
Newbish question - overkill.


Harmonia

Programmer
May 5, 2003
2
US
Hi,

This is simply a general question about requirements. I work in a company of about thirty employees, roughly ten - fifteen of which use the internet / email for work to a small degree. On Friday, our IT manager persuaded the MD to lay out £10,000 on a PIX 520 firewall (I think with a 1000 user licence).

I don't know that much about firewalls, but given our limited needs and our broadband internet connection this seemed to be a bit of overkill.

I know this isn't strictly a technical question but could some of you wiser folk here respond and let me know if I'm right to query this? What can this hardware do that a linux box with say Smoothwall could not do? And is it appropriate in our environment?

Much thanks in advance,

-Harmonia

Have a good day.
 
How can I put this nicely? I think your IT manager needs a bit of a reality check. Here's why:

1) The PIX 520 is no longer made. It hasn't been produced for about two years now. In fact, you could probably pick up its replacement, a 525 for less money and the 525 would have an unlimited user license vs. a 1,000-user license. From the sounds of it, your IT manager is trying to buy a used piece of equipment for 10,000. Not good. Furthermore, the 525 is a better device than the 520 simply because it doesn't need a floppy for upgrades, etc. Not a huge deal, but it can be a nuisance.

2) A 520 for 30 users? Complete overkill. For comparison's sake, one of my 525's services 3,000 users, and that's a bit overkill. I also have several 515s servicing 750-1,000 users. The only gotcha is if you plan on setting up a busy DMZ and expect a lot of traffic from the Internet to that DMZ. You may need some horsepower there.

3) Linux vs. PIX? I don't know a whole lot about the Smoothwall project, but I prefer the appliance model of the PIX. It's very easy to maintain and I don't have to worry about downloading the latest RPM patches for it every week (as I have to do with Linux today).

My recommendation: If you need a DMZ, the lowest model you can go is a PIX 515 with a restricted license. The "Restricted" part means you can't do hot failover and multiple DMZs (only one DMZ allowed). There is no user limit, however.

If you don't need a DMZ, look at either the 506, or even a 501 w/ 50-user license. The commands, etc. are exactly the same across all models, so you aren't losing much functionality. If you want to do VPNs, lean towards the 506 or 515. The 506 and 501 are under US $1,000, so maybe I'm pretty sure you can get them for less than 10,000 in the U.K.!
 
Thank you very much. It's been the considered opinion of the handful of engineers here (lost amongst the sales people and managers) that our new IT Manager has only a nodding acquaintance with Reality(tm).

However, I was not aware that the unit he bought is out of production!

I'm fairly sure that it's the PIX 520 that we now have, so something is wrong here. We don't need a DMZ so I'm guessing our company has been ripped off.

Thanks a lot, especially for the comparison figures,

-Harmony


Have a good day.
 
Sounds like a PIX 506e will be more than enough for your company.
 