Skip to main content

Difference between PIX and ASA firewalls

 What is a Cisco PIX?

A Cisco PIX is a dedicated hardware firewall appliance. All Cisco PIX versions have model numbers in the 500s. The most popular model for home offices and small networks is the PIX 501; many midsize companies use the PIX 515 as a corporate firewall.

PIX firewalls run the PIX operating system. While the PIX OS is quite similar to the Cisco IOS, there are enough differences to cause some frustration for users more familiar with IOS.

The firewall sports the PIX Device Manager (PDM) for a graphical interface. This GUI is a Java application downloaded through a Web browser.
Typically, a PIX firewall has an outside interface that connects to the inside of an Internet router and goes to the public Internet. It also has an inside interface that connects to a LAN switch, going to the private internal network.

What is a Cisco ASA?

A Cisco ASA is a new firewall and anti-malware security appliance from Cisco Systems. (Don't confuse this product with what a PIX uses for stateful packet filtering—the adaptive security algorithm, or ASA.) ASA models are all in the 5500 series. The Enterprise Editions include four versions: Firewall, IPS, Anti-X, and VPN. There's also a Business Edition for small to midsize companies.

In total, there are five models of the Cisco ASA. All run the ASA version 7.2.2 software, and the interface is much like the Cisco PIX. Both the Cisco PIX and ASA models vary in performance, but the ASA's lowest model offers much more performance than the base PIX.

Like the PIX, the ASA can also serve as an intrusion prevention system (IPS) and VPN concentrator. In fact, the ASA could take the place of three separate devices—a Cisco PIX firewall, a Cisco VPN 3000 Series Concentrator, and a Cisco IPS 4000 Series Sensor.

PIX vs. ASA

While the PIX is an excellent firewall, the landscape of security has changed over the years. It's no longer sufficient to protect your network with a stateful packet filtering firewall. There are so many new threats to a network—including viruses, worms, unwanted applications (e.g., P2P, games, instant messaging), phishing, and application-layer attacks.

When a device does protect against this variety of threats, we say it offers "anti-X" capability or "multi-threat" protection. But the PIX just hasn't been able to offer this level of protection.
Most organizations don't want to have a PIX performing stateful firewall filtering and some other appliance protecting you from other threats. Instead, they want an "all-in-one" device—or a unified threat management (UTM) device.

The ASA does offer protection from these different types of attacks. It can even be more of a UTM device—however, it needs a Content Security and Control Security Service Module (CSC-SSM) to be a real UTM. This is the module in an ASA that performs the anti-X functions. Without the CSC-SSM, the ASA functions more like a PIX.

Labels:

Comments

Post a Comment

Popular posts from this blog

Basic Rules of Checkpoint Firewall

Managing the Firewall Rule Base: Explicit and Implied Rules These are the types of rules in the Rule Base: Explicit rules - Rules that you create to configure which connections the Firewall allows Implied rules - Rules that are based on settings in the Global Properties menu Implied rules allow connections for different services that the Security Gateway uses. For example, the Accept Control Connections option allows packets that control these services: ·          Installing the security policy on a Security Gateway ·          Sending logs from a Security Gateway to the Security Management server ·          Connecting to third party applications, such as RADIUS and TACACS authentication servers Order of Rule Enforcement: Make sure that you understand the importance of the order of rule enforcement to maximize the security of t...
Post a Comment
Read more

ASA TCP Connection Flags

When troubleshooting TCP connections through the ASA, the connection flags shown for each TCP connection provide a wealth of information about the state of TCP connections to the ASA. This information can be used to troubleshoot problems with the ASA, as well as problems elsewhere in the network. Here is the output of the show conn protocol tcp command, which shows the state of all TCP connections through the ASA. These connections can also be seen with the show conn command. ASA# show conn protocol tcp 101 in use, 5589 most used TCP outside 10.23.232.59:5223 inside 192.168.1.3:52419, idle 0:00:11, bytes 0, flags saA TCP outside 192.168.3.5:80 dmz 172.16.103.221:57646, idle 0:00:29, bytes 2176, flags UIO TCP outside 10.23.232.217:443 inside 192.168.1.3:52427, idle 0:01:02, bytes 4504, flags TCP outside 10.23.232.217:5223 inside 192.168.1.3:52425, idle 0:00:10, bytes 0, flags saAUIO TCP outside 10.23.232.57:5223 inside 192.168.1.3:52412, idle 0:0...
Post a Comment
Read more

How to Set Up an IPSec Tunnel On PAN-OS - Palo Alto Firewalls

Set Up an IPSec Tunnel  The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses across the tunnel.  If you are setting up the Palo Alto Networks firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access-lists (source addresses, destination addresses and ports) for permitting interesting traffic through an IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as Proxy-IDs in the first or the second message of the process. So, if you are configuring the Palo Alto Networks firewall to work with a policy-based VPN peer, for a successful phase 2 negotiation you must define the Proxy-ID so that the setting on both peers is identical. If the Proxy-ID is not configured, because the Palo Alto Networks firewall supports route-based VPN, the default values used as Proxy-ID a...
Post a Comment
Read more