PIX and BorderManager

[cjlemmer]

We are trying to get BorderManager working with a PIX firewall. Pix to keep people from coming in and BorderManager to restrict who goes out on a Netware NDS username basis.

Has anyone done this type of setup and if so, how did you set up the routing and NAT?

 

[raburns]

Just curious as to why you aren't using BorderManager to keep people from getting in.

 

[cjlemmer]

Although we know BorderManager is an ICSA-certified firewall, we decided to go with the PIX due to its reputation and local support. We were also told that BorderManager's firewall isn't it's strongest feature. Better safe than sorry when it comes to network security.

We found some documentation on how to set up BorderManager as a proxy only server to keep people from getting out, while using an existing firewall to keep people from coming in. Our network admin is going to try that route next.

 

[jholc]

Using the PIX and BorderManager sounds like good defense-in-depth to me. We are currently using this setup as follows:

LAN -> BorderManager -> PIX -> Router -> Internet

Here is an example of how you can configure IP:

LAN(private ip addressing)
192.168.0.x

BorderManager (proxy services only)
"inside" interface: 192.168.0.1
"outside" interface: 192.168.1.1

PIX (firewall services and NAT)
"inside" interface: 192.168.1.2
"outside" interface: 12.x.x.x (public ip)

Router
"inside" interface: 12.x.x.x (public ip)
"outside" interface: 10.x.x.x (private ip given by ISP)

This configuration, if done properly, is fairly secure. It comes with a cost, however. Troubleshooting issues with other companies' browser-based applications can be difficult. I can give you some more detail if needed. Good luck!

jholc