Understanding the Cisco PIX firewall solution

If you work in an enterprise-level network environment, you know that reliable equipment is essential for handling your security needs. Lance Cockcroft explains why the Cisco PIX could be the solution you've been looking for.


In today's corporate enterprise networks, traffic is load balanced between many standalone PC or UNIX-based firewalls, which leads to a complex and error-prone configuration. The PIX firewall can successfully manage 500,000 concurrent connections and up to a gigabit per second of throughput, thus eliminating the need to load balance between multiple standalone PC or UNIX-based firewalls. While providing this extraordinary speed, the PIX offers enterprise-class security and features found in only a handful of the top firewall solutions.

From whence it came
Years ago, before the rise and fall of the dot coms and before the Internet was dubbed the “Information Super Highway,” network engineers and architects designed and built networks around the 80-20 rule. The 80-20 rule specifies that 80 percent of all network traffic is destined for a local address and 20 percent of the traffic is addressed to remote networks. In the age of centralized IS departments, server farms, outsourced data centers, and of course, the Internet, this model has completely reversed. In many of today's enterprise networks, the 80-20 rule has become the 20-80 rule. More and more of the enterprise traffic is destined for remote resources located on foreign networks.

This transformation in traffic patterns places more strain on devices at the edge of the network. Routers and switches have adapted and evolved around this change; however, firewalls are still primarily UNIX-based, or they are PC workstations running packet-filtering software. Even more common are packet filters or ACLs configured on the company’s egress router.

What is needed today, in the age of the hack, crack, snerf, smerf, spoof, and countless other cute names that spell disaster on our networks, is a real firewall that can guard the gates without choking the bandwidth to a mere trickle. Cisco's PIX 535 does just that.

Fault tolerance
Because of the PIX’s high performance, there’s less of a need for multiple standalone firewalls; however, it may be necessary to have multiple firewalls for the purpose of fault tolerance. A second PIX can be connected to the network and configured to take over in the event of a failure of the first. Both of the PIX firewalls are connected via a heartbeat cable. If the primary firewall fails, the second will automatically take over.

Industry-leading security
The PIX firewall provides the highest level of security by employing the adaptive security algorithm (ASA) and stateful inspection. Unlike packet filters and access control lists that must analyze every packet, a stateful engine or process can be used to discover or recognize TCP flows.

Stateful inspection
Think of a flow as a session between two machines. The PIX can recognize a request from a client and a reply from a server and then open the appropriate ports to allow for communication between the two. The PIX can also recognize when the client computer attempts to disconnect the session, and in this case, the PIX won’t allow additional packets to transfer from the server into the protected network. Simply put, stateful inspection means the firewall sees and understands a connection rather than just a number of packets.

Each time a connection is established through the firewall, information about that connection is logged in the stateful session table. Information that is logged includes: source and destination IP addresses, TCP port numbers, TCP flags, and TCP sequence numbers. This information creates a connection object that’s stored in the connection table. Packets entering the firewall are compared to the connection object in the connection table and are allowed or disallowed based on the existence of these connection objects.
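
The session-table behaviour described above, sketched as an added Python example (not Cisco code and not part of the original article). The class and function names, the simplified teardown on the first FIN or RST, and the sample addresses are assumptions made for illustration.

```python
from collections import namedtuple

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04
# inbound=True means the packet arrived on the outside interface.
Packet = namedtuple("Packet", "src sport dst dport flags seq ack inbound",
                    defaults=(0, 0, False))

class SessionTable:
    """Toy connection table: one connection object per inside/outside flow."""
    def __init__(self):
        self.conns = {}   # flow key -> {"state": str, "isn": int}

    @staticmethod
    def _key(p):
        # Both directions of a flow map to the same (inside, outside) key.
        if p.inbound:
            return (p.dst, p.dport, p.src, p.sport)
        return (p.src, p.sport, p.dst, p.dport)

    def check(self, p):
        key = self._key(p)
        conn = self.conns.get(key)
        if conn is None:
            # Only a bare SYN from the inside may create a connection object.
            if not p.inbound and p.flags == SYN:
                self.conns[key] = {"state": "SYN_SENT", "isn": p.seq}
                return "permit"
            return "drop"
        if p.flags & (FIN | RST):
            del self.conns[key]   # simplified: the first FIN or RST ends the flow
            return "permit"
        if conn["state"] == "SYN_SENT":
            # The reply must be a SYN/ACK that acknowledges the recorded ISN + 1.
            expected = (conn["isn"] + 1) & 0xFFFFFFFF
            if p.inbound and p.flags == (SYN | ACK) and p.ack == expected:
                conn["state"] = "ESTABLISHED"
                return "permit"
            return "drop"
        return "permit"

def demo():
    """Constructed session: returns the verdict for each packet in order."""
    c, s = ("10.0.0.20", 40000), ("198.51.100.7", 80)
    out = lambda f, **k: Packet(*c, *s, f, **k)
    inn = lambda f, **k: Packet(*s, *c, f, inbound=True, **k)
    table = SessionTable()
    pkts = [inn(SYN, seq=1), out(SYN, seq=1000), inn(SYN | ACK, ack=7),
            inn(SYN | ACK, ack=1001), out(ACK), inn(ACK), out(FIN | ACK), inn(ACK)]
    return [table.check(p) for p in pkts]
```

In the constructed session, the unsolicited inbound SYN, the SYN/ACK with the wrong acknowledgment number, and the server packet that arrives after the client's FIN are the three packets dropped.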

ASA
Once the connection object has been created, the ASA takes the source and destination address, as well as the port, sequence number, TCP flags, and the IP header information, and applies a hashing algorithm to create a “fingerprint” that identifies the client and its connection. In order for anyone to penetrate the firewall, he or she would have to know all of the variables contained in the hashing formula, as well as the hashing algorithm itself. For additional security, the PIX firewall also randomizes the TCP sequence numbers for all connections.

Secured connections
The Cisco PIX allows two types of connections through the firewall:
  • Cut-through proxy authentication
  • Conduits

Cut-through proxy authentication
The cut-through proxy feature allows the PIX to initially authenticate a user ID and password at the application layer using TACACS or RADIUS. However, once this authentication is complete, the PIX switches the connection and uses the stateful engine to monitor the session flow. This method offers considerable advantages over a proxy server that must monitor each packet against an authentication token at the application layer.

Conduits
Conduits are created according to corporate security policies set by the firewall administrator. Conduits are rules that identify the hosts that are allowed to connect to a particular host on the protected network. Conduits can be very granular in detail by specifying destination and source IP addresses, as well as target port numbers. Any packets not matching the conduit criteria are dropped, and information about the connection attempt is logged.

Sequence number randomization
To prevent the hijacking of TCP sessions and spoofing, the PIX firewall uses a randomizing algorithm to produce sequence numbers for TCP sessions. Spoofing an address and taking control of a session requires that the would-be hacker capture only one packet from an initiated session and then use the known additive algorithm to determine what the next sequence number will be. By using a randomizing algorithm, the Cisco PIX makes it impossible to guess the sequence number and subsequently hijack a session.
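
An added example (not from the original article, and not Cisco's algorithm, which the article does not describe) of one way a firewall can randomize sequence numbers: a per-connection random offset added on the way out and removed from ACKs on the way in. The additive host model, its 64,000 step, and all names and addresses are constructed for illustration.

```python
import secrets

MOD = 1 << 32   # TCP sequence numbers are 32-bit and wrap

class SeqRandomizer:
    """Adds a per-connection random offset to the inside host's sequence numbers."""

    def __init__(self):
        self.offsets = {}   # flow key -> random 32-bit offset

    def outbound(self, flow, seq):
        # The first packet of a flow (its SYN) fixes the offset; later ones reuse it.
        if flow not in self.offsets:
            self.offsets[flow] = secrets.randbelow(MOD)
        return (seq + self.offsets[flow]) % MOD

    def inbound_ack(self, flow, ack):
        # ACKs from outside refer to the rewritten numbers, so map them back.
        return (ack - self.offsets[flow]) % MOD

def additive_isns(start, step, count):
    """Constructed legacy host: each new connection's ISN is the previous one + step."""
    return [(start + i * step) % MOD for i in range(count)]

def deltas(seqs):
    """Differences between consecutive ISNs, as seen on one side of the firewall."""
    return [(b - a) % MOD for a, b in zip(seqs, seqs[1:])]

def demo(count=6):
    fw = SeqRandomizer()
    flows = [("10.0.0.20", 40000 + i) for i in range(count)]
    inside = additive_isns(start=4_294_900_000, step=64_000, count=count)
    outside = [fw.outbound(f, isn) for f, isn in zip(flows, inside)]
    # The server ACKs (ISN + 1) as seen outside; the firewall restores the host's value.
    restored = [fw.inbound_ack(f, (o + 1) % MOD) for f, o in zip(flows, outside)]
    return inside, outside, restored
```

On the inside, `deltas` returns the constant step for every pair of connections; on the outside the differences carry no such pattern, yet each ACK still maps back to the host's own numbering.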

Embedded operating system
Since the Cisco PIX uses an embedded operating system that is based on neither UNIX nor NT, it is not susceptible to the hundreds of security vulnerabilities discovered in those operating systems each year. This eases administration by allowing the security administrator to focus on security policies rather than on operating system patches.

DoS attacks
Cisco’s PIX includes the Fragment Guard and Flood Guard features to prevent denial of service attacks. As more and more connection attempts are made, the PIX will begin running out of resources. When this happens, the PIX will start dropping redundant connections and will reclaim memory and CPU resources so that it can service other connection attempts.

The Fragment Guard feature enables you to set parameters regarding TCP fragments. Using the sysopt command, you can set minimum, maximum, timeout, and many other TCP segment/fragment parameters.

Network address translation
The PIX firewall supports true network address translation (NAT). Normally used to connect private addresses to the Internet, NAT provides additional security by hiding the true IP address of hosts on the interior network. Administrators can specify what IP addresses each host gets, or they can configure the PIX to dynamically use addresses from a pool of IP addresses.

NAT works in both directions. Packets destined for a remote network have the source address removed and a public address used in its place. Packets destined for a public IP address can be rewritten to include the address of a host on the interior network.

A Web or mail server within the local network can use private addressing such as 10.0.0.5; however, hosts on the Internet will see the server as having a public address such as 205.10.50.5. This is called mapping an IP address. The PIX maps the IP address 205.10.50.5 to the address 10.0.0.5. Of course, you must have a conduit configured to allow traffic into the firewall to host 10.0.0.5.

The Cisco PIX also includes a unique feature called Dual NAT. Dual NAT allows an administrator to connect two networks that have overlapping address ranges. The PIX realizes which address came from which network and automatically performs mapping and translations to prevent each network segment from seeing duplicate addresses. This can be particularly helpful in situations where two separate networks must be connected because of a company buyout.

Multiple networks
The PIX supports the use of up to eight network cards. By allowing multiple networks, the PIX allows security policies to specify multiple specialized demilitarized zones (DMZs).
To learn more about DMZ, please read the Daily Drill Down “To DMZ or not to DMZ.”
Locating specialized applications, Web servers, and mail servers within their own DMZ creates a more scalable and secure network. If the mail server and the Web servers are located on different DMZs, hackers won’t be able to hack the mail server using a vulnerable Web server.

Reporting and logging
The PIX supports various forms of logging to a standard syslog server. Additionally, the firewall can be configured to send an e-mail or a page when a critical error occurs or a security violation is attempted. Messages are also sent from the firewall whenever there has been a fail-over to a secondary firewall.

SNMP
The PIX supports the MIB II System, Interfaces, and SNMP groups; however, the PIX does not allow settings to be changed via SNMP set commands.

Virtual private networking
By performing as a high-speed VPN server, the Cisco PIX firewall allows customers to leverage their investment. All Cisco PIX firewalls offer built-in IP Security (IPSec) encryption, which allows secure communications between the firewall and remote offices or mobile users. The PIX VPN is fully interoperable with the Cisco IOS VPN. The PIX also has an add-on VPN Accelerator Card (VAC) that can be used to scale up to 2,000 IPSec tunnels to remote offices or users.

VPN Accelerator Card
The VAC connects to the PIX via a PCI interface. The VAC can utilize the standard 56-bit Data Encryption Standard (DES) or the 168-bit 3DES and maintain throughput of 100 MB per second. In addition to maintaining up to 2,000 concurrent connections, the VAC can offload tasks from the processor such as hashing, key exchange, and storage of security associations. The VAC performs the mathematical computations needed to create and maintain the IPSec tunnels, which prevents the VPN from overburdening the PIX processor.

The PIX firewall automatically detects the presence of the VAC. You won’t need to buy any extra software or configure any additional hardware. Once installed, the PIX will offload all VPN and authentication processes, including key generation, device authentication, packet authentication, and encrypting/decrypting packets.

Multimedia support
Due to the total required throughput and the demand for multiple open ports, today's multimedia applications represent a considerable security threat. Multimedia applications establish connections with client computers on one port and then attempt to send streams of data to the client by opening additional ports. The increased data rate and the need for multiple open ports pose a viable security threat on corporate networks, and in many situations, network managers can’t refuse to allow the use of these applications.

The PIX firewall natively supports a wide variety of today's most popular multimedia applications. The PIX can support multimedia applications by knowing how they operate and by knowing which ports are used for each application. The PIX can be configured to dynamically open ports for specified applications only when a client initiates a request for a multimedia application and then to close the port when not in use by the application.

Many applications such as CU-SeeMe write the host IP address not only in the IP header but also in the data portion of the TCP/IP packet. This can cause problems on networks where the internal address is hidden from the outside network through the use of NAT and is a potential security violation since an internal host’s IP address can be discovered. The PIX firewall provides support for CU-SeeMe by rewriting the IP address within the data portion of the packet and in the header when NAT is in use.

The Cisco PIX natively supports the following multimedia applications:

Conclusion
Cisco has set a new standard in the enterprise firewall market by introducing the first firewall that’s enterprise-ready, while still providing a rich feature set. The PIX combines high security with high bandwidth in a single, easy-to-manage box. Enterprise networks that have had to cluster tens or even hundreds of standalone firewalls now have a better security option.