PIX vs ASA_firewall
1. PIX FIREWALL BY R P PORWAL
PIX FIREWALL
What Does a PIX Do?
The PIX is a firewall appliance built on a hardened, purpose-built operating system, PIX OS,
which minimizes the OS-specific security holes found on general-purpose platforms. BSNL uses the
newer Cisco ASA (Adaptive Security Appliance) 55xx series, the PIX's successor, for its 3G OSS;
the ASA is covered in an upcoming presentation.
PIX firewalls provide a wide range of security and networking services including:
Network Address Translation (NAT) or Port Address Translation (PAT)
content filtering (Java/ActiveX)
URL filtering
IPsec VPN
support for leading X.509 PKI solutions
DHCP client/server
PPPoE support
advanced security services for multimedia applications and protocols including Voice
over IP (VoIP), H.323, SIP, Skinny and Microsoft NetMeeting
AAA (RADIUS/TACACS+) integration
The PIX can be managed graphically through the integrated web-based PIX Device Manager (PDM) or
through Cisco Secure Policy Manager 2.3f and 3.0f (not to be confused with CSPM 2.3.3i, which
manages intrusion detection systems). PDM is a PIX-specific device configuration and management
tool, whereas CSPM is generally used as part of a larger security management infrastructure and
lets you map organizational security policies onto a PIX configuration. Other management
interfaces are the command-line interface (CLI) over the console port, telnet or Secure Shell
(SSH 1.5), plus SNMP and syslog for monitoring.
PIX Terminology and Background Information
The following diagram shows a multi-port PIX connected to various networks. We will use this
diagram as we build up a PIX configuration in this and any subsequent PIX articles.
PIX terminology: the user segment is generally called the inside subnet, and the interface
connected to the Internet router is the outside subnet. As shown, there is usually also a DMZ
(De-Militarized Zone) subnet, where all servers that must be reachable from the outside are
isolated. There may also be a separate management subnet and a subnet linking to a redundant
PIX for failover (if supported and licensed).
The PIX command-line interface (CLI) resembles the Cisco IOS CLI but differs in many details.
Comments start with a colon (":") and, as usual, are not retained in the configuration. Newer
PIX OS releases use ACLs in place of the former conduits (which were arguably more confusing to
experienced Cisco router administrators).
PIX interfaces are normally shut down until the administrator activates them.
Every PIX interface has a security level, set with the nameif command, as we will see shortly.
Two interfaces at the same level cannot send packets to each other. Connections and traffic are
normally permitted from a higher to a lower security level, although some basic configuration is
still needed before traffic will flow. Connections in the other direction (from a lower to a
higher security level) are dropped unless the configuration explicitly permits them.
No ACL is required for traffic going from a higher security level to a lower one: everything is
allowed once a translation exists. Best practice is nevertheless to bind an ACL to every
interface, even if it simply permits everything with "permit ip any any", because a bound ACL
ends in an implicit deny and makes the policy explicit. Since the PIX applies ACLs inbound only,
an ACL applied inbound on the inside interface controls what the inside users may send outbound.
If an admin wants to permit only web and DNS traffic outbound, he allows only tcp port 80 and
udp port 53, and everything else (RealAudio, for example) is denied as it tries to leave.
To let traffic flow from a higher security level to a lower one, use the nat and global
commands. For the opposite direction, from lower to higher, use the static and access-list
commands. In practice we suggest using nat and global only when going from a non-outside
interface to the outside interface (usually the Internet, unless the PIX sits as a border between
business units), which narrows the first sentence above. We also suggest using statics between
any two non-outside interfaces (inside to management, or ethernet3 to ethernet4 in the diagram
below), so that internal addresses are preserved instead of being drawn from a translation pool.
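The security-level, nat/global, static and access-list rules described above, pulled together into one PIX OS 6.x configuration fragment. This is an added example, not a configuration from the original presentation or from BSNL; the interface names, ACL names and addresses (203.0.113.0/24 outside, 10.1.1.0/24 inside, 192.168.10.0/24 DMZ) are hypothetical documentation ranges.

```text
: Added example: PIX OS 6.x configuration fragment (all addresses hypothetical).
: Colon lines are comments and are not kept in the running configuration.

: Interface names and security levels. Traffic may flow high -> low once a
: translation exists; low -> high needs a static plus an ACL; two interfaces at
: the same level cannot exchange traffic at all.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

: Interfaces stay shut down until they are given a speed/duplex setting.
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full

ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

: High -> low toward the Internet: a nat/global pair. Inside and DMZ share
: NAT pool id 1; the second global line is a single PAT address used when the
: pool is exhausted.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (dmz) 1 192.168.10.0 255.255.255.0 0 0
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0
global (outside) 1 203.0.113.21 netmask 255.255.255.0

: High -> low between two non-outside interfaces: an identity static, so
: inside hosts reach the DMZ with their real addresses and consume no pool.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0

: Low -> high: publish the DMZ web server and permit only HTTP/HTTPS to it.
: The static alone creates the translation; the ACL is what opens the hole.
static (dmz,outside) 203.0.113.30 192.168.10.30 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.30 eq www
access-list outside_in permit tcp any host 203.0.113.30 eq 443
access-group outside_in in interface outside

: Egress control, applied inbound on the inside interface (the PIX has no
: outbound ACLs). Binding an ACL here replaces the "high -> low is allowed"
: default with the ACL's implicit deny, so only web and DNS may leave.
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list inside_out permit udp 10.1.1.0 255.255.255.0 any eq domain
access-group inside_out in interface inside
```

Two things to check after entering this: `show xlate` should show translations appearing as inside hosts browse, and `show access-list` should show hit counts on the ACL entries. Note that the inside_out ACL also governs inside-to-DMZ traffic, since the same inbound ACL sees every packet the inside interface receives, so any internal protocol beyond web and DNS (SSH to the DMZ host, for example) needs its own permit line.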
The PIX normally tracks NAT connections and security state per flow; this stateful inspection is
referred to as the Adaptive Security Algorithm (ASA), not to be confused with the later ASA
appliance. Classic PIX OS does not pass multicast traffic (later releases added only limited
stub multicast forwarding).