Cisco PIX 515E Firewall Overview • • • • • • What a PIX Firewall can do Adaptive Security Algorithm Address Translation Cut-Through Proxy Access Control Network Intrusion Detection Overview Cont.. • • • • • • • Specific Protocols and Applications PIX Technical Specs Expansion and Interfaces PIX Firewall Comparison Chart PIX Firewall Licensing PIX Firewall Price List Bibliography What a PIX Firewall can do • Protect one or more perimeter networks, also know as a DMZ (demilitarized zone) • Allows you to implement security policies for connection to and from the inside network • Can be used within an intranet to protect a specific group of internal computing systems Adaptive Security Algorithm (ASA) • Allows one way connections (inside to outside) without an explicit configuration for each internal system and application • Always in operation • No packets can traverse the PIX Firewall without a connection and state • All ICMP packets are denied unless specifically permitted Multiple Interfaces and Security Levels • All PIX Firewalls provide at least two interfaces assigned a security level of 0 and 100, respectively Address Translation • Network Address Translation (NAT) – Works by substituting or translating host addresses on one interface with a global address associated with another interface • Port Address Translation (PAT) – Uses port remapping which allows a single valid IP address translation for up to 64,000 active objects – Does not work with multimedia applications that have an inbound data stream different from the outgoing control path Cut-Through Proxy • Unique feature of a PIX Firewall • Allows user-based authentication of inbound or outbound connections • A PIX Firewall uses cut-through proxy to authenticate a connection and then allow traffic to flow quickly and directly Access Control Access Lists • Uses standard and extend ACL’s • Implemented using access-list and accessgroup commands TurboACL • Introduced in PIX Firewall version 6.2 • Supports access lists with up to 16,000 access list entries Network Intrusion Detection Flood Guard • Helps prevent a denial of service (DoS) attack • Enabled by default and can be controlled with the floodguard 1 command ActiveX Blocking • Blocks HTML <object> commands and comments them out of the HTML web page Java Filtering • Prevents Java applets from being downloaded by a system on a protected network Specific Protocols and Applications • • • • • Mail Guard Multimedia Applications RAS Version 2 Real Time Streaming Protocol (RTSP) Voice over IP – H.323 – SCCP – SIP Technical Specs • • • • • Cleartext throughput 188 Mbps 168-bit 3DES IPsec VPN throughput 63 Mbps Simultaneous VPN tunnels 2,000 Processor 433-MHz Intel Celeron Random Access Memory 32 MB, or 64 MB of SDRAM • Flash Memory 16 MB • Cache 128 KB level 2 at 433 MHz • System BUS Single 32-bit, 33-MHz PCI Expansion and Interfaces • PCI BUS Two 32-bit/33-MHz PCI • Random Access Memory Two 168-pin DIMM slots (64 MB maximum supported by Cisco PIX OS) • Integrated Network Ports Two 10/100 Fast Ethernet (RJ-45) • Console Port RS-232 (RJ-45) 9600 baud • Failover Port RS-232 (DB-15) 115 Kbps (Cisco specified cable required) PIX Firewall Comparison Chart PIX Firewall Licensing Cisco PIX Firewall licenses are available in Unrestricted, Restricted, and Fail-Over configurations. These basic licenses can be augmented with VPN DES or 3DES cryptographic services. Unrestricted—PIX Firewall platforms in an Unrestricted (UR) license mode allow installation and use of the maximum number of interfaces and RAM supported by the platform. The Unrestricted license supports a redundant 'hot standby' system for Fail-over operation to minimize network downtime. PIX Firewall Licensing cont.. Restricted—PIX Firewall platforms in a Restricted (R) license mode limit the number of interfaces supported and the amount of RAM available within the system. A restricted license provides a cost-optimized firewall solution for simplified network connectivity requirements, or where lower than the maximum number of user connections are acceptable. A Restricted licensed firewall does not support a redundant system for failover configurations. Fail-Over—The Fail-Over (FO) software licenses place the Cisco PIX Firewall in a 'hot-standby' mode for use along side another PIX Firewall with an Unrestricted license. Fail-Over software licensing provides stateful fail-over capabilities thus enabling high availability network architectures. The fail-over PIX firewall acts as a fully redundant system maintaining state with all active sessions on the primary PIX Firewall, thereby minimizing connection disruptions due to equipment or network failures. Current PIX 500 Series Firewall Price Listing Model Price 501 $509.08 501-50 $847.55 506E $1,212.37 515-R $2,516.58 515-UR $6,099.63 525-R $10,499.40 525-UR $13,553.90 535-R $30,981.52 535-UR $48,825.46 (Prices compiled from CDW and MicroWarehouse) Bibliography • All information was obtained through Cisco’s website and the Cisco Press PIX Textbook unless otherwise noted.