Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf


Cisco PIX Firewall

Four major characteristics of the Cisco Secure PIX Firewall’s design make it a leading-edge, high-performance security solution:

Secure real-time embedded system

Adaptive Security Algorithm

Cut-through proxy

Redundancy/failover
Secure Real-Time Embedded System

Unlike most firewalls, the Cisco PIX Firewall runs on a single proprietary embedded system. Whereas most firewalls run a firewall application over a general-purpose operating system, the PIX has a single system that is responsible for operating the device. This single system is beneficial for the following reasons:

Better security—The PIX operating environment is a single system that was designed with functionality and security in mind. Because there is no separation between the operating system and the firewall application, there are no known vulnerabilities to exploit.

Better functionality—The combined operating environment requires fewer steps when you configure the system. For example, if multiple IP addresses are bound to the external interface of an application firewall that runs over a general operating system, you must configure the networking portions (that is, Address Resolution Protocol [ARP] entries and routing) on the operating system and then apply the ACLs or rules in the firewall application. On the Cisco PIX Firewall, all these functions are combined into a single system. As soon as an IP address is bound to an interface, the PIX automatically replies to ARP requests for that address without its having to be specifically configured.

Better performance—Because the operating environment is a single unit, it allows for streamlined processing and much greater performance. The Cisco PIX 535 Firewall can handle 500,000 concurrent connections while maintaining stateful inspection of all connections.

Adaptive Security Algorithm (ASA)

The Adaptive Security Algorithm is the key to stateful connection control on the Cisco PIX Firewall. It creates a stateful session flow table (also called the state table). Source and destination addresses and other connection information are logged into the state table. By using the ASA, the Cisco PIX Firewall can perform stateful filtering on the connections in addition to filtering packets.
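The following is an added illustration of the idea behind the state table: a toy stateful-inspection engine, written for this page and not Cisco code. It creates state when an inside host opens a connection and admits inbound packets only when they are the reverse direction of a known flow; a stateless "established" style filter that looks only at the TCP ACK bit is included for contrast. Interface names, addresses and packet fields are constructed for the demo.

```python
"""Toy model of stateful connection tracking (the idea behind the PIX
Adaptive Security Algorithm's state table).  Added illustration, not
Cisco code; packet and flow formats here are constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, Tuple

INSIDE, OUTSIDE = "inside", "outside"   # constructed interface names


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag (only meaningful for tcp)
    ack: bool = False   # TCP ACK flag


FlowKey = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport


class StatefulFirewall:
    """Permit connections initiated from the inside; permit return traffic
    only when it matches an entry in the state table."""

    def __init__(self) -> None:
        self.state: Dict[FlowKey, str] = {}  # flow -> state label

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        if p.iface == INSIDE:
            # Outbound: create or refresh state, then forward.  For TCP the
            # first packet must be a SYN so that stray mid-stream packets
            # do not create state.
            if p.proto == "tcp" and not p.syn and self._key(p) not in self.state:
                return "drop"
            self.state[self._key(p)] = "established" if p.proto == "tcp" else "udp-open"
            return "permit"
        # Inbound: only the reverse direction of a known flow is accepted,
        # and a bare SYN on a known 4-tuple is a new connection, not a reply.
        if self._reverse(p) in self.state:
            if p.proto == "tcp" and p.syn and not p.ack:
                return "drop"
            return "permit"
        return "drop"


def stateless_established_filter(p: Packet) -> str:
    """The older router-ACL 'established' approach: it only looks at the ACK
    bit, so any inbound packet with ACK set is let through, whether or not an
    inside host ever opened the connection."""
    if p.iface == INSIDE:
        return "permit"
    return "permit" if (p.proto == "tcp" and p.ack) else "drop"


def demo() -> Tuple[str, str, str, str]:
    """Outbound SYN, its SYN/ACK reply, and an unsolicited inbound ACK packet
    (constructed addresses), run through both filters."""
    fw = StatefulFirewall()
    out_syn = Packet(INSIDE, "tcp", "10.1.1.5", 40000, "198.51.100.10", 80, syn=True)
    reply = Packet(OUTSIDE, "tcp", "198.51.100.10", 80, "10.1.1.5", 40000, syn=True, ack=True)
    unsolicited = Packet(OUTSIDE, "tcp", "198.51.100.99", 80, "10.1.1.5", 40001, ack=True)
    return (fw.process(out_syn), fw.process(reply), fw.process(unsolicited),
            stateless_established_filter(unsolicited))


if __name__ == "__main__":
    print(demo())  # ('permit', 'permit', 'drop', 'permit')
```

The last two results are the point of the comparison: the stateful engine drops the unsolicited inbound packet because no inside host created a matching entry, while the ACK-bit filter lets it through.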

18 Chapter 2: Firewall Technologies and the Cisco PIX Firewall

Cut-Through Proxy

Cut-through proxy is a method of transparently performing authentication and authorization of inbound and outbound connections at the firewall. Cut-through proxy requires very little overhead and provides a significant performance advantage over application proxy firewalls.
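As an added illustration of the cut-through idea (written for this page, not Cisco code), the following toy model authenticates a user once when a session starts, caches the result for the source address with an expiry, and then lets that source's later connections take the normal fast path instead of going through an authentication step each time. The credential store, the cache timeout and the addresses are constructed assumptions for the demo.

```python
"""Toy model of cut-through proxy: authenticate once at session start,
cache the authorization, and let subsequent traffic from that source pass
without per-connection proxying.  Added illustration, not Cisco code; the
credential store, timeout and addresses are constructed for the demo."""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple


def _make_user(password: str) -> Tuple[bytes, bytes]:
    """Store a salted PBKDF2 hash rather than the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed AAA database: username -> (salt, hash).
AAA_DB: Dict[str, Tuple[bytes, bytes]] = {"alice": _make_user("correct horse battery staple")}


def aaa_check(user: str, password: str) -> bool:
    """Verify credentials with a constant-time comparison; unknown users fail."""
    rec = AAA_DB.get(user)
    if rec is None:
        return False
    salt, stored = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored)


class CutThroughProxy:
    def __init__(self, uauth_timeout: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.uauth_timeout = uauth_timeout
        self.clock = clock
        self.uauth: Dict[str, Tuple[str, float]] = {}  # src ip -> (user, expiry)

    def new_connection(self, src_ip: str,
                       creds: Optional[Tuple[str, str]] = None) -> str:
        """Return what the firewall does with a new connection from src_ip:
        'challenge' (authenticate first), 'deny', or 'cut-through'."""
        now = self.clock()
        entry = self.uauth.get(src_ip)
        if entry and entry[1] > now:
            return "cut-through"    # cached authorization: no proxying needed
        if entry:
            del self.uauth[src_ip]  # cache entry expired
        if creds is None:
            return "challenge"
        user, password = creds
        if not aaa_check(user, password):
            return "deny"
        self.uauth[src_ip] = (user, now + self.uauth_timeout)
        return "cut-through"


def demo() -> list:
    """Walk one client through challenge, failure, success, cached pass,
    and expiry, using a fake clock so the timeout is deterministic."""
    t = [1000.0]
    proxy = CutThroughProxy(uauth_timeout=60.0, clock=lambda: t[0])
    results = [proxy.new_connection("10.1.1.5")]
    results.append(proxy.new_connection("10.1.1.5", ("alice", "wrong")))
    results.append(proxy.new_connection("10.1.1.5", ("alice", "correct horse battery staple")))
    results.append(proxy.new_connection("10.1.1.5"))
    t[0] += 61.0
    results.append(proxy.new_connection("10.1.1.5"))
    return results


if __name__ == "__main__":
    print(demo())  # ['challenge', 'deny', 'cut-through', 'cut-through', 'challenge']
```

The performance advantage the text describes comes from the cached branch: after the first successful check, connections from that source never touch the credential store again until the entry expires.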

Redundancy/Failover
The Cisco Secure PIX 515 series and above can be configured in pairs with a primary system and a hot standby. This redundancy and stateful failover make the PIX a high-availability solution for use in protecting critical network segments. If the primary firewall fails, the secondary automatically assumes the load, dramatically reducing the chances of a network outage. Failover is discussed in greater detail in Chapter 9, “Cisco PIX Firewall Failover.”


Foundation Summary

The three firewall technologies are packet filtering, proxy, and stateful inspection. The Cisco PIX Firewall utilizes stateful inspection and further increases security with the Adaptive Security Algorithm. The PIX is more secure and more efficient than competing firewalls because it is a single operating environment rather than a firewall application running on another operating system. The Cisco PIX Firewall can be configured in pairs to reduce the possibility of an outage due to system failure.



As mentioned in the Introduction, the questions in this book are written to be more difficult than what you should experience on the exam. The questions are designed to ensure your understanding of the concepts discussed in this chapter and to adequately prepare you to complete the exam. Use the simulated exams on the CD to practice for the exam.

The answers to these questions can be found in Appendix A.

1. True or false: Packet filtering can be configured on Cisco routers.

2. What design feature allows the Cisco Secure PIX Firewall to outperform conventional application firewalls?

A. The Packet Selectivity Algorithm

B. Super-packet filtering

C. A single embedded operating environment

D. Hot standby proxy processing

3. True or false: Cut-through proxy technology allows users to do anything they want after authenticating at the firewall.

4. What steps are required to add an ARP entry to a Cisco PIX Firewall?

A. Edit the /etc/interfaces/outside/arp.conf file.

B. You don’t need to add an ARP entry on a PIX Firewall.

C. Add the ARP entry using the GUI interface.

D. Use the set arp command in interface config mode.

5. True or false: There is no limit on the number of connections an application proxy firewall can handle.

6. True or false: The Adaptive Security Algorithm requires a tremendous amount of processing by the firewall. Even though it is not very efficient, the PIX can handle it.

7. True or false: Redundancy allows you to configure two or more PIX firewalls in a cluster to protect critical systems.

This chapter covers the following exam topics for the Secure PIX Firewall Advanced Exam (CSPFA 9E0-111):

2. PIX Firewall Overview

3. PIX Firewall Models

4. PIX Firewall Licensing