A Powerful Firewall from Cisco

Secure PIX 506 offers enterprise-class security in a product aimed at smaller setups
Kishore Bhargava

Saturday, June 16, 2001

When it comes to the Internet, everyone is familiar with the name Cisco, mainly for routers, which are, incidentally, used by a large number of ISPs around the globe for backbone connectivity that makes the Internet work. However, not many associate the company with firewalls. Cisco also makes a very popular and excellent series of firewalls, the PIX series. 

Cisco is normally associated with products for the high end rather than for smaller segments. But the firewall we looked at, the Secure PIX 506, is aimed at the SOHO segment while carrying the power of Cisco’s high-end products. 

The PIX boasts a huge number of features and offers enterprise-class security in a product aimed at smaller setups. Some of the features include the use of the Adaptive Security Algorithm for stateful security of all TCP/IP sessions (which provides a high level of security), prevention of Denial of Service (DoS) attacks, a Java applet filter, VPN, and support for multimedia applications like VoIP.

The PIX is a neat-looking blue box and you may even mistake it for a Cisco router. It is, amazingly, a full-fledged computer with a P/200 MHz MMX processor, 32 MB RAM, 8 MB of Flash RAM, and a proprietary embedded OS.

Configuring the PIX has two sides to it: you can either love it or hate it. The interface is a command-line interface and not a GUI, unlike many SOHO products. But the beauty of the interface is that if you want to have it up and running fast, you can have the basic setup ready in fewer than six commands. However, given that it has so many features, exploring, understanding, and configuring all of them will take quite a while. 

The documentation is excellent and comes with dozens of examples covering most situations that you may encounter. The easiest way is to type in one of the sample files and then just cut and paste it into the PIX. Also, if you’ve used a Cisco router, you would be familiar with the command set and its usage. Once you figure it out, you can replicate the setup for other locations of your organization in a matter of seconds by just making a few changes.

For our tests, our first policy was ‘deny all’. Nothing was allowed to come into our private network and that worked quite well. The firewall blocked every incoming packet.

We then decided to open up a few things like ‘allow traffic to go out using NAT’. That also worked well. Our machines on the private network were able to access the outside networks and still nothing was allowed inwards. Then, as a final test, we installed a few Trojans and software with known vulnerabilities on our private network, but without opening the ports for them. They were still not accessible from the outside.

Finally, to make sure that our network was actually reachable, we set up a Web server and assigned it one of our public IP addresses. It was reachable. However, if we did not permit it in our policies and configuration, the Web server was not accessible from outside. The firewall was doing a good job there.

One of the things that firewalls are expected to do these days is content filtering. The PIX, unfortunately, does not do content filtering directly, but relies on third-party software. The package, called Websense, is very powerful at doing this. Using Websense you can generate some eye-opening reports on Internet usage in your organization and then set your policies accordingly.

If you are curious as to what is happening on the PIX, you can view the details in the logs that it maintains. The logs are fully compatible with BSD-style syslog, so if you have any system on your network capable of accepting syslog messages, you can have the logs sent there and then use a variety of tools to analyze them. (The PIX comes with a 30-day trial version of a log analysis program which can produce some excellent reports.) 
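As an added example (not part of the original review and not Cisco's tooling), here is one way to summarize denied inbound connections from PIX messages collected on a syslog host. The sample lines are constructed; the hostname `pix506`, the `<PRI>` values (facility local4) and the documentation-range addresses are assumptions, and only deny message 106001 is decoded.

```python
import re
from collections import Counter

# Constructed sample (not from a real device). Header fields, hostname and
# addresses are assumptions; the body follows PIX deny message 106001.
SAMPLE = """\
<162>Jun 16 10:01:02 pix506 %PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/4123 to 192.0.2.5/23 flags SYN on interface outside
<162>Jun 16 10:01:03 pix506 %PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/4124 to 192.0.2.5/139 flags SYN on interface outside
<162>Jun 16 10:01:09 pix506 %PIX-2-106001: Inbound TCP connection denied from 198.51.100.20/2301 to 192.0.2.5/23 flags SYN on interface outside
<166>Jun 16 10:02:00 pix506 %PIX-6-302001: (non-deny message, body elided in this constructed sample)
this line is not syslog at all
"""

# Optional <PRI>, any relay-added header, then the %PIX-severity-id tag.
TAG = re.compile(r"^(?:<(\d{1,3})>)?.*?%PIX-(\d)-(\d{6}): (.*)$")
DENY = re.compile(r"Inbound TCP connection denied from (\S+)/(\d+) "
                  r"to (\S+)/(\d+) flags (.+) on interface (\S+)")

def parse_line(line):
    """Return a dict for a PIX syslog line, or None if it is not one."""
    m = TAG.match(line.strip())
    if not m:
        return None
    pri, sev, msg_id, body = m.groups()
    rec = {"severity": int(sev), "id": msg_id, "body": body}
    if pri is not None:
        rec["facility"] = int(pri) >> 3   # BSD syslog: PRI = facility*8 + severity
    d = DENY.match(body) if msg_id == "106001" else None
    if d:
        rec.update(src=d[1], sport=int(d[2]), dst=d[3], dport=int(d[4]),
                   flags=d[5], iface=d[6])
    return rec

def summarize(text):
    """Count denied inbound attempts per source and per destination port."""
    by_src, by_target, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1              # not a PIX message; keep a count
        elif "src" in rec:
            by_src[rec["src"]] += 1
            by_target[(rec["dst"], rec["dport"])] += 1
    return by_src, by_target, skipped

if __name__ == "__main__":
    sources, targets, skipped = summarize(SAMPLE)
    print(sources.most_common(), targets.most_common(), skipped)
```

Sources that repeatedly hit closed ports, and the ports they probe, are the first things worth reviewing when setting policy from these logs.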

Finally, a word of caution. Just because you’ve installed a firewall doesn’t mean you can take it easy and forget about it. You need to constantly check with the vendor for firmware updates and for any vulnerabilities that come up in the version of the software you are using. Firewalls provide security between networks, and these days the biggest threat comes first from within your own network and then from the outside. So make sure that you keep your network tightly secured. Security is not a one-time solution; it’s a way of life.
