
Protection for DataCenter

v.nastase
Level 1

Our company intends to develop the present security level for the internal DataCenter.

Is it possible to deploy a secure solution based on the Cisco PIX family?

In case of a positive answer, what type of PIX can we use, considering the great amount of data transferred to and from the internal DataCenter?

Thanks

4 Replies

jwitherell
Level 1

Are you saying that you will be isolating the data center from other internal networks? In other words, are you planning to firewall the data center from the whole world, internal and external?

As far as sizing the PIX models, some questions:

-How many nodes are inside the data center?

-How many nodes outside the data center?

-What speed WAN/LAN feeds into the data center are in place?

-Are you planning to just restrict traffic, or use AAA to authorize users to pass into the data center?

-Are you planning to use NAT, or just NAT 0 (the latter is to restrict traffic without translating IP addresses)?

-Any other basic detail?

A lot of times, companies may use their routers' Access Lists (Standard or Extended) to limit or restrict access to specific hosts or subnets. You should probably consider using these more ordinary methods of protection before firewalling the data center. I can't really say that it would be unheard of to firewall the data center, but it certainly seems unusual and extreme.

Maybe you could explain why you want to go with a firewall for this purpose, if what I have said above is accurate...

Jim

. Datacenter has Unix servers and big storage capacity

. We have 70 PoPs in order to access the datacenter, everyone has its own private access to the Internet

. Datacenter is connected to the network core with gigabit link

. No, we don't plan to use address translation

My question refers to the importance of the datacenter and the opportunity to use a PIX firewall as a strong solution. We strategically consider the strong need to have high-level protection on the datacenter border. If PIX is an overevaluated solution, what are your suggestions?

Thanks very much

I would go straight to a PIX 535, unlimited license, Gigabit ethernet adapters, and either a failover or secondary PIX535. If you went with a secondary PIX 535, that would provide two points of access to the data center. If you went this way, you would also want to have a "DMZ" just outside of the PIXes.

The PIX535 or 525 with Gigabit adapters are pretty powerful boxes. If it's really that important, just go with the 535 from the outset. It sounds like you may not be using a lot of the more CPU intensive features, so I would suspect that you have a good chance that it will not be a bottleneck.

If you can categorize incoming networks as "trusted" and "untrusted", you may be able to allow some networks to come straight in as they do today, and put the PIX in place to restrict the other untrusted ones. The reasons to do this would be risk and performance.