Cisco PIX 515E Firewall

Page 1: Cisco PIX 515E Firewall. Overview What a PIX Firewall can do Adaptive Security Algorithm Address Translation Cut-Through Proxy Access Control Network.


Overview

• What a PIX Firewall can do

• Adaptive Security Algorithm

• Address Translation

• Cut-Through Proxy

• Access Control

• Network Intrusion Detection

Overview (cont.)

• Specific Protocols and Applications

• PIX Technical Specs

• Expansion and Interfaces

• PIX Firewall Comparison Chart

• PIX Firewall Licensing

• PIX Firewall Price List

• Bibliography


What a PIX Firewall can do

• Protects one or more perimeter networks, also known as a DMZ (demilitarized zone)

• Allows you to implement security policies for connections to and from the inside network

• Can be used within an intranet to protect a specific group of internal computing systems


Adaptive Security Algorithm (ASA)

• Allows one-way connections (inside to outside) without an explicit configuration for each internal system and application

• Always in operation

• No packets can traverse the PIX Firewall without a connection and state

• All ICMP packets are denied unless specifically permitted


Multiple Interfaces and Security Levels

• All PIX Firewalls provide at least two interfaces assigned a security level of 0 and 100, respectively
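The two slides above describe the behaviour that makes the PIX stateful: an interface's security level decides which direction is implicitly permitted, and the connection state created by the permitted direction is what lets the reply back in. The following Python model is an added example, not Cisco's implementation; the interface names, security levels and addresses are constructed, and address translation is left out so that the return packet carries the inside host's own address.

```python
"""Toy model of the PIX Adaptive Security Algorithm (ASA) on a two-interface
firewall. Added example, not Cisco's code: interface names, levels and
addresses are constructed, and NAT is omitted for clarity."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on
    proto: str     # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

# connection key as seen from the initiating side: (proto, src, sport, dst, dport)
ConnKey = Tuple[str, str, int, str, int]

class PixAsa:
    def __init__(self, levels: Dict[str, int]):
        self.levels = levels                              # interface -> security level
        self.conns: Set[ConnKey] = set()                  # state for recorded connections
        self.icmp_permits: Set[Tuple[str, str]] = set()   # (ingress, dst) explicitly permitted

    def permit_icmp(self, ingress: str, dst: str) -> None:
        """Explicit permit; without it every ICMP packet is dropped."""
        self.icmp_permits.add((ingress, dst))

    def _egress(self, pkt: Packet) -> Optional[str]:
        # two-interface box: the egress interface is simply the other one
        others = [name for name in self.levels if name != pkt.ingress]
        return others[0] if len(others) == 1 else None

    def process(self, pkt: Packet) -> str:
        """Decide allow/drop for one packet and update the connection table."""
        egress = self._egress(pkt)
        if egress is None:
            return "drop: unknown interface"
        if pkt.proto == "icmp":
            if (pkt.ingress, pkt.dst) in self.icmp_permits:
                return "allow: icmp explicitly permitted"
            return "drop: icmp not permitted"
        if self.levels[pkt.ingress] > self.levels[egress]:
            # higher -> lower security: permitted implicitly, and state is recorded
            self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow: outbound, connection recorded"
        # lower -> higher security: only the return half of a recorded connection
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return "allow: return traffic for a recorded connection"
        return "drop: no connection state"

def demo() -> List[str]:
    """Walk a constructed inside client and outside server through the model."""
    fw = PixAsa({"inside": 100, "outside": 0})
    client, server = "10.1.1.5", "203.0.113.7"   # constructed addresses
    results = [
        fw.process(Packet("inside", "tcp", client, 40000, server, 80)),   # allowed, state created
        fw.process(Packet("outside", "tcp", server, 80, client, 40000)),  # reply matches state
        fw.process(Packet("outside", "tcp", server, 4444, client, 22)),   # unsolicited, dropped
        fw.process(Packet("outside", "icmp", server, 0, client, 0)),      # icmp denied by default
    ]
    fw.permit_icmp("outside", client)
    results.append(fw.process(Packet("outside", "icmp", server, 0, client, 0)))
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The unsolicited inbound SYN to port 22 is dropped not because of any access list but because no entry for it exists in the connection table; that is the "no packets without a connection and state" rule from the slide.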


Address Translation

• Network Address Translation (NAT)

  – Works by substituting or translating host addresses on one interface with a global address associated with another interface

• Port Address Translation (PAT)

  – Uses port remapping, which allows a single valid IP address to provide translations for up to 64,000 active objects

  – Does not work with multimedia applications that have an inbound data stream different from the outgoing control path
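The PAT bullets above describe both the mechanism (port remapping behind one global address) and its failure mode (an inbound stream that no outbound flow created). This Python model is an added example, not Cisco's code: the global address, inside hosts, port numbers and the 64,000-entry cap are constructed from the slide's figures.

```python
"""Toy model of PIX Port Address Translation (PAT). Added example, not Cisco's
code: one global address is shared by many inside hosts, and each outbound flow
gets its own translated source port so replies to that port can be mapped back.
Addresses and ports are constructed."""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip address, port)

class PatTable:
    def __init__(self, global_ip: str, first_port: int = 1024, max_xlates: int = 64_000):
        self.global_ip = global_ip
        self.next_port = first_port
        self.max_xlates = max_xlates                   # the slide's figure: up to 64,000 active objects
        self.outbound: Dict[Endpoint, int] = {}        # (inside ip, inside port) -> global port
        self.inbound: Dict[int, Endpoint] = {}         # global port -> (inside ip, inside port)

    def translate_outbound(self, inside: Endpoint) -> Optional[Endpoint]:
        """Rewrite an inside source endpoint to (global ip, unique port); None when the pool is exhausted."""
        if inside in self.outbound:
            return (self.global_ip, self.outbound[inside])
        if len(self.outbound) >= self.max_xlates or self.next_port > 65535:
            return None
        port = self.next_port
        self.next_port += 1
        self.outbound[inside] = port
        self.inbound[port] = inside
        return (self.global_ip, port)

    def translate_inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Map a packet addressed to (global ip, port) back to the inside host, or None if no xlate exists."""
        if dst[0] != self.global_ip:
            return None
        return self.inbound.get(dst[1])

def demo() -> Dict[str, object]:
    """Two inside hosts share one global address; a reply is mapped back, an unannounced stream is not."""
    pat = PatTable("203.0.113.1")                         # constructed global address
    a = pat.translate_outbound(("10.1.1.5", 40000))       # first host, first flow
    b = pat.translate_outbound(("10.1.1.6", 40000))       # second host reuses the same inside port
    reply = pat.translate_inbound(("203.0.113.1", a[1]))  # server reply to the translated port
    # Multimedia failure mode: the server opens a separate inbound data stream to a port the
    # client announced on its control channel; the PIX has no xlate for it, so it is dropped.
    data_stream = pat.translate_inbound(("203.0.113.1", 5004))
    return {"a": a, "b": b, "reply": reply, "data_stream": data_stream}

if __name__ == "__main__":
    print(demo())
```

The `None` returned for the data stream is the whole of the multimedia problem: the firewall can only reverse a translation it created, and a port negotiated inside an application's control channel is invisible to plain PAT.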


Cut-Through Proxy

• Unique feature of a PIX Firewall

• Allows user-based authentication of inbound or outbound connections

• A PIX Firewall uses cut-through proxy to authenticate a connection and then allow traffic to flow quickly and directly


Access Control


Access Lists

• Uses standard and extended ACLs

• Implemented using access-list and access-group commands
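To make the two commands on this slide concrete: `access-list` lines build a named list, `access-group` binds it to an interface, and packets are checked against the bound list top to bottom with first-match semantics and an implicit deny at the end. The evaluator below is an added example of those semantics, not PIX code; the configuration lines, addresses and the small port-name table are constructed for the example.

```python
"""Toy evaluator for PIX-style access lists. Added example of the semantics,
not Cisco's code: the configuration, addresses and port-name table are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53, "ftp": 21}   # constructed subset

@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port

def _network(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

class PixAcl:
    def __init__(self) -> None:
        self.lists: Dict[str, List[Ace]] = {}
        self.bindings: Dict[str, str] = {}   # interface name -> list bound inbound

    def configure(self, line: str) -> None:
        """Accept one 'access-list' or 'access-group ... in interface ...' line."""
        t = line.split()
        if t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, i = _network(t, 4)
            dst, i = _network(t, i)
            dport = None
            if i < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            self.lists.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            self.bindings[t[4]] = t[1]
        else:
            raise ValueError(f"unsupported line: {line}")

    def check(self, iface: str, proto: str, src: str, dst: str, dport: int) -> str:
        """First-match lookup on the list bound to iface; implicit deny if nothing matches."""
        name = self.bindings.get(iface)
        if name is None:
            return "no-acl"   # nothing bound: the security-level rules alone decide
        for n, ace in enumerate(self.lists[name], 1):
            if ace.proto not in ("ip", proto):
                continue
            if ipaddress.ip_address(src) not in ace.src or ipaddress.ip_address(dst) not in ace.dst:
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            return f"{ace.action} (line {n})"
        return "deny (implicit)"

# Constructed configuration: a public web server and a DNS server reachable from one partner network.
CONFIG = """
access-list acl_out permit tcp any host 192.0.2.10 eq www
access-list acl_out permit tcp any host 192.0.2.10 eq 443
access-list acl_out permit udp 198.51.100.0 255.255.255.0 host 192.0.2.53 eq domain
access-group acl_out in interface outside
"""

def build() -> PixAcl:
    acl = PixAcl()
    for line in CONFIG.strip().splitlines():
        acl.configure(line)
    return acl

if __name__ == "__main__":
    acl = build()
    print(acl.check("outside", "tcp", "198.51.100.9", "192.0.2.10", 80))
    print(acl.check("outside", "tcp", "198.51.100.9", "192.0.2.10", 22))
```

Because a list is walked in order and stops at the first hit, the order of entries is part of the policy; that linear walk is also what TurboACL (next slide) speeds up for very long lists.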


TurboACL

• Introduced in PIX Firewall version 6.2

• Supports access lists with up to 16,000 access list entries


Network Intrusion Detection


Flood Guard

• Helps prevent denial-of-service (DoS) attacks

• Enabled by default and controlled with the floodguard command


ActiveX Blocking

• Blocks ActiveX controls by commenting the HTML <object> tags out of the web page


Java Filtering

• Prevents Java applets from being downloaded by a system on a protected network
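The ActiveX Blocking and Java Filtering slides describe the same technique: rather than dropping the HTTP response, the firewall neutralises the tags the browser would act on by wrapping them in HTML comments. The Python below is an added example of that rewrite, not Cisco's code; the sample page is constructed, and treating <applet> the same way as <object> is this example's assumption.

```python
"""Toy model of PIX ActiveX blocking and Java filtering as an HTML rewrite.
Added example, not Cisco's code; the sample page is constructed and the
<applet> handling is an assumption of this example."""
import re
from typing import Tuple

# opening or closing <object ...> / <applet ...> tags, any case, attributes allowed
_BLOCKED_TAG = re.compile(r"<\s*/?\s*(object|applet)\b[^>]*>", re.IGNORECASE)

def filter_html(page: str) -> Tuple[str, int]:
    """Return the page with every blocked tag commented out, plus the number of tags touched."""
    count = 0

    def comment_out(match: re.Match) -> str:
        nonlocal count
        count += 1
        return f"<!-- {match.group(0)} -->"

    return _BLOCKED_TAG.sub(comment_out, page), count

def is_clean(page: str) -> bool:
    """True when no live <object>/<applet> tag remains outside an HTML comment."""
    without_comments = re.sub(r"<!--.*?-->", "", page, flags=re.DOTALL)
    return _BLOCKED_TAG.search(without_comments) is None

# Constructed page: one ActiveX control and one Java applet among ordinary content.
SAMPLE_PAGE = """<html><body>
<p>Quarterly report</p>
<OBJECT classid="clsid:PLACEHOLDER" width="300">
  <PARAM name="src" value="report.cab">
</OBJECT>
<applet code="Viewer.class" width="200"></applet>
</body></html>
"""

if __name__ == "__main__":
    filtered, n = filter_html(SAMPLE_PAGE)
    print(f"{n} tags commented out, clean={is_clean(filtered)}")
    print(filtered)
```

Only the tags are touched: the `<PARAM>` element and the surrounding text survive, so the page still renders, minus the control. `is_clean` is the check a defender would run on the filter's output to confirm nothing actionable slipped through.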


Specific Protocols and Applications

• Mail Guard

• Multimedia Applications

• RAS Version 2

• Real Time Streaming Protocol (RTSP)

• Voice over IP

  – H.323

  – SCCP

  – SIP


Technical Specs

• Cleartext throughput: 188 Mbps

• 168-bit 3DES IPsec VPN throughput: 63 Mbps

• Simultaneous VPN tunnels: 2,000

• Processor: 433-MHz Intel Celeron

• Random Access Memory: 32 MB or 64 MB of SDRAM

• Flash Memory: 16 MB

• Cache: 128 KB level 2 at 433 MHz

• System Bus: Single 32-bit, 33-MHz PCI


Expansion and Interfaces

• PCI Bus: Two 32-bit/33-MHz PCI

• Random Access Memory: Two 168-pin DIMM slots (64 MB maximum supported by Cisco PIX OS)

• Integrated Network Ports: Two 10/100 Fast Ethernet (RJ-45)

• Console Port: RS-232 (RJ-45), 9600 baud

• Failover Port: RS-232 (DB-15), 115 Kbps (Cisco-specified cable required)


PIX Firewall Comparison Chart

PIX Firewall Licensing

Cisco PIX Firewall licenses are available in Unrestricted, Restricted, and Fail-Over configurations. These basic licenses can be augmented with VPN DES or 3DES cryptographic services.

Unrestricted—PIX Firewall platforms in an Unrestricted (UR) license mode allow installation and use of the maximum number of interfaces and RAM supported by the platform. The Unrestricted license supports a redundant 'hot standby' system for Fail-over operation to minimize network downtime.

PIX Firewall Licensing (cont.)

Restricted—PIX Firewall platforms in a Restricted (R) license mode limit the number of interfaces supported and the amount of RAM available within the system. A Restricted license provides a cost-optimized firewall solution for simplified network connectivity requirements, or where fewer than the maximum number of user connections is acceptable. A Restricted-licensed firewall does not support a redundant system for fail-over configurations.

Fail-Over—The Fail-Over (FO) software licenses place the Cisco PIX Firewall in a 'hot-standby' mode for use alongside another PIX Firewall with an Unrestricted license. Fail-Over software licensing provides stateful fail-over capabilities, enabling high-availability network architectures. The fail-over PIX Firewall acts as a fully redundant system, maintaining state for all active sessions on the primary PIX Firewall, thereby minimizing connection disruptions due to equipment or network failures.

Current PIX 500 Series Firewall Price Listing

Model    Price
501      $509.08
501-50   $847.55
506E     $1,212.37
515-R    $2,516.58
515-UR   $6,099.63
525-R    $10,499.40
525-UR   $13,553.90
535-R    $30,981.52
535-UR   $48,825.46

(Prices compiled from CDW and MicroWarehouse)


Bibliography

• All information was obtained through Cisco’s website and the Cisco Press PIX Textbook unless otherwise noted.