Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: Oliver Humpage <oliver () watershed co uk>
Date: Sun, 28 May 2006 10:59:54 +0100
I don't know, the network-buying community doesn't seem that simply
stratified. There are lots of levels in between, and at the very
least there is one in the middle where you don't have the expertise
to deploy fully open-source nor the desire to go completely mega-corp.

Just to weigh in on this discussion, which started the day after my
new Cisco ASA5510 + AIP-SSM module arrived... :) We're not huge
(about a 60-person charity operating out of one site), but a lot of
our stuff is based online and we're connected to a fast metropolitan
area network, hence we host our servers in-house.

I'm a strong advocate of open source solutions (until now, my various
routers/firewalls were OpenBSD based), and hacked-together-out-of-
parts-and-custom-scripts stuff (like my anti-spam gateway). However,
what I wanted was a full-on filter, that would spot viruses and
network/protocol attacks *and* block them in real time. Snort and its
add-ons just didn't quite seem up to scratch.

So I wanted something that would protect our various public servers,
and also provide a layer of AV/malware defense for the internal
networks (protected as well by an OpenBSD box, which is staying in
place), and settled on the Cisco - it seemed that the basis of the
PIX OS, plus the AIP-SSM card (with its AV protection), was a pretty

I agree absolutely that an all-in-one solution breaks the ideal of
"defense in depth" - however, since what I wanted was mostly a
border router (we have 3 routes out) and application-level IPS (not
just IDS), the ASA seemed like it would do the job at a price we
could afford, throw in a handy VPN endpoint for a few home workers,
and let me get on with configuring rules rather than making lots of
boxes work together.

I suppose I'm posting because I wanted to throw a real-world example
into the debate: although theoretically the ASAs are a "bad" idea, it
seemed that they suited us perfectly. If anyone does break into it,
hopefully the tripwire-style sensors on the servers themselves will
spot any dodgy stuff that happens as a result, and I've got a
separate router protecting the more sensitive private networks. I
reckon it works out as a reasonable balance between cost,
manageability and security.

Oh, and if anyone has any tips/hints on configuration, I'd love to
hear them, since I'm pretty new to the PIX OS.

Cheers, and sorry for the long post,
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com