Protecting a developing network

Posted on 2007-12-01
Last Modified: 2010-04-12
I have a small network consisting of 2 servers and 8 workstations.  We work with a database program and we are starting to use the Internet more and more.  As our resources increase in value, I would want to improve on the security of our network by adding a Cisco ASA 5505.  At the moment we just have a router using NAT.  I have done some research and it seems to me that the Cisco ASA 5505 is a good solution that we will be growing into with the development of a DMZ (in time).

I'm wondering:

1. Would this be a good place to start with network security?  Does anyone have any other recommendations?
2. Do you need a static IP address to start using the ASA 5505, without going into all of the networking options in the begining?
3. Are there yearly update fees with the use of an ASA 5505 + Security Plus module?

Any guidance would be greatly appreciated.

Thank you.
Question by:Global-Mind
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 32

Accepted Solution

rsivanandan earned 500 total points
ID: 20390135
1. Growth rate has to be determined. These boxes value themselves based on the number of concurrent connections, so look for that.
  Along with that I'd also suggest you to take a look at Juniper SSG series firewall (, good performance for about the same price of ASA, ASA are good as well.

2. For both Juniper and Cisco firewalls you don't need a static ip address, means that you can put the box in there and configure for the outside interface to get ip from your ISP's dhcp server and also setup NAT along with security features.

3. Yes you need to go for some kinda support plan which covers your hardware/upgrade of software/ support etc.


Author Comment

ID: 20402835
Thank you for your help, Rajesh.
LVL 32

Expert Comment

ID: 20402873
No Problem. Are you going with ASA ?


Author Comment

ID: 20408260
Hello Rajesh,

Yes, I will be going with the ASA 5505.  Actually, I just ordered it today.  I think that there is enough documentation here and on the Cisco web site that I will be able to get by ... I think.  However, in all of the reading that I have been doing, all of the instructions direct the network admin to gain successful transmission of data, which, of course is the goal.  Having said that, once this goal is accomplished and you are receiving data (web, e-mail, ftp, etc), how do you know that you in fact have a protected network?

If this constitutes a new discussion, I will not have any problem in putting up another 500 points.

Thank you for the follow-up.

LVL 32

Expert Comment

ID: 20408820
There are different logging facilities in the ASA which you can look at it in the firewall itself or decide to send it to a Syslog server (better management and choose to keep the log for a long time).

If you go down the syslog path, then there are so many freeware syslog servers available (kiwi being very famous).

As a network admin, you actually can try to penetrate the firewall (with written permission from your bosses ofcourse :-) ) from internet and see if you're able to get through to your network other than the ports you have opened. Again, there are so many freeware tools available for the same.

ASA works this way => Everything from inside to outside by default is allowed, Nothing from outside to inside is allowed. If you want traffic to come inside, you need to punch holes using access-lists (which is the careful part you need to decide, I'm sure as the time goes people would have more and more requirements for opening ports).


Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Smart phones, smart watches, Bluetooth-connected devices—the IoT is all around us. In this article, we take a look at the security implications of our highly connected world.
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question