Networking

Getting to know Cisco PIX: The rich man?s firewall

If you are in need of large-scale, enterprise-level security, then you might be looking at a Cisco PIX firewall device. Todd Lammle introduces you to these powerful firewall units and shows you some basic configurations.


If you want the basic firewall for your network, you can buy a Microsoft server running Proxy Server and get firewall services. It’s cheap and easy. Of course, “You get what you pay for” comes into mind.

If you want unparalleled network throughput to thousands of users while sustaining network integrity, however, that is going to cost you. That type of service is not cheap, but Cisco has made it very fast and very easy. The Cisco PIX line is for people who like their firewalls big and powerful and for people who have cash.

This Daily Feature will describe the Cisco PIX line of firewall products, as well as the history and future of the “rich man’s firewall.”

Cisco Secure PIX
Just about five years ago, Cisco had only a couple of PIX offerings, and they listed for over $20,000. They were basically rack-mountable PCs that had two 100-Mbps Ethernet cards.

Fast and easy but not cheap, these machines provided medium-size to large corporations with Internet security out of the box.

Cisco recently changed the name PIX to Cisco Secure PIX Firewall series and made it even easier to install and configure. The PIX is an integrated hardware/software device that allows you to rigorously protect your internal network from the outside world of hackers and would-be hackers.

Typical proxy devices perform intensive processing on each and every packet at the application layer of the OSI model, which can cause a bottleneck on a corporate network. Cisco’s Secure PIX uses a real-time embedded system that, unlike other firewall solutions, does not have application-layer software that can be compromised and can slow things down. Also, the highest performing PIX box can have up to 500,000 simultaneous connections with 1-Gbps throughput! Now that is worth some money. (It would work great for my home network.)

Cisco also created a way to improve performance by creating access-list type security at the PIX box itself, which allows administrators to permit or deny any TCP- or UDP-based applications at the network’s point of connection to the Internet. You do not need a separate authentication device for users and applications when using the Cisco Secure PIX.

Easy configuration
Installing, maintaining, and keeping connections with Microsoft products is supposedly so easy that anyone who can use a mouse can configure a Microsoft Proxy and IIS Server for Internet and intranet security. If this is the case, then why do small and large companies have so many NT administrators? Shouldn’t one suffice? Well, yes, if NT did half of what Microsoft’s marketing department said it did, we’d probably have world peace.

If world peace hinged on Cisco’s Secure PIX installation, we’d have to find a new job for Colin Powell. Cisco has created a centralized configuration and management GUI interface that allows easy configuration through a Web browser called PIX Firewall Manager. Plus, it works with all PIX firewalls sold by Cisco. Besides configuration help, this manager allows administrators to gather statistics and real-time alerts of attempted break-ins. There is also a more robust version called the Cisco Secure Policy Manager that can manage up to 500 PIX firewalls with VPN installations.

You can also easily configure a second PIX box running in parallel in case of failure. The only hard part in this configuration is the cost.

PIX products
The biggest, strongest Cisco Secure PIX box is the 535, which provides the 500,000 concurrent users and 1-Gpbs throughput I mentioned earlier. VPNs are handled by adding a VPN Accelerator Card in the PIX box (again, just a rack-mounted PC) for two or more locations. This card can provide 100-Mbps throughput and 2000 IPSEC tunnels. It retails for only $60,000. Okay, that is a lot, but you can get it for slightly less if you need fewer simultaneous connections.

When buying a PIX box, you must keep memory requirements in mind. The Cisco 535 comes with only 512 MB of RAM but can support up to six Gigabit or FastEthernet interfaces. However, the failover software is extra. (I could not find the price on this product.) The $60,000 version comes with 1 GB of RAM and supports up to eight Gigabit or FastEthernet interfaces and includes the failover software free. I guess if you are spending $120,000 for two boxes, they have to throw something in for free.

The next box in the series is the 525, which is also designed for large companies and ISPs. It can handle 280,000 simultaneous sessions at 370-Mbps throughput. Although it doesn’t sound as tough as the 535, it has a 600-MHz CPU and works just fine in large companies. The cost of 280,000 simultaneous sessions is $22,000, but you can buy a somewhat restricted version for only $16,000.

The 520 has basically the same maximum connections and throughput as the 525 but was created for large enterprise organizations with complex and very high-end traffic environments. You can buy the 520 with 128 simultaneous connections for a retail price of $9,000; 1,024 connections for $13,000; and up to 230,000 for only $19,000. Although I use the word “only,” these prices are cost-prohibitive for small and home-based companies.

The 515 is a PIX box for the rest of us. It handles up to 125,000 simultaneous connections (which is still a lot) with a throughput of 170 Mbps and free failover software and support for six FastEthernet interfaces. This is much different from the 535, but the top price is $12,000, and the lowest price is only $5,000, which allows 50,000 concurrent connections with three FastEthernet interfaces. Remember that this is retail price, and no one pays that much. However, for a home-based office, that is still way too much.

Cisco Secure PIX 506 was created for high-end Small Office/Home Office (SOHO) organizations and has throughput measured at a whopping 10 Mbps. But it only costs $1,950! Besides, for a home-based office, who has a connection to the Internet of more then 1.5 Mbps, if that?

Note
All Cisco PIX devices have IPSEC encryption built into the IOS, which allows VPN deployments to one or multiple remote locations.

Designing a PIX firewall network
The simplest design would be two connections, one to the Internet and one to the inside network, and would look like Figure A.

Figure A
The most basic PIX design would include only two connections, one to the outside network and one to the inside network.


This configuration uses Network Address Translation (NAT) or Port Address Translation (PAT) to assign addresses to outgoing Internet traffic from the inside network. NAT provides a globally unique address for each inside host, and PAT, which shares a single globally unique address for simultaneously accessing inside hosts, provides a globally unique address for the external network to see. What this means is that you can assign the reserved IP addresses of 10.0.0.0, 172.16-31.0.0, and 192.168.0.0 to the inside network and have the PIX box translate the inside address to a real Internet address. By default, no connections can be made from the Internet to the inside network. You can configure outside hosts to access inside hosts; they just can’t do it by default.

The configuration is simple and straightforward, and it only allows outbound connections.

Configuring the PIX Firewall device is more like configuring a series 5000 switch. Instead of entering one command at a time, you enter the entire line, like so:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 10baset


The first command, nameif, tells the PIX which interface is the outside network and which is the inside network. The security command is set as 0 for the outside network or 100 for the inside network. Although you can use any number between 1 and 99, by default, PIX Firewall sets the security level for the inside interface to security100 and the outside interface to security0.

The next command, 10baset, tells the PIX that the connection speed is 10 Mbps. You can set this to 100 Mbps, 1000 Mbps, or auto, depending on your device.

Assign the IP addresses to each interface:
ip address outside 65.14.33.33 255.255.255.224
ip address inside 172.16.10.1 255.255.255.0


In Figure A, the inside network is 172.16.10.0/24, which means our valid hosts are 1-254. The valid hosts assigned by the ISP for the outside network in this example are 65.14.33.32/27. We need to reserve four hosts for the two Web devices, router, and PIX interface.

Associate a network with a pool of global IP addresses, like so:
nat (inside) 1 0 0

This command permits all inside users to start outbound connections using the translated IP addresses from the global pool.

Create the global pool that devices will use to connect to the outside world (reserve four addresses for DMZ purposes):
global (outside) 1 65.14.33.37-65.14.33.62

This creates a pool of global addresses that translated addresses use when they exit the firewall from the protected networks to the unprotected networks. This command says that when devices from the inside network want to create a session to the outside world, then the PIX will provide an address from the address pool.

The host’s default gateway addresses should now be set to 172.16.10.1, and they should now be able to access the outside network.

Another example of setting up PIX on your network would be one in which you have a separate interface to the DMZ zone. This is possible with the higher-end PIX models. The nice part of this configuration is that you do not need to have real Internet addresses from the ISP. You can use reserved addresses and then create secured connections to the outside world, which creates a completely secure connection.

One more point that I want to make is that you can easily add a VPN card in any of the higher-end models to provide VPN connections between your sites. This allows you to purchase an Internet connection for each branch and then run VPN secure connections from the remote locations to the branch offices.

Conclusion
The Cisco Secure PIX offering can be useful in all sizes and shapes of networks. You just have to determine your network business requirements, and more than likely, the Cisco PIX can meet them.

If you also determine that you do not need a DMZ, then running a PAT, which uses only one real IP address and keeps track of sessions between hosts and the Internet with Transport layer TCP port numbers, would be useful. Also, if you have more then one interface on your PIX box, then you can run a combination of both PAT and NAT.

I think the biggest benefit and the future of the Cisco PIX is that VPN and IPSEC are so easily configured and implemented. I think we’ll find that the prices will keep dropping, and more products will be offered that support this type of security.

Editor's Picks