Carlitos_30
Post Whore
Posts:
1222
Joined:
Mon Feb 08, 2010 9:30 am
Certs:
CCENT, CCNA,CCNP R&S

Big network, big firewall?

Wed Jul 11, 2012 2:12 pm

Hello. In a big network with 60,000+ hosts and an average bandwidth of 700 Mbps to the Internet, what would be the best FW solution to protect the network?

A big FW with a centralized perimeter?

Or, some little FW per area and a last resort FW pointing to Internet?

Currently we have a cluster of firewalls in a centralized perimeter, but from time to time some latency issues affect the network, it seems the FW is unable to inspect so much traffic.

Thanks!

ristau5741
Post Whore
Posts:
10547
Joined:
Tue Aug 21, 2007 2:15 pm
Certs:
Instanity

Re: Big network, big firewall?

Wed Jul 11, 2012 2:17 pm

I would probably set up 2 big firewalls, active/active redundancy, running multiple firewall contexts.
But then again, I have a lot of customers.

I also would have dedicated IPS/IDS devices to inspect traffic.
Tips of the day:
- The human mind is the ultimate creation invention.
- I have so many customers, my customers have customers.
- Sausage time
- POP, stack, and store

mellowd
CCIE #38070
Posts:
13814
Joined:
Wed Jun 18, 2008 7:49 am
Certs:
CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: Big network, big firewall?

Wed Jul 11, 2012 2:27 pm

HA firewall pair, geographically separated if possible. Much easier to manage all access from a single point. All vpn/etc will come from that firewall

mlan
Ultimate Member
Posts:
815
Joined:
Thu Nov 17, 2011 6:09 pm

Re: Big network, big firewall?

Wed Jul 11, 2012 2:30 pm

I agree with ristau5741. We have a similar need, and are looking at a large cluster HA pair for this purpose. I would rather deal with complexity within the pair rather than complexity in a multitude of boxes/cables/switches, etc.

Halo
Post Whore
Posts:
1008
Joined:
Thu Oct 14, 2010 4:39 am
Certs:
CCNP (R&S, Security), ITILv3 Foundation

Re: Big network, big firewall?

Fri Jul 27, 2012 4:48 am

Presuming you're using ASAs, you won't be terminating VPNs if you're in multiple context mode (as you would be if you're going for active/active). Might be worth bearing that in mind.
http://www.cisco.com/en/US/docs/securit ... texts.html

dsmhood
New Member
Posts:
1
Joined:
Wed Jul 25, 2012 8:22 am
Certs:
CCNP CCSA FNCSA MCSA

Re: Big network, big firewall?

Mon Jul 30, 2012 11:48 pm

I think he's looking for recommendations on hardware as well.

I think it would depend on what features you want turned on to determine what hardware you would want to use... What features were you looking at? Standard stateful firewall inspection? Or IPS, IPSec tunnels and all the other colorful lights, bells and whistles you can have on a firewall?

matfa
Member
Posts:
113
Joined:
Sat Oct 24, 2009 10:48 am
Certs:
A+, Network+, CCNA-S

Re: Big network, big firewall?

Wed Aug 08, 2012 12:40 pm

Halo wrote: Presuming you're using ASAs, you won't be terminating VPNs if you're in multiple context mode (as you would be if you're going for active/active). Might be worth bearing that in mind.
http://www.cisco.com/en/US/docs/securit ... texts.html

I've been informed by Cisco that ASA version 9.0 will allow IPSec and dynamic routing while in multiple context mode. It will also align the operating systems of both the 5500 and 5500-X series hardware lines.

This should be available later this year.

ristau5741
Post Whore
Posts:
10547
Joined:
Tue Aug 21, 2007 2:15 pm
Certs:
Instanity

Re: Big network, big firewall?

Thu Aug 09, 2012 7:26 am

matfa wrote:
Halo wrote: Presuming you're using ASAs, you won't be terminating VPNs if you're in multiple context mode (as you would be if you're going for active/active). Might be worth bearing that in mind.
http://www.cisco.com/en/US/docs/securit ... texts.html

I've been informed by Cisco that ASA version 9.0 will allow IPSec and dynamic routing while in multiple context mode. It will also align the operating systems of both the 5500 and 5500-X series hardware lines.

This should be available later this year.

Hope that wasn't discussed outside your NDA with Cisco.

Halo
Post Whore
Posts:
1008
Joined:
Thu Oct 14, 2010 4:39 am
Certs:
CCNP (R&S, Security), ITILv3 Foundation

Re: Big network, big firewall?

Thu Aug 09, 2012 8:43 am

They were talking about it at Cisco Live back in January - but as with all things Cisco, I'll believe it when I see it.
So is anyone else waiting for Cisco to announce the successor to the ASA?
http://www.bradreese.com/blog/4-9-2012.htm