Bronze

pix 501 why prefer over router?

Hi everybody!

I was reading about the pix 501 and its features. One of the features is firewall by nat. Without an upgrade, pix 501 can perform nat for only 10 devices. I understand that this is an end-of-sale device. But before that, why would an engineer choose to use pix 501 instead of routers?

For example, pix e0--------------------e0Re1--------------internet

In the above case, I have to use three public ip addresses, one on e0 of pix, one on e0 of R, one on e1 of R, then not more than 10 devices behind the pix (501) can access the internet at the same time.

The above topology can be designed in cost-effective manner by not using the pix at all

private network-------------e0R1e1-------------internet.

The benefits are:

1) only one public ip address is needed.

2) more than 10 devices can access the internet

3) require one maintenance license compared to two in first case, one for pix, one for router.

So during its life-time, why would an engineer prefer pix 501 over routers to implement firewall?

Thanks a lot!

12 REPLIES

Re: pix 501 why prefer over router?

IOS router only has limited Firewall feature. This is one of the reasons.

Hall of Fame Super Blue

Re: pix 501 why prefer over router?

Sarah

if the presentation to the Internet was ethernet then instead of

pix e0--------------------e0Re1--------------internet

you could

For example, pix e0--------------------internet

It's true that routers can do firewalling as well but CBAC (the IOS FW feature set) runs in software not hardware so there is a performance hit. Also there is a good argument sometimes to have a device for firewalling that can't act as a full blown router etc.

Pix 501's also have 4 ethernet ports. For a small office which is what it was designed for this might be all the internal ports you need and therefore one device can both firewall and provide internal communication if the number of internal machines is less than 4.

Jon

Bronze

Re: pix 501 why prefer over router?

Thanks for your reply Jon!

"It's true that routers can do firewalling as well but CBAC (the IOS FW feature set) runs in software not hardware so there is a performance hit".

Does pix perform firewall operation in hardware?

Hall of Fame Super Blue

Re: pix 501 why prefer over router?

The pix and ASA are optimized for firewall functions whereas with routers the firewall functionality is one of many functions that a router should be capable of.

So a pix firewalls primary purpose is to do stateful packet inspection and it will be optimised for this. This is not the primary purpose of a router.

Jon

Hall of Fame Super Silver

Re: pix 501 why prefer over router?

Sarah

There are several reasons why an engineer might have chosen a PIX over a router:

- the PIX is a purpose built firewall and some would believe that it does that function better than a router.

- the PIX does stateful inspection of traffic passing through. Until fairly recently the router did not do stateful inspection.

- you may think this is a continuation of the previous point or you may agree that it is a new point, but the PIX does deep packet inspection and can make sure that the traffic streams conform to the expectations of the protocols being used. The router is not so good at deep packet inspection.

- one of the approaches to security that is frequently adopted is sometimes called defense in depth or may be called layered protection. With the router and the PIX you have 2 layers with each device providing its own service and its own contribution to the security of the network. With just the router you have 1 layer - and you have a single box which if compromised gives the attacker access to the network. With PIX and router there are 2 devices which must be compromised.

HTH

Rick

Bronze

Re: pix 501 why prefer over router?

Thanks for your reply Rick!

In a nutshell, you pointed out 2 reasons.

1) deeper inspection of packets

2) security approach( defense in depth)

I want to know about stateful inspection of traffic. What do we mean by stateful inspection? How does it differ from the inspection the old routers perform?

If you have any good link or can elaborate on it, I would really appreciate that.

thanks a lot!

Hall of Fame Super Blue

Re: pix 501 why prefer over router?

Sarah

Stateful inspection is primarily concerned with TCP connections. When a TCP connection is set up there are certain TCP flags set in the packets. I suspect you already know this but just in case.

Client A talks to server B on TCP port 80.

1) A sends first packet with TCP flag SYN set.

2) B responds with TCP SYN and TCP ACK set.

3) A responds with TCP ACK set.

Once the above has been done the client and server communicate using ACK flags for the packets.

So a stateful firewall checks these flags eg.

client A -> firewall -> Server B

client A sends packet with SYN set. Firewall records this packet.

Server B sends a response with SYN/ACK set. Firewall has record of A sending packet with SYN set and knows that the response from B should be SYN/ACK so it allows return traffic.

So firewall has allowed the return traffic based on the "state" of the connection.

Let's say server B sends SYN/ACK without client A sending a SYN packet first. Firewall checks its state table and cannot find a corresponding SYN packet from the client so drops the packet.

Stateful firewalling really only applies to TCP. For UDP/ICMP the firewall simply uses a timer - ie. it sees a UDP connection going out so it expects to see the reply within a certain time limit. If it does the return packet is allowed in. If not it is dropped.

Finally, stateful firewalls are not the same as proxy firewalls. Stateful firewalls check TCP flags as described. Proxy firewalls actually "understand" the specific protocol in use eg. FTP/SMTP etc. and can recognise valid and invalid commands.

The Pix/ASA firewalls are primarily stateful firewalls with elements of proxy firewalling. The proxy firewalling elements on a pix are the "fixup" commands. On the ASA they are the "inspect" commands.

Jon

Bronze

Re: pix 501 why prefer over router?

Thanks Jon for awesome reply!

routerA

access-list 110 permit tcp host 199.199.199.10 host 190.190.190.190 established
int e0
 ip access-group 110 in

Here the TCP flags, reset bit and ACK bit, are checked as well. The only difference is in stateful inspection the SYN bit is also inspected. Am I correct?

Super Bronze

Re: pix 501 why prefer over router?

"Here the tcp flags, resetbit and ack bit are checked as well. The only difference is in stateful inspection the SYN bit is also inspected. Am i correct? "

No, because a TCP packet could be forged. A stateful connection would only allow traffic from 199.199.199.10 if it "knew" there was an active TCP conversation between 199.199.199.10 and 190.190.190.190 (and likely started from 190.190.190.190). This example ACL is "stateless" (although not of much risk since 190.190.190.190 should drop unexpected packets from 190.190.190.10).

[edit]

Jon, hope you don't mind my jumping on a question directed to you, but saw it just as I finished my post.

Bronze

Re: pix 501 why prefer over router?

Thanks Josephoherty!

Super Bronze

Re: pix 501 why prefer over router?

You're welcome, and perhaps just a bit off topic, there's also reflexive access lists that can be configured w/o the FW feature set. See http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_ip_filter_ps6350_TSD_Products_Configuration_Guide_Chapter.html for more information.

Super Bronze

Re: pix 501 why prefer over router?

"I want to know about stateful inspection of traffic. What do we mean by stateful inspection? how does it differ from the inspection the old routers perform? "

In short, stateful inspection tracks what it sees as a conversation's "state". Generally when a conversation is started from the "inside", it's recorded as being active, i.e. the FW keeps track so that "outside" traffic is allowed through the FW as part of the same conversation. If the FW considers the conversation closed (inactive) it blocks outside traffic. (Usually outside traffic not part of any inside-started conversation would also be blocked.) In Jon's post, a TCP FIN (or RST) would be one method of closing an active TCP conversation.

A non-stateful rule would usually just look at addresses and/or ports and allow or disallow traffic transit without trying to keep track of the conversation's state. For instance, any traffic from the outside directed to an internal FTP server that was TCP on FTP ports might be permitted.

A stateful rule might allow TCP on FTP ports to any internal host provided the conversation was started on the internal host.

[edit]

BTW: Although FW usually targets traffic from the "outside", stateful, on some devices, can also be used from outside to inside.
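The following is an added example, not code from this thread, from Cisco, or from any PIX/IOS source. It simulates in Python the three points made above: Jon's walk-through (a SYN from the inside is recorded, a SYN/ACK is permitted only when it answers a recorded SYN, UDP is handled with a timer), Joseph's point that the `established` ACL is stateless because it only tests whether ACK or RST is set, and his note that a FIN or RST closes a tracked conversation. The addresses are the ones Sarah used in her ACL (190.190.190.190 inside, 199.199.199.10 outside); the inside prefix, port numbers, the 30-second UDP timer, the state names and the simplified close (no TIME_WAIT) are assumptions of the example.

```python
"""Toy stateful firewall beside a stateless 'established' ACL check (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()    # TCP flags: subset of {"SYN", "ACK", "FIN", "RST"}


def established_acl(pkt, permit_src, permit_dst):
    """Stateless check with the semantics of 'permit tcp host A host B established':
    match when ACK or RST is set. It never asks whether a conversation exists,
    so a forged packet with ACK set is permitted."""
    if (pkt.proto == "tcp" and pkt.src == permit_src and pkt.dst == permit_dst
            and pkt.flags & {"ACK", "RST"}):
        return "permit"
    return "drop"


class StatefulFirewall:
    """Tracks TCP conversations opened from the inside; UDP replies are allowed by a timer."""
    UDP_TIMEOUT = 30.0                # seconds (assumed value)

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix
        self.clock = 0.0              # simulated time, advanced by the caller
        self.tcp = {}                 # inside->outside 4-tuple -> connection state
        self.udp = {}                 # inside->outside 4-tuple -> reply deadline

    def _inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def process(self, pkt):
        return self._tcp(pkt) if pkt.proto == "tcp" else self._udp(pkt)

    def _tcp(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # direction as sent
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # the reply direction
        key = fwd if fwd in self.tcp else rev if rev in self.tcp else None
        f = pkt.flags
        if f == {"SYN"}:
            # only an inside host may open a conversation; the firewall records it
            if self._inside(pkt.src) and key is None:
                self.tcp[fwd] = "SYN_SENT"
                return "permit"
            return "drop"
        if key is None:
            return "drop"             # no recorded conversation: SYN/ACK, ACK, FIN, RST all dropped
        state = self.tcp[key]
        if "RST" in f:
            del self.tcp[key]         # a reset ends the conversation immediately
            return "permit"
        if f == {"SYN", "ACK"}:
            # valid only as the reply to the recorded SYN, and only in the reply direction
            if state == "SYN_SENT" and key == rev:
                self.tcp[key] = "SYN_RECEIVED"
                return "permit"
            return "drop"
        if "ACK" not in f or state == "SYN_SENT":
            return "drop"
        if state == "SYN_RECEIVED" and key == fwd:
            self.tcp[key] = "ESTABLISHED"   # third handshake packet from the opener
        if "FIN" in f:
            if self.tcp[key] == "CLOSING":
                del self.tcp[key]     # second FIN: conversation closed (simplified, no TIME_WAIT)
            else:
                self.tcp[key] = "CLOSING"
        return "permit"

    def _udp(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self._inside(pkt.src):
            self.udp[fwd] = self.clock + self.UDP_TIMEOUT   # expect the reply within the window
            return "permit"
        deadline = self.udp.get(rev)
        if deadline is not None and self.clock <= deadline:
            return "permit"
        self.udp.pop(rev, None)       # late or unsolicited reply: dropped
        return "drop"


INSIDE, OUTSIDE = "190.190.190.190", "199.199.199.10"


def run_scenario():
    """Replays the handshake, a forged ACK, an unsolicited SYN/ACK, a FIN close and a
    UDP exchange through both filters. Returns {label: (stateless, stateful)};
    the ACL sits inbound on the outside interface, so inside->outside packets report "n/a"."""
    fw = StatefulFirewall("190.190.190.")

    def tcp(src, sport, dst, dport, *flags):
        return Packet("tcp", src, sport, dst, dport, frozenset(flags))

    def both(pkt):
        acl = established_acl(pkt, OUTSIDE, INSIDE) if pkt.src == OUTSIDE else "n/a"
        return acl, fw.process(pkt)

    r = {}
    r["syn"] = both(tcp(INSIDE, 40000, OUTSIDE, 80, "SYN"))
    r["syn_ack"] = both(tcp(OUTSIDE, 80, INSIDE, 40000, "SYN", "ACK"))
    r["ack"] = both(tcp(INSIDE, 40000, OUTSIDE, 80, "ACK"))
    r["data_reply"] = both(tcp(OUTSIDE, 80, INSIDE, 40000, "ACK"))
    r["forged_ack"] = both(tcp(OUTSIDE, 80, INSIDE, 40001, "ACK"))          # no inside host opened 40001
    r["unsolicited_syn_ack"] = both(tcp(OUTSIDE, 80, INSIDE, 40002, "SYN", "ACK"))
    r["fin_in"] = both(tcp(INSIDE, 40000, OUTSIDE, 80, "FIN", "ACK"))
    r["fin_out"] = both(tcp(OUTSIDE, 80, INSIDE, 40000, "FIN", "ACK"))
    r["after_close"] = both(tcp(OUTSIDE, 80, INSIDE, 40000, "ACK"))          # conversation already closed
    query = Packet("udp", INSIDE, 50000, OUTSIDE, 53)
    reply = Packet("udp", OUTSIDE, 53, INSIDE, 50000)
    r["udp_query"] = ("n/a", fw.process(query))
    fw.clock += 5.0
    r["udp_reply_in_time"] = ("n/a", fw.process(reply))
    r["udp_query2"] = ("n/a", fw.process(query))
    fw.clock += 60.0
    r["udp_reply_late"] = ("n/a", fw.process(reply))
    return r


if __name__ == "__main__":
    for label, (stateless, stateful) in run_scenario().items():
        print(f"{label:22s} established-ACL={stateless:7s} stateful={stateful}")
```

The rows worth reading side by side are forged_ack, unsolicited_syn_ack and after_close: the `established` ACL permits all three because the ACK bit is set, while the state table has no matching inside-opened conversation and drops them. The UDP rows show the timer Jon describes: the same reply is permitted inside the window and dropped once it has expired.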
