  1. #1
    Join Date
    May 2006
    Posts
    249

    Advice needed on Cisco PIX 508

    Hello,

    I am thinking of purchasing a Cisco PIX 508 and plugging it in for the shared hosting server..., for just one server, and the server specs will be like

    dual core, dual CPU with 4GB RAM, and it will be on a 100mbps port.

    and if I add one more server, I am thinking of purchasing another Cisco PIX 508..

    as I know the Cisco PIX 508 can handle up to 100mbps and I think if there is a DDoS on the server, the PIX will overload because of the attack, and I think it is not good to share one PIX 508 with like 2 servers...

    is it? or should I use one PIX for at least 2 servers?

    will the Cisco PIX overload and affect the other server when there is a DDoS attack on another server?

    Please give me advice on what would be a good number of servers to share one PIX 508? also, if I share it, what switch do you guys recommend from Cisco.. like a Cisco 29xx?

    thanks

  2. #2
    Join Date
    Mar 2005
    Location
    Sri Lanka\Colombo
    Posts
    357
    get a 515E, that can do 2 servers without an issue, you can even have 2 LAN ports (DMZ)

  3. #3
    Join Date
    May 2006
    Posts
    249
    so even if there is a DDoS, it won't affect the other server? the 515E has two out ports? means no switch needed?

    thanks

  4. #4
    Join Date
    Nov 2005
    Location
    Minneapolis, MN
    Posts
    1,648
    What does your upstream connectivity look like? If you are getting a 100mbit port at a data center with multi-gigabit upstream connectivity then even placing the most expensive firewall in the world right in front of your server isn't going to do anything in the event of a DDoS attack; once your 100mbit interface is saturated it's game over. For DoS mitigation to be effective it needs to be handled much further upstream in the connection.

    Are you sure you really need a hardware firewall? We've already established it's not going to help significantly with DoS attacks, and intrusion detection looks for signatures and won't be as effective as an APF/BFD combo that's keyed off the logs on your server. Usually you only pursue a hardware firewall solution if you are uncertain the server software firewall will be properly configured and want an appliance to filter the traffic in advance, or you know that the filtering done on the box is so processor intensive that you want to offload it to an external appliance.
    Eric Spaeth
    Enterprise Network Engineer :: Hosting Hobbyist :: Master of Procrastination
    "The really cool thing about facts is they remain true regardless of who states them."

  5. #5
    Join Date
    Mar 2005
    Location
    Sri Lanka\Colombo
    Posts
    357
    yeah, with the 515E you can get more than one port, but you may need to pay license fees.

    if you really want to stop DDoS, PIX might not be the correct thing. we use local server firewalls as well, like APF/BFD, like spaethco said.

    we use a system like

    PIX --> APF/BFD --> Snort with SnortSam and the PIX module.

    keep in mind PIX is limited and not very flexible, as they say.
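Posts #4 and #5 both point at a host-based APF/BFD combination that is keyed off the server's own logs rather than at the appliance. The script below is an added illustration of that idea and is not code from the thread, from APF or from BFD: it parses a constructed sample of sshd auth log lines, counts failed logins per source address inside a sliding time window, skips an allow list so an admin cannot lock themselves out, and emits the deny commands a host firewall would be handed. The `apf -d <ip> <comment>` syntax in the output is an assumption about APF's deny option and should be checked against your installed version. The sample also includes a low-and-slow source that a short window misses and a longer window catches, which is the kind of tuning caveat a practitioner hits with any log-driven blocker.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in syslog/sshd format (not taken from the thread).
# 198.51.100.7 fails five times in eight seconds; 192.0.2.99 fails five times
# spread over twenty minutes; 203.0.113.5 is a legitimate user with one typo.
SAMPLE_LOG = """\
Jun  3 10:00:01 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jun  3 10:00:03 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 51024 ssh2
Jun  3 10:00:04 web1 sshd[2204]: Failed password for invalid user admin from 198.51.100.7 port 51025 ssh2
Jun  3 10:00:06 web1 sshd[2206]: Failed password for root from 198.51.100.7 port 51026 ssh2
Jun  3 10:00:09 web1 sshd[2208]: Failed password for root from 198.51.100.7 port 51029 ssh2
Jun  3 10:00:12 web1 sshd[2210]: Accepted password for deploy from 203.0.113.5 port 40001 ssh2
Jun  3 10:01:30 web1 sshd[2215]: Failed password for deploy from 203.0.113.5 port 40002 ssh2
Jun  3 10:45:00 web1 sshd[2301]: Failed password for root from 192.0.2.99 port 33001 ssh2
Jun  3 10:50:00 web1 sshd[2302]: Failed password for root from 192.0.2.99 port 33002 ssh2
Jun  3 10:55:00 web1 sshd[2303]: Failed password for root from 192.0.2.99 port 33003 ssh2
Jun  3 11:00:00 web1 sshd[2304]: Failed password for root from 192.0.2.99 port 33004 ssh2
Jun  3 11:05:00 web1 sshd[2305]: Failed password for root from 192.0.2.99 port 33005 ssh2
"""

# Matches only failed password attempts; "Accepted" lines are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return a list of (timestamp, source_ip) for every failed login line.

    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events


def offenders(events, threshold=5, window_minutes=10, allow=frozenset()):
    """Map each source IP to its peak failure count within any sliding window
    of `window_minutes`, keeping only IPs that reach `threshold`.
    Addresses in `allow` are never reported, mirroring BFD-style ignore lists."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    hits = {}
    for ip, times in by_ip.items():
        if ip in allow:
            continue
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans less than `window`.
            while t - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def deny_commands(hits):
    """Render one host-firewall deny command per offender.
    Assumption: APF accepts `apf -d <ip> <comment>`; verify with `apf --help`."""
    return [f"apf -d {ip} bfd:{count}_failed_logins" for ip, count in sorted(hits.items())]


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    print("10-minute window:", deny_commands(offenders(evts)))
    print("30-minute window:", deny_commands(offenders(evts, window_minutes=30)))
    print("with allow list:", deny_commands(offenders(evts, allow={"198.51.100.7"})))
```

With the default 10-minute window only the fast brute-forcer is reported; widening the window to 30 minutes also catches the slow one, at the cost of more false positives from users who genuinely mistype. Nothing here changes the point of post #4: this blocks abusive logins on the host, it does not help once the 100mbit interface itself is saturated.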
