
Anyone retired their VPN Concentrator 3000 series recently?

oddyager

Diamond Member
I have a few concentrators and with them being EOL and not much support going on I'm wanting to replace them. I also wanted to upgrade the existing internet firewalls we have (currently redundant PIX 535s) with beefier ASA models and running all of our VPNs off that same firewall as well (adding the VPN module to it). Good idea, bad idea? Aside from eggs in one basket argument, any reason I shouldn't do that? We have about 200 VPN connections at the most on any given day.
 
We have a pair of Juniper's SA4500 running in parallel to the Cisco 3060 Concentrators.
They've been working well so far; we just need to find a time to migrate everyone over, which will require a lot of leg work.

We use dedicated hardware for VPN to keep it separate from the firewall traffic load on our ASA5550s.
If you only have 200 concurrent connections at a time, having it on your new ASAs should be fine.

If you're looking to replace your PIX535s, look into Palo Alto's firewall...they do L7 inspections and content filtering at line rate.
The performance kicks Cisco & Juniper's ass.
I've been trying to persuade my colleagues to switch to them, but everyone's afraid of their young history, even though the founders all came from Juniper/Netscreen.
 
I was very impressed by Palo Alto's presentation at Interop this year. If I were in the market for something of that performance level, I would definitely look at them. Unfortunately, they don't operate in the SMB sector, so I will not likely have an opportunity to work with them any time soon.
 
Traditional L4 firewalls from Cisco & Juniper are all port-based. You define source -> destination in the ACL based on IP & port numbers.
The firewalls have no intelligence in determining if it's legit http traffic to your web server, or if somebody's exploiting your vulnerabilities.
Some of them can support some L7 features, but they're very limited.

Palo Alto Networks is one of the few players in the next generation firewalls market.
They do full L7 firewall and IPS for inbound traffic.
They also do content filtering outbound based on apps & user login/AD credentials.
They can even do PCI compliance checks for you to make sure no credit card number or SSN leaks out of your network.

**Disclaimer**
I'm in no way affiliated w/ Palo Alto.
I just came across their product, and thought they're a very unique player that offers a solution that no other big players have yet.
Cisco has Iron Port, but it's not really the same thing.
 
Sounds like they took the best of packeteer and made it a true L7 firewall. As long as they have the silicon to do it I'll keep my eye on them.
 
In the process, have a pair of ASAs running with plans to move everything over from the VPN3000s. Just need to find time.
 
> I have a few concentrators and with them being EOL and not much support going on I'm wanting to replace them. I also wanted to upgrade the existing internet firewalls we have (currently redundant PIX 535s) with beefier ASA models and running all of our VPNs off that same firewall as well (adding the VPN module to it). Good idea, bad idea? Aside from eggs in one basket argument, any reason I shouldn't do that? We have about 200 VPN connections at the most on any given day.


That's funny - I'm working on this exact project today. I'm swapping a VPN 3000 with an ASA 5510, and am deploying SSL VPN with the Anyconnect client. The hardware isn't very expensive, and the license is very cheap. If you want to do client-less SSL VPN the licensing gets very expensive, so we elected not to go that route. The 5510 scales to 250 concurrent connections, and you can cluster them to get more capacity. The 5520 does like 500 concurrent sessions, but is substantially more expensive.

Juniper stuff is nice too, but I haven't used it personally. I've been pleased with the various IPSec VPN setups I've done with the ASAs, and expect this to go well too.
 
> Traditional L4 firewalls from Cisco & Juniper are all port-based. You define source -> destination in the ACL based on IP & port numbers.
> The firewalls have no intelligence in determining if it's legit http traffic to your web server, or if somebody's exploiting your vulnerabilities.
> Some of them can support some L7 features, but they're very limited.
>
> Palo Alto Networks is one of the few players in the next generation firewalls market.
> They do full L7 firewall and IPS for inbound traffic.
> They also do content filtering outbound based on apps & user login/AD credentials.
> They can even do PCI compliance checks for you to make sure no credit card number or SSN leaks out of your network.
>
> **Disclaimer**
> I'm in no way affiliated w/ Palo Alto.
> I just came across their product, and thought they're a very unique player that offers a solution that no other big players have yet.
> Cisco has Iron Port, but it's not really the same thing.

To clear up misinformation - Cisco has modules that you can add to the 5520, 5540, and 5580 firewalls that perform enterprise-class IPS. I just bought one and haven't yet put it into production, so I can't really speak to it, but I'm told that with the right license package it offers similar functionality to their big IPS units, and you get access to the same protocol signatures for detection.
 
Thanks for the response.

Just a quick clarification - many existing IPS solutions (including the IPS module for ASAs) can detect attacks against applications.
If your only goal is to protect your applications from external attacks, that's all you need.

What differentiates PaloAlto's firewall from traditional firewalls and IPS' is their Application visibility and control feature.
It provides very granular control over applications...you get to dictate exactly what apps can flow through which zones, and who gets to use the apps at very high speed. (5G w/ IPS turned on, 10G w/o IPS)

It's essentially a combo-box w/ content filter, firewall, and IPS.
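The two points made in this thread (a port-based L4 ACL cannot tell what application is really inside a flow, while an application-aware policy keys on zone, identified app and user) are easy to see side by side in a small simulation. The following is an added example written for this thread, not code from Cisco, Juniper or Palo Alto Networks: the zone names, users, group memberships, rule tables and the three payload signatures are all constructed for the demo, and a real app-ID engine uses far richer, stateful classification than these first-bytes checks.

```python
"""Port-based (L4) rule set versus application-aware (L7) policy, as a toy model.

All zones, users, rules and signatures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    src_zone: str   # zone the connection originates from
    dst_zone: str   # zone it is headed to
    dst_port: int   # destination TCP port
    user: str       # identity from a directory lookup ("-" when unknown)
    payload: bytes  # first bytes sent by the client


# --- Layer 4 rule set: only zones and destination port are considered --------
L4_ACL = [
    # (src_zone, dst_zone, dst_port, action)
    ("untrust", "dmz", 443, "allow"),
    ("untrust", "dmz", 80, "allow"),
    ("trust", "untrust", 443, "allow"),
]


def l4_decision(flow: Flow) -> str:
    """Classic port-based ACL: whatever rides on an allowed port gets through."""
    for src, dst, port, action in L4_ACL:
        if (src, dst, port) == (flow.src_zone, flow.dst_zone, flow.dst_port):
            return action
    return "deny"


# --- Application identification: classify by payload, independent of port ---
# Constructed, deliberately simple signatures.
APP_SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("tls", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),
    ("http", lambda p: any(p.startswith(m + b" ")
                           for m in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"))),
]


def identify_app(payload: bytes) -> str:
    for name, matches in APP_SIGNATURES:
        if matches(payload):
            return name
    return "unknown"


# --- Layer 7 policy: zone pair, identified app and user group ----------------
USER_GROUPS = {"alice": {"netops"}, "bob": {"sales"}}  # constructed directory data

L7_POLICY = [
    # (src_zone, dst_zone, app, allowed groups or "*" for anyone, action)
    ("untrust", "dmz", "tls", "*", "allow"),
    ("untrust", "dmz", "http", "*", "allow"),
    ("trust", "untrust", "tls", "*", "allow"),
    ("trust", "untrust", "ssh", {"netops"}, "allow"),
]


def l7_decision(flow: Flow) -> tuple[str, str]:
    """App-aware policy: returns (action, identified_app)."""
    app = identify_app(flow.payload)
    for src, dst, pol_app, groups, action in L7_POLICY:
        if (src, dst, pol_app) != (flow.src_zone, flow.dst_zone, app):
            continue
        if groups == "*" or USER_GROUPS.get(flow.user, set()) & groups:
            return action, app
    return "deny", app


# Constructed sample flows (a TLS ClientHello prefix, an HTTP request, an SSH banner).
TLS_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32
SSH_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
SAMPLE_FLOWS = {
    "https_to_web_server": Flow("untrust", "dmz", 443, "-", TLS_HELLO),
    "http_to_web_server": Flow("untrust", "dmz", 80, "-",
                               b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "ssh_banner_on_port_80": Flow("untrust", "dmz", 80, "-", SSH_BANNER),
    "ssh_on_443_sales_user": Flow("trust", "untrust", 443, "bob", SSH_BANNER),
    "ssh_on_443_netops_user": Flow("trust", "untrust", 443, "alice", SSH_BANNER),
}


def run_all() -> dict[str, tuple[str, str, str]]:
    """Map each sample flow to (l4_action, l7_action, identified_app)."""
    results = {}
    for name, flow in SAMPLE_FLOWS.items():
        l7_action, app = l7_decision(flow)
        results[name] = (l4_decision(flow), l7_action, app)
    return results


if __name__ == "__main__":
    for name, (l4, l7, app) in run_all().items():
        print(f"{name:24s} L4={l4:5s} L7={l7:5s} app={app}")
```

The interesting rows are the last three: the port-based ACL allows every one of them because the port is permitted, whereas the L7 policy denies the SSH banner arriving on port 80 (no rule for that app on that zone pair) and denies the SSH-over-443 flow from the sales user while allowing the same flow from the netops user, which is exactly the "which apps, through which zones, for whom" control described above.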
 