I need to find a firewall that will give me 1 LAN port, and 5-7 DMZ ports.
I have a requirement to replace some FreeBSD systems that are used to run some testing equipment. It is essential that the DMZ ports cannot communicate with each other, but the LAN port can communicate with everyone. That way a user on the LAN can connect to the test systems, but the test systems are isolated entirely and cannot interfere with each other.
One of the DMZs will be connected to a VMware ESXi server, one to a standard server, and the rest to various types of equipment.
The LAN port will be connected to the corporate LAN switch.
Sorry if I am a little vague, I am just trying to work all this out myself! Currently we have a FreeBSD box configured, but the quad port NICs are pretty expensive, and the PC itself is old, so I would prefer to replace it with a dedicated piece of kit which can do the same job, but more reliably! These test rigs are used all over the place, and get moved quite often, so I am aiming for Cisco kit for ease of configuration and reliability of the hardware itself.
Thanks
One of the Cisco 55xx series ASA hardware firewalls should be what you're after.
You should probably have a good look through their various specifications and choose the one that gives you the right feature set. (It's difficult for me to do this, not knowing your exact set up currently). Also choose one which will give you room to expand in the future.
If I had to guess, I'd say to choose the 5520 or 5540 models.
If you want High Availability, you'll need 2 of these, that support Active/Standby configuration. This is supported by models 5520 and above.
You might be able to save some money by having the DMZ ports on a VLAN which is then distributed by a managed switch. That way, you could trunk multiple DMZs' traffic over a single port, with a virtual interface. (You could do this on your FreeBSD box too, which might save you having to have a quad port server NIC.) [YMMV on this bit though]
I'll elaborate on what Kyle's describing:
You need a firewall that understands 802.1q vlan tagging. Ideally it will have at least one gigabit interface.
You need a switch that also speaks 802.1q vlan tagging.
Now -- configure each of your DMZs and associate each DMZ with a different 802.1q tag, let's say the tags are 10, 20, 30, and 40.
Now, add all those tags to one interface on the firewall (thus creating a "VLAN trunk") and run that "trunk" to a switch that also has those VLAN tags associated with that port.
Now, put several other interfaces untagged on each VLAN and connect those untagged ports to the host computers.
Now your firewall has exclusive access to all the tags and can enforce ACLs that prevent one subnet from accessing any other DMZ subnet.
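A concrete version of the trunk layout described above, added here as an illustration and not something posted in this thread: ASA subinterfaces for the four tags, and the matching Catalyst switch configuration with one untagged access port per DMZ. The interface names, the 192.168.1.0/24 and 10.10.x.0/24 addressing, the security levels and the spare VLAN 999 are all assumed values chosen for the example.

```text
! === ASA (5520-class, 8.x syntax): one physical trunk, one subinterface per DMZ ===
interface GigabitEthernet0/0
 description Corporate LAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description 802.1q trunk to switch Gi0/1 (no IP on the physical port)
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 description DMZ for the ESXi host
 nameif dmz10
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz20
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif dmz30
 security-level 50
 ip address 10.10.30.1 255.255.255.0
!
interface GigabitEthernet0/1.40
 vlan 40
 nameif dmz40
 security-level 50
 ip address 10.10.40.1 255.255.255.0
!
! Isolation comes from the security levels. The ASA drops traffic between
! two interfaces at the same security level unless the following line is
! present, so deliberately leave it OUT of the running config:
!   same-security-traffic permit inter-interface
! inside (100) -> dmzNN (50) is permitted by default and return traffic is
! tracked statefully, so LAN users can reach every rig, but a rig cannot
! open a connection to the LAN or to another DMZ without an explicit ACL.

! === Catalyst switch (IOS): trunk to the ASA, one untagged access port per DMZ ===
vlan 10
 name DMZ-ESXi
vlan 20
 name DMZ-server
vlan 30
 name DMZ-rig3
vlan 40
 name DMZ-rig4
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet0/1
 description trunk to ASA Gi0/1
! The encapsulation line is only needed (and only accepted) on switches
! that also support ISL, such as the 3560/3750; a 2960 rejects it.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
! Use a native VLAN that no access port belongs to, so untagged frames on
! the trunk go nowhere useful and double-tagging tricks have no foothold.
 switchport trunk native vlan 999
! Disable DTP so a connected host cannot negotiate itself into a trunk.
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description ESXi host (VLAN 10, untagged)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
! Repeat the Gi0/2 stanza for Gi0/3..Gi0/5 with access vlan 20, 30 and 40.
```

Both halves are needed for the isolation to hold: the switch only carries each DMZ as a separate tag, and the ASA is the single point where the four tags meet, so the "no inter-DMZ traffic" policy lives in one place (the same-security default) rather than in per-port rules scattered across the switch.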
Depending on your security needs, if you have a good modern switch you can make each DMZ a VLAN and just use one port, and then have the rules separating each DMZ on the router.
There are arguments against this though; there used to be ways to bypass VLANs (VLAN hopping), but I think there is nothing current. Also, a misconfiguration of the switch could lead to a security hole.