When shopping for an advanced firewall appliance that can handle high levels of enterprise traffic, the first option that many organizations consider is a Cisco PIX Firewall. If your organization opts for an advanced firewall solution such as the PIX, you’ll face two important challenges.
First, the PIX abounds with features, but all those options can make it challenging to configure. In order to best configure the PIX and maximize the advanced features, you need to learn the PIX OS. I’m going to provide some tips to get you started.
Second, the PIX can function as more than a simple Internet gateway. It can also be used to create a DMZ for hosting Internet services internally, and it can effectively segment certain parts of an internal network. I’m going to illustrate these topology options with a few simple diagrams.
Working with the PIX interface
As you’ve probably heard, Cisco devices aren’t known for their user-friendly GUI. Because of this, you might be wary of learning another operating system and shy away from the PIX firewall. But if you are already using Cisco routers and are familiar with the Cisco IOS, you’ll probably catch on quickly; the PIX OS is basically the same, with fewer options and a few new or renamed commands.
On the other hand, if you know nothing about the Cisco IOS, I’d recommend taking a Cisco course or two, or at least doing some self-study. To learn about PIX firewalls, the two best classes are Managing Cisco Network Security and Cisco Secure PIX Firewall Advanced. (If you like the look and feel of a graphical interface, the Cisco PIX Device Manager is an option, but it’s still good to understand the command-line interface configuration mode.)
The same, but different
So, what are the differences between the Cisco router IOS and the Cisco PIX OS?
- PIX OS has fewer commands and less functionality.
- PIX OS is less friendly when it comes to providing help; for example, you can’t use the up arrow key to redo the last command.
- PIX OS doesn’t have as many complex levels of configuration modes (like the interface configure mode). Once booted, PIX OS has only 3 modes: unprivileged, privileged, and configuration.
- PIX OS works off of what are called Adaptive Security Algorithms (ASA). These are security levels that are assigned to each interface. Security level 100 is the highest (and most trusted) and 0 is the lowest.
- Unlike a router, a PIX OS device operates as a firewall by default
Some commands share the same syntax in PIX OS and IOS, but have different functionality. The six primary commands that you need to watch out for are:
- nameif—assigns a name and security level to an interface
- interface—used to assign hardware parameters (like full or half duplex) and to shutdown interfaces
- ip address—assigns an IP address and other IP parameters to an interface
- nat—does network address translation between the inside interfaces and outside interfaces
- global—does network address translation between the outside and inside interfaces
- route—configures an IP route
You’ll also need to spend a little time getting used to PIX OS’s less complex configuration modes. For example, logging in and out is a little different; showing a running configuration is done with the command write terminal; and saving the configuration to NVRAM is done with the command write memory, or just wr.
PIX Firewall topology options
Think of your network as an office building with security desks at each entry point. At the desks, security guards check identification and make sure visitors aren’t carrying anything unauthorized in or out of the building. They may also ask you what your purpose is in the building and log the time that you came in or went out. This is exactly what firewalls do at the entry points to your network.
The most common use of a firewall is restricting access to your private network from a public network, such as the Internet. Figure A shows an example of this type of topology.
You may also want to create a DMZ (demilitarized zone) between the Internet and your private network. You’d use this segment as the home for servers (like Web servers or external mail servers) that are accessed over the Internet, but still need some protection. Figure B shows an example of this topology.
A less common—but still very important—use for a firewall is to protect the borders between internal networks. Perhaps you share a network with a business partner, do e-commerce with a vendor through a leased line, or just want to control access between departments (like human resources or accounting and everyone else). A firewall can serve this purpose as well, as illustrated in Figure C.
Cisco PIX firewalls are also virtual private network (VPN) servers, which means that remote client systems can run the Cisco VPN Client and connect to the corporate network via the PIX firewall.
Cisco PIX firewalls are advanced, highly-configurable devices, albeit with a command-line interface that is a little challenging to learn. However, these tools are powerful enough to meet the needs of almost any secure topology.