Oh..heh...I guess it was answered.  That's what I get for reading my email
from bottom to top ;)

Allen

----- Original Message -----
From: "Brian Wilkins" 
To: 
Sent: Monday, July 09, 2001 9:50 PM
Subject: RE: PIX recommendations !!! [7:11336]


> Personally, I like hardware solutions over software solutions.  My company
> recently ditched proxy in favor of border routers running the firewall IOS
> and PIX's inside.  One nice thing about the PIX is PAT (Port Address
> Translation).  We run several thousand IP addresses out to the Internet
> using only 1 real IP.  The downside for you will be that you will need to
> reconfigure your clients' proxy settings, since the PIX is not a proxy
> server.  The best way to do this is to just point your core routers to the
> PIX as the gateway of last resort and as long as the clients can get to the
> core, you're ok.
>
> Websense and the Cisco Cache engine also work very nicely with the PIX and
> firewall IOS.  I'm not sure I can agree on Private I being a great
> monitoring tool, even though a lot of people like it.  I've always had
> issues with the reporting features.  It does work nicely though, if all you
> want is to collect syslog messages and be alerted to various events.
>
> Brian Wilkins
>
>
>
>
> Rik Guyler wrote:
> >
> > Remember that the Proxy server doesn't really provide security
> > as such but
> > rather content caching.  Unfortunately the benefit is not that
> > great for big
> > pipes to the Internet and so its value is questionable.  If you
> > are using a
> > somewhat slow link or your link is rather oversubscribed, then
> > I would keep
> > the proxy server to reduce the bandwidth requirements via
> > caching.
> >
> > For your situation, I might consider keeping the proxy server
> > in place
> > regardless of your circuit bandwidth.  You say you already have
> > filtering
> > software in place so why buy something else to handle the same
> > requirement
> > you're already fulfilling?  Websense filters URL (HTTP only)
> > content plus
> > provides authentication via the NT database and creates a
> > variety of
> > reports.  For the money, this is one of the best products out
> > there (I
> > know...I install this product quite frequently).  A cache
> > engine is a great
> > product also but neither one comes cheap.  Since you can
> > already handle the
> > caching and filtering, I wouldn't waste the money replacing
> > them.
> >
> > You can use the MS RADIUS server, which is free (IIS option
> > pack), but you
> > still would be giving up the caching and URL filtering
> > capabilities of your
> > current Proxy server.  I like John's overall solution the best
> > but if the
> > budget is limited, stay with the Proxy box and integrate it
> > into the PIX
> > solution.
> >
> > If you want content filtering, then go with
> >
> > ---
> > Rik Guyler
> >
> > -----Original Message-----
> > From: John Hardman [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, July 08, 2001 1:23 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: PIX recommendations !!! [7:11336]
> >
> >
> > Hi
> >
> > I had a very similar problem to solve at work myself.
> >
> > The recommendation I finally came up with to meet the business
> > needs of...
> >
> > 1) Content filtering
> > 2) Logging of Internet activity
> > 3) Improved usage of Internet bandwidth
> >
> > So we used...
> >
> > 1) PIX 520 UR with fail-over
> > 2) WebSense content filtering
> > 3) And add a cache engine using WCCP
> > 4) Added a Private I syslog server/analyzer for detailed usage
> > reports
> >
> > If I also had the need to do authentication against an NT
> > domain I would
> > have also added Cisco Secure ACS and had it use the NT SAM as
> > its database.
> > I guess you could also use the MS RADIUS server to authenticate
> > against the
> > domain, but I have never used this so I can not guarantee that
> > it will work.
> >
> > HTH
> > --
> > John Hardman CCNP MCSE
> >
> >
> > "Raees Ahmed Shaikh" wrote in message
> > news:[EMAIL PROTECTED]...
> > > Hi all,
> > >
> > > I just need some of the recommendations to install a PIX box 525 in our
> > > network, currently we have MS proxy in our network, should I replace proxy
> > > with the PIX, or use two level of defense, comprising of PIX&Proxy.  We have
> > > some application level url filtering software running on that proxy as well.
> > > Moreover the MS-proxy is using the NT Domain Security Model and thus using
> > > cut-through proxy feature, can that security be available if I go on, with
> > > PIX. Without the MS-proxy is it possible to use the same NT database for
> > > cut-through authentication.
> > >
> > > Some helpful tips please which will help me in the designing process.
> > >
> > > Thanks in advance and Best Regards,
> > >
> > > Shaikh Raees,
> > >
> > > CCNP,CCNA,CCDA,MCSE,MCP,CNE,CCIE Written.
> > >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11713&t=11336