CiscoSecure PIX Firewall Technology
The Cisco Secure PIX Firewall series,
formerly PIX Firewall, is the top of the firewall product
line within the Cisco firewall family, offering high-performance,
enterprise-class implementations. The PIX-integrated hardware/software strategy
provides high security with minimal impact on network performance. The Cisco
Secure PIX Firewall series is both a key component of the Cisco end-to-end
security strategy and a leader in the firewall market.
Key features of the Cisco Secure PIX Firewall Series include the following:
- Non-UNIX, secure, real-time, embedded system: A single-purpose-built firewall appliance that uses a proprietary, hardened OS, which eliminates security risks associated with general-purpose OSs. By not having to compromise to support other server services and features, the Cisco Secure PIX Firewall series can deliver superior performance of up to 500,000 simultaneous connections and nearly 1.7 Gigabits per second (Gbps) aggregate throughput, dramatically greater than any UNIX-based firewall.
- Adaptive Security Algorithm (ASA): ASA is a stateful, connection-oriented technology, which is less complex and more robust than ACL-based packet filtering while offering higher performance and better scalability than proxy firewalls. ASA creates and maintains extensive state tables of session flows that include source and destination addresses, randomized TCP sequence numbers, port numbers, and additional TCP flags. To be considered part of an "established" session, traffic must be consistent with these connection table entries.
- Cut-through proxy: Using CiscoSecure Access Control Server (ACS), this patent-pending method of authentication and authorization offers improved performance advantages over other systems.
- PIX Firewall Manager: This Java-based, graphical user interface (GUI) configuration tool provides centralized configuration and management of firewall security policies. The tool can provide configuration information common to all system PIX Firewalls, built-in per-user accounting reports showing web sites visited and volume of files transferred, and automatic real-time alerts using e-mail or pager notification for any attempts to breach the firewall.
- Standards-based VPN support: The PIX Firewall IPSec encryption card is easily installed in the user PC and provides easy-to-use connections for mobile users and remote sites to the corporate network over the Internet or other public IP networks. Triple DES (3DES)-based VPN throughput can be scaled to nearly 100 Mbps using the PIX VPN Accelerator Card (VAC), which offloads CPU-intensive encryption/decryption processes to specialized cryptographic coprocessors.
- URL filtering: URL filtering uses NetPartners WebSENSE software to check outgoing URL requests against the policy defined on a local WebSENSE server (Windows or UNIX). Any connection requests matching web-site characteristics defined as inappropriate are denied. PIX Firewall performance isn't impacted because the filtering is performed on a separate server.
- Failover/hot standby: Two PIX Firewalls running in parallel provide redundancy both for failure of the primary firewall and during system maintenance or upgrades. Network traffic can be automatically sent to a hot standby unit in case of a failure, while maintaining concurrent connections via automated state synchronization between the primary and standby units.
STUDY TIP: Technology changes and improvements come out all the time, so be less concerned with feature details, such as maximum throughput and numbers of interfaces. From a practical standpoint, recognize that in the field, some features might not be implemented on earlier OS versions or device models.
PIX Adaptive Security Algorithm
The key to Cisco Secure Firewall technology is the ASA. Like other stateful technologies, ASA stores key information from outgoing packets, which is then used to screen returning packets. As with others, source and destination addresses and port information are stored, but then randomized TCP sequence numbers are generated and, together, are encrypted into a "signature" used to evaluate new packets. These randomized TCP sequence numbers make hacking considerably more difficult than the often-sequential incrementing used by most systems. These random sequence numbers and encryption create a secure stateful connection system that's both efficient and fast.
No inbound traffic is allowed unless specifically accepted as part of an existing flow in the state table, or included in a conduit or access list definition. For example, all inbound ICMP packets are blocked unless specifically permitted by the conduit permit icmp command.
ASA Security Levels
PIX Firewalls have two or more interfaces, each assigned a security level. Basic PIX ASA operation allows data to travel freely from interfaces with higher security values to interfaces with lower security values. Any two interfaces should have a security level difference that defines the natural flow of data. Data can't flow from a lower security value to a higher value unless a specifically configured static tunnel or conduit is created.
STUDY TIP: PIX Firewall releases since 5.1.2 use access lists instead of static and conduit commands. While this is fine for the Advanced PIX exam, the MCNS exam still includes questions that refer to these earlier commands.
The range of security levels is 0 to 100, with 100 as the most
trusted and, therefore, reserved for the inside interface. The lowest trust
level is 0, which is reserved for the outside interface. With 0 security level,
any hosts accessing the network via the outside interface require explicit
permission; otherwise, they’ll be rejected. On the simplest two-interface
firewall, the inside interface would be assigned a security value of 100 by
default, while the outside interface would be assigned 0.
Security levels 1 to 99 are used for protected DMZ interfaces. If the PIX device has a single protected DMZ interface, the security level would be configured between the inside and outside levels, such as 50. Figure 17-1 shows the interfaces just described. With this setting, packets originating from the inside interface could flow to the DMZ. DMZ packets could reply to inside requests, but couldn't originate new traffic to the inside without static tunnels, conduits, or access lists being created. DMZ-originated packets can travel to the outside, which is handy for servers, such as e-mail and DNS servers, which must periodically communicate with the outside world. With multiple protected DMZ interfaces, planning the security-level assignments to make sure traffic flows as intended is important. Two DMZ interfaces with the same security level wouldn't allow flows between them, except with special configuration. Traffic only flows from a higher to a lower security level without assistance.
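The ASA behaviour described in this section and the preceding one can be traced in a small model: traffic from a higher to a lower security level opens a state-table entry (with a randomized initial sequence number recorded alongside the 5-tuple), return traffic is admitted only when it matches an existing entry, and everything else is denied unless a conduit or access-list entry explicitly permits it. The following Python is an added example, not PIX code or anything from Cisco; the interface names, security levels, addresses, the `Packet` shape and the `permit` helper that stands in for conduit/access-list entries are all assumptions constructed for illustration.

```python
"""Toy model of the PIX Adaptive Security Algorithm (ASA) decision logic.

Added illustration, not Cisco code: interface names, security levels,
addresses and the 'permit' helper are constructed for this example.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrives on
    out_iface: str  # interface it would leave on
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # 0 for ICMP, which has no ports
    dport: int = 0


class PixAsa:
    """Stateful, direction-aware packet screening driven by security levels."""

    def __init__(self, levels):
        self.levels = dict(levels)  # interface name -> security level 0..100
        self.flows = {}             # 5-tuple -> randomized initial sequence number
        self.permits = []           # explicit conduit / access-list entries

    def permit(self, in_iface, proto, dst="any", dport=None):
        """Model a 'conduit permit' / 'access-list permit' for an inbound interface."""
        self.permits.append((in_iface, proto, dst, dport))

    def _explicitly_permitted(self, pkt):
        for in_iface, proto, dst, dport in self.permits:
            if in_iface != pkt.in_iface or proto != pkt.proto:
                continue
            if dst not in ("any", pkt.dst):
                continue
            if dport is not None and dport != pkt.dport:
                continue
            return True
        return False

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _open_flow(self, pkt):
        # A randomized ISN is stored with each flow, mirroring the
        # sequence-number randomization the text describes.
        self.flows[self._key(pkt)] = secrets.randbelow(2 ** 32)

    def process(self, pkt):
        """Return a verdict string whose first word is 'allow' or 'deny'."""
        if self._key(pkt) in self.flows or self._reverse_key(pkt) in self.flows:
            return "allow: part of an existing flow"
        src_level = self.levels[pkt.in_iface]
        dst_level = self.levels[pkt.out_iface]
        if src_level > dst_level:
            # Higher -> lower security is the natural direction; record state
            # so the reply packets can come back through.
            self._open_flow(pkt)
            return "allow: higher to lower security level, flow recorded"
        if self._explicitly_permitted(pkt):
            self._open_flow(pkt)
            return "allow: explicitly permitted by conduit/access list"
        # Lower -> higher, or two interfaces at the same level, with no permit.
        return "deny: no matching flow and no explicit permission"


def build_demo():
    """Constructed three-interface firewall: inside 100, dmz 50, outside 0."""
    return PixAsa({"inside": 100, "dmz": 50, "outside": 0})


if __name__ == "__main__":
    fw = build_demo()
    # Constructed sample traffic (documentation address ranges).
    request = Packet("inside", "outside", "tcp", "10.1.1.10", "198.51.100.20", 40000, 80)
    reply = Packet("outside", "inside", "tcp", "198.51.100.20", "10.1.1.10", 80, 40000)
    probe = Packet("outside", "inside", "tcp", "198.51.100.99", "10.1.1.10", 5555, 445)
    ping = Packet("outside", "inside", "icmp", "198.51.100.99", "10.1.1.10")
    for p in (request, reply, probe, ping):
        print(fw.process(p))
    fw.permit("outside", "icmp")  # the equivalent of 'conduit permit icmp any any'
    print(fw.process(ping))
```

Running the block prints the verdicts for an outbound web request, its reply, an unsolicited inbound connection attempt, and an inbound ICMP packet before and after an explicit permit. Equal security levels fall through to the deny branch, which is why two DMZ interfaces at level 50 cannot talk to each other without extra configuration.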
The PIX Firewall device using ASA technology and NAT features
while working in tandem with a properly configured perimeter router can create
an impenetrable barrier to attacks from the outside world.
The PIX Firewall Family
Cisco PIX 500 Series Firewalls security appliances are
famous for high levels of security, performance, and reliability. These devices
provide a solid package of security services, including stateful firewall
inspection, standards-based IPSec VPN, intrusion protection, and much more in
several platforms to meet the needs of the smallest office to the largest
enterprise.
The following material identifies the target audience for each of
the platforms with feature and performance indicators gleaned from current Cisco
marketing materials.
Note: It's important to understand that the actual features and capacities might be dependent on hardware configurations and, more important, the software licensing purchased. Just as with its routers, Cisco offers various software licenses that support certain features and possibly performance enhancements. As with network OSs, the price typically goes up with increased services and the number of users or connections supported. Also like other OSs, router and firewall software licenses are subject to audit and antipiracy enforcement.
Cisco PIX 535 Firewall
The latest and biggest PIX model—the 535—is designed for the
largest Enterprise and Service Provider implementations, providing over 1 Gbps
of firewall throughput, plus the capability to handle up to 500,000 concurrent
connections. Some PIX 535 models include stateful high-availability
capabilities, as well as integrated hardware acceleration for VPN, providing up
to 95 Mbps of 3DES VPN and support for 2,000 IPSec tunnels. The PIX 535 is a
modular chassis with support for up to 10 10/100 Fast Ethernet interfaces or 9
Gigabit Ethernet interfaces.
Cisco PIX 525 Firewall
The 525 was designed for Enterprise and Service Provider
environments, providing over 360 Mbps of firewall throughput, plus the
capability to handle up to 280,000 concurrent connections. Some PIX 525 models
include stateful high-availability capabilities, as well as integrated hardware
acceleration for VPN, providing up to 70 Mbps of 3DES VPN and support for 2,000
IPSec tunnels. The PIX 525 is a modular chassis with support for up to eight
10/100 Fast Ethernet interfaces or 3 Gigabit Ethernet interfaces.
Cisco PIX 515E Firewall
The latest version of the 515 platform is the 515E, where
the E stands for enhanced services. The 515s were designed
for small-to-medium business and enterprise environments, providing up to 188
Mbps of firewall throughput with the capability to handle as many as 125,000
simultaneous sessions. Some PIX 515E models include stateful high-availability
capabilities, as well as integrated support for 2,000 IPSec tunnels. The PIX
515E is a modular chassis with support for up to six 10/100 Fast Ethernet
interfaces.
Cisco PIX 506E Firewall
Another E series improvement—the
506E—was designed for branch office implementations, providing up to 20 Mbps of
firewall throughput and 16 Mbps of 3DES VPN throughput. The PIX 506E is a fixed
interface desktop unit with two autosensing 10 Mbps RJ-45 interfaces. The 506E
model has two optional encryption software license options (168-bit 3DES and
56-bit DES), available either at purchase time or as an upgrade.
Cisco PIX 501 Firewall
The 501 was designed for the telecommuter or small office,
providing up to 10 Mbps of firewall throughput and 3 Mbps of 3DES VPN
throughput. The PIX 501 is a full-fledged member of the PIX family supporting
state-of-the-art security with plug-and-play simplicity. The PIX 501 is a fixed
interface desktop unit with one 10 Mbps interface for the outside and an
integrated 4-port Fast Ethernet (10/100) switch for inside use. The optional
software licenses for the 501 include the following:
The following model information is intended to demonstrate this
diversity rather than to imply any test objective. As with any rapidly changing
technology, going to the Cisco web site is always best—http://www.cisco.com—and either
select products or perform a search on PIX Firewalls to see the latest offerings
and technical specifications. The current offerings are summarized in the
following table:
* VPN Accelerator Card (VAC) support
** One 10 Mb interface (outside) and a four-port 10/100 Mb switch (inside)
In addition, several earlier PIX models still exist,
including the Classic, 10000, 510, and 520 protecting networks around the world.
Full documentation for each is on the Cisco web site, and, while most can be
upgraded to support newer features, the latest features often aren’t supported
because of hardware limitations.
Interface Modules
The larger PIX models, beginning with the 515, allow
additional interface modules for creating additional connections. These modules
can include a single RJ-45 or fiberoptic interface, or up to four RJ-45
interfaces. You need to check the current Cisco documentation to verify support
for specific modules and to see which slots they can occupy. Slot placement will
also impact interface designations. The PIX 535, with nine slots connecting to
three different buses at two different speeds, requires special attention.
While PIX 520 and higher devices can support Token Ring and FDDI interfaces, as well as 10/100 Mbps Ethernet, PIX OS version 5.3 is the last to support these aging technologies. The 525 and 535 devices also support Gigabit Ethernet interfaces.
Restricted (R) Software License
The larger PIX models, beginning with the 515, offer a lower
cost, reduced-connections model, called a Restricted model, with a product
notation like PIX 515E-R. Typically the R models support fewer connections and interfaces, and
contain less memory.
Unrestricted (UR) Software License
The larger PIX models, beginning with the 515, offer
Unrestricted models with a product notation like PIX 515E-UR. Typically, the UR models support
more connections and interfaces, contain more memory, and support expanded
capabilities, such as stateful failover.
Failover (FO) Software License
The larger PIX models, beginning with the 515, offer
Failover models with a product notation like PIX 515E-FO.
These units are stateful failover units designed for use with a same platform
unrestricted (UR) device. With the same hardware configuration as the Cisco PIX
UR unit, the FO unit operates in Hot Standby mode, acting as a complete
redundant system that maintains current sessions. The discount pricing for the
failover units provides a highly cost-effective, high-availability solution.
EXAM TIP: The exam covers only the 515 and larger devices; but because the OS and the commands are the same, don't overlook the 501 and 506 units as lower-cost units on which to practice basic commands.
Tested and Certified
PIX Firewalls provide high levels of security. They’ve been
tested and certified to meet certain levels of quality, reliability, and
trustworthiness by the leading security organizations, including TruSecure’s
ICSA Firewall and IPSec certification, and the independent Common Criteria
Evaluation Assurance’s EAL4 rating. The Common Criteria EAL4 certification
requires in-depth analysis of product design and development methodology, backed
by extensive testing.
The Common Criteria for Information Technology Security Evaluation (CCITSE) is a set of evaluation criteria agreed to by the United States National Security Agency/National Institute of Standards and Technology, and equivalent bodies in 13 other countries. The organization's role is to resolve the technical and conceptual differences in existing standards for the evaluation of security systems and products. Common Criteria version 2.1 recently became an international standard, ISO 15408.
PIX Firewalls support a wide range of security and networking
services, including Network Address Translation (NAT), Port Address Translation
(PAT), DHCP client and server, AAA (both TACACS+ and RADIUS) integration,
content filtering (Java/ActiveX), URL filtering, PPP over Ethernet (PPPoE), and
Public-Key Infrastructure X.509. PIX Firewall devices support security services
for multimedia applications and protocols, including Voice over IP (VoIP),
H.323, SIP, Skinny, and Microsoft NetMeeting to allow organizations to securely
implement next-generation converged network technologies.
VPN Support
PIX Firewall support enables users to extend their networks
safely with secure VPNs to include telecommuters, branch offices, and even trade
or industry partners, vendors, and suppliers. PIX Firewalls support a wide range
of remote access VPN clients, including Cisco software VPN clients (available
for Windows 95/98/NT/2000/ME/XP, Linux, Solaris UltraSparc-32bit, and Apple
Macintosh OS X) and Cisco hardware VPN clients (such as the VPN 3002), as well
as PPTP and L2TP clients found within Microsoft Windows OSs.
PIX Management Options
PIX Firewall devices support Cisco’s familiar command-line
interface (CLI) using access methods including Telnet, Secure Shell (SSH), and
an out-of-band console port. While not identical to the router CLI, the
differences represent no greater challenge than those encountered when working
with Cisco switches.
Administrators can choose from a variety of other solutions for
remotely configuring, monitoring, and troubleshooting PIX Firewall devices.
These solutions range from an integrated, web-based management interface (PIX
Device Manager) to centralized, policy-based management tools. The PIX devices
support remote monitoring protocols, such as Simple Network Management Protocol
(SNMP) and support Syslog logging features.
Cisco PIX Device Manager (PDM) features an easy-to-use GUI
and the capability to provide real-time and historical reports on use trends,
performance baselines, and security events. PDM is covered in detail in Chapter
22.
Cisco Mobile Office Support
The PIX Firewall Series supports the Cisco Mobile Office
strategy to extend the corporate network by offering high bandwidth and complete
access through both wired and wireless solutions. The three components of the
Cisco Mobile Office include On The Road, At Home, and At Work. Together, they
help to create a network that’s secure, flexible, highly manageable, and
scalable, and that increases productivity.
For more information, go to http://www.cisco.com/go/mobileoffice.
Cisco Catalyst 6500 Implementation
Cisco has introduced a PIX Firewall implementation—the
Firewall Services Module (FWSM)—bringing firewall protection services to the
Catalyst 6500 family of IP switches that already support intrusion detection and
VPNs, along with multilayer LAN, WAN, and MAN switching capabilities. The FWSM
is completely VLAN-aware, offers dynamic routing, and is a fully integrated
module within the Cisco Catalyst 6500 Series switches.
FWSM is based on Cisco PIX Firewall technology and, therefore, offers the same security and reliability as the PIX security appliances. In addition, the FWSM capitalizes on the strengths of the Catalyst system to create the industry's highest-performance firewall solution, providing 5 Gbps of throughput per module and scaling to 20 Gbps of bandwidth with multiple modules. The module is based on network processor technology, allowing feature enhancements via software download.