Hello. We are in the middle of building a data center at a co-location facility, and are planning on using FWSM modules in our redundant 6500' to "zone" the network there. Basically what we are being told is that each subnet in this new data center will be treated as a separate security zone, with each zone not being able to access the other except on specified ports.
Our server access layer will consist of 4 4948-10G switches (we think), trunked into the core 6500'. This will force traffic through the FWSM, allowing it to be policed.
All of a sudden the company has brought in a "senior" guy to oversee the entire project, and he tells us that it is not best practice to have the FWSM zoning the networks, because if the core switch/FWSM is hacked, the entire network is exposed. We are arguing that this is indeed the case with whatever FW you use.
This is only for the internal side of the network, as we will have a pair of checkpoint firewalls on the perimeter protecting us from public traffic. He has proposed an ASA 5510 instead of the FWSM, with each subnet being on a different DMZ/interface. This immediatley throws up two red flags, throughput and scalability. The ASA has a maximum of 8 ports, and we currently have 8 different subnets that need to be separated. Also, backups will run through this network, and having that amount of traffic traversing the ASA doesn't seem realistic.
Is there any merit in what he is saying? I've always been under the impression that the FWSM was designed almost for this exact situation.
To whoever rated this a 1. Could you try reading the Original poster's response to my answer. He found it helpful and it was to him that my answer was directed.
If you don't agree with what i have said try doing something a little more constructive and present a rational argument as to why.
The vast majority of people in these forums do a great job of helping people offering advice for free.
Sometimes i wonder why we bother