networking-forum.com
All times are UTC - 6 hours [ DST ]
PostPosted: Wed Jul 11, 2012 2:12 pm 
Post Whore
Joined: Mon Feb 08, 2010 9:30 am
Posts: 1172
Location: Santiago, Chile
Certs: CCENT, CCNA,CCNP Route
Hello. In a big network with +60,000 hosts and a media BW of 700 Mbps to the Internet, what would be the best FW solution to protect the network?

A big FW with a centralized perimeter?

Or, some little FW per area and a last resort FW pointing to Internet?

Currently we have a cluster of firewalls in a centralized perimeter, but from time to time some latency issues affect the network, it seems the FW is unable to inspect so much traffic.

Thanks!

PostPosted: Wed Jul 11, 2012 2:17 pm 
Post Whore
Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8260
Location: Frederick MD
Certs: Instanity
I would probably set up 2 big firewalls, active/active redundancy, running multiple firewall contexts.
But then again, I have a lot of customers.

I also would have dedicated IPS/IDS devices to inspect traffic.

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw

PostPosted: Wed Jul 11, 2012 2:27 pm 
CCIE #38070
Joined: Wed Jun 18, 2008 7:49 am
Posts: 12424
Location: London, UK
Certs: CCIE ,CC-NP/IP, JNCIP-SP, JNCIS-ENT, BC-/SPNE/NP
HA firewall pair, geographically separated if possible. Much easier to manage all access from a single point. All VPN etc. will come from that firewall.

_________________
www.mellowd.co.uk/ccie/

PostPosted: Wed Jul 11, 2012 2:30 pm 
Senior Member
Joined: Thu Nov 17, 2011 6:09 pm
Posts: 487
Location: Portland, OR
I agree with ristau5741. We have a similar need, and are looking at a large cluster HA pair for this purpose. I would rather deal with complexity within the pair rather than complexity in a multitude of boxes/cables/switches, etc.

PostPosted: Fri Jul 27, 2012 4:48 am 
Post Whore
Joined: Thu Oct 14, 2010 4:39 am
Posts: 1003
Certs: CCNP (R&S, Security), ITILv3 Foundation
Presuming you're using ASAs, you won't be terminating VPNs if you're in multiple context mode (as you would be if you're going for active/active). Might be worth bearing that in mind.
http://www.cisco.com/en/US/docs/securit ... texts.html
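To make the constraint concrete, here is an added sketch (not from the thread, and not copied from Cisco's documentation) of the system execution space on an ASA running active/active failover: two per-area contexts split across two failover groups, so each unit is active for one group. Interface names, context names, the failover link addressing and the config-url file names are assumptions.

```text
! ASA system execution space (illustrative example, assumed names)
mode multiple                        ! multiple-context mode; the unit reloads when this is set
admin-context admin
context admin
  allocate-interface GigabitEthernet0/0
  config-url disk0:/admin.cfg

! One context per network area; each joins a failover group
context area-north
  allocate-interface GigabitEthernet0/1
  allocate-interface GigabitEthernet0/2
  config-url disk0:/area-north.cfg
  join-failover-group 1
context area-south
  allocate-interface GigabitEthernet0/3
  allocate-interface GigabitEthernet0/4
  config-url disk0:/area-south.cfg
  join-failover-group 2

! Active/active: group 1 is active on this (primary) unit, group 2 on the peer
failover lan unit primary
failover lan interface folink GigabitEthernet0/5
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2   ! assumed link addressing
failover group 1
  primary
failover group 2
  secondary
failover

! Note: inside area-north / area-south, crypto and VPN commands are not
! available on the ASA releases discussed here, which is Halo's point:
! active/active forces multiple-context mode, and that mode cannot terminate VPNs.
```

The per-context configs (area-north.cfg, area-south.cfg) carry the usual interface, ACL and NAT policy; VPN termination has to live on a separate single-context unit, or wait for the later release matfa mentions further down the thread.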

PostPosted: Mon Jul 30, 2012 11:48 pm 
New Member
Joined: Wed Jul 25, 2012 8:22 am
Posts: 1
Certs: CCNP CCSA FNCSA MCSA
I think he's looking for recommendations on hardware as well.

I think it would depend on what features you want turned on to determine what hardware you would want to use... What features were you looking at? Standard stateful firewall inspection? Or IPS, IPsec tunnels and all the other colorful lights, bells and whistles you can have on a firewall?

PostPosted: Wed Aug 08, 2012 12:40 pm 
Member
Joined: Sat Oct 24, 2009 10:48 am
Posts: 109
Location: Niagara Falls, Canada
Certs: A+, Network+, CCNA-S
Halo wrote:
Presuming you're using ASAs, you won't be terminating VPNs if you're in multiple context mode (as you would be if you're going for active/active). Might be worth bearing that in mind.
http://www.cisco.com/en/US/docs/securit ... texts.html

I've been informed by Cisco that ASA version 9.0 will allow IPsec and dynamic routing while in multiple context mode. It will also align the operating systems of both the 5500 and 5500-X series hardware lines.

This should be available later this year.

PostPosted: Thu Aug 09, 2012 7:26 am 
Post Whore
Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8260
Location: Frederick MD
Certs: Instanity
matfa wrote:
Halo wrote:
Presuming you're using ASAs, you won't be terminating VPNs if you're in multiple context mode (as you would be if you're going for active/active). Might be worth bearing that in mind.
http://www.cisco.com/en/US/docs/securit ... texts.html

I've been informed by Cisco that ASA version 9.0 will allow IPsec and dynamic routing while in multiple context mode. It will also align the operating systems of both the 5500 and 5500-X series hardware lines.

This should be available later this year.


Hope that wasn't discussed outside your NDA with Cisco.

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw

PostPosted: Thu Aug 09, 2012 8:43 am 
Post Whore
Joined: Thu Oct 14, 2010 4:39 am
Posts: 1003
Certs: CCNP (R&S, Security), ITILv3 Foundation
They were talking about it at Cisco Live back in January, but as with all things Cisco, I'll believe it when I see it.
So is anyone else waiting for Cisco to announce the successor to the ASA?
http://www.bradreese.com/blog/4-9-2012.htm
