© 2000, Cisco Systems, Inc. CSPFF Chapter 2 Cisco Secure PIX Firewall Models and Features

© 2000, Cisco Systems, Inc. CSPFF Objectives Upon completion of this chapter, you will be able to perform the following tasks: Describe firewall technologies and define the three types of firewalls used to secure todays computer networks. Describe the PIX Firewall. Identify the PIX Firewall models. Describe the PIX Firewall features and functions.

© 2000, Cisco Systems, Inc. CSPFF Firewalls

© 2000, Cisco Systems, Inc. CSPFF What Is a Firewall? A firewall is a system or group of systems that manages access between two networks.

© 2000, Cisco Systems, Inc. CSPFF Firewall Technologies Firewall operations are based on one of three technologies: Packet filtering Proxy server Stateful packet filtering

© 2000, Cisco Systems, Inc. CSPFF ACL Packet Filtering Limits information into a network based on destination and source address

© 2000, Cisco Systems, Inc. CSPFF Proxy Server Requests connections between a client on the inside of the firewall and the Internet

© 2000, Cisco Systems, Inc. CSPFF Stateful Packet Filtering Limits information into a network not only based on destination and source address, but also based on packet data content

© 2000, Cisco Systems, Inc. CSPFF Overview of the Cisco Secure PIX Firewall

© 2000, Cisco Systems, Inc. CSPFF PIX FirewallWhat Is it? Stateful firewall with high security and fast perfomance Secure, real-time, embedded operating system no UNIX or NT security holes Adaptive security algorithm provides stateful security Cut-through proxy eliminates application-layer bottlenecks Pentium Pro (515) or Pentium II (520) processor- based system

© 2000, Cisco Systems, Inc. CSPFF The PIX Firewall Models PIX Firewall 520 Enterprise chassis design 256,000 simultaneous sessions 240 Mbps thru-put PIX Firewall 515 Low profile design 128,000 simultaneous sessions 170 Mbps thru-put

© 2000, Cisco Systems, Inc. CSPFF Finesse Operating System Eliminates the risks associated with general-purpose operating systems

© 2000, Cisco Systems, Inc. CSPFF Adaptive Security Algorithm Provides stateful connection security Tracks source and destination ports and addresses, TCP sequences, and additional TCP flags TCP sequence numbers are randomized Tracks UDP and TCP session state Connections allowed outallows return session back flow (TCP ACK bit) Supports authentication, authorization, syslog accounting

© 2000, Cisco Systems, Inc. CSPFF Cut-Through Proxy Operation Authenticates once at the application layer (OSI Layer 7) for each supported service Connection is passed back to the PIX high-performance ASA engine, while maintaining session state Internal/ External User IS Resource 1. User makes a request to an IS resource 2. PIX intercepts connection 3. PIX prompts user for username and password, authenticates user and checks security policy on RADIUS or TACACS+ server 5. PIX directly connects internal/external user to IS resource via ASA 4. PIX initiates connection from PIX to the destination IS resource Cisco Secure PIX Firewall Username and Password Required Enter username for CCO at User Name: Password: OKCancel student 3.

© 2000, Cisco Systems, Inc. CSPFF Stateful Failover/Hot Standby Protection of your network is ensured through the stateful failover function.

© 2000, Cisco Systems, Inc. CSPFF Summary

© 2000, Cisco Systems, Inc. CSPFF Summary There are three firewall technologies: packet filtering, proxy server, and stateful packet filtering. There are two primary PIX Firewall models: 515 and 520. The PIX Firewall features include: Finesse operating system, Adaptive Security Algorithm, cut-through proxy, stateful failover, and stateful packet filtering.

© 2000, Cisco Systems, Inc. CSPFF Review Questions

© 2000, Cisco Systems, Inc. CSPFF Review Questions Q1) What is the main purpose of a firewall? Q2) What are the three main types of firewalls, as discussed in this chapter? Q3) Describe packet filtering in relation to firewall security. Q4) What is stateful packet filtering? Q5) What does the acronym PIX stand for?

© 2000, Cisco Systems, Inc. CSPFF Review Questions (cont.) Q6) Explain how the PIX Firewall is secure right out of the box. Q7) Name and describe three primary features of the PIX Firewall. Q8) What does the acronym ASA stand for and how does it work? Q9) Describe the cut-through proxy process as it relates to the PIX Firewall.

© 2000, Cisco Systems, Inc. CSPFF Review Questions (cont.) Q10) What is stateful failover/hot standby? Q11) When a secondary PIX Firewall completes its initial bootup, the active Pix Firewall does what? Q12) What command is used to force this process? Q13) Which firewall technology does the PIX Firewall use?