Hogie
May 8 2006, 01:24 PM
I'm trying not to bother my sales rep too much, so I am asking here instead about some specifics on a firewall solution for our cabinet space.
1) Do I lose HSRP if I have a PIX installed?
2) Would I be able to have a few ports blocked by default, but leave everything else open?
3) How fast would I be able to black list IPs (or make other changes) in it?
Mainly this is for blocking these kids deciding to Denial of Service our game server clients. I'd rather have 1 place to put black lists than on all the diff machines.
nForcer
May 8 2006, 04:23 PM
As far as #1 goes, I don't really know.
#2
You can set up an ACL within a PIX that will permit only the ports you choose, and deny all others
-OR-
You can implicitly DENY certain ports but include a Permit any any statement at the end (otherwise it will deny everything)
(Option A is the best in that case)
#3
Depending on the situation of how you'd like to have IPs blacklisted, a PIX can automatically block IPs using its built-in IDS (Intrusion Detection System), and you can specify exactly what you'd like to do (action) for any given situation (alarm, drop, reset, etc.) for the originating IP.
Your PIX would be at the endmost point of connection before going out to the Internet; it should handle all the incoming threats. Otherwise you're leaving a device outside the trusted network and leaving it unsecured.
Ideal setup would be Pix > Router > Switch > PC's -- your mileage may vary.
I'm taking my NetAcademy Final on Pix Firewalls so I won't claim to be an expert but I'd be happy to help where needed.
gbock
May 8 2006, 04:52 PM
Hogie, I believe you have two options for HSRP redundancy. You only have one switch, right? We would most likely VLAN your switch with a public and private side. Leave your two drops and the firewall public interface on one VLAN and put the firewall backend port and the servers on another VLAN. You can also get two PIXs (sp?) that support failover, but the first option is probably your best bet. Do you want to do public NAT? You may need another small block (/29) for the public interface if you do not want to use private subnets for NAT.
nForcer
May 8 2006, 05:00 PM
Pix Failover...man that starts to get expensive!
Depending on how many interfaces, or actually, what type of Pix you can install, you can do all sorts of additional things.
Unless you know the command line, become familiar with PDM, as it's gotta be the best GUI I've ever used with a Cisco device. SDM (router IOS) has a few nice features, but PDM does so much more it's not funny.
Hogie
May 8 2006, 05:16 PM
Our cabinet only has a switch in it. We have dual uplinks to the routers, but it is all TP equipment. Our servers are directly plugged into that switch.
For #2, I mean I want to block the windows ports (139, 445, etc), but leave the game ports open by default.
Then for #3, I'm talking about when I get a complaint that someone is DoSing their server, I could call/open a ticket and just have the PIX drop all traffic to/from the IP(s) that is causing the problems. I don't need fancy IDS or anything, just a packet filter.
nForcer
May 8 2006, 06:36 PM
You can block ports at the switch level, and depending on what type of router it is, you can even block them there. Hell, if you have an Advanced Security IOS router, you can do DDoS mitigation there as well. No need for a PIX.
IDS is a packet filter, btw, and would have to be enabled in order to mitigate DDoS attacks. What you could do is set up an SSH over VPN tunnel to allow you access to the PIX, then just add the IP to a list of DENY statements and away you go.
JUST remember to add a permit any any statement, otherwise all traffic gets denied if an ACL is created.
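The ordering point made twice above (a PIX ACL is first-match with an implicit deny at the end, so option B only works if "permit ip any any" is the last line, and a blacklist entry has to sit above it) is easy to get wrong when typing into a live box. The following is an added example, not configuration from this thread or from Cisco: a small first-match evaluator in Python over a constructed ACL that denies the Windows ports and permits everything else, with a blacklist helper that inserts the deny above the permit-any. The addresses, port numbers and the PIX 6.x-style rendering syntax are assumptions for illustration; check the rendered lines against your own release before pasting them anywhere.

```python
"""Toy first-match evaluator for a PIX-style inbound ACL.

Constructed example: the ACL, addresses and sample packets below are
made up for illustration; none of this is configuration from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches everything, else "tcp" / "udp"
    src: str                     # "any" or a CIDR such as "203.0.113.0/24"
    dst: str                     # same
    dport: Optional[int] = None  # None = any destination port


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; no match at all means the implicit deny."""
    for rule in acl:
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if not (_addr_matches(rule.src, src) and _addr_matches(rule.dst, dst)):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"


def blacklist(acl: List[Rule], cidr: str) -> List[Rule]:
    """Block a host or range: the deny must sit *above* permit ip any any."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [Rule("deny", "ip", str(net), "any")] + list(acl)


def render(name: str, acl: List[Rule]) -> List[str]:
    """Render as PIX 6.x-style access-list lines (assumed syntax, verify on your release)."""
    def addr(spec: str) -> str:
        if spec == "any":
            return "any"
        net = ipaddress.ip_network(spec, strict=False)
        if net.num_addresses == 1:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.netmask}"

    lines = []
    for r in acl:
        port = f" eq {r.dport}" if r.dport is not None else ""
        lines.append(f"access-list {name} {r.action} {r.proto} {addr(r.src)} {addr(r.dst)}{port}")
    return lines


WINDOWS_PORTS = (135, 137, 138, 139, 445)


def windows_deny_rules() -> List[Rule]:
    rules = []
    for p in WINDOWS_PORTS:
        rules.append(Rule("deny", "tcp", "any", "any", p))
        rules.append(Rule("deny", "udp", "any", "any", p))
    return rules


# Option B from the thread: deny the Windows ports, then permit everything else.
OUTSIDE_IN = windows_deny_rules() + [Rule("permit", "ip", "any", "any")]
# The same list without the trailing permit: only the implicit deny is left.
FORGOT_PERMIT = windows_deny_rules()

# Constructed sample traffic (documentation ranges, not real hosts).
GAME_SERVER = "192.0.2.10"
PLAYER = "198.51.100.7"
ATTACKER = "203.0.113.5"

if __name__ == "__main__":
    print(evaluate(OUTSIDE_IN, "udp", PLAYER, GAME_SERVER, 27015))     # permit
    print(evaluate(OUTSIDE_IN, "tcp", PLAYER, GAME_SERVER, 445))       # deny
    print(evaluate(FORGOT_PERMIT, "udp", PLAYER, GAME_SERVER, 27015))  # deny
    blocked = blacklist(OUTSIDE_IN, ATTACKER + "/32")
    print(evaluate(blocked, "udp", ATTACKER, GAME_SERVER, 27015))      # deny
    print(evaluate(blocked, "udp", PLAYER, GAME_SERVER, 27015))        # permit
    print("\n".join(render("outside_in", blocked)))
```

Run it as a script to see the three outcomes side by side: the game traffic is permitted with the trailing permit-any, denied without it, and a blacklisted source is denied only because its entry was inserted at the top rather than appended after the permit.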
Hogie
May 8 2006, 08:15 PM
That's the thing, we don't have control of the router or the switch. It came with the cabinet. Our cabinet has a Cisco 2450t (I think that's the model) with dual uplinks back to the routers/whatever. We just plug our servers into the router.
However, after some private messages with gbock, I think we will see about setting up 2 VLANs on the switch, one with the uplinks and say 2 more ports, and another VLAN with just the other ports. This way I can put a bridge in the middle (say, with OpenBSD running on it), that I can just go into and add blocking rules. This has run well for me for over 4 years with my home connection, but then again I didn't have over 2 Mbps going over it at a time.
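For the OpenBSD bridge plan, the two things asked for in this thread (Windows ports closed by default, everything else open, and a single place to drop traffic to and from an abusive IP quickly) map onto a pf table plus a couple of quick block rules. The ruleset below is an added example, not anything posted in the thread; the interface names, the server range, the game port range and the blocklist file path are assumptions, and the bridge interface itself is created outside pf.

```pf
# /etc/pf.conf on the filtering bridge (added example; assumed names)
ext_if  = "em0"                      # member facing the uplink VLAN
int_if  = "em1"                      # member facing the server VLAN
servers = "{ 192.0.2.0/27 }"         # assumed public server range
game_ports = "{ 27015:27030 }"       # assumed game port range
win_ports  = "{ 135, 137:139, 445 }" # Windows ports to keep closed

# Single place for blacklisted sources; survives reloads because of the file.
table <blocklist> persist file "/etc/pf.blocklist"

set skip on { lo $int_if }           # filter once, on the uplink-facing member

# Abuse sources first: "quick" stops evaluation so no later pass can undo it.
block quick from <blocklist>
block quick to   <blocklist>

# Windows ports closed toward the servers, regardless of later pass rules.
block in quick on $ext_if proto { tcp, udp } to $servers port $win_ports

# Everything else stays open, as the original poster wanted.
pass in  on $ext_if proto { tcp, udp } to $servers port $game_ports
pass in  on $ext_if
pass out on $ext_if
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. When a complaint comes in, `pfctl -t blocklist -T add 203.0.113.5` drops the source immediately and `pfctl -t blocklist -T delete 203.0.113.5` lifts it; add the address to /etc/pf.blocklist as well if it should survive a reboot. One caveat: a table entry only affects new state lookups, so a flood that already has state entries keeps flowing until those states are killed with `pfctl -k 203.0.113.5`.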