Cisco PIX Firewall Features
Cisco PIX firewalls combine a range of powerful features that make the PIX series one of the best choices in the appliance firewall market. An embedded operating system, the Adaptive Security Algorithm, cut-through proxy, VPN support, URL filtering control, and hot standby failover are among the features covered in this chapter.
Embedded Operating System
The PIX firewall appliance is a dedicated system with one main function: being a firewall. Unlike firewalls that run on general-purpose operating systems such as Linux, Unix, or Microsoft Windows, the PIX series runs on a proprietary embedded operating system with a simplified kernel. This provides both enhanced speed and protection against the known vulnerabilities of general-purpose operating systems.
Adaptive Security Algorithm
The Adaptive Security Algorithm (ASA) is the heart of the PIX firewall. It controls all traffic flow through the PIX firewall, performs stateful inspection of packets, and creates remembered entries in the connection and translation tables. These entries are referenced every time traffic tries to flow back through the firewall from a lower security level to a higher security level; if a matching entry is found, the traffic is allowed through. Finally, the ASA provides an extra level of security by randomizing the TCP sequence numbers of outgoing packets, making them more difficult for an attacker to predict.
Cut-Through Proxy
Cut-through proxy is the capability of the PIX firewall to control which users have access through the system. It does this by requiring username and password authentication for users who want to use HTTP, Telnet, or FTP across the firewall. The authentication occurs only once per user, making the process extremely fast and efficient, especially when compared to the same type of technology on application proxies, which authenticate every packet. If you need to support other protocols outside the HTTP, Telnet, and FTP realm, you can use a technology named Virtual Telnet. This is covered in a later chapter.
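The two preceding paragraphs describe how the ASA decides, per packet, whether traffic may cross between security levels, and how the cut-through proxy authenticates a user once rather than on every packet. The following Python model is an added illustration written for this page; it is not Cisco code and not from the original text. The interface names and security levels, the authenticated ports (80, 23, 21), the user database, the sample addresses, and the `creds` packet field used to hand credentials to the proxy are all constructed assumptions, and the NAT translation (xlate) table is left out to keep the model short.

```python
"""Toy model of the PIX Adaptive Security Algorithm with a cut-through proxy.

Added illustration for this page, not Cisco's code. Interface names, security
levels, the user database and the sample packets are constructed; the NAT
translation table mentioned in the text is omitted for brevity.
"""
import random
from dataclasses import dataclass, field
from typing import Optional

# Security level per interface (constructed; the PIX convention is inside=100, outside=0).
SECURITY_LEVELS = {"inside": 100, "outside": 0}

# Destination ports the cut-through proxy authenticates: HTTP, Telnet, FTP.
CUT_THROUGH_PORTS = {80, 23, 21}


@dataclass(frozen=True)
class Packet:
    iface: str                     # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False              # first packet of a new TCP connection?
    creds: Optional[tuple] = None  # hypothetical: (user, password) offered to the proxy


@dataclass
class PixFirewall:
    users: dict                                  # user -> password (constructed database)
    conns: dict = field(default_factory=dict)    # connection 4-tuple -> random ISN offset
    uauth: set = field(default_factory=set)      # source IPs the proxy already authenticated
    log: list = field(default_factory=list)

    def _decide(self, p: Packet, out_iface: str) -> tuple:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if SECURITY_LEVELS[p.iface] > SECURITY_LEVELS[out_iface]:
            # Higher to lower security (e.g. inside -> outside).
            if p.dport in CUT_THROUGH_PORTS and p.src not in self.uauth:
                # Cut-through proxy: challenge once, then remember the user.
                if p.creds is None or self.users.get(p.creds[0]) != p.creds[1]:
                    return False, "auth-required"
                self.uauth.add(p.src)
            if p.syn:
                # New outbound connection: record state and choose a non-zero random
                # offset so sequence numbers seen outside differ from the host's own.
                self.conns[key] = random.randrange(1, 2**32)
                return True, "new-connection"
            return (key in self.conns), ("established" if key in self.conns else "no-state")
        # Lower to higher security: only return traffic of a remembered connection passes.
        if reverse in self.conns:
            return True, "return-traffic"
        return False, "no-state"

    def process(self, p: Packet, out_iface: str) -> bool:
        """Apply the ASA decision to one packet and record it; True means permitted."""
        allowed, reason = self._decide(p, out_iface)
        verdict = "PERMIT" if allowed else "DENY"
        self.log.append(f"{verdict} {p.iface}->{out_iface} "
                        f"{p.src}:{p.sport} -> {p.dst}:{p.dport} ({reason})")
        return allowed

    def randomize_seq(self, p: Packet, seq: int) -> int:
        """Rewrite an outbound sequence number with the connection's random offset."""
        key = (p.src, p.sport, p.dst, p.dport)
        return (seq + self.conns[key]) % 2**32


def demo() -> list:
    """Run a constructed exchange through the model and return the log lines."""
    pix = PixFirewall(users={"jack": "s3cret"})
    inside, outside = "10.1.1.5", "203.0.113.10"
    # 1. Outbound HTTP SYN without credentials: the cut-through proxy challenges it.
    pix.process(Packet("inside", inside, 40000, outside, 80, syn=True), "outside")
    # 2. Same connection with valid credentials: authenticated once, state created.
    pix.process(Packet("inside", inside, 40000, outside, 80, syn=True,
                       creds=("jack", "s3cret")), "outside")
    # 3. Reply from outside matches the remembered entry: permitted.
    pix.process(Packet("outside", outside, 80, inside, 40000), "inside")
    # 4. Unsolicited inbound SYN to the inside host: no state, denied.
    pix.process(Packet("outside", "198.51.100.7", 5555, inside, 23, syn=True), "inside")
    # 5. A second (Telnet) session from the same user: no re-authentication needed.
    pix.process(Packet("inside", inside, 40001, outside, 23, syn=True), "outside")
    return pix.log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running `demo()` shows the sequence the text describes: the first HTTP packet is held until the user authenticates, the matching reply from the lower-security side is permitted because a connection entry exists, an unsolicited inbound SYN is dropped for lack of state, and the user's next session passes without a second challenge. `randomize_seq` stands in for the ASA's sequence-number randomization: the offset is chosen per connection, never zero, so the outside never sees the inside host's original values.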
Virtual Private Networks
Virtual private network (VPN) support is one of the core features of the PIX firewall, enabling flexibility in a variety of environments. The PIX supports both site-to-site and remote-access VPNs. This dual support makes it possible to connect two branch offices using only a PIX firewall on each side (site-to-site), or to connect remote users to the office over a VPN across the Internet (remote access). IPSec, PPTP, and L2TP are the main VPN technologies supported.
URL Filtering
In many situations, a list of permitted and prohibited Web site addresses is an appropriate and effective way to filter network traffic. In response to this, Cisco PIX firewalls integrate an advanced URL filtering feature that enables the PIX firewall to work with content filtering services. These services capture World Wide Web requests so that policies can be enforced or user traffic monitored. For example, if Jack requests http://www.JackGPS.com, the PIX forwards this request to a content server that consults a database of permitted and prohibited Web sites. If the content server gives the PIX the okay, Jack is allowed to access the Web site. The PIX firewall supports only two content servers: WebSense and N2H2. These products enable administrators to create acceptable and unacceptable Web site lists for their users' Internet access.
Hot Standby Failover
Today's applications are often mission critical and require a resilient network infrastructure to support them. In response to this, Cisco PIX firewalls support hot standby failover. Failover is the capability to link two PIX firewalls together in an active and standby configuration. If the active firewall fails, the standby firewall assumes the IP and MAC addresses of the failed, formerly active firewall. Hot standby means that this failover occurs without the power reset that other systems can require. This failover capability helps provide a fault-tolerant firewall system with reduced human intervention.