Cisco PIX
History
Cisco PIX (Private Internet EXchange) is a firewall originally conceived in March 1994 by John Mayes of Redwood City, California and coded by Brantley Coile of Athens, Georgia. The PIX name derives from Coile's aim of creating the functional equivalent of an IP PBX: at a time when NAT was just being investigated as a viable approach, he wanted to conceal one or more blocks of RFC 1918 IP addresses behind one or more registered IP addresses, much as a PBX does for internal phone extensions. When he began, RFC 1631 was being discussed, but the now-familiar RFC 1918 had not yet been submitted.
Design and testing were carried out in 1994 by John Mayes, Brantley Coile[1] and Johnson Wu of Network Translation, Inc., with Brantley Coile being the sole software developer. Beta testing was completed and first customer acceptance took place on December 21, 1994 at KLA Instruments in San Jose, California. The PIX was awarded the Data Communications Magazine "Hot Product of the Year" award for 1994.[1]
After Cisco acquired Network Translation in 1995, Brantley hired four long-time associates: Jim Jordan, Tom Bohannon, Richard Howes and Pete Tenereillo (the latter two had worked for NTI prior to the acquisition). Together they developed Finesse OS and the original version of the Cisco PIX Firewall, now known as the PIX "Classic". During this time, the PIX shared most of its code with another Cisco product, the LocalDirector. After Cisco acquired Global Internet Software Group in 1997, the PIX was sold alongside GISG's Windows NT-based software firewall product, known as the Centri firewall, until 2000.[2]
In May 2005, Cisco introduced the Adaptive Security Appliance (ASA), which combines functionality from the PIX, VPN 3000 series and IDS product lines. The ASA series of devices run PIX code 7.0 and later. Through PIX OS release 7.x the PIX and the ASA use the same software images. Beginning with PIX OS version 8.x, the operating system code diverges, with the ASA using a Linux kernel and the PIX continuing to use the traditional Finesse/PIX OS combination.[3]
Description of operation
The PIX runs a custom-written proprietary operating system originally called Finesse (Fast InterNEt Server Executive); the software is now known simply as PIX OS. It is classified as a network layer firewall with stateful inspection, although technically the PIX would more precisely be called a Layer 4 (Transport Layer) firewall, since its access control is not restricted to Network Layer routing but operates on socket-based connections (an IP address plus a port; port-level communication occurs at Layer 4). By design it allows internal connections out (outbound traffic), and only allows inbound traffic that is a response to a valid request or is permitted by an ACL (Access Control List) or a conduit. The PIX can be configured to perform many functions including NAT (network address translation) and PAT (port address translation), as well as serving as a VPN (Virtual Private Network) endpoint appliance.
The PIX was the first commercially available firewall product to introduce protocol-specific filtering, with the introduction of the "fixup" command. The PIX "fixup" capability allows the firewall to apply additional security policies to connections identified as using specific protocols. Two protocols for which specific fixup behaviors were developed are DNS and SMTP. The DNS fixup originally implemented a very simple but effective security policy: it allowed just one DNS response from a DNS server on the Internet (or outside interface) for each DNS request from a client on the protected (or inside) interface.
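A small model of the stateful default policy and the DNS fixup rule just described, added here as an illustration and not Cisco's code. It ignores NAT and assumes replies are matched on the client/server socket pair plus the DNS transaction ID; the packets are constructed sample values.

```python
"""Toy model of PIX stateful inspection with the original DNS fixup policy:
inside->outside queries open state, exactly one outside->inside reply per
query is admitted, and everything else inbound is dropped by default.
Added illustration, not PIX OS code. Packets below are constructed samples."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    txid: int           # DNS transaction ID taken from the UDP payload
    is_response: bool   # QR bit of the DNS header
    interface: str      # "inside" or "outside": where the packet arrived


# Pending-query key: client socket, server socket and transaction ID
# (an assumption about how the match is keyed, not Cisco's table layout).
FlowKey = Tuple[str, int, str, int, int]


class DnsFixup:
    """One-response-per-request DNS inspector on top of a default-deny inbound policy."""

    def __init__(self) -> None:
        self.pending: Set[FlowKey] = set()

    def inspect(self, pkt: Packet) -> str:
        if pkt.interface == "inside" and not pkt.is_response and pkt.dst_port == 53:
            # Outbound query: record the flow so its reply can be matched later.
            self.pending.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.txid))
            return "permit"
        if pkt.interface == "outside" and pkt.is_response and pkt.src_port == 53:
            # A reply is matched against the query by swapping the socket pair.
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.txid)
            if key not in self.pending:
                return "drop: no matching query"
            # First reply closes the state, so any later reply finds nothing.
            self.pending.discard(key)
            return "permit"
        return "drop: default policy"


def run_sample() -> List[str]:
    """Feed a constructed packet sequence through the inspector and return verdicts."""
    fw = DnsFixup()
    client = ("10.1.1.5", 40001)        # constructed inside host
    server = ("198.51.100.2", 53)       # constructed outside resolver
    query = Packet(*client, *server, txid=0x1A2B, is_response=False, interface="inside")
    reply = Packet(*server, *client, txid=0x1A2B, is_response=True, interface="outside")
    stale = Packet(*server, *client, txid=0x1A2C, is_response=True, interface="outside")
    unsolicited = Packet("203.0.113.9", 4444, "10.1.1.5", 8080,
                         txid=0, is_response=False, interface="outside")
    # Second copy of `reply` models an extra response to an already-answered query.
    return [fw.inspect(p) for p in (query, reply, reply, stale, unsolicited)]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```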
The Cisco PIX was also one of the first commercially available security appliances to incorporate IPSec VPN gateway functionality.
The PIX can be managed by a CLI or a GUI. The CLI is accessible from the serial console, telnet and SSH. GUI administration was introduced with version 4.1, and it has been through several incarnations: PFM (PIX Firewall Manager) for PIX OS versions 4.x and 5.x, which runs locally on a Windows NT client; PDM (PIX Device Manager) for PIX OS version 6.x, which runs over HTTPS and requires Java; and ASDM (Adaptive Security Device Manager) for PIX OS version 7 and greater, which can run locally on a client or in reduced-functionality mode over HTTPS.[4][5][6]
As the PIX is an acquired product, its command line interface (CLI) was originally not aligned with the Cisco IOS 'standards'. Starting with version 7.0, the configuration is much more IOS-like. As the PIX only supports IP traffic (not IPX, DECnet, etc.), 'ip' is omitted from most configuration commands. The configuration is upwards compatible, not downwards: when a 5.x or 6.x configuration is loaded on a 7.x platform, it is automatically converted to 7.x formatting. This allows for an easy migration from PIX to ASA. PIX OS v7.0 is only supported on models 515, 515(E), 525 and 535. Although the 501 and 506E are relatively recent models, their 8 MB flash size prevents support of version 7.x, although rumors are that 7.0 can be installed on a 506E (see external links). For the PIX 515(E), a doubling of the memory size is required (32->64 MB for Restricted and 64->128 MB for Unrestricted/Failover licenses).
Description of hardware
The PIX is constructed using Intel-based/Intel-compatible motherboards. Nearly all PIXes use Ethernet NICs with Intel network chipsets, but some older models are occasionally found with 3COM 3c590 and 3c595 Ethernet cards, Olicom-based Token Ring cards, or Interphase-based FDDI cards. Both the PIX 510 and 520 share basic components, such as motherboard, chassis, NICs, flash cards, etc., with the Cisco LocalDirector 416/420/430 and the Cisco Service Selector Gateway 6510 (SSG-6510), though each runs a different operating system. The PIX boots off a proprietary ISA flash memory daughtercard in the case of the PIX Classic, 10000, 510, 520, and 535, and off integrated flash memory in the case of the PIX 501, 506/506e, 515/515e, 525, and WS-SVC-FWM-1-K9.
The PIX technology is also sold as a blade, the FireWall Services Module (FWSM, part code WS-SVC-FWM-1-K9), for the Cisco Catalyst 6500 switch series and the 7600 Router series.
Specifications of past and present models
Current models
| Model | 501 | 506e | 515e | 525 | 535 | ASA 5520 | FWSM |
|---|---|---|---|---|---|---|---|
| Introduced | 2001 | 2002 | 2002 | 2000 | 2000 | 2005 | 2003 |
| CPU type | AMD SC520 5x86 [2] | Intel Celeron (Mendocino SL36A)[3] | Intel Celeron (Mendocino SL3BA)[4] | Intel Pentium III (Coppermine)[5] | Intel Pentium III (Coppermine) | Intel Pentium 4 Celeron | Intel Pentium, IBM 4GS3 PowerNP network processors |
| CPU speed | 133 MHz | 300 MHz | 433 MHz | 600 MHz | 1 GHz | 2 GHz | |
| Chipset | AMD SC520 | Intel 440BX Seattle | Intel 440BX Seattle | Intel 440BX Seattle | Broadcom Serverworks RCC | Intel 875P Canterwood | ? |
| Default RAM | 16 MB[6] | 32 MB | 64 (128) MB [7] | 128 (256) MB [8] | 512 (1024) MB [9] | 512 MB | 1 GB |
| Boot flash device | Onboard | Onboard | Onboard | Onboard | ISA card & Onboard[10] | Onboard | Onboard |
| Default flash | 8 MB[11] | 8 MB[12] | 16 MB[13] | 16 MB[14] | 16 MB | 64 MB | 128 MB |
| Boot flash chips | 1 x 28F640 | 1 x 28F640 | 1 x E28F128J3 | 1 x EF28F128J3 | 2 x i28F640J5 | ATA CompactFlash | |
| PIX BIOS flash chips | 28F640 | AM29F400B | AM29F400B | AM29F400B / E28F400B5T[15] | DA28F320J5[16] | AT49LW080 | |
| Minimum PIX OS version | 6.1(1) | 5.1(x) | 5.1(x) | 5.2(x) | 5.3(x) | 7.x | |
| Maximum PIX OS version officially supported | Latest 6.3(x) | Latest 6.3(x) | 7.x | 7.x | 7.x | 8.x | |
| Max interfaces | 2[17] | 2 | 6(3)[18] | 10(6)[19] | 14(8)[20] | 8 | |
| Fixed internal interface | 10/100baseT | 10/100baseT | 10/100baseT | 10/100baseT[21] | No | 10/100/1000 | No |
| Fixed external interface | 10/100baseT | 10/100baseT | 10/100baseT | 10/100baseT[22] | No | 10/100/1000 | No |
| PCI slots | 0 | 0 | 2 | 3 | 9 | 1 PCI-X | 0 |
| Expansion cards supported | No | No | 1 port FE, 4 port FE, 1 port 1000baseSX[23] | 1 port FE, 4 port FE, 1 port 1000baseSX | 1 port FE, 4 port FE, 1 port 1000baseSX | 1 port FE, 4 port FE, 1 port 1000baseSX | Yes[24] |
| Supports SSL VPN | No | No | No | No | No | Yes | No |
| VPN accelerator supported | No | No | Yes | Yes | Yes | Integrated | No[25] |
| Floppy drive | No | No | No | No | No | No | No |
| Failover supported | No | No | Yes | Yes | Yes | Yes | Yes |
Discontinued models
| Model | Classic 47-3158-01 | 10000 | 506 | 510 | 515 | 520 |
|---|---|---|---|---|---|---|
| Introduced | 1994 | 2000 | 1997 | 1999 | 1999 | |
| Discontinued | 1998 | 1998 | 2002 | 1999 | 2002 | 2001 |
| CPU type | Intel Pentium | Intel Pentium Pro[26] | Intel Pentium MMX[27] | Intel Pentium | Intel Pentium MMX[28] | Intel Pentium II (Deschutes)[29] |
| CPU speed | 133 MHz | 200 MHz | 200 MHz | 166 MHz | 200 MHz | 233-350 MHz[30] |
| Chipset | Intel 440FX Natoma | Intel 440FX Natoma | Intel 430TX | ? | Intel 430TX | 440LX/BX Balboa / Seattle |
| Default RAM | 8 MB | 16 MB | 32 MB | 16 MB | 32 (64) MB [31] | 128 MB |
| Boot flash device | ISA card | ISA card | Onboard | ISA card | Onboard | ISA card |
| Default flash | 512 KB / 2 MB[32] | 2 MB | 8 MB[33] | 2 MB | 16 MB[34] | 2 MB / 16 MB[35] |
| Boot flash chips | 2 x i28f020 / 4 x 29C040 [36] | 4 x 29C040[37] | 1 x i28F640J5 | 4 x 29C040 | 2 x i28F640J5 | 4 x 29C040 / 2 x i28F640J5[38] |
| PIX BIOS flash chips | ? / AM28F256 [39] | AM28F256[40] | AT29C257 | AM28F256 | AT29C257 | AM28F256 / AT29C257[41] |
| Minimum PIX OS version | 4.4(x) | 4.4(x) | 5.1(x) | 4.4(x) | | |
| Maximum PIX OS version | 6.0(0)[42] | 6.0(0)[43] | Latest 6.3(x)[44] | 5.3(4)[45] | Latest 8.x | Latest 6.3(x)[46] |
| Max interfaces | 2 | 6(3)[47] | 8(6)[48] | | | |
| Fixed internal interface | No | No | 10baseT | No | 10/100baseT | No |
| Fixed external interface | No | No | 10baseT | No | 10/100baseT | No |
| PCI slots | 4 | 4 | 0 | 4+[49] | 2 | 4+[50] |
| Expansion cards supported | 1 port FE, 1 port Token Ring, 1 port FDDI | 1 port FE, 1 port Token Ring, 1 port FDDI | No | 1 port FE, 1 port Token Ring, 1 port FDDI | 1 port FE, 4 port FE, 1 port 1000baseSX[51] | 1 port FE, 4 port FE, 1 port 1000baseSX |
| VPN accelerator supported | Yes | Yes | No | Yes | Yes | Yes |
| Floppy drive | Yes | Yes | No | Yes | No | Yes |
| Failover supported | Yes | Yes | No | Yes | Yes | Yes |
---Information on models supported as of 6/27/2005 verified from Cisco's PIX Brochure (page 2) and the specific product pages
Performance specifications
| Model | PIX Classic | PIX 10000 | PIX 501 | PIX 506 | PIX 506e | PIX 510 | PIX 515 | PIX 515e | PIX 520[52] | PIX 525 | PIX 535 | ASA 5520 | FWSM |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Cleartext throughput, Mbit/s | 90 | 60 | 20 | 100 | 147 | 190 | 240 | 330 | 1655 | 450 | 5500 | ||
| 56-bit DES throughput, Mbit/s | 6 | 20 | n/a | n/a | n/a | n/a | ? | n/a | |||||
| 168-bit Triple DES throughput, Mbit/s | 3 | 6 | 16 | 10 / 63 (135)[53] [54] | 20 / 63 (135)[55] [56] | 20 [57] | 30 / 72 (145)[58] [59] | 50 / 100 (425)[60] [61] | 225 | n/a | |||
| AES-128 throughput, Mbit/s | 4.5 | 30 | 45 / 130 [62] | 65 / 135 [63] | 110 / 495 [64] | 225 | n/a | ||||||
| AES-256 throughput, Mbit/s | 3.4 | 25 | 35 / 130 [65] | 50 / 135 [66] | 90 / 425 [67] | 225 | n/a | ||||||
| Max simultaneous connections | 16,000 | 7,500 | 10,000 | 25,000 | 64,000 / 128,000[68] | 48,000 / 130,000[69] | 256,000 | 140,000 / 280,000[70] | 250,000 / 500,000[71] | 280,000 | 999,900 total / 100,000 per second | ||
| Max simultaneous hosts (users) | 10 / 50 / Unlimited[72] | Unlimited | Unlimited | 128 / 1000 / unlimited [73] | Unlimited | Unlimited | ? | 256,000 | |||||
| Max number of ACL's | ? | 80,000 | |||||||||||
| Max simultaneous VPN peers | 10 | 25 | 25 | 0 / 2000[74] | 0 / 2000[75] | 0 / 2000[76] | 750 IPSec, 750 SSL | n/a | |||||
List of part numbers for PCI and ISA expansion cards
- Flash cards
  - ??? - 512 kB ISA flash card used in the PIX Classic and 10000.
  - ??? - 2 MB ISA flash card used in the PIX Classic, 10000, 510, and 520, as well as the SSG-6510 and many LocalDirectors.
  - PIX-FLASH-16MB - 16 MB ISA flash card for the PIX 510, 520, and 535.
- Ethernet cards
  - PIX-1GE-66 - 64 bit/66 MHz 1000baseSX card for the PIX 53x. Based on the Intel Pro/1000-F fiber network card using the Intel TL82543GC (Intel code name "Livengood") ASIC (PWLA8490sx[77]). The 1000baseT variant of this card, the Intel Pro/1000-T Server adapter (PWLA8490t[78]), is not supported by PIX OS, due to Carrier Extension [79] interoperability problems with early 1000baseT switch products [80].
  - PIX-1GE - 32 bit/33 MHz 1000baseSX card for the PIX 52x. Based on the Intel PWLA8490 Pro/1000 fiber network card with the 82542 (Intel code name "Wiseman") chipset. The ASIC used on this card is the LSI L2A1157/695314-003 [81]. There is no 1000baseT variant of this card. In the release notes for PIX OS 6.02, Cisco advises against installing this card in the 525 and 535 [82], referencing caveat CSCdu00850, although this caveat actually only lists the PIX 535, which is the only model with a 66 MHz PCI bus.[83]
  - PIX-4FE-66 - 64 bit/66 MHz four-port 10/100 Fast Ethernet card. Based on the Intel 82559 chipset. Uses a DEC 21154BE bridge chip.
  - PIX-4FE - 32 bit/33 MHz four-port 10/100 Fast Ethernet card. Based on the Intel 82558b chipset. Uses an Intel 21154AC or DEC 21154AB bridge chip. All PIX-4FE cards are identified as "mcwa" cards when the PIX boots. It is unclear what "mcwa" stands for.
  - PIX-1FE - 32 bit/33 MHz one-port 10/100 Fast Ethernet card. Based on the Intel Pro/100+ family with the 82557, 82558 and 82559 chipsets. All PIX-1FE cards and a few other non-Cisco-branded Intel cards are identified as "mcwa" cards when the PIX boots. It is unclear what "mcwa" stands for.
  - ??? - 3COM 3c590 and 3c595 PCI NICs found in the PIX Classic, 510, 515, and 520. Mentioned in the version 4.4.1 install guide and supported through at least PIX OS 5.1.5 [84]. Since these are off-the-shelf PC components predating the creation of the PIX, there may not be PIX-specific part numbers for these at all.
- VPN/Encryption acceleration cards
  - PIX-VAC-PLUS - 64 bit/66 MHz IPSec hardware VPN accelerator card. Supported only on the 515, 515e, 520, 525, and 535 running PIX OS 6.3(1) or higher. Accelerates DES, 3DES, and AES. Part number 74-3176-01. Uses a BCM5823KPB-5 chip.
  - PIX-VPN-ACCEL - 32 bit/33 MHz IPSec hardware VPN accelerator card. Accelerates DES and 3DES.
  - PIX-PL2 - 32 bit/33 MHz PIX Private Line proprietary DES encryption card (discontinued and unsupported from PIX OS 6.0.1 on).
- FDDI and Token Ring cards
  - PIX-1TR - 32 bit/33 MHz 4/16 Mbit/s PCI Token Ring card based on the Olicom OC-3137/PE-67597 (discontinued and unsupported from PIX OS 6.0.1 on).
  - PIX-FDDI - 32 bit/33 MHz 100 Mbit/s SC duplex PCI FDDI card based on the Interphase 5511 FDDI card (PB05511-002). Discontinued and unsupported from PIX OS 6.0.1 on.
Footnotes
^ Brantley Coile now operates Coraid, which designs and manufactures network-attached storage.
^ The "inside" port is connected to an internal, unmanaged, auto-polarity 4-port switch.
^ Restricted package / Unrestricted package limits (referred to by Cisco as R and UR/FO/FO-AA, respectively). For the PIX 525, 512 MB RAM is not supported, but it works.
^ According to Cisco, the 1000baseSX card is not officially supported by the 515/515e, but it will work.
^ VAC acceleration vs. VAC+ acceleration (in parentheses; implies Unrestricted package).
^ Older 520's made before February 2000 and with a serial number less than 18025677 shipped with a 2 MB flash card. Newer 520's shipped with a 16 MB flash card [85].
^ The WS-SVC-FWM-1-K9 blade has no fixed ports or internal expansion; it uses either VLAN interfaces (backed by physical interfaces on a remote switch) or the physical interfaces of the switch/router it is installed in.
^ PIX Classic firewalls with a serial number of 06002015 or lower came with 512 KB flash. Newer models came with 2 MB flash [86].
^ The WS-SVC-FWM-1-K9 blade only supports IPSec VPN for management. It cannot terminate a VPN connection for remote users.
^ The PIX 520 received updated PII processors as they became available, starting with the PII 233 and ending with the PII 350. The Intel-manufactured SE440BX-2 ATX motherboard in the 520 can support any Slot 1 processor from the Celeron Covington, Celeron Mendocino, Pentium II Klamath, Pentium II Deschutes, and Pentium III Katmai families, as long as the CPUs use a 2.0 V core voltage and can run on a 66 or 100 MHz FSB. 133 MHz FSB CPUs may also be used, but they will run at slower speeds; for example, a 933 MHz CPU for a 133 MHz FSB will only run at 700 MHz. A slotket can also be used to install the newer 500 MHz - 1.1 GHz Socket 370 Pentium III Coppermine CPUs, as long as the slotket provides a voltage regulator and a manual bus speed selector. Some PIX 520 firewalls may use the Intel AL440LX motherboard instead of the SE440BX-2. The AL440LX may be replaced by an SE440BX-2 or similar motherboard, but the BIOS needs to be reconfigured.
^ Cannot be easily upgraded, due to clearance issues with the top cover.
^ In early 2005, Cisco indicated that PIX OS 7.x would only support the 515, 515e, 525, and 535, while a "stripped-down" version would eventually be released for the 501 and 506e. While not officially supported, it is possible to update the 506E to 7.x code by removing all GUI management software.
^ Running the highest possible PIX OS version requires the PIX-FLASH-16MB flash card, as the 5.2 through 6.3 train won't fit on a 512 KB or 2 MB flash card.
^ Shows flash chips on the 2 MB flash card versus the chips on the 16 MB flash card.
^ Various models of the 525 use different flash chips, probably due to differing production runs.
^ Shows flash chips on the 512 KB flash card versus the chips on the 2 MB flash card.
^ While the PIX 535 boots off the same ISA flash card as some PIX 510's and 520's (the PIX-FLASH-16MB), its newer on-board PIX BIOS (version 4.x) overrides the PIX BIOS on the flash card (version 3.6) at boot.
^ Since both the 510 and 520 have standard ATX motherboards, the PCI slot count can be higher or lower than the default if the motherboard is replaced with a different one.
^ The performance figures cited here are highly changeable, as one can upgrade the CPU in the PIX 520 to a 1 GHz Pentium III, which will considerably increase its throughput in all of the categories below, putting it on a level with the 525 and 535.
^ According to a 2002 field notice, 525's with serial numbers 44480380055 through 44480480044 were manufactured with erroneous EEPROM information in their 82559 chips that caused the onboard Fast Ethernet ports to behave erratically when set to full duplex. Starting with PIX OS 5.3.1, the "eeprom update" command reprograms the defective data and restores normal operation permanently. Viewing the field notice requires registration [87]. Most, if not all, 525's in use today within that range have likely been corrected, but an unused or unopened unit within that range would still need the corrective action to be taken.
^ It is theoretically possible to upgrade the Socket 8 Pentium Pro processor in the PIX Classic and 10000 with either an Intel Pentium II Overdrive (300 or 333 MHz depending on the system bus speed)[88] or a Powerleap PL-Pro/II Celeron adapter[89], both of which are long out of production. The Powerleap adapter natively allows use of a 300 - 533 MHz Mendocino Celeron PPGA processor. Coupled with the Powerleap Neo S370 FC-to-PPGA adapter, one can use a 533 - 766 MHz FC-PGA Coppermine-128 Celeron processor. However, the 60 or 66 MHz bus (no 100 MHz bus) and 72-pin SIMM memory limitations of the workstation-style 440FX board used limit the potential performance gains from such upgrades. Upgrading the motherboard to a compatible server-style 440FX board with DIMM slots may allow use of the 440FX chipset's theoretical limit of 1 GB of RAM, although if the motherboard is to be replaced, it may arguably be more cost-efficient to upgrade to an SE440BX-2 motherboard with a slotket and a Tualatin Celeron CPU. It is also worth noting that PIX OS later than 5.3.4 explicitly does not support the 440FX chipset.
^ The PIX 525 is known to come with a variety of processors, including 1.65 V 600 MHz (SL3VH) and 1.75 V 600 MHz (SL5BT). It would appear that all 1.65 V to 1.75 V 100 MHz FSB CPUs would work; this has been substantiated to 1000 MHz with an SL5QV 1.75 V CPU.
Citations
- ^ Brantley Coile's notes on creating the PIX. Retrieved on 2007-06-18.
- ^ Details of GISG's work. Retrieved on 2007-06-18.
- ^ Cisco open source license page. Retrieved on 2007-08-21.
- ^ FAQs for Cisco PFM. Retrieved on 2007-06-19.
- ^ Documentation on Cisco PDM. Retrieved on 2007-06-19.
- ^ Documentation on Cisco ASDM. Retrieved on 2007-06-19.
External links
- Cisco's website for the PIX series
- Cisco's website for the ASA 5500 Series
- Cisco's website for the PIX
- Notes on upgrading a PIX506E to 7.x
- PIX Simulator/Emulator - with over 90 challenges
The following links may require a free registration at Cisco's website to view.