A list of the current features of the Cisco PIX Firewall product follows:
■ State-of-the-art Adaptive Security Algorithm (ASA) and stateful inspection firewalling.
■ Cut-through proxy authenticates and authorizes connections, while enhancing performance.
■ Easy-to-use web-based interface for managing PIX Firewalls remotely; using the web-based interface is not a suggested practice by Cisco for medium to large networks.
■ Support for up to 10 Ethernet interfaces ranging from 10BASE-T, 10/100 Fast Ethernet to Gigabit Ethernet.
■ Stateful firewall failover capability with synchronized connection information and product configurations.
■ PAT further expands a company's address pool—one IP address supports 64,000 hosts.
■ Support for IPSec and L2TP/PPTP-based VPNs.
■ Support for high-performance URL filtering via integration with Websense-based URL filtering solutions.
■ Mail Guard removes the need for an external mail relay server in the perimeter network.
■ Support for broad range of authentication methods via TACACS+, RADIUS, and Cisco Access Control Server (ACS) integration.
■ Domain Name System (DNS) Guard transparently protects outbound name and address lookups.
■ Flood Guard and Fragmentation Guard protect against DoS attacks.
■ Support for advanced Voice over IP (VoIP) standards.
■ Java blocking eliminates potentially dangerous Java applets (not compressed or archived), extending AAA capabilities.
■ Net Aliasing transparently merges overlapping networks with the same IP address space.
■ Capability to customize protocol port numbers.
■ Integration with Cisco IDSs for shunning connections of known malicious IP addresses.
■ Enhanced customization of syslog messages.
■ Simple Network Management Protocol (SNMP) and syslog for remote management.
■ Reliable syslogging using either TCP or UDP.
■ Extended transparent application support (both with and without NAT enabled) includes the following:
— Sun Remote Procedure Call (RPC)
— Microsoft networking client and server communication (NetBIOS over IP) using NAT
— Multimedia, including RealNetworks' RealAudio, Xing Technologies' Streamworks, White Pines' CuSeeMe, Vocal Tec's Internet Phone, VDOnet's VDOLive, Microsoft's NetShow, VXtreme Web Theatre 2; and Intel's Internet Video Phone and Microsoft's NetMeeting (based on H.323 standards)
— Oracle SQL*Net client and server communication
■ PAT for H.323 and Session Initiation Protocol (SIP)
■ Dynamic Host Configuration Protocol (DHCP) server support for Cisco IP Phones
■ Internet Locator Service (ILS) fixup
Cisco also publishes loopholes found in PIX Firewall software, such as the PIX Mail Guard feature, which was designed to limit SMTP messages but can be exploited by intruders. You can find the Cisco publications at http://www.cisco.com/en/US/partner/products/ products_security_advisories_listing.html.
NOTE When troubleshooting why certain applications such as SMTP mail or L2TP (TCP 1701) tunnels are not working, a good starting point is always to look at which TCP or UDP ports are filtered by the PIX Firewall, because, by default, you must configure any TCP/UDP ports you will permit through the PIX Firewall with the conduit or static translations commands.
CCSP Self-Study: Cisco Secure PIX Firewall Advanced (CSPFA), 2nd Edition, by Behzad Behtash (Cisco Press, ISBN 1587051494), is an excellent resource if you want to learn more about the PIX Firewall.
Was this article helpful?