The world-leading Cisco PIX® Firewall Series of purpose-built security appliances provides robust, enterprise-class security services, including stateful inspection firewalling, virtual private networking (VPN), intrusion protection, and much more, in cost-effective, easy-to-deploy solutions. Ranging from compact, plug-and-play desktop firewalls for small/home offices to carrier-class gigabit firewalls for the most demanding enterprise and service-provider environments, Cisco PIX Firewalls provide robust security, performance, and reliability for network environments of all sizes.
Cisco PIX Firewalls deliver a broad range of advanced firewall services that protect enterprise networks from the threats lurking on the Internet and in today's network environments. The state-of-the-art Cisco Adaptive Security Algorithm (ASA) provides rich stateful inspection firewall services, tracking the state of all authorized network communications and preventing unauthorized network access. Cisco PIX Firewalls deliver an additional layer of security through intelligent, "application-aware" security services that examine packet streams at Layers 4 through 7, using inspection engines specialized for many of today's popular applications. Administrators can easily create custom security policies that will be enforced on network traffic traversing the firewall by leveraging more than 100 pre-defined applications, services, and protocols within Cisco PIX Firewalls, and the flexible access control capabilities that Cisco PIX Firewalls provide. Access to network resources can also be strongly authenticated via the Cisco PIX Firewall's seamless integration with enterprise databases, either directly using TACACS+/RADIUS or indirectly via Cisco Secure Access Control Server (ACS). In addition to these services, Cisco PIX Firewalls provide extensive logging, URL filtering, content filtering, and more in concert with Cisco AVVID (Architecture for Voice, Video and Integrated Data) partner solutions.
Cisco PIX Firewalls continue to provide market-leading protection for numerous voice-over-IP (VoIP) standards and other multimedia standards, including H.323, Session Initiation Protocol (SIP), Skinny, Real-Time Transport Protocol (RTP), Real-Time Streaming Protocol (RTSP), and Real-Time Transport Control Protocol (RTCP). This allows businesses to securely take advantage of the many benefits that converged data and voice networks provide, such as significant total cost of ownership (TCO) savings and the competitive advantages and improved productivity gained through the power of fully integrated voice, video, and data networks. By combining VPN with the rich stateful inspection firewall services that Cisco PIX Firewalls provide for these converged networking standards, businesses can easily extend voice and multimedia services to remote/satellite offices for additional bandwidth and cost savings.
Using the standards-based site-to-site VPN capabilities within Cisco PIX Firewalls, businesses can securely extend their network across low-cost Internet connections to business partners and remote/satellite offices worldwide. Built upon the Internet Key Exchange (IKE) and IP Security (IPSec) VPN standards, Cisco PIX Firewalls encrypt data using 56-bit Data Encryption Standard (DES) or advanced 168-bit Triple DES (3DES) encryption, ensuring that malicious individuals cannot see sensitive business data as it safely travels across the Internet. Cisco PIX Firewalls can also participate in X.509-based Public Key Infrastructures (PKI) and provide easy, automated certificate enrollment by taking advantage of the Simplified Certificate Enrollment Protocol (SCEP), another Internet standard Cisco helped to pioneer. Certain Cisco PIX Firewall models also provide integrated hardware VPN acceleration, providing up to 100 Mbps of 3DES throughput and support for up to 2000 IKE security associations.
The innovative Easy VPN capabilities found in Cisco PIX Firewalls and other Cisco solutions, such as Cisco IOS® Software-based routers and Cisco VPN 3000 Series Concentrators, deliver a uniquely scalable, cost-effective, and easy-to-manage remote-access VPN architecture. Built upon the foundation of dynamic policy distribution and effortless provisioning, Easy VPN eliminates the operational costs associated with maintaining remote-device configurations typically required by traditional VPN solutions. Easy VPN enables Cisco customers to enjoy the numerous benefits that VPNs provide (increased employee productivity by taking advantage of high-speed broadband connectivity, and significantly reduced operational costs by eliminating expenses associated with legacy dialup architectures) without the problems commonly found with other remote-access VPN solutions.
Cisco PIX Firewalls provide robust, remote-access VPN concentrator services that enable enterprises to securely extend their network to traveling employees, teleworkers, and remote offices for "anytime, anywhere access" to vital corporate network resources. Acting as an Easy VPN Server, Cisco PIX Firewalls support the wide range of Cisco software- and hardware-based Easy VPN Remote products. By dynamically pushing VPN security policies to Easy VPN-enabled users as they connect, Cisco PIX Firewalls ensure that the latest VPN security policy is consistently enforced for all remote-access users.
Certain models of Cisco PIX Firewalls can also act as "hardware VPN clients" using the new Easy VPN Remote features in Cisco PIX Firewall OS, transparently providing secure access to a corporate network for all devices protected by a Cisco PIX Firewall in a remote network. This dramatically simplifies the initial deployment and ongoing management of VPNs deployed to remote offices and teleworker environments by eliminating the need to install and maintain VPN client software on the individual devices protected by a remote Cisco PIX Firewall. Advanced client-side resiliency features ensure maximum VPN uptime by providing automatic failover to backup Easy VPN Servers in the event of a network or service failure.
The integrated intrusion-protection capabilities in Cisco PIX Firewalls protect today's networks from many popular forms of attacks, including Denial-of-Service (DoS) attacks and malformed packet attacks. Using a wealth of advanced intrusion-protection features, including DNSGuard, FloodGuard, FragGuard, MailGuard, and TCP intercept, in addition to looking for more than 55 different attack "signatures," Cisco PIX Firewalls keep a vigilant watch for attacks, can optionally block them, and can notify administrators about them in real time. Additionally, Cisco PIX Firewalls support virtual packet reassembly, searching for attacks that are hidden over a series of fragmented packets. Strong integration with Cisco Intrusion Detection Systems (IDS) sensors enables Cisco PIX Firewalls to automatically shun (block) network nodes identified as being hostile by Cisco IDS sensors.
Cisco PIX Firewalls provide award-winning stateful failover capabilities (on select models) that ensure resilient network protection for enterprise network environments. Employing a cost-effective, active-standby high-availability architecture, Cisco PIX Firewalls configured as a failover pair continuously synchronize connection state information and device configuration data between one another. Performing this synchronization over a high-speed LAN connection provides the added benefit of being able to geographically separate failover pair members, thus providing a further layer of protection. In the rare event of a system or network failure, network sessions are automatically transitioned between firewalls seamlessly, and with complete transparency to network users.
Cisco PIX Firewalls deliver a wealth of remote-management methods for configuration, monitoring, and troubleshooting. Management solutions range from an integrated, Web-based management application to highly scalable multi-firewall management tools to support for remote-monitoring protocols such as Simple Network Management Protocol (SNMP) and syslog. Cisco PIX Firewalls additionally provide up to 16 levels of customizable administrative roles, so that enterprises can grant administrators and operations personnel the appropriate level of permissions they need for each firewall they manage (for example, monitoring only, read-only access to the configuration, VPN configuration only, firewall configuration only, etc.). Cisco PIX Firewalls now also support Auto Update, a revolutionary secure remote-management capability that ensures firewall configurations and software images are kept up-to-date.
Cisco PIX Device Manager (PDM), integrated with Cisco PIX Firewalls, provides administrators an intuitive, Web-based management interface for remotely configuring and monitoring a single Cisco PIX Firewall, without requiring any software (other than a standard Web browser) to be installed on an administrator's computer. Administrators can also remotely configure, monitor, and troubleshoot Cisco PIX Firewalls using a command-line interface (CLI) through various methods, including Telnet and Secure Shell (SSH) Protocol, or out-of-band via a console port.
Administrators can easily manage a large number of remote Cisco PIX Firewalls using either the new combination of the CiscoWorks Management Center for Cisco PIX Firewalls and Auto Update Server, or Cisco Secure Policy Manager (CSPM), all available within the Cisco VPN Security Management Solution (VMS) network management suite. The CiscoWorks Management Center for Cisco PIX Firewalls is a highly scalable, next-generation, three-tier management solution for Cisco PIX Firewalls that includes features such as hierarchical grouping of managed firewalls, "Smart Rules" configuration inheritance, customizable administrative roles and access privileges, workflow-based enterprise change management, comprehensive support for Cisco PIX Firewall's new Auto Update capabilities, and support for dynamically addressed firewalls. Cisco Secure Policy Manager Release 3.0 is a policy-based centralized management solution for Cisco PIX Firewalls that includes a task-based interface, an interactive network topology map, policy wizards, and policy import capabilities. Additional integrated event management and inventory solutions are also available as part of the Cisco VMS network management suite.
|Software IPSec VPN clients|
|Hardware IPSec VPN clients|
|Layer 2 Tunneling Protocol (L2TP)/IPSec VPN clients|
|Point-to-Point Tunneling Protocol (PPTP) VPN clients|
Cisco PIX Firewalls can now act as hardware-based VPN clients, taking advantage of the new Easy VPN Remote capabilities in Cisco PIX Firewall OS. The following Easy VPN Server platforms are supported for this deployment scenario:
|Cisco IOS Routers|
|Cisco PIX Firewalls|
|Cisco VPN 3000 Concentrators|
|Asymmetric (public key) encryption algorithms|
|Symmetric encryption algorithms|
|Perfect Forward Secrecy (Diffie-Hellman key negotiation)|
|X.509 certificate authorities|
|X.509 certificate enrollment protocols|
|Flash memory, minimum|
|Expansion cards supported|
Support services are available from Cisco partners as well as from Cisco. The Cisco SMARTnet service augments customer support resources. It provides 24x7x365 access to technical resources (both online and via telephone), the ability to download updated system software, and hardware advance replacement.