Cisco PIX 515E Firewall

Overview
• What a PIX Firewall can do
• Adaptive Security Algorithm
• Address Translation
• Cut-Through Proxy
• Access Control
• Network Intrusion Detection
Overview (cont.)
• Specific Protocols and Applications
• PIX Technical Specs
• Expansion and Interfaces
• PIX Firewall Comparison Chart
• PIX Firewall Licensing
• PIX Firewall Price List
• Bibliography
What a PIX Firewall can do
• Protects one or more perimeter networks, also known as a DMZ (demilitarized zone)
• Allows you to implement security policies for connections to and from the inside network
• Can be used within an intranet to protect a specific group of internal computing systems
Adaptive Security Algorithm (ASA)
• Allows one way connections (inside to
outside) without an explicit configuration
for each internal system and application
• Always in operation
• No packets can traverse the PIX Firewall
without a connection and state
• All ICMP packets are denied unless
specifically permitted
Multiple Interfaces and Security Levels
• All PIX Firewalls provide at least two
interfaces assigned a security level of 0 and
100, respectively
Address Translation
• Network Address Translation (NAT)
– Works by substituting or translating host addresses on
one interface with a global address associated with
another interface
• Port Address Translation (PAT)
– Uses port remapping which allows a single valid IP
address translation for up to 64,000 active objects
– Does not work with multimedia applications that have
an inbound data stream different from the outgoing
control path
Cut-Through Proxy
• Unique feature of a PIX Firewall
• Allows user-based authentication of
inbound or outbound connections
• A PIX Firewall uses cut-through proxy to
authenticate a connection and then allow
traffic to flow quickly and directly
Access Control
Access Lists
• Uses standard and extended ACLs
• Implemented using the access-list and access-group commands
TurboACL
• Introduced in PIX Firewall version 6.2
• Supports access lists with up to 16,000
access list entries
Network Intrusion Detection
Flood Guard
• Helps prevent a denial of service (DoS)
attack
• Enabled by default and can be controlled with the floodguard command
ActiveX Blocking
• Blocks HTML <object> commands and
comments them out of the HTML web page
Java Filtering
• Prevents Java applets from being
downloaded by a system on a protected
network
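The following is an added example, not taken from the original slides or from Cisco: a minimal PIX 6.x-style configuration that ties together the security levels, NAT/PAT, the access-list/access-group pair, Flood Guard and the ActiveX/Java filters described in the preceding slides. The interface names, the DMZ on ethernet2, the addresses and the ACL name `outside_in` are assumptions; lines beginning with `!` are annotations, not PIX commands.

```text
! Added example (not from the original slides): PIX 6.x-style configuration.
! Security levels: outside=0, inside=100, and an assumed DMZ at 50.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
! Placeholder addresses (RFC 5737 / RFC 1918), not real deployment values.
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
! ASA: inside (100) -> outside (0) needs only a translation, no per-host rule.
! "global ... interface" is PAT: many inside hosts share the outside address.
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
global (outside) 1 interface
! Lower -> higher (outside -> dmz) requires an explicit static plus an ACL.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq www
! ICMP is denied unless permitted: allow only echo replies for outbound pings.
access-list outside_in permit icmp any any echo-reply
access-group outside_in in interface outside
! Flood Guard is on by default; stated explicitly so the intent is visible.
floodguard enable
! Comment out <object> tags and block Java applets for inside HTTP clients.
filter activex 80 10.0.0.0 255.255.255.0 0 0
filter java 80 10.0.0.0 255.255.255.0 0 0
```

Note that without the `static` and `access-group` lines no outside-initiated connection reaches the DMZ host at all, which is the ASA default the slides describe.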
Specific Protocols and Applications
• Mail Guard
• Multimedia Applications
• RAS Version 2
• Real Time Streaming Protocol (RTSP)
• Voice over IP
  – H.323
  – SCCP
  – SIP
Technical Specs
• Cleartext throughput: 188 Mbps
• 168-bit 3DES IPsec VPN throughput: 63 Mbps
• Simultaneous VPN tunnels: 2,000
• Processor: 433-MHz Intel Celeron
• Random Access Memory: 32 MB or 64 MB of SDRAM
• Flash Memory: 16 MB
• Cache: 128 KB level 2 at 433 MHz
• System Bus: Single 32-bit, 33-MHz PCI
Expansion and Interfaces
• PCI Bus: Two 32-bit/33-MHz PCI
• Random Access Memory: Two 168-pin DIMM slots (64 MB maximum supported by Cisco PIX OS)
• Integrated Network Ports: Two 10/100 Fast Ethernet (RJ-45)
• Console Port: RS-232 (RJ-45), 9600 baud
• Failover Port: RS-232 (DB-15), 115 Kbps (Cisco-specified cable required)
PIX Firewall Comparison Chart
PIX Firewall Licensing
Cisco PIX Firewall licenses are available in Unrestricted,
Restricted, and Fail-Over configurations. These basic
licenses can be augmented with VPN DES or 3DES
cryptographic services.
Unrestricted—PIX Firewall platforms in an Unrestricted
(UR) license mode allow installation and use of the
maximum number of interfaces and RAM supported by the
platform. The Unrestricted license supports a redundant
'hot standby' system for Fail-over operation to minimize
network downtime.
PIX Firewall Licensing (cont.)
Restricted—PIX Firewall platforms in a Restricted (R) license mode limit
the number of interfaces supported and the amount of RAM available
within the system. A restricted license provides a cost-optimized firewall
solution for simplified network connectivity requirements, or where lower
than the maximum number of user connections are acceptable. A
Restricted licensed firewall does not support a redundant system for failover configurations.
Fail-Over—The Fail-Over (FO) software licenses place the Cisco PIX
Firewall in a 'hot-standby' mode for use alongside another PIX Firewall
with an Unrestricted license. Fail-Over software licensing provides
stateful fail-over capabilities, thus enabling high-availability network
architectures. The fail-over PIX Firewall acts as a fully redundant system,
maintaining state for all active sessions on the primary PIX Firewall,
thereby minimizing connection disruptions due to equipment or network
failures.
Current PIX 500 Series Firewall Price Listing

Model    Price
501      $509.08
501-50   $847.55
506E     $1,212.37
515-R    $2,516.58
515-UR   $6,099.63
525-R    $10,499.40
525-UR   $13,553.90
535-R    $30,981.52
535-UR   $48,825.46

(Prices compiled from CDW and MicroWarehouse)
Bibliography
• All information was obtained through
Cisco’s website and the Cisco Press PIX
Textbook unless otherwise noted.