i_harfoush
asked on
Pix515e and sonicwall
I have come to a company
where they placed 2 firewalls connected to each other,
one is a PIX 515E and the other a SonicWall TZ170. The system admin who handed over to me told me this was for more security.
I found that there is double NATing happening, from the SonicWall to the PIX and from the PIX to the WAN.
I tried to remove the SonicWall, but there are a lot of features inside it, like anti-spam, anti-virus, content filter... Also, if I remove the PIX (the PIX is the most trusted firewall), I don't need a DMZ in the middle of the 2 firewalls because I can create it with the SonicWall's third interface.
Can anybody advise whether to keep them both or to remove the PIX?
drawing1-1-.JPG
ASKER
Sir,
I am not using the PIX for VPN, only the NATing and access rules.
So you advise me to keep the current setup, Sir?
Let's look at the pros and cons of taking the PIX out of the picture:
PRO:
- removes a level of complexity, which eases troubleshooting problems (potential to save manpower $)
- removes a device that is using electricity (save $ on the power bill)
- removes a device that is nearing end-of-life from the vendor (no more upgrades or vendor support)
- removes an additional point of failure
CON:
- any change requires careful planning and takes time (manpower costs $)
- you are left with "adequate" security with the SonicWall (are you comfortable with that?)
- the PIX is generally a better, more trusted firewall than the SonicWall and will probably last you a couple more years
- creates a single point of failure scenario
Bottom line is that you have to make the decision based on many factors, not just an opinion posted in a forum. I have no knowledge of the business, regulatory requirements on the business, amount of data, budget constraints, your level of expertise with any of the equipment, etc. I've just posted some things to think about in your decision-making process.
ASKER
Mr. Irm,
is double NATing bad for networking? Or is it something I can ignore?
ASKER
Can I leave the public servers NATed only by the PIX and keep their default gateway as the PIX, with the clients using the SonicWall for content filtering and anti-spam?
Double NAT is not necessarily bad. If it works, ignore it.
Yes, you can leave the public servers NATed only by the PIX and use the SonicWall for the content filtering and anti-spam for end users.
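The double NAT discussed above and the design of NATing the public servers only on the PIX, as an added example that is not code from the thread: a small Python model of two chained NAT devices (LAN behind the SonicWall, SonicWall behind the PIX). Device names, addresses and the port allocation are constructed assumptions, not the asker's network.

```python
# Added example (not code from the thread): a toy model of the chained NAT the
# asker describes, LAN -> SonicWall -> PIX -> WAN. Outbound client traffic crosses
# both NATs with no extra configuration, but an inbound connection to a server
# needs a static on every NAT hop it crosses, which is why NATing the public
# servers on the PIX alone is simpler. Addresses are constructed (RFC 5737/1918).
from dataclasses import dataclass, field


@dataclass
class Nat:
    """One NAT device: dynamic PAT for outbound flows, optional inbound statics."""
    name: str
    outside_ip: str
    statics: dict = field(default_factory=dict)   # public ip -> inside ip
    sessions: dict = field(default_factory=dict)  # outside port -> (inside ip, port)
    next_port: int = 1024

    def outbound(self, src_ip, src_port):
        # Rewrite the source to this device's outside address and a fresh port.
        port = self.next_port
        self.next_port += 1
        self.sessions[port] = (src_ip, src_port)
        return self.outside_ip, port

    def inbound(self, dst_ip):
        # Rewrite the destination via a static mapping; None means no rule, drop.
        return self.statics.get(dst_ip)


def client_to_wan(chain, src_ip, src_port):
    """Push a client flow through each NAT in order; return what the WAN sees."""
    for nat in chain:
        src_ip, src_port = nat.outbound(src_ip, src_port)
    return src_ip, src_port


def wan_to_server(chain, public_ip):
    """Walk an inbound packet through the NATs it must cross, WAN-facing hop first.
    A hop with no static for the address it receives drops the packet: that is
    what happens to a server behind both firewalls with a static on only one."""
    dst_ip = public_ip
    for nat in chain:
        dst_ip = nat.inbound(dst_ip)
        if dst_ip is None:
            return None
    return dst_ip


# Constructed topology: SonicWall outside 10.0.0.2 (link between the firewalls),
# PIX outside 203.0.113.2 (WAN), public server address 203.0.113.3 on the PIX.
sonicwall = Nat("sonicwall", "10.0.0.2")
pix = Nat("pix", "203.0.113.2", statics={"203.0.113.3": "10.0.0.10"})
```

A server sitting between the two firewalls (10.0.0.10 here) is reachable through the PIX static alone; a server on the LAN behind the SonicWall would need a second static on the SonicWall as well.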
ASKER
Mr. Irm, can you comment on this drawing?
drawing-final.JPG
ASKER CERTIFIED SOLUTION
ASKER
So it's recommended by you, Mr. Irm?
ASKER
OK
What I recommend is that you use your own expertise, and your own knowledge of your business requirements, assess the information I have provided, and make your own recommendations to your superiors.
You will not corner me into saying "yes, this is what I recommend" because I do not have enough information on why it was built the way it was in the first place. There may have been good reasons for it.
If it ain't broke, don't fix it. If everything is working the way the business needs it to be, leave it alone for now.
Knowing that the PIX is nearing end-of-life, you might start planning for a replacement. The SonicWall is providing some features not available on the PIX, and would probably be adequate to support everything all by itself, so your replacement plans may be to replace them both with another combination of appliances, or a single device that does it all. Cisco gives you the option to use best-of-breed products for each function instead of trying to cram them all into one box, where you get an "adequate" and not the "best" solution for your business needs.