
FWSM not a best practice in data center?

poulid (Level 1)

Hello. We are in the middle of building a data center at a co-location facility, and are planning on using FWSM modules in our redundant 6500s to "zone" the network there. Basically, what we are being told is that each subnet in this new data center will be treated as a separate security zone, with each zone not being able to access the others except on specified ports.

Our server access layer will consist of four 4948-10G switches (we think), trunked into the core 6500s. This will force traffic through the FWSM, allowing it to be policed.

All of a sudden the company has brought in a "senior" guy to oversee the entire project, and he tells us that it is not best practice to have the FWSM zoning the networks, because if the core switch/FWSM is hacked, the entire network is exposed. We are arguing that this is indeed the case with whatever FW you use.

This is only for the internal side of the network, as we will have a pair of Checkpoint firewalls on the perimeter protecting us from public traffic. He has proposed an ASA 5510 instead of the FWSM, with each subnet being on a different DMZ/interface. This immediately throws up two red flags: throughput and scalability. The ASA has a maximum of 8 ports, and we currently have 8 different subnets that need to be separated. Also, backups will run through this network, and having that amount of traffic traversing the ASA doesn't seem realistic.

Is there any merit in what he is saying? I've always been under the impression that the FWSM was designed almost for this exact situation.

Accepted Solution

To whoever rated this a 1: could you try reading the original poster's response to my answer? He found it helpful, and it was to him that my answer was directed.

If you don't agree with what I have said, try doing something a little more constructive and present a rational argument as to why.

The vast majority of people in these forums do a great job of helping people, offering advice for free.

Sometimes I wonder why we bother.

Jon

19 Replies

abinjola (Cisco Employee)

I agree with what he says to some extent; it's good to have a dedicated ASA 5500 rather than the add-on FWSM card on the 6k.

I am not sure what your connection rate and throughput are; however, this is what the ASA can support:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Throughput and connections will be the limitation of the ASA. The ASA does NOT do Active/Active, whereas a Checkpoint firewall can cluster up to 32 nodes (i.e. 32 servers with dual quad-core Intel processors) where you can push an insane amount of traffic.

The ASA is not designed for a large-scale datacenter. Imagine you can scale up to 32 servers in Active/Active... 32 active nodes.

Budget is another matter.

You may want to look at NGx R65 CoreXL. I've used it and really like it a lot.

Checkpoint is not safe at all... it was designed in Israel, and then once it got obsolete there it was distributed in all other countries... I haven't seen small SOHO Checkpoints being used in data centres.

The ASA can do active/active failover. If the ASA 5510 is not coping, try the high-end models.

Are you telling me that the ASA can cluster 32 nodes together? ASA Active/Active is not really active/active. Are you telling me that the ASA can do load sharing for, let's say, network 192.168.1.0/24 on both ASAs right out of the box?

"checkpoint is not safe at all.."

Says who? If it is not safe, then how come a lot of government agencies, including most financial services, use Checkpoint?

One requirement I did not mention was the need for different vendor firewalls protecting us from the Internet. On the outside we currently use clustered Nokia IP390s, therefore the thought was that since we already had the 6509s for the internal side, why not just add the FWSM, giving us the second vendor as required. I believe the FWSM has a firewalled throughput of 5Gb, way way over and above the ASA.

We are likely talking about hundreds of GBs of data that needs to be backed up weekly.

Yes, Checkpoint is not safe at all. Israelis have the source code of this product since they are the ones who designed it. I haven't seen Checkpoint installed in any US govt agencies.

Now, coming back to what the requester asked: see if your throughput is higher than 5GBps; then yes, either FWSM or ASA 5580s.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

"I haven't seen Checkpoint installed in any US govt agencies."

Perhaps you need to get out more and stop putting on the Cisco blinders.

ISS, Verio and just about every MSSP use Checkpoint. As far as US Gov. agencies go, there are many that use Checkpoint. DOA, DOT and HHS, just to name a few.

Not sure what difference it makes where it was developed (hopefully you mean that differently than it sounds), and we are indeed a financial organization that uses Checkpoint.

Anyway, back to the issue at hand; any idea how much the 5580 costs?

Checkpoint is cheap but unsecure. ISPs that use it only use it on peripheries and not in the core.

Coming back to your query, requester: you may check the price of the ASA 5580 in the pricing tool.

"checkpoint is cheap but unsecure"

I would like to know where you get the facts to back up your claims.

If Cisco is so great and secure, then let me ask you this:

In Cisco PIX or ASA, BY DEFAULT, hosts residing behind a higher security level interface can traverse the firewall to communicate with hosts residing behind a lower security level interface. That is a fact, correct?

Based on that argument, if a host behind a higher security level interface is infected with viruses, it can then infect other hosts residing behind lower security level interfaces.

With Checkpoint, nothing is allowed between interfaces unless it is EXPLICITLY allowed.

If Checkpoint is cheap but unsecure, then why do Gov. agencies and financial organizations use Checkpoint? These guys must be dumb, right?

"ISPs that use it only use it on peripheries and not in the core."

You are right. They don't use Checkpoint at the core. They do not use Cisco either. They use Juniper.
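The per-subnet zoning the original poster describes, and the PIX/ASA default that the reply above points out, in configuration form. This is an added example and is not from the thread; the VLAN numbers, zone names, addresses and the single permitted port (TCP 1433 from the "app" zone to the "db" zone) are assumptions chosen for illustration. On the PIX/ASA the default is as the reply states: with no access list applied to an interface, hosts behind a higher security-level interface can reach any lower security-level interface on any port. Binding an inbound access list to the interface changes that: only what the list permits passes, and the implicit deny at the end of the list applies regardless of the security-level ordering. The FWSM differs from the PIX/ASA here in that it passes no transit traffic at all until an access list permits it, so on the FWSM a zone with no access list is closed rather than open; the access-list and access-group syntax below is the same on both.

```cisco
! Added example (not from the original thread). Two server subnets as
! two zones on an ASA. VLAN ids, names, addresses and the permitted
! port are assumptions.
!
! On an FWSM the zone interfaces are "interface Vlan10" / "interface Vlan20"
! with the VLANs handed to the module from the 6500 supervisor via
! "firewall vlan-group"; the nameif / security-level / access-list /
! access-group lines are the same.
interface GigabitEthernet0/1.10
 vlan 10
 nameif app
 security-level 60
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif db
 security-level 40
 ip address 10.1.20.1 255.255.255.0
!
! Weak state (PIX/ASA): stop here, with no access-group bound to "app".
! Hosts in the higher-security zone (app, 60) reach every host in the
! lower-security zone (db, 40) on every port, the default described
! in the reply above. An infected app server can then scan db freely.
!
! Corrected state: bind an inbound access list to each zone interface.
! Once a list is applied, only its permit lines pass; the security-level
! ordering grants nothing extra and the trailing deny logs the rest.
access-list app_in extended permit tcp 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0 eq 1433
access-list app_in extended deny ip any any log
access-group app_in in interface app
!
! db initiates nothing toward app. Return traffic for sessions that app
! opened is still allowed by stateful inspection, so a deny-all inbound
! list on db does not break the permitted 1433 flows.
access-list db_in extended deny ip any any log
access-group db_in in interface db
!
! Keep the default: zones placed at the same security level stay
! isolated unless this is explicitly enabled.
no same-security-traffic permit inter-interface
```

To confirm the lists are doing the work rather than the security levels, `show access-list app_in` shows hit counts on the permit and the deny lines, and on an ASA `packet-tracer input app tcp 10.1.10.5 12345 10.1.20.5 22` should report a drop at the access-list phase while the same trace to port 1433 is allowed. Adding a ninth zone is another sub-interface (or VLAN on the FWSM) plus its own pair of lines, which is the scalability point the original poster raises against a port-bound appliance.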

Jon Marshall (Hall of Fame)

Hi

If you have multiple vlans within your 6500 and you want to firewall between them with a requirement for high throughput and flexible configuration then that is one of the main uses of the FWSM. To my thinking it makes perfect sense if you are merely looking to do internal firewalling between your server subnets.

If you use a standalone pair of ASAs and they are hacked, then you have the same issue. The key thing here is that all VLANs are terminating on firewall interfaces, whether that be the FWSM or standalone ASAs, so either way, if your firewall is hacked you are in trouble.

Perhaps this guy could go into a bit more detail as to why it is different with the FWSM than the ASA.

One thing that is worth bearing in mind is that the FWSM is only a firewall, whereas ASA devices can do more (IPS, etc.). But this may not be an issue for you.

HTH

Jon

OK, thanks Jon. That was what I was hoping to hear.

Maybe this other guy could also come back and explain a couple of his other comments as well.

I think the FWSMs are good for segmenting a specific portion of your data center and not every single subnet or host. Put them in front of your high-value servers (PCI, finance databases, the secret formula to Coca-Cola, plans to Area 51, whatever) where you don't want to have to go 'outside' your 6500s and where throughput isn't a factor.

Just my .02; don't want to get in the middle of a flame war :-)
