn, that means you could create a virtually limitless (within reason) number of public interfaces. :eek3:
     
  17. Sloshua

    Sloshua New Member

    Joined:
    Nov 4, 2003
    Messages:
    8,553
    Likes Received:
    0
    Location:
    Evansville, IN
    I felt the same way about McAfee for a while. I am sure that most IT admins have a preference of vendor, and of course the best line of defense is multiple ways of checking. I have an SMTP spam appliance that sits directly behind my firewall and checks all incoming mail for viruses/spam using McAfee, followed by Symantec Mail Security on my Exchange Server, and then Symantec AV on all my clients. I know (unless it is a day-zero virus) that chances are I will be covered.
     
  18. P07r0457

    P07r0457 New Member

    Joined:
    Sep 20, 2004
    Messages:
    28,491
    Likes Received:
    0
    Location:
    Southern Oregon
    Aye. Although hypothetically, heuristics should catch even day-zero viri.
     
  19. __23skidoo

    __23skidoo ...has the nuts

    Joined:
    Jan 3, 2002
    Messages:
    4,588
    Likes Received:
    0
    Location:
    Atlanta
    WatchGuards are decent products IMO, running their own version of Linux.

    The new X1000s come with 5 configurable ports on the front.

    http://www.watchguard.com/products/x1000.asp ...I have two of these...VPN, tunneling and Web Portal behind it.

    Very easy on the command line or GUI.
     
  20. Sloshua

    Sloshua New Member

    Joined:
    Nov 4, 2003
    Messages:
    8,553
    Likes Received:
    0
    Location:
    Evansville, IN
    True. :o

    Cisco Security Agent is supposed to do a good job at that.
     
  21. Balzz

    Balzz N54 Elitist OT Supporter

    Joined:
    Mar 30, 2000
    Messages:
    22,467
    Likes Received:
    0
    Yes it does. CSA is part of every voice implementation I do.
     
  22. Balzz

    Balzz N54 Elitist OT Supporter

    Joined:
    Mar 30, 2000
    Messages:
    22,467
    Likes Received:
    0
    There are limits in software. :p I don't think you can do more than 4 .1q interfaces on the 506... or is that the 515? I forget.
     
  23. Supernaut

    Supernaut New Member

    Joined:
    May 20, 2003
    Messages:
    8,047
    Likes Received:
    0
    I believe you're right, and if anyone wants a definitive answer I'll find out. I have a 506 and a couple 515s sitting on my desk waiting to be configured.
     
  24. Balzz

    Balzz N54 Elitist OT Supporter

    Joined:
    Mar 30, 2000
    Messages:
    22,467
    Likes Received:
    0
    It's up on CCO...I'm just too lazy. :big grin:
     