Which way should I go?

My question concerns firewalls; I'm looking for opinions here.
My company needs to implement a firewall solution. I am torn between buying a new appliance (firewall) or adding something to the spare Cisco 2600 series router.
I was looking for a Cisco solution either way we go.
Anybody have any experience (good or bad) either way?
I also need to implement a VPN solution into this. Does this mean I need a firewall appliance? Does anyone know of a good solution from Cisco in the $5k to $10k range?
Thanks.
qbert123 Asked:

sh00t3r Commented:
The PIX offers exactly what you're looking for as well as VPN, although the price varies.

Have you researched other possibilities? Is your preference of a Cisco appliance just because you want to streamline your hardware?

Either way I would suggest looking at other options. Symantec has the VelociRaptor and the SGS, priced around 5-10k with full VPN. Check Point is also a great product. The Symantec SGS offers anti-virus scanning, content filtering, and IDS (intrusion detection) among many other things. The PIX doesn't offer AV, content filtering, or IDS, although there are options for configuring the PIX like an IDS system.

You'll want to make sure you get an application level firewall, which means it's going to scan down the packet layer all the way to the application layer of the OSI model. Basically it's better security. Most of the corporate FWs are app level. I'd also recommend getting a hardware based firewall vs. software. Enhanced security and failover.

How many end users?
 
lrmoore Commented:
Posted in your other related Q:
http://www.experts-exchange.com/Hardware/Routers/Q_20785490.html

I don't think I've ever disagreed with sh00t3r, but the PIX certainly does have built-in IDS capabilities, not "like" an IDS system.

The PIX does have an awesome VPN capability built right in. Be sure to order the 3DES license (an extra $35 to handle export control costs) and you'll get up to 512-bit AES encryption. The client is the easiest to configure that I have ever seen.

If you want content filtering, anti-virus, or other features, then I would suggest the new Symantec gateway appliances as sh00t3r mentioned.

For a $10k budget, you can get a very nice multi-layer defense strategy going.


 
qbert123 (Author) Commented:
My reasoning behind Cisco equipment is simply throughput, but yes, I like the idea of keeping all my hardware from the same manufacturer (for compatibility's sake). There are 50+ end users, not including the 4 VPN connections. Also, something that I had failed to mention: there are 2 separate routers with two separate WAN connections coming in, and I need to wire both Ethernet ports through the firewall. Is this going to be an issue? Do they make such a beast as to allow for this?

Thanks in advance
 
 
sh00t3r Commented:
Well, if there's anyone on this board I would agree with, it would be lrmoore. I was under the assumption that the PIX IDS solution was more or less a limited IDS system. Glad I know now!

In regards to the two WAN connections: most advanced corp firewalls have numerous NICs that you can specify as WAN or LAN. If the two WAN connections are actually two separate ISPs, you'll have to use some type of load balancing hardware, something like Radware or BigIP F5 boxes. Otherwise you'll just plug the two WANs into the two NICs you specified as WAN connections. Hope this helps!

Sh00t3r

