cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
994
Views
0
Helpful
12
Replies

pix 501 why prefer over router?

sarahr202
Level 5
Level 5

Hi every body!

I was reading about the pix 501 and its features. One of the features, is firewall by nat. Without upgrate, pix 501 can perform nat for only 10 devices. i understand that this is end-of -sale device. But before that, why would an engineer choose to use pix 501 instead of routers ?

For example, pix e0--------------------e0Re1--------------internet

In above case, i have to use three public ip address, one on e0 of pix,one on e0R, one on e1 on R, then not more than 10 devices behind pix(501) can access the internet at the same time.

The above topology can be designed in cost-effective manner by not using the pix at all

private network-------------e0R1e1-------------internet.

The benefits are:

1) only one public ip address is needed.

2) more than 10 devices can access the internet

3) require one maintenance license compared to two in first case, one for pix, one for router.

So during its life-time, why would an engineer prefer pix 501 over routers to implement firewall?

Thanks a lot!

6 Accepted Solutions

Accepted Solutions

Yudong Wu
Level 7
Level 7

IOS router only has limited Firewall feature. This is one of the reasons.

View solution in original post

Jon Marshall
Hall of Fame
Hall of Fame

Sarah

if the presentation to the Internet was ethernet then instead of

pix e0--------------------e0Re1--------------internet

you could

For example, pix e0--------------------internet

It's true that routers can do firewalling as well but CBAC (the IOS FW feature set) runs in software not hardware so there is a performance hit. Also there is a good argument sometimes to have a device for firewalling that can't act as a full blown router etc.

Pix 501's also have 4 ethernet ports. For a small office which is what it was designed for this might be all the internal ports you need and therefore one device can both firewall and provide internal communication if the number of internal machines is less than 4.

Jon

View solution in original post

Richard Burts
Hall of Fame
Hall of Fame

Sarah

There are several reasons why an engineer might have chosen a PIX over a router:

- the PIX is a purpose built firewall and some would believe that it does that function better than a router.

- the PIX does stateful inspection of traffic passing through. Until fairly recently the router did not do stateful inspection.

- you may think this is a continuation of the previous point or you may agree that it is a new point, but the PIX does deep packet inspection and can make sure that the traffic streams conform to the expectations of the protocols being used. The router is not so good at deep packet inspection.

- one of the approaches to security that is frequently adopted is sometimes called defense in depth or may be called layered protection. With the router and the PIX you have 2 layers with each device providing its own service and its own contribution to the security of the network. With just the router you have 1 layer - and you have a single box which if compromised gives the attacker access to the network. With PIX and router there are 2 devices which must be compromised.

HTH

Rick

HTH

Rick

View solution in original post

Sarah

Stateful inpsection is primarily concerned with TCP connections. When a TCP connection is setup there are certain TCP flags set in the packets. I suspect you already know this but just in case.

Client A talks to server B on TCP port 80.

1) A sends first packet with TCP flag SYN set.

2) B responds with TCP SYN and TCP ACK set.

3) A responds with TCP ACK set.

Once the above has been done the client and server communicate using ACK flags for the packets.

So a stateful firewall checks these flags eg.

client A -> firewall -> Server B

client A sends packet with SYN set. Firewall records this packet.

Server B sends a response with SYN/ACK set. Firewall has record of A sending packet with SYN set and knows that the response from B should be SYN/ACK so it allows return traffic.

So firewall has allowed the return traffic based on the "state" of the connection.

Lets say server B sends SYN/ACK without client A sending SYN packet fisrt. Firewall checks it's state table and cannot find a corresponding SYN packet from client so drops packet.

Stateful firewalling really only applies to TCP. For UDP/ICMP the firewall simply uses a timer - ie. it sees a UDP connection going out so it expects to see the reply within a certain time limit. If it does the return packet is allowed in. If not it is dropped.

Finally stateful firewalls are not the same as proxy firewalls. Stateful firewalls check TCP flags as described. Proxy firewall actually "understand" the specific protocol in use eg. FTP/SMTP etc.. and can recognise valid and invalid commands.

The Pix/ASA firewalls are primarily stateful firewalls with elements of proxy firewalling. The proxy firewalling elemenets on a pix are the "fixup" commands. On the ASA they are the "inspect" commands.

Jon

View solution in original post

"I want to know about stateful inspection of traffic. What do we mean by stateful inspection? how does it differ from the inspection the old routers perform? "

In short, stateful inspection tracks what it sees as a conversation's "state". Generally when a conservation is started from the "inside", it's recorded as being active, i.e. the FW keeps track so that "outside" traffic is allowed through the FW as part of the same conversation. If the FW considers the conversation closed (inactive) it blocks outside traffic. (Usually outside traffic not part of any inside started conversation would also be blocked.) In Jon's post, a TCP FIN (or RST) would be one method of closing an active TCP conversation.

A non-stateful rule would usually just look at addresses and/or ports and allow or disallow traffic transit without trying to keep track of the conversation's state. For instance, any traffic from the outside directed to an internal FTP server that was TCP on FTP ports might be permitted.

A stateful rule would might allow TCP on FTP ports to any internal host provided the conversation was started on the internal host.

[edit]

BTW: Although FW usually targets traffic from the "outside", stateful, on some devices, can also be used from outside to inside.

View solution in original post

"Here the tcp flags, resetbit and ack bit are checked as well. The only difference is in stateful inspection the SYN bit is also inspected. Am i correct? "

No, because a TCP packet could be forged. A stateful connection would only allow traffic from 199.199.199.10 if it "knew" there was an active TCP conversation between 199.199.199.10 and 190.190.190.190 (and likely started from 190.190.190.190). This example ACL is "stateless" (although not of much risk since 190.190.190.190 should drop unexpected packets from 190.190.190.10).

[edit]

Jon, hope you don't mind my jumping on a question directed to you, but saw it just a I finished my post.

View solution in original post

12 Replies 12

Yudong Wu
Level 7
Level 7

IOS router only has limited Firewall feature. This is one of the reasons.

Jon Marshall
Hall of Fame
Hall of Fame

Sarah

if the presentation to the Internet was ethernet then instead of

pix e0--------------------e0Re1--------------internet

you could

For example, pix e0--------------------internet

It's true that routers can do firewalling as well but CBAC (the IOS FW feature set) runs in software not hardware so there is a performance hit. Also there is a good argument sometimes to have a device for firewalling that can't act as a full blown router etc.

Pix 501's also have 4 ethernet ports. For a small office which is what it was designed for this might be all the internal ports you need and therefore one device can both firewall and provide internal communication if the number of internal machines is less than 4.

Jon

Thanks for your reply Jon!

"It's true that routers can do firewalling as well but CBAC (the IOS FW feature set) runs in software not hardware so there is a performance hit".

Does pix perform firewall operation in hardware?

The pix and ASA are optimized for firewall functions whereas with routers the firewall functionality is one of many functions that a router should be capable of.

So a pix firewalls primary purpose is to do stateful packet inspection and it will be optimised for this. This is not the primary purpose of a router.

Jon

Richard Burts
Hall of Fame
Hall of Fame

Sarah

There are several reasons why an engineer might have chosen a PIX over a router:

- the PIX is a purpose built firewall and some would believe that it does that function better than a router.

- the PIX does stateful inspection of traffic passing through. Until fairly recently the router did not do stateful inspection.

- you may think this is a continuation of the previous point or you may agree that it is a new point, but the PIX does deep packet inspection and can make sure that the traffic streams conform to the expectations of the protocols being used. The router is not so good at deep packet inspection.

- one of the approaches to security that is frequently adopted is sometimes called defense in depth or may be called layered protection. With the router and the PIX you have 2 layers with each device providing its own service and its own contribution to the security of the network. With just the router you have 1 layer - and you have a single box which if compromised gives the attacker access to the network. With PIX and router there are 2 devices which must be compromised.

HTH

Rick

HTH

Rick

Thanks for your reply Rick!

In nut shell,you pointed out 2 reasons.

1) deeper inspection of packets

2) security approach( defense in depth)

I want to know about stateful inspection of traffic. What do we mean by stateful inspection? how does it differ from the inspection the old routers perform?

If you have any good link or can elaborate on it, i would really appreciate that.

thanks a lot!

Sarah

Stateful inpsection is primarily concerned with TCP connections. When a TCP connection is setup there are certain TCP flags set in the packets. I suspect you already know this but just in case.

Client A talks to server B on TCP port 80.

1) A sends first packet with TCP flag SYN set.

2) B responds with TCP SYN and TCP ACK set.

3) A responds with TCP ACK set.

Once the above has been done the client and server communicate using ACK flags for the packets.

So a stateful firewall checks these flags eg.

client A -> firewall -> Server B

client A sends packet with SYN set. Firewall records this packet.

Server B sends a response with SYN/ACK set. Firewall has record of A sending packet with SYN set and knows that the response from B should be SYN/ACK so it allows return traffic.

So firewall has allowed the return traffic based on the "state" of the connection.

Lets say server B sends SYN/ACK without client A sending SYN packet fisrt. Firewall checks it's state table and cannot find a corresponding SYN packet from client so drops packet.

Stateful firewalling really only applies to TCP. For UDP/ICMP the firewall simply uses a timer - ie. it sees a UDP connection going out so it expects to see the reply within a certain time limit. If it does the return packet is allowed in. If not it is dropped.

Finally stateful firewalls are not the same as proxy firewalls. Stateful firewalls check TCP flags as described. Proxy firewall actually "understand" the specific protocol in use eg. FTP/SMTP etc.. and can recognise valid and invalid commands.

The Pix/ASA firewalls are primarily stateful firewalls with elements of proxy firewalling. The proxy firewalling elemenets on a pix are the "fixup" commands. On the ASA they are the "inspect" commands.

Jon

Thanks Jon for awesome reply!

routerA

access-list 110 permit tcp host 199.199.199.10 host 190.190.190.190 established

int e0

ip access-group 110 in

Here the tcp flags, resetbit and ack bit are checked as well. The only difference is in stateful inspection the SYN bit is also inspected. Am i correct?

"Here the tcp flags, resetbit and ack bit are checked as well. The only difference is in stateful inspection the SYN bit is also inspected. Am i correct? "

No, because a TCP packet could be forged. A stateful connection would only allow traffic from 199.199.199.10 if it "knew" there was an active TCP conversation between 199.199.199.10 and 190.190.190.190 (and likely started from 190.190.190.190). This example ACL is "stateless" (although not of much risk since 190.190.190.190 should drop unexpected packets from 190.190.190.10).

[edit]

Jon, hope you don't mind my jumping on a question directed to you, but saw it just a I finished my post.

Thanks Josephoherty!

Your welcome, and perhaps just a bit off topic, there's also reflective access lists that can be configured w/o FW feature set. See http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_ip_filter_ps6350_TSD_Products_Configuration_Guide_Chapter.html for more information.

"I want to know about stateful inspection of traffic. What do we mean by stateful inspection? how does it differ from the inspection the old routers perform? "

In short, stateful inspection tracks what it sees as a conversation's "state". Generally when a conservation is started from the "inside", it's recorded as being active, i.e. the FW keeps track so that "outside" traffic is allowed through the FW as part of the same conversation. If the FW considers the conversation closed (inactive) it blocks outside traffic. (Usually outside traffic not part of any inside started conversation would also be blocked.) In Jon's post, a TCP FIN (or RST) would be one method of closing an active TCP conversation.

A non-stateful rule would usually just look at addresses and/or ports and allow or disallow traffic transit without trying to keep track of the conversation's state. For instance, any traffic from the outside directed to an internal FTP server that was TCP on FTP ports might be permitted.

A stateful rule would might allow TCP on FTP ports to any internal host provided the conversation was started on the internal host.

[edit]

BTW: Although FW usually targets traffic from the "outside", stateful, on some devices, can also be used from outside to inside.

Review Cisco Networking for a $25 gift card