

42 Chapter 3: The Cisco Secure PIX Firewall
Foundation Summary
The Cisco PIX Firewall uses the Adaptive Security Algorithm (ASA) to perform stateful inspection. It performs cut-through proxy by authenticating a user against an AAA server and comparing the user's request against the security policy. Currently, six PIX Firewall models are available. Table 3-1 lists their features.
Table 3-1 PIX Models and Features

| Feature | 501 | 506 | 515 | 520 | 525 | 535 |
|---|---|---|---|---|---|---|
| Intended Application | Small office/home office | Remote office/branch office | Small/medium business | Enterprise | Enterprise | Enterprise/ISP |
| Intrusion Protection | Yes | Yes | Yes | Yes | Yes | Yes |
| AAA Support | Yes | Yes | Yes | Yes | Yes | Yes |
| X.509 Certificate Support | Yes | Yes | Yes | Yes | Yes | Yes |
| AVVID Partner Support | Yes | Yes | Yes | Yes | Yes | Yes |
| Maximum Installed Interfaces | One plus a four-port hub | Two | Six | Six | Eight | Ten |
| Supports DHCP | Yes | Yes | Yes | Yes | Yes | Yes |
| Net Address Translation | Yes | Yes | Yes | Yes | Yes | Yes |
| Port Address Translation | Yes | Yes | Yes | Yes | Yes | Yes |
| PPP Over Ethernet | Yes | Yes | Yes | Yes | Yes | Yes |
| Cisco PIX Command Line | Yes | Yes | Yes | Yes | Yes | Yes |
| PIX Device Manager | Yes | Yes | Yes | Yes | Yes | Yes |
| Cisco Secure Policy Manager | Yes | Yes | Yes | Yes | Yes | Yes |
| SNMP and Syslog Support | Yes | Yes | Yes | Yes | Yes | Yes |
| Failover Support | No | No | Yes | Yes | Yes | Yes |
| Maximum Throughput | 10 Mbps | 20 Mbps | 188 Mbps | 370 Mbps | 370 Mbps | 1 Gbps |
| Maximum Throughput (DES) | 6 Mbps | 20 Mbps | 100 Mbps | 100 Mbps | 100 Mbps | 100 Mbps |
| Maximum Throughput (3DES) | 3 Mbps | 10 Mbps | 63 Mbps | 100 Mbps | 100 Mbps | 100 Mbps |
| Maximum Concurrent Connections | 3500 | 3500 | 125,000 | 250,000 | 280,000 | 500,000 |
| Maximum Concurrent VPN Peers | 5 | 25 | 2000 | 2000 | 2000 | 2000 |
| Processor | 133 MHz | 200 MHz | 433 MHz | 350 MHz | 600 MHz | 1.0 GHz |
| RAM | 16 MB | 32 MB | 32/64 MB | Up to 128 MB | Up to 256 MB | Up to 1 GB |
| Flash Memory | 8 MB | 8 MB | 16 MB | 16 MB | 16 MB | 16 MB |

Q&A
As mentioned in the Introduction, the questions in this book are written to be more difficult than what you should experience on the exam. The questions are designed to ensure your understanding of the concepts discussed in this chapter and adequately prepare you to complete the exam. You should take the simulated exams on the CD to practice for the exam.
The answers to these questions can be found in Appendix A.
1. List four advantages of ASA.
2. What are the three firewall technologies?
   A. Packet filtering, proxy, connection dropping
   B. Stateful inspection, packet filtering, proxy
   C. Stateful proxy, stateful filtering, packet inspection
   D. Cut-through proxy, ASA, proxy
3. How does cut-through proxy work in a PIX Firewall?
4. What happens to the session object after a connection ends?
5. True or false: A PIX 501 is designed to support five network segments.
6. How many interfaces can the PIX 525 handle?
7. How many PCI slots does the PIX 506 have?
8. True or false: If the ACT LED on the front of a PIX 525 is lit, it means that everything is working correctly.
9. True or false: The interfaces on a PIX 520 are numbered top to bottom and left to right.
10. True or false: You don't need a license for any Cisco PIX Firewall. If you own the appliance, you can do anything you want with it.


This chapter covers the following exam topics for the Secure PIX Firewall Advanced Exam (CSPFA 9E0-511):
45. Remote Access