Firewalls are essential components of an effective information security infrastructure. At its most basic level, a firewall is hardware or software that filters traffic between your network and the Internet. The firewall (hardware) I am most familiar with using is the Cisco PIX (Private Internet eXchange) Firewall. It was one of the first products in the IP firewall and NAT appliance market segments.
PIX firewalls include the following security and network services features:
- Network Address Translation (NAT) or Port Address Translation (PAT)
- Content filtering
- URL filtering
- IPsec VPN
- DHCP client/server
- PPPoE support
- Advanced security services for multimedia applications including Voice over IP (VoIP), H.323, SIP, Skinny
The firewall can be managed through its integrated web-based management interface, the PIX Device Manager (PDM), as well as the command-line interface (CLI) reached over Telnet, Secure Shell (SSH), or the console port, plus SNMP and syslog for monitoring.
Here are 10 steps to ensure your PIX Firewall is as secure as it can be:
- Password protect it
- Know your access-lists
- Log denials and errors
- Use SSH in place of Telnet
- Understand the ASA
- Enable optional security
- Keep the PIX OS and PDM patched
- Back up your configuration
- Use secure encryption
- Know your network
Read more in detail here: Cisco PIX Firewall: Lock it down in 10 steps
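As an added illustration of several of the steps above (password protection, SSH in place of Telnet, logging, and access-lists), here is a small audit script written for this post; it is not Cisco's or the original author's code. It scans a constructed PIX 6.x-style configuration and reports which checks fail; the sample configuration and the set of checks are assumptions, not a complete hardening baseline.

```python
import re

# Constructed sample PIX 6.x configuration (not from the page), with a few deliberately weak settings.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
telnet 0.0.0.0 0.0.0.0 inside
ssh 10.1.1.0 255.255.255.0 inside
logging on
logging trap informational
logging host inside 10.1.1.5
snmp-server community public
access-list acl_out permit tcp any host 203.0.113.10 eq www
access-list acl_out permit tcp any host 203.0.113.10 eq 443
access-group acl_out in interface outside
"""

IPV4_PAIR = r"\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+"


def audit_pix(config: str) -> list[str]:
    """Return one finding per hardening check that the configuration fails (empty list = all pass)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    has = lambda pat: any(re.match(pat, l) for l in lines)
    findings = []
    # Password protect it: both the enable password and the login (passwd) password must be set.
    if not has(r"enable password \S+"):
        findings.append("no enable password set")
    if not has(r"passwd \S+"):
        findings.append("no login (passwd) password set")
    # Use SSH in place of Telnet: any 'telnet <net> <mask> <if>' line permits clear-text management.
    if has(rf"telnet {IPV4_PAIR} \S+"):
        findings.append("telnet management access is enabled")
    if not has(rf"ssh {IPV4_PAIR} \S+"):
        findings.append("no ssh management access configured")
    # Log denials and errors: logging must be on and delivered to a syslog host.
    if not has(r"logging on$"):
        findings.append("logging is not enabled")
    if not has(r"logging host \S+ \S+"):
        findings.append("no syslog host configured")
    # Know your access-lists: every ACL applied to an interface should end with an explicit, logged deny.
    for acl, iface in re.findall(r"access-group (\S+) in interface (\S+)", config):
        if not has(rf"access-list {re.escape(acl)} deny ip any any log"):
            findings.append(f"ACL {acl} on {iface} lacks a final 'deny ip any any log'")
    # Enable optional security: the default SNMP community string is a well-known weakness.
    if has(r"snmp-server community public$"):
        findings.append("SNMP community is the default 'public'")
    return findings
```

Running `audit_pix(SAMPLE_CONFIG)` on the sample reports the missing login password, the Telnet access line, the unlogged ACL, and the default SNMP community; removing those lines and adding `passwd`, a final `deny ip any any log` and a non-default community clears all findings.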
Most PIX Firewall models optionally support multiple outside or perimeter networks (also known as demilitarized zones (DMZs)). Connections between the networks can be controlled by the PIX Firewall.
A demilitarized zone (DMZ) is the most common and secure firewall topology, often referred to as a screened subnet. A DMZ creates a secure space between the Internet and your internal network. It will typically contain the following:
- Web server
- Mail server
- Application gateway
- E-commerce systems (It should contain only your front-end systems. Your back-end systems should be on your internal network.)
In 2005, Cisco introduced the newer Adaptive Security Appliance (ASA) firewall, which inherited many of the PIX's features, and in 2008 announced the PIX end-of-sale. I actually just found out about the discontinuation of the PIX firewall as I was doing some research for this blog post. However, the PIX technology is still sold as a blade, the FireWall Services Module (FWSM), for the Cisco Catalyst 6500 switch series and the 7600 router series.
Photo Credit: fzurell