Advice Needed! - Internet facing ASA

Jul 15th, 2008

Hi


I've been asked to draw up a proposal to replace our existing 3rd party Internet facing firewalls with a new solution.


I have worked a lot in the past with PIXs, and with Cisco being my area of expertise, I am going to propose using an ASA. However, I know little about them, and even having read a lot of documentation on the Cisco sites, I still only have a basic understanding.


The customer's network is designed along the 3 layer Campus model, and serves in excess of 6500 users, all of whom require Internet access. My initial leaning is toward the ASA5520. Availability is obviously important, so we'll need at least 2 in a failover pair. Does this sound like a reasonable choice?


What I'm not so sure of are the 'Security Contexts' that the ASA apparently has up to 20 of, and the bundle I'm looking at comes with 2. Does this refer to IPS services, the basic firewall function, VPN etc ...? What are the basics you get without all the add-ons?


The 5520 comes with 4 Gigabit and 1 100Mb interface - can the Gig interfaces be configured as 100Mb?


Any advice v gratefully received!


Regards

Paul

Farrukh Haroon Tue, 07/15/2008 - 06:08

Hello Paul


You may have a look at the following link for a quick comparison:


http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html


Security Contexts = Virtual Firewalls. Two come bundled with the firewall. If you need more, you need to purchase that.


And yes you can use the 'Gig' interfaces as 'Fast' but not vice versa (except the special 5510 corner case).


Regards


Farrukh



PDEdwards Tue, 07/15/2008 - 08:55

Thanks for the replies guys - v useful.


What does Cisco recommend in terms of firewall monitoring? As these ASAs will be replacing a 3rd party managed service they need to be able to generate alerts based on unusual behaviours, DoS attacks etc. Which software or hardware is required for this?


Also is DoS prevention a standard feature of these ASAs or does it need to be purchased, as I haven't seen it explicitly mentioned in the literature.



Thanks and Regards


Paul


Farrukh Haroon Tue, 07/15/2008 - 09:02

A small MARS box would be the best thing to buy.


What types of DOS attacks...?


Regards


Farrukh
