> I don't know, the network-buying community doesn't seem that simply
> stratified. There are lots of levels in between, and at the very
> least there is one in the middle where you don't have the expertise
> to deploy fully open-source nor the desire to go completely mega-corp.

Just to weigh in on this discussion, which started the day after my
new Cisco ASA5510 + AIP-SSM module arrived... We're not huge
(about a 60 person charity operating out of one site), but a lot of
our stuff is based online and we're connected to a fast metropolitan
area network, hence we host our servers in-house.

I'm a strong advocate of open source solutions (until now, my various
routers/firewalls were OpenBSD based), and hacked-together-out-of-
parts-and-custom-scripts stuff (like my anti spam gateway). However,
what I wanted was a full on filter, that would spot viruses and
network/protocol attacks *and* block them in real time. Snort and its
add-ons just didn't quite seem up to scratch.

So I wanted something that would protect our various public servers,
and also provide a layer of AV/malware defense for the internal
networks (protected as well by an OpenBSD box, which is staying in
place), and settled on the Cisco - it seemed that the basis of the
PIX OS, plus the AIP-SSM card (with its AV protection), was a pretty
good combination.

I agree absolutely that an all-in-one solution breaks the ideal of
"defense in depth" - however, since what I wanted was mostly a
border router (we have 3 routes out) and application-level IPS (not
just IDS), the ASA seemed like it would do the job at a price we
could afford, throw in a handy VPN endpoint for a few home workers,
and let me get on with configuring rules rather than making lots of
boxes work together.

I suppose I'm posting because I wanted to throw a real world example
into the debate: although theoretically the ASAs are a "bad" idea, it
seemed that they suited us perfectly. If anyone does break into it,
hopefully the tripwire style sensors on the servers themselves will
spot any dodgy stuff that happens as a result, and I've got a
separate router protecting the more sensitive private networks. I
reckon it works out as a reasonable balance between cost,
manageability and security.

Oh, and if anyone has any tips/hints on configuration, I'd love to
hear them, since I'm pretty new to the PIX OS.

Cheers, and sorry for the long post,

firewall-wizards mailing list