The following section looks at some of the hardware-based firewalls and the advantages
they offer, including Cisco Private Internet Exchange (PIX), Juniper
NetScreen, SonicWall, and Nokia Security Platform (NSP) firewalls. It then touches
on other hardware-based firewalls (e.g., using routers as packet filters). Some manufacturers
offer additional appliances that work alongside their firewalls: virtual private network (VPN)
appliances to protect data in transit, content-filtering appliances (anti-phishing, antispam,
and antivirus), and content-blocking appliances (e.g., Uniform Resource Locator [URL]
filtering and reverse proxies). This section focuses solely on the firewalls offered by these
companies.
PIX
Cisco PIX firewalls offer world-class security and high levels of performance and
reliability, and have been a part of enterprise and service provider networks since
1995. Cisco PIX firewalls fit into a wide range of environments, from small
office/home office (SOHO) networks to large enterprises and service providers.
With support for complex protocols, the latest VPN technologies, and intrusion
detection features, PIX firewalls are market leaders and among the most widely
deployed firewalls available.
Introduction
Cisco firewalls use a proprietary OS and command language. Version 7.0 of the
PIX OS introduced features not found elsewhere in the Cisco product line (e.g., on its switches
and routers). One such feature is multiple security zones on a single interface. In previous
versions, the number of security zones was limited to the number of physical network interfaces a
device had; now a single physical interface can be split into several security zones.
Active/active device failover is also an option; previously, only active/passive failover was
offered.
Version 7.0 also introduced the Adaptive Security Device Manager (ASDM), a
graphical tool for managing the PIX. The physical device runs from
flash memory, so the only moving parts are the fans. This improves the reliability
of the PIX, because there are no hard drives to fail. Models 515 and higher are generally
upgradeable, both in the number of interfaces and in memory size.
Command Line Interface (CLI) vs. Graphical User Interface (GUI)
While a GUI is attractive to many Windows and Mac administrators (and even
some Linux administrators), its convenience has limits. The CLI lets you
enter a series of commands into a text file, check their order and content,
paste the file into a command window, and have all of them execute correctly
the first time. In addition, a CLI flat-file configuration is much easier to read
than a set of dialog windows, and it is searchable. Where did I
use this particular Internet Protocol (IP) address? Which object-group did I use in
this access list? Such answers are much easier to find in a text file.
A GUI can be very useful for moving access-list lines, or for adding a single
IP address or port to an object-group. The PIX GUI has an excellent
interface for checking firewall statistics, complete with colored graphs indicating
the device's health.
Both interfaces have their strong points. Don’t disregard one for the other;
learn them both. This applies to all firewalls with both interfaces, not just the PIX.
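The "where did I use this address?" question above is exactly the kind of thing a searchable flat-file configuration makes easy to script. The following added example (not Cisco code, and not part of the original text) parses a PIX-style configuration, resolves an IP address to the object-groups that contain it, reports every top-level line that references either, and flags object-groups that are defined but never used. The configuration fragment is constructed in PIX 7.x syntax purely as sample input; every name and address in it is made up.

```python
"""Search a PIX flat-file configuration for where an address or object-group is used.

Added example, not Cisco code and not part of the original text. SAMPLE_CONFIG is
a constructed fragment in PIX 7.x syntax used purely as sample input; every name
and address in it is made up.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
object-group network WEB_SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network ADMIN_HOSTS
 network-object host 10.1.1.50
object-group network OLD_SERVERS
 network-object host 192.0.2.99
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS object-group WEB_PORTS
access-list OUTSIDE_IN extended deny ip any any
access-list INSIDE_OUT extended permit tcp object-group ADMIN_HOSTS host 192.0.2.10 eq 22
access-list INSIDE_OUT extended permit ip any any
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
"""


def _mentions(term: str, text: str) -> bool:
    """True if `term` appears in `text` as a whole token, so 192.0.2.1 does not
    match 192.0.2.10 and WEB_SERVERS does not match WEB_SERVERS_OLD."""
    return re.search(rf"(?<![\w.]){re.escape(term)}(?![\w.])", text) is not None


def parse_object_groups(config: str) -> dict:
    """Return {group_name: [member lines]} for every object-group block.
    Member lines are the indented lines that follow an object-group header."""
    groups, current = {}, None
    for line in config.splitlines():
        header = re.match(r"object-group \S+ (\S+)", line)
        if header:
            current = header.group(1)
            groups[current] = []
        elif line.startswith(" ") and current is not None:
            groups[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return groups


def find_references(config: str, needle: str) -> dict:
    """Map each term derived from `needle` (the needle itself plus every object-group
    whose members contain it) to the (line number, line) pairs that reference it.
    This answers "where did I use this IP?" even when the IP only appears inside a group."""
    groups = parse_object_groups(config)
    containing = {g for g, members in groups.items() if any(_mentions(needle, m) for m in members)}
    terms = {needle} | containing
    hits = defaultdict(list)
    for lineno, line in enumerate(config.splitlines(), 1):
        if line.startswith(" "):
            continue  # group member lines are reported via their group name
        for term in terms:
            if _mentions(term, line):
                hits[term].append((lineno, line))
    return dict(hits)


def unused_object_groups(config: str) -> list:
    """Groups that are defined but never referenced by any other line: dead policy
    that should be removed rather than left to confuse the next reviewer."""
    unused = []
    for group in parse_object_groups(config):
        refs = find_references(config, group).get(group, [])
        if all(line.startswith("object-group ") for _, line in refs):
            unused.append(group)
    return sorted(unused)


if __name__ == "__main__":
    for term, lines in find_references(SAMPLE_CONFIG, "192.0.2.10").items():
        for lineno, line in lines:
            print(f"{term:12} line {lineno}: {line}")
    print("unused object-groups:", unused_object_groups(SAMPLE_CONFIG))
```

Run against a real `show running-config` capture, the same two functions tell you that a host you are about to decommission is still referenced through an object-group, and which groups can be deleted along with it. Whole-token matching matters: a plain substring search for 192.0.2.1 would also report 192.0.2.10 and 192.0.2.11.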
Embedded OS
Many firewalls are based on general-purpose OSs, which means maintenance is
required to ensure that the correct configuration is used and that the base OS is
patched and secured. This requirement carries a higher long-term cost and the potential
for security weaknesses.
An embedded OS is one that is self-contained in the device and resident
in Read-Only Memory (ROM) or flash. This reduces maintenance costs: because no
customizations or OS configurations are required, a single image is
downloaded and stored to flash. There is little that can go wrong with the OS itself, and
you cannot accidentally leave an unnecessary service running, because the firewall's
services are limited to the features appropriate for a security device.
Unlike appliances based on a general-purpose kernel such as Linux or Windows
CE, the PIX is based on a hardened, specialized OS built for security services. This
allows for kernel simplification, which in turn supports explicit certification and validation.
The PIX OS has been tested against third-party certification criteria such as International
Computer Security Association (ICSA) Labs' Firewall Product Certification Criteria
and the difficult-to-obtain Common Criteria (ISO/IEC 15408) Evaluation Assurance Level 4
(EAL4) certification. EAL4 is the highest assurance level generally attainable with good
commercial development practices, so this testing provides solid assurance in Cisco's
security engineering. Note that such certificates apply to the specific software version and
evaluated configuration that were tested, not to every release.
Kernel simplification has advantages in throughput as well: the PIX 535, for example,
supports up to 256,000 simultaneous connections, far more than a
UNIX- or Windows-based firewall achieves on equivalent hardware.
One key advantage of the PIX firewall software is the similarity of its command-line
structure to Cisco Internetwork Operating System (IOS). Administrators who
already know IOS can rapidly master management of the PIX, which
reduces deployment costs and allows the firewall to be managed by Network Operations
Center (NOC) personnel.
Cisco OS Upgrade/Update Warning
In addition to learning the new commands, it is vital to examine each release
closely and determine whether the update is necessary. Read the release notes carefully
and check whether any of the fixes apply to your environment. Will the new functionality
be useful? Are security fixes needed to protect either your firewall or
your internal network? Most importantly, search the Internet discussion groups
for reports of problems with the update/upgrade.
I discovered through painful personal experience that PIX version 7.1(2) had
a bug that dropped all network connectivity through the firewall on a regular
basis, and then restored it over a period of about 5 minutes. Version 7.1(2)4
solved the problem, but it wasn't until after consultation with other PIX administrators
and a call to Cisco's support team that I found the updated version.
Cisco's support team said I should have stayed with 7.0(2).
Cisco’s first question regarding any support call concerning an update is,
“Why did you update?” If there isn’t a security problem, the PIX is functioning,
and you don’t need the new functionality, don’t apply an update.
The Adaptive Security Algorithm
The heart of the PIX is the Adaptive Security Algorithm (ASA). The ASA decides
whether a packet is passed through the firewall by checking it against the information
flow control policy implemented in the access control list (ACL) table and against the
connection state the PIX has built from previous traffic. By default, the ASA allows traffic
to flow from an interface with a higher security level to one with a lower security level,
unless access-list commands modify that behavior.
More formally, the manual notes:
- No packets can traverse the PIX firewall without a connection and state.
- Outbound connections or states are allowed, except those specifically
denied by ACLs. An outbound connection is one where the originator or
client is on a higher security interface than the receiver or server.
- Inbound connections or states are denied, except those specifically
allowed. An inbound connection or state is one where the originator or
client is on a lower security interface or network than the receiver or
server. Multiple exceptions can be applied to a single translation (xlate),
which lets you permit access from an arbitrary machine, network, or any
host on the Internet to the host defined by the xlate.
- All Internet Control Message Protocol (ICMP) packets are denied unless
specifically permitted.
- All attempts to circumvent the previous rules are dropped. A message is
generated and sent to a management device (e.g., local buffer, Simple
Network Management Protocol (SNMP) trap, syslog, console), depending
on the severity of the attempt and the local configuration. (Normal traffic
may also trigger logging, again depending on configuration; at the highest
debugging level, every packet generates a message.)
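To make the interaction between these rules concrete, here is an added example (not Cisco code, and not a reproduction of the real ASA) that models the five rules above as a small stateful decision function. It shows the point that is easy to miss when reading the rules as a list: a reply packet is accepted because a matching connection already exists, even when the ACL on the interface it arrives on would deny it, while an otherwise identical unsolicited packet is dropped and logged. Interface names, security levels, ACL entries and the sample packets are all constructed.

```python
"""Toy model of the Adaptive Security Algorithm decision rules quoted above.

Added example, not Cisco code and not a reproduction of the real ASA: it implements
only the five rules listed in the text, to show how state and interface security
levels interact with ACLs. Interface names, security levels, ACL entries and the
sample packets are all constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed security levels (PIX convention: outside is 0, inside is 100).
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}


@dataclass(frozen=True)
class Packet:
    in_if: str    # interface the packet arrives on
    out_if: str   # interface it would be forwarded out of
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One access-list entry; "any" or None matches everything for that field."""
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp", "icmp" or "ip"
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


@dataclass
class Firewall:
    acls: dict = field(default_factory=dict)        # interface -> [Rule], applied to arriving traffic
    connections: set = field(default_factory=set)   # established flows, stored in both directions
    log: list = field(default_factory=list)         # messages that would go to syslog/SNMP/console

    @staticmethod
    def _flow(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def _acl_verdict(self, p: Packet) -> Optional[str]:
        """First matching entry of the arriving interface's ACL wins; None if nothing matches."""
        for rule in self.acls.get(p.in_if, []):
            if rule.matches(p):
                return rule.action
        return None

    def inspect(self, p: Packet) -> str:
        # Rule 1: packets belonging to an existing connection pass on state alone.
        if self._flow(p) in self.connections:
            return "permit"
        verdict = self._acl_verdict(p)
        outbound = SECURITY_LEVEL[p.in_if] > SECURITY_LEVEL[p.out_if]
        if p.proto == "icmp":
            allowed = verdict == "permit"      # Rule 4: ICMP denied unless explicitly permitted
        elif outbound:
            allowed = verdict != "deny"        # Rule 2: higher -> lower allowed unless denied
        else:
            allowed = verdict == "permit"      # Rule 3: lower -> higher denied unless permitted
        if allowed:
            # Record both directions so the reply is accepted under rule 1.
            self.connections.add(self._flow(p))
            self.connections.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return "permit"
        # Rule 5: everything else is dropped and a message is generated.
        self.log.append(f"Deny {p.proto} src {p.in_if}:{p.src}/{p.sport} dst {p.out_if}:{p.dst}/{p.dport}")
        return "deny"


def demo() -> tuple:
    """Run constructed packets through a constructed policy; returns (verdicts, log)."""
    fw = Firewall(acls={
        "outside": [Rule("permit", "tcp", "any", "192.0.2.10", 443),  # public HTTPS to a DMZ server
                    Rule("deny", "ip", "any", "any")],
        "inside": [Rule("deny", "tcp", "any", "any", 23)],             # no Telnet leaving the inside
    })
    verdicts = {
        "outbound_http": fw.inspect(Packet("inside", "outside", "tcp", "10.1.1.5", "198.51.100.7", 51000, 80)),
        # The reply would hit the outside ACL's deny, but matching state lets it through.
        "return_http": fw.inspect(Packet("outside", "inside", "tcp", "198.51.100.7", "10.1.1.5", 80, 51000)),
        "outbound_telnet": fw.inspect(Packet("inside", "outside", "tcp", "10.1.1.5", "198.51.100.7", 51001, 23)),
        "inbound_https_dmz": fw.inspect(Packet("outside", "dmz", "tcp", "203.0.113.9", "192.0.2.10", 40000, 443)),
        "inbound_ssh_dmz": fw.inspect(Packet("outside", "dmz", "tcp", "203.0.113.9", "192.0.2.10", 40001, 22)),
        # Same destination port as the real reply above, but no matching connection exists.
        "unsolicited_inbound": fw.inspect(Packet("outside", "inside", "tcp", "203.0.113.9", "10.1.1.5", 40002, 51000)),
        "outbound_ping": fw.inspect(Packet("inside", "outside", "icmp", "10.1.1.5", "198.51.100.7")),
    }
    return verdicts, fw.log


if __name__ == "__main__":
    verdicts, log = demo()
    for name, verdict in verdicts.items():
        print(f"{name:20} {verdict}")
    print("\n".join(log))
```

The ICMP branch follows the rule as the manual states it, so an outbound ping with no permitting ACL is dropped; the model also keys state on the full 5-tuple, which is why only the genuine reply matches. A real PIX tracks sequence numbers, translations (xlates) and per-protocol inspection on top of this, but the ordering of the checks, state first and then direction-dependent ACL evaluation, is the part worth internalizing when reading access-list behavior.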