Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: Oliver Humpage <oliver () watershed co uk>
Date: Sun, 28 May 2006 10:59:54 +0100

I don't know, the network-buying community doesn't seem that simply  
stratified.  There are lots of levels in between, and at the very  
least there is one in the middle where you don't have the expertise  
to deploy fully open-source nor the desire to go completely mega-corp.

Just to weigh in on this discussion, which started the day after my  
new Cisco ASA5510 + AIP-SSM module arrived... :) We're not huge  
(about a 60 person charity operating out of one site), but a lot of  
our stuff is based online and we're connected to a fast metropolitan  
area network, hence we host our servers in-house.

I'm a strong advocate of open source solutions (until now, my various  
routers/firewalls were OpenBSD based), and hacked-together-out-of- 
parts-and-custom-scripts stuff (like my anti spam gateway). However,  
what I wanted was a full on filter, that would spot viruses and  
network/protocol attacks *and* block them in real time. Snort and its  
add-ons just didn't quite seem up to scratch.

So I wanted something that would protect our various public servers,  
and also provide a layer of AV/malware defense for the internal  
networks (protected as well by an OpenBSD box, which is staying in  
place), and settled on the Cisco - it seemed that the basis of the  
PIX OS, plus the AIP-SSM card (with its AV protection), was a pretty  
good combination.

I agree absolutely that an all-in-one solution breaks the ideal of  
"defense in depth" - however, since what I wanted was a mostly a  
border router (we have 3 routes out) and application-level IPS (not  
just IDS), the ASA seemed like it would do the job at a price we  
could afford, throw in a handy VPN endpoint for a few home workers,  
and let me get on with configuring rules rather than making lots of  
boxes work together.

I suppose I'm posting because I wanted to throw a real world example  
into the debate: although theoretically the ASAs are a "bad" idea, it  
seemed that they suited us perfectly. If anyone does break into it,  
hopefully the tripwire style sensors on the servers themselves will  
spot any dodgy stufft hat happens as a result, and I've got a  
separate router protecting the more sensitive private networks. I  
reckon it works out as a reasonable balance between cost,  
managability and security.

Oh, and if anyone has any tips/hints on configuration, I'd love to  
hear them, since I'm pretty new to the PIX OS.

Cheers, and sorry for the long post,

firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]