Book Excerpt: Cisco Secure Internet Security Solutions, part 2
Are you considering the purchase of a Cisco firewall? This excerpt from the Cisco Press book, Cisco Secure Internet Security Solutions, deals with their Secure Private Internet Exchange Firewall, or PIX. Part 2 of Chapter 4 covers basic configuration commands and parameters.
Cisco Secure Internet Security Solutions - Chapter 4
Cisco Secure PIX Firewall - Part 2
by Andrew Mason, Mark Newcomb
This section defines terms and gives explanations of how different scenarios require different hardware and software configurations.
The basic PIX configuration is extremely simple. By default, this configuration allows outgoing packets, and the reply packets they generate, into the LAN. This configuration also denies all ICMP packets traversing the PIX from the outside to the inside, even when such a packet is in response to a ping issued from the inside.
Like any other Cisco IOS device, the Cisco PIX has a command-line interface (CLI) with a user mode and an enable mode. For the moment, you will configure the PIX by connecting the console port on the PIX to a serial port on a computer using the cable you received with the PIX Firewall. Some of the commands will be familiar and some will be new. Each scenario in this section builds on the previous scenario.
If you issue a show config command and see a number of items that do not appear in a particular configuration shown here, do not panic. The PIX enters a number of defaults into the configuration when booting. These defaults can be changed. This chapter deals with the most frequently used commands first. If you simply cannot wait to see what a command does, look in the index and jump ahead to the section concerning that command.
The basic configuration for the PIX is illustrated in Figure 4-5. In this scenario, the PIX is used to protect a single LAN from the Internet. Notice in Figure 4-5 that the perimeter router and the connection between the perimeter router and the outside interface of the PIX are unprotected. The perimeter router should be hardened against attacks--especially DoS attacks--because it is not protected by the PIX Firewall. Chapter 10, "Securing the Corporate Network," deals with securing a perimeter router. Any device that is outside of the PIX Firewall cannot be protected by the PIX. If possible, only the perimeter router should reside on the unprotected side of the network. Take a few minutes to study Figure 4-5, which you can use to define terms such as inside, outside, protected, and unprotected.
As shown in Figure 4-5, there is an inside and an outside interface on the PIX. The outside interface is less trusted than the inside interface. The inside interface has a security level of 100. The outside interface has a security level of 0. The security level is what determines whether packets originating from a particular interface are trusted by another interface. The higher the security level, the more an interface is trusted. This premise becomes more important as you build systems with multiple DMZs. When packets are trusted, they are allowed through an interface by default. When packets are not trusted, they are not allowed through by default.
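The default forwarding behavior described above (higher security level to lower passes by default, replies to tracked outbound connections come back, everything else is denied, and inbound ICMP is dropped even as a ping reply) can be modeled in a few lines. This is an added illustration, not PIX code or the book's own material; the interface names, security levels beyond the inside/outside pair, and the packet fields are assumptions, and the model generalizes the two-interface case to the multiple-DMZ layout the text mentions.

```python
"""Toy model of the PIX default policy (constructed example, not PIX code)."""
from dataclasses import dataclass

# Default levels from the text; a DMZ interface is an assumed addition.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Packet:
    src_if: str   # interface the packet arrives on
    dst_if: str   # interface it would leave by
    proto: str    # "tcp", "udp" or "icmp"
    src: str      # source address (constructed sample values in the tests)
    dst: str      # destination address


class PixDefaultPolicy:
    """Decides whether a packet is forwarded under the default (no conduit/ACL) rules."""

    def __init__(self, levels=SECURITY_LEVEL):
        self.levels = dict(levels)
        # (proto, src, dst) of connections first seen leaving a more trusted interface.
        self.sessions = set()

    def forward(self, p: Packet) -> bool:
        src_lvl, dst_lvl = self.levels[p.src_if], self.levels[p.dst_if]
        if src_lvl > dst_lvl:
            # Higher security to lower is trusted by default. Remember TCP/UDP
            # sessions so the reply can return; ICMP replies are never let back in.
            if p.proto != "icmp":
                self.sessions.add((p.proto, p.src, p.dst))
            return True
        if p.proto == "icmp":
            # Denied from a less trusted interface even in response to an inside ping.
            return False
        # Lower (or equal) security to higher: only a reply to a tracked session passes.
        return (p.proto, p.dst, p.src) in self.sessions


def run_scenario():
    """Walks the inside -> outside web request and its reply; returns the decisions."""
    pix = PixDefaultPolicy()
    out = Packet("inside", "outside", "tcp", "10.1.1.5", "203.0.113.7")
    reply = Packet("outside", "inside", "tcp", "203.0.113.7", "10.1.1.5")
    unsolicited = Packet("outside", "inside", "tcp", "203.0.113.9", "10.1.1.5")
    return [pix.forward(out), pix.forward(reply), pix.forward(unsolicited)]
```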