Friday 6 February 2015

From the network lab ...

Yes, I now have a network lab. It consists of PIXes:

A 525 with 10 interfaces and a failover licence, which means it reboots every 24 hours, but it has the lovely, lovely ASDM interface.
A 515E with 6 interfaces and a full licence.
A 515E with two interfaces and a failover licence.

And computers:

A computer on the IP 9.9.9.9 which represents the outside world
A computer on the IP 192.168.1.2 which is on the DMZ
A computer on the IP 10.0.0.4 which is on the inside interface
A computer on the IP 10.149.17.212 which is also on the inside

The four computers above stand in for my full network, and share three monitors.

A computer on the IP 10.149.17.128 which is also on the inside. That's running the Linux GUI, and is used to control the PIX via the ASDM interface, and to go and look things up using Google.

There's also the usual mess of cables, switches, keyboards and bits of paper. I'm now setting up my regression testing. This means that for every possible combination of inside/DMZ/outside (six possibilities) and for all the important services (SSH, HTTP, HTTPS, SMTP, DNS, Samba and NFS) I test each one (so far, 30-odd tests) to check that the packet flow is correctly allowed or correctly denied. So far, I've got everything working except NFS and DNS, and that's because I've run out of time today.
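The zone-pair-times-service matrix described above is the kind of thing worth writing down once as an oracle and running mechanically every time the rule set changes. The harness below is an added example and is not the author's code: the zone hosts are the ones listed in the post, but the expected policy (EXPECTED_ALLOW), the port numbers chosen for each service and the simulated PIX rule set are assumptions made for the example. The real probe (tcp_connect_probe) has to run from a host in the source zone; the simulated probe stands in for the firewall so the whole thing runs offline, with two mistakes planted in it so the harness has something to find.

```python
# Added example, not from the original post.  Zone hosts follow the post;
# EXPECTED_ALLOW, the service ports and the simulated rule set are assumed.
import itertools
import socket
from typing import Callable, List, NamedTuple

# One representative host per zone, taken from the post.
ZONES = {"outside": "9.9.9.9", "dmz": "192.168.1.2", "inside": "10.0.0.4"}

# Services under test and the port a probe targets.  Samba and NFS are reduced
# to their primary TCP ports (445, 2049) so a plain connect probe can test them.
SERVICES = {
    "ssh": ("tcp", 22), "http": ("tcp", 80), "https": ("tcp", 443),
    "smtp": ("tcp", 25), "dns": ("udp", 53), "samba": ("tcp", 445),
    "nfs": ("tcp", 2049),
}

# Assumed policy oracle (the post does not state its rules): any flow not
# listed for a (src, dst) pair must be denied.  Keeping it in one table means
# a rule change is reviewed here, not scattered through individual tests.
EXPECTED_ALLOW = {
    ("inside", "outside"): set(SERVICES),
    ("inside", "dmz"): set(SERVICES),
    ("dmz", "outside"): set(SERVICES),
    ("dmz", "inside"): set(),
    ("outside", "dmz"): {"http", "https", "smtp", "dns"},
    ("outside", "inside"): set(),
}


def zone_pairs():
    """The six ordered (src, dst) pairs of distinct zones."""
    return list(itertools.permutations(ZONES, 2))


class Result(NamedTuple):
    src: str
    dst: str
    service: str
    expected: bool   # True = the policy says this flow should be allowed
    observed: bool   # True = the probe got through the firewall

    @property
    def ok(self) -> bool:
        return self.expected == self.observed


def run_regression(probe: Callable[[str, str, str], bool]) -> List[Result]:
    """Run every (src, dst, service) combination through `probe`, which
    returns True when the flow is allowed, and compare with EXPECTED_ALLOW."""
    return [Result(src, dst, svc, svc in EXPECTED_ALLOW[(src, dst)], probe(src, dst, svc))
            for src, dst in zone_pairs() for svc in SERVICES]


def failures(results: List[Result]) -> List[Result]:
    return [r for r in results if not r.ok]


def report(results: List[Result]) -> str:
    """One line per test; an unexpectedly open flow is the dangerous case."""
    lines = []
    for r in results:
        verdict = ("PASS" if r.ok else
                   "FAIL: open, should be blocked" if r.observed else
                   "FAIL: blocked, should be open")
        lines.append(f"{r.src:>7} -> {r.dst:<7} {r.service:<5} {verdict}")
    return "\n".join(lines)


def tcp_connect_probe(src_zone: str, dst_zone: str, service: str, timeout: float = 2.0) -> bool:
    """Real probe: run on a host in src_zone.  A completed handshake or a RST
    (connection refused) both mean the packet reached the target host, i.e.
    the firewall passed it; only a timeout or no-route counts as denied.  UDP
    services need a protocol-specific probe and are not handled here."""
    proto, port = SERVICES[service]
    if proto != "tcp":
        raise NotImplementedError(f"{service}: no UDP probe in this example")
    try:
        with socket.create_connection((ZONES[dst_zone], port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return True
    except OSError:
        return False


# Constructed stand-in for the PIX so the harness runs offline.  Simplified PIX
# model: traffic from a higher security level to a lower one passes by default,
# the reverse needs an explicit permit.  Two mistakes are planted in the
# permits (ssh open from outside, dns missing) for the harness to catch.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}
SIMULATED_PERMITS = {
    ("outside", "dmz"): {"http", "https", "smtp", "ssh"},
    ("dmz", "inside"): set(),
}


def simulated_probe(src_zone: str, dst_zone: str, service: str) -> bool:
    if SECURITY_LEVEL[src_zone] > SECURITY_LEVEL[dst_zone]:
        return True
    return service in SIMULATED_PERMITS.get((src_zone, dst_zone), set())


if __name__ == "__main__":
    results = run_regression(simulated_probe)
    print(report(results))
    print(f"{len(results)} tests, {len(failures(results))} failures")
```

Against the simulated rule set the run reports 42 tests and two failures, one in each direction: outside -> dmz ssh is open when the oracle says deny, and outside -> dmz dns is blocked when the oracle says allow. The first is the one that matters for security, which is why report() calls it out separately. To use it on the real lab, run the script on a host in each source zone with tcp_connect_probe substituted for simulated_probe, and remember that the probe's "denied" verdict relies on timeouts, so a host that silently drops rather than refuses will look the same as a firewall drop.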

Tomorrow, I'll finish the regression test setup. Then I'll unhook the 525 and try it all out on the 515. I haven't decided yet which one will be the main PIX, but probably the 515 (since it doesn't reboot every 24 hours, leaving one minute of no service, which could be a bit of a pain). And I'll use the 525 as a backup firewall, so if the 515 should stop working, I can just swap in the 525 until I get the 515 fixed (or buy a new one). I'll also look at the 515 failover unit, except that I can't use it for that as it stands, since it only has two interfaces. But maybe I can take one of the four-port cards out of the 525 and put it in the 515 failover.

Something important I've learned - if you're a network engineer, and you know your stuff, you've got a job for life.
