Securely Networking a File Server

Discussion in 'Hardware' started by mgookin, Sep 26, 2012.

  1. GTS

    I run the ASA 5505 at home and use the larger ones frequently at work.

    The 5505 runs the same enterprise grade software as all the other ASAs (except some of the newer high-end multi GB throughput ASA-X firewalls), so you are getting a rock solid, feature-rich firewall; this is not a consumer/retail type of firewall. The flip side of this is that it is complicated, there are many options and it's not like a typical web-based SOHO/residential firewall, although I suspect folks with a moderate level of network experience should be able to set one up. I'd be happy to help anyone here who needs it.

    The 10 user license refers to 10 internal users (devices) that will traverse the firewall (outbound), so you can have as many internal only users as you like but only 10 can have outbound connections through the firewall at any given time. Note there are other ASA 5505 options, and if you start with the 10 user license you can upgrade later to either the 50 user or unlimited user license via a soft upgrade (license string), but it's not cheap so I would start with the right number of licenses to begin with. The unlimited user version also has full DMZ support if that is something that interests you.

    You do not have to pay any subscription fees to use it.

    If you're looking to save money I'd check out used/refurb units on eBay. I believe Cisco gives you limited support when new, so the difference between buying new vs. used isn't that significant.
     
    #11     Sep 30, 2012
  2. dcvtss

    Really? Only 10 outbound connections through the firewall? Are you sure it's not 10 IPSec vpn connections? That's how I read it.

    I'd rather take an old computer and put another NIC in it and run OpenBSD using pf (http://www.openbsd.org/faq/pf/) for my firewall. Not only do you get the most secure OS out there (there have been zero, yes zero, security vulnerabilities in the last 3 versions, about a year and a half), you get real routing (BGP, OSPF) capability, great built-in IPsec tools and, because it is a full-fledged Unix operating system, it can be used for a variety of other infrastructure tasks like DNS, DHCP, and as an MTA using OpenSMTPD (no sendmail configuration!). You could even use it for your file server if you wanted. It is also completely free to use, for any purpose. The downsides are that it is not newbie friendly: configuration is done via the command line and conf files, and there are no point-and-click or web configuration interfaces. Using an old computer can lead to hardware problems as well, although this can be mitigated by using CARP and having a hot spare.

    I realize that rolling your own is not for everyone, but I have never been a big fan of the PIX/ASA devices. They don't have a stellar security record, especially for a security device (http://web.nvd.nist.gov/view/vuln/search-results?query=cisco+asa+&search_type=last3years&cves=on), and they have business-driven, broken-by-design arbitrary limitations like the VPN user limit, à la Microsoft terminal server.

    If it has to be a commercial product I suggest looking at Juniper's SSG series as an alternative.
     
    #12     Sep 30, 2012
  3. GTS

    It's not 10 outbound connections, it's 10 outbound internal IP addresses; those 10 users can have as many outbound connections as they like.

    Remember, this is the lowest end offering, designed for a SOHO or a remote office with just a handful of users where the 10 user license is fine ... anything more and you should be looking at the 50 user or unlimited license instead (or one of the more traditional rack-mounted ASA 55xx models).

    I believe you can have 25 IPsec VPN tunnels; here is what mine looks like with the Security Plus license:

    Licensed features for this platform:
    Maximum Physical Interfaces : 8
    VLANs : 20, DMZ Unrestricted
    Inside Hosts : Unlimited
    Failover : Active/Standby
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    SSL VPN Peers : 2
    Total VPN Peers : 25
    Dual ISPs : Enabled
    VLAN Trunk Ports : 8
    Shared License : Disabled
    AnyConnect for Mobile : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Phone Proxy Sessions : 2
    Total UC Proxy Sessions : 2
    Botnet Traffic Filter : Disabled

    I don't really want to get into a firewall vendor debate on ET, but you need to look beyond the count of bugs; you need to look at the type/conditions. I use multiple vendor products, not just Cisco, and I wouldn't recommend Juniper in this case. Rolling your own is fine if you enjoy it, but otherwise it's unlikely it's worth the time you will need to invest versus buying a commercial product.
     
    #13     Oct 1, 2012
  4. dcvtss

    Cool, I've been out of the networking device side of things for a while; back when I was in it I generally preferred Juniper, though it was in enterprise and carrier situations. Always good to get another perspective.
     
    #14     Oct 1, 2012
  5. I'm not so sure about that. It takes a bit of learning, but then again, should you really be implementing firewalls if you don't know what you are doing?

    In my experience you can build an $800 pfSense box that can compete with some pretty high-end Cisco, Juniper or even SonicWall boxes ($10k+++).

    For 2-3 times that price ($1,600-$2,400) you can have a fully redundant (CARP) setup with a spare on-hand ready to go.


    To get back to the OP's question: if you have a firewall solution you should be able to easily isolate a NAS/SAN from the internet or from specific users on the network. Even some cheap all-in-one units (like D-Link, Netgear, Drobo, etc.) **could** work in an office environment as long as you don't have super demanding needs.

    It's the same as a home file server where you have movies, music, photos, files, etc. If you have kids or multiple users you probably don't want your tax returns or adult movies/music (not porn, just that you don't want an 8-year-old kid seeing rated R movies) to be visible to the network. Similarly, many people don't want all of that exposed to the internet, so they keep it only on their LAN with no internet access. Your rules may be a little more complicated since it's not just two user groups, but it's essentially the same.
     
    #15     Oct 2, 2012
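    One way to write the isolation described in the post above as firewall rules, as an added example that is not from any poster in this thread: an OpenBSD pf.conf (pf being the firewall dcvtss mentioned) that keeps the file server off the internet and lets only one group of LAN hosts reach it. Interface names, subnets and host addresses are assumed for illustration.

    ```pf
    # Added example (not from any post in this thread): an OpenBSD pf.conf sketch
    # that keeps a file server off the internet and lets only chosen LAN hosts
    # reach it. Interface names and addresses are assumed for illustration.
    ext_if     = "em0"               # uplink to the ISP
    lan_if     = "em1"               # office/home LAN
    lan_net    = "192.168.10.0/24"   # constructed LAN subnet
    fileserver = "192.168.10.20"     # constructed address of the NAS/file server

    # Hosts allowed to reach the shared files (constructed addresses). With more
    # than two user groups, add one table per group and one pass rule per table.
    table <staff> const { 192.168.10.50, 192.168.10.51, 192.168.10.52 }

    set skip on lo0
    block log all                    # default deny; log what is dropped

    # The file server may answer LAN clients (stateful replies are already
    # allowed) but must never initiate anything beyond the LAN.
    block return in quick on $lan_if from $fileserver to ! $lan_net

    # Only <staff> may open SMB (TCP 445) to the file server. Other LAN hosts
    # never match a pass rule for it and fall through to the default deny.
    pass in quick on $lan_if proto tcp from <staff> to $fileserver port 445

    # Everyone on the LAN gets internet access, but the file server is excluded
    # from the general pass rule so it cannot be reached by non-staff hosts.
    pass in on $lan_if from $lan_net to ! $fileserver
    match out on $ext_if from $lan_net nat-to ($ext_if)
    pass out on $ext_if
    ```

    Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the `log` keyword on the default deny lets you confirm with `tcpdump -n -e -ttt -i pflog0` that blocked attempts to reach the file server are actually being dropped.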
  6. After hearing all the responses, I'm going to keep one system as it exists today. It is not connected to any network and it contains the critical files. There's no need for this information to be on the network.

    And I'll also set up another Win7 box on the network to store the files which are shared internally. These files are of no value to anyone else but necessary for the operation of the company. I'll set this up with an offsite backup (Carbonite style) so that we have business continuity in case of an adverse event.

    There are no internal threats at this time.

    Thanks to everyone for their input. It's nice to know this invaluable resource exists.
     
    #16     Oct 4, 2012