Cisco PIX (Private Internet eXchange) is a popular IP firewall and network address translation (NAT) appliance. It was one of the first products in this market segment.
In 2005, Cisco introduced the newer Adaptive Security Appliance (ASA), which inherited many of the PIX features, and in 2008 announced the PIX end-of-sale.
The PIX technology is still sold in a blade, the FireWall Services Module (FWSM), for the Cisco Catalyst 6500 switch series and the 7600 Router series.

PIX was originally conceived in early 1994 by John Mayes of Redwood City, California and designed and coded by Brantley Coile of Athens, Georgia. The PIX name is derived from its creators' aim of creating the functional equivalent of an IP PBX to solve the then-emerging registered IP address shortage. At a time when NAT was just being investigated as a viable approach, they wanted to conceal a block or blocks of IP addresses behind a single or multiple registered IP addresses, much as PBXs do for internal phone extensions. When they began, RFC 1597 and RFC 1631 were being discussed, but the now-familiar RFC 1918 had not yet been submitted.
The design, and testing were carried out in 1994 by John Mayes, Brantley Coile and Johnson Wu of Network Translation, Inc., with Brantley Coile being the sole software developer. Beta testing of PIX serial number 000000 was completed and first customer acceptance was on December 21, 1994 at KLA Instruments in San Jose, California. The PIX quickly became one of the leading enterprise firewall products and was awarded the Data Communications Magazine "Hot Product of the Year" award in January 1995.
After Cisco acquired Network Translation in November 1995, Mayes and Coile hired four long-time associates: Jim Jordan, Tom Bohannon, Richard Howes and Pete Tenereillo (the latter two had worked for NTI prior to the acquisition). Together they continued development on Finesse OS and the original version of the Cisco PIX Firewall, now known as the PIX "Classic". During this time, the PIX shared most of its code with another Cisco product, the LocalDirector.
End-of-Life
On January 28, 2008, Cisco announced the end-of-sale and end-of-life dates for all Cisco PIX Security Appliances, software, accessories, and licenses. The last day for purchasing Cisco PIX Security Appliance platforms and bundles was July 28, 2008. The last day to purchase accessories and licenses was January 27, 2009. Cisco will continue to support Cisco PIX Security Appliance customers through July 27, 2013.
Adaptive Security Appliance (ASA)
In May 2005, Cisco introduced the Adaptive Security Appliance (ASA) which combines functionality from the PIX, VPN 3000 series and IPS product lines. The ASA series of devices run PIX code 7.0 and later. Through PIX OS release 7.x the PIX and the ASA use the same software images. Beginning with PIX OS version 8.x, the operating system code diverges, with the ASA using a Linux kernel and PIX continuing to use the traditional Finesse/PIX OS combination.
Description of operation
The PIX runs a custom-written proprietary operating system originally called Finesse (Fast InterNEt Server Executive), but the software is now known simply as PIX OS. It is classified as a network layer firewall with stateful inspection, although technically the PIX would more precisely be called a Layer 4, or Transport Layer, firewall: its access control is not restricted to Network Layer routing but operates on socket-based connections (an IP address plus a port, and port communication occurs at Layer 4). By default it allows internal connections out (outbound traffic), and only allows inbound traffic that is a response to a valid request or is explicitly allowed by an Access Control List (ACL) or a conduit. The PIX can be configured to perform many functions, including network address translation (NAT) and port address translation (PAT), as well as acting as a virtual private network (VPN) endpoint appliance.
The PIX was the first commercially available firewall product to introduce protocol-specific filtering, with the introduction of the "fixup" command. The PIX "fixup" capability allows the firewall to apply additional security policies to connections identified as using specific protocols. Two protocols for which specific fixup behaviors were developed are DNS and SMTP. The DNS fixup originally implemented a very simple but effective security policy: it allowed just one DNS response from a DNS server on the Internet (the "outside" interface) for each DNS request from a client on the protected ("inside") interface, so that any further replies to the same request were dropped. "Fixup" has been superseded by "Inspect" in later versions of PIX OS.
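The two preceding paragraphs describe the default PIX policy (inside-to-outside traffic is permitted and creates connection state; outside-to-inside traffic is permitted only when it matches that state or an explicit ACL entry) and the original DNS fixup rule (exactly one reply per DNS request). The following model is an added example written for this page, not Cisco's code; the class and function names, the connection-table layout and the sample packets are constructed for illustration, and NAT/PAT are omitted so that the stateful logic stays visible.

```python
"""Toy model of the PIX default policy plus the original DNS "fixup".

Added illustration, not Cisco code.  Behaviour modelled:
  (a) inside -> outside packets are permitted and recorded as a connection;
  (b) outside -> inside packets are permitted only if they are the reverse of a
      recorded connection or match an explicit inbound ACL entry;
  (c) for DNS (UDP/53) the connection is closed after exactly ONE reply, so a
      second, unsolicited "answer" to the same request is dropped.
Addresses use the RFC 5737 documentation ranges; NAT/PAT are not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Connection-table key: (proto, src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, str, int, str, int]
# Inbound ACL entry: (proto, dst_ip, dst_port) permitted from outside
AclEntry = Tuple[str, str, int]


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on: "inside" or "outside"
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def flow(self) -> Flow:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def originating_flow(self) -> Flow:
        """The outbound flow this packet would be a reply to."""
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class StatefulFirewall:
    DNS_PORT = 53

    def __init__(self, inbound_acl: Optional[Set[AclEntry]] = None) -> None:
        self.inbound_acl: Set[AclEntry] = set(inbound_acl or ())
        # flow -> replies still allowed (None = unlimited, i.e. normal state)
        self.conns: Dict[Flow, Optional[int]] = {}

    @staticmethod
    def _is_dns(pkt: Packet) -> bool:
        return pkt.proto == "udp" and pkt.dst_port == StatefulFirewall.DNS_PORT

    def process(self, pkt: Packet) -> str:
        """Return "permit" or "deny" and update the connection table."""
        if pkt.iface == "inside":
            # Outbound: always permitted; open a pinhole for the reply.
            # DNS fixup: budget of exactly one reply for this request.
            self.conns[pkt.flow()] = 1 if self._is_dns(pkt) else None
            return "permit"

        origin = pkt.originating_flow()
        if origin in self.conns:
            budget = self.conns[origin]
            if budget is None:          # ordinary stateful reply
                return "permit"
            if budget > 1:              # (unused here, kept for generality)
                self.conns[origin] = budget - 1
            else:
                del self.conns[origin]  # one reply consumed: close the pinhole
            return "permit"

        # No state: only an explicit ACL entry lets inbound traffic through.
        if (pkt.proto, pkt.dst_ip, pkt.dst_port) in self.inbound_acl:
            return "permit"
        return "deny"


def run_trace() -> List[str]:
    """Run a constructed packet sequence and return the verdict per packet."""
    fw = StatefulFirewall(inbound_acl={("tcp", "192.0.2.10", 80)})  # web server ACL
    trace = [
        Packet("inside",  "udp", "192.0.2.5",    40000, "203.0.113.53", 53),     # DNS query
        Packet("outside", "udp", "203.0.113.53", 53,    "192.0.2.5",    40000),  # 1st reply
        Packet("outside", "udp", "203.0.113.53", 53,    "192.0.2.5",    40000),  # 2nd reply
        Packet("outside", "tcp", "203.0.113.7",  12345, "192.0.2.5",    22),     # unsolicited SSH
        Packet("outside", "tcp", "203.0.113.7",  12345, "192.0.2.10",   80),     # ACL-permitted
        Packet("inside",  "tcp", "192.0.2.5",    50000, "203.0.113.9",  443),    # outbound HTTPS
        Packet("outside", "tcp", "203.0.113.9",  443,   "192.0.2.5",    50000),  # reply
        Packet("outside", "tcp", "203.0.113.9",  443,   "192.0.2.5",    50000),  # another reply
    ]
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```

In the trace, the second DNS "reply" is denied because the first one consumed the pinhole, whereas the TCP session keeps accepting replies; the unsolicited inbound SSH attempt is denied for lack of state or ACL, and the inbound HTTP packet is permitted only because of the explicit ACL entry. A real PIX additionally keys these entries through its NAT/PAT translation (xlate) table, which this model leaves out.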
The Cisco PIX was also one of the first commercially available security appliances to incorporate IPSec VPN gateway functionality.
The PIX can be managed by a command line interface (CLI) or a graphical user interface (GUI). The CLI is accessible from the serial console, telnet and SSH. GUI administration was introduced with version 4.1, and it has been through several incarnations: PIX Firewall Manager (PFM) for PIX OS versions 4.x and 5.x, which runs locally on a Windows NT client; PIX Device Manager (PDM) for PIX OS version 6.x, which runs over HTTPS and requires Java; and Adaptive Security Device Manager (ASDM) for PIX OS version 7 and greater, which can run locally on a client or in reduced-functionality mode over HTTPS. Examples of emulators include PEMU and Dynagen; NetworkSims.com ProfSIMs (Networksims) is available as a simulator.
As the PIX is an acquired product, the CLI was originally not aligned with the Cisco IOS syntax. Starting with version 7.0, the configuration is much more IOS-like. As the PIX only supports IP traffic (as opposed to IPX, DECnet, etc.), in most configuration commands 'ip' is omitted. The configuration is upwards compatible, but not downwards. When a 5.x or 6.x configuration is loaded on a 7.x platform, the configuration is automatically converted to 7.x formatting, as long as the configuration was using ACLs rather than conduits and "outbounds". This allows for an easy migration from PIX to ASA. PIX OS v7.0 is only supported on models 515, 515(E), 525 and 535. Although the 501 and 506E are relatively recent models, their flash memory size of only 8 MB prevents official upgrading to version 7.x, although 7.0 can be installed on a 506E using monitor mode, up to version 7.1(2). The 8 MB flash size only allows for installation of the PIX OS software, not the ASDM software (GUI). For the PIX 515(E) to run version 7.0 or later, a doubling of the memory size is required (32->64 MB for Restricted and 64->128 MB for Unrestricted/Failover licenses). A 515(E) UR/FO can run 7.0 with 64 MB of memory installed, but that is not recommended, as larger configurations and session/xlate tables can exceed the available memory.
Description of hardware
The original NTI PIX and the PIX Classic had cases that were sourced from OEM provider Appro. All flash cards and the early encryption acceleration cards, the PIX-PL and PIX-PL2, were sourced from Productivity Enhancement Products (PEP). Later models had cases from Cisco OEM manufacturers.
The PIX was constructed using Intel-based/Intel-compatible motherboards; the PIX 501 used an AMD 5x86 processor, and all other standalone models used Intel 80486 through Pentium III processors. Nearly all PIXs used Ethernet NICs with Intel 82557, 82558, and 82559 network chipsets, but some older models are occasionally found with 3COM 3c590 and 3c595 Ethernet cards, Olicom-based Token-Ring cards, and Interphase-based FDDI cards.
Some Intel-based Ethernet cards for the PIX are identified at boot with the designation "mcwa". This designation denotes a multicast receive bug in the card's firmware that the designers addressed with a feature they called Multi Cast Work Around.
Both the PIX 510 and 520 share basic components, such as motherboard, chassis, NICs, flash cards, etc., with the Cisco LocalDirector 416/420/430, the Cisco Service Selector Gateway 6510 (SSG-6510), and the Cisco Cache Engine CE2050, though the latter two run VxWorks, rather than a Finesse derivative.
The PIX boots off a proprietary ISA flash memory daughtercard in the case of the NTI PIX, PIX Classic, 10000, 510, 520, and 535, and it boots off integrated flash memory in the case of the PIX 501, 506/506e, 515/515e, 525, and WS-SVC-FWM-1-K9.
The PIX technology implemented in the FWSM, for the Catalyst 6500 and the 7600 Router, has a part code of WS-SVC-FWM-1-K9.
The PIX 535 has a PCI-X 66 MHz/64-bit bus for its expansion slots. This results in a much higher cleartext throughput, as the PCI bus is no longer the bottleneck (a plain PCI bus is 33 MHz and 32 bits wide, giving a maximum throughput of 1.2 GBit with overhead not taken into account). As the lower Cisco ASA models use a PCI bus, the PIX 535 was faster for cleartext than its successor ASA until the introduction of the ASA 5580.
Specifications of latest and older models
Latest models
Model | 501 | 506e | 515e | 525 | 535 | FWSM |
---|---|---|---|---|---|---|
Introduced | 2001 | 2002 | 2002 | 2000 | 2000 | 2003 |
Discontinued | 2008 | 2008 | 2008 | 2008 | 2008 | |
CPU type | AMD SC520 5x86 | Intel Celeron (Mendocino SL36A) | Intel Celeron (Mendocino SL3BA) | Intel Pentium III (Coppermine) | Intel Pentium III (Coppermine) | One Intel Pentium III and three IBM 4GS3 PowerNP network processors |
CPU speed | 133 MHz | 300 MHz | 433 MHz | 600 MHz | 1 GHz | 1 GHz |
Chipset | AMD SC520 | Intel 440BX Seattle | Intel 440BX Seattle | Intel 440BX Seattle | Broadcom Serverworks RCC | ? |
Default RAM | 16 MB | 32 MB | 64 (128) MB | 128 (256) MB | 512 (1024) MB | 1 GB |
Boot flash device | Onboard | Onboard | Onboard | Onboard | ISA card & Onboard | Onboard |
Default flash | 8 MB | 8 MB | 16 MB | 16 MB | 16 MB | 128 MB |
Boot flash chips | 1 x 28F640 | 1 x 28F640 | 1 x E28F128J3 | 1 x EF28F128J3 | 2 x i28F640J5 | ATA CompactFlash |
Minimum PIX OS version | 6.1(1) | 5.1(x) | 5.1(x) | 5.2(x) | 5.3(x) | FWSM 2.3(x) |
Maximum PIX OS version officially supported | Latest 6.3(x) | Latest 6.3(x) | 8.0.4 | 8.0.4 | 8.0.4 | FWSM 4.0(x) |
Max interfaces | 2 | 2 | 3(6) | 6(10) | 8(14) | |
PCI slots | 0 | 0 | 2 | 3 | 9 | 1 |
Expansion cards supported | No | No | 1 port FE, 4 port FE, 1 port 1000baseSX | 1 port FE, 4 port FE, 1 port 1000baseSX | 1 port FE, 4 port FE, 1 port 1000baseSX | Yes |
Supports SSL VPN | No | No | No | No | No | No |
VPN accelerator supported | No | No | Yes | Yes | Yes | No |
Floppy drive | No | No | No | No | No | No |
Failover supported | No | No | Yes | Yes | Yes | Yes |
Older models
Model | NTI PIX | Classic 47-3158-01 | 10000 | 506 | 510 | 515 | 520 |
---|---|---|---|---|---|---|---|
Introduced | 1994 | 1995 | 1996 | 2000 | 1997 | 1999 | 1999 |
Discontinued | 1995 | 1998 | 1998 | 2002 | 1999 | 2002 | 2001 |
CPU type | Intel 486DX2/ Intel Pentium | Intel Pentium | Intel Pentium Pro | Intel Pentium MMX | Intel Pentium | Intel Pentium MMX | Intel Pentium II (Deschutes) |
CPU speed | 66 / 90 MHz | 100~133 MHz | 200 MHz | 200 MHz | 166 MHz | 200 MHz | 233~350 MHz |
Chipset | Intel 430FX/TX | Intel 440FX Natoma | Intel 430TX | Intel 430TX | Intel 430TX | 440LX/BX Balboa/ Seattle | |
Default RAM | 4 MB | 8 MB | 16 MB | 32 MB | 16 MB | 32 (64) MB | 128 MB |
Boot flash device | ISA card | ISA card | ISA card | Onboard | ISA card | Onboard | ISA card |
Default flash | 512KB | 512KB / 2 MB | 2 MB | 8 MB | 2 MB | 16 MB | 2 MB / 16 MB |
Boot flash chips | 2 x i28f020 | 2 x i28f020 / 4 x 29C040 | 4 x 29C040 | 1 x i28F640J5 | 4 x 29C040 | 2 x i28F640J5 | 4 x 29C040 / 2 x i28F640J5 |
Minimum PIX OS version | 1.x | 2.x | 4.4(x) | 4.4(x) | 4.4(x) | 5.1(x) | 4.4(x) |
Maximum PIX OS version | 4.2(2) | 4.2(2) 5.1(x) | 5.1(x) | Latest 6.3(x) | 5.3(4) | Latest 8.x | Latest 6.3(x) |
Max interfaces | 2 | 6(3) | 8(6) | ||||
Fixed internal interface | No | No | No | 10baseT | No | 10/100baseT | No |
Fixed external interface | No | No | No | 10baseT | No | 10/100baseT | No |
PCI slots | ? | 4 | 4 | 0 | 4+ | 2 | 4+ |
Expansion cards supported | ? | 1 port FE, 1 port Token Ring, 1 port FDDI | 1 port FE, 1 port Token Ring, 1 port FDDI | No | 1 port FE, 1 port Token Ring, 1 port FDDI | 1 port FE, 4 port FE, 1 port 1000baseSX | 1 port FE, 4 port FE, 1 port 1000baseSX |
VPN accelerator supported | Yes | Yes | Yes | No | Yes | Yes | Yes |
Floppy drive | Yes | Yes | Yes | No | Yes | No | Yes |
Failover supported | No | No/Yes | Yes | No | Yes | Yes | Yes |
Performance specifications
Model | PIX Classic | PIX 10000 | PIX 501 | PIX 506 | PIX 506e | PIX 510 | PIX 515 | PIX 515e | PIX 520 | PIX 525 | PIX 535 | ASA 5520 | FWSM |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Cleartext throughput, Mbit/s | 90 | 60 | 20 | 100 | 147 | 190 | 240 | 330 | 1655 | 450 | 5500 | ||
56-bit DES throughput, Mbit/s | 6 | 20 | n/a | n/a | n/a | n/a | ? | n/a | |||||
168-bit Triple DES throughput, Mbit/s | 3 | 6 | 16 | 10 / 63 (135) | 20 / 63 (135) | 20 | 30 / 72 (145) | 50 / 100 (425) | 225 | n/a | |||
AES-128 throughput, Mbit/s | 4.5 | 30 | 45 / 130 | 65 / 135 | 110 / 495 | 225 | n/a | ||||||
AES-256 throughput, Mbit/s | 3.4 | 25 | 35 / 130 | 50 / 135 | 90 / 425 | 225 | n/a | ||||||
Max simultaneous connections | 16,000 | 7,500 | 10,000 | 25,000 | 64,000 / 128,000 | 48,000 / 130,000 | 256,000 | 140,000 / 280,000 | 250,000 / 500,000 | 280,000 | 999,900 total / 100,000 per second | ||
Max simultaneous hosts (users) | 10 / 50 / Unlimited | Unlimited | Unlimited | 128 / 1000 / unlimited | Unlimited | Unlimited | ? | 256,000 | |||||
Max number of ACL entries | ? | 80,000 | |||||||||||
Max simultaneous VPN peers | 10 | 25 | 25 | 0 / 2000 | 0 / 2000 | 0 / 2000 | 750 IPSec, 750 SSL | n/a | |||||