Choose a firewall

My case is like this: a (web) application server hosts multiple web apps for the public to access. Moderate traffic. The server is located in a Commercial Hosting Company's server room. So the server can directly plug into the LAN (which is connected to the internet).

1) Among the PIX 50x series, which firewall fits this situation better? (I'll need the firewall to support the NAT, DMZ and VPN). Or I may even need other firewalls (budget sensitive).

2) Is the double firewall necessary to build the DMZ? (i.e. PIX --DMZ-- PIX)

3) Any opinion or comment on the Microsoft ISA Server 2004 (which claims to be a better firewall).

Many thanks.

Scott

1 REPLY

Re: Choose a firewall

1.) PIX 515 Restricted with 3 interfaces FastEthernet

See datasheets:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b15.html

2.) No, it is not necessary to build a DMZ. Usually you just use your third interface as DMZ interface and allow some traffic in to your Web Servers.

3.) A firewall that rules an operating system is vulnerable to OS vulnerabilities and needs more patch management, so there are more risks for bugs and holes, usually less performance, and you need to buy a server (hardware).

In my opinion MS ISA is a good Caching and SSL Proxy product that is optimised for Microsoft, but I prefer a hardware based firewall appliance that is just doing its firewall job.

Finally, you will get MS ISA for about 1500$ plus a server another 1500$ plus installation and maintenance, so this is finally more expensive than a PIX Firewall 515R.

sincerely

Patrick
