/

Reviews /

Cisco: Response to firewall RFP

Network World Fusion, 07/19/99

HPI's Firewall RFP Summary

According to the HPI Firewall RFP, HPI wants a firewall security solution that meets the following parameters:

HPI wants to place highly reliable, redundant firewalls to secure its infrastructure while maintaining 4-9's uptime.
These firewalls need to scale up to 100 Mbps for internal traffic, T3 speeds from the Internet, and T1 speeds on other connections.
The firewalls must handle up to 3000 simultaneous user connections and be configurable to handle HPI's custom applications.
The Firewall should handle Network Address Translation (NAT) but doing this should not have an adverse effect on network performance.
Centralized management of all the firewalls, central site as well as remote site, is critical as well.
This management station should also store and update the firewalls' rule base in one single location and distribute it securely to each firewall as needed.
A strong security logging capability and log file analysis with report generation is also required with the firewall.
If an attempted attack or break in occurs and is logged, the firewall should have some mechanism to page a network manager or alert the standard network management platform.

Cisco Proposal

Cisco proposes solving Happy Pharmaceutical Inc.'s (HPI) security concerns with a solution comprising of its PIX 515 firewalls, the Cisco Security Manager that handles the policy management and remote device configuration of the PIX firewalls. This proposal is being made with the assumptions that the additional routing devices necessary for HPI's network expansion are included in a separate RFP, if necessary, but are not to be included in this proposal. If otherwise, please contact the POC for this proposal listed at the end of the document.

Security Product Background

PIX 515 Firewall

Cisco PIX 515 Firewall is a very high performance, dedicated firewall appliance which is tailored to meet the needs of small to medium business networks. The PIX Firewall provides full firewall protection that completely conceals the architecture of an internal network from the outside world. The PIX Firewall enforces secure access between an internal network and an intranet, extranet links, and the Internet, and with its hardened operating system, the PIX firewall is inherently more secure than firewalls installed on general purpose operating systems. The PIX is well known as the fastest firewall on the market, demonstrating nearly 170 megabits per second throughput in KeyLab's FireBench firewall performance analysis. The Pix 515 can handle up to 128,000 simultaneous sessions as well, which offers Happy Pharmaceuticals plenty of room to expand its network while still offering high performance in a cost-effective package.

Cisco Security Manager

Cisco Security Manager is a scalable, powerful security management system for Cisco PIX Firewalls. With Security Manager, Cisco customers can define, distribute, enforce, and audit security policies of multiple distributed firewalls from a central location. As the management cornerstone of the Cisco end-to-end security product line, Security Manager can dramatically simplify management of the PIX Firewall---the highest-performance, enterprise-class firewall available.

Network Layout with proposed Cisco Security Solution

Click for a network diagram

Point-by-Point Review

HPI wants to place highly reliable, redundant firewalls to secure its infrastructure while maintaining 4-9's uptime.

Cisco PIX firewalls are highly reliable - their mean time between failures is approximately 60,000 hours which equates to 6.85 years. Such a high level of reliability is attributed to its appliance architecture and efficient proprietary operating system which is created for the sole purpose of high performance, secure firewalling - this is in contrast to firewall software which operates on general purpose operating systems such as Unix or NT -reliability issues with and on-going maintenance of that code can thereby affect the performance and reliability of the firewall itself.
The redundancy issue is covered in this Cisco solution by implementing redundant PIX 515 with crossover cables. To promote this redundancy and in response to customer requests for this capability, Cisco offers the second or redundant PIX 515 at a substantially reduced price of $3000 (list price). This is not a one-time offer but rather standard list pricing for the second unit.

These firewalls need to scale up to 100 Mbps for internal traffic, T3 speeds from the Internet, and T1 speeds on other connections.

Cisco PIX firewalls have been tested by third party sources, including KeyLabs, as having nearly 170 Megabits per second throughput. As a result, the PIX's performance capability far exceeds HPIs current requirements and provides "room to grow" options for HPI in the months and years to come as it advances its network.

The firewalls must handle up to 3000 simultaneous user connections and be configurable to handle HPI's custom applications.

The Pix 515 can handle 65,000 simultaneous user connections with the "Restricted" software shown protecting the remote office and up to 125,000 connections with the "Unrestricted" software shown defending the corporate location. As a result, the PIX's capability far exceeds HPI's current requirements and provides "room to grow" for HPI in the months and years to come as it advances and expands its network.

The Firewall should handle Network Address Translation (NAT) but doing this should not have an adverse effect on network performance.

The PIX was originally developed to handle Network Address Translation, and as a result, performs this function very efficiently. A recent published third-party report of firewall testing that called the PIX's performance remarkable claimed "What was even more remarkable was that activating NAT did not slow down the performance."

Centralized management of all the firewalls, central site as well as remote site, is critical as well.

The Cisco Security Manager manages the policies of up to 100 PIX firewalls from a central location. Through the Cisco Security Manager, users input the policies they want to enforce on their network, and the Cisco Security Manager determines what the appropriate configurations of the firewalls should be in accordance with those policies and then remotely configures the PIX firewall appropriately.

This management station should also store and update the firewalls' rule base in one single location and distribute it securely to each firewall as needed.

The Cisco Security Manager stores the rule base for all of the PIX firewalls under its domain in a single location. When policy changes are made through its interface, the Security Manager distributes the resulting configuration changes to each firewall as needed. This configuration information can be distributed to the PIX firewalls using a secure telnet session. Thereby ensuring confidentiality of that information.

A strong security logging capability and log file analysis with report generation is also required with the firewall. If an attempted attack or break-in occurs and is logged, the firewall should have some mechanism to page a network manager or alert the standard network management platform.

The security solution we provided has the ability to securely notify the logging/mgmt system on the occurrence of events.
Security Manager offers an event/log collection facility for use when running historical reports. A variety of template reports are offered as well to enable administrators to track warning activity and operational information.
The proposed solution also provides a distributed logging facility (the dual Cisco Security Managers) that includes two logging servers to distribute the high traffic of the firewalls on the campus network. The remote sites are also distributing the logging information between the distributed management station.
In addition, the PIX firewall has the ability to send a page based on a range of preset conditions. PIX also integrates with HP Openview and Open Systems Solutions Private I management software as well as other log management infrastructures. Cisco's NetRanger Intrusion Detection products can also be used to provide robust Intrusion Detection that integrates with the Cisco IOS routers and security products.

Proposal Pricing


FW1 - PIX 515 UR (primary) $12,000
FW2 - PIX 515 UR (failover  $3,000
FW3 - PIX 515 UR (primary) $12,000
FW4 - PIX 515 UR (failover) $3,000
FW5 - PIX 515 R             $5,000
FW6 - PIX 515 R             $5,000
SM1 - Security Manager      $5,000
SM2 - Security Manager      $0,000
----------------------------------
TOTAL COST                 $45,000

NOTE: All security-related hardware is included except two NT Workstations (approx. $6,000 total) to operate Cisco Security Manager

Additional Information

For additional information or questions regarding this RFP, please contact Doug Webster, Cisco Systems, at 512.378.1113 or via email at websterd@cisco.com.

The RFP
Vendor responses:

Axent

Cisco

Elron

Lucent

Sun

RELATED LINKS

Firewall RFP
See what the vendors are responding to. Includes links to all the RFP responses.

Review: Firewalls
Raptor Firewall 6.0 takes top honors in our testing. Network World, 7/19/99.

Issues and trends
Where the firewall market is headed and what to look for. Network World, 7/19/99.

Interactive buyer's guide
Detailed specs on 52 models. Find the one that meets your criteria or compare two or more models on different specs.

Forum: Firewalls
Post your firewalls questions and discuss their use in this forum.

Firewalls to the rescue
Interviews with firewall users. Network World Fusion, 7/19/99.