Cisco Secure PIX Firewall Series

Product Overview

The Cisco Secure PIX Firewall series delivers strong security in an easy-to-install, integrated hardware/software appliance that offers outstanding performance. The series allows you to rigorously protect your internal network from the outside world, providing full firewall security protection. Unlike typical CPU-intensive full-time proxy servers that perform extensive processing on each data packet at the application level, Cisco Secure PIX Firewalls use a non-UNIX, secure, real-time, embedded system. The Cisco Secure PIX Firewalls deliver superior performance of up to 250,000 simultaneous connections, over 6,500 connections per second, and nearly 170 megabits per second (Mbps) throughput. This level of performance is dramatically greater than that delivered by other appliance-like firewalls or those based on general-purpose operating systems.

Figure 18-4: Cisco Secure PIX Firewall 520 Rear View
Figure 18-5: Cisco Secure PIX Firewall 515 Front View
Figure 18-6: Cisco Secure PIX Firewall 515 Rear View

Key Features and Benefits

Non-UNIX, secure, real-time, embedded system
This design eliminates the risks associated with a general-purpose operating system and allows the Cisco Secure PIX Firewall series to deliver outstanding performance (up to 250,000 simultaneous connections), dramatically greater than any UNIX-based firewall and without affecting end-user performance.

Less complex and more robust than packet-filtering; higher performance and more scalable than application proxy firewalls
The heart of the PIX Firewall series is the adaptive security algorithm (ASA), which maintains the secure perimeters between the networks controlled by the firewall. The stateful, connection-oriented ASA design creates session flows based on source and destination addresses, TCP sequence numbers (which are non-predictable), port numbers, and additional TCP flags. All inbound and outbound traffic is controlled by applying security policy to connection table entries.

User authentication and authorization with cut-through proxy
Cisco Secure PIX Firewall series gains further dramatic performance advantage through its patented method of transparently verifying the identity of users at the firewall and permitting or denying access to any TCP- or UDP-based application. This method eliminates the price/performance impact UNIX-based firewalls impose in similar configurations, and leverages the authentication and authorization services of CiscoSecure Access Control Server. For more information on CiscoSecure Access Control Server, available for both Windows NT and UNIX (Solaris), see the chapter "CiscoSecure Access Control Server Software."

Centralized configuration and management with the PIX Firewall Manager
This Java-based graphical user interface (GUI) configuration tool lets the administrator use a Web browser to retrieve, edit, and centrally manage security policies. Separate tabs provide access to configuration information common to all PIX Firewalls being managed and to built-in reports for user-based accounting for web sites visited and volume of files transferred. The PIX Firewall Manager can automatically provide real-time alerts of any attempted firewall breaches through e-mail or pager notification.

Platform extensibility
To provide platform extensibility without sacrificing the benefits of an embedded system, the PIX Firewall series includes two hardware platforms, the PIX Firewall 515 and 520, which support a broad range of network interface cards (NICs). Standard NICs include single- or four-port 10/100 Ethernet cards, 4/16 Token Ring cards, and dual-attached multimode FDDI cards. FDDI cards and four-port Ethernet cards are supported in PIX beginning with version 4.4.

Failover/hot standby upgrade option
The PIX Firewall failover option ensures high availability and eliminates a single point of failure. With two PIX Firewalls running in parallel, if one malfunctions, the second PIX Firewall transparently maintains security operations.

Synchronized configurations for effective recovery from hardware failure
Simplified TFTP boot function allows consistent synchronization of multiple device configurations.

Specifications

Hardware
| Description | PIX Firewall 515-R | PIX Firewall 515-UR | PIX Firewall 520 | PIX Firewall 520-DC |
|---|---|---|---|---|
| Hardware Case | 19-in. rack-mountable (comes with rack-mount hardware) | 19-in. rack-mountable (comes with rack-mount hardware) | 19-in. rack-mountable (comes with rack-mount hardware) | 19-in. rack-mountable (comes with rack-mount hardware) |
| Random Access Memory | 32 MB | 64 MB | 128 MB | 128 MB |
| Console Port | RJ-45 | RJ-45 | DB-9 EIA/TIA-232 | DB-9 EIA/TIA-232 |
| Boot/Update Device | TFTP only | TFTP only | 3.5-in. floppy disk drive | 3.5-in. floppy disk drive |
| | DB-25 EIA/TIA-232 | DB-25 EIA/TIA-232 | DB-25 EIA/TIA-232 | DB-25 EIA/TIA-232 |

Failover requires special Cisco cable.

| Description | PIX Firewall 515-R | PIX Firewall 515-UR | PIX Firewall 520 | PIX Firewall 520-DC |
|---|---|---|---|---|
| Autoswitching | 100-240 VAC | 100-240 VAC | 100-240 VAC | -48 VDC |
| Frequency | 50-60 Hz | 50-60 Hz | 50-60 Hz | |
| Current | 1.5-0.75 Amps | 1.5-0.75 Amps | 4-2 Amps | 4 Amps |

| Description | PIX Firewall 515-R | PIX Firewall 515-UR | PIX Firewall 520 | PIX Firewall 520-DC |
|---|---|---|---|---|
| Dimensions (H x W x D) | 1.72 x 16.82 x 11.8 in. (4.4 x 42.7 x 29.9 cm) | 1.72 x 16.82 x 11.8 in. (4.4 x 42.7 x 29.9 cm) | 5.21 x 16.82 x 17.5 in. (13.2 x 42.7 x 44.5 cm) | 5.21 x 16.82 x 17.5 in. (13.2 x 42.7 x 44.5 cm) |
| Weight | 11 lb. (4.9 kg) | 11 lb. (4.9 kg) | 21 lb. (9.5 kg) | 21 lb. (9.5 kg) |
| Operating Temperature | -25 to 113°F (-5 to +45°C) | -25 to 113°F (-5 to +45°C) | -25 to 113°F (-5 to +45°C) | -25 to 113°F (-5 to +45°C) |
| Storage Temperature | -77 to 158°F (-25 to +70°C) | -77 to 158°F (-25 to +70°C) | -77 to 158°F (-25 to +70°C) | -77 to 158°F (-25 to +70°C) |
| Operational Humidity | 95% relative humidity (RH) | 95% relative humidity (RH) | 95% relative humidity (RH) | 95% relative humidity (RH) |
| Operational Altitude | 9843 ft (3000 m), 77°F (25°C) | 9843 ft (3000 m), 77°F (25°C) | 9843 ft (3000 m), 77°F (25°C) | 9843 ft (3000 m), 77°F (25°C) |
| Heat Dissipation (Worst Case with Full Power Usage) | 160.37 BTU/hr | 160.37 BTU/hr | 863.27 BTU/hr | 863.27 BTU/hr |

PIX 520 - Connection licenses available for 128, 1024, and Unrestricted (more than 250,000) simultaneous connections
PIX 515 - Only unrestricted licenses available
PIX 520 - Ethernet, FDDI and Token Ring available
PIX 515 - Restricted (no failover, 32 MB RAM, no option cards, 2 Ethernet interfaces only)
PIX 515 - Unrestricted (64 MB RAM, failover, up to 6 Ethernet interfaces)
PIX 515 - Ethernet only
Adaptive security algorithm (ASA)
Cut-through proxy authenticates, authorizes, and enhances performance
Multiple interface support (10/100 Mbps Ethernet, Token Ring, FDDI)
Up to 6 Ethernet interfaces
Failover/hot standby; synchronized configurations
True Network Address Translation (NAT) as specified in RFC 1631
Port Address Translation (PAT) further expands a company's address pool: one IP address supports more than 64,000 hosts
Mail Guard removes need for external mail relay server in perimeter network
TACACS+ and RADIUS authentication
DNS Guard transparently protects outbound name and address lookups
Flood Guard and Fragmentation Guard protect against denial of service attacks
Java blocking eliminates potentially dangerous Java applets (not compressed or archived)
Extremely high-performance URL filtering that surpasses the competition in any enterprise-scale network
Cisco IOS-style command-line interface
Extended authentication, authorization, and accounting capabilities
Net Aliasing transparently merges overlapping networks with the same IP address space
Enhanced granularity of inbound access (conduits)
Allows use of existing registered IP addresses
Extended access lists
Ability to customize protocol ports
Support for private networking of virtual sites at greater than 45 MB using Cisco proprietary Private Link 2.
Enhanced customization of syslog messages
Simple Network Management Protocol (SNMP) and syslog for remote management
Reliable syslogging using either TCP or UDP
Extended transparent application support (both with and without NAT enabled) includes:
Sun remote procedure call (RPC)
Microsoft Networking client and server communication (NetBIOS over IP) using NAT
Multimedia, including Progressive Networks' RealAudio, Xing Technologies' Streamworks, White Pines' CuSeeMe, Vocal Tec's Internet Phone, VDOnet's VDOLive, Microsoft's NetShow, VXtreme Web Theatre 2; and Intel's Internet Video Phone and Microsoft's NetMeeting (based on H.323 standards)
Oracle SQL*Net client and server communication
Hosted on a Windows NT 4.0 platform (required) Service Pack 4 compliant
Each PIX Firewall Manager supports up to 10 PIX Firewalls for full logging, and configuration for up to 10 PIX Firewalls
E-mail and pager alarms can be set based on single events or after a threshold is reached
Built-in reports to display FTP and URL activity per user on a daily basis
All configuration information sent between PIX Firewalls and PIX Firewall Manager is protected by a shared secret/secure hash algorithm (MD5)
Strong authentication (one-time password) support for PIX Firewall management sessions can be provided by CiscoSecure or other TACACS+ or RADIUS server
For additional specifications, see the Cisco Secure PIX Firewall datasheet on the Cisco Web at www.cisco.com. For software options for the Cisco Secure PIX Firewall Series, see PIX Firewall Software in the following table.
| Part Description | Part Number |
|---|---|
| PIX Firewall Solutions | |
| PIX Private Link 2 card | PIX-PL2 |
| PIX Private Link 2 card, spare | PIX-PL2= |
| ONE 10/100 Mbps ETHERNET INTERFACES, RJ45 | PIX-1FE |
| ONE 10/100 Mbps ETHERNET INTERFACES, RJ45 | PIX-1FE= |
| Single Gigabit Ethernet Interface for PIX Firewall | PIX-1GE= |
| PIX Four-port 10/100 Ethernet interface | PIX-4FE |
| PIX Four-port 10/100 Ethernet interface | PIX-4FE= |
| ONE 4/16 Mbps TOKEN-RING INTERFACE | PIX-1TR |
| ONE 4/16 Mbps TOKEN-RING INTERFACE | PIX-1TR= |
| FAILOVER UPGRADE KIT - SW V3.0 OR LATER | PIX-FO= |
| FDDI Interface for the PIX Firewall | PIX-FDDI |
| PIX FDDI Card | PIX-FDDI= |
| Accessory Kit associated with PIX Software version 4.4 | ACC-PIX500-4.4 |
| 32 MB FRU Memory for PIX 515 | PIX-515-MEM-32= |
| PIX 515 Restricted to Unrestricted Software License Upgrade | PIX-515-SW-UPG= |
| Blank to fill unused option slot on PIX 515 | PIX-BLANK-SLOT |
| PIX 515 Chassis only | PIX-515 |
| PIX 515 Unrestricted Function software license | PIX-515UR-SW |
| PIX 520 Chassis only | PIX-520 |
| PIX 520, -48VDC power chassis only | PIX-520-DC |
| PIX Midrange license | PIX-CONN-1K |
| PIX Entry level license | PIX-CONN-128 |
| PIX Unrestricted license | PIX-CONN-UR |
| PIX lic upgd entrylevel to midrange | PIX-CONN-128-1K= |
| PIX lic upgd entrylevel to unrestricted | PIX-CONN-128-UR= |
| PIX lic upgd midrange to unrestricted | PIX-CONN-1K-UR= |
| PIX Software Upgrade for Non-Support Customers | PIX-CONN-VER= |
| 128 MB Mem Upg for PIX Firewall Models Prior to 500 Series | PIX-MEM-UPG-128= |
| 128 MB Memory Upgrade for PIX Firewall Models 510 and 520 | PIX-MEM-5XX-128= |
| PIX Firewall Software | |
| PIX Software Upgrade for Non-Support Customers | PIX-CONN-VER= |
| PIX Software version 4.4 | SF-PIX-4.4 |
| PIX version 4.4 software for 515 chassis. TFTP only. | SF-PIX515-4.4 |
| PIX v5.0 software for the PIX chassis | SF-PIX-5.0 |
| PIX 515 Restricted Function software license | PIX-515R-SW |
| PIX Firewall Bundles | |
| PIX 515 Failover (Chassis, software, two 10/100 ports) | PIX-515-FO-BUN |
| PIX 515R Bundle (Chassis, restricted SW, 2 FE ports) | PIX-515-R-BUN |
| PIX 515R Bundle (Chassis, unrestricted SW, 2 FE ports) | PIX-515-UR-BUN |
| PIX 515-R DC Bundle (Chassis, R software, two 10/100 ports) | PIX-515-DC-R-BUN |
| PIX 515-UR DC Bundle(Chassis, UR software, two 10/100 ports) | PIX-515-DC-UR-BUN |
| Entry level PIX Firewall 520, two 10/100 Enet NICs | PIX-520-128-CH |
| Midrange PIX Firewall 520, two 10/100 Enet NICs | PIX-520-1K-CH |
| PIX 520 Failover (Chassis, software, two 10/100 ports) | PIX-520-FO-BUN |
| Unrestricted PIX Firewall 520, two 10/100 Enet NICs | PIX-520-UR-CH |
| PIX Firewall Crypto | |
| PIX 3DES Software License Without Client Software | PIX-VPN-3DES= |
| PIX Firewall Accessories | |
| Manufacturing Accessory Kit for PIX version 5.0 | ACC-5.0-PIX |
| PIX 520 Accessory Kit for 5.0 Software Version | ACC-PIX500-5.0 |

| Description | Part Number |
|---|---|
| PIX SMARTnet maintenance, all versions | CON-SNT-PIX |
| PIX SMARTnet maintenance, all versions (two-tier products) | CON-SNT-PKG12 |