• Status: Solved
  • Priority: Medium
  • Security: Public

Debate to double the PIX or not

I've got a question I need an answer to: I have two customers. Customer A with one PIX 515 and a third Ethernet card set up to be the DMZ on its own separate subnet. Customer B with two PIX 515s in series with the DMZ in the middle with a hub and, of course, its own subnet also. If both PIX configs do the same job, why use one configuration over the other? Customer B has to pay for 2 PIX; what's the secret security gain I'm missing here? Get technical, I can take it.
3 Solutions
Some differences off the top of my head:

* 2 PIX = conceptually easier to understand
* possibility to individually replace one of the PIX with another device
* better throughput as it isn't a single device with traffic from outside to inside going via the DMZ having to go in/out the same DMZ interface
* easier to understand config on each individual PIX
* a really weak claim might be that you could have better security as both devices could have diff passwd, but I discount this. I think if someone gets a passwd to even one of your PIX, you are in BIG trouble !

Out of all of them, I guess the main thing would just be greater flexibility. Sometimes the other thing that happens is someone buys a 515 and then needs a DMZ. They look at the price of adding a NIC to the existing PIX and opt for a second PIX instead.

Personal opinion here, but it could simply boil down to this:
The customer is always right.

Some customers just don't "feel" right about using a software DMZ and insist on using dual hardware firewalls. I try to dissuade them this way:
- having dual firewalls will make it much more difficult to create VPN tunnels from inside network to a remote network.
- A single PIX with a DMZ interface is doing the exact same thing - logically - and keeps your configurations simpler and easier.
- 2 firewalls doubles your chances of having a configuration error that is difficult to detect or troubleshoot.
- Having dual firewalls presents you with dual single points of failure. If either one goes out, your internal network is broken.
- Have dual firewalls, but put them in failover pair mode and use multiple DMZ interfaces.
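To make the "software DMZ" in the single-PIX design concrete, here is an added three-interface PIX 6.x configuration fragment (not posted by anyone in this thread). Addresses (203.0.113.0/24 outside, 10.0.0.0/24 inside, 192.168.1.0/24 DMZ, a web server at 192.168.1.10) are constructed for the example; the isolation between zones comes entirely from the security levels and the access-lists on this one box, which is exactly why the thread's point about a single misconfiguration being hard to spot matters.

```cisco
! Constructed example addresses: 203.0.113.0/24 outside, 10.0.0.0/24 inside, 192.168.1.0/24 DMZ
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
! Outbound traffic from inside and DMZ hides behind the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
! Inside hosts reach the DMZ without translation (identity static)
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0
! Publish the DMZ web server on one public address
static (dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
! Inbound from the Internet: only HTTP/HTTPS to the published server; the implicit deny drops the rest
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside
! DMZ-initiated traffic: lower (50) to higher (100) security is denied by default, but once an
! access-group is applied here the list is authoritative, so state the inside deny explicitly
! and permit only what the DMZ host legitimately needs outbound
access-list dmz_out deny ip any 10.0.0.0 255.255.255.0
access-list dmz_out permit tcp any any eq www
access-list dmz_out permit udp any any eq domain
access-group dmz_out in interface dmz
```

With the two-PIX design the same policy is split across two configurations, each of which only ever sees two zones; with this design every zone boundary lives in one file, so a review of the access-lists (and a failover pair, as the last point above suggests) is what protects you rather than physical separation.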
Yeah... I too have seen many people preferring a "hardware" device creating the DMZ... they might be correct in their own way... however, at the end of the day what matters is the money which we are spending for the service/protection... if the user can justify the multiple devices then he can always purchase... but in using them, the operations people are the ones who have to face the problems...
I totally agree with our friends' opinions here... in particular lrmoore's last point, "put them in failover mode"... it makes more sense to me...
