Traffic flow considerations for the Cisco PIX Firewall

In most small environments, firewalls are deployed in simple, common schemes, such as a firewall with three "legs": one for the Internet, one for the intranet and one for a DMZ. Another common scheme is two firewalls in series, where you have the intranet, a firewall, the DMZ, another firewall and finally the Internet. But as time goes by, things seem to become more complex. Some designs can get fairly contorted, putting firewalls in awkward positions that can compromise your security if you're not careful.

In any event, you need to pay attention to how traffic flows through your firewall. And this is particularly true of the Cisco PIX Firewall. While it's one of the most highly regarded firewalls, it does have some quirks that may not be obvious to the casual observer.

• Learn the basic preparation and configuration required to use the network firewall features of the Cisco PIX Firewall.
• Find out how Cisco rated in Information Security magazine's pick for network firewall of the year.
• Cisco offers security certification.

Primarily, you should make sure that the security levels on the interfaces reflect the realities of the traffic that flows through your network. This is because of the way the Adaptive Security Algorithm works. For starters, the ASA sets the default permissions. By default traffic is allowed to pass from an interface with a "higher" security level to a "lower" security level (such as from the Inside (100) to Outside (0) interfaces) but not from lower to higher. However, you may be tempted to override those with access-control lists, because, for example, another administrator wants to place a server in a zone where it really doesn't belong, and expects you to secure it anyway. Or maybe you want traffic to go in and out of a zone through the same interface.

So, you can configure the PIX in this manner, and it will block traffic like you configure, but what you need to realize is that you may not be getting the benefit of all the PIX's stateful features, again because of the way the ASA works. Specifically, features like the inspection engines and HTTP(S) and FTP filtering only work in one direction. For example, SMTP inspection is only from lower to higher interfaces, while NetBIOS inspection only applies from higher to lower interfaces. Filtering is only from higher to lower.

Thus, you may be paying for and expecting the robust protection of a top-shelf firewall, but designing yourself into a level of protection not much better than ACLs on a regular router. So as a general rule of thumb, don't put any security device into an unconventional situation without some due diligence.

One last caveat: The details of the behavior of these features may change as new versions of the PIX OS are released, so don't rely on my examples above to guide your design; check it yourself on CCO.

About the author
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.

This tip originally appeared on our sister site, SearchNetworking.com.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Network Security Tactics,   Network Security: Tools, Products, Software,   Network Firewalls, Routers and Switches,   Enterprise Network Security,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Screencast: Find rogue wireless acess points with Vistumbler How to prepare for a secure network hardware upgrade Preventing SQL injection attacks: A network admin's perspective Screencast: How to launch an OpenVAS scan Wireless network guidelines for PCI DSS compliance Aligning network security with business priorities Scanning with N-Stalker offers basic Web application security assessment Lifecycle of a network security vulnerability Screencast: BackTrack 4 offers an arsenal of penetration testing tools Network access control technology: Over-hyped or underused? Network Firewalls, Routers and Switches How to prepare for a secure network hardware upgrade Best Network Firewall Products What is the difference between static and dynamic network validation? Screencast: Smoothwall offers firewall defense in lean times New Cisco IOS bugs pose tempting targets, says Black Hat researcher How to implement virtual firewalls in a complex network infrastructure How to manage network bandwidth with distributed ISP bandwidth Firewall rule management best practices Should enterprises be running multiple firewalls? What are the disadvantages of proxy-based firewalls? RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bastion host  (SearchSecurity.com) firewall  (SearchSecurity.com) Firewall Builder  (SearchSecurity.com) screened subnet  (SearchSecurity.com) virus  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.