I currently have a DMZ with FW1 (inherited) which is going away. I also have a new application that needs a DMZ and I need to look at alternatives. Traffic from the internet into the DMZ needs to be limited by uname/passwd and will be about 100 hits a day, max. Inside the DMZ will be an Apache and an IIS server. I 'think' all access will be web pages, but the apps group may think up other wonderful things. NO access from DMZ to inTRAnet; access from inTRAnet will be 'update only' to the DMZ systems. I want to keep my life simple and think a Cisco PIX solution would be easier/more reliable than FW1 on a Solaris box. I may want to log accesses but could care less about statistics... should I look into PIX? Is PIX applicable for this use?
Indeed. PIX can use local and centralised user databases for auth to the DMZ, and the above configuration is quite easy to set up, especially with the new PDM Java GUI interface. By default no low security interface can access a high security interface, i.e. DMZ to inside, Internet (outside) to DMZ or inside, unless expressly permitted.
It's very secure, no need to manage both FW1 and the OS it runs on etc. Logging is to syslog, as per Cisco routers, and numerous scripts and commercial apps can analyse this for you.
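As an added illustration (not part of either post above), here is how the three-interface layout described in the question maps onto PIX security levels and access lists. It assumes PIX 6.x syntax, a TACACS+ server for the username/password check, and constructed addresses (203.0.113.0/24 public, 192.168.10.0/24 DMZ, 192.168.1.0/24 inside); check the exact command forms against your PIX software version.

```cisco
! Security levels: outside (0) < dmz (50) < inside (100).
! Lower-to-higher traffic is denied unless expressly permitted.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Publish the two DMZ web servers (constructed addresses).
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.10.11 netmask 255.255.255.255

! Internet -> DMZ: only HTTP/HTTPS to the two published hosts.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in permit tcp any host 203.0.113.11 eq www
access-list outside_in permit tcp any host 203.0.113.11 eq https
access-group outside_in in interface outside

! DMZ -> intranet: nothing. Higher-level inside is already protected,
! but an explicit deny makes the intent visible and logs the attempts.
access-list dmz_out deny ip any 192.168.1.0 255.255.255.0
access-group dmz_out in interface dmz

! Intranet -> DMZ: "update only", e.g. SSH to the Apache host and
! RDP to the IIS host. Inside (100) reaches dmz (50) by default, so
! restrict it instead of opening it.
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 host 192.168.10.10 eq 22
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 host 192.168.10.11 eq 3389
access-list inside_out deny ip any 192.168.10.0 255.255.255.0
access-list inside_out permit ip 192.168.1.0 255.255.255.0 any
access-group inside_out in interface inside

! Username/password on inbound HTTP, checked against a TACACS+ server
! (server address and key are constructed placeholders).
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.1.5 TACACS_KEY_PLACEHOLDER
aaa authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+

! Accesses go to syslog; analysis is left to whatever reads the collector.
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.20
```

The `deny` lines in `dmz_out` and `inside_out` generate syslog denials for anything outside the intended paths, which is the "log accesses" part of the requirement.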