Cisco PIX Firewall 17

Cisco PIX Firewall

Four major characteristics of the Cisco Secure PIX Firewall’s design make it a leadingedge, high-performance security solution:

Secure Real-Time Embedded System

Unlike most firewalls, the Cisco PIX Firewall runs on a single proprietary embedded system. Whereas most firewalls run a firewall application over a general-purpose operating system, the PIX has a single system that is responsible for operating the device. This single system is beneficial for the following reasons:

•Better security—The PIX operating environment is a single system that was designed with functionality and security in mind. Because there is no separation between the operating system and the firewall application, there are no known vulnerabilities to exploit.

•Better functionality—The combined operating environment requires fewer steps when you configure the system. For example, if multiple IP addresses are bound to the external interface of an application firewall that runs over a general operating system, you must configure the networking portions (that is, Address Resolution Protocol [ARP] entries and routing) on the operating system and then apply the ACLs or rules in the firewall application. On the Cisco PIX Firewall, all these functions are combined into a single system. As soon as an IP address is bound to an interface, the PIX automatically replies to ARP requests for that address without its having to be specifically configured.

•Better performance—Because the operating environment is a single unit, it allows for streamlined processing and much greater performance. The Cisco PIX 535 Firewall can handle 500,000 concurrent connections while maintaining stateful inspection of all connections.

Adaptive Security Algorithm (ASA)

The Adaptive Security Algorithm is the key to stateful connection control on the Cisco PIX Firewall. It creates a stateful session flow table (also called the state table). Source and destination addresses and other connection information are logged into the state table. By using the ASA, the Cisco PIX Firewall can perform stateful filtering on the connections in addition to filtering packets.

20 Chapter 2: Firewall Technologies and the Cisco PIX Firewall

Q&A

As mentioned in the Introduction, the questions in this book are written to be more difficult than what you should experience on the exam. The questions are designed to ensure your understanding of the concepts discussed in this chapter and to adequately prepare you to complete the exam. Use the simulated exams on the CD to practice for the exam.

The answers to these questions can be found in Appendix A.

1True or false: Packet filtering can be configured on Cisco routers.

2What design feature allows the Cisco Secure PIX Firewall to outperform conventional application firewalls?

AThe Packet Selectivity Algorithm

BSuper-packet filtering

CA single embedded operating environment

DHot standby proxy processing

3True or false: Cut-through proxy technology allows users to do anything they want after authenticating at the firewall.

4What steps are required to add an ARP entry to a Cisco PIX Firewall?

AEdit the /etc/interfaces/outside/arp.conf file.

BYou don’t need to add an ARP entry on a PIX Firewall.

CAdd the ARP entry using the GUI interface.

DUse the set arp command in interface config mode.

5True or false: There is no limit on the number of connections an application proxy firewall can handle.

6True or false: The Adaptive Security Algorithm requires a tremendous amount of processing by the firewall. Even though it is not very efficient, the PIX can handle it.

7True or false: Redundancy allows you to configure two or more PIX firewalls in a cluster to protect critical systems.