
Hi, Folks.

We are using Cisco FWSM firewalls at our data centres, and core networks as well. Cisco announced the end-of-life of FWSM in March, and the date of end of SW maintenance release will be September 25, 2013.

For data centre firewalls, it'll probably be too disruptive to switch to other firewall platforms. On the core networks, the main functionality that Cisco FWSM provides us is NAT/PAT, rather than application firewalling, which I don't think Cisco FWSM is able to do.

One solution would be to choose the ASA blade or the latest ASA appliance, while I am just wondering what firewall platform you are using in your networks, and I am very interested to know your experience of application firewalls. Thanks.

--
Leo Song, Senior Analyst & Cluster Lead
Computing and Communication Services - Networking and Security
University of Guelph
(519) 824-4120 x 53181


********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Hi Leo,

We are in the same boat. We too use Cisco FWSM firewall modules in our core and it is going to be very difficult to replace with a competing product. There is a desire to not increase the complexity within our data center by being homogeneous throughout and avoid the finger-pointing game if we were to use other vendors along with our Cisco infrastructure.

We are looking at upgrading to the Cisco ASA Service modules or the Cisco ASA appliances, but we haven't decided which yet. I too would love to know what others have done in their data center if they use Cisco ASA firewalls.

Thanks much!

Daniel Foerst
Assistant Director, Networks & Security
The Catholic University of America
Washington, DC 20064

Hello,

We were also in the position of needing to upgrade a pair of FWSMs and decided to go with a pair of ASA5585Xs. So far we've been very happy. Performance has been very good and having the ability to use LR optics is nice.

At the time the ASA service module hadn't been released, but I still think I'd go with external firewalls if I had to do it over again.  I did like the flexibility of creating VLAN interfaces and dropping them into a specific context with the FWSM, but in the end I think it created confusion when troubleshooting.

The only thing to watch out for is the Smartnet on the 5585Xs.  It is by far the most expensive Cisco equipment we have on campus.

-dan


Dan Brisson, Network Engineer, University of Vermont, (Ph) 802.656.8111, dbrisson@uvm.edu

Hi Leo,

We are doing the exact same thing that Dan (UVM) is doing – we plan to deploy this fall. We will use the new 5585-Xs for our Campus Border (not the Data Center). In the Data Center we are using some Junipers (SRX-3400).

Chad

Chad D Burnham
Telecommunications Network Planner
University of Denver
University Technology Services
2100 South High Street
Denver CO 80208
303-871-4441 = Desk
303-520-5657 = PCS/Mobile

We just recently upgraded our FWs but not from the FWSM. We installed a pair of Cisco 5585Xs in the core and are using contexts on them: one for border and another for the Data Center. So far everything has been great but there is a caveat with contexts in that if you are running them you cannot do VPN on the same appliance. Therefore we elected to keep our VPN on the Juniper SA4500s.

Keith Dahl
Director Network Technologies
Colorado Community College System
1059 Alton Way – Bldg 758
Denver, CO 80230
(720) 858-2856
Keith.Dahl@cccs.edu




Yes, we are running 10Gig in the 5585s but it is not licensed separately, to my knowledge.

-dan


Dan Brisson, Network Engineer, University of Vermont, (Ph) 802.656.8111, dbrisson@uvm.edu
On 5/7/2012 12:39 PM, Josh Richard wrote:


Hi,

You do need the "Security Plus" License option to use the 10G ports. I confirmed this last week.

The 10G ports are present physically, but will not work without the license.

$20K is list price for this part number/SKU (ASA5585-SEC-PL).

CB

Message from matthew.stevenson@shu.edu

Count us in the same boat. We're looking at the ASA service module as a migration from our FWSMs. Has anyone migrated a substantial amount of rules from an FWSM to an ASA Services module? I'm under the impression that this may be a major task (we have many thousands of rules). Not being the firewall admin, I don't have firsthand knowledge of this. Can anyone share their experience with a rule migration?

Matt Stevenson
Director of Networking and Architecture
Seton Hall University
Phone: 973-313-6184
Email: matthew.stevenson@shu.edu

Ah, yes....Security Plus.  I had forgotten about that license.  My apologies.  Thanks for correcting my misinformation.

-dan


Dan Brisson, Network Engineer, University of Vermont, (Ph) 802.656.8111, dbrisson@uvm.edu

The FWSM and ASASM (and PIX and ASA boxes) all use the same config syntax, with the caveat that software upgrades can introduce syntax changes (e.g. in NAT configuration between 8.2 and 8.3), so there may be some changes that are needed. But object groups and ACLs should be directly transferable from one to the other.

(Note: we're looking at the same problem, but haven't yet gotten an ASASM in our lab to play with, so I have to say "should" rather than "are" at this point...)
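As an added illustration of the 8.2-to-8.3 NAT syntax change mentioned above (my example, not code from the thread, from Cisco, or from any of the institutions named): a small converter that rewrites the common pre-8.3 `static` and `nat`/`global` pairs into 8.3 object NAT blocks, run over a constructed sample config, and refuses anything it cannot translate mechanically so those lines get migrated by hand.

```python
import re

# Constructed sample (not from the thread): the three pre-8.3 NAT forms
# most campus configs contain -- a one-to-one static, a dynamic nat rule
# and the global pool it refers to by id.
OLD_NAT_LINES = [
    "static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255",
    "nat (inside) 1 10.1.0.0 255.255.0.0",
    "global (outside) 1 interface",
]

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")
NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) (\S+)$")


def convert_nat(lines):
    """Rewrite 8.2-style NAT lines as 8.3-style object NAT blocks."""
    out, globals_by_id, dynamic = [], {}, []
    for line in (l.strip() for l in lines):
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped, real = m.groups()  # 8.2 lists mapped before real
            out += [f"object network obj-{real}", f" host {real}",
                    f" nat ({real_if},{mapped_if}) static {mapped}"]
            continue
        m = GLOBAL_RE.match(line)
        if m:
            mapped_if, nat_id, pool = m.groups()
            globals_by_id[nat_id] = (mapped_if, pool)
            continue
        m = NAT_RE.match(line)
        if m and m.group(2) != "0":  # nat-id 0 (identity/exempt NAT) is out of scope here
            dynamic.append(m.groups())
            continue
        raise ValueError(f"unsupported NAT line, migrate by hand: {line}")
    # Dynamic rules need their global pool, so resolve them after the full pass.
    for real_if, nat_id, net, mask in dynamic:
        if nat_id not in globals_by_id:
            raise ValueError(f"nat id {nat_id} has no matching global line")
        mapped_if, pool = globals_by_id[nat_id]
        out += [f"object network obj-{net}", f" subnet {net} {mask}",
                f" nat ({real_if},{mapped_if}) dynamic {pool}"]
    return out


if __name__ == "__main__":
    print("\n".join(convert_nat(OLD_NAT_LINES)))
```

Since 8.3 also changed access lists to match on real (untranslated) addresses, any outside-facing ACL entries written against mapped addresses need review at the same time as the NAT lines.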


Thanks for all of your replies.

It appears that all institutions with Cisco FWSM deployments have migrated or are planning to migrate to the ASA appliance / service module. I am just wondering whether you have considered the option of deploying other non-Cisco application firewalls at either the edge or our departmental networks to create new value, or whether it's not worth considering, or the stability will outweigh the benefits? Thanks.



Message from dannyeaton@rice.edu

Here at Rice University, we had a pair of FWSMs on the border for internet connectivity and a pair of FWSMs on the "inside" for inter-MPLS VPN connectivity. Two years ago, we investigated the capabilities of available firewalls, and on Jan 1 2011 we replaced the external FWSMs with a pair of Juniper 5800s in active/active HA cluster mode. We are currently investigating upgrading the internal FWSMs with either a pair of Juniper 3600s or Cisco ASAs (either ASASMs or 5585s). If you'd like to discuss more about our implementation, and our findings, feel free to email me off-list.

Respectfully,
Danny Eaton

Snr. Network Architect
Networking, Telecommunications, & Operations
Rice University, IT
Mudd Bldg, RM #205
Jones College Associate
Staff Advisory Committee
Employee Activities Subcommittee Chair
Office - 713-348-5233
Cellular - 832-247-7496
dannyeaton@rice.edu

Soli Deo Gloria
Matt 18:4-6

G.K. Chesterton, "Christianity has not been tried and found wanting. It's been found hard and left untried."


Actually, we run a mix of firewalls right now.

UM has never had a border firewall; we use public address space across campus.  So we don't implicitly trust everything on our campus (which is what a border firewall does); where we have sensitive resources to protect we've placed a firewall close to them (i.e. in the department or building).  Right now we've got about 20 of these deployed, all ASAs of various flavors (with two PIXen still in service); and our "enterprise" data centers have Checkpoint firewalls.  More recently (about 5 years ago) we installed a Checkpoint cluster in our core (six Cat6513 boxes distributed across the campus) and through this are providing virtual firewall service for dozens of other networks - mostly academic units, many of which have a presence in multiple buildings (making local firewalls impractical).

And a couple years ago we installed redundant FWSM pairs (and redundant ACE pairs) in our other data centers; the rationale being that the tight integration with the 6500 simplifies management (VLAN trunking, route injection, etc.).

It looks like we'll be sticking with Checkpoint for the campus virtual firewall service for at least a few more years; but we're now working to define what the next-generation data center firewalls will be. The three front runners are Checkpoint, Juniper and Cisco, and right now it looks like the ASASM is the most cost-effective - as long as we don't replace the DC 6500s with Nexus or Juniper boxes. If the 6500 chassis go, then it's an open question...

I may have some PDFs around that aren't too out of date, if you want more detail on our architecture...



Agreed. It would make life so much simpler if we could just predict the future accurately... ;-)