Cisco PIX Firewall Basics
Firewalls are essential components of an effective information security infrastructure. At its most basic level, a firewall is a hardware or software that filters traffic between your network and the Internet. The firewall (hardware) I am most familiar in using is the Cisco PIX (Private Internet eXchange) Firewall. It was one of the first products in the IP firewall and NAT appliance market segments.
PIX firewalls include the following security and network services features:
- Network Address Translation (NAT) or Port Address Translation (PAT)
- Content filtering
- URL filtering
- IPsec VPN
- DHCP client/server
- PPPoE support
- Advanced security services for multimedia applications including Voice over IP (VoIP), H.323, SIP, Skinny
Managing the firewall can be done through its integrated web-based management interface called PIX Device Manager (PDM), command-line interface (CLI), Telnet, Secure Shell (SSH), console port, SNMP, and syslog.
Here are 10 steps to ensure your PIX Firewall is as secure as it can be:
- Password protect it
- Know your access-lists
- Log denials and errors
- Use SSH in place of Telnet
- Understand the ASA
- Enable optional security
- Keep the PIX OS and PDM patched
- Back up your configuration
- Use secure encryption
- Know your network
Read more in detail here: Cisco PIX Firewall: Lock it down in 10 steps
Most PIX Firewall models optionally support multiple outside or perimeter networks (also known as demilitarized zones (DMZs)). Connections between the networks can be controlled by the PIX Firewall.
A Demilitarized zone (DMZ) is the most common and secure firewall topology, often referred to as a screened subnet. A DMZ creates a secure space between your Internet and your network. It will typically contain the following:
- Web server
- Mail server
- Application gateway
- E-commerce systems (It should contain only your front-end systems. Your back-end systems should be on your internal network.)
In 2005, Cisco introduced the newer Adaptive Security Appliance (ASA) firewall that inherited much of PIX features, and in 2008 announced the PIX end-of-sale. I actually just found out about their discontinuity of the PIX firewall as I was doing some research for this blog post. However, the PIX technology is still sold in a blade, the FireWall Services Module (FWSM), for the Cisco Catalyst 6500 switch series and the 7600 Router series.
Photo Credit: fzurell
Network Security Basics
Securing the network may include implementing technologies such as firewalls, VPNs, antivirus, and anti-spam software. These are for first line of defense of the network. In addition, for enterprises, they need to have a comprehensive approach that includes Access Control, Data Privacy, and Compliance.
Firstly, in order to know what kind of security measures should be implemented, it is imperative that you know the network inside out. It is not possible to protect anything unless you clearly understand what you want to protect.
Secondly, you need to understand the different threats, both from internal and external sources. They may be human-based, automated, or a natural phenomenon.
Thirdly, physical security should be established, then partitioning and protecting network boundaries with firewalls, and also putting up workstation firewalls.
For the enterprise security network, Access Control will include Authentication, Authorization, User Provisioning & Identity Administration, and Role Management.
Authentication includes the use of passwords, token cards, and/or biometrics. Authorization policies should be centralized. User Provisioning & Identity Administration should be automated to prevent human errors. As well, user roles/privileges should be properly managed.
Data Privacy will include encrypting data, classifying data based on sensitivity, and putting up access control lists. Adding a security layer to enterprise search results will additionally prevent access of confidential information.
Automated Compliance controls and processes flexible enough to adapt to meet changing requirements should be used to conform with governance and privacy regulations.
Read these whitepapers for more detailed information:
Security Inside Out
Fundamental Principals of Network Security
Photo Credits: Javier Aroche, JoePhoto
Cisco IOS 10 Basic Commands That Should Be Mastered
David Davis wrote in TechRepublic about the ten commands that a Cisco professional or network administrator should know when using the Cisco IOS in routers, switches, and firewalls. This is a good reminder for me, and I’m glad to know that I have embedded all of it in my brain already.
Below is the list he made plus my comments on what I think about each item.
1. The “?”
This is the most helpful command ever. There are thousands of possible commands in the Cisco IOS and this is definitely useful when you don’t know or can’t remember the command to type, or the parameter that should come next.
2. show running-configuration (sh run)
If you want to check the current configuration of the router, switch, or firewall, this is what is used.
3. copy running-configuration startup-configuration (copy run start)
This command will save your current configuration, which is in the RAM, to the nonvolatile RAM (NVRAM). You can also use the copy command to copy to the TFTP server. If you must turn off your router, do not forget to use this command unless you don’t want to save the configuration changes you made.
4. show interface (sh int)
For troubleshooting, this command is used to check the status of the router’s interfaces.
5. show ip interface (sh ip int)
Much useful information about the configuration and status of the IP protocol and its services, on all interfaces are displayed with this command. Alternatively, you can add brief at the end of the command to get a shorter quick status.
6. config terminal, enable, interface, and router (conf t, en, int, router)
These are used to enter different modes in configuring the router.
7. no shutdown (no shut)
This is used to enable an interface, and also useful for troubleshooting when used with shut (to bring down interface then up).
8. show ip route (sh ip ro)
To check the routing table, use this command.
9. show version (sh ver)
This will display the router’s firmware settings, the last time the router was booted, the version of the IOS, the name of the IOS file, the model of the router, and the router’s amount of RAM and Flash.
This is helpful in troubleshooting. The debug command is used with other commands like for example, debug ip route.
Alright. That should be pretty simple to remember. Commands, stay in my brain please, thank you.
Photo Credit: dontthink.feel