Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

The Cisco Packet Internet eXchange (PIX) Firewall 325

PIX Firewall interfaces must be purchased from Cisco or Cisco resellers. No other interfaces are supported, because vendors would not be able to provide drivers to work with the closed operating system used by the PIX Firewall. Currently, the following interface types are available:

Single-port 10/100BaseT Ethernet

Four-port 10/100BaseT Ethernet

Token Ring

FDDI

Network Separation

Consider the following PIX Firewall separating three distinct networks:

[Figure: a PIX Firewall with three interfaces. The inside network holds an enterprise server; the perimeter network holds a DNS server and an e-mail server; the outside network is the Internet.]

Because all traffic between these three networks must physically pass through the PIX Firewall, it is in the ultimate position to control and potentially limit all access between these networks. These networks are labeled inside, perimeter, and outside. They each have a separate function:

Inside network The inside network is your internal network where you keep your protected resources such as enterprise servers or other internal-access devices, along with your internal users.

Outside network The outside network is the open, untrusted Internet.

Perimeter network Also called a DMZ (demilitarized zone), the perimeter network is where you host services such as DNS (Domain Name System) servers, e-mail servers, web and FTP servers, and so on. These services are generally made available to users from the outside network.

Some of you may recognize this terminology from the classic three-part firewall.

The administrator has the ability to control what the PIX Firewall lets through. There are many functions that the PIX Firewall can accomplish, but once it is installed, there are only three ways to get traffic through a PIX Firewall. You will learn about these next.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

326 Appendix A Introduction to the PIX Firewall

Three Ways through a PIX Firewall

The PIX Firewall has ultimate control over what traffic goes between the networks it separates, and it gives a great deal of control to the administrator in configuring which traffic is to be permitted and which traffic is not allowed. The PIX Firewall can permit traffic between networks using three methods:

Cut-through proxy user authentication

Static route

Adaptive Security Algorithm (ASA)

Cut-Through Proxy User Authentication

The cut-through proxy user authentication method performs user authentication at the Application layer. When a user requests a resource through the PIX Firewall, the firewall intercepts that request and forces the user to provide a username and password. The firewall then authenticates this user against a security server using either the TACACS+ or the RADIUS security protocol (as discussed in Chapter 3, “Configuring CiscoSecure ACS and TACACS+”). Assuming that the security policy allows this particular user to access this resource, the user’s request is forwarded through the firewall. This method can be used for either inbound or outbound requests.

One common problem with proxy servers is that they must evaluate the contents of each and every packet passing through them. This is a processor-expensive operation and can introduce a potential bottleneck into the network. The PIX Firewall gets around this requirement by using a cut-through proxy technique. Once the user’s request has been approved, the PIX Firewall establishes a data flow between the two communicating partners. All traffic between that user and the resource then flows directly through the PIX Firewall, without needing to have each individual packet “proxied.”
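As an added example (not from the book), the following PIX 6.x configuration fragment turns on cut-through proxy authentication for outbound HTTP, FTP and Telnet sessions, checking each user against a TACACS+ server on the inside interface. The server tag AuthOutbound, the server address 10.1.1.10, the shared key and the timer values are assumptions chosen for illustration.

```cisco
! Added example, not from the book: cut-through proxy on a PIX 6.x firewall.
! Tag name, server address, shared key and timers are assumed values.

! Define a TACACS+ server group and the server that answers for it.
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 10.1.1.10 s3cr3tkey timeout 10

! Intercept outbound HTTP, FTP and Telnet from any inside host to any
! outside host and demand a username/password before the flow is opened.
! Mask form "0 0 0 0" means local_ip local_mask foreign_ip foreign_mask = any.
aaa authentication include http outbound 0 0 0 0 AuthOutbound
aaa authentication include ftp outbound 0 0 0 0 AuthOutbound
aaa authentication include telnet outbound 0 0 0 0 AuthOutbound

! Optionally let the same server decide which resources the user may reach.
aaa authorization include any outbound 0 0 0 0 AuthOutbound

! Cached user authentication (uauth) expires after 5 minutes of inactivity
! and after 60 minutes regardless, so a walked-away session is re-challenged.
timeout uauth 0:05:00 inactivity 1:00:00 absolute
```

Once the first HTTP, FTP or Telnet request from a host has been authenticated, the firewall caches the user's identity for that source address and subsequent packets in the flow are switched by the ASA rather than re-proxied, which is the "cut-through" behaviour described above. The uauth timers bound how long that cached identity is trusted; `show uauth` lists the currently authenticated users.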

Static Route

You can enter static routes on a PIX Firewall. The syntax is similar to that used on a Cisco router, but it is not the same. You must specify an interface name in the command, as in the following examples:

route outside 0.0.0.0 0.0.0.0 172.19.20.1 1

route inside 10.0.0.0 255.0.0.0 10.1.1.1

This syntax should look familiar to those of you with router experience. The only difference is the addition of the inside and outside parameters, which are the interface names; the trailing 1 in the first example is the route metric, which defaults to 1 when omitted, as in the second example. The “Configuring Interfaces” section later in this appendix discusses the naming of interfaces.

The routing protocol that the PIX Firewall supports is RIP (Routing Information Protocol). Earlier PIX Firewall versions support only RIP version 1 (RIPv1). RIP version 2 (RIPv2) is supported as of PIX Firewall version 5.1(1).
