PIX 525 Product Essentials and application environment
Cisco PIX 525 Firewall Application Environment
The Cisco Secure PIX 525 Firewall is part of the world's leading Cisco Secure PIX Firewall series, providing unmatched security, reliability, and performance for today's network customers. Its full firewall protection and IP Security (IPsec) virtual private network (VPN) capabilities make it particularly appropriate for protecting the perimeter of enterprise headquarters.
Strong security Features
The growth of the Internet poses a greater security risk for business, government, and private networks. Existing solutions such as proxy-based firewalls running at the application layer have many limitations, including low performance, expensive general-purpose platforms, and the security risks of open operating systems such as UNIX.
While the Cisco Secure PIX Firewall delivers unprecedented security protection, the core of its protection mechanism is the Adaptive Security Algorithm (ASA), which provides stateful-inspection firewall functionality. Stateful inspection, although relatively simple, is more robust than packet filtering, and compared with application-layer proxy firewalls it offers higher performance and better scalability. ASA tracks the source and destination addresses, Transmission Control Protocol (TCP) sequence numbers, port numbers, and additional TCP flags of each packet. Access through the Cisco Secure PIX Firewall is allowed only for packets that belong to a correctly established connection. In this way, authorized internal and external users can transparently access enterprise resources while the internal network is protected from unauthorized access.
In addition, the real-time embedded operating system further enhances the security of the Cisco Secure PIX Firewall family. Although UNIX servers are an ideal open development platform for widely used open-source code, a general-purpose operating system does not provide the best performance and security. The dedicated Cisco Secure PIX Firewall is specifically designed to deliver secure, high-performance protection.
Secure VPN with IPSec interop
Traditionally, a firewall implements perimeter security by maintaining stateful control over all connections between the network segments it joins. Today, more and more customers are looking for firewalls that provide VPN services in addition to access control. With VPNs, remote users or distributed branch offices can reach the enterprise network at lower cost, and using Internet access can significantly reduce the telecommunications costs associated with dedicated leased lines or other private networks. Companies no longer need to maintain large modem pools and access servers for remote dial-up users, which cost a great deal of money and cause headaches for administrators. Now, with only a local call to an ISP, users can securely access the private enterprise intranet over the Internet.
The PIX 525 implements secure, confidential communication over the Internet or any IP network. It integrates the main features of a VPN (tunneling, data encryption, and security) with the firewall, providing a secure, scalable platform for better and more cost-effective use of public data services for remote access, remote office, and extranet connectivity. The PIX 525 can support up to 4 VPN tiers at the same time and provides users with a complete implementation of the IPsec standard, where IPsec guarantees confidentiality, integrity, and authentication. For data encryption, Cisco's IPsec implementation supports the 56-bit Data Encryption Standard (DES), 168-bit Triple DES (3DES), and AES algorithms.
Extreme Reliability
The PIX Firewall delivers unprecedented reliability, with a mean time between failures (MTBF) exceeding 60,000 hours. Even at this high level, companies for which Internet, intranet, or extranet connectivity is an enterprise lifeline recognize that firewall redundancy is a key factor. Every minute the firewall is down means lost revenue, lost opportunity, or lost critical information. Cisco has created a failover bundle that works with the PIX 525-UR to meet these requirements simply and cheaply. This package provides a second firewall specifically designed to run in failover mode for the enterprise.
Amazing flexibility
The Cisco Secure PIX 525 Firewall supports a variety of network interface cards (NICs). Standard NICs include single-port or 4-port 10/100 Fast Ethernet, Gigabit Ethernet, 4/16 Mbps Token Ring, and dual-attached multimode FDDI cards.
In addition, the PIX 525 offers a choice of power options, AC or 48 V DC. Each option is also available as a pair of units, with the second PIX acting as the failover system for maximum redundancy and high availability.
Main features and advantages
- Part of the Cisco end-to-end solution-allows companies to extend a cost-effective, seamless network infrastructure to branch offices.
- Lowest cost of ownership-simple installation and configuration, less network downtime. In addition, it transparently supports Internet multimedia applications and no longer requires tuning and reconfiguration of each client workstation or PC.
- Non-UNIX, real-time, embedded operating system-eliminates the risks of a general-purpose operating system and delivers outstanding performance.
- Standards-based virtual private networking-enables administrators to reduce the cost of connecting mobile users and remote sites to the corporate network via the Internet or other public IP networks.
- Adaptive Security Algorithm-provides stateful security for all TCP/IP sessions to protect sensitive and confidential resources.
- Stateful failover/hot standby-provides high availability, making the network as reliable as possible.
- Network Address Translation (NAT)-conserves valuable IP addresses, expands the network address space, and hides internal IP addresses from the outside.
- Cut-through proxy-provides the industry's highest level of authentication performance and lowers the cost of ownership by reusing existing authentication databases.
- Multiple network interface cards-provide strong security for web and other public-access servers, multiple extranet links to different partners, protected logging, and URL filtering servers.
- Supports up to 380,000 simultaneous connections-deploying a few firewalls can greatly improve proxy server performance.
- Denial-of-service prevention-protects the firewall and the servers and clients behind it from destructive hacker attacks.
- Support for a wide range of applications-reduces the overall impact of the firewall on network users.
- Java applet filtering-enables the firewall to block potentially dangerous Java applets on a per-client or per-IP-address basis.
- Support for multimedia applications-reduces the administrative time and cost required to support these protocols. No special client configuration is required.
- Simple to set up-a general security policy can be implemented with just 6 commands.
- Compact design-can be deployed more easily on a desktop or in a smaller office.
- URL filtering-when used together with the Websense Enterprise software, provides the ability to control which Web sites users can access and maintains audit trail data for billing purposes, with minimal impact on PIX Firewall performance.
- Mail protection-eliminates the need for an external mail relay in the perimeter network and also guards against denial-of-service attacks during external mail forwarding.
Performance overview of the PIX 525

| Performance overview | |
|---|---|
| Clear-text throughput | 370 Mbps |
| 168-bit 3DES IPsec VPN throughput | 145 Mbps |
| Concurrent VPN tunnels | 2000 |
| Concurrent connections | 380,000 (7500/sec) |
PIX 535 Product Essentials and application environment
The carrier-class performance of the Cisco Secure PIX Firewall 535 meets the needs of large enterprise networks and service providers. As part of the world's leading Cisco Secure PIX Firewall series, the PIX 535 delivers unmatched security, reliability, and performance for today's network customers. The firewall flexibly combines stateful firewall and IP Security (IPsec) virtual private network (VPN) capabilities with Gigabit Ethernet throughput.
The PIX 535 is a purpose-built firewall appliance capable of providing unprecedented protection. It is tightly integrated with the PIX operating system (OS), a dedicated, hardened system that eliminates the security vulnerabilities and performance degradation costs of general-purpose platforms. At the heart of the PIX 535 Firewall is a protection mechanism based on the Adaptive Security Algorithm (ASA), which provides stateful connection-oriented firewalling for 500,000 simultaneous connections while preventing common denial-of-service (DoS) attacks.
In addition, the PIX 535 is a fully functional VPN gateway capable of transmitting data securely over public networks; it supports site-to-site and remote-access VPN applications using 56-bit Data Encryption Standard (DES) or 168-bit 3DES. The integrated VPN capability of the PIX 535 is backed by the optional VPN Accelerator Card (VAC), providing 495 Mbps throughput and 2000 IPsec tunnels.
High availability is achieved by deploying a redundant hot-standby unit that maintains the same connections through automatic state synchronization. This ensures that sessions are preserved even in the event of a system failure and that the switchover is transparent to network users. In addition, the PIX 535 allows you to add optional redundant, hot-swappable power supplies to the AC or DC model, making it a truly fault-tolerant security device.
PIX 535 restricted software version
The PIX 535 with the restricted software license is equipped with 512 MB of RAM, supports up to 6 Gigabit Ethernet or 10/100 Fast Ethernet interfaces, and includes a VAC.
PIX 535 unrestricted software version
The PIX 535 with the unrestricted software license is equipped with 1 GB of RAM, supports up to 8 Gigabit Ethernet or 10/100 Fast Ethernet interfaces, and includes a VAC. In addition, the PIX 535-UR adds the ability to share state information with a hot-standby PIX to achieve full firewall redundancy.
Performance summary of the PIX 535

| Performance overview | |
|---|---|
| Clear-text throughput | 1.675Mbps |
| 168-bit 3DES IPsec VPN throughput | 495 Mbps |
| Concurrent VPN tunnels | 2000 |
| Concurrent connections | 500,000 (9400/sec) |
Technical Specifications
Processor: 1.0 GHz Intel Pentium III
Random access memory: 512 MB or 1 GB SDRAM (PC133)
Flash memory: MB
Cache: 256 KB level 2, 1 GHz
System bus: dual 64-bit, 66 MHz PCI; single 32-bit, 33 MHz PCI
Expansion:
Interfaces:
Cisco high-end firewall 6503/6506/6509 product essentials, application environment, and solution application
The Cisco Catalyst 6503/6506/6509 high-end firewall is a high-speed, integrated firewall that delivers the fastest firewall throughput in the industry: 5 Gbps throughput, 100,000 connections per second (CPS), and 1 million concurrent connections. Up to four FWSM firewall modules can be installed in a single chassis, so that each chassis can provide up to 20 Gbps of throughput. As part of the world's leading Cisco PIX Firewall series, the 6503/6506/6509 high-end firewall provides unmatched security, reliability, and performance for large enterprises and service providers.
The 6503/6506/6509 high-end firewall (FWSM) employs Cisco PIX technology and runs the Cisco PIX operating system (OS), a real-time, hardened embedded system that eliminates security vulnerabilities and prevents the kinds of losses that lead to performance degradation. The core of this system is a protection mechanism based on the Adaptive Security Algorithm (ASA), which provides a stateful, connection-oriented firewall. Using ASA, the FWSM creates a connection table entry for each session flow based on the source and destination addresses, randomized TCP sequence numbers, port numbers, and other TCP flags. The FWSM then controls all inbound and outbound traffic by enforcing the security policy against these connection table entries.
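The stateful-inspection behaviour described for ASA above (both the PIX 525 description earlier on the page and the FWSM connection table here) as a toy Python model. This is an added illustration, not Cisco's PIX or FWSM code: the "inside"/"outside" interface names, the packet layout, the 65535 sequence-number window, the policy that only the inside interface may open connections, and the sample addresses are all assumptions. It deliberately omits ISN randomization, timeouts, NAT and non-TCP protocols, which the real product handles.

```python
"""Toy stateful packet inspector in the spirit of the ASA connection table.
Constructed illustration, not Cisco code: interface names, window size,
packet layout and the sample traffic below are all assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

WINDOW = 65535  # assumed acceptable forward jump in sequence number


@dataclass(frozen=True)
class Packet:
    iface: str             # interface the packet arrived on: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # TCP flags present, e.g. frozenset({"SYN", "ACK"})
    seq: int
    ack: int = 0


@dataclass
class Conn:
    state: str              # "SYN_SENT" or "ESTABLISHED"
    in_seq: int             # last sequence number seen from the initiator
    out_seq: Optional[int]  # last sequence number seen from the responder


Key = Tuple[str, int, str, int]  # (src, sport, dst, dport) as seen from the initiator


def in_window(last: int, seq: int) -> bool:
    return last <= seq <= last + WINDOW


class StatefulFirewall:
    """Only the higher-security (inside) interface may open a connection; packets
    from outside pass only when they match an existing entry and its sequence state."""

    def __init__(self) -> None:
        self.table: Dict[Key, Conn] = {}

    def process(self, p: Packet) -> str:
        fwd: Key = (p.src, p.sport, p.dst, p.dport)
        rev: Key = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            return self._from_initiator(fwd, p)
        if rev in self.table:
            return self._from_responder(rev, p)
        # No entry yet: an entry is created only for a bare SYN arriving from inside.
        if p.iface == "inside" and p.flags == frozenset({"SYN"}):
            self.table[fwd] = Conn("SYN_SENT", p.seq, None)
            return "PERMIT"
        return "DENY"

    def _from_initiator(self, key: Key, p: Packet) -> str:
        c = self.table[key]
        if not in_window(c.in_seq, p.seq):
            return "DENY"
        if "RST" in p.flags:  # a reset tears the entry down
            del self.table[key]
            return "PERMIT"
        c.in_seq = p.seq
        if c.state == "SYN_SENT" and "ACK" in p.flags and c.out_seq is not None:
            c.state = "ESTABLISHED"  # third packet of the handshake
        return "PERMIT"

    def _from_responder(self, key: Key, p: Packet) -> str:
        c = self.table[key]
        if c.state == "SYN_SENT":
            # Only a SYN-ACK (or a refusing RST) acknowledging ISN+1 is accepted.
            if p.ack != c.in_seq + 1:
                return "DENY"
            if "RST" in p.flags:
                del self.table[key]
                return "PERMIT"
            if p.flags == frozenset({"SYN", "ACK"}):
                c.out_seq = p.seq
                return "PERMIT"
            return "DENY"
        if c.out_seq is None or not in_window(c.out_seq, p.seq):
            return "DENY"
        if "RST" in p.flags:
            del self.table[key]
            return "PERMIT"
        c.out_seq = p.seq
        return "PERMIT"


def demo() -> List[str]:
    """Constructed traffic: one inside-initiated HTTP session plus two outside
    packets that a stateful firewall should drop."""
    fw = StatefulFirewall()
    inside, server, intruder = "10.1.1.5", "203.0.113.10", "198.51.100.7"
    traffic = [
        Packet("inside", inside, 40000, server, 80, frozenset({"SYN"}), seq=1000),
        Packet("outside", server, 80, inside, 40000, frozenset({"SYN", "ACK"}), seq=5000, ack=1001),
        Packet("inside", inside, 40000, server, 80, frozenset({"ACK"}), seq=1001, ack=5001),
        # Unsolicited SYN from outside: no table entry, so it is dropped.
        Packet("outside", intruder, 5555, inside, 22, frozenset({"SYN"}), seq=77),
        # Matches the 4-tuple but carries a sequence number far outside the window.
        Packet("outside", server, 80, inside, 40000, frozenset({"ACK"}), seq=999_999_999, ack=1001),
        # Genuine server data within the window passes.
        Packet("outside", server, 80, inside, 40000, frozenset({"ACK"}), seq=5001, ack=1001),
    ]
    return [fw.process(p) for p in traffic]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `PERMIT, PERMIT, PERMIT, DENY, DENY, PERMIT`: the handshake builds the entry, the unsolicited outside SYN finds no entry, and the packet that matches the 4-tuple is still refused because its sequence number does not fit the tracked state. That last case is why a connection table records sequence numbers and flags rather than just addresses and ports.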
FWSM Integrated Firewall module
The 6503/6506/6509 high-end firewall is the FWSM Firewall Services Module installed inside a Cisco Catalyst 6500 Series switch or Cisco 7600 Internet router; any Catalyst 6500 port can act as a firewall port, and stateful firewall security is thereby integrated into the network infrastructure. This is important for sites with very limited rack space. The Cisco Catalyst 6500 truly becomes the preferred IP services switch for customers who require a variety of intelligent services, such as firewalling, intrusion detection, virtual private networks (VPN), and multilayer LAN, WAN, and MAN switching.
Adapt to future needs
The 6503/6506/6509 high-end firewall (FWSM) supports 5 Gbps of throughput, providing unmatched performance that lets users meet future requirements without a complete system upgrade. Up to four FWSMs can be added to a Catalyst 6500 to meet the evolving needs of your users.
Reliability
The FWSM firewall module is based on Cisco PIX technology and uses the same proven Cisco PIX operating system, a secure, real-time operating system. The FWSM leverages proven Cisco PIX packet-inspection technology to provide a unique combination of performance and security on a single platform.
Low overall operating costs
The FWSM offers the best price/performance ratio of any firewall. Because the FWSM firewall module is based on the Cisco PIX Firewall, training and management costs are low, and because it is integrated into the Catalyst 6500 chassis, the number of devices that need to be managed is greatly reduced.
Ease of Use
The intuitive graphical user interface (GUI) of the Cisco PIX Device Manager can be used to manage and configure the FWSM.
FWSM firewall features

| Main feature | Advantages |
|---|---|
| Performance | 5 Gbps; 1 million concurrent connections; more than 100,000 connections set up and torn down per second |
| Multiple interfaces | Up to 100 firewall VLANs (any Cisco Catalyst 4000 VLAN can act as a firewall VLAN); support for 802.1Q and ISL; cut-through proxy; security policies enforced per VLAN |
| Configuration support | Console to the command-line interface (CLI); Telnet to the inside interface of the Cisco PIX Firewall; IPsec-protected Telnet to the outside interface of the Cisco PIX Firewall; SSH to the CLI; SSL to the Cisco PIX Device Manager |
| AAA support | Integrates standard authentication, authorization, and accounting services with TACACS+ and RADIUS support |
| NAT/PAT support | Provides dynamic and static Network Address Translation (NAT) and Port Address Translation (PAT) |
| Cisco PIX Device Manager (PDM) | A simple, intuitive, web-based GUI supporting remote firewall management; multiple reports based on real-time and historical data provide information on usage trends, baseline performance, and security events |
| Secure network management | Secure management access protected with Triple Data Encryption Standard (3DES) encryption |
| Access control lists | Supports up to 128,000 access control list entries |
| URL filtering | Policy is set on the server and outbound URL requests are checked using the Websense software |
| Command authorization | Assigns privilege levels to all CLI commands and creates user accounts or login contexts that correspond to those levels |
| Object groups | Ability to group network objects (such as hosts) and services (such as FTP and HTTP) |
| DoS prevention | DNS Guard; Flood Defender; Flood Guard; TCP Intercept; Unicast Reverse Path Forwarding; FragGuard and virtual reassembly |
| Routing | Static routing; dynamic routing such as Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) |
| High availability | Stateful failover between devices |
| Logging | Comprehensive system log plus FTP, URL, and ACL logs |
| Other protocols | H.323 v2; NetBIOS over IP; RAS version 2; RTSP; SIP; XDMCP; Skinny |
6503/6506/6509 High-end firewall application environment
The 6503/6506/6509 high-end firewall is deployed in the network topology of an enterprise campus data center.
Today's enterprises not only need perimeter security but also need to connect business partners, provide campus security zones, and provide security services to the various departments within the enterprise. The 6503/6506/6509 high-end firewall provides a flexible, cost-effective, high-performance solution by allowing users and administrators to set up security domains within the enterprise, each with its own policy. Figure 2 shows a campus deployment that uses stateful filtering to create separate VLAN-based security domains.
With the 6503/6506/6509 high-end firewall, users can apply a corresponding policy to each VLAN.
Data centers also need stateful firewall security to protect data and deliver gigabit performance at the lowest possible cost. The 6503/6506/6509 high-end firewall maximizes the return on capital investment by offering the best price/performance ratio of any firewall, allowing customers to forgo the expensive firewall products they previously had to buy along with additional firewall load-balancing devices.
Cisco IOS router firewall products and features
Cisco IOS routers offer powerful security features, and where tight integration is required, Cisco's full range of routers running the security-enabled IOS software is also a flexible option.
Cisco IOS Firewall software highlights a wide variety of powerful security features, including:
- Context-based access control (CBAC)
- Intrusion detection
- Authentication proxy
- Denial-of-service detection and prevention
- Dynamic port mapping
- Java applet blocking
- VPN, IPsec encryption, and QoS support
- Real-time alerts
- Network transaction audit trail
- Event logging
- Firewall management
- Integration with Cisco IOS software
- Basic and advanced traffic filtering
- Policy-based multi-interface support
- Network Address Translation
- Time-based access lists
- Peer router authentication