The Cisco Secure PIX Firewalls are a series of dedicated firewall appliances covering implementations for high-end small or home offices through large enterprises or service providers. On the low end, the Secure PIX 501 offers a throughput of up to 10 Mbps (3 Mbps with 3DES), with the high-end devices boasting a top speed of 370 Mbps while supporting up to 280,000 simultaneous connections.
The devices all operate with an embedded real-time OS and feature built-in support for IPSec encryption. They can be managed via the Cisco PIX Device Manager (PDM), an embedded GUI that can be accessed from most Web browsers. PDM provides administrators with graphical reporting and monitoring tools for both real-time and historical network activity, utilization, and event logs. Because of its embedded design, the PDM requires no additional installation beyond the firewall itself.
The firewalls operate by enforcing a centrally defined Security Policy using the Adaptive Security Algorithm (ASA), a scheme which, states Cisco, "...is less complex and more robust than packet filtering." ASA is a stateful-connection protocol which tracks the sender and destination of transmissions, along with TCP sequence numbers, port numbers and TCP flags. Only those transmissions which match the administrator's defined table of allowable transmissions are allowed to pass through the firewall; breaches can be reported in real time via e-mail or pager notifications.
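The stateful tracking described above, sketched as an added example: this is not Cisco's ASA implementation, and the `Packet` and `StatefulFilter` names and the policy format are hypothetical. It assumes in-order delivery and ignores sequence-number wraparound.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int = 0
    length: int = 0  # payload bytes

class StatefulFilter:
    """Toy connection table; in-order delivery, no sequence wraparound (assumptions)."""

    def __init__(self, policy):
        self.policy = policy  # allowed (dst, dport) pairs for new outbound flows
        self.conns = {}       # (src, sport, dst, dport) -> tracked state

    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        c = self.conns.get(key)
        if c is None:
            # A new flow must be a bare SYN to a destination the policy allows.
            if p.flags != SYN or (p.dst, p.dport) not in self.policy:
                return False
            self.conns[key] = {"state": "SYN_SENT", "snd_nxt": p.seq + 1, "rcv_nxt": None}
            return True
        c["snd_nxt"] = max(c["snd_nxt"], p.seq + p.length)
        return True

    def inbound(self, p):
        # Replies are matched against the reversed addresses and ports.
        c = self.conns.get((p.dst, p.dport, p.src, p.sport))
        if c is None:
            return False  # no connection entry: unsolicited traffic is dropped
        if c["state"] == "SYN_SENT":
            if p.flags != SYN | ACK or p.ack != c["snd_nxt"]:
                return False
            c["state"], c["rcv_nxt"] = "ESTABLISHED", p.seq + 1
            return True
        # Established: ACK set, no SYN, expected sequence, ack within data sent.
        if not p.flags & ACK or p.flags & SYN or p.seq != c["rcv_nxt"] or p.ack > c["snd_nxt"]:
            return False
        c["rcv_nxt"] += p.length
        return True
```

A static packet filter that simply permits inbound TCP with the ACK flag set would pass every reply-shaped packet; here the same packet is dropped unless it matches a tracked connection's addresses, ports, flags and sequence numbers.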
Key features in later versions (6+) of the Cisco PIX Firewall OS include support for Cisco's Unified VPN Client Framework, which provides VPN connectivity between compatible client machines and PIX Firewalls; support for "shunning," selectively blocking suspicious network traffic; L2TP tunneling support; and enhanced support for SCCP and SIP. The latest OS version (6.2, due before the end of Q1/2002) adds extended VPN support that allows PIX firewalls to act as hardware-based VPN clients complete with support for dynamic policy updating; PPPoE support; bi-directional (dual) NAT support; LAN-based failover features; PAT (Port Address Translation) support for both SIP and H.323v2 protocols; and support for the third-party URL filtering service, N2H2.
The latest firewall releases in the Cisco PIX line are the 506E and the 515E, which, according to Cisco, provide "...extra processing power resulting in up to [a] two and a half times increase in firewall throughput." The 515E, specifically, boasts hardware-based VPN acceleration.
The Cisco Secure PIX Firewalls are now available. For further information, visit the Cisco Web site.