CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources]

Greg Bastien; Earl Carter; Christian Degu


Foundation Summary

    The "Foundation Summary" provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this summary provides a convenient way to review the day before the exam.

    Adaptive Security Algorithm

The Adaptive Security Algorithm (ASA) is the stateful inspection engine of the PIX Firewall; it provides better security than a packet filter and better performance than an application proxy. Each interface of the firewall is assigned a security level, and traffic flows through the firewall are governed by the relative security levels of the interfaces combined with ACLs or conduits: by default, connections may be initiated from a higher-security interface to a lower-security one, while connections in the opposite direction must be explicitly permitted. The PIX Firewall also randomizes the initial TCP sequence number of outbound connections, which greatly reduces the chance of an inbound TCP session being hijacked through sequence-number prediction.

    Cut-Through Proxy

Cut-through proxy is the method the PIX Firewall uses to authenticate (and, optionally, authorize) a user at the application layer, against a AAA server, before permitting the connection; once the user has been verified, the session is handed to the ASA and passes at the network level. This greatly improves performance over an application proxy firewall, which must inspect every packet of the session at the application layer, because after the initial authentication exchange the PIX inspects the remaining packets only at the network and transport layers.

    Cisco PIX Firewall Models and Features

The Cisco PIX Firewall models and their features are listed in Table 3-7 and summarized below (see also Chapter 19).

Table 3-7. PIX Models and Features

| Firewall Model | 501 | 506E | 515E | 525 | 535 |
|---|---|---|---|---|---|
| Intended Business Application | SOHO | ROBO | Small- to medium-size business | Enterprise | Enterprise/ISP |
| Intrusion Protection | Yes | Yes | Yes | Yes | Yes |
| AAA Support | Yes | Yes | Yes | Yes | Yes |
| X.509 Certificate Support | Yes | Yes | Yes | Yes | Yes |
| AVVID Partner Support | Yes | Yes | Yes | Yes | Yes |
| Maximum Installed Interfaces | One plus a four-port 10/100 switch | Two 10/100 | Six 10/100 | Eight 10/100, or three Gigabit and two 10/100 | Ten 10/100, or nine Gigabit |
| Supports DHCP | Yes | Yes | Yes | Yes | Yes |
| NAT | Yes | Yes | Yes | Yes | Yes |
| PAT | Yes | Yes | Yes | Yes | Yes |
| PPP over Ethernet | Yes | Yes | Yes | Yes | Yes |
| Cisco PIX Command Line | Yes | Yes | Yes | Yes | Yes |
| PIX Device Manager | Yes | Yes | Yes | Yes | Yes |
| Cisco Secure Policy Manager | Yes | Yes | Yes | Yes | Yes |
| SNMP and Syslog Support | Yes | Yes | Yes | Yes | Yes |
| Failover Support | No | No | Yes | Yes | Yes |
| Maximum Throughput (cleartext) | 60 Mbps | 100 Mbps | 188 Mbps | 330 Mbps | 1.7 Gbps |
| Maximum Throughput (DES) | 6 Mbps | 20 Mbps | Not listed | Not listed | Not listed |
| Maximum Throughput (3DES) | 3 Mbps | 17 Mbps | 63 Mbps (VAC), 140 Mbps (VAC+) | 72 Mbps (VAC), 155 Mbps (VAC+) | 100 Mbps (VAC), 440 Mbps (VAC+) |
| Maximum Throughput (AES) | 4.5 Mbps (AES-128) | 30 Mbps (AES-128) | 135 Mbps (AES-128), 140 Mbps (AES-256) | 165 Mbps (AES-128), 170 Mbps (AES-256) | 535 Mbps (AES-128), 440 Mbps (AES-256) |
| Maximum Concurrent Connections | 7,500 | 25,000 | 130,000 | 280,000 | 500,000 |
| Maximum Concurrent VPN Peers | 10 | 25 | 2,000 | 2,000 | 2,000 |
| Processor | 133 MHz | 300 MHz | 433 MHz | 600 MHz | 1.0 GHz |
| RAM | 16 MB | 32 MB | 32/64 MB | Up to 256 MB | Up to 1 GB |
| Flash Memory | 8 MB | 8 MB | 16 MB | 16 MB | 16 MB |

• PIX 501: Designed for SOHO use. It has two effective interfaces, a single outside interface and a four-port inside switch.

• PIX 506E: Designed for ROBO use. It has a single outside interface and a single inside interface.

• PIX 515E: Designed for small- to medium-size networks.

• PIX 525: Designed for large enterprise networks.

• PIX 535: Designed for large enterprise networks and ISPs.

• FWSM: A firewall blade designed for the Cisco Catalyst 6500 Series Switch and 7600 Series Router.

    Intrusion Protection

    PIX firewalls were designed to independently detect and react to a variety of attacks. They can also be integrated with the Cisco Secure Intrusion Detection System to dynamically react to different threats.
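As an added configuration example (not taken from the book), the following PIX OS 6.x commands enable the built-in signature engine the paragraph above refers to, and show the `shun` command through which a Cisco Secure IDS sensor makes the PIX react dynamically to an attack. Interface names, policy names and addresses are hypothetical.

```cisco
! Added example, PIX OS 6.x syntax. Names and addresses are hypothetical.
!
! Two audit policies: informational signatures only raise a syslog alarm;
! attack signatures alarm, drop the packet, and reset the TCP connection.
ip audit name outside_info info action alarm
ip audit name outside_attack attack action alarm drop reset
!
! Bind both policies to the untrusted interface.
ip audit interface outside outside_info
ip audit interface outside outside_attack
!
! Tune rather than disable: silence one noisy informational signature
! (2000, ICMP Echo Reply) and keep the rest of the policy active.
ip audit signature 2000 disable
!
! A Cisco Secure IDS sensor reacts to an attack by pushing a shun to the PIX;
! the same command can be issued by hand. Packets from a shunned source are
! dropped regardless of the access lists until the shun is removed.
shun 198.51.100.7
!
! Verification (exec mode):
!   show ip audit count     - hits per signature
!   show shun               - active shuns
!   no shun 198.51.100.7    - clear the block
```

The `drop reset` action only applies to attack signatures; leaving informational signatures at `alarm` avoids a false positive turning a harmless scan into a self-inflicted denial of service.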

    AAA Support

    The PIX Firewall supports the following AAA technologies:

• Local database: It is possible to configure a local AAA database on the PIX Firewall; however, it is not recommended, because the additional processing required to use the local database can adversely affect the performance of the firewall.

• RADIUS: The PIX Firewall supports RADIUS.

• TACACS+: The PIX Firewall supports TACACS+.
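The Cut-Through Proxy and AAA Support sections describe the mechanism without showing it. As an added example (PIX OS 6.x syntax, not the book's own configuration), the following defines a TACACS+ and a RADIUS server group and requires users on the inside interface to authenticate before their HTTP, Telnet or FTP connections are built. Server addresses, shared keys and timers are hypothetical.

```cisco
! Added example, PIX OS 6.x syntax. Addresses and keys are hypothetical.
!
! Server groups. TACACS+ and RADIUS are the predefined group tags; the key
! must match the one configured on the AAA server.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.5 s3cr3tkey timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.6 s3cr3tkey timeout 10
!
! Cut-through proxy: prompt for credentials on the first HTTP, Telnet or FTP
! connection from any inside host to any destination. After a successful
! authentication the session is cut through to the ASA; that user's later
! packets are not inspected at the application layer again.
aaa authentication include http inside 0 0 0 0 TACACS+
aaa authentication include telnet inside 0 0 0 0 TACACS+
aaa authentication include ftp inside 0 0 0 0 TACACS+
!
! Service authorization (TACACS+ group): the server decides which services
! each authenticated user may use.
aaa authorization include any inside 0 0 0 0 TACACS+
!
! Credential cache: re-authenticate after 3 hours, or after 30 idle minutes.
! Setting the absolute timer to 0 forces authentication on every new
! connection (stricter, but slower and noisier for users).
timeout uauth 3:00:00 absolute uauth 0:30:00 inactivity
!
! Verification (exec mode): show uauth lists authenticated users and their
! remaining time; clear uauth forces everyone to log in again.
```

Pointing the `aaa authentication` lines at the `RADIUS` group instead works the same way for authentication; the example keeps authorization on TACACS+ because that is the group the `aaa authorization` command is written against here.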

    X.509 Certificate Support

    The PIX Firewall supports X.509 certificates for digital identity verification. X.509 certificates are used in conjunction with encryption for the following:

• Authentication: Digital certificates are used to authenticate the identity of a user or server.

• Integrity: A digital certificate becomes invalid if the digitally signed data has been altered, because the signature no longer verifies.

• Token verification: Digital certificates can be used as a replacement for passwords.

• Encryption: Digital certificates simplify the identity authentication process when negotiating an encrypted VPN connection.

    The Cisco PIX Firewall supports the Simple Certificate Enrollment Protocol (SCEP) and can be integrated with the following X.509 digital identification solutions:

    • Entrust Technologies, Inc. Entrust/PKI 4.0

    • Microsoft Corp. Windows 2000 Certificate Server 5.0

    • VeriSign Onsite 4.5

    • Baltimore Technologies UniCERT 3.05

    Network Address Translation/Port Address Translation

    The PIX Firewall can perform both NAT and PAT.
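The Adaptive Security Algorithm section and the NAT/PAT sentence above describe security levels and translation in the abstract. As an added example (PIX OS 6.x syntax, not taken from the book), the following three-interface configuration shows how they combine: outbound traffic from a higher to a lower security level flows once a translation exists, while inbound traffic from a lower security level needs both a static translation and an explicit ACL permit. All addresses and names are hypothetical.

```cisco
! Added example, PIX OS 6.x syntax. Addresses and names are hypothetical.
!
! Security levels: 100 = most trusted, 0 = least trusted. The ASA lets a
! higher-level interface open connections to a lower one by default and
! denies the reverse unless explicitly permitted.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
!
! Outbound NAT for the inside network: a pool of public addresses (NAT) and
! a single address used for PAT once the pool is exhausted. Both share
! nat ID 1, so the PIX falls through from the pool to the PAT address.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0
global (outside) 1 192.0.2.21 netmask 255.255.255.0
!
! DMZ hosts going out use PAT on the outside interface address itself.
nat (dmz) 2 172.16.1.0 255.255.255.0
global (outside) 2 interface
!
! Inbound to a DMZ web server: a static (one-to-one) translation gives it a
! fixed public address, and an ACL applied inbound on outside permits only
! HTTP and HTTPS to it. Everything else arriving from outside is dropped.
static (dmz,outside) 192.0.2.30 172.16.1.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.0.2.30 eq www
access-list outside_in permit tcp any host 192.0.2.30 eq 443
access-group outside_in in interface outside
!
! TCP initial sequence number randomization is on by default for every
! translation. The norandomseq keyword on nat or static turns it off and
! should be used only for an application that breaks without it.
!
! Verification (exec mode):
!   show xlate                   - current translation slots (NAT and PAT)
!   show conn                    - active connections tracked by the ASA
!   show access-list outside_in  - hit counts per access-list entry
```

Without a `nat`/`global` (or a `static`) pair covering the source, the PIX builds no translation slot and the connection is not allowed even from a higher security level; the security-level rule decides the direction, the translation rule decides whether a slot exists.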

    Firewall Management

    PIX firewalls can be managed using one of three methods:

    • Cisco command-line interface (CLI)

    • PIX Device Manager (PDM)

    • CiscoWorks Management Center for Firewalls (PIX MC)

    Simple Network Management Protocol

PIX firewalls provide limited SNMP support. Because SNMP was designed as a network management protocol rather than a security protocol, write access to it could be used to reconfigure or compromise a device. For this reason the PIX Firewall allows only read-only SNMP access from remote stations: a manager can poll the firewall and receive its SNMP traps, but cannot change any setting on the firewall through SNMP.

    Syslog Support

PIX firewalls log four types of events to syslog:

    • Security

    • Resource

    • System

    • Accounting
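The Firewall Management, SNMP and Syslog sections above list what the PIX offers. As an added example (PIX OS 6.x syntax, not the book's configuration), the following limits PDM and SSH access to a management subnet, enables read-only SNMP toward a single management station, and sends syslog to a collector. Addresses, the community string and names are hypothetical.

```cisco
! Added example, PIX OS 6.x syntax. Addresses and strings are hypothetical.
!
! Management access: PDM runs over HTTPS and SSH replaces Telnet. Both are
! limited to the management subnet on the inside interface; no management
! protocol is opened toward the outside interface.
http server enable
http 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 10
!
! SNMP: PIX 6.x speaks SNMPv1/v2c, so the community string crosses the wire
! in cleartext. Treat it as a password, change it from the default, and name
! the only stations allowed to poll or receive traps. The PIX answers GET
! requests only; SET is never honoured.
snmp-server community r0-m0nit0r-2004
snmp-server host inside 10.1.1.20 poll
snmp-server host inside 10.1.1.21 trap
snmp-server enable traps
snmp-server location Rack-7
snmp-server contact secops
! Syslog messages of this severity and above are also sent as SNMP traps.
logging history warnings
!
! Syslog: timestamped messages of severity informational (6) and above to a
! collector on the inside; UDP/514 is the default transport. If a TCP port
! is given instead (logging host inside 10.1.1.30 tcp/1468) the PIX stops
! building new connections while the collector is unreachable, so UDP is the
! usual choice unless that fail-closed behaviour is wanted.
logging on
logging timestamp
logging trap informational
logging facility 20
logging host inside 10.1.1.30
! Keep the most recent warnings in memory as well, for show logging.
logging buffered warnings
```

Restricting the poll and trap hosts is what makes the read-only SNMP access safe in practice: a guessed community string is useless to a host the `snmp-server host` lines do not name.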

    Virtual Private Networks

    All PIX firewalls are designed to function as a termination point, or VPN gateway, for VPNs. This functionality enables administrators to create encrypted connections with other networks over the Internet.
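The X.509 Certificate Support and Virtual Private Networks sections above state that the PIX enrolls with a CA through SCEP and terminates IPsec tunnels. As an added example (PIX OS 6.3 syntax, not from the book), the following enrolls the firewall with a Windows 2000 Certificate Server over SCEP and then uses the resulting certificate (RSA signatures) to authenticate a site-to-site IPsec tunnel protected with AES-256. The CA address and script path, challenge password, peer address and networks are hypothetical; the key length and algorithms are choices, not values from the book.

```cisco
! Added example, PIX OS 6.3 syntax. Addresses, names and the challenge
! password are hypothetical.
!
! The certificate subject is built from the hostname and domain name.
hostname pix1
domain-name example.com
!
! RSA key pair for signing; save keys (and later the certificates) to flash.
ca generate rsa key 1024
ca save all
!
! SCEP enrolment against a Windows 2000 Certificate Server running MSCEP.
! ca identity nickname ip[:script]; ra = enrol through the registration
! authority, retry every 1 minute up to 20 times, tolerate a missing CRL.
ca identity winca 10.1.1.40:/certsrv/mscep/mscep.dll
ca configure winca ra 1 20 crloptional
!
! Fetch the CA certificate and compare its fingerprint with the CA operator
! out of band before trusting it, then request the PIX certificate. The
! challenge password comes from the MSCEP enrolment page.
ca authenticate winca
ca enroll winca ch4ll3nge
ca save all
! show ca certificate shows the issued certificate, show ca identity the CA.
!
! IKE phase 1 with certificate (RSA signature) authentication. AES requires
! PIX OS 6.3; the VAC+ card accelerates AES and 3DES.
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Phase 2: traffic between the two LANs is encrypted and exempted from NAT.
access-list vpn_traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list vpn_traffic
crypto ipsec transform-set aes_sha esp-aes-256 esp-sha-hmac
crypto map site2site 10 ipsec-isakmp
crypto map site2site 10 match address vpn_traffic
crypto map site2site 10 set peer 203.0.113.1
crypto map site2site 10 set transform-set aes_sha
crypto map site2site interface outside
!
! Decrypted tunnel traffic bypasses the interface access-list check.
sysopt connection permit-ipsec
!
! Verification (exec mode): show isakmp sa, show ipsec sa, show crypto map.
```

Both peers must enroll with a CA they mutually trust and have their clocks reasonably in sync, otherwise certificate validity checks fail during phase 1; with `rsa-sig` there is no pre-shared key to manage per peer, which is the simplification the X.509 section has in mind.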