Cisco PIX Firewall

Product Overview

Standard Features

Benefits

Adaptive Security

Product Numbers

Cisco PIX Firewall

This chapter provides information on the Cisco PIX Firewall. The information is organized into the following sections:

Product Overview

Cisco Systems' PIX Firewall provides full firewall security protection that completely conceals the architecture of an internal network from the outside world.

PIX Firewall operates on a secure real-time kernel, not UNIX, which provides another level of security. PIX Firewall provides firewall security without the administrative overhead and risks associated with UNIX-based firewall systems. The network administrator is provided with complete auditing of all transactions, including attempted break-ins. PIX Firewall offers controlled access to the Internet. Its streamlined software is scalable and simple to configure; typical configuration takes five minutes. It offers a high performance, inexpensive, and low-maintenance firewall solution that protects your internal network from unauthorized access.

PIX Firewall allows secure access to the Internet from within existing private networks. PIX Firewall utilizes a protection scheme called stateful network address translation (NAT), which shields your internal network from the Internet. Stateful means that it tracks the source and destination ports plus addresses, TCP sequence numbers, and additional TCP flags. PIX Firewall gives your organization the protection of allowing internal users access to the Internet, while protecting your internal network from unauthorized access.

The PIX Firewall also provides an additional benefit to your organization by providing the ability to expand and reconfigure TCP/IP networks without being concerned about a shortage of IP addresses. NAT makes it possible to use either existing IP addresses or the addresses set aside in the Internet Assigned Numbers Authority's (IANA's) reserve pool (RFC 1918).

Encryption is available with the Cisco PIX Firewall Private Link, a card that provides secure communication between multiple PIX Firewall systems over the Internet using the Data Encryption Standard (DES).

Figure 150 : PIX Firewall Front View

Figure 151 : PIX Firewall Rear View

Standard Features

PIX Firewall includes the following features:

Secure Stateful Network Address Translation (NAT)-based firewall
Over 16,000 simultaneous connections supported
Internal network concealed
Normal configuration in five commands---in 5 minutes
Secure dynamic and static translation
True Network Address Translation as discussed in RFC 1631
Transparent support for all common TCP/IP Internet services such as World Wide Web, FTP, Telnet, Archie, Gopher, and Rlogin
Secure real-time software (less than 80KB total)

Benefits

PIX Firewall provides the following benefits:

Less complex and more robust than packet filters
No downtime required for installation
No upgrading of hosts or routers
No day-to-day management
Full outbound Internet access from unregistered internal hosts
Does not require additional registered IP addresses for network expansion
Allows use of Address Allocation for Private Internets (RFC 1918) or registered IP addresses
No user impact---nondisruptive to existing LANs

Adaptive Security

PIX Firewall provides the following features that support adaptive security:

All inbound traffic is verified for statefulness against the following connection state information:
- Source and destination IP address
- Source and destination port number
- Protocol
- TCP sequence number
Completely disallows access from the outside network to the inside network
Provides stateful security for TCP and UDP transactions

Table 320 : PIX Firewall Summary of Features

Description Feature

Dimensions (H x W x D) 7 x 19 x 19" (17.8 x 48.3 x 48.3 cm)

Weight 21 lbs (9.5 kg)

Hardware 19-in. rack-mount enclosure
2 Ethernet interfaces (inside and outside)
DB-9 EIA/TIA-232 console interface port
3.5-in. diskette drive
Lockable front panel

Compatibility 10BaseT, thick or thin Ethernet or 10/100 BaseT
Internet Protocol standards: IP, TCP, UDP, ICMP

Power requirements 115 VAC±10%, 47-63 Hz, 2.5A
230 VAC±10%, 47-63 Hz, 1.3A

Available software sessions (based on simultaneous TCP/IP connections) 32, 256, 1024, 4096, 16,384

Description	Feature
Dimensions (H x W x D)	7 x 19 x 19" (17.8 x 48.3 x 48.3 cm)
Weight	21 lbs (9.5 kg)
Hardware	19-in. rack-mount enclosure 2 Ethernet interfaces (inside and outside) DB-9 EIA/TIA-232 console interface port 3.5-in. diskette drive Lockable front panel
Compatibility	10BaseT, thick or thin Ethernet or 10/100 BaseT Internet Protocol standards: IP, TCP, UDP, ICMP
Power requirements	115 VAC±10%, 47-63 Hz, 2.5A 230 VAC±10%, 47-63 Hz, 1.3A
Available software sessions (based on simultaneous TCP/IP connections)	32, 256, 1024, 4096, 16,384

Table 321 : PIX Firewall Environmental Specifications

Description Specification

Temperature
Operating
Storage
0 to 131°F (0to55°C)
--40 to 131°F (--40 to 55°C)

Humidity
Operating
Storage
85% relative humidity maximum at 55°C
92% relative humidity maximum at 55°C

Altitude
Operating
Storage
10,000' (3,048 m)
50,000' (15,240 m)

Description	Specification
Temperature Operating Storage	0 to 131°F (0to55°C) --40 to 131°F (--40 to 55°C)
Humidity Operating Storage	85% relative humidity maximum at 55°C 92% relative humidity maximum at 55°C
Altitude Operating Storage	10,000' (3,048 m) 50,000' (15,240 m)

Product Numbers

Table 322 lists the product numbers you can use to order PIX Firewall or upgrade an existing configuration. For documentation product numbers, refer to the "Internet Products" section in the "Documentation" chapter, later in this catalog.

Table 322 : PIX Firewall Product Numbers

Description Product Number

PIX Firewall PIX

2 Ethernet interfaces PIX-2E

2 Ethernet interfaces (spare) PIX-2E=

2 Fast Ethernet interfaces PIX-2FE

2 Fast Ethernet interfaces (spare) PIX-2FE=

Private Link Encryption PIX-PL

Private Link Encryption (spare) PIX-PL=

Standard cord options CAB-AC
CAB-ACE
CAB-ACI
CAB-ACU
CAB-ACA

PIX software for 32 users SW-PIX-32

PIX software for 256 users SW-PIX-256

PIX software for 1024 users SW-PIX-1024

PIX software for 4096 users SW-PIX-4096

PIX software for 16384 users SW-PIX-16384

PIX software upgrade, 32 to 256 users SW-PIX-32-256=

PIX software upgrade, 32 to 1024 users SW-PIX-32-1024=

PIX software upgrade, 32 to 4096 users SW-PIX-32-4096=

PIX software upgrade, 32 to 16384 users SW-PIX-32-16384=

PIX software upgrade, 256 to 1024 users SW-PIX-256-1024=

PIX software upgrade, 256 to 4096 users SW-PIX-256-4096=

PIX software upgrade, 256 to 16384 users SW-PIX-256-16384=

PIX software upgrade, 1024 to 4096 users SW-PIX-1024-4096=

PIX software upgrade, 1024 to 16384 users SW-PIX-1024-16384=

PIX software upgrade, 4096 to 16384 users SW-PIX-4096-16384=

PIX software version update SW-PIX-VER=

PIX SMARTnet maintenance CON-SNT-PIX

Description	Product Number
PIX Firewall	PIX
2 Ethernet interfaces	PIX-2E
2 Ethernet interfaces (spare)	PIX-2E=
2 Fast Ethernet interfaces	PIX-2FE
2 Fast Ethernet interfaces (spare)	PIX-2FE=
Private Link Encryption	PIX-PL
Private Link Encryption (spare)	PIX-PL=
Standard cord options	CAB-AC CAB-ACE CAB-ACI CAB-ACU CAB-ACA
PIX software for 32 users	SW-PIX-32
PIX software for 256 users	SW-PIX-256
PIX software for 1024 users	SW-PIX-1024
PIX software for 4096 users	SW-PIX-4096
PIX software for 16384 users	SW-PIX-16384
PIX software upgrade, 32 to 256 users	SW-PIX-32-256=
PIX software upgrade, 32 to 1024 users	SW-PIX-32-1024=
PIX software upgrade, 32 to 4096 users	SW-PIX-32-4096=
PIX software upgrade, 32 to 16384 users	SW-PIX-32-16384=
PIX software upgrade, 256 to 1024 users	SW-PIX-256-1024=
PIX software upgrade, 256 to 4096 users	SW-PIX-256-4096=
PIX software upgrade, 256 to 16384 users	SW-PIX-256-16384=
PIX software upgrade, 1024 to 4096 users	SW-PIX-1024-4096=
PIX software upgrade, 1024 to 16384 users	SW-PIX-1024-16384=
PIX software upgrade, 4096 to 16384 users	SW-PIX-4096-16384=
PIX software version update	SW-PIX-VER=
PIX SMARTnet maintenance	CON-SNT-PIX

Table of Contents