Recently, Cisco introduced a new line of firewall appliances called the ASA Series. These new firewall appliances build on the PIX technology and add new features, including enterprise-wide management and monitoring tools and a modular design that permits easy integration with new sister products. The other products in the ASA line are VPN Edition Security Service Modules (SSMs), which are designed for secure communications between remote locations. The IPS Edition is designed for application-level packet inspection and intrusion detection, and the Anti-X Edition is designed for virus protection. The series is comprised of four models, each using 64MB of flash memory for the OS and configuration storage, and each supporting application-layer filtering and Layer 2 transparent mode.
The following terms are used throughout:
- Security Services Card (SSC): A lower-end implementation of a Security Services Module (SSM).
- SSM: See above.
- Advanced Inspection and Prevention Security Services Module (AIP-SSM): An intrusion prevention service designed to stop malicious traffic, including worms and network viruses.
- Content Security and Control Security Services Module (CSC-SSM): A threat protection and content control product designed to be placed at the Internet edge, providing antivirus, anti-spyware, file blocking, anti-spam, anti-phishing, URL blocking and filtering, and content filtering.
- 4 Gigabit Ethernet Security Services Module (4GE-SSM).
- Power over Ethernet (PoE): The ability of the LAN-switching infrastructure to provide power over a copper Ethernet cable to an endpoint such as an IP telephone.
- ASA 5505: Designed for the SOHO/Enterprise Teleworker, the 5505 provides a maximum throughput of 150Mbps, and 100Mbps during 3DES VPN connectivity. It has 256MB of RAM alongside the series-standard 64MB of flash memory. There are eight 10/100 ports that support three VLANs. There is an SSC slot, which will be supported in the future. No SSMs are supported. While active/passive failover is supported, it is stateless; therefore, any existing connections will be lost on failover.
- ASA 5510: This model is targeted at small businesses and enterprises. 300Mbps standard throughput and 170Mbps VPN throughput raise it above the 5505. More significantly, this model supports up to 50 10/100 ports with one dedicated out-of-band management port. It also supports up to 25 VLANs. This and all subsequent models share support for active/active stateful failover and the CSC-SSM, AIP-SSM, and 4GE-SSM modules.
- ASA 5520: Targeted at small enterprises, this model provides up to 45Mbps standard throughput and 225Mbps VPN throughput. It is the first in the series to support four gigabit ports and up to 100 VLANs, and memory is increased to 512MB. This and all subsequent models support VPN clustering and load balancing.
- ASA 5540: Medium-sized enterprises would benefit from this model, which boasts 650Mbps standard throughput and 325Mbps VPN throughput. Memory is up to 1024MB, and 200 VLANs are supported in this and the next model.
- ASA 5550: This model is strictly for large enterprises. While it has a maximum throughput of 1200Mbps and a VPN throughput of 425Mbps, it does not support any plug-in modules. Instead, separate appliances must be purchased to enhance the filtering capabilities. It also supports up to eight gigabit interfaces, and the memory is 4096MB.
Software Licensing and Upgrades
The PIX uses software licensing to enable or disable features within the PIX OS.
Although the hardware is common to all platforms (except certain licenses that can
ship with additional memory or hardware accelerators) and the software is common,
features differ depending on the activation key.
The activation key allows you to upgrade features without acquiring new software, although the process is similar. The activation key is computed by Cisco, depending on what you have ordered and on your serial number, which is different for each piece of PIX hardware. The serial number is based on the flash; thus, if you replace the flash, you have to replace the activation key.
The activation key enables feature-specific information such as interfaces, HA,
and type of encryption.
Management Access
Management access is used to access the Cisco PIX for configuration and management. The Cisco PIX is very flexible. You can connect through a console port and a simple eight-wire cable, or through Telnet, Secure Shell (SSH), or Hypertext Transfer Protocol Secure (HTTPS) using a browser. This provides many options for configuring Cisco PIX management access in a secure manner that suits your own situation.
- Console Port: The default mechanism for talking to a PIX is via the console port. This is the connection you use to configure the PIX the first time, or when you cannot access the PIX via a network port. Some devices have old DB9 connectors (i.e., nine-pin D-subminiature connectors similar to those found on the back of many PCs). The newer devices use the Cisco standard RJ45 connector, similar to those used with most Cisco routers and switches. In each case, an appropriate cable is provided with your equipment and generally connects to the DB9 serial port on your PC. Any terminal program, such as TeraTerm or Windows HyperTerminal, can be used to connect to the PIX.
- Telnet: Telnet is the antiquated way to access a network device. Even though the Cisco PIX supports Telnet access, it should never be used. Disable Telnet entirely by removing any existing Telnet command using:
no telnet [ip address] [interface]
Then set the Telnet timeout to one second:
telnet timeout 1
Telnet is strongly discouraged in favor of SSH, which is encrypted.
- SSH: The preferred method of connecting to the Cisco PIX firewall over a network. SSH is a suite of encrypted applications that replaces Telnet, copy, and FTP with SSH, SCP, and SFTP. SSH uses port 22 and is not enabled by default. To enable SSH, a public/private DES or 3DES key must be generated and the interfaces must be configured to permit SSH. For full details on using and enabling SSH on the Cisco PIX firewall, please see the Cisco documentation.
All three of the above interfaces use the CLI. In the case of the Cisco PIX firewall, the command line is a flexible way to configure the device. With the new 7.0 code, it is easier if you already know the Internetwork Operating System (IOS) command structure, because many old PIX commands were updated to reflect the IOS command-line structure. In rare cases, the command line is the only way to configure certain features that the ASDM does not yet support.
The PIX firewall builds help functionality into the CLI. At any point, typing ? will help you complete your commands. In addition, "man page" or "manual page" functionality is built in (e.g., if you want to ping something and have forgotten the syntax, type ping ?; if you don't remember what the ping command does, type help ping, which provides usage, description, and syntax for the command).
- Web: The Cisco PIX can be managed by a Web interface called the ASDM, which replaces the PIX Device Manager (PDM). The new ASDM can be accessed using HTTPS or using a Windows application installed on the management console. The Web-based interface is Java-based, so any Java-enabled Web browser can be used to manage the PIX, including Firefox, Internet Explorer, Mozilla, Opera, and Safari. The installed application is downloaded directly from the PIX.
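The following is an added example, not text or configuration from the original page or from Cisco's documentation, that gathers the management-access advice above into one PIX 7.x-style configuration: the open Telnet entry to remove, SSH and the ASDM (HTTPS) listener restricted to a single management subnet, and the local account they authenticate against. The 10.1.1.0/24 subnet, the interface name "inside", the hostname, the domain name and the "admin" account are assumed placeholders, and the key-pair generation line uses the 7.x crypto key generate rsa command form, which is an assumption to confirm against the Cisco documentation the text refers to.

```text
! --- Weak setting: Telnet permitted from the whole inside network ---
! (this is the kind of line the "no telnet" command removes)
telnet 0.0.0.0 0.0.0.0 inside

! --- Hardened management access ---
! Remove the Telnet entry and shorten the timeout as the text recommends
no telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 1

! Hostname and domain name are needed before a key pair can be generated
! (placeholder values)
hostname pixfw
domain-name example.net
! Generate the key pair SSH uses (7.x command form; assumed, see Cisco docs)
crypto key generate rsa modulus 2048

! Permit SSH only from the management subnet (placeholder 10.1.1.0/24),
! use protocol version 2 and drop idle sessions after 10 minutes
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 10

! Local account for SSH and ASDM logins (replace the placeholder password)
username admin password <set-a-strong-password> privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

! ASDM over HTTPS, again restricted to the management subnet
http server enable
http 10.1.1.0 255.255.255.0 inside
```

After applying the hardened lines, "show run telnet" should return nothing and "show run ssh" and "show run http" should list only the management subnet.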
Introduction
NetScreen is the fastest growing firewall product line on the market today, and has clinched the number two spot in the worldwide security appliance market. The NetScreen product line is robust and competitive, and is now part of Juniper Networks. As of April 16, 2004, Juniper Networks completed its purchase of NetScreen for four billion dollars, a purchase it made in order to enter the enterprise market. Previously, Juniper Networks focused on the carrier-class market for high-end routers; now, however, it is attempting to compete directly with Cisco for the positions of number one firewall appliance vendor and number one router vendor in the world.
The NetScreen firewall appliance is Juniper Networks' firewall/VPN solution. Throughout this section, the firewall is referred to as a NetScreen firewall. This product line provides integrated firewall and IPSec VPN solutions in a single appliance.