Sneak Preview
Cisco's PIX Firewall Line Raises the Price-Performance Ante

  May 14, 2001
  By Greg Shipley


Over the past year the firewall industry has continued its game of leapfrog. Vendor X announces Function A that slightly outperforms that of Vendor Y's product, only to be eclipsed by Vendor Z's release six months later. While I imagine this will continue for some time, Cisco Systems has recently made some innovative moves that might change the game a bit.



For the past few months Network Computing has been investigating some of the newer features and models of the Cisco PIX family of firewalls. We've taken a peek at PIX OS 6.0 and its new PIX Device Manager (PDM), test-driven the high-availability features of the PIX, gone deeper into our investigation of CSPM (Cisco Secure Policy Manager), and deployed the PIX 506 at a remote site. Although Cisco still faces a number of challenges, the competition better take notice: Cisco is making the right moves in the right direction with its PIX line of firewalls.

PIXen in the Lab

My first task was to get the PIX 506, a small firewall unit aimed at the SOHO (small office/home office) market, up and running at one of our remote sites. Despite its smaller form factor (it's a stand-alone unit), fewer ports (only three) and lower CPU power, the 506 operates the same as other PIX units. Instead of simply deploying the PIX 506 and administering it over telnet or SSH (Secure Shell), I decided to test the new management features of the upcoming PIX 6.0 OS. This release has some interesting additions, the most significant being the Cisco PIX Device Manager (PDM). PDM is a new Java-based GUI management console that allows for remote administration of the units over basic HTTP with SSL (Secure Sockets Layer). PDM doesn't replace CSPM, one of Cisco's enterprise framework products, but serves as a compact, single-device-management tool. PDM runs on any JVM (Java Virtual Machine), and I had no problems running it on Microsoft Internet Explorer 5.x and Netscape Communicator 4.7.

PDM: Pretty Darn Manageable

PDM is an interesting move for Cisco, as its previous attempts at providing GUI-based PIX management tools have been nothing short of disastrous. PDM is a joy to use, however -- one of the few Java applets I have ever found helpful. PDM provides users with a remote, secure and visually pleasing method of configuring and maintaining PIX firewalls. Using PDM, administrators can configure NAT rules, protocol rules, PIX device parameters, real-time monitoring and graphing systems -- just about anything you'd want to do with a basic firewall. PDM also does something unique: It brings users the convenience of visual rule-set depiction without alienating CLI (command-line interface) junkies.

For example, PDM lets you perform most functions in the GUI, yet still allows you to submit direct command-line queries to the PIX. In a world where layers of abstraction are being shoved down our throats, I found this GUI-CLI balance incredibly refreshing. Best of all, PDM is downloaded to your browser over HTTPS (HTTP Secure) anytime you need to use it.
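Because PDM is served by an HTTPS listener on the firewall itself, the list of hosts allowed to reach that listener is the control that matters. The fragment below is an added example, not configuration from the article or from Cisco's documentation; the 10.1.1.0/24 management subnet and the interface name "inside" are assumptions, and lines beginning with ! are annotations rather than PIX commands.

```text
! Added example (not from the article). Subnet and interface name are assumptions.
! Turn on the embedded HTTPS server that delivers the PDM applet (PIX OS 6.0)
http server enable

! Weak setting: any host reachable via the outside interface gets the PDM login prompt
! http 0.0.0.0 0.0.0.0 outside

! Corrected setting: only the management subnet behind the inside interface
http 10.1.1.0 255.255.255.0 inside

! Persist the change
write memory
```

The same pattern applies to the CLI paths the article mentions: the telnet and ssh commands on the PIX take the same address, mask and interface arguments, so administrative access over every path can be pinned to one management subnet.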

Moving to the enterprise front, I decided to get friendly with the PIX 525 series. The Chicago partner lab I tested it in uses a combination of PIXes, Nokia-Check Point Software Technologies devices, Linux and Cisco routers for its firewall needs. The lab supports production VPNs, a dozen operating systems and multiple Ethernet segments. When I received the PIX 525s running PIX OS 5.2, I moved one into the position of our outermost production firewall. The device took the place of an older PIX 520 that was running a 4.x version of the PIX operating system.

Figure: Cisco's new PIX Device Manager (screen view)

Running the 525

For those who have been away from the PIX for a while, Cisco apparently is making a push to retreat from its conduit notation in favor of the more traditional ACLs (access-control lists). Although conduits are still supported, you can use only one notation or the other. The newer PIX OSes accept the older configuration file formats, but I opted for ACLs. This made my life easier, because newer documentation and sample configurations use ACLs. After a few hours of retooling my brain and attempting to think like a router jockey, I was up and running.
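The practical difference between the two notations is argument order: a conduit names the translated (global) address first and the foreign source second, while an ACL reads source-then-destination as on a router and is bound to an interface with access-group. The fragment below is an added example written for this page, not a configuration from the article; the addresses come from documentation ranges and the interface names are assumptions, and lines beginning with ! are annotations.

```text
! Added example (not from the article). Addresses and interface names are constructed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Publish the internal web server 10.1.1.10 at the public address 203.0.113.10
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0

! Older conduit notation: global address and port first, then the foreign (source) address
! conduit permit tcp host 203.0.113.10 eq www any

! ACL notation (PIX OS 5.x/6.x): source first, destination second; on these releases the
! destination is still the translated (global) address, not the real inside address
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
```

Only one of the two rule lines should be active for a given interface, which is why the conduit is shown commented out. The ACL form also carries an implicit deny at the end of the list, so anything not listed for the outside interface is dropped once the access-group is applied.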

I ran the single PIX 525 in the pole position for a few weeks, then I decided to move it into high-availability/failover mode. Much to my surprise, the process was painless. The failover capabilities of the PIX come in two flavors: stateful and stateless. Stateful failover allows the firewalls to maintain actual session states, providing an almost seamless transition from one unit to the other. Stateless failover lets the secondary unit assume the role of the primary, but all sessions then have to be re-created upon failover. Neither feature supports VPN failover, and I'm not sure why anyone would want to use stateless failover.

Configuring the pair for stateful failover consisted of four simple steps: making configuration changes to place the interfaces and firewall into failover mode, attaching a proprietary failover cable between the two PIX units, placing a crossover cable between two of the interfaces (used for state data) and turning on the secondary unit. There were no elaborate synchronization procedures, no places to mess up a mirror configuration and, essentially, no hassle. I didn't even have to log into the second unit -- I just had to power it on. In fact, I did the whole thing while other people were working, and no one even noticed. The process took 20 minutes -- tops. The revamped documentation Cisco ships with the PIX is an immense help and is loaded with sample configurations.
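The configuration half of those four steps amounts to a handful of failover commands entered on the primary unit only; the secondary picks up the full configuration over the failover cable once it is powered on. The fragment below is an added example, not the article's configuration; it uses PIX OS 5.2/6.0 syntax, the addresses and the "stateif" interface name are assumptions, and lines beginning with ! are annotations.

```text
! Added example (not from the article). Addresses and interface names are constructed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! Dedicated interface for session-state replication (the crossover-cabled pair)
nameif ethernet2 stateif security50
interface ethernet2 100full
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address stateif 192.168.254.1 255.255.255.0

! Step 1: addresses the standby unit uses on each interface while it is secondary
failover ip address outside 203.0.113.3
failover ip address inside 10.1.1.2
failover ip address stateif 192.168.254.2

! Nominate the state-replication link; without this line failover is stateless
failover link stateif

! Interval between hello packets on the failover cable, in seconds
failover poll 15

! Enable failover, then save
failover
write memory

! Steps 2-4 are physical: attach the proprietary failover cable, cross-connect ethernet2 on
! both units, then power on the secondary. Confirm with:  show failover
```

As the article notes, VPN sessions are not carried across a failover on these releases, so a tunnel terminated on the primary has to be re-established after the secondary takes over.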

For the next few weeks my favorite pastime became yanking out the power cable from one of the two PIXes every other day. Although this made my colleagues nervous for the first week, they relaxed when my 20th cord-ripping session hadn't resulted in even a hiccup.

VPN Voyage

I also took the VPN functionality for a quick test-drive. After banging my head against the wall for a few days, I was finally told not to use the Cisco PIX VPN client but instead to use the Cisco Secure VPN Concentrator client. Sure enough, the Concentrator client worked like a charm. I had our Microsoft Windows machines tunneling into our test segment and authenticating (via RADIUS) without problems. Because Cisco's VPN product family has been assembled from a number of acquisitions, some confusion remains as to which clients apply to which VPN products. Fortunately, Cisco is attempting to solve this problem by moving to a single client; it has promised that version 3.0 of the VPN client will bring an end to this client craziness.

Cisco also released the PIX 535, its first gigabit-equipped firewall, earlier this year. The PIX units are solid-state appliances, are easy to configure for stateful failover, offer easy-to-use GUI management and have inexpensive VPN licensing ($250 for 100 users). What else makes the PIX an extremely desirable enterprise solution? Price. At $27,000 for a pair of PIX 525s and an unlimited session license, Cisco's competitors better watch out: The PIX is coming on strong.

Greg Shipley is director of security services for Chicago-based Neohapsis. Send your comments on this article to him at gshipley@neohapsis.com.