Cisco PIX - Description of Operation

Description of Operation

The PIX runs a custom-written proprietary operating system originally called Finese (Fast InterNEt Server Executive), but now the software is known simply as PIX OS. It is classified as a network layer firewall with stateful inspection, although technically the PIX would more precisely be called a Layer 4, or Transport Layer, firewall, because it controls access not just by Network Layer routing but by socket-based connections (an IP address and a port; port communications occur at Layer 4). By default it allows internal connections out (outbound traffic), and only allows inbound traffic that is a response to a valid request or is allowed by an Access Control List (ACL) or a conduit. The PIX can be configured to perform many functions, including network address translation (NAT) and port address translation (PAT), as well as acting as a virtual private network (VPN) endpoint appliance.

The PIX was the first commercially available firewall product to introduce protocol-specific filtering, with the introduction of the "fixup" command. The PIX "fixup" capability allows the firewall to apply additional security policies to connections identified as using specific protocols. Two protocols for which specific fixup behaviors were developed are DNS and SMTP. The DNS fixup originally implemented a very simple but effective security policy: it allowed just one DNS response from a DNS server on the Internet (reached through the outside interface) for each DNS request from a client on the protected (inside) interface. "Fixup" has been superseded by "Inspect" on later versions of PIX OS.
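The one-response-per-request policy described above can be modelled as a small state table. This is an added example, not PIX OS code: the class name `DnsReplyGuard`, the key of client address, client port, server address and DNS transaction ID, and the sample addresses and messages are all assumptions made for illustration.

```python
import struct

def dns_header(payload):
    """Return (transaction id, is_response), or None if the 12-byte header is truncated."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # QR bit: 0 = query, 1 = response

class DnsReplyGuard:
    """Hypothetical model of the policy: admit one outside reply per inside query."""
    def __init__(self):
        self.pending = {}  # (client, client port, server, txid) -> replies still owed

    def outbound(self, client, cport, server, payload):
        """Inside-to-outside traffic passes by default; queries are recorded."""
        hdr = dns_header(payload)
        if hdr and not hdr[1]:
            key = (client, cport, server, hdr[0])
            self.pending[key] = self.pending.get(key, 0) + 1  # a retransmit adds a slot
        return True

    def inbound(self, server, client, cport, payload):
        """Outside-to-inside: pass only a response that matches a recorded query."""
        hdr = dns_header(payload)
        if hdr is None or not hdr[1]:
            return False  # malformed, or not a response at all
        key = (client, cport, server, hdr[0])
        if self.pending.get(key, 0) == 0:
            return False  # unsolicited, or the single allowed reply already passed
        self.pending[key] -= 1
        if self.pending[key] == 0:
            del self.pending[key]  # state is torn down once the reply is consumed
        return True

def sample_message(txid, response):
    """Constructed 12-byte DNS header with empty sections, for demonstration only."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)

def demo():
    guard = DnsReplyGuard()
    client, server = "192.0.2.10", "198.51.100.53"  # constructed documentation addresses
    guard.outbound(client, 33000, server, sample_message(0x1A2B, False))
    reply = sample_message(0x1A2B, True)
    return [
        guard.inbound(server, client, 33000, reply),         # first reply
        guard.inbound(server, client, 33000, reply),         # duplicate reply
        guard.inbound("203.0.113.9", client, 33000, reply),  # reply from another server
        guard.inbound(server, client, 33000, b"\x1a\x2b"),   # truncated message
    ]

if __name__ == "__main__":
    print(demo())
```

Only the first reply is admitted; the duplicate, the reply from a server that was never queried, and the truncated message are all dropped because no matching state remains.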

The Cisco PIX was also one of the first commercially available security appliances to incorporate IPSec VPN gateway functionality.

The PIX can be managed by a command line interface (CLI) or a graphical user interface (GUI). The CLI is accessible from the serial console, Telnet and SSH. GUI administration was introduced with version 4.1, and it has been through several incarnations: PIX Firewall Manager (PFM) for PIX OS versions 4.x and 5.x, which runs locally on a Windows NT client; PIX Device Manager (PDM) for PIX OS version 6.x, which runs over HTTPS and requires Java; and Adaptive Security Device Manager (ASDM) for PIX OS version 7 and greater, which can run locally on a client or in reduced-functionality mode over HTTPS. Examples of emulators include PEMU and Dynagen; NetworkSims.com ProfSIMs (Networksims) is a simulator.

As the PIX is an acquired product, the CLI was originally not aligned with the Cisco IOS syntax. Starting with version 7.0, the configuration is much more IOS-like. As the PIX only supports IP traffic (as opposed to IPX, DECNet, etc.), 'ip' is omitted in most configuration commands. The configuration is upwards compatible, but not downwards. When a 5.x or 6.x configuration is loaded on a 7.x platform, it is automatically converted to 7.x formatting, as long as the configuration was using ACLs rather than conduits and "outbounds". This allows for an easy migration from PIX to ASA. PIX OS v7.0 is only supported on models 515, 515(E), 525 and 535. Although the 501 and 506E are relatively recent models, their flash memory size of only 8 MB prevents official upgrading to version 7.x, although 7.x can be installed on a 506E using monitor mode up to version 7.1(2). The 8 MB flash size only allows for installation of the PIX OS software, not the ASDM software (GUI). For the PIX 515(E) to run version >7.0, a doubling of the memory size is required (from 32 to 64 MB for Restricted and from 64 to 128 MB for Unrestricted/Failover licenses). A 515(E) UR/FO can run 7.0 with 64 MB memory installed, but that is not recommended, as larger configurations and session/xlate tables can exceed the available memory.
