■ Cisco Secure Integrated Software
■ Cisco Secure Integrated VPN Software
■ Cisco Secure VPN Client
■ Cisco Secure Access Control Server
■ Cisco Secure Scanner
■ Cisco Secure Intrusion Detection System
■ Cisco Secure Policy Manager
■ Cisco Secure Consulting Services
The breadth of these products provides a fairly complete set of security solutions for organizations to protect the availability, confidentiality, and integrity of their systems.
Cisco Secure PIX Firewall
Firewalls are typically placed at network borders to create a security perimeter. Most frequently, they are used to protect an internal network from external access. Firewalls may also be used internally to control network access to specific departments or resources. The Cisco Secure PIX Firewall series of products are dedicated firewall appliances. All models offer VPN, IPSec, and firewall capabilities. The three models—506, 515, and 520—provide performance levels ranging from small offices up to large enterprises and Internet Service Providers (ISPs). Choose the appropriate model based on the throughput and number of interfaces needed for your application.
Security policies can be enforced consistently across large enterprises and ISPs with the Cisco Secure Policy Manager. It can centrally manage up to 500 Cisco Secure PIX Firewalls. Organizations providing managed network security to many customers will also appreciate this centralized management feature.
Cisco Secure PIX Firewall 506 has two integrated 10BaseT ports. The 515-R is limited to two 10/100 Ethernet interfaces. The 515-UR and the 520 provide up to six 10/100 Ethernet interfaces. The 520 also gives the option of up to four 4/16 Mbps Token Ring or two dual-attached, multimode FDDI interfaces.
Common features shared by all models are as follows:
Embedded, Real-Time Operating System The proprietary operating system was developed specifically for the PIX firewall. It provides high performance and is immune to UNIX security breaches, but it relies on security by obscurity: the code is a trade secret held by Cisco.
Stateful Inspection Cisco calls it the Adaptive Security Algorithm (ASA). ASA tracks the state of connections based upon source address, destination address, sequence numbers, port numbers, and TCP flags. Forwarding decisions are based on applying the configured security policy to these parameters.
VPN Tunnels Using DES or 3DES This feature provides confidentiality across untrusted networks. The addition of the PIX Private Link encryption card allows the PIX to create and/or terminate VPN tunnels between two PIX firewalls, between a PIX and any Cisco VPN-enabled router, and between a PIX and the Cisco Secure VPN Client. The 506 supports up to 4 VPN peers. The 515 and 520 support up to 256 peers.
Java Applet Filter Java applets can be blocked when delivered in HTTP content. More sophisticated filtering requires a third-party product.
NOTE
Three basic types of firewalls are available today. Some firewall products combine more than one of these approaches to compensate for the strengths and weaknesses of each.
Packet Filters look at the protocol, address, or port information in each packet and make a forwarding decision for that packet based on rules. Access Control Lists (ACLs) on routers are an example of packet filters. Packet filters are useful for blocking source or destination addresses, and can restrict the services accessible.
Proxy Servers use a specific application for each service that will be forwarded through the firewall. The proxy application takes requests on one interface, examines the contents of the traffic, and makes a forwarding decision based on policy rules. Proxies offer excellent security, but you must have an application for each service that will be processed by the firewall. Proxy-based firewalls have the slowest performance of the three types.
Stateful Inspection analyzes all the communication layers, extracts the relevant communication and application state information, and dynamically maintains the state of communications in tables. Forwarding decisions are based upon the configured security policy. Stateful inspection offers flexibility and performance.
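To make the stateful inspection described above (ASA's connection tracking by address, port and TCP flags) concrete, here is an added example that is not code from the book or from Cisco: a toy connection table that lets inside hosts open connections outward and forwards inbound packets only when they match a known connection. The addresses, the inside prefix and the packet list are constructed for the example.

```python
# Added example, not from the book: a toy connection-tracking engine in the
# spirit of the PIX Adaptive Security Algorithm. Inside hosts may open TCP
# connections outward; inbound packets pass only when the table already knows
# the connection. ASA's sequence-number checks are omitted here.
from dataclasses import dataclass

INSIDE_NET = "10.0.0."          # constructed inside address prefix
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str                  # TCP flags as letters: "S", "SA", "A", "F", "R"

class StatefulInspector:
    def __init__(self):
        self.table = {}         # (src, sport, dst, dport) -> connection state

    def decide(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:
            if "R" in p.flags:              # reset tears the entry down
                del self.table[key]
            elif "F" in p.flags:            # FIN: remember that closing began
                self.table[key] = "CLOSING"
            elif self.table[key] == "SYN_SENT" and p.flags == "SA" and key == rev:
                self.table[key] = "ESTABLISHED"   # handshake answered from outside
            return "forward"
        # No state yet: only a SYN from the inside may create an entry.
        if p.src.startswith(INSIDE_NET) and p.flags == "S":
            self.table[fwd] = "SYN_SENT"
            return "forward"
        return "drop"           # unsolicited inbound traffic never gets through

def inspect(packets):
    """Return the per-packet decisions and the number of entries left."""
    insp = StatefulInspector()
    decisions = [insp.decide(p) for p in packets]
    return decisions, len(insp.table)
SAMPLE = [  # constructed traffic, not a captured trace
    Packet("10.0.0.5", "198.51.100.9", 40000, 80, "S"),    # inside opens HTTP
    Packet("198.51.100.9", "10.0.0.5", 80, 40000, "SA"),   # reply matches state
    Packet("198.51.100.9", "10.0.0.5", 80, 40001, "S"),    # unsolicited inbound
    Packet("10.0.0.5", "198.51.100.9", 40000, 80, "R"),    # inside tears down
    Packet("198.51.100.9", "10.0.0.5", 80, 40000, "A"),    # late packet, no state
]
```

Running inspect(SAMPLE) forwards the inside-initiated connection and its reply, drops the unsolicited inbound SYN, and drops the stray ACK that arrives after the reset removed the entry; a stateless packet filter would have to open all high ports inbound to let the legitimate reply through.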
The 515 and 520 models offer additional features of interest to larger organizations:
Network Address Translation (NAT) NAT conserves the IP address space by translating up to 64,000 internal hosts to a single external IP address. The PIX firewall uses port address translation (PAT) to multiplex each internal host with a different port number. PAT does not work with H.323 applications, multimedia applications, or caching nameservers.
Failover/Hot Standby Option This feature improves availability of the network. It is not available on the 515-R. Cisco has created a Fail-Over Bundle (515-UR only) to add software and a second chassis to create a redundant firewall configuration.
Cut-through User Authentication A cut-through proxy is used to authenticate users with a TACACS+ or RADIUS server. This feature improves performance for authentication, authorization, and accounting. Once the username and password have been verified against the authentication server, the PIX firewall lets the rest of that connection's traffic pass directly, without further involvement of the proxy.
URL Filtering A NetPartners WebSENSE server is needed to utilize this feature. The PIX firewall permits or denies connections based on the outbound URL requests and the policy on the WebSENSE server.
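The NAT/PAT feature above multiplexes many inside hosts onto one outside address by giving each connection its own outside port. The following is an added example, not code from the book or from Cisco, showing that translation table, what happens when the port pool runs out (the source of the "up to 64,000 hosts" figure), and why PAT alone breaks protocols such as H.323 that carry addresses in their payload. The outside address, the tiny port pool and the payloads are constructed for the example.

```python
# Added example, not the book's code: port address translation (PAT) as the
# text describes it. Many inside hosts share one outside address; each
# connection receives its own outside port so that replies can be mapped back.

class PatTable:
    def __init__(self, outside_addr, first_port=1024, last_port=65535):
        self.outside = outside_addr
        # pop() hands out the lowest port first; the default pool is ~64,000 ports
        self.free = list(range(last_port, first_port - 1, -1))
        self.out_map = {}       # (inside_ip, inside_port) -> outside_port
        self.in_map = {}        # outside_port -> (inside_ip, inside_port)

    def translate_outbound(self, inside_ip, inside_port):
        """Rewrite an inside (ip, port) to (outside_addr, unique port)."""
        key = (inside_ip, inside_port)
        if key not in self.out_map:
            if not self.free:
                return None                 # port pool exhausted: no translation
            port = self.free.pop()
            self.out_map[key] = port
            self.in_map[port] = key
        return (self.outside, self.out_map[key])

    def translate_inbound(self, outside_port):
        """Map a reply on an outside port back to the inside host, or None."""
        return self.in_map.get(outside_port)

    def release(self, inside_ip, inside_port):
        """Return a port to the pool when the connection ends."""
        port = self.out_map.pop((inside_ip, inside_port), None)
        if port is not None:
            del self.in_map[port]
            self.free.append(port)

def embeds_inside_address(payload, inside_ip):
    # PAT rewrites only the IP and TCP/UDP headers. Protocols such as H.323
    # carry the caller's address inside the application data, so the peer
    # would see an unreachable inside address unless the firewall also
    # inspects and fixes up the payload (an application-layer function).
    return inside_ip.encode() in payload

# Constructed demonstration: two inside hosts using the same source port
# share one outside address and are told apart only by the translated port.
DEMO = PatTable("203.0.113.1", first_port=1024, last_port=1025)
DEMO_RESULT = [DEMO.translate_outbound("10.0.0.5", 40000),
               DEMO.translate_outbound("10.0.0.6", 40000),
               DEMO.translate_outbound("10.0.0.7", 5000)]   # third: pool is empty
```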
Table 1.1 compares the performance of the PIX firewalls offered by Cisco.
Table 1.1 Cisco Secure PIX Firewall Performance Comparison

Model    Throughput   Simultaneous Sessions
506      10 Mbps      N/A
515-R    120 Mbps     50,000
515-UR   120 Mbps     125,000
You will find configuration details on Cisco Secure PIX Firewalls in Chapter 4, “Cisco PIX Firewall.” Additional information on related topics is found in Chapter 3, “Network Address Translation,” Chapter 5, “Virtual Private Networks,” and Chapter 6, “Cisco Authentication, Authorization, and Accounting Mechanisms.”