Cisco PIX

Cisco PIX (Private Internet eXchange) was a popular IP firewall and network address translation (NAT) appliance. It was one of the first products in this market segment.

In 2005, Cisco introduced the newer Cisco Adaptive Security Appliance (Cisco ASA), which inherited many of the PIX features, and in 2008 announced the PIX end-of-sale.

The PIX technology was also sold as a blade, the FireWall Services Module (FWSM), for the Cisco Catalyst 6500 switch series and the 7600 Router series, but it reached end-of-support status on September 26, 2007. [1]

PIX

History

PIX was originally conceived in early 1994 by John Mayes of Redwood City, California and designed and coded by Brantley Coile of Athens, Georgia. The PIX name is derived from its creators' aim of creating the functional equivalent of an IP PBX to solve the then-emerging registered IP address shortage. At a time when NAT was just being investigated as a viable approach, they wanted to conceal a block or blocks of IP addresses behind one or more registered IP addresses, much as PBXs do for internal phone extensions. When they began, RFC 1597 and RFC 1631 were being discussed, but the now-familiar RFC 1918 had not yet been submitted.

The design and testing were carried out in 1994 by John Mayes, Brantley Coile and Johnson Wu of Network Translation, Inc., with Brantley Coile being the sole software developer. Beta testing of PIX serial number 000000 was completed and first customer acceptance took place on December 21, 1994 at KLA Instruments in San Jose, California. The PIX quickly became one of the leading enterprise firewall products and was awarded the Data Communications Magazine "Hot Product of the Year" award in January 1995. [2]

Shortly before Cisco acquired Network Translation in November 1995, Mayes and Coile hired two longtime associates, Richard (Chip) Howes and Pete Tenereillo, and shortly after the acquisition two more longtime associates, Jim Jordan and Tom Bohannon. Together they continued development on Finesse OS and the original version of the Cisco PIX Firewall, now known as the PIX "Classic". During this time, the PIX shared most of its code with another Cisco product, the LocalDirector.

On January 28, 2008, Cisco announced the end-of-sale and end-of-life dates for all Cisco PIX Security Appliances, software, accessories, and licenses. The last day for purchasing Cisco PIX Security Appliance platforms and bundles was July 28, 2008. The last day to purchase accessories and licenses was January 27, 2009. Cisco ended support for Cisco PIX Security Appliance customers on July 29, 2013. [3] [4]

In May 2005, Cisco introduced the ASA which combines functionality from the PIX, VPN 3000 series and IPS product lines. The ASA series of devices run PIX code 7.0 and later. Through PIX OS release 7.x the PIX and the ASA use the same software images. Beginning with PIX OS version 8.x, the operating system code diverges, with the ASA using a Linux kernel and PIX continuing to use the traditional Finesse/PIX OS combination. [5]

Software

The PIX runs a custom-written proprietary operating system originally called Finesse (Fast Internet Service Executive), but as of 2014 the software is known simply as PIX OS. Although classified as a network-layer firewall with stateful inspection, the PIX would more precisely be called a Layer 4 (Transport Layer) firewall, since its access control is not limited to Network Layer routing but operates on socket-based connections (an IP address and port pair; port-level communication occurs at Layer 4). By default it allows connections from the inside out (outbound traffic), and only allows inbound traffic that is a response to a valid request or that is explicitly permitted by an Access Control List (ACL) or by a conduit. Administrators can configure the PIX to perform many functions, including network address translation (NAT) and port address translation (PAT), and to serve as a virtual private network (VPN) endpoint appliance.

The PIX became the first commercially available firewall product to introduce protocol-specific filtering, with the introduction of the "fixup" command. The PIX "fixup" capability allows the firewall to apply additional security policies to connections identified as using specific protocols. Protocols for which specific fixup behaviors were developed include DNS and SMTP. The DNS fixup originally implemented a very simple but effective security policy: it allowed just one DNS response from a DNS server on the Internet (the outside interface) for each DNS request from a client on the protected (inside) interface. The "inspect" command has superseded "fixup" in later versions of PIX OS.
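As an added illustration (not code from the article or from Cisco), the following Python model captures the two behaviours described above: the default policy that lets inside hosts out and admits outside traffic only when it matches existing state or an explicit ACL entry, and the DNS fixup rule that accepts exactly one response per outstanding query. All addresses, ports and transaction IDs are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    """Minimal packet model (constructed for this example)."""
    iface: str                      # "inside" or "outside": arrival interface
    proto: str                      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    dns_id: Optional[int] = None    # DNS transaction id for UDP/53 traffic

@dataclass
class PixLikeFilter:
    """Stateful filter modelled on the PIX defaults: inside->outside is permitted
    and creates connection state; outside->inside is permitted only if it matches
    existing state or an explicit ACL entry (modelled as (dst, dport) pairs).
    The DNS fixup removes a query's state after its first matching answer, so a
    second or unsolicited answer for that query is dropped."""
    acl: set = field(default_factory=set)
    conns: set = field(default_factory=set)          # 5-tuples of known flows
    dns_pending: dict = field(default_factory=dict)  # flow -> outstanding txids

    def process(self, p: Packet) -> str:
        if p.iface == "inside":
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            self.conns.add(key)
            if p.proto == "udp" and p.dport == 53 and p.dns_id is not None:
                self.dns_pending.setdefault(key, set()).add(p.dns_id)
            return "permit"
        # outside -> inside: reverse the tuple to find the originating flow
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.conns:
            if p.proto == "udp" and p.sport == 53:
                pending = self.dns_pending.get(key, set())
                if p.dns_id not in pending:
                    return "deny"          # duplicate or unsolicited answer
                pending.discard(p.dns_id)  # exactly one answer per query
                if not pending:            # nothing outstanding: close the flow
                    self.conns.discard(key)
                    self.dns_pending.pop(key, None)
            return "permit"
        return "permit" if (p.dst, p.dport) in self.acl else "deny"

def demo() -> list:
    """Run a constructed packet sequence through the filter and return verdicts."""
    fw = PixLikeFilter(acl={("10.0.0.5", 80)})  # hypothetical ACL: inside web server
    q = Packet("inside", "udp", "10.0.0.9", 40000, "198.51.100.1", 53, dns_id=0x1A2B)
    r = Packet("outside", "udp", "198.51.100.1", 53, "10.0.0.9", 40000, dns_id=0x1A2B)
    stray = Packet("outside", "udp", "198.51.100.1", 53, "10.0.0.9", 40000, dns_id=0x9999)
    web = Packet("outside", "tcp", "203.0.113.7", 5555, "10.0.0.5", 80)
    telnet = Packet("outside", "tcp", "203.0.113.7", 5556, "10.0.0.5", 23)
    return [fw.process(x) for x in (stray, q, r, r, stray, web, telnet)]
```

The sequence in `demo()` shows an answer arriving before any query being dropped, the first real answer passing, the replayed answer being dropped once the query state is gone, and ACL-permitted versus unlisted inbound TCP being handled differently.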

The Cisco PIX was also one of the first commercially available security appliances to incorporate IPSec VPN gateway functionality.

Administrators can manage the PIX via a command line interface (CLI) or via a graphical user interface (GUI). They can access the CLI from the serial console, telnet and SSH. GUI administration originated with version 4.1, and it has been through several incarnations. [6] [7] [8]

Because Cisco acquired the PIX from Network Translation, the CLI originally did not align with the Cisco IOS syntax. Starting with version 7.0, the configuration became much more IOS-like.

Hardware

PIX 515 with top cover removed

The original NTI PIX and the PIX Classic had cases that were sourced from OEM provider Appro. All flash cards and the early encryption acceleration cards, the PIX-PL and PIX-PL2, were sourced from Productivity Enhancement Products (PEP). [9] Later models had cases from Cisco OEM manufacturers.

The PIX was constructed using Intel-based/Intel-compatible motherboards; the PIX 501 used an Am5x86 processor, and all other standalone models used Intel 80486 through Pentium III processors.

The PIX boots off a proprietary ISA flash memory daughtercard in the case of the NTI PIX, PIX Classic, 10000, 510, 520, and 535, and off integrated flash memory in the case of the PIX 501, 506/506e, 515/515e, 525, and WS-SVC-FWM-1-K9. The latter is the part code for the PIX technology implemented in the FireWall Services Module for the Catalyst 6500 and the 7600 Router.

Adaptive Security Appliance (ASA)

The Adaptive Security Appliance is a network firewall made by Cisco. It was introduced in 2005 to replace the Cisco PIX line. [10] Along with stateful firewall functionality, another focus of the ASA is Virtual Private Network (VPN) functionality. It also features Intrusion Prevention and Voice over IP support. The ASA 5500 series was followed by the 5500-X series, which focuses more on virtualization than on hardware-accelerated security modules.

History

In 2005 Cisco released the 5510, 5520, and 5540 models. [11]

Software

The ASA continues using the PIX codebase but, when the ASA OS software transitioned from major version 7.X to 8.X, it moved from the Finesse/PIX OS operating system platform to the Linux operating system platform. It also integrates features of the Cisco IPS 4200 intrusion prevention system and the Cisco VPN 3000 Concentrator. [12]

Hardware

The ASA continues the PIX lineage of Intel 80x86 hardware.

Security vulnerabilities

The Cisco PIX VPN product was hacked by the NSA-tied [13] group Equation Group sometime before 2016. Equation Group developed a tool code-named BENIGNCERTAIN that reveals the pre-shared password(s) to the attacker (CVE-2016-6415 [14]). Equation Group was later hacked by another group called The Shadow Brokers, which published this exploit, among others, publicly. [15] [16] [17] [18] According to Ars Technica, citing the Snowden leaks, the NSA likely used this vulnerability to wiretap VPN connections for more than a decade. [19]

The Cisco ASA line was also hacked by Equation Group. The vulnerability requires that both SSH and SNMP be accessible to the attacker. The NSA codename for this exploit was EXTRABACON. The bug and exploit (CVE-2016-6366 [20]) were also leaked by The Shadow Brokers, in the same batch of exploits and backdoors. According to Ars Technica, the exploit can easily be made to work against more modern versions of Cisco ASA than the leaked exploit handles. [21]

On January 29, 2018, a vulnerability in the Cisco ASA line was disclosed by Cedric Halbronn of NCC Group. A use-after-free bug in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated remote attacker to cause a reload of the affected system or to execute code remotely. The bug is tracked as CVE-2018-0101. [22] [23] [24]

References

  1. "Cisco Services Modules - Support - Cisco".
  2. "History of NTI and the PIX Firewall by John Mayes" (PDF).
  3. "End of Sale for Cisco PIX Products". Cisco. 2008-01-28. Retrieved 2008-02-20.
  4. "Cisco PIX 500 Series Security Appliances - Retirement Notification". Cisco. 2013-07-29. Retrieved 2018-11-04.
  5. "Cisco open source license page". Retrieved 2007-08-21.
  6. "FAQs for Cisco PFM". Retrieved 2007-06-19.
  7. "Documentation on Cisco PDM". Retrieved 2007-06-19.
  8. "Documentation on Cisco ASDM". Archived from the original on 2007-06-16. Retrieved 2007-06-19.
  9. "Notes on PIX production".
  10. Joseph, Muniz; McIntyre, Gary; AlFardan, Nadhem (29 October 2015). Security Operations Center: Building, Operating, and Maintaining your SOC. Cisco Press. ISBN 978-0134052014.
  11. Francis, Bob (May 9, 2005). "Security Takes Center Stage at Interop". InfoWorld. 27 (19): 16.
  12. "Archived copy" (PDF). Archived from the original (PDF) on 2016-10-05. Retrieved 2016-02-11.
  13. "The NSA leak is real, Snowden Documents confirm". 19 August 2016. Retrieved 2016-08-19.
  14. "National vulnerability database record for BENIGNCERTAIN". web.nvd.nist.gov.
  15. "Researcher Grabs VPN Password With Tool From NSA Dump". 19 August 2016. Retrieved 2016-08-19.
  16. "NSA's Cisco PIX exploit leaks". www.theregister.co.uk.
  17. "Did the NSA Have the Ability to Extract VPN Keys from Cisco PIX Firewalls?". news.softpedia.com. 19 August 2016.
  18. "NSA Vulnerabilities Trove Reveals 'Mini-Heartbleed' For Cisco PIX Firewalls". www.tomshardware.com. 19 August 2016.
  19. "How the NSA snooped on encrypted Internet traffic for a decade". 19 August 2016. Retrieved 2016-08-22.
  20. "National vulnerability database record for EXTRABACON". web.nvd.nist.gov.
  21. "NSA-linked Cisco exploit poses bigger threat than previously thought". 23 August 2016. Retrieved 2016-08-24.
  22. "National vulnerability database record - CVE-2018-0101". web.nvd.nist.gov.
  23. "Advisory - Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability". tools.cisco.com.
  24. "CVE-2018-0101 - A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security A - CVE-Search". cve.circl.lu. 2023-08-15. Retrieved 2023-09-05.