Summary


The PIX is a dedicated firewall appliance based on a special-purpose, hardened operating system. The simplified kernel and reduced command structure (compared with firewalls based on general-purpose operating systems) mean that, all other things being equal, the PIX will have higher throughput and lower maintenance costs than a general-purpose device. In addition, the similarity to IOS gives an edge to security administrators who are already familiar with the Cisco environment.

The PIX is a hybrid firewall based on stateful packet filtering with the use of proxies for specific applications. The stateful packet filter is known as the Adaptive Security Algorithm, or ASA, and uses two databases, a table of translations and a table of known connections, to maintain the state of the traffic transiting the network and to dynamically allow packets through the filter. The ASA inspects both packet header information, including source address, destination address, and TCP and UDP socket information, and the packet contents for certain protocols, to make intelligent decisions on routing the packets. The ASA also rewrites packets where necessary, as part of its inspection engine, for protocols that are well known.

About a dozen proxies are associated with the PIX. Some, such as the FTP proxy, augment the ASA process by permitting the passing of packets associated with an allowed communication—for FTP, while the command channel follows the normal three-way handshake initiated by the client and directed at a well-known socket, the data channels have the handshake initiated by the server (in the opposite direction of the usual security policy) and directed at a port defined during the transaction. Others, such as the SMTP proxy, are designed to enforce a limited subset of protocol commands and, by enforcing the RFC, provide additional security to potentially buggy applications. Still others, such as the multimedia proxies, provide the intelligence to extract IP addresses from the body of the packets and handle the complex rewriting and authorization for these interrelated protocols.
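The two-table design and the FTP case just described, as an added illustration that is not from the book: a toy model of the ASA in Python. Hosts, ports and the one-to-one NAT mapping are constructed; the real inspection engine does far more (timeouts, TCP sequence tracking, many protocols), and this only shows why return traffic is admitted without an explicit rule and why active-mode FTP needs a parsed-and-rewritten PORT command plus a one-shot pinhole.

```python
from dataclasses import dataclass
import re

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""

class Asa:
    """Toy model of the Adaptive Security Algorithm (constructed example, not PIX code)."""
    def __init__(self, static_nat):
        self.xlate = dict(static_nat)                    # translation table: inside ip -> global ip
        self.unxlate = {g: i for i, g in self.xlate.items()}
        self.conns = set()       # connection table: (inside_ip, inside_port, remote_ip, remote_port)
        self.pinholes = set()    # (remote_ip, inside_ip, inside_port): one expected inbound SYN

    def outbound(self, pkt):
        """Higher- to lower-security traffic is allowed; record the connection, translate the source."""
        global_ip = self.xlate[pkt.src]
        self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        payload = pkt.payload
        if pkt.dport == 21:
            payload = self._inspect_ftp(pkt, global_ip)
        return Packet(global_ip, pkt.sport, pkt.dst, pkt.dport, payload)

    def _inspect_ftp(self, pkt, global_ip):
        """Active FTP: the client's PORT command names where the server will connect back.
        Open a pinhole for that single data connection and rewrite the command so it
        carries the translated (outside) address instead of the private one."""
        m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", pkt.payload)
        if not m:
            return pkt.payload
        data_port = int(m[5]) * 256 + int(m[6])
        self.pinholes.add((pkt.dst, pkt.src, data_port))
        return f"PORT {global_ip.replace('.', ',')},{data_port // 256},{data_port % 256}\r\n"

    def inbound(self, pkt):
        """Lower- to higher-security traffic: admit only replies to known connections or a
        SYN matching a pinhole (consumed on use); everything else is dropped (None)."""
        inside = self.unxlate.get(pkt.dst)
        if inside is None:
            return None
        if (inside, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return Packet(pkt.src, pkt.sport, inside, pkt.dport, pkt.payload)
        hole = (pkt.src, inside, pkt.dport)
        if hole in self.pinholes:
            self.pinholes.discard(hole)
            self.conns.add((inside, pkt.dport, pkt.src, pkt.sport))
            return Packet(pkt.src, pkt.sport, inside, pkt.dport, pkt.payload)
        return None
```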

In addition to its native packet-filtering and access control features, the PIX provides additional common firewall services. Again, a key advantage of an appliance is performance, and the PIX makes an excellent VPN terminator, with the ability to pass encrypted traffic at wire speed, when an accelerator card is installed. It can provide content logging and filtering to help control Web surfing and provides address translation to allow for either "sewing together" networks seamlessly at the perimeter or consolidating (and concealing) internal networks to present to the outside world a limited number of addresses.

Modern environments depend on firewalls, and so the PIX provides high resiliency through its failover mechanism. This mechanism provides for a hot spare—a second PIX with an equivalent configuration that will automatically press itself into service should the primary device fail.

The PIX's extensive capabilities are matched by hardware flexibility. As of this writing, five different models are shipping, designed to match almost any environment. The PIX 501 is designed for the SOHO user, with a small switch built in for basic use. The PIX 506E, designed for the small or branch office, supports better performance for connecting back to the corporate hub. The PIX 515E is designed for the enterprise core of small to medium-sized businesses, with a rack-mount chassis and corresponding enterprise-class performance. The PIX 525 is designed for large enterprise or small service provider environments and has a slot-based configuration to allow for multiple interface configurations. The PIX 535 is the top-of-the-line model, designed for service provider environments, with the best possible throughput of the PIX appliances.

Communicating with an unconfigured PIX is most easily achieved through the console cable. This is provided with each firewall kit. Use a communications program such as Hyperterm, set your parameters to 8-N-1, and during the boot sequence you will see characters on your screen.

Licensing for the PIX features is set via an activation key. You should have received information about your activation key when you purchased the PIX; additional features can be purchased and new activation keys applied. The activation keys are dependent on a (hardware) serial number based on your flash. You can add new keys through either monitor mode or the activation-key command, new to version 6.2. Licensing usually falls into three types: unrestricted (all features enabled), restricted (limited features and interfaces), or failover (used for hot standby machines).

Password recovery is achieved by running a special program (different for each version of the operating system) on the PIX itself. The process requires either a dedicated boot diskette or the use of monitor mode and a TFTP download of a temporary image.

The normal configuration of the PIX is achieved through a command-line interface. This interface uses the "emacs" editing commands and is very similar to that provided in the Cisco IOS. The command structure is modal, with three major modes: unprivileged, which has very few available commands; privileged, where all commands are available (subject to your privilege level, which can be set in a local database); and configuration mode, by which changes are made to the running configuration.

Things that you will want to set up in every configuration include host and domain name, which configures the prompt and controls fields in the digital certificates used in VPN traffic, and the properties of the interfaces. You control a name—an association between a distinctive identifier for the interface and its default security characteristics—physical properties, and IP properties. You will also probably want to set up some basic routing, particularly the default route.

Passwords on any security device are very important. There are passwords for access to the device (unprivileged mode) and for escalation to privileged mode. They can be shared passwords, one per box, or passwords on a per-user basis. Cisco recommends the latter method, which requires setting up AAA services, either remote or local.

Managing configuration information is also important. Once you have built the perfect configuration, you do not want to have to retype it all in case of an emergency. Configurations can be stored in human-readable format via an ASCII capture (via write terminal) or as a text file on a TFTP server (via write net). Images can also be brought onto the system with the copy command, either from a TFTP server (copy tftp) or from a Web server URL (copy https://servername/pix_image flash). The system can then be restarted with the reload command and is ready to run under the new configuration.


The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240