Primus

Managed Firewall - FAQs

Introduction

What is a firewall?

Why do I need a firewall?

Will a firewall give me complete protection?

Which firewall should I buy?

Do I have to buy the firewall from Primus?

Can I rent the firewall from Primus?

In your hardware specifications table, what do the terms "throughput" and "maximum sessions" mean?

How does the "per-user" licensing work on the ASA 5505?

How many "users" do the ASA 5510, 5520, 5540, 5550 support?

Primus' Managed Firewall Services

If I have a firewall, why do I need Primus' “Managed Firewall” service?

Will I have access to my firewall to make my own configuration changes?

I have a firewall, but it isn't a Cisco device. Can you manage it for me?

My network configuration is very complicated. What if the one-hour review/planning session isn't long enough?

After the firewall is installed, what if I add a new server or service and need a rule-change made on the firewall?

How many free rule changes do I get per month?

How quickly will you make the rule change?

What if I need the rule change done very quickly?

Why is the setup and monthly management fee higher if I have one or more DMZs?

Network Security

Will Primus' “Managed Firewall” service prevent my servers from getting hacked?

What is the recommended default firewall configuration?

Can I block outgoing traffic coming from certain hosts on my network?

Why would I want to block outgoing traffic from certain hosts?

Can I prevent my employees from accessing certain websites?

Advanced Hardware Features

What is a “Demilitarized Zone” (DMZ)?

Why would I need a DMZ?

Do I need extra hardware to support a DMZ?

The ASA 5505 has eight internal switch ports. Does it support a DMZ?

What is failover?

Do I need failover?

Is extra hardware required to support failover?

What is NAT?

Virtual Private Networks

What is a VPN?

Do I really need a VPN?

I have two offices, both connected to the Internet; can I configure a VPN between the two of them? How would it work?

What software would I use on my home PC to connect to my office network using the VPN?

Do I need any extra software/hardware to support the VPN?

Cisco Smartnet and Hardware Support

What is Cisco Smartnet? Why do I need it?

I'm renting an ASA firewall from Primus. Do I need to purchase Smartnet?

I purchased both the ASA firewall and the Smartnet contract through Primus. Whose name is the Smartnet support plan registered under?

What is the difference between the 24x7x4hr and the 8x5xNBD Smartnet plan?

What happens when the annual Smartnet contract expires?

Can I purchase my Smartnet plan from someone else?

If my Smartnet-protected firewall fails, who contacts Cisco to request the replacement device?

My managed firewall is located at my office. What happens if it fails during the night when I am not there?

If my Smartnet-protected firewall fails, how long is it really going to take to get up and running with a replacement firewall?

My managed firewall is located at my office. What happens if Primus needs to come onsite to troubleshoot?

Primus' One Hour Recovery Service

What is Primus' one hour recovery service?

How much does Primus' one hour recovery service cost?

If I purchase the one-hour recovery service and my firewall fails, how long will I be down for?

Introduction

What is a firewall?

A firewall is a device which prevents unauthorized access to or from a private network. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet. The firewall is positioned between the Internet connection and the private network. All data entering and leaving the private network passes through the firewall. The firewall will only let traffic into (or out of) the private network which meets specified security criteria. Refer to the sample network diagram which shows a typical firewall configuration.

Why do I need a firewall?

If you have one or more computers or servers connected to the Internet, it is imperative that these systems are protected by a firewall.

Most computers and servers run a multitude of “services”, many of which are required for normal operation of the system. However, many of these services should not be accessible to everyone on the Internet. For example, you may have a file server or a network “share” on which employees in your office store files. A firewall should be used to block all external access to that file server so Internet users cannot access your confidential files.

A properly configured firewall will block unauthorized external access to the services running on your internal systems. A firewall will also prevent many “denial of service” attacks from reaching your internal network.

Will a firewall give me complete protection?

Depending on your network configuration, a firewall may not provide complete protection.

If you need to allow certain traffic through your firewall, that access point could be used to take advantage of a vulnerability elsewhere in your network.

Example: You have an internal network which connects all of your employees' computers together. Your network is protected by a firewall. On your network, you have a server which hosts your company's website. To allow people on the Internet to access your website, you add a rule to your firewall which allows only web traffic (port 80) through the firewall, and only to the internal web server. The problem is that the web server software running on your server could have one or more vulnerabilities which allow a hacker to take control of your web server machine. Once the hacker has control of your server, he might then be able to access other internal systems on your network which “trust” the web server machine.

If you do need to provide unrestricted external access to some internal systems through the firewall, you need to ensure those internal systems are secure from attack. You should consider your firewall to be one “layer” in a multi-layered security strategy. Your security strategy should include other layers which address application-layer security on your publicly accessible servers, physical security, etc.

Which firewall should I buy?

There are many different types and brands of firewalls on the market. All of them provide similar functionality in one way or another. Before you can choose a particular firewall, you need to determine your requirements. You must consider anticipated traffic volumes, required hardware and software features and finally price. If you have any questions, please contact one of Primus' Corporate Sales representatives for assistance.

Do I have to buy the firewall from Primus?

You can supply the firewall yourself. Please ensure it is a model that Primus supports. Also please ensure the firewall has the proper feature set for your intended network configuration. You can also "rent" some of the firewall models from Primus for a monthly fee. See below for details.

Can I rent the firewall from Primus?

Primus does offer a "rental" option for some firewall models. Please refer to the comparison chart for details. The rental option is only available for firewalls located in our Internet Data Centre (protecting your colocated servers).

In your hardware specifications table, what do the terms "throughput" and "maximum sessions" mean?

Throughput is a term used to describe the volume of network traffic which the firewall can handle. It is measured in megabits per second (Mbps).

The maximum VPN throughput will always be less than the throughput for normal (non-encrypted) traffic because it requires more CPU power to handle the encrypted VPN traffic.

The term "maximum sessions" is used to describe how many simultaneous "connections" can be supported on the firewall at any one time. A connection might be a user on your protected network accessing an external site or someone at an external location accessing one of your internal servers.

How does the "per-user" licensing work on the ASA 5505?

There are two "user" licenses available for the ASA 5505: a 10 user license and a 50 user license (or unlimited). For the purposes of these licenses, a "user" is defined as a unique source IP address located on the protected subnet of the firewall.

If you have 10 or fewer computers, the 10 "user" license will work fine.

If you have more than 10 computers, or some of those computers have several public IP addresses (such as a web server hosting multiple IP-based websites), you may require an ASA 5505 with the 50 user license.

How many "users" do the ASA 5510, 5520, 5540, 5550 support?

There is no "user" limit on the ASA 5510, 5520, 5540, 5550. These devices can protect an unlimited number of users (computers). Note that these devices (like all firewalls) do have theoretical maximum session counts, dictated by the power of the CPU and the speed of the network interfaces.

Primus' Managed Firewall Services

If I have a firewall, why do I need Primus' “Managed Firewall” service?

Purchasing the firewall is just the first step. Installing and maintaining a firewall properly requires a certain level of expertise and ongoing time and effort.

Primus' trained and experienced technicians will review your requirements with you, deploy and configure the firewall, monitor the firewall on a 24x7 basis, provide you with monthly reports outlining the effectiveness of the firewall, apply rule changes as you request them, and respond to any problems which may arise with the system. Primus provides these advanced services on a 24x7 basis, all for a low monthly fee.

A full description of this service offering is available at this location.

Will I have access to my firewall to make my own configuration changes?

For security purposes, only authorized Primus technicians will have access to firewalls which are under a management contract. All changes must be requested through Primus.

I have a firewall, but it isn't a Cisco device. Can you manage it for me?

Primus officially supports the Cisco firewall series. If your firewall is not a Cisco device, we can potentially manage it for you. Please contact a Corporate Sales Representative for more information.

My network configuration is very complicated. What if the one-hour review/planning session isn't long enough?

If the initial review/planning meeting exceeds the 1 hour timeframe, you will be billed for each additional 1/2 hour of time.

After the firewall is installed, what if I add a new server or service and need a rule-change made on the firewall?

As part of the Managed Firewall Service, Primus provides a certain number of "rule changes" per month to you for free. Refer to the comparison chart for details.

A "rule change" can consist of multiple changes, but they must all be requested at the same time.

During the 24 hours after the firewall is first installed, all rule changes are "free".

How many free rule changes do I get per month?

The number of free rule changes depends on the package you have. Refer to the comparison chart for details.

How quickly will you make the rule change?

Rule changes will be made within one business day.

What if I need the rule change done very quickly?

If you need a rule change made sooner than one business day, you can request an "emergency" rule change. An extra fee will apply. Emergency rule changes are made within four hours.

Why is the setup and monthly management fee higher if I have one or more DMZs?

The addition of one or more DMZs into your network architecture makes the firewall configuration more complicated. Logically and physically, each DMZ is another independent network with its own firewall rules and requirements.

Network Security

Will Primus' “Managed Firewall” service prevent my servers from getting hacked?

As explained above, the firewall should be considered as just one layer in a multi-layered security policy. If you allow Internet users to access certain internal servers through your firewall, it is possible that those users could exploit one or more vulnerabilities on your server(s) to gain access to your internal network. The firewall will not prevent those “application layer” attacks from occurring.

Primus does offer a “Managed System Administration” service which includes the maintenance and administration of your servers. This service also includes the application of security patches and fixes as they become available to prevent application layer attacks. Please contact Primus' Corporate Sales Team for more information.

What is the recommended default firewall configuration?

For an office environment which does not run any Internet-accessible servers, the default configuration will block all incoming traffic to your private network and allow all outgoing traffic coming from your private network.

If the firewall is used to protect one or more servers which must be Internet accessible (at your office or at Primus' Internet Data Centre), the firewall will be configured to only allow the minimum levels of access required.

Can I block outgoing traffic coming from certain hosts on my network?

Yes, the firewall can be configured to block any outgoing traffic coming from your private network destined for some or all external sites on the Internet.

Why would I want to block outgoing traffic from certain hosts?

You might block outgoing traffic from some or all hosts on your private network for various reasons:

  • to prevent certain groups of employees from accessing the Internet
  • to prevent certain systems which contain sensitive information from being used to access the Internet
  • to only allow certain types of traffic from leaving your network and to block all others

Can I prevent my employees from accessing certain websites?

The firewall device can be used to provide URL filtering on outgoing traffic. This feature requires additional hardware and software. Contact Primus' Corporate Sales Department for more information.

Advanced Hardware Features

What is a “Demilitarized Zone” (DMZ)?

The term "DMZ" is used to describe a firewalled network segment which is physically and logically separate from the primary, firewalled network segment. The DMZ network segment would have completely independent security rules applied to it.

Example:

  • You have several/many desktop computers on your network used by your employees.
  • You have one or more "internal" servers used for file sharing.
  • You have a mail server which must receive email from external locations on the Internet. The mail server is the only system on your network which must be accessible to the public (untrusted) Internet.

Scenario #1 - No DMZ Config

  1. You place all of your desktop computers, internal servers, and the mail server on the same "network segment" and place a firewall in front of that network segment. To allow incoming email through the firewall, you add a single rule to your firewall which allows inbound email on port 25 to your mail server.
  2. A security problem is discovered with the mail server software you are running. A hacker exploits the vulnerability and is able to gain "Administrator" or "root" access to your mail server and installs a "backdoor" program on your mail server which gives the hacker full access to your server.
  3. Because your mail server is on the same network segment as your other computers, the hacker can easily attack the other computers, and access files on them because there is no firewall between the mail server and those other computers.

Scenario #2 - DMZ Config

  1. You place all of your desktop computers and internal servers on the same "network segment" and place a firewall in front of that network segment. You block all inbound traffic to your internal network using the firewall.
  2. You place your mail server on a separate "DMZ" subnet connected to your firewall. To allow incoming email through the firewall, you add a single rule to your firewall which allows inbound email on port 25 to your mail server.
  3. A security problem is discovered with the mail server software you are running. A hacker exploits the vulnerability and is able to gain "Administrator" or "root" access to your mail server and installs a "backdoor" program on your mail server which gives the hacker full access to your server.
  4. Because your mail server is not on the same network segment as your other computers (they are protected by separate firewall rules), the hacker has no ability to attack or access the other computers on your internal network.

As you can see from the example above, the DMZ allows you to mitigate risk. Running a public mail server on the Internet is inherently risky (as is running any public server). Once you understand that, the goal then becomes to configure and deploy the server(s) so they do not pose an additional risk if they are compromised.

Refer to the sample diagram which shows a typical DMZ configuration.

Why would I need a DMZ?

A DMZ configuration is often used in a network configuration which includes one or more “public” servers along with one or more “internal” computers/servers. In this configuration, you would typically block all external access to your internal systems, but you would allow some external access to the public server(s).

The DMZ configuration is designed to provide additional protection to guard against the example scenario described in question #3 above. In that scenario, a hacker was able to take advantage of a vulnerability in the web server software running on your public web server to gain access to the web server machine. From there, the hacker was able to access other internal systems because those systems were not protected from the web server machine (they “trusted” the web server machine).

The solution to this problem is to segregate all public servers onto a completely separate network segment attached to the firewall. The firewall would protect this DMZ segment using a ruleset specific to the servers located on the segment. Refer to the sample network diagram for details.

The DMZ configuration has multiple benefits:

  1. the public servers can still be protected by the firewall
  2. the internal segment is protected by the firewall
  3. the public servers don't have unrestricted access to the internal devices
  4. a hacker who gains control of a public server will not be able to access the internal servers because they are protected by the firewall and do not “trust” the public servers

When deploying a DMZ, it is imperative that the public servers do not have any “back-door” connections to the internal network which could be exploited by a hacker. The firewall should be the only link between the two subnets.

You can deploy multiple DMZs on your network to provide extra levels of security. For example, you could install a mail server on one DMZ and a web server on another DMZ. If your web server gets hacked, the mail server would still be protected from the web server.

Do I need extra hardware to support a DMZ?

You will require an additional network interface card (NIC) in the firewall for each separate DMZ to be configured. The maximum number of NIC cards you can install in the firewall depends on which model you choose.

The ASA 5505 has eight internal switch ports. Does it support a DMZ?

By default, the 8 internal switch ports support a limited DMZ in which the DMZ segment is visible to the Internet. The DMZ segment is also visible to any private segment, but the DMZ cannot see (initiate communication to) the private segment. To allow communication initiated from the DMZ to the private segment, a license upgrade is required for the ASA 5505.
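
As an added illustration (not Primus' or Cisco's code), the Python model below encodes the policy logic behind the recommended default configuration (block inbound, allow outbound), the two DMZ scenarios above, and the limited-DMZ behaviour just described for the ASA 5505. It borrows the ASA idea of a trust level per zone: a more-trusted zone may open connections toward a less-trusted zone, everything else needs an explicit rule. All addresses, host names and zone names are constructed for the example.

```python
"""Zone-based firewall policy simulator for the flat-network and DMZ scenarios.

Models connection *initiation* only; a stateful firewall lets the reply
packets of a permitted connection back through, so replies are not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    """A connection attempt: the initiating host, the target host and port."""
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """Explicit access rule; None in dst_host or dport means 'any'."""
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]
    dport: Optional[int]
    action: str  # "permit" or "deny"


@dataclass
class Firewall:
    zones: Dict[str, Set[str]]   # zone name -> hosts on that segment
    levels: Dict[str, int]       # zone name -> trust level (0 = the Internet)
    rules: List[Rule] = field(default_factory=list)

    def zone_of(self, host: str) -> str:
        for name, hosts in self.zones.items():
            if host in hosts:
                return name
        return "outside"         # not on any protected segment: the Internet

    def allows(self, f: Flow) -> bool:
        src_zone, dst_zone = self.zone_of(f.src), self.zone_of(f.dst)
        if src_zone == dst_zone:
            # Same segment: the packet never crosses the firewall (scenario #1)
            return True
        for r in self.rules:     # first match wins, like an ASA access-list
            if ((r.src_zone, r.dst_zone) == (src_zone, dst_zone)
                    and r.dst_host in (None, f.dst)
                    and r.dport in (None, f.dport)):
                return r.action == "permit"
        # Implicit policy: higher trust may initiate toward lower trust, nothing else
        return self.levels[src_zone] > self.levels[dst_zone]


# Constructed addresses for the example network
INTERNET_HOST = "198.51.100.7"
MAIL = "192.168.1.25"       # mail server on the flat network (scenario #1)
MAIL_DMZ = "192.168.2.25"   # mail server on its own DMZ segment (scenario #2)
FILES = "192.168.1.10"      # internal file server
DESKTOP = "192.168.1.50"    # employee desktop
SMTP, SMB = 25, 445         # inbound email; Windows file sharing


def scenario_no_dmz() -> Firewall:
    """Everything on one segment; only inbound SMTP to the mail server is opened."""
    fw = Firewall(zones={"inside": {MAIL, FILES, DESKTOP}},
                  levels={"outside": 0, "inside": 100})
    fw.rules.append(Rule("outside", "inside", MAIL, SMTP, "permit"))
    return fw


def scenario_dmz() -> Firewall:
    """Mail server on a DMZ segment; inbound SMTP to it is the only hole."""
    fw = Firewall(zones={"inside": {FILES, DESKTOP}, "dmz": {MAIL_DMZ}},
                  levels={"outside": 0, "dmz": 50, "inside": 100})
    fw.rules.append(Rule("outside", "dmz", MAIL_DMZ, SMTP, "permit"))
    return fw


def reachable_from(fw: Firewall, src: str, targets, dport: int) -> List[str]:
    """Hosts in `targets` that `src` can open a connection to on `dport`."""
    return sorted(t for t in targets if fw.allows(Flow(src, t, dport)))


if __name__ == "__main__":
    for name, fw, mail in (("no DMZ", scenario_no_dmz(), MAIL),
                           ("DMZ", scenario_dmz(), MAIL_DMZ)):
        print(f"{name}: Internet -> mail server port 25 allowed?",
              fw.allows(Flow(INTERNET_HOST, mail, SMTP)))
        print(f"{name}: a compromised mail server can reach",
              reachable_from(fw, mail, [FILES, DESKTOP], SMB) or "nothing")
```

Appending a `Rule("dmz", "inside", ...)` permit to `scenario_dmz()` corresponds to the explicit DMZ-to-private access that the ASA 5505 only allows after the license upgrade.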

What is failover?

Failover is a high-availability network configuration which requires a second, identically configured firewall to be installed “beside” the primary firewall. The second firewall is considered as the “standby” firewall. The standby firewall will continuously monitor the health of the primary firewall. If the primary firewall has a hardware failure or an operating system crash, the standby firewall will automatically take over the firewall duties which were performed by the primary firewall. Refer to the sample network diagram for details.

Do I need failover?

Many organizations consider their office Internet connection or their web servers to be “mission critical”. In these cases, every minute a firewall is offline results in lost revenue or opportunity. If an “outage” of a few minutes (for a reboot after a crash) up to a few hours (to replace a failed device) is acceptable to your organization, then you do not require a failover configuration.

The organization must obviously have a business case to justify the additional expense required to setup and configure a redundant-firewall configuration.

Before deciding on a redundant firewall configuration, the organization should also ensure that all other aspects of the network infrastructure are redundant as well (redundant network connections, RAID disk storage in servers, etc.).

Is extra hardware required to support failover?

Failover requires the purchase of a second identical ASA Firewall unit.

What is NAT?

Network Address Translation (NAT) is designed for IP address simplification and conservation. NAT enables private IP networks that use non-registered IP addresses to connect to the Internet. NAT translates the private addresses used in the internal network into “routable” addresses before they are forwarded onto the Internet. This provides additional security, effectively hiding the entire internal network from the world behind the translated address. NAT has the dual functionality of security and address conservation, and is typically implemented in remote access environments.

Whether or not you will use NAT depends on your existing and planned network configuration, etc. Primus' security experts can recommend a suitable configuration.

Virtual Private Networks

What is a VPN?

A Virtual Private Network (VPN) is a term used to describe a secure connection between two trusted networks made over an insecure network (such as the Internet). Each VPN connection is considered to be a “tunnel”. VPNs utilize access control and encryption to ensure the security of the data transported through the tunnel.

Do I really need a VPN?

You would use a VPN to provide secure connectivity between two networks.

Refer to the sample network diagram which shows two different VPN connections in action. In the network configuration shown, the two firewall devices which protect the two corporate networks are logically connected together using a VPN tunnel. This connection allows systems in each network to communicate securely with systems in the other network. For example, this would allow a server in the one network to access a “network share” in the other network.

The home user shown on the diagram has opened up a VPN connection (tunnel) from their home PC to one of the office networks. This allows the home user to access all resources on the corporate network as if their PC was physically connected to the corporate network.

I have two offices, both connected to the Internet; can I configure a VPN between the two of them? How would it work?

Yes. Refer to the above question for an example of this type of configuration.

What software would I use on my home PC to connect to my office network using the VPN?

Most VPN client software is either provided by the VPN vendor or integrated in the operating system (OS). For example, Microsoft's Windows operating system has built in support for the PPTP, IPsec, and L2TP VPN protocols.

IPsec is an industry-wide standard suite of protocols and algorithms that allows for secure data transmission over an IP-based network and it functions on the Network Layer of the OSI model.

PPTP (Point to Point Tunneling Protocol) was created by Microsoft to allow the secure transfer of data from remote networks to the corporate network.

L2TP (Layer 2 Tunneling Protocol) was created by Cisco and Microsoft to replace Cisco's older L2F (Layer 2 Forwarding) and PPTP (Point to Point Tunneling Protocol). L2TP merges the capabilities of both L2F and PPTP into one tunneling protocol.

Do I need any extra software/hardware to support the VPN?

Depending on your specific requirements, additional hardware and/or software may be required. Please contact a Primus Corporate Sales agent for details.

Cisco Smartnet and Hardware Support

What is Cisco Smartnet? Why do I need it?

Cisco Smartnet is a maintenance package which is provided by Cisco. A Smartnet maintenance package provides the following features:

  1. hardware replacement if the device fails
  2. access to new software releases or patches as they become available
  3. access to Cisco's technical support department (TAC)

Primus will not provide its “Managed Firewall” service on a customer-owned firewall unless it is covered under a current Smartnet contract.

I'm renting an ASA firewall from Primus. Do I need to purchase Smartnet?

No. Because the firewall is owned by Primus, Primus will take care of all support requirements on the device.

I purchased both the ASA firewall and the Smartnet contract through Primus. Whose name is the Smartnet support plan registered under?

The Smartnet support plan is always registered under the customer's name. However, if Primus technicians need to request an RMA replacement or request technical support for your firewall, we will do so using your support contract number.

What is the difference between the 24x7x4hr and the 8x5xNBD Smartnet plan?

The main difference between these two packages is the amount of time it takes to get a hardware replacement for a failed firewall. Under the 24x7x4hr plan, Cisco will deliver the replacement firewall within four hours upon receiving the request. Under the 8x5xNBD plan, the firewall will not arrive until sometime the next business day. If your firewall fails on a Friday afternoon or weekend, the replacement firewall will not arrive until the following Monday.

What happens when the annual Smartnet contract expires?

To ensure clients are always protected by a Smartnet plan, Primus will track your Smartnet coverage for you and invoice you for the renewal shortly before your current contract expires.

Can I purchase my Smartnet plan from someone else?

You can purchase the Smartnet contract from any Cisco reseller. If you do purchase the contract elsewhere, you must provide Primus with the contract number so Primus can verify its validity.

If my Smartnet-protected firewall fails, who contacts Cisco to request the replacement device?

As part of Primus' “Managed Firewall” service, Primus will contact Cisco on your behalf to request the replacement device. The firewall will be delivered to Primus first so the proper configuration can be installed on it. The replacement firewall will then be installed by Primus.

My managed firewall is located at my office. What happens if it fails during the night when I am not there?

Primus does not have physical access to the firewall located in your office. The first troubleshooting step will be to attempt to power the device on and off in an attempt to “reboot” it. This will require your assistance. If the device does not recover after a reboot, Primus will contact Cisco to request a replacement. Once the replacement has arrived at Primus' location and has been configured by the Primus technician, Primus will either have the new firewall delivered to your office or Primus will deliver it to you directly. Delivery charges will apply.

If my Smartnet-protected firewall fails, how long is it really going to take to get up and running with a replacement firewall?

There are a number of phases to the hardware replacement.

  1. Identification of failure - if your firewall device fails, someone first has to confirm that it is "broken" - this could take anywhere from twenty minutes (if the firewall is at Primus' IDC) to several hours (if the firewall is at your office and the failure occurs during the night)
    If the device is located at Primus' Internet Data Centre (protecting your servers), a Primus technician will identify the outage within a few minutes. The technician will perform specific troubleshooting steps to try to bring the device back online.
    If the device is located at your office, you will be asked to attempt to power-cycle the device to see if it recovers after a reboot - if it is still offline after the reboot or it does not power up at all, it has probably "failed".
  2. Once Primus confirms that the device has "failed", Primus will contact Cisco on your behalf to request an RMA replacement. This may take several minutes.
    1. If you have the 24x7x4hr Smartnet package, Cisco will then deliver the replacement firewall to Primus within 4 hours.
    2. If you have the 8x5xNBD Smartnet package, Cisco will then deliver the replacement firewall to Primus by the next business day.
  3. Once Primus has the replacement firewall, a technician will install the proper operating system version on the device and then upload a backup copy of your firewall configuration to the device. This could take 30-60 minutes to complete.
  4. Once the replacement firewall has been configured, the firewall will be installed.
    1. If your firewall is located at Primus' Internet Data Centre, the technician will replace the failed device immediately. This could take 5-10 minutes.
    2. If your firewall is located at your office, Primus will either ship you the replacement firewall, or you can pick it up at our office. Optionally, you can request that a Primus technician deliver the replacement firewall to you and install it (an extra fee will apply for this service).

In summary, the replacement time for a failed firewall depends on the Smartnet package you have purchased and also on whether or not the firewall is located at your office location or at Primus' Internet Data Centre.

If you require faster recovery in the event of an outage, you should consider either a "failover" option, or Primus' one-hour recovery service.

My managed firewall is located at my office. What happens if Primus needs to come onsite to troubleshoot?

Primus will repair/replace a firewall that is not functioning as per #47; however, if Primus is required to come onsite for a replacement installation or to troubleshoot further, our standard hourly rate will apply (call for details). Travel time is included in the total time billed, with a one hour minimum and 30 minute increments thereafter. Primus is willing to troubleshoot with an onsite client contact prior to dispatching a technician.

Primus' One Hour Recovery Service

What is Primus' one hour recovery service?

Primus offers an optional "one hour recovery service" for customers who have Cisco's 24x7x4hr Smartnet package and whose firewall is located at Primus' Internet Data Centre.

Under this service, Primus will keep a "spare" firewall available at all times which could be used as a temporary replacement for a customer. If the customer's firewall were to fail, Primus will configure the "spare" firewall and install it for the customer within one hour. This "spare" firewall would be installed on a temporary basis until Cisco ships the official replacement under the Smartnet service contract.

How much does Primus' one hour recovery service cost?

Please contact a Primus Corporate Sales agent for details.

If I purchase the one-hour recovery service and my firewall fails, how long will I be down for?

Under this service, your system should be offline for no more than one hour.
