PIX Firewall Questions

Posted on 2005-03-18
Medium Priority
Last Modified: 2013-11-16
One of our partner associations recommends that we install a PIX firewall to isolate the wireless APs from the rest of the network. I have never set up a firewall and I am unclear about how the physical connection will take place.

All connectivity is run back to a central patch panel, and then connected to 3Com 3300 XM switches which are unmanaged. Since my switches are unmanaged, will I need to have a separate switch for the APs? There will only be two APs (Cisco Aironet 1100 APs).
Question by:comtekso
Accepted Solution

ruddg earned 1000 total points
ID: 13576921
Depending on the PIX firewall you select, you may have the following options:


(Internet)----PIX515E----LAN switch---(LAN)
                "DMZ" switch
                Wireless APs


(Internet)----(firewall/router)----LAN switch---(LAN)
                                               Wireless APs

The advantage of the first option is that the PIX can be leveraged for both Internet protection and isolation of your wireless deployment -- the PIX515E with a third interface, however, is more expensive than a two interface 506E.  (Note: If you have a small network with less than 50 wireless clients, and 4 or less APs, you can use a PIX501 and utilize the integrated hub ports on the PIX to connect to the APs directly.)

Also, while not recommended, you *can* technically use the same switch hardware for two different IP subnets.  There are security risks involved with this configuration, but it will work:

           SWITCH PORTS
[1]    [2]     [3]     [4]     [...]
 |       |        |        |
[0]    [1]      AP     PC

The APs would reside on one IP subnet (i.e. 10.0.0.x/24) while the LAN used another subnet (i.e. 192.168.1.x/24).  The APs & wireless clients would use the PIX506 "outside" interface as their default gateway, while the LAN gateway router would have a route to the 10.0.0.x/24 network pointed at the PIX506 "inside" interface.  As noted, it would be possible for a wireless host to attack the unmanaged switches with a MAC address flood, thereby circumventing the PIX, so this is not recommended.
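
As an added illustration of the two-subnet design just described (this is constructed example configuration, not the answerer's), here is a PIX 6.x fragment that puts the wireless side on the "outside" interface and the LAN on "inside", and lets wireless clients reach only a terminal server on RDP. The EMR/terminal server address 192.168.1.10 and the PIX inside address 192.168.1.2 are assumptions; the 10.0.0.x/24 and 192.168.1.x/24 subnets are the ones used above.

```cisco
: Constructed PIX 6.x example for the two-subnet design above.
: Wireless APs and clients sit on "outside" (security 0); the LAN on "inside" (security 100).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
: Wireless clients use 10.0.0.1 as their default gateway.
ip address outside 10.0.0.1 255.255.255.0
: Assumed PIX inside address; the LAN gateway router must route 10.0.0.0/24 to it.
ip address inside 192.168.1.2 255.255.255.0
: Expose only the terminal server (assumed 192.168.1.10) to the wireless side, untranslated.
: A static is required before lower-to-higher security traffic can be permitted.
static (inside,outside) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
: Permit only RDP (TCP 3389) from the wireless subnet to the terminal server;
: everything else from the wireless side is dropped and logged (log keyword needs 6.3+).
access-list wireless_in permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.10 eq 3389
access-list wireless_in deny ip any any log
access-group wireless_in in interface outside
```

Because the wireless segment is the low-security side, nothing it originates is allowed through until the static and access-list above exist; the LAN side remains free to initiate connections toward the APs only if you add a corresponding policy, which this fragment deliberately does not.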

Author Comment

ID: 13578369
Thanks. I have a small network. I will have two Cisco Aironet APs serving no more than 12 clients. Probably more likely to be 5 or 6 to start with. This is all for a new in-house Electronic Medical Records System, so security has to be tight in order to meet all the different associations' requirements for patient health information.

So if I am reading correctly, if I use the PIX501 then I will not need a separate switch for the APs, right?

Would there be any performance benefits over the 506e or 501? The wireless clients will be using terminal services to connect to the new EMR system.

Note: I actually have a PIX506e that handles our T1 traffic, but it is provided by one of our vendors and I don't have access to configure it. I want to keep this separate anyway.

Expert Comment

ID: 13578432
The PIX501 would be suitable for your needs.  I would recommend buying it with the 50-user license.  And, yes, if you only have two APs, you can use the integrated ethernet hub on the PIX501 thereby eliminating the need for an additional switch.

Author Comment

ID: 13578483
Thank you for the excellent information.
Expert Comment

ID: 13578495
Note: the PIX501 supports 60Mbps of firewall throughput and 3Mbps 3DES / 4.5Mbps AES VPN throughput -- this is probably sufficient to handle your wireless networking needs.  The PIX506E provides up to 100Mbps firewall throughput and 16Mbps 3DES / 30Mbps AES VPN throughput.  If you are considering using VPN clients on your wireless clients to provide encryption (much better than WEP), the 506E may be a better fit.  However, the 506E does not have an integrated 4-port 10/100 switch like the PIX501 does.
