Debate to double the PIX or not

Posted on 2005-05-08
Last Modified: 2013-11-16
I've got a question I need an answer to: I have two customers. Customer A has one PIX 515 with a third Ethernet card set up to be the DMZ on its own separate subnet. Customer B has two PIX 515s in series with the DMZ in the middle on a hub, and of course its own subnet also. If both PIX configs do the same job, why use one configuration over the other? Customer B has to pay for 2 PIX, so what's the secret security gain I'm missing here? Get technical, I can take it.
Question by: kdb01

    Assisted Solution

    Some differences off the top of my head:

    * 2 PIX = conceptually easier to understand
    * possibility to individually replace one of the PIX with another device
    * better throughput, as it isn't a single device with traffic from outside to inside going via the DMZ having to go in/out the same DMZ interface
    * easier to understand config on each individual PIX
    * a really weak claim might be that you could have better security as both devices could have different passwords, but I discount this. I think if someone gets a password to even one of your PIX, you are in BIG trouble!

    Out of all of them, I guess the main thing would just be greater flexibility. Sometimes the other thing that happens is someone buys a 515 and then needs a DMZ. They look at the price of adding a NIC to the existing PIX and opt for a second PIX instead.


    Accepted Solution

    Personal opinion here, but it could simply boil down to this:
     The customer is always right.

    Some customers just don't "feel" right about using a software DMZ and insist on using dual hardware firewalls. I try to dissuade them this way:
    - Having dual firewalls will make it much more difficult to create VPN tunnels from the inside network to a remote network.
    - A single PIX with a DMZ interface is doing the exact same thing - logically - and keeps your configuration simpler and easier.
    - 2 firewalls doubles your chances of having a configuration error that is difficult to detect or troubleshoot.
    - Having dual firewalls presents you with dual single points of failure. If either one goes out, your internal network is broken.
    - Have dual firewalls, but put them in failover pair mode and use multiple DMZ interfaces.
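The accepted answer's claim that a single PIX with a DMZ interface does "the exact same thing - logically" as two PIX in series can be checked with a small model of PIX security-level semantics. This is an added example, not code from this thread or from Cisco: the `Pix` class, the zone names and the single outside-to-DMZ permit policy are constructed assumptions, and hosts and ports are ignored.

```python
from itertools import product

# Zones in the page's two topologies: the Internet side, the DMZ subnet, the internal LAN.
ZONES = ("outside", "dmz", "inside")

class Pix:
    """Minimal model of PIX interface security levels (assumption: hosts and ports ignored)."""

    def __init__(self, name, levels, permits=()):
        self.name = name
        self.levels = levels          # interface name -> security level (0..100)
        self.permits = set(permits)   # (in_if, out_if) pairs explicitly opened low -> high

    def allows(self, in_if, out_if):
        if self.levels[in_if] > self.levels[out_if]:
            return True               # higher -> lower security: permitted by default
        return (in_if, out_if) in self.permits   # lower -> higher: needs a static/ACL

def single_pix_matrix(permits):
    """Customer A: one PIX 515 with a third interface for the DMZ."""
    pix = Pix("pix-a", {"outside": 0, "dmz": 50, "inside": 100}, permits)
    return {(s, d): pix.allows(s, d) for s, d in product(ZONES, ZONES) if s != d}

def dual_pix_matrix(outer_permits, inner_permits):
    """Customer B: two PIX 515 in series, the DMZ hub between them."""
    outer = Pix("pix-outer", {"outside": 0, "inside": 100}, outer_permits)
    inner = Pix("pix-inner", {"outside": 0, "inside": 100}, inner_permits)
    # Hops each zone pair crosses; outer's "inside" and inner's "outside" are both on the DMZ hub.
    path = {
        ("outside", "dmz"): [(outer, "outside", "inside")],
        ("outside", "inside"): [(outer, "outside", "inside"), (inner, "outside", "inside")],
        ("dmz", "outside"): [(outer, "inside", "outside")],
        ("dmz", "inside"): [(inner, "outside", "inside")],
        ("inside", "dmz"): [(inner, "inside", "outside")],
        ("inside", "outside"): [(inner, "inside", "outside"), (outer, "inside", "outside")],
    }
    return {pair: all(fw.allows(i, o) for fw, i, o in hops) for pair, hops in path.items()}

def differences(a, b):
    """Zone pairs where the two designs disagree; an empty list means logically equivalent."""
    return sorted(p for p in a if a[p] != b[p])

# Constructed policy: only the outside -> DMZ hole (a published DMZ server) is opened.
SINGLE = single_pix_matrix(permits={("outside", "dmz")})
DUAL = dual_pix_matrix(outer_permits={("outside", "inside")}, inner_permits=())
```

With the same policy both designs yield the same six-entry reachability matrix, which is the point about the choice being operational (failover, VPN, config errors) rather than a difference in what traffic is allowed.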

    Assisted Solution

    Yeah...I too have seen many people preferring a "hardware" device creating the DMZ...they might be correct in their own way..however at the end of the day what matters is the money which we are spending for the service/protection..if the user can justify the multiple devices then he can always purchase..but in using them the operations people are the ones who have to face the problems...
    I totally agree with our friends' opinions here, particularly lrmoore's last point "put them in Failover mode", which makes more sense to me..
