PIX vs ASA_firewall


PIX FIREWALL BY R P PORWAL

PIX FIREWALL

What Does a PIX Do?

The PIX is a firewall appliance built on a hardened, purpose-built operating system, PIX OS, which minimizes the OS-specific security holes a general-purpose OS would bring. BSNL is using the latest Cisco ASA (Adaptive Security Appliance), the 55xx series, for its 3G OSS; more about the ASA firewall in an upcoming presentation.

PIX firewalls provide a wide range of security and networking services including:

Network Address Translation (NAT) or Port Address Translation (PAT)

content filtering (Java/ActiveX)

URL filtering

IPsec VPN

support for leading X.509 PKI solutions

DHCP client/server

PPPoE support

advanced security services for multimedia applications and protocols including Voice over IP (VoIP), H.323, SIP, Skinny (SCCP) and Microsoft NetMeeting

AAA (RADIUS/TACACS+) integration

The PIX can be managed graphically with the integrated web-based management interface, the PIX Device Manager (PDM), or with Cisco Secure Policy Manager 2.3f and 3.0f (not to be confused with CSPM 2.3.3i, which is for intrusion detection system management). PDM is a PIX-specific device configuration and management tool, whereas CSPM is generally used as part of a larger security management infrastructure and lets one correlate organizational security policies with a PIX configuration. Other management interfaces are the command-line interface (CLI) over the console port, telnet and Secure Shell (SSH 1.5), plus SNMP and syslog for monitoring. Telnet is cleartext and SSH 1.5 is protocol version 1, so restrict both to the inside or management interface (the PIX refuses telnet on the outside interface unless the session is carried inside an IPsec tunnel) and limit the permitted source addresses with the telnet and ssh commands.


PIX Terminology and Background Information

The following diagram shows a multi-port PIX connected to various networks. We will use this

diagram as we build up a PIX configuration in this and any subsequent PIX articles.


PIX terminology: the user segment is generally called the inside subnet. The interface connected to the Internet router is the outside subnet. As shown, we probably also have a DMZ (De-Militarized Zone) subnet, where we quarantine all servers that must be reachable from the outside. We might also have a separate management subnet and a subnet linking to a redundant PIX for failover (if supported and licensed).

The PIX command-line interface (CLI) is somewhat like the Cisco IOS interface, but different. Use a colon (":") for comments (which, as usual, are not retained in the saved configuration). Newer PIX OS uses ACLs, replacing the former conduits (which were arguably more confusing to experienced Cisco router administrators).

PIX interfaces are shut down by default until the administrator activates them with the interface command.

PIX interfaces have an associated security level. Two interfaces at the same level cannot send packets to each other (the same-security-traffic option that relaxes this arrived with version 7.0). We'll shortly see that you set levels with the nameif command (from 7.0 onward, security-level is a separate interface subcommand). Connections and traffic are normally permitted from a higher security level interface to a lower one, although some basic configuration is needed before traffic actually flows. Connections the other way (from low to high security) are denied unless the configuration explicitly permits them.


You do not have to put any ACL on traffic going from a higher security level to a lower one; everything is allowed. Best practice is still to put an ACL on every interface, even if the ACL is just "permit ip any any", so that tightening it later is a one-line change rather than a redesign. Since the PIX only evaluates ACLs inbound on an interface (outbound ACLs arrived with version 7.0), an ACL applied inbound on the inside interface is what controls traffic leaving toward the outside. If an admin wants only web and DNS traffic outbound, he permits only TCP port 80 and UDP port 53; everything else, RealAudio for example, is dropped by the implicit deny at the end of the ACL as it enters the inside interface. (Keep in mind that DNS falls back to TCP port 53 for responses that do not fit in a UDP datagram, so a list this tight may need that port too.)

To let traffic flow from a high security level to a lower one, use the nat and global commands. For the opposite direction, from lower to higher, use the static and access-list commands (the list is bound to an interface with access-group). We suggest using nat and global when going from any non-outside interface to the outside interface (usually the Internet, unless the PIX is a border between business units), which is slightly narrower than the first sentence above. We also suggest using statics from any non-outside interface to any other non-outside interface (inside to management, or ethernet3 to ethernet4 in the diagram); a static keeps the real addresses visible across internal interfaces and doubles as the translation that a later low-to-high rule needs.
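Putting the rules of the last few paragraphs together, here is a PIX OS 6.x configuration fragment for a three-interface PIX (inside, DMZ, outside). It is an added example, not a configuration from the original presentation; the interface names, the ACL names and the addresses (RFC 1918 ranges and the 203.0.113.0/24 documentation range) are constructed for illustration.

```text
: Added example, PIX OS 6.x syntax. Addresses and names are constructed.
: Interfaces are shut down by default; "auto" brings them up.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
: Name each interface and assign its security level with nameif.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
: High -> low toward the Internet: nat + global. Both inside and dmz
: share nat id 1 and are PAT'ed to one global address on outside.
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 192.168.10.0 255.255.255.0
global (outside) 1 203.0.113.20
: Between non-outside interfaces: an identity static so inside reaches
: the DMZ servers by their real addresses (high -> low, so no ACL needed).
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
: Low -> high (Internet to a DMZ web server): static + access-list + access-group.
: On PIX 6.x the ACL matches the translated (global) address, 203.0.113.30.
static (dmz,outside) 203.0.113.30 192.168.10.30 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.30 eq www
access-group outside_in in interface outside
: Inbound ACL on inside. The weak version would be a single
:   access-list inside_in permit ip any any
: Instead: let users reach the DMZ, then only web and DNS anywhere else.
: ACLs are first-match, and the implicit deny at the end drops the rest
: (RealAudio, for example) as it enters the inside interface.
access-list inside_in permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_in permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list inside_in permit udp 10.1.1.0 255.255.255.0 any eq domain
access-group inside_in in interface inside
```

Two things to check after pasting something like this: the static for 192.168.10.30 takes precedence over the nat statement for the dmz subnet, so the web server always appears as 203.0.113.30, and the inside_in list is evaluated for every packet entering inside, including packets bound for the DMZ, which is why the inside-to-DMZ permit comes first. If internal resolvers need zone transfers or large answers, add a line for TCP port 53.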

The PIX normally uses stateful NAT connections and stateful inspection, referred to as the Adaptive Security Algorithm (ASA), not to be confused with the Adaptive Security Appliance product line that shares the acronym. The PIX does not pass multicast traffic