White Paper: Guardian of the network

Although the Internet can increase a company’s profits, it can make it more vulnerable to intruders. One way to prevent this is by the use of a firewall.


With the spectacular growth of the Internet and online access, companies that do business on the Internet face greater security threats. For the past several years, the only protection standing between an organisation's intellectual assets and the Internet was a router. Routers use packet-filtering technology and access control lists (ACLs) to restrict access to particular computers and networks. For instance, with an ACL filter, a company can block all File Transfer Protocol (FTP) traffic from leaving a specific network segment. This option is cost-effective because most companies already have routers installed, and routers also offer high performance.

For other companies, however, this security may be insufficient because packet filters typically cannot maintain session state. Instead, to decide whether a packet belongs to an established session, a packet filter can only check whether the TCP acknowledgment (ACK) flag is set, and since any sender can set that flag, the check is not foolproof. For greater security, companies must consider additional options and should augment router security with a standalone firewall.


The concept behind firewalls has been around for at least 10 years. Earlier generations of firewalls ran on a dual-homed UNIX host and were called proxy servers. A proxy server is an application gateway or circuit-level gateway that runs on top of a general-purpose operating system such as UNIX or Windows NT. With a proxy server, users gain access to a network by going through a process that applies the user authentication and authorisation policy.

But this security comes at a cost to performance. Firstly, proxy servers work at the application layer of the OSI model. Operating at this layer is process-intensive, so proxy servers consume many CPU cycles. Each TCP session starts a process on the proxy server; 300 users therefore generate 300 processes, resulting in poor performance through a proxy-server firewall. Because this architecture does not scale well, companies are unable to fully utilise high-speed Internet connections.

In addition, maintaining proxy servers is expensive because of the size and "openness" of the UNIX operating system. While openness makes UNIX an ideal development platform, it makes UNIX a vulnerable foundation for a firewall. Many of the Computer Emergency Response Team (CERT) advisories pertain to UNIX. At a minimum, therefore, the openness of UNIX requires that companies devote considerable resources and time to patching and maintaining the base foundation of their UNIX-based firewalls.

Cisco's PIX firewall series

The Cisco Systems PIX Firewall series is designed to address many of the security issues facing companies without the overhead and performance limitations of proxy servers. PIX Firewalls use the Adaptive Security Algorithm (ASA) to protect the connection-level information on which access decisions depend. Each time a TCP connection is established inbound or outbound through the PIX Firewall, the details of that connection are recorded in a stateful session flow table: source and destination addresses, port numbers, TCP sequencing information and the additional TCP flags associated with the connection. This record is the connection object. Thereafter, inbound and outbound packets are compared against the session flows in the connection table and are permitted through the PIX Firewall only if an appropriate connection exists to validate their passage. The connection object exists only for the life of the connection and is removed when the connection is terminated.

For security, the ASA takes the source and destination addresses and ports, the TCP sequence numbers and the additional TCP flags, and hashes this header information. The hash acts like a fingerprint: it creates a code that uniquely identifies the client initiating the inbound or outbound connection. To get a packet through the firewall to an end client, an attacker would have to supply not only the IP address but also the port number, the current TCP sequence numbers and the matching TCP flags.
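The stateless ACK-flag check from the router section and the stateful session flow table described here, side by side as an added example. This is illustrative Python written for this page, not Cisco code and not the ASA itself: the ACL syntax, the address prefixes, the sample packets and the 64K sequence window are constructed for the example, and the flow table tracks only the fields the text lists (addresses, ports, sequence numbers, flags).

```python
from dataclasses import dataclass

# TCP flag bits used below (values from the TCP header).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int = 0


def in_prefix(ip: str, prefix: str) -> bool:
    """True if ip lies inside a dotted-quad/CIDR prefix (or prefix is 'any')."""
    if prefix == "any":
        return True
    net, bits = prefix.split("/")
    to_int = lambda a: int.from_bytes(bytes(int(o) for o in a.split(".")), "big")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return (to_int(ip) & mask) == (to_int(net) & mask)


# Tier 1: a stateless router ACL, constructed for this example.
# (action, src prefix, dst prefix, dst port or None, require ACK bit)
# Rule 2 is the classic "established" check: it trusts the ACK flag alone.
ACL = [
    ("deny",   "10.1.1.0/24", "any",         21,   False),  # no FTP out
    ("permit", "any",         "10.1.1.0/24", None, True),   # 'established'
    ("permit", "10.1.1.0/24", "any",         None, False),  # inside -> out
]


def acl_filter(pkt: Packet) -> str:
    """First matching rule wins; implicit deny if nothing matches."""
    for action, src, dst, dport, need_ack in ACL:
        if not (in_prefix(pkt.src, src) and in_prefix(pkt.dst, dst)):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if need_ack and not (pkt.flags & ACK):
            continue
        return action
    return "deny"


class StatefulFirewall:
    """Minimal session flow table. A connection object is created when an
    inside host sends a SYN; every later packet must belong to an existing
    flow (addresses, ports, direction) and carry a sequence number inside
    the expected window. FIN or RST tears the flow down. A real engine also
    slides the window as data flows; this model keeps only the checks the
    text describes."""

    def __init__(self, inside_prefix: str, window: int = 65535):
        self.inside = inside_prefix
        self.window = window
        self.flows = {}  # (in_ip, in_port, out_ip, out_port) -> expected seqs

    def _key(self, pkt: Packet):
        if in_prefix(pkt.src, self.inside):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport), "out"
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport), "in"

    def _in_window(self, expected: int, seq: int) -> bool:
        return expected <= seq < expected + self.window

    def handle(self, pkt: Packet) -> str:
        key, direction = self._key(pkt)
        flow = self.flows.get(key)
        if flow is None:
            # Only an inside-initiated SYN may create state.
            if direction == "out" and (pkt.flags & SYN) and not (pkt.flags & ACK):
                self.flows[key] = {"out": pkt.seq + 1, "in": None}
                return "permit"
            return "deny"
        if direction == "in":
            if flow["in"] is None:  # must be the server's SYN/ACK
                if (pkt.flags & (SYN | ACK)) != (SYN | ACK) or pkt.ack != flow["out"]:
                    return "deny"
                flow["in"] = pkt.seq + 1
            elif not self._in_window(flow["in"], pkt.seq):
                return "deny"
        elif not self._in_window(flow["out"], pkt.seq):
            return "deny"
        if pkt.flags & (FIN | RST):
            del self.flows[key]
        return "permit"


def run_demo():
    """Run constructed packets through both tiers; returns (acl, stateful) pairs."""
    client, server, attacker = "10.1.1.20", "198.51.100.7", "203.0.113.9"
    fw = StatefulFirewall("10.1.1.0/24")
    packets = [
        Packet(client, 40000, server, 80, SYN, seq=1000),                 # handshake
        Packet(server, 80, client, 40000, SYN | ACK, seq=5000, ack=1001),
        Packet(client, 40000, server, 80, ACK, seq=1001, ack=5001),
        # Forged: ACK bit set, but no connection was ever opened to it.
        Packet(attacker, 31337, client, 40000, ACK, seq=42),
        # Forged: right 4-tuple, sequence number far outside the window.
        Packet(server, 80, client, 40000, ACK, seq=999_999_999, ack=1001),
        # Policy violation: FTP leaving the inside segment.
        Packet(client, 40001, server, 21, SYN, seq=7000),
    ]
    return [(acl_filter(p), fw.handle(p)) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The two forged packets pass the ACL because the `established` rule can see nothing but the ACK bit, and are dropped by the state table because no matching connection object exists or the sequence number is outside the window. The FTP packet shows the converse: state tracking alone is not policy, which is why the paper layers a router ACL in front of the firewall.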

The PIX Firewall series logs all of these connections as well as other authorised and unauthorised access attempts, and provides detailed audit trails using the standard Berkeley UNIX logging mechanism (syslog). It also supports Simple Network Management Protocol (SNMP) traps. Users can generate reports using the PIX Firewall series' web-browser reporting tools, including real-time alerts by email and pager. The PIX Firewall series can also filter out Java applets that could threaten corporate resources.

Lowest cost of ownership

The PIX Firewall series can be configured quickly using a web-based graphical user interface. In one portion of the window, the user sees a graphic that highlights all of the Cisco firewalls in the network; another portion lists the available configuration commands. After selecting a PIX Firewall, the user selects the appropriate configuration function and begins configuring it.

The PIX Firewall series runs from Flash memory; no hard drive is required, which improves the mean time between failures. For even higher reliability, Cisco offers a failover/hot-standby upgrade option that eliminates the firewall as a single point of failure. With two PIX Firewalls running in parallel, if one malfunctions the second transparently maintains the security operations. These features extend network uptime.

The PIX Firewall series also handles multimedia applications without the traditional, time-consuming task of specially configuring the firewall or the web browser on each PC or workstation.

Cut-through proxy delivers dramatic performance gains

The PIX Firewall challenges a user initially at the application layer, like a proxy server. But once the user has been authenticated against an industry-standard TACACS+ or RADIUS server and the policy has been checked, the PIX Firewall shifts the session flow, and all traffic thereafter flows directly and quickly between the two parties while session state is still maintained. This cut-through capability is what allows the PIX Firewall series to improve performance over a conventional proxy. The PIX Firewall series can be configured to authenticate both inbound and outbound connections through the firewall.
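The cut-through sequence described above, as an added example written for this page and not Cisco's code: the first connection from an inside address is challenged and its credentials verified against an authentication server, after which that address is switched on the session table without further application-layer work until its authentication expires. The in-memory user table stands in for the TACACS+/RADIUS server, and the timeouts, addresses and credentials are assumptions made up for the example.

```python
import hashlib
import hmac
import os
import time


class AuthServer:
    """Stand-in for the TACACS+/RADIUS server (an assumption of this example).
    Stores salted PBKDF2 hashes and counts how many times it is consulted."""

    ITERATIONS = 50_000

    def __init__(self, users: dict):
        self.calls = 0
        self._users = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self._users[name] = (salt, self._digest(password, salt))

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def check(self, name: str, password: str) -> bool:
        self.calls += 1
        record = self._users.get(name)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, self._digest(password, salt))


class CutThroughProxy:
    """Simplified cut-through proxy. The first connection from an unknown
    inside address is challenged at the application layer; once the
    credentials are accepted, the address is cached (with absolute and idle
    timeouts, both assumed values) and later connections are switched on
    the session table without returning to the proxy layer."""

    def __init__(self, auth: AuthServer, absolute_timeout=3600, idle_timeout=300,
                 clock=time.time):
        self.auth = auth
        self.absolute_timeout = absolute_timeout
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.uauth = {}        # src_ip -> {"user", "start", "last"}
        self.sessions = set()  # (src_ip, dst_ip, dst_port) switched flows

    def handle(self, src: str, dst: str, dport: int, credentials=None) -> str:
        """Returns 'challenge', 'deny' or 'forward' for a new connection."""
        now = self.clock()
        entry = self.uauth.get(src)
        if entry and (now - entry["start"] > self.absolute_timeout
                      or now - entry["last"] > self.idle_timeout):
            del self.uauth[src]  # expired: the user must authenticate again
            entry = None
        if entry is None:
            if credentials is None:
                return "challenge"  # proxy-style prompt at the application layer
            user, password = credentials
            if not self.auth.check(user, password):
                return "deny"
            entry = self.uauth[src] = {"user": user, "start": now, "last": now}
        entry["last"] = now
        self.sessions.add((src, dst, dport))  # from here on, stateful switching only
        return "forward"


def run_demo():
    """Drive the model with a fake clock; returns (verdicts, auth server calls)."""
    clock = [1_000.0]
    server = AuthServer({"alice": "correct horse battery"})  # constructed user
    fw = CutThroughProxy(server, clock=lambda: clock[0])
    client, web = "10.1.1.20", "198.51.100.7"
    verdicts = [
        fw.handle(client, web, 80),                                      # challenge
        fw.handle(client, web, 80, ("alice", "wrong")),                  # deny
        fw.handle(client, web, 80, ("alice", "correct horse battery")),  # forward
    ]
    for _ in range(50):  # fifty more connections, no further auth-server calls
        clock[0] += 1
        verdicts.append(fw.handle(client, web, 443))
    clock[0] += 301      # exceed the idle timeout
    verdicts.append(fw.handle(client, web, 80))                          # challenge again
    return verdicts, server.calls


if __name__ == "__main__":
    verdicts, calls = run_demo()
    print(f"{len(verdicts)} connections, {calls} authentication-server calls")
```

The point of the model is the ratio it reports: 54 connection attempts cost two round trips to the authentication server, one for the failed password and one for the successful one, with everything else handled by the session table. The idle timeout forces a fresh challenge once the cached authentication goes stale, which is the check a practitioner should confirm is enabled on any cut-through proxy.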

Network security: a two-tiered approach

Cisco recommends a two-tiered security approach. Companies should locate their external servers (Internet servers, mail, public FTP and others) behind the first tier, which is known as the demilitarised zone (DMZ). To reach this tier, users come through a router that provides the initial security. Beyond this first tier is the PIX Firewall series, which represents the second-tier security perimeter. If there is a breach of security in the DMZ, the PIX Firewall acts as a barrier to prevent outside users from gaining access to the corporate private network, where the private servers, mail hubs and private clients are located.

Security and Internet multimedia applications

Internet multimedia applications are becoming more popular as companies and users experience the extraordinary impact of using these applications.

But handling multimedia applications represents a considerable security concern because of their extra throughput demands, which require making more ports available. To accommodate the incoming data streams, a standard packet-filtering firewall must open one or more ports. These open ports are a security concern because they can allow outside hackers to determine the address of the internal client.

The increased data rate and data volume that characterise multimedia applications demand higher network performance, and they can strain administrative resources.

Network managers need a powerful and easily managed way to deliver multimedia to users without high administration costs. They must also be able to control multimedia: to shut it down when it becomes an excessive strain on network resources, and to prevent unauthorised network access via the enormous data stream of a multimedia connection.

Cisco believes the PIX Firewall series provides these features in an easily managed, scalable and secure manner.

Compiled by Paul Phillips

(c) Cisco Systems
