Wednesday, August 29, 2007

CISCO PIX Firewall

My organization has been using the Cisco PIX firewall since forever; it is the only firewall that has been used in all the branches of my organization. I know it to be reliable and, operation-wise, less problematic.

Cisco PIX (Private Internet EXchange) is a firewall originally conceived in March 1994 by John Mayes of Redwood City, California and coded by Brantley Coile of Athens, Georgia. The PIX name is derived from Coile's aim of creating the functional equivalent of an IP PBX; that is, at a time when NAT was just being investigated as a viable approach, he wanted to conceal one or more blocks of RFC 1918 IP addresses behind one or more registered IP addresses, much like PBXs do for internal phone extensions. When he began, RFC 1631 was being discussed, but the now-familiar RFC 1918 had not yet been submitted.

The design and testing were carried out in 1994 by John Mayes, Brantley Coile and Johnson Wu of Network Translation, Inc., with Brantley Coile being the sole software developer. Beta testing was completed and first customer acceptance was on December 21, 1994 at KLA Instruments in San Jose, California. The PIX was awarded the Data Communications Magazine "Hot Product of the Year" award of 1994.[1]

After Cisco acquired Network Translation in 1995, Brantley hired four long-time associates: Jim Jordan, Tom Bohannon, Richard Howes and Pete Tenereillo (the latter two of whom had worked for NTI prior to the acquisition). Together they developed Finesse OS and the original version of the Cisco PIX Firewall, now known as the PIX "Classic". During this time, the PIX shared most of its code with another Cisco product, the LocalDirector. After Cisco acquired Global Internet Software Group in 1997, the PIX was sold alongside GISG's Windows NT-based software firewall product, known as the Centri firewall, until 2000.[2]

In May 2005, Cisco introduced the Adaptive Security Appliance (ASA), which combines functionality from the PIX, VPN 3000 series and IDS product lines. The ASA series of devices run PIX code 7.0 and later. Through PIX OS release 7.x the PIX and the ASA use the same software images. Beginning with PIX OS version 8.x, the operating system code diverges, with the ASA using a Linux kernel and the PIX continuing to use the traditional Finesse/PIX OS combination.[3]

The PIX runs a custom-written proprietary operating system originally called Finesse (Fast InterNEt Server Executive), but the software is now known simply as PIX OS. It is classified as a network layer firewall with stateful inspection, although technically the PIX would more precisely be called a Layer 4, or Transport Layer, firewall, as its access control is not restricted to Network Layer routing but operates on socket-based connections (an IP address plus a port; port-level communication occurs at Layer 4). By design it allows internal connections out (outbound traffic), and only allows inbound traffic that is a response to a valid request or is explicitly permitted by an ACL (Access Control List) or a conduit. The PIX can be configured to perform many functions including NAT (network address translation) and PAT (port address translation), as well as serving as a VPN (Virtual Private Network) endpoint appliance.

The PIX was the first commercially available firewall product to introduce protocol-specific filtering, with the introduction of the "fixup" command. The PIX "fixup" capability allows the firewall to apply additional security policies to connections identified as using specific protocols. Two protocols for which specific fixup behaviors were developed are DNS and SMTP. The DNS fixup originally implemented a very simple but effective security policy: it allowed just one DNS response from a DNS server on the Internet (the outside interface) for each DNS request from a client on the protected (inside) interface.
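As an added illustration (not PIX code or configuration), here is a small Python model of the two behaviours just described: outbound connections from the inside interface create state, inbound packets are accepted only when they match that state, and the original DNS fixup lets exactly one UDP/53 response through per outstanding request. Addresses, ports and the transaction ID are constructed sample values; keying the per-request rule on the DNS transaction ID is my assumption, not something the page states.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    iface: str                      # interface the packet arrives on: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int
    dns_id: Optional[int] = None    # DNS transaction ID, set only for UDP/53 payloads

@dataclass
class StatefulFirewall:
    # (src, sport, dst, dport) of an outbound flow -> DNS IDs still awaiting their one reply
    table: dict = field(default_factory=dict)

    def process(self, p: Packet) -> str:
        if p.iface == "inside":
            # Outbound: permitted by default and recorded as state.
            pending = self.table.setdefault((p.src, p.sport, p.dst, p.dport), set())
            if p.dport == 53 and p.dns_id is not None:
                pending.add(p.dns_id)   # exactly one answer allowed for this ID (assumed keying)
            return "permit"
        # Inbound: only a reply to an existing outbound flow is accepted
        # (no ACL or conduit is modelled here).
        pending = self.table.get((p.dst, p.dport, p.src, p.sport))
        if pending is None:
            return "deny"
        if p.sport == 53:
            # DNS fixup: the first response per transaction ID passes and
            # consumes the state; a duplicate or unsolicited reply is dropped.
            if p.dns_id in pending:
                pending.discard(p.dns_id)
                return "permit"
            return "deny"
        return "permit"

def dns_fixup_demo() -> list:
    """Constructed sequence: query, its answer, a repeated answer, an unsolicited inbound connection."""
    fw = StatefulFirewall()
    flow = [
        Packet("inside", "10.0.0.5", 40000, "198.51.100.2", 53, dns_id=0x1A2B),
        Packet("outside", "198.51.100.2", 53, "10.0.0.5", 40000, dns_id=0x1A2B),
        Packet("outside", "198.51.100.2", 53, "10.0.0.5", 40000, dns_id=0x1A2B),
        Packet("outside", "203.0.113.9", 4444, "10.0.0.5", 22),
    ]
    return [fw.process(p) for p in flow]   # -> ["permit", "permit", "deny", "deny"]
```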

The Cisco PIX was also one of the first commercially available security appliances to incorporate IPSec VPN gateway functionality.

The PIX can be managed by a CLI or a GUI. The CLI is accessible from the serial console, telnet or SSH. GUI administration was introduced with version 4.1, and it has been through several incarnations: PFM (PIX Firewall Manager) for PIX OS versions 4.x and 5.x, which runs locally on a Windows NT client; PDM (PIX Device Manager) for PIX OS version 6.x, which runs over HTTPS and requires Java; and ASDM (Adaptive Security Device Manager) for PIX OS version 7 and greater, which can run locally on a client or in reduced-functionality mode over HTTPS.[4][5][6]

As the PIX is an acquired product, its command line interface (CLI) was originally not aligned with the Cisco IOS 'standards'. Starting with version 7.0, the configuration is much more IOS-like. As the PIX only supports IP traffic (not IPX, DECnet, etc.), 'ip' is omitted in most configuration commands. The configuration is upwards compatible, not downwards: when a 5.x or 6.x configuration is loaded on a 7.x platform, it is automatically converted to 7.x formatting. This allows for an easy migration from PIX to ASA. PIX OS v7.0 is only supported on models 515, 515(E), 525 and 535. Although the 501 and 506E are relatively recent models, their 8 MB flash size prevents support of version 7.x, although rumors are that 7.0 can be installed on a 506E (see external links). For the PIX 515(E), a doubling of the memory size is required (32 to 64 MB for Restricted and 64 to 128 MB for Unrestricted/Failover licenses).


1 comment:

Haris said...

Bu,

Try visiting http://www.richdad.us/blog for more SEO tips.