
What should I replace my Pix firewall with to make things easier

My Pix firewall is getting a little long in the tooth and I would like to replace it with something that is easier to use.  I've got about 100 machines on my network, but I only have about 10 users that get on the Internet.  Right now I have one webserver running behind the firewall, but I may outsource that in the near future.  I also have Active Directory running with local DNS and DHCP setup on my Domain Controller.

I can do some basic things in the Pix, but have never found it very easy to manage.  Can I just replace it with something like a simple D-Link or Linksys router?  Will I still be protected as well?  Can I let traffic pass to my one webserver and nothing else like I can with the Pix?  Should I use DHCP on one of these devices and turn it off in Windows Server?  My goal is to simplify the network setup, make repair/replacement simple, and hopefully do it all inexpensively.  I'm preparing to switch from 2 T1's to Cavalier's Ethernet Express and I'd like to make the transition as easy as possible.

2 Solutions
I'd go for the newer ASA - 5505 or 5510.
If you want your network protected, with good performance, and easy to manage as well, then there are lots of options to sort out this issue. First, the new PIX firewall is also a good product from Cisco and easy to manage. There is also the Astaro Security device. The device comes as hardware appliances, software appliances and virtual appliances. It will give you network security, firewall security, mail security, web security, easy management and flexible deployment. Another device is Cyberoam: GUI-mode web interface with dashboard, firewall, VPN, bandwidth policy, surfing time policy, data policy, manage groups, user authentication with AD, antivirus with mail, POP, SMTP, IMAP, HTTP and FTP, anti-spam with policy, traffic discovery with live connections, daily reports, etc. Now it depends on your IT budget. So now you should survey these devices and decide which one is the best for your organization. I have given you the options. Now it depends on you.

s_sykes (Author) commented:
I'm familiar with the Astaro appliance, but that doesn't answer the questions I have about changing setup:
-Can I just replace the Pix with something like a simple D-Link or Linksys router?  
-Will I still be protected as well?  
-Can I let traffic pass to my one webserver and nothing else like I can with the Pix?  
-Should I use DHCP on one of these devices and turn it off in Windows Server?
Yes, you can replace your Pix with a Linksys router.
There is built-in firewall protection. You can also block or unblock anonymous Internet requests, but by default it is enabled.
You can also use access policies and block users by MAC or IP.
Don't disable DHCP on your Windows server. Disable the Linksys modem's DHCP. Recommended.
I've worked on most major firewalls out there and am certified on the main ones.  For ease of use on a firewall that is comparable to the PIX I would recommend the Juniper SSG line.  Although the new Cisco ASA firewalls are also quite easy to work with.

To answer your other questions, yes you can replace the PIX with something simple like a D-Link or Linksys router and use their firewalling capabilities.  Generally they are considered good enough for home use and can provide at least some of the functionality of the higher end firewall.  They don't provide any advanced security and really just act as a very basic stateful firewall (look for the words stateful firewall or SPI when shopping for them) with limited additional protections.

Just about all of them also allow you to set up internal services such as a web server and only allow access into that on the ports that you select (or selected from a list).

I do recommend keeping DHCP on your Windows server as you get much better integration with AD (if you use it) plus better logging and tracking of your users and systems.  DHCP on the firewall/network device/etc. is only really good if you don't have a local server, and even then if you can do DHCP relay back to a Windows server that is also preferable.
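
The behaviour described in the answer above (a basic stateful/SPI firewall that publishes only the web server's ports), as an added example that is not part of the original thread: a toy Python model of the decision such a device makes per packet. All addresses and port numbers are constructed, and NAT is assumed to keep the source port unchanged.

```python
# Toy model of a stateful (SPI) firewall with one published web server.
# Addresses are constructed (RFC 5737 / RFC 1918); NAT keeps the source port.
from dataclasses import dataclass, field

WAN_IP = "203.0.113.10"                       # constructed public address
WEB_SERVER = "192.168.1.20"                   # constructed internal web server
FORWARDS = {80: WEB_SERVER, 443: WEB_SERVER}  # the only published inbound ports

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True = arrived on the WAN interface

@dataclass
class StatefulFirewall:
    # Connection table entries: (lan_host, lan_port, remote_host, remote_port)
    state: set = field(default_factory=set)

    def handle(self, p: Packet) -> str:
        if not p.inbound:
            # LAN -> Internet is allowed and remembered so replies can return.
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW outbound"
        if p.dst != WAN_IP:
            return "DROP"
        # Is this a reply to a connection that a LAN host opened earlier?
        for lan, lport, remote, rport in self.state:
            if (remote, rport, lport) == (p.src, p.sport, p.dport):
                return f"ALLOW reply -> {lan}"
        # New inbound connection: only the published web ports get through.
        if p.dport in FORWARDS:
            return f"FORWARD -> {FORWARDS[p.dport]}"
        return "DROP"  # default deny for everything unsolicited

def demo() -> list:
    fw = StatefulFirewall()
    traffic = [  # constructed sample packets
        Packet("198.51.100.7", 40000, WAN_IP, 3389, True),       # unsolicited RDP
        Packet("198.51.100.7", 40001, WAN_IP, 443, True),        # visitor to web server
        Packet("192.168.1.50", 51000, "192.0.2.8", 443, False),  # user browsing
        Packet("192.0.2.8", 443, WAN_IP, 51000, True),           # reply to that user
        Packet("192.0.2.8", 443, WAN_IP, 51001, True),           # no matching state
    ]
    return [fw.handle(p) for p in traffic]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```
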
