Table Of Contents


How Data Moves Through the Firewall

Translating Internal Addresses

For More Information

Creating a Security Policy

Before Creating a Security Policy

Preparing a Security Policy

Know Your Enemy

Count the Cost

Identify Your Assumptions

Control Your Secrets

Remember Human Factors

Know Your Weaknesses

Limit the Scope of Access

Understand Your Environment

Limit Your Trust

Remember Physical Security

Make Security Pervasive

PIX Firewall Features

PIX Firewall Adaptive Security

PIX Firewall Connection Licenses


The PIX (Private Internet Exchange) Firewall, when properly configured, helps prevent unauthorized connections from one network to another. The network that the PIX Firewall protects is referred to as the internal, or inside, network and the network from which connections are controlled are the external, or outside, network. The PIX Firewall optionally supports multiple outside networks, which can be designated as perimeter networks, or demilitarized zones (DMZs). Connections between a perimeter, the outside, and the inside networks can all be managed by the PIX Firewall.

To effectively use a firewall in your organization, you need a security policy to ensure that all traffic from the inside to the outside passes only through the firewall, and you must decide who may access network resources, which services you can effectively support, and who can access the inside and perimeter networks from the outside.

shows how a PIX Firewall protects a network while providing outbound connections secure access to the Internet.

Figure 1-1 The PIX Firewall in a Network

Within this architecture, the PIX Firewall forms the boundary between the internal network and the external networks (which may include one or more perimeter networks). All traffic between the internal and external networks must flow through the firewall to maintain security. The external network is typically accessible to the Internet and contains systems that provide services to the external network. Such services might include a Web server, FTP server, or SMTP (electronic mail) server; connections to these application servers can be controlled using access-lists in the Internet attached router.

Alternatively, server systems can be located on a perimeter network as shown above, and access to the server systems can be controlled and monitored by the PIX Firewall. The PIX Firewall also lets you implement your security policies for connection to and from the inside network.

Typically, the inside network is an organization's own internal network, or intranet, and the outside network is the Internet, but the PIX Firewall can also be used within an intranet to isolate or protect one group of internal computing systems and users from another. The perimeter network can be configured as secure as the inside network or with varying security levels from the most secure inside network to the least secure outside network. Both the inside and perimeter networks are protected with the PIX Firewall's Adaptive Security algorithm described later in this chapter. The inside, perimeter, and outside interfaces can listen to RIP routing updates, and the inside and perimeter interfaces can broadcast a RIP default route.

Both the inside and perimeter networks are protected with the PIX Firewall's Adaptive Security algorithm described in the section, "PIX Firewall Adaptive Security." The inside, perimeter, and outside interfaces can listen to RIP routing updates, and the inside and perimeter interfaces can broadcast a RIP default route.

How Data Moves Through the Firewall

When outbound packets arrive at the PIX Firewall's inside interface, the PIX Firewall checks to see if previous packets have come from the inside host. If not, the PIX Firewall creates a translation slot (also called an "xlate") in its state table for the new connection. The slot includes the inside IP address and a globally unique IP address assigned by network address translation (NAT), port address translation (PAT), or Identity (which uses the inside address as the outside address). The PIX Firewall then changes the packet's source IP address to the globally unique address, modifies the checksum and other fields as required, and forwards the packet to the appropriate outside interface.

When an inbound packet arrives at the outside interface, it must first pass the PIX Firewall Adaptive Security criteria. If the packet passes the security tests, the PIX Firewall removes the destination IP address, and the internal IP address is inserted in its place. The packet is forwarded to the inside interface.

Translating Internal Addresses

Dynamic translation slots are useful for desktop machines that do not need constant addresses on the Internet. Inside network hosts with IP addresses not registered with the NIC (Network Information Center) can directly access the Internet with standard TCP/IP software on the desktop by enabling address translation within the PIX Firewall. No special client software is needed. The PIX Firewall supports network address translation (NAT) which provides a globally unique address for each inside host, and port address translation (PAT) which shares a single globally unique address for many inside hosts. NAT and PAT addresses are drawn from the virtual network of up to 64K host addresses configured within the PIX Firewall.

Another class of address translation on the PIX Firewall is static translation. Static translation effectively moves an internal, unregistered host into the virtual network in the PIX Firewall. This is useful for internal machines that need to be addressed from the outside Internet gateways; for example, an SMTP server.

After basic configuration (described in "Configuring the PIX Firewall") the PIX Firewall permits all outbound connections from the inside network to the outside network, and rejects any connections inbound from the outside network. This default policy can be modified to match the policy requirements of your organization using the features described in "PIX Firewall Features."

For More Information

For more information on firewalls refer to:

Building Internet Firewalls by D. Brent Chapman & Elizabeth D. Zwicky, O'Reilly. Information on this book is available at:

Firewalls & Internet Security by William Cheswick and Steven Bellovin, Addison-Wesley. Information about this book is available at:

Internet Security for Business by Terry Bernstein, Anish B. Bhimani, Eugene Schultz and Carol A. Siegel, Wiley. Information about this book is available at:

Practical UNIX Security by Simson Garfinkel and Gene Spafford, O'Reilly. Information about this book is available at:

TCP/IP Illustrated, Volume 1 The Protocols by W. Richard Stevens, Addison-Wesley. Information about this book is available at:

Note   You can view information on the PIX Firewall and additional documentation over the World Wide Web at:

Creating a Security Policy

The PIX Firewall separates the details of implementing a security policy from providing network services such as Web, FTP, Telnet, and SMTP.

This provides:

Much better scalability and performance—The PIX Firewall is dedicated to the security role and does not incur the substantial overhead required to offer server connections.

Greater security—Unless so configured, the PIX Firewall does not accept connections from the outside network (Private Link is an exception to this), and is implemented using a proprietary embedded system, rather than the full operating system necessary to support server applications.

Reduced complexity—Each device performs a dedicated function.

The following sections describe many of the issues associated with security policies; refer also to RFC 1244 "Site Security Handbook" for more information.

Before Creating a Security Policy

To effectively use a firewall in your organization, you need a security policy to protect your data resources from intrusion. By creating or improving a security policy, you can protect against malicious attack by outsiders and control the effects of errors and equipment failures.

Your security policy needs to ensure that users can only perform tasks they are authorized to do, only obtain information they are authorized to have, and not cause damage to the data, applications, or operating environment of a system.

Before creating any security policy, use these guidelines:

Step 1 Draw a map of your complete network detailing which systems connect to the Internet, which are servers, and identify which IP addresses occur on each subnetwork. When your map is complete, disseminate it to appropriate network administrators, update it regularly, and have paper copies available for troubleshooting problems.

Step 2 Identify which systems you need to protect from Internet access and which must be visible on the outside network, such as NIC-registered IP addresses. The network address translation (NAT) feature of the PIX Firewall lets you specify that NIC-registered IP addresses are visible on the outside of the firewall or that the inside network IP addresses depend solely on the global pool for translation.

Step 3 Identify which inside servers need to be visible on the outside and perimeter networks and what type of authentication and authorization you require before users can access the servers.

Step 4 Identify which router features you will need to set to accommodate the PIX Firewall in your network.

Note   When properly configured, the PIX Firewall can secure your network from outside threats. The PIX Firewall is not a turn-key system. You have to program it to identify which hosts can access your inside network and which cannot. It is your responsibility to protect your network. The PIX Firewall will not prevent all forms of security threats, but its features provide you with an arsenal of resources to repel network attacks.

The PIX Firewall cannot protect your network from inside attackers. To properly protect against these threats, all persons with access to the inside network should be given only the least privilege and access they require to perform their jobs. This access should be reviewed periodically, and updated if necessary.

Preparing a Security Policy

Security measures keep people honest in the same way that locks do. The following sections provide specific actions you can take to improve the security of your network:

Know Your Enemy

Count the Cost

Identify Your Assumptions

Control Your Secrets

Remember Human Factors

Know Your Weaknesses

Limit the Scope of Access

Understand Your Environment

Limit Your Trust

Remember Physical Security

Make Security Pervasive

Know Your Enemy

Consider who might want to circumvent your security measures and identify their motivations. Determine what they might want to do and the damage that they could cause to your network.

Security measures can never make it impossible for a user to perform unauthorized tasks with a computer system. They can only make it harder.

The goal is to make sure the network security controls are beyond the attacker's ability or motivation.

Count the Cost

Security measures almost always reduce convenience, especially for sophisticated users. Security can delay work and create expensive administrative and educational overhead. It can use significant computing resources and require dedicated hardware.

When you design your security measures, understand their costs and weigh those costs against the potential benefits. To do that, you must understand the costs of the measures themselves and the costs and likelihoods of security breaches. If you incur security costs out of proportion to the actual dangers, you have done yourself a disservice.

Identify Your Assumptions

Every security system has underlying assumptions. For example, you might assume that your network is not tapped, or that attackers know less than you do, that they are using standard software, or that a locked room is safe. Be sure to examine and justify your assumptions. Any hidden assumption is a potential security hole.

Control Your Secrets

Most security is based on secrets. Passwords and encryption keys, for example, are secrets. Too often, though, the secrets are not really all that secret. The most important part of keeping secrets is knowing the areas you need to protect. What knowledge would enable someone to circumvent your system? You should jealously guard that knowledge and assume that everything else is known to your adversaries. The more secrets you have, the harder it will be to keep all of them. Security systems should be designed so that only a limited number of secrets need to be kept.

Remember Human Factors

Many security procedures fail because their designers do not consider how users will react to them. For example, because they can be difficult to remember, automatically generated nonsense passwords are often found written on the undersides of keyboards. For convenience, a secure door that leads to the system's only tape drive is sometimes propped open. For expediency, unauthorized modems are often connected to a network to avoid onerous dial-in security measures.

If your security measures interfere with essential use of the system, those measures will be resisted and perhaps circumvented. To get compliance, you must make sure that users can get their work done, and you must sell your security measures to users. Users must understand and accept the need for security.

Any user can compromise system security, at least to some degree. Passwords, for instance, can often be found simply by calling legitimate users on the telephone, claiming to be a system administrator, and asking for them. If your users understand security issues, and if they understand the reasons for your security measures, they are far less likely to make an intruder's life easier.

At a minimum, users should be taught never to release passwords or other secrets over unsecured telephone lines (especially cellular telephones) or electronic mail (e-mail). Users should be wary of questions asked by people who call them on the telephone. Some companies have implemented formalized network security training for their employees; that is, employees are not allowed access to the Internet until they have completed a formal training program.

Know Your Weaknesses

Every security system has vulnerabilities. You should understand your system's weak points and know how they could be exploited. You should also know the areas that present the largest danger and prevent access to them immediately. Understanding the weak points is the first step toward turning them into secure areas.

Limit the Scope of Access

You should create appropriate barriers inside your system so that if intruders access one part of the system, they do not automatically have access to the rest of the system. The security of a system is only as good as the weakest security level of any single host in the system.

Understand Your Environment

Understanding how your system normally functions, knowing what is expected and what is unexpected, and being familiar with how devices are usually used, will help you to detect security problems. Noticing unusual events can help you to catch intruders before they can damage the system. Auditing tools can help you to detect those unusual events.

Limit Your Trust

You should know exactly which software you rely on, and your security system should not have to rely upon the assumption that all software is bug-free or that your firewall can prevent all attacks.

Remember Physical Security

Physical access to a computer, router, or your firewall usually gives a sufficiently sophisticated user total control over that device. Physical access to a network link usually allows a person to tap that link, jam it, or inject traffic into it. It makes no sense to install complicated software security measures when access to the hardware is not controlled.

Make Security Pervasive

Almost any change you make in your system may have security effects. This is especially true when new services are created. Administrators, programmers, and users should consider the security implications of every change they make. Understanding the security implications of a change is something that takes practice. It requires lateral thinking and a willingness to explore every way in which a service could potentially be manipulated.

PIX Firewall Features

The PIX Firewall provides full firewall protection that completely conceals the architecture of an internal network from the outside world. The PIX Firewall allows secure access to the Internet from within existing private networks and the ability to expand and reconfigure TCP/IP networks without being concerned about a shortage of IP addresses.

The PIX Firewall has the features described in .

Table 1-1 PIX Firewall Features 

Security Implication

Adaptive Security Algorithm (ASA)

Implements stateful connection control through the firewall.

Allows one way (inside to outside) connections without an explicit configuration for each internal system and application.

Always in operation monitoring return packets to ensure they are valid. Actively randomizes TCP sequence numbers to minimize the risk of TCP sequence number attack.

Network Address Translation (NAT)

For inside systems, translates the source IP address of outgoing packets per RFC 1631. Supports both dynamic and static translation.

Allows inside systems to be assigned private addresses (defined in RFC 1918), or to retain existing invalid addresses.

Hides the real network identity of internal systems from the outside network.

Port Address Translation (PAT)

By using port remapping, a single valid IP address can support source
IP address translation for up to 64,000 internal systems.

PAT minimizes the number of globally valid IP addresses required to support private or invalid internal addressing schemes. Will not work with multimedia applications that have an inbound data stream.

Hides the real network identity of internal systems from the outside network.

Multiple Interfaces

Additional network interfaces can be added to the PIX Firewall.

Takes the place of multiple PIX Firewall units in a single chassis.

Provides Adaptive Security for perimeter interfaces.


Allows address translation to be disabled.

If existing internal systems have valid globally unique addresses, the Identity feature allows NAT and PAT to be selectively disabled for these systems.

Makes internal network addresses visible to the outside network.

Cut-Through Proxies

User-based authentication of inbound or outbound connections. Unlike a proxy server that analyzes every packet at layer seven of the OSI model, a time- and processing-intensive function, the PIX Firewall first queries an authentication server, and when the connection is approved, establishes a data flow. All traffic thereafter flows directly and quickly between the two parties.

Allows security policies to be enforced on a per user ID basis. Connections must be authenticated with a user ID and password before they can be established. Supports authentication and authorization. The user ID and password are entered via an initial HTTP, Telnet or FTP connection.

Allows much finer level of administrative control over connections compared to checking source IP addresses. When providing inbound authentication, appropriate controls need to be applied to the user ID and passwords used by external users (one-time passwords are recommended in this instance).

Mail Guard

Provides a safe conduit for Simple Mail Transfer Protocol (SMTP) connections from the outside to an inside electronic mail server.

Allows a single mail server to be deployed within the internal network without it being exposed to known security problems with some SMTP server implementations. Avoids the need for an external mail relay (or bastion host) system.

Enforces a safe minimal set of SMTP commands to avoid an SMTP server system being compromised. Also logs all SMTP connections.

Java Filtering

Lets an administrator prevent Java applets from being downloaded by an inside system.

Java applets are executable programs that are banned within some security policies.

Java programs can provide a vehicle through which an inside system can be invaded.

Flood Defender

Protects inside systems from TCP SYN flood attacks.

Allows servers within the inside network to be protected from one style of denial of service attack.

Protects inside systems from SYN attacks.

TFTP Configuration Server

Provides PIX Firewall configuration via TFTP.

Allows one or more firewalls access to configurations from a central source.

Insecure. Do not use if your security policy prevents sharing privileged information in clear text.

Cisco IOS-like Configuration

Supports a command line interface similar to Cisco IOS.

Administrators familiar with the Cisco IOS router interface will be comfortable with the PIX Firewall.

over IP

Supports NETBIOS over IP connections from the inside network to the outside network.

Allows Microsoft client systems, such as Windows 95, within the inside network, possibly using NAT, to access servers, such as Windows NT, located within the outside network. This enables security policies to encompass Microsoft environments across the Internet and inside an intranet.

Allows access controls native to the Microsoft environment.


Support for network monitoring via SNMP (Simple Network Management Protocol).

With its SNMP interface, the PIX Firewall integrates into traditional network management environments.

Only supports SNMP GET (read-only) access.

HTML Interface

Provides a management interface from any standard Web browser.

Lets you configure the PIX Firewall via GUI interface rather than the command line interface.

Limits access of the HTML interface to specified client systems within the inside network (based on source address) and is password protected. If the inside network is not secure and sessions on the LAN can be snooped, you should limit use of the HTML interface.

Telnet Interface

Provides the standard Cisco IOS-like command line interface management interface via Telnet.

Enables remote configuration and management.

Limits access of the Telnet interface to specified client systems within the inside network (based on source address) and is password protected. If the inside network is not secure and sessions on the LAN can be snooped, you should limit use of the Telnet interface.

Multimedia Support

The PIX Firewall supports multimedia applications including RealAudio, Streamworks, CuSeeMe, Internet Phone, IRC, H.323, Vxtreme and VDO Live.

Users increasingly make use of a wide range of multimedia applications, many of which require special handling in a firewall environment. The PIX Firewall handles these without requiring client reconfiguration and without becoming a performance bottleneck.

Support for protocols can be disabled using access-lists if required.


Private Link is an optional feature that allows virtual private networks (VPN) to be established between PIX Firewall sites connected to the same public (or outside) network.

Sites connected using Private Link appear as a single contiguous network. Use Private Link to augment or replace traditional dedicated communications circuits.

Data sent between Private Link systems is encrypted using the DES algorithm (with 56-bit keys) and encapsulated using the IETF IPSEC AH/ESP standard.


PIX Firewall failover allows you to configure two PIX Firewall units in a fully redundant topology.

Fault tolerant networks are an increasingly important requirement, which PIX Firewall failover provides.

Both PIX Firewall units must be configured identically; failover does not provide stateful redundancy.

Access Lists

Controls which inside systems can establish connections to the outside network.

The default security policy can be modified to be consistent with the site security policy by limiting outgoing connections based on inside source address, outside destination address, or protocol.

Configure access lists carefully if your security policy limits outgoing connections.


Conduits allows connections from the outside network to the inside network.

For some applications or business requirements, it is desirable for outside systems to establish connections into the inside network. This may be to allow access from certain remote systems, or to provide access to applications hosted on inside systems.

Each conduit is a potential hole through the PIX Firewall and hence their use should be limited as your security policy and business needs require. Make conduits as specific as possible, by specifying a remote source address, local destination address, and protocol.

PIX Firewall Adaptive Security

The Adaptive Security feature applies to the dynamic translation slots and static translation slots created with the static and mailhost commands. The Adaptive Security algorithm is a very stateful approach to security. Every inbound packet is checked against the Adaptive Security algorithm and against connection state information in memory. This stateful approach to security is regarded in the industry as being far more secure than a stateless packet screening approach.

Adaptive Security follows these rules:

Allow any TCP connections that originate from the inside network.

Ensure that if an FTP data connection is initiated to a translation slot, there is already an FTP control connection between that translation slot and the remote host. If not, drop and log the attempt to initiate an FTP data connection. For valid connections, the firewall handles passive and normal FTP transparently without the need to configure your network differently.

Drop and log attempts to initiate TCP connections to a translation slot from the outside.

Drop and log source routed IP packets sent to any translation slot on the PIX Firewall.

Allow ICMP (Internet Control Message Protocol) message types 0, 3, 4, 8, 11, 12, 17 and 18. By implication, deny ICMP redirects (type 5).

Silently drop ping requests to dynamic translation slots.

Passes through ping requests directed to static translation slots.

You can protect static translation slots with Adaptive Security, and you can have exceptions (called conduits) to the previously described rules, which you create with the conduit command. Multiple exceptions may be applied to a single static translation slot (via multiple conduit commands). This lets you permit access from an arbitrary machine, network, or any host on the Internet to the inside host defined by the static translation slot. The PIX Firewall handles UDP data transfers in a manner similar to TCP. Special handling allows DNS, archie, non-passive FTP, StreamWorks, H.323 and RealAudio to work securely. The PIX Firewall creates UDP connection state information when a UDP packet is sent from the inside network. Response packets resulting from this traffic are accepted if they match the connection state information. The connection state information is deleted after a short period of inactivity.

PIX Firewall Connection Licenses

The PIX Firewall provides options you can purchase from Cisco Sales that let you increase the number of simultaneous TCP connections (also known as sessions) the firewall can handle. The options are sold for 64, 1,024, and 16,384 connections. Previous versions of the PIX Firewall with
32 connection licenses are automatically upgraded to 64 connections when version 4 is installed.

Note   To update the number of connections, obtain a new activation key from Cisco Sales. After you receive the activation key, reboot the PIX Firewall with the original floppy disk and during the boot sequence, when prompted, enter your new key.

Each inbound and outbound TCP connection from any of the three interfaces counts as a simultaneous connection. UDP connections are not counted in the license value. The use of Telnet or HTTP to access the PIX Firewall console does not count in the number of TCP connections. You can see how many TCP connections are in use on the firewall with the show conn command.

For example, if a user is running FTP, Telnet, and Netscape Navigator, the user can be using from three to seven simultaneous TCP connections depending on whether Netscape Navigator is loading a page or is done. Telnet takes a single connection, FTP takes two connections, and Netscape Navigator can open up to four connections by default while loading information. (Netscape Navigator can be set to a maximum of 8 connections.)

One application to be aware of is Microsoft's Internet Explorer for Windows 95 and Windows NT, which can use up to 20 TCP connections. The number of connections that Internet Explorer uses is not user-configurable in the Windows version, but is in the Macintosh version, which defaults to 4 connections but can be set to a maximum of 8 connections. You can view the number of connections a Windows 95 or Windows NT system is using by entering the netstat -a command at the MS-DOS prompt.

Note   To avoid letting applications overwhelm your maximum number of connections, it is very important to always use the connection limit and embryonic limit options with the mailhost, nat, and static commands.

The PIX Firewall connection options are generally sold by the type of line speed a site uses, as shown in , although you should also consider the number of TCP connections per application to determine how many users or hosts can access the firewall simultaneously.

Table 1-2

Line Speed
Number of Connections
Number of Inside Hosts

56K frame relay or 56K leased line


70 or fewer

ISDN with two B-channels, 128K to T1


70 to 500

T1 line


500 and higher

Selecting Connection Licenses

After you purchase new connection licenses, you are given an activation key that you enter during bootup by rebooting the firewall from floppy disk.

If you are configuring a second firewall for use with failover, ensure both units have the same number of connection licenses.