PIX Not an Enterprise Solution?

firechicken
Level 1

Hi all,

I had a co-worker tell me that the PIX is not an enterprise solution. Since I've never worked for a large corporation, I couldn't say if he was right or not.

Your thoughts? Also - has the PIX OS ever been compromised?

Thanks in advance!

Andrew

2 Replies

gfullage
Cisco Employee

Mr. Chicken,

The PIX is definitely an enterprise solution. The different PIX models cater for home users right up to major corporations. The PIX-535 for example, can handle up to 500,000 connections and throughput of 1.7Gbps, if that's not an enterprise solution I don't know what is (we wouldn't be number 1 or 2 (depending on who you read) in the market without having an enterprise solution). The FWSM (PIX on a blade in a Cat6500) is the fastest firewall in the industry, 100,000 connections PER SECOND, 5Gbps throughput and a million connections in total.

You can read about the different PIX models (501 being the smallest up to the 535) here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheets_list.html

You can't really compromise the OS. If you mean has anyone ever passed traffic through a PIX when it was specifically denied, then as far as I know (been working with them for 5 years now), the answer is no.

Have hackers broken into servers behind PIXes, certainly, but they can only do it on the ports that you specifically allow through. For example, if you have an IIS web server inside then obviously you want to allow port 80 through to it. If there's a vulnerability in IIS that allows someone to take over that server then the PIX isn't going to stop that because all it sees is port 80 traffic. It's important, like anything else to do with security, to keep all software (servers, firewalls, routers, gateways, etc) up to date with the latest patches.

You also can't telnet into the outside interface of a PIX, and we strongly recommend you only allow SSH access from the inside. Like any other device the PIX would be susceptible to a dictionary-type attack if someone had access to log in to it, so that they could try and guess the password. It does post syslog messages when there have been too many invalid login attempts also.

Hope that helps.
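The syslog messages mentioned above are only useful if something watches them. As an added example (not from the original thread or from Cisco), the script below counts denied-login messages per source address over a sliding time window and flags likely password guessing; the log lines are constructed, and the "Login denied" message shape (%PIX-6-605004) is an assumption about the format, so adjust the regex to what your PIX version actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not real device output). The message ID and
# wording are assumed for this example; match them to your firewall's format.
SAMPLE_LOG = """\
Mar 10 09:15:01 pix1 %PIX-6-605004: Login denied from 203.0.113.7/41022 to inside:10.0.0.1/ssh for user "admin"
Mar 10 09:15:03 pix1 %PIX-6-605004: Login denied from 203.0.113.7/41023 to inside:10.0.0.1/ssh for user "admin"
Mar 10 09:15:04 pix1 %PIX-6-605005: Login permitted from 10.0.0.50/5123 to inside:10.0.0.1/ssh for user "andrew"
Mar 10 09:15:06 pix1 %PIX-6-605004: Login denied from 203.0.113.7/41024 to inside:10.0.0.1/ssh for user "root"
Mar 10 09:15:09 pix1 %PIX-6-605004: Login denied from 203.0.113.7/41025 to inside:10.0.0.1/ssh for user "cisco"
Mar 10 09:20:30 pix1 %PIX-6-605004: Login denied from 198.51.100.9/50001 to inside:10.0.0.1/ssh for user "admin"
"""

# Only the denied-login message is of interest; everything else is skipped.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %PIX-\d-\d+: "
    r"Login denied from (?P<src>[\d.]+)/\d+ to \S+ for user \"(?P<user>[^\"]*)\""
)

def parse_ts(ts, year=2004):
    # Syslog timestamps carry no year, so one is supplied to make them comparable.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bruteforce(log_text, threshold=4, window_s=60):
    """Return {src_ip: (first_ts, last_ts, users_tried)} for every source that
    produced at least `threshold` denied logins within any `window_s` seconds."""
    recent = defaultdict(deque)   # src -> (timestamp, user) pairs inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        ts, src, user = parse_ts(m["ts"]), m["src"], m["user"]
        q = recent[src]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()           # drop attempts that fell out of the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], ts, sorted({u for _, u in q}))
    return alerts

if __name__ == "__main__":
    for src, (first, last, users) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} usernames tried between {first:%H:%M:%S} and {last:%H:%M:%S}")
```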

The PIX is definitely an enterprise solution. We use the FWSMs, 535s and 515 in our organization and they all perform well. The PIX is very reliable and is as good as any firewall.

What is holding the PIX back is a true management solution. I know Cisco is looking at the Firewall MC to fit this role but it is not adequate when compared to CheckPoint Dashboard and Tracker for example.

When Cisco gets the management console correct then all will be good.
