# Foundation Topics

## Overview of the Cisco PIX Firewall

As explained in Chapter 2, the design of the Cisco PIX Firewall provides some significant advantages over application-based firewalls. The Cisco PIX Firewall is designed to be a "performance built, best of breed, all-in-one security appliance." The PIX Firewall appliance provides state-of-the-art stateful firewalling, protocol and application inspection, virtual private networking, inline intrusion prevention, and outstanding multimedia and voice security. Having a single operating environment allows the device to operate more efficiently. Also, because it was designed with security in mind, it is not vulnerable to any known exploits.

Two key components that facilitate the outstanding performance of the PIX Firewall are the Adaptive Security Algorithm (ASA) and cut-through proxy. Both are discussed in detail in the following sections.

### Adaptive Security Algorithm

A key part of the Cisco PIX operating environment is the ASA. The ASA is more secure and efficient than packet filtering and provides better performance than application-type proxy firewalls. The ASA segregates the network segments connected to the firewall, maintains secure perimeters, and can control traffic between those segments.

The firewall interfaces are assigned security levels. The PIX allows traffic to pass from an interface with a higher security level (inside) to an interface with a lower security level (outside) without an explicit rule for each resource on the higher-level segment. Traffic that is coming from an interface with a lower security level destined for an interface with a higher security level must meet the following two requirements:
Access lists and conduits can be used to deny traffic from a higher security level to a lower security level just as they allow traffic from a lower level to a higher level.

Note: The use of conduits is not supported beyond PIX OS Version 6.3.

The ASA is designed to function as a stateful, connection-oriented process that maintains session information in a state table. Applying the security policy and address translation to the state table controls all traffic passing through the firewall. A random TCP sequence number is generated, and the ASA writes the connection information to the state table as an outbound connection is initiated. If the connection is allowed by the security policy, the source address is translated to an external address and the request goes out. Return traffic is compared to the existing state information. If the information does not match, the firewall drops the connection. The security emphasis on the connection rather than on the packets makes it nearly impossible to gain access by hijacking a TCP session.

Figure 3-1 depicts the mechanics of the Adaptive Security Algorithm and how it affects traffic flowing through the PIX Firewall. The following numbered list explains the steps indicated in the figure. Notice that Steps 1 and 5 are performed by the requestor and responder. Steps 2, 3, 4, and 6 are all performed by the PIX Firewall.

Figure 3-1. How ASA Works
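The decision flow described above (security levels for new connections, a state table with a randomized sequence number for established ones, translation of the source address on the way out, and dropping of return traffic that matches no entry) is easier to follow as a small model. The following Python is an added illustration written for this page, not PIX code or Cisco's algorithm; the interface names and levels (`inside` = 100, `outside` = 0), the `PixAsa` class, the one-to-one NAT table and the `inbound_rules` set that stands in for an access list are all assumptions, and the addresses are documentation ranges.

```python
"""Constructed model of the ASA decision flow (added illustration, not PIX code).

Assumptions: two interfaces named 'inside' (level 100) and 'outside' (level 0),
a static one-to-one NAT table, and an explicit inbound permit list that stands
in for an access list. Addresses are documentation ranges, not real hosts.
"""
import random
from dataclasses import dataclass

SECURITY_LEVELS = {"inside": 100, "outside": 0}


@dataclass(frozen=True)
class Packet:
    in_iface: str    # interface the packet arrived on
    out_iface: str   # interface it is destined for
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PixAsa:
    """Security levels decide who may open a connection; the state table
    decides which later packets belong to an existing one."""

    def __init__(self, nat, inbound_rules):
        self.nat = dict(nat)                      # inside address -> global address
        self.inbound_rules = set(inbound_rules)   # (global dst ip, dst port) explicitly permitted
        self.state = {}                           # connection key -> randomized ISN

    def process(self, pkt):
        outbound = SECURITY_LEVELS[pkt.in_iface] > SECURITY_LEVELS[pkt.out_iface]
        # State is keyed on addresses as the lower-security side sees them, so a
        # translated outbound flow and its untranslated reply share one key.
        src = self.nat.get(pkt.src_ip, pkt.src_ip) if outbound else pkt.src_ip
        key = (src, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (key[2], key[3], key[0], key[1])

        if key in self.state or reverse in self.state:
            return "ALLOW"          # belongs to an established connection
        if outbound:
            # Higher-to-lower: permitted without a per-resource rule; the
            # firewall records the connection and picks a random ISN for it.
            self.state[key] = random.getrandbits(32)
            return "ALLOW"
        if (pkt.dst_ip, pkt.dst_port) in self.inbound_rules:
            self.state[key] = random.getrandbits(32)
            return "ALLOW"          # lower-to-higher, but explicitly permitted
        return "DROP"               # unsolicited inbound with no matching rule


def demo():
    """Walk constructed packets through the model and return each verdict."""
    fw = PixAsa(nat={"10.1.1.5": "203.0.113.5", "10.1.1.20": "203.0.113.20"},
                inbound_rules={("203.0.113.20", 80)})
    return {
        "outbound_syn": fw.process(Packet("inside", "outside", "10.1.1.5", 40000, "198.51.100.7", 443)),
        "reply": fw.process(Packet("outside", "inside", "198.51.100.7", 443, "203.0.113.5", 40000)),
        "unmatched_reply": fw.process(Packet("outside", "inside", "198.51.100.7", 443, "203.0.113.5", 40001)),
        "permitted_inbound": fw.process(Packet("outside", "inside", "198.51.100.7", 5555, "203.0.113.20", 80)),
        "server_reply": fw.process(Packet("inside", "outside", "10.1.1.20", 80, "198.51.100.7", 5555)),
        "unpermitted_inbound": fw.process(Packet("outside", "inside", "198.51.100.7", 5556, "203.0.113.20", 23)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The point to notice is that the reply to the outbound connection is allowed only because an entry exists, while a packet that differs by a single port number (`unmatched_reply`) is dropped; that entry-based matching is what the text means by the emphasis being on the connection rather than on the packets.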
### Cut-Through Proxy

The cut-through proxy feature on the Cisco PIX Firewall provides significantly better performance than application proxy firewalls because it completes user authentication at the application layer, verifies authorization against the security policy, and then opens the connection as authorized by the security policy. Subsequent traffic for this connection is no longer handled at the application layer but is statefully inspected, providing significant performance benefits over proxy-based firewalls.

Figure 3-2 depicts the mechanics of cut-through proxy and the four steps that take place prior to the activation of the ASA. The following numbered list explains the steps indicated in the figure:

Figure 3-2. How Cut-Through Proxy Works
Note: Users can authenticate to a user database on the PIX Firewall, but it is more efficient to use an external authentication server with RADIUS or TACACS+ because the processing required by the PIX Firewall to maintain and query an internal database increases the firewall's workload.

## Cisco PIX Firewall Models and Features

See also Chapter 19, "Firewall Service Module." All the PIX firewalls have the functionality described in the following sections incorporated into their design.

### Intrusion Protection

PIX firewalls were designed to detect a variety of attacks. They can also be integrated with the Cisco Secure Intrusion Detection Sensor to dynamically react to different threats.

### AAA Support

PIX firewalls work with RADIUS or TACACS+ and the Cisco Access Control Server (CSACS) or other AAA products to provide authentication, authorization, and accounting (AAA) functionality. It is also possible to configure a local user database on the PIX rather than integrate with an external authentication server.

### X.509 Certificate Support

Digital certificates are your digital identification that verifies you are who you claim to be and validates the integrity of your data. Digital certificates are most commonly combined with encryption to secure data in the following four ways:
PIX firewalls support the Simple Certificate Enrollment Protocol (SCEP) and can be integrated with the following X.509 digital identification solutions:
### Network Address Translation/Port Address Translation

PIX firewalls can statically or dynamically translate internal private (RFC 1918) addresses or any other address used internally to the assigned public addresses. They can also hide multiple hosts on the internal network behind a single public address. A one-for-one translation of addresses from internal to external, or from external to internal, is referred to as Network Address Translation (NAT). If multiple internal addresses are translated behind a single external address, each outgoing connection uses a different source port. This is called Port Address Translation (PAT).

### Firewall Management

PIX firewalls can be managed using one of three methods:
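Returning to the NAT/PAT section above: the difference between a one-for-one translation and many hosts sharing one address is clearest when you watch the translation table fill. The Python below is an added example written for this page, not PIX code; the `Translator` class, its method names, the port pool starting at 1024 and the addresses (documentation ranges) are all assumptions, chosen only to show how PAT keeps two inside hosts apart by source port and how a return packet is mapped back.

```python
"""Constructed NAT/PAT translation table (added illustration, not PIX code).

Static entries give one inside address one global address (NAT); everything
else is hidden behind a single global address and told apart by source port
(PAT). Addresses are documentation ranges; the port pool start is assumed.
"""


class Translator:
    def __init__(self, static, pat_global_ip, first_port=1024, last_port=65535):
        self.static = dict(static)            # inside ip -> global ip (one-for-one)
        self.pat_ip = pat_global_ip
        self.next_port = first_port
        self.last_port = last_port
        self.pat_out = {}                     # (inside ip, inside port) -> global port
        self.pat_in = {}                      # global port -> (inside ip, inside port)

    def outbound(self, inside_ip, inside_port):
        """Return the (global ip, global port) the outside world will see."""
        if inside_ip in self.static:
            return (self.static[inside_ip], inside_port)   # NAT keeps the port
        key = (inside_ip, inside_port)
        if key not in self.pat_out:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            port = self.next_port             # hand out the next unused global port
            self.next_port += 1
            self.pat_out[key] = port
            self.pat_in[port] = key
        return (self.pat_ip, self.pat_out[key])

    def inbound(self, global_ip, global_port):
        """Map a return packet back to (inside ip, inside port); None if no translation exists."""
        for inside_ip, global_ip_for_host in self.static.items():
            if global_ip_for_host == global_ip:
                return (inside_ip, global_port)
        if global_ip == self.pat_ip:
            return self.pat_in.get(global_port)
        return None


def demo():
    """Constructed walk-through: two PAT hosts, one static NAT host, one stray packet."""
    t = Translator(static={"10.1.1.20": "203.0.113.20"}, pat_global_ip="203.0.113.1")
    first = t.outbound("10.1.1.5", 40000)        # first PAT translation
    second = t.outbound("10.1.1.6", 40000)       # same inside port, must get a different global port
    first_again = t.outbound("10.1.1.5", 40000)  # existing translation is reused, not re-allocated
    server = t.outbound("10.1.1.20", 80)         # static NAT: address changes, port does not
    back = t.inbound("203.0.113.1", 1025)        # reply for the second host
    stray = t.inbound("203.0.113.1", 5000)       # nothing ever used this port: no translation
    return first, second, first_again, server, back, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A stray inbound packet with no translation entry resolves to `None`; on a real PIX that is the case where the firewall has nothing to translate the packet to and drops it, which is why PAT alone already blocks unsolicited inbound connections to the hidden hosts.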
### Simple Network Management Protocol

PIX firewalls allow limited SNMP support. Because SNMP was designed as a network management protocol and not a security protocol, it can be used to exploit a device. For this reason, the PIX Firewall allows only read-only access to remote connections. This enables the manager to remotely connect to the device and monitor SNMP traps but does not allow the manager to change any SNMP settings.

### Syslog Support

PIX firewalls log four different types of events onto syslog:
The PIX can be configured to react differently to any of eight severity levels for each event type. Logs are stored in system memory and can be forwarded to a syslog server. It is a recommended practice to select the appropriate log level that generates the syslog details required to track session-specific data.

### Virtual Private Networks

All PIX firewalls are designed to function as a termination point, or VPN gateway, for VPNs. This functionality allows administrators to create encrypted connections with other networks over the Internet. The VPN performance of each PIX model is listed in its corresponding specifications section later in this chapter.

### Optional Firewall Components

Cisco offers five optional components for use with the PIX 515E, 525, or 535 models. These components can increase the performance and functionality of the PIX Firewall. The five optional components include:
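Returning to the Syslog Support section above: once PIX messages reach a syslog server, the eight severity levels are what you filter on, and the session-specific detail the text recommends capturing lives in the message text. The Python below is an added example written for this page, not PIX code or a Cisco tool. It assumes the familiar `%PIX-<severity>-<message id>: <text>` message shape; the sample lines are constructed for this example (their wording is illustrative, not captured from a device), and the function names are assumptions.

```python
"""Constructed PIX syslog filter (added illustration, not PIX code).

PIX messages are emitted as '%PIX-<severity>-<message id>: <text>'. The sample
lines below are constructed for this example; they follow that shape, but the
text is illustrative rather than captured from a real device.
"""
import re

# The eight syslog severity levels, most severe first (0 .. 7).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

MESSAGE_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)")

# Constructed sample log: two connection records, two denies, one command audit line.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 12 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.1.5/40000 (203.0.113.5/40000)
%PIX-6-302014: Teardown TCP connection 12 for outside:198.51.100.7/443 to inside:10.1.1.5/40000 duration 0:00:05 bytes 1432 TCP FINs
%PIX-4-106023: Deny tcp src outside:198.51.100.9/5555 dst inside:203.0.113.5/23 by access-group "outside_in"
%PIX-2-106001: Inbound TCP connection denied from 198.51.100.9/1025 to 203.0.113.5/25 flags SYN on interface outside
%PIX-7-111009: User 'enable_15' executed cmd: show xlate
"""


def parse_line(line):
    """Return {'severity', 'name', 'id', 'text'} for a PIX message, or None if it is not one."""
    m = MESSAGE_RE.search(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    return {"severity": sev, "name": SEVERITY_NAMES[sev],
            "id": m.group("id"), "text": m.group("text")}


def select(log, level):
    """Keep messages at `level` or more severe. A lower number is more severe,
    so level 4 keeps severities 0 through 4, the way a logging threshold works."""
    kept = []
    for line in log.splitlines():
        entry = parse_line(line)
        if entry and entry["severity"] <= level:
            kept.append(entry)
    return kept


def summarize(log):
    """Count messages per severity name; a quick health check of what a server is receiving."""
    counts = {}
    for line in log.splitlines():
        entry = parse_line(line)
        if entry:
            counts[entry["name"]] = counts.get(entry["name"], 0) + 1
    return counts


def denied_sources(log):
    """Source addresses from deny messages, the session-specific data worth tracking."""
    sources = set()
    for entry in select(log, 7):
        if entry["text"].startswith("Deny") or "connection denied" in entry["text"]:
            m = re.search(r"(?:src \w+:|from )(\d+\.\d+\.\d+\.\d+)", entry["text"])
            if m:
                sources.add(m.group(1))
    return sorted(sources)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for e in select(SAMPLE_LOG, 4):
        print(e["name"], e["id"], e["text"][:60])
    print(denied_sources(SAMPLE_LOG))
```

Choosing the threshold is the trade-off the text describes: at level 4 only the two denies survive, while the connection build and teardown records (level 6) that let you reconstruct a session are discarded, so a server meant to track session-specific data has to accept the informational level and the volume that comes with it.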
Note: The type and number of interfaces that will function in the PIX Firewall appliance is normally determined by the license installed, not by the number of available PCI slots.

## PIX Firewall Model Capabilities

The following sections describe the characteristics and capabilities of each of the PIX Firewall models. The throughput speeds mentioned for each model refer to the speeds at which the firewall can process the data. The actual throughput for the firewall is largely determined by the speed of the firewall interface, the speed of the connected link, or the packet (MTU) size.

### Cisco PIX 501

The Cisco PIX 501 Firewall was designed for the SOHO environment. It has a 133-MHz processor, 16 MB of RAM, and 8 MB of Flash memory. It has an outside Ethernet interface and an integrated four-port Ethernet 10/100 switch on the internal side. It has a 9600-baud console port that is used for local device management. The PIX 501 does not support failover.

Connection capabilities for the PIX 501 are as follows:
As shown in Figure 3-3, the front panel of the PIX 501 has a power indicator, a VPN tunnel indicator, and two rows of LEDs for link and network activity. These indicators are divided into two groups:

Figure 3-3. PIX 501 Front Panel
There are several licenses available for the PIX 501 Firewall. Upgrades are available to increase the number of users or to implement VPN support. See Chapter 11.

### Cisco PIX 506E

The Cisco PIX 506E Firewall was designed for the ROBO environment. It has a 300-MHz Celeron processor, 32 MB of RAM, and 8 MB of Flash memory. It has a fixed outside Ethernet interface and a fixed inside Ethernet interface. It has a 9600-baud console port that is used for local device management. The PIX 506 does not support failover.

Connection capabilities for the PIX 506 are as follows:
As shown in Figure 3-4, the PIX 506 has three status LEDs on the front panel that indicate power to the system, that the system is active (the OS is fully loaded), and that there is network activity on any interface.

Figure 3-4. PIX 506 Front Panel

Figure 3-5. PIX 506E Rear Panel

Figure 3-6. PIX 506E Console Connection
### Cisco PIX 515E

The Cisco PIX 515E Firewall was designed for small- to medium-size businesses. The PIX 515E is the smallest firewall of the PIX family that is designed to be rack-mountable and is a standard 1U (1.75-inch) configuration. It has a 433-MHz processor, 32 MB or 64 MB of RAM, and 16 MB of Flash memory. It has two fixed 10/100 Ethernet interfaces that have a default configuration of outside (Ethernet 0) and inside (Ethernet 1) and contains two PCI slots for the installation of up to four additional Ethernet interfaces. See Chapter 9, "Routing and the PIX Firewall."

Connection capabilities for the PIX 515E are as follows:
As shown in Figure 3-7, the PIX 515E has three status LEDs on the front panel that indicate power to the system, that the system is active (the OS is fully loaded and the system is operational), and that there is network activity on any interface. If you have two firewalls running in the failover mode, the active light indicates which firewall is active and which is standby.

Figure 3-7. PIX 515E Front Panel

Figure 3-8. PIX 515E with Additional Four-Port Interface

Figure 3-9. PIX 515E with Two Additional Interfaces
### Cisco PIX 525

The Cisco PIX 525 Firewall is an enterprise firewall. It provides perimeter security for large enterprise networks. The PIX 525 is rack-mountable in a 2U (3.5-inch) configuration. It has a 600-MHz processor, up to 256 MB of RAM, and 16 MB of Flash memory. It has two fixed 10/100 Ethernet interfaces. The two fixed interfaces are Ethernet 0, which is the outside interface by default, and Ethernet 1, which is the inside interface by default.

The PIX 525 also includes three PCI slots for the installation of up to six additional Ethernet interfaces. It has a 9600-baud console port that is used for local device management. The PIX 525 can be configured for failover using a failover cable connected to the 115-kbps serial connection or can be configured for LAN-based failover. The PIX 525 also can be configured with a VAC. The VAC handles much of the processing of VPN traffic (encryption and decryption), thus improving the firewall's performance. The VAC is recommended for firewalls that will connect multiple high-traffic VPNs.

Connection capabilities for the PIX 525 are as follows:
As shown in Figure 3-10, the PIX 525 has two LEDs on the front. These LEDs indicate that the firewall has power and that the system is active (the OS is loaded and the system is operational). The active light indicates which firewall is active in a failover pair.

Figure 3-10. PIX 525 Front Panel

Figure 3-11. PIX 525 Rear Panel
### Cisco PIX 535

The Cisco PIX 535 Firewall is the ultimate enterprise firewall designed for enterprise networks and service providers. The PIX 535 is rack-mountable and fits a 3U configuration. It has a 1-GHz processor, up to 1 GB of RAM, and 16 MB of Flash memory. It has nine PCI slots for the installation of up to ten Ethernet interfaces. It has a 9600-baud console port that is used for local device management, as shown in Figure 3-12.

Figure 3-12. PIX 535 Rear Panel
As shown in Figure 3-13, the PIX 535 has two LEDs on the front. These LEDs indicate that the firewall has power and that the system is active (the OS is loaded and passing traffic). The active light indicates which device of a failover pair is active and which is standby.

Figure 3-13. PIX 535 Front Panel

Figure 3-14. PIX 535 Rear Panel