Wednesday 14 January 2015

Infrastructure upgrade

With the 100 Mbps line arriving in the next few weeks (I hope) I've been thinking thoughts about infrastructure.

On firewalls - I like the Cisco Pix; there's a whole range of them, they're obsolete, and once you're used to programming them, they're easy to program.

I use a Pix 506e both here, and at my colocation in Cheltenham. Here, it's only having to handle 2 Mbps, but at Cheltenham it sits on a 100 Mbps link, and it copes fine. But the specs for a 506e say "up to 100 Mbps throughput", and I'm always a bit nervous about that "up to" phrasing. So if it could only handle 50 Mbps, that would still be "up to 100"?

So I'm thinking, maybe I should think about getting something beefier. I have a Pix 515, that's capable of "up to 147 Mbps" which sounds adequate.

But then I had a forage through eBay, and I found a Pix 525 for £40. It can transfer 330 Mbps. And, even better, it has 10 ethernet ports! What's the use of 10 ethernet ports? DMZ!

One is for inbound packets, and one is for outbound. So you always need at least two ports on a firewall, let's call them INSIDE and OUTSIDE. But if you have a third, then you can have less security on it.

So let's consider web access. You might want outsiders to have access to some of your servers, but not to others. The ones that you allow outsiders to access via the web, could be put on that third ethernet port, usually called "DMZ - demilitarised zone". And it means that you have a whole separated network, with no access from DMZ to INSIDE, so that even if (heaven forbid) someone hacked into a DMZ computer, they still don't get access to the INSIDE computers.
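To make the INSIDE/OUTSIDE/DMZ idea concrete, here is a small policy model, added as an example (it is not code from this post and not Cisco's software). It follows the PIX convention that every interface carries a security level, traffic from a higher level to a lower one passes by default, and the reverse direction is dropped unless an explicit permit matches, so the only hole is OUTSIDE to the DMZ web ports. Interface names are the post's; the addresses, ports, the DMZ level of 50 and the exact matching logic are my constructed assumptions, and the model ignores NAT and the way a real access-list replaces the default on its interface.

```python
"""Three-zone firewall policy model: INSIDE, DMZ, OUTSIDE (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Security levels by interface (OUTSIDE lowest, INSIDE highest); DMZ=50 is an assumption.
SECURITY_LEVEL = {"OUTSIDE": 0, "DMZ": 50, "INSIDE": 100}

# Constructed addressing: anything not on one of these nets is treated as OUTSIDE.
INTERFACE_NETS = {
    "INSIDE": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("192.168.2.0/24"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Permit:
    """An explicit low-to-high exception, like an access-list applied to OUTSIDE."""
    src_if: str
    dst_net: str
    proto: str
    dport: int


# The only exceptions: the web servers in the DMZ are reachable from OUTSIDE.
PERMITS = (
    Permit("OUTSIDE", "192.168.2.0/24", "tcp", 80),
    Permit("OUTSIDE", "192.168.2.0/24", "tcp", 443),
)


def interface_for(addr: str) -> str:
    """Map an address to the interface it sits behind."""
    a = ip_address(addr)
    for name, net in INTERFACE_NETS.items():
        if a in net:
            return name
    return "OUTSIDE"


def decide(flow: Flow, permits=PERMITS) -> str:
    """Return 'permit', 'deny', or 'local' (same interface: never crosses the firewall)."""
    src_if, dst_if = interface_for(flow.src), interface_for(flow.dst)
    if src_if == dst_if:
        return "local"
    # Higher security level talking to a lower one is allowed by default.
    if SECURITY_LEVEL[src_if] > SECURITY_LEVEL[dst_if]:
        return "permit"
    # Lower to higher is denied unless an explicit permit matches exactly.
    for p in permits:
        if (p.src_if == src_if and p.proto == flow.proto and p.dport == flow.dport
                and ip_address(flow.dst) in ip_network(p.dst_net)):
            return "permit"
    return "deny"


def dmz_is_isolated(permits=PERMITS) -> bool:
    """Sanity check on a rule set: no exception lets DMZ hosts initiate into INSIDE."""
    inside = INTERFACE_NETS["INSIDE"]
    return not any(p.src_if == "DMZ" and ip_network(p.dst_net).overlaps(inside)
                   for p in permits)


if __name__ == "__main__":
    samples = [
        Flow("203.0.113.5", "192.168.2.10", "tcp", 443),   # internet -> DMZ web server
        Flow("203.0.113.5", "192.168.1.10", "tcp", 443),   # internet -> INSIDE host
        Flow("192.168.2.10", "192.168.1.10", "tcp", 22),   # hacked DMZ box -> INSIDE
        Flow("192.168.1.10", "192.168.2.10", "tcp", 22),   # admin on INSIDE -> DMZ
        Flow("192.168.1.10", "203.0.113.5", "tcp", 443),   # INSIDE -> internet
    ]
    for f in samples:
        print(f"{interface_for(f.src):7} -> {interface_for(f.dst):7} "
              f"{f.proto}/{f.dport}: {decide(f)}")
    print("DMZ isolated from INSIDE:", dmz_is_isolated())
```

The third sample is the one that matters: a compromised DMZ host trying to reach INSIDE gets "deny" with no rule needed, because 50 is lower than 100. Note that the same default lets the DMZ talk out to OUTSIDE freely, which is the direction you would tighten next on a real box, since it is what a hacked web server would use to phone home.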

And the other seven ports? Most likely, I won't use them. If I were buying new, I wouldn't want them. But since they're already there, I don't care. And maybe I can use them for something; I've found that often when I get something with more capabilities than I really need, I find a use for those extra capabilities.

And that's the great thing about buying obsolete corporate-type equipment. If you know what you're doing, you can buy fantastic bargains. No corporate IT department would buy an obsolete Pix as their firewall, they'd get something brand new from Cisco costing £500. Or £5000. Or £120,000.

But how obsolete is this? It can handle three times as much bandwidth as I actually have, it will give me a DMZ (and seven more DMZs if I want them) and if it should break down, I can always slide on my old Pix 515 or 506e until I get a replacement.

Or I could build my own firewall. I know I can do that, because I did; you just have three ethernet ports in a Linux PC, and program the iptables. But with a Pix 525 costing only £45, I'd rather use that.


  1. Can you still get updates to the Pix firmware? Last year was not kind to the ASA line, and I know they share some common code...

    (Sorry if this is a duplicate; Blogger seems to have eaten my previous attempt at this comment, but maybe it's just slow)

  2. I doubt it, but would that be a problem? This thing is mega - see my next blog.

  3. I'd worry about security issues with it. They've had a historical problem with all those protocol analyzers it comes with. Some of them can be turned off (ex: SIP), some can't. I say this as someone with a fair bit of ASAs in places :) Again, that might be the ASAs, not the PIX, but I know there's some code shared.