Cisco PIX Firewall Software Features

A list of the current features of the Cisco PIX Firewall product follows:

• State-of-the-art Adaptive Security Algorithm (ASA) and stateful inspection firewalling.

• Cut-through proxy authenticates and authorizes connections, while enhancing performance.

• Easy-to-use web-based interface for managing PIX Firewalls remotely; Cisco does not recommend the web-based interface as the primary management method for medium to large networks.

• Support for up to 10 Ethernet interfaces ranging from 10-BaseT, 10/100 Fast Ethernet to Gigabit Ethernet.

• Stateful firewall failover capability with synchronized connection information and product configurations.

• True Network Address Translation (NAT), as specified in RFC 1631.

• Port Address Translation (PAT) further stretches a company's address pool: one registered IP address can be shared by up to roughly 64,000 inside hosts, because translations are distinguished by source port and the limit is the usable port space.

• Support for IPsec and L2TP/PPTP-based VPNs.

• Support for high-performance URL filtering via integration with Websense-based URL filtering solutions.

• Mail Guard restricts inbound SMTP to a minimal command set, which removes the need for an external mail relay (bastion) server in the perimeter network.

• Support for broad range of authentication methods via TACACS+, RADIUS, and Cisco Access Control Server (ACS) integration.

• Domain Name System (DNS) Guard transparently protects outbound name and address lookups.

• Flood Guard and Fragmentation Guard protect against denial-of-service attacks.

• Support for advanced Voice over IP (VoIP) standards.

• Java blocking eliminates potentially dangerous Java applets (applets delivered inside compressed or archived files are not inspected).

• Extended authentication, authorization, and accounting (AAA) capabilities.

• Net Aliasing transparently merges overlapping networks with the same IP address space.

• Capability to customize protocol port numbers.

• Integration with Cisco Intrusion Detection Systems for shunning connections of known malicious IP addresses.

• Enhanced customization of syslog messages.

• Simple Network Management Protocol (SNMP) and syslog for remote management.

• Syslog over UDP or, for reliable delivery, TCP.

• Extended transparent application support (both with and without NAT enabled) includes the following:

— Sun remote procedure call (RPC)

— Microsoft Networking client and server communication (NetBIOS over IP) using NAT

— Multimedia, including RealNetworks' RealAudio, Xing Technologies' StreamWorks, White Pine's CU-SeeMe, VocalTec's Internet Phone, VDOnet's VDOLive, Microsoft's NetShow, VXtreme Web Theatre 2, and Intel's Internet Video Phone and Microsoft's NetMeeting (both based on the H.323 standards)

— Oracle SQL*Net client and server communication

Cisco also publishes security advisories for weaknesses found in PIX software. One example concerns the Mail Guard feature, which is designed to limit the SMTP commands passed to a mail server but has been shown to be bypassable by an attacker. You can find the Cisco publication at www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-pub.shtml.
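The following model shows what a Mail Guard-style SMTP command filter has to get right. It is an added illustration, not Cisco PIX code: the permitted command set (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) is the minimal set from RFC 821 section 4.5.1 that the PIX documentation names, but the 500 reply and the state machine are a simplification, and the SMTP exchange is constructed rather than captured. The page does not describe the details of Cisco's advisory; the example instead demonstrates a general failure mode of this class of filter: if the firewall stops inspecting after the client's DATA without waiting for the server to accept it with 354, a DATA the server refuses leaves every later command uninspected.

```python
"""Model of a Mail Guard-style SMTP command filter.

Added illustration, not Cisco PIX code. The permitted command set is the
one the PIX documentation names; the 500 reply and the state machine are
a simplification of how such a filter behaves.
"""

ALLOWED_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


class MailGuardModel:
    """Inspects client->server SMTP lines and refuses any verb outside the minimal set.

    confirm_with_server=False: body mode starts as soon as the client sends DATA
    (client-side state only), which is the weak design.
    confirm_with_server=True: body mode starts only after the server answers 354,
    so a DATA the server refuses (503) does not switch inspection off.
    """

    def __init__(self, confirm_with_server: bool) -> None:
        self.confirm_with_server = confirm_with_server
        self.in_data = False        # inside the message body, lines pass uninspected
        self.data_pending = False   # DATA sent, waiting for the server's 354
        self.rejected = []          # verbs the filter refused

    def client_line(self, line: str):
        """Return (line_to_forward_or_None, reply_to_client_or_None)."""
        if self.in_data:
            if line.rstrip("\r\n") == ".":       # end-of-data marker
                self.in_data = False
            return line, None
        parts = line.split(maxsplit=1)
        verb = parts[0].upper() if parts else ""
        if verb not in ALLOWED_COMMANDS:
            self.rejected.append(verb)
            return None, "500 command unrecognized\r\n"
        if verb == "DATA":
            if self.confirm_with_server:
                self.data_pending = True
            else:
                self.in_data = True
        return line, None

    def server_line(self, line: str) -> str:
        """Observe a server->client reply; only the answer to DATA changes state."""
        if self.data_pending:
            self.data_pending = False
            self.in_data = line.startswith("354")
        return line


# Constructed exchange (not a capture): the client sends DATA out of sequence, a
# compliant server refuses it with 503, then the client tries a verb Mail Guard
# should block.
EXCHANGE = [
    ("C", "HELO client.example\r\n"),
    ("S", "250 mail.example\r\n"),
    ("C", "DATA\r\n"),
    ("S", "503 Bad sequence of commands\r\n"),
    ("C", "VRFY root\r\n"),
]


def run_session(confirm_with_server: bool):
    """Replay EXCHANGE through the filter; return (forwarded client verbs, rejected verbs)."""
    guard = MailGuardModel(confirm_with_server)
    forwarded = []
    for side, line in EXCHANGE:
        if side == "C":
            fwd, _reply = guard.client_line(line)
            if fwd is not None:
                forwarded.append(fwd.split(maxsplit=1)[0].upper())
        else:
            guard.server_line(line)
    return forwarded, guard.rejected


if __name__ == "__main__":
    print("client-state only :", run_session(confirm_with_server=False))
    print("server-confirmed  :", run_session(confirm_with_server=True))
```

With client-only state the VRFY reaches the mail server because the filter believes a message body is in progress and the attacker never sends the terminating "."; with the server-confirmed variant the 503 keeps the filter in command mode and VRFY is refused. When troubleshooting a PIX in front of a mail server, remember the inverse effect as well: any legitimate client that relies on commands outside the minimal set (EHLO and the ESMTP extensions, for instance) will be refused while Mail Guard is on.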

NOTE When troubleshooting why certain applications, such as SMTP mail or L2TP (UDP 1701) tunnels, are not working, a good starting point is always to look at which TCP or UDP ports the PIX is blocking. By default the PIX permits connections only from a higher-security interface to a lower-security one; any connection initiated from a lower-security interface (for example, inbound SMTP from the Internet to a perimeter mail server) must be explicitly allowed with a static translation and a matching conduit (or access-list) command.

Cisco Secure PIX Firewalls, published by Cisco Press (ISBN 1-58705-035-8 by David W. Chapman Jr., Andy Fox), is an excellent resource if you want to learn more about the PIX Firewall.
