Cisco PIX Firewall

The Cisco Private Internet Exchange (PIX) Firewall and Cisco IOS Firewall feature set are designed to further enhance a network's security. The PIX Firewall prevents unauthorized connections between two or more networks. The latest versions of Cisco code for the PIX Firewall also perform many advanced security features, such as AAA services, access lists, VPN configuration (IPSec), FTP, logging, and Cisco IOS-like interface commands. In addition, the PIX Firewall can support multiple outside or perimeter networks in the DMZs.

NOTE When reading Cisco documentation about PIX Firewalls, realize that "inside networks" and "outside networks" both refer to networks to which the PIX Firewall is connected.

For example, inside networks are protected by the PIX Firewall, but outside networks are considered the "bad guys." Consider them as trusted and untrusted, respectively.

A PIX Firewall permits a connection-based security policy. For example, you might allow Telnet sessions from inside your network to be initiated from within your network but not allow them to be initiated into your network from outside your network.

The PIX Firewall's popularity stems from the fact that it is dedicated solely to security. A router is still required to connect to WANs, such as the Internet. Some companies use PIX Firewalls for internal use only where they might have sensitive networks, such as a payroll or human resources department.

Figure 6-3 shows a typical network scenario in which a PIX Firewall is implemented between an inside network and an outside network.

Although optional, it is recommended that you install the Cisco IOS Firewall software on the router directly connected to the Internet. The Cisco IOS Firewall feature set is discussed later in this chapter. Be aware that there are performance ramifications when enabling the Firewall feature sets.

Each connection through a PIX Firewall requires memory. You can support up to 7500 connections with 16 MB of RAM installed on a PIX Firewall; 32 MB of memory can support up to 25,000 connections; 256 MB can support up to 280,000 connections; and 1 GB can support up to 500,000 connections.

DMZs usually exist as part of a network that the Internet community or general public can access, such as a web, FTP, or SMTP server. For example, FTP servers allow external users to access public files, such as Cisco IOS Software files, which are available online at Your remaining servers are protected by the firewall typically with a third firewall interface called the DMZ.

Figure 6-3 Figure 6-3P1X Firewall Location


Protected Servers

Protected Clients

Outbound Connections OK


PIX Firewall

Cisco IOS Feature Set Enabled Router

No Direct Inbound Connections

Cisco IOS Feature Set Enabled Router

Internet Attached Router

Server 1



Internet Attached Router

Internet Accessible Server 2 Server

\ / BASTION Hosts


The PIX Firewall logic is engineered around the Adaptive Security Algorithm (ASA). Every inbound packet is checked against the ASA and against connection state information in memory.

This stateful approach to security is regarded in the industry as being far more secure than a stateless packet-screening approach.

Examples of the stateful approach to security include the following:

■ No packets can traverse the PIX Firewall without a connection and state.

■ Outbound connections or states are allowed, except those specifically denied by ACLs. An outbound connection is one where the originator, or client, is on an interface with higher security than that of the interface on which the receiver, or server, resides. The highest-security interface is always the inside interface (value 100), and the lowest is the outside interface (value 0). Any perimeter interfaces can have security levels between the inside and outside values (for example, 50).

■ Inbound connections or states are denied, except those specifically allowed. An inbound connection or state is one where the originator, or client, is on an interface with lower security than that of the interface/network on which the receiver, or server, resides. You can apply multiple exceptions to a single xlate (translation). This lets you permit access from an arbitrary machine, network, or any host on the Internet to the host defined by the xlate.

■ All Internet Control Message Protocol (ICMP) packets are denied unless specifically permitted. ICMP packets to the PIX Firewall itself are allowed unless explicitly denied by an ICMP access control entry.

■ All attempts to circumvent the previous rules are dropped and a message is sent to syslog.

When an outbound packet arrives at a PIX Firewall higher-security-level interface (security levels can be viewed with the show nameif command; by default, the outside interface has a security level set to 0, or untrusted, and the inside interface is set to 100, or trusted), the PIX Firewall checks whether the packet is valid based on the ASA, and whether previous packets have come from that host. If not, the packet is for a new connection, and the PIX Firewall creates a translation slot in its state table for the connection. The information that the PIX Firewall stores in the translation slot includes the inside IP address and a globally unique IP address assigned by NAT, PAT, or identity (which uses the inside address as the outside address). The PIX Firewall then changes the packet's source IP address to the globally unique address, modifies the checksum and other fields as required, and forwards the packet to the lower-security-level interface.

When an inbound packet arrives at an external interface such as the outside interface, it must first pass the PIX Firewall ASA criteria. If the packet passes the security tests, the PIX Firewall removes the destination NAT IP address, and the internal IP address is inserted in its place. The packet is forwarded to the protected interface.

NOTE The PIX Firewall supports NAT, which provides a globally unique address for each inside host, and PAT, which shares a single globally unique address for up to 64,000 simultaneously accessing inside hosts. The following is a list of current models that Cisco supports (not required knowledge for the examination):

For a full feature list of the PIX Firewall, visit product/iaabu/pix/pix_sw/v_63/config/overvw.htm#wp1008066.

Figure 6-4 displays a sample PIX Firewall, which is used in the current CCIE Security lab exam. PIX Firewall devices are based on the Intel Pentium processor, which is basically a PC with Ciscoinstalled PIX Firewall software.

Figure 6-4 Cisco PIX Firewall

Rear View

Power Switch

Standard 1.44 MB Floppy Drive

Rear View

fS oppnDon □ ooouoou Lt mum


Front View

Standard 1.44 MB Floppy Drive

Front View

Interfaces are located here. Examples: Inside/outside perimeter/DMZ

Was this article helpful?

0 0

Post a comment