Cisco Private Internet Exchange PIX

Cisco Private Internet Exchange (PIX) and Cisco IOS feature sets are designed to further enhance a network's security. The Private Internet Exchange (PIX) Firewall prevents unauthorized connections between two or more networks. The latest versions of Cisco code for the PIX Firewall also perform many advanced security features, such as AAA services, access lists, VPN Configuration (IPSec), FTP logging, and Cisco IOS-like interface commands. In addition, the PIX Firewall can support multiple outside or perimeter networks in the DMZs.

NOTE When reading Cisco documentation about PIX Firewalls, realize that inside networks and outside networks both refer to networks to which the PIX is connected.

For example, inside networks are protected by the PIX, but outside networks are considered the "bad guys." Consider them as trusted and untrusted, respectively.

A PIX Firewall permits a connection-based security policy. For example, you might allow Telnet sessions from inside your network to be initiated from within your network but not allow them to be initiated into your network from outside your network.

The PIX Firewall's popularity stems from the fact that it is solely dedicated to security. A router is still required to connect to WANs, such as the Internet. Some companies use PIX Firewalls for internal use only where they might have sensitive networks, such as a payroll or human resources department.

Figure 7-3 shows a typical network scenario where a PIX Firewall is implemented between an inside network and an outside network.

Figure 7-3 PIX Location

Figure 7-3 shows a typical network scenario where a PIX Firewall is implemented between an inside network and an outside network.

\ / BASTION Hosts

Although optional, it is recommended that you install the Cisco IOS Firewall software on the router directly connected to the Internet. The Cisco IOS Firewall feature is discussed later in this chapter.

Each connection through a PIX Firewall requires memory. You can support up to 32,768 connections with 16 MB of RAM installed on a PIX; 32 MB of memory can support up to 65,536 connections and support up to 260,000 connections with 128 MB.

NOTE Demilitarized zones (DMZs) usually exist as part of a network that the Internet community or general public can access, such as a Web, FTP, or SMTP servers. For example, FTP servers allow external users access to public files, such as Cisco IOS Software, which are available online at ftp.cisco.com. Your remaining servers are protected by the firewall.

The PIX Firewall logic is engineered around the Adaptive Security Algorithm (ASA). Every inbound packet is checked against the ASA and against connection state information in memory. This stateful approach to security is regarded in the industry as being far more secure than a stateless packet-screening approach.

Examples of the stateful approach to security include the following:

• No packets can traverse the PIX Firewall without a connection and state.

• Outbound connections or states are allowed, except those specifically denied by access control lists. An outbound connection is one where the originator, or client, is on a higher security interface than the receiver, or server. The highest security interface is always the inside interface (value 100), and the lowest is the outside interface (value 0). Any perimeter interfaces can have security levels between the inside and outside values (for example, 50).

• Inbound connections or states are denied, except those specifically allowed. An inbound connection or state is one where the originator, or client, is on a lower security interface/ network than the receiver, or server. You can apply multiple exceptions to a single xlate (translation). This lets you permit access from an arbitrary machine, network, or any host on the Internet to the host defined by the xlate.

• All Internet Control Message Protocol (ICMP) packets are denied unless specifically permitted.

• All attempts to circumvent the previous rules are dropped and a message is sent to syslog.

When an outbound packet arrives at a PIX Firewall higher-security-level interface (security levels can be viewed with the show nameif command; by default, the outside interface has a security level set to 100, or untrusted, and the inside interface is set to 0, or trusted), the PIX Firewall checks to see if the packet is valid based on the ASA, and whether or not previous packets have come from that host. If not, the packet is for a new connection, and the PIX Firewall creates a translation slot in its state table for the connection. The information that the PIX Firewall stores in the translation slot includes the inside IP address and a globally unique IP address assigned by NAT, PAT, or Identity (which uses the inside address as the outside address). The PIX Firewall then changes the packet's source IP address to the globally unique address, modifies the checksum and other fields as required, and forwards the packet to the lower-security-level interface.

When an inbound packet arrives at an external interface such as the outside interface, it must first pass the PIX Firewall Adaptive Security criteria. If the packet passes the security tests, the PIX Firewall removes the destination IP address, and the internal IP address is inserted in its place. The packet is forwarded to the protected interface.

NOTE The PIX Firewall supports NAT, which provides a globally unique address for each inside host, and PAT, which shares a single globally unique address for up to 64 K, simultaneously accessing inside hosts. The following is a list of current models that Cisco supports:

PIX

501

PIX

506/506E

PIX

515/515E

PIX

520

PIX

525

PIX

535

For a full feature list of the PIX, visit the following:

www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/intro.htm#xtocid0

Figure 7-4 displays the PIX 520, which is used in the current CCIE Security lab exam. PIX Firewall devices are based on the Intel Pentium process, which is basically a PC with Ciscoinstalled PIX software.

Figure 7-4 Cisco PIX520

Figure 7-4 displays the PIX 520, which is used in the current CCIE Security lab exam. PIX Firewall devices are based on the Intel Pentium process, which is basically a PC with Ciscoinstalled PIX software.

Switch

Standard 1.44 MB Floppy Drive

Standard 1.44 MB Floppy Drive

Examples: Inside/outside perimeter/DMZ
0 0

Post a comment