Basics of the PIX Firewall
Terms you'll need to understand:
Stateful packet filters
Embedded operating system
Failover, hot standby
Techniques you'll need to master:
Adaptive Security Algorithm (ASA)
Hardware differences between models
There are several areas of a network in a secure environment; the most common are the inside, the outside, and the DMZ. Firewalls help divide these areas and control the traffic that passes between them. Cisco has designed the PIX series of firewalls to be the primary devices for performing these functions. This chapter covers the basics of the PIX firewall and the areas that connect to it: the trusted, the untrusted, and the DMZ.
Trusted, Untrusted, and DMZ Defined
A PIX firewall always has at least two areas, trusted and untrusted, which classify the networks attached to its interfaces. Firewalls with more than two interfaces can also contain areas called DMZs. These areas are created to host servers that must be reachable from an untrusted area without exposing the trusted locations. This section covers each in more detail.
The term trusted refers to users and computers in an area considered more secure or protected. This area is typically the private section of the network that must be protected against malicious hackers and other security threats. Security in the trusted area is established by having the firewall block, by default, all traffic initiated from less trusted interfaces; only connections that originate inside, or that an administrator explicitly permits, reach it.
The term untrusted describes areas of the network that might contain malicious hackers or other security threats. The clearest example of an untrusted area is the Internet side of your firewall, but segments of your own internal network that are exposed to access by unknown parties also qualify. Such an area could be a segment exposed to outside use, for example kiosk computers on a storeroom floor.
The demilitarized zone (DMZ) sits between the trusted and untrusted areas and usually hosts computers that need to be available to users from both. For example, a Web server in the DMZ can be accessed by people on the Internet, which is untrusted, as well as by users in the private trusted network. From the perspective of the inside, private, trusted portion of your network, the DMZ is itself considered untrusted, so traffic initiated from computers in the DMZ toward the inside is blocked by default. If a DMZ host is compromised, this is what keeps the attacker from simply pivoting into the trusted network.
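The three-zone model described above maps directly onto PIX interface security levels: each interface is named and given a level from 0 to 100, traffic may flow from a higher level to a lower one once address translation is defined, and traffic from a lower level to a higher one is dropped unless a static translation and an access list permit it. The following PIX 6.x configuration is an added example, not text from this chapter; the interface names, the 192.0.2.0/24 public range and the 10.x.x.x private addresses are constructed for illustration.

```cisco
! Name the interfaces and rank them. 100 is the most trusted, 0 the least.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0

! Inside (100) -> outside (0) and inside (100) -> dmz (50) are higher-to-lower,
! so they are allowed as soon as a translation exists for the inside hosts.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 192.0.2.20-192.0.2.30
global (dmz) 1 10.2.2.20-10.2.2.30

! The DMZ Web server (constructed address 10.2.2.10) must be reachable from the
! untrusted outside (0 -> 50, lower-to-higher), so it needs both a static
! translation and an explicit permit. Nothing else from outside is allowed in.
static (dmz,outside) 192.0.2.10 10.2.2.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-group outside_in in interface outside

! No static or access-list is defined from dmz (50) toward inside (100), so any
! connection a DMZ host tries to open into the trusted network is dropped.
! Replies to connections the inside initiated are still allowed by the ASA's
! stateful tracking.
```

Note the asymmetry this produces: the trusted network can reach the Web server by its private address over the dmz interface, the Internet reaches it only through the translated address and only on TCP port 80, and a compromised Web server gains no path into the inside network beyond answering sessions that the inside opened.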