pfsense and ASA 5505

amrogers3 (Gawd; joined Nov 7, 2010; 641 messages)
I have two firewalls, one a pfSense and the other an ASA 5505. I initially thought about putting the ASA behind the pfSense.

What are your thoughts on this, good idea, bad idea? Will I see a degradation in the speed of my internet connection?
 
I have two firewalls, one a pfSense and the other an ASA 5505. I initially thought about putting the ASA behind the pfSense.

What are your thoughts on this, good idea, bad idea? Will I see a degradation in the speed of my internet connection?

Bad idea... pick one and use it. There's no reason to have two firewalls unless you have some sort of crazy DMZ, which I'm going to guess you don't. Otherwise you're just adding complexity.
 
OK, my reason for doing this was twofold.

1) learn the Cisco IOS
2) I wanted to implement both a SW and a HW firewall into my network for added security
 
ASAs don't run IOS. pfSense is, in essence, a hardware firewall as it typically runs on dedicated hardware (or in a VM). A software firewall is something like Norton whatever.

Running two firewalls in a row is likely not ideal for your situation.
 
Why not run them both, BUT on 2 separate IPs externally?

internet provider - switch - Cisco and pfSense.

I do this right now to play and learn.
 
ASAs don't run IOS. pfSense is, in essence, a hardware firewall as it typically runs on dedicated hardware (or in a VM). A software firewall is something like Norton whatever.

Running two firewalls in a row is likely not ideal for your situation.

Vito, why do you say not ideal? Trying to learn here and understand your reasoning. Also, would you agree that this would be a "double layer" of security so to speak?
 
Not ideal for a couple reasons. One is that you're adding complexity before truly understanding things. This could lead to a deeper understanding of the technologies or just a lot of broken shit and no clue where to look. Also, what kinds of things are you worried about/trying to mitigate? Why would two firewalls be better than one for you?

The only time I've seen/heard of two firewalls in a row (nothing in between them, like you'd see in a DMZ) is one company who was very, very security-obsessed. They used two firewalls from different vendors in a row to avoid a zero-day exploit from a single vendor compromising their network.

In a home scenario, it's kind of ridiculous. I'm all for playing with many, many different technologies in a lab, but I'd avoid complicating my home "production" network without good reasons.
 
....security-obsessed. They used two firewalls from different vendors in a row to avoid a zero-day exploit from a single vendor compromising their network.

That's me. I don't trust one device. Much like you don't trust one hard drive for all your data backup needs, you use a RAID array.

I have a pfSense box up and running and just got an ASA gifted to me, so I figure why not, right? But my main question, before I try to implement something like this, is: will there be a degradation of my network, and will two devices present any problems other than it not being an "ideal" solution?
 
Except you're not actually using multiple technologies.

Since I highly doubt you're paying for the SSC module, all the ASA is doing is basically access-lists - just dropping or rejecting datagrams based upon a list. That's the same thing pfSense is doing. The first firewall is going to drop all of the 'bad' traffic (that you've defined), so the second is just going to be pushing the rest through.

Now, if you were to set up, say, a UTM and a Palo Alto, or an ASA with the SSC, or whatever else that's actually doing packet inspection (Cisco gear can do this - but the configuration isn't entry level and you often have to pay for definitions), that might be more security.
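The point made above, that a second list-based filter only ever sees traffic the first one already permitted, can be shown with a small simulation. This is an added example, not code from the thread or from pfSense or Cisco; the rule syntax, the packets and the addresses (documentation ranges) are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """A minimal 5-tuple-ish view of a datagram arriving at the WAN side."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One stateless ACL entry; None fields mean 'any' (hypothetical format)."""
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto is None or self.proto == p.proto))


def evaluate(rules: List[Rule], p: Packet) -> bool:
    """First-match evaluation with an implicit deny at the end of the list."""
    for r in rules:
        if r.matches(p):
            return r.action == "permit"
    return False


def chain(filters: List[List[Rule]], packets: List[Packet]) -> List[Packet]:
    """Packets that survive every filter in series (edge first, inner last)."""
    return [p for p in packets if all(evaluate(f, p) for f in filters)]


def added_by_second(first: List[Rule], second: List[Rule],
                    packets: List[Packet]) -> List[Packet]:
    """Packets the inner filter drops that the edge filter let through.
    An empty result means the second device contributes nothing."""
    return [p for p in packets if evaluate(first, p) and not evaluate(second, p)]


# Constructed policy: one forwarded HTTPS service, SSH only from an admin net.
SERVER = "192.0.2.10"
EDGE = [
    Rule("permit", dst=f"{SERVER}/32", dport=443, proto="tcp"),
    Rule("permit", src="198.51.100.0/24", dst=f"{SERVER}/32", dport=22, proto="tcp"),
    Rule("deny"),
]
# Same policy re-typed on the second box (what the thread calls "the same thing").
INNER_SAME = list(EDGE)
# A genuinely stricter inner policy: no SSH exposure at all.
INNER_STRICT = [
    Rule("permit", dst=f"{SERVER}/32", dport=443, proto="tcp"),
    Rule("deny"),
]

# Constructed sample traffic from the internet side.
PACKETS = [
    Packet("203.0.113.5", SERVER, 443),    # public web client: permitted
    Packet("203.0.113.5", SERVER, 22),     # random SSH probe: denied at edge
    Packet("198.51.100.7", SERVER, 22),    # admin SSH: permitted by EDGE
    Packet("203.0.113.5", SERVER, 3389),   # RDP probe: denied at edge
]

if __name__ == "__main__":
    print("edge only        :", len(chain([EDGE], PACKETS)))
    print("edge + same      :", len(chain([EDGE, INNER_SAME], PACKETS)))
    print("edge + strict    :", len(chain([EDGE, INNER_STRICT], PACKETS)))
    print("strict adds      :", added_by_second(EDGE, INNER_STRICT, PACKETS))
```

With identical rule sets the inner device drops nothing the edge did not already drop, so the only measurable effect is the extra hop. A second device changes the outcome only where its policy is actually different (here, the stricter inner list removes the admin SSH path), which is the "different technologies or different policy" argument rather than a benefit of simply having two boxes.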
 
Except you're not actually using multiple technologies.

Since I highly doubt you're paying for the SSC module, all the ASA is doing is basically access-lists - just dropping or rejecting datagrams based upon a list. That's the same thing pfSense is doing. The first firewall is going to drop all of the 'bad' traffic (that you've defined), so the second is just going to be pushing the rest through.

Now, if you were to set up, say, a UTM and a Palo Alto, or an ASA with the SSC, or whatever else that's actually doing packet inspection (Cisco gear can do this - but the configuration isn't entry level and you often have to pay for definitions), that might be more security.

something a sonicwall tz210 or a 2400 would do :)
 
I think it's a bad idea to use two firewalls in line with each other,

however, to learn and play with:

Here is mine,

[photo: DSCN2880.JPG]

My setup goes:

Shaw cable into a switch, then split one to my Untangle firewall, then one for my pfSense / other firewalls I play, learn and tinker with.

top unit is Untangle with 5 NICs
bottom is a Supermicro 1U unit with 2 NICs; I have another switch, it's just on the floor beside my desk that I plug in etc. etc. when playing.
 
Putting two firewalls in a row...all you're doing is creating a double NAT setup, which adds complexity, loss of performance, and....some software that you use across the internet (like remote desktop apps, or VPN clients) doesn't like double NAT and acts weird on you.

Double NAT doesn't increase security. The leak in NAT is when you do a port forward...exposing a service...and that service is compromised. Double NAT will not secure this any further. Now, yeah...some firewalls do better deep SPI than others..but just select 1 and put it at the edge. Having 2 firewalls..1 better than the other..the one that is less good will just be adding complexity and making you lose performance.

If you want to learn different firewalls...just put one in place and use it for a while. When you're bored with it...swap it out with something else. Every couple of months I often change what I'm running at home for my firewall.
 
really, ALL firewalls are "SF" since they ALL require SF to run.... the difference is that the OS runs solely firewall related tasks on what people say are SF only, unlike say, windows firewall, which is OS related which does other things.

Now, is something like... pfsense / untangle a hardware, or software FW?
 
really, ALL firewalls are "SF" since they ALL require SF to run.... the difference is that the OS runs solely firewall related tasks on what people say are SF only, unlike say, windows firewall, which is OS related which does other things.

Now, is something like... pfsense / untangle a hardware, or software FW?

It'll be an endless debate.
Maybe they're called a software firewall because...they run on a hard drive!
But..what if you use a CF card?
But really...even a Stinksys router...or a DStink or Nutgear or any other little box you pickup at your local WorstBuy superstore, that operating system is just flashed into it. What if you re-flash it with DD-WRT? Yet...you can also install DD-WRT in an x86 rig with a hard drive..so does that suddenly change the rules?!
 
Putting two firewalls in a row...all you're doing is creating a double NAT setup, which adds complexity, loss of performance, and....some software that you use across the internet (like remote desktop apps, or VPN clients) doesn't like double NAT and acts weird on you.

Double NAT doesn't increase security. The leak in NAT is when you do a port forward...exposing a service...and that service is compromised. Double NAT will not secure this any further. Now, yeah...some firewalls do better deep SPI than others..but just select 1 and put it at the edge. Having 2 firewalls..1 better than the other..the one that is less good will just be adding complexity and making you lose performance.

If you want to learn different firewalls...just put one in place and use it for a while. When you're bored with it...swap it out with something else. Every couple of months I often change what I'm running at home for my firewall.

You wouldn't have to double NAT with two firewalls. Two firewalls is still a stupid idea.
 
That's me. I don't trust one device. Much like you don't trust one hard drive for all your data backup needs, you use a RAID array.

I have a pfSense box up and running and just got an ASA gifted to me, so I figure why not, right? But my main question, before I try to implement something like this, is: will there be a degradation of my network, and will two devices present any problems other than it not being an "ideal" solution?

A RAID is not a backup solution, you are failing if you use it as such.

As for using both devices; yes, unless you know exactly what you're doing and implement it correctly you're very likely to lose performance and cause yourself random problems that you will have a difficult time diagnosing. It's perfectly possible to run two firewalls without stepping on each other's toes, but you need to have a full understanding of them both and how they work first. Once you do you will probably understand why it's completely unnecessary, and often a bad idea.

If you want additional security, add an IDS (such as Snort)... which you can add into your pfSense box and be right back to a single firewall/edge device.

You wouldn't have to double NAT with two firewalls. Two firewalls is still a stupid idea.

With default settings it will be double NATing.
 