- Network
- A
A brief history of Cisco PIX Firewall
Today we will say a few words about another workhorse of network building. A device notable not only for its functionality but also for its mass production. Inexpensive, practical, and ideally suited to the needs of the SMB segment in the second half of the 1990s and early 2000s.
So, as stated in Wikipedia, Cisco PIX (Private Internet eXchange) was one of the first in its segment, a popular firewall with network address translation (NAT/PAT) capabilities.
We owe the appearance of the PIX firewall to a small company called Network Translation Inc. (hereinafter NTI), which released the first version of the device for hiding private networks in 1994. It was founded in 1994, and the software was written by a single person, Brantley Coile. As participants in the events later described, they were inspired to make an analog of the office PBX (Private Branch eXchange), allowing internal subscribers to access the public telephone network.
The PIX OS operating system provided firewall functionality at the 4th level of the OSI model, with stateful inspection through a special type of rule (conduits). PIX OS supported named ACLs, NAT (yes, only NAT), and for the first time, packet filtering specific to the protocol (ftp, dns, smtp, etc.). All this, despite its young age, gave NTI leading positions in the industry, and the specialized magazine Data Communications even awarded PIX the "Hot Product of the Year" award in January 1995:
As a hardware platform, a regular x86 was used. Since it was assumed that this would be a specialized device for NAT of a private network to an external one, it had only two network interfaces, outside and inside, with security levels of 0 and 100, respectively. Until PIX version 5.2, it was not possible to change the names of the interfaces.
In general, if we delve a little deeper into the issue, although there were several publications in specialized print media, the need to allocate separate address blocks for private networks was first documented only in March 1994 (http://www.ietf.org/rfc/rfc1597.txt), and the principle of network address translation was fixed in May 1994 (http://www.ietf.org/rfc/rfc1631.txt). So NTI was indeed at the forefront of scientific and technological progress.
In 1995, there was a rather murky story, as a result of which NTI, which had existed for only a year by that time and had actually created a new market segment, was acquired by Cisco. In our history, the abbreviations NTI and PIX OS no longer appear, and two new devices come to the fore - the Cisco LocalDirector load balancer and the Cisco PIX Firewall. Both inherit most of the PIX OS code, but the version for PIX was called Finesse OS (although old-timers don't care, they continue to call all Cisco firewall software PIX OS). The code was written by the same Brantley Coile and his associates.
Although LocalDirector was a year ahead of its competitors, F5 and HydraWeb, immediately capturing a large market share, and existed until 2004, we will talk about it another time.
After transitioning to Cisco, the first software release numbered 2.5 was released, shortly followed by 3.1, and then releases 4.x, 4.1, 2, 3, and 4.4, after which there was a long break. The customer base was growing, and sales were rapidly increasing. Why improve something that was already perfect.
And so, the PIX Firewall Classic takes the stage. Everything is the same as it was and will continue to be, on the x86 platform. To segment the market, there was a software limitation on the number of simultaneous TCP sessions - 32, 256, 1024, 4096, 16384. Supported network cards were 10/100Mbps BaseT Ethernet and 4/16Mbps Token Ring. The height of the case was determined by the use of a Pentium II CPU in Slot 1 form factor.
Next, the PIX 10000 model was released, followed by PIX 510 and PIX 520 (Here: Rutube/YouTube you can see their inner workings). All of them used a standard 3.5" floppy drive with a capacity of 1.44MB for storing and running system software. Accordingly, the software update process involved replacing one floppy disk with another and then rebooting the box. There was also built-in flash memory for storing the configuration, initially with a capacity of 256KB, later gradually increased to 512KB, 2MB, 8MB, and finally 16MB.
Configuring the device was not the easiest task. To allow incoming traffic, rules of the conduits type were used, to restrict outgoing traffic, rules of the outbound type were used, which could have exceptions using the except operators. There were also ACLs that were applied with the apply command.
For example, to allow external SMTP traffic from host 10.10.25.10 to server 192.168.1.49 located inside the network, we write:
$ static -a 10.10.26.147 192.168.1.49 secure
$ conduit 10.10.26.147 tcp:10.10.25.10/32-25
And this is how you could prohibit internal users from accessing a specific IP address:
$ access_list 12 deny 192.168.146.201 255.255.255.255 80
$ access_list 12 deny 192.168.146.202 255.255.255.255 80
$ apply 12 outgoing_dest
Everything was fine until the release of Finesse OS 5.0, which no longer fit on a floppy disk. Of course, a workaround was devised, with a bootloader loaded from the floppy disk, and the operating system downloaded over the network via tftp, but it was not the same. Although the idea of loading via tftp was recognized as successful and the same mechanism was implemented for IOS. Just in case.
It should be noted that PIX supported VPN even before the IPSec standard was formed. It is clear that compatibility in this case was limited, and the configuration looked like specifying the address of the remote host and the preshared key. And a separate card was required for encryption, and only DES was supported. This technology was called PrivateLink and PIX could connect, in addition to another PIX, with LocalDirector and early versions of IOS. Later, PrivateLink-2 was released, which already supported 3DES and the speeds were twice as high.
As usual, platform limitations sometimes created monsters. To overcome the limited capabilities of PIX in traffic routing and support for other types of interfaces, the AccessPro router product was offered for some time, which occupied a couple of ISA slots (due to its size) and was a 2500 router with IOS 10.0 on board. Access to its console was carried out using the "session" command. As with tftp loading, everyone liked the approach so much that the combination of a hedgehog and a snake using mezzanines is still used by Cisco (Cisco router 1861, Firepower, etc.).
PIX Firewall Software v5.2 became the final version for version 5. It included support for DHCP as a client and server, initial intrusion detection tools (53 predefined signatures), support for SSH, RADIUS, and, in my opinion, most importantly, support for PAT.
But! August 2001 came and Cisco PIX Firewall Version 6.0(1) was released. As you noticed, the Finesse OS name was also buried.
Also, the model range changed. The old models were replaced by PIX 506, 515, 525 (600-MHz Intel Pentium III Processor up to 256MB of RAM) and 535 (1 GHz Intel Pentium III Processor, up to 1GB of RAM). Models 506 and 515 were very quickly replaced by the same ones, only with a faster CPU and with the letter E in the name. The cases were unified with the 2600 and 3600 series models. The floppy drives were decided to be removed, and the proprietary 16MB Flash was left.
To use version 6.0, PIX Firewall had to have at least 32 MB of RAM and 16 MB of Flash. The PIX 506 model had only 8MB of memory, but it was allowed to work with version 6.0(1). Just like the slightly later PIX 501 model, look at what a beauty! By the way, did you know that it was from this tiny device that the FWSM module originated? The daring developers exported the PIX 501 code base at the start of FWSM development (FWSM version 1.1.1, WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz).
In addition to simplifying configuration (but conduits were still left) and expanding functionality, the Cisco PIX Device Manager (PDM) was introduced for the first time as an individual graphical way to manage the firewall. From this moment, the process of configuring the device moved out of the 18+ category for most usage scenarios.
Until version 6.2, nothing particularly interesting happened, but in 6.2 we were delighted to see LAN-based failover, Bidirectional Network Address Translation (NAT), and Packet capture! Yes, there was nothing to debug traffic with before. Although there was debug packet, it was not the same at all.
In 2005, Cisco PIX Security Appliance Software Version 7.0 was released, with support for the PIX 515/515E, 525, 535 models, and the new ASA series devices.
And in this version, PIX OS almost acquired the form in which it exists now (but NAT became acceptable for the human psyche only in version 8, already on ASA).
Support for VPN Client, AnyConnect, site-to-site VPN, context support, Adaptive Security Device Manager (ASDM), and a key generator available to everyone have made these devices truly one of the most widespread firewalls working in the field of network technologies.
On January 28, 2008, Cisco announced the end-of-sale and end-of-life dates for Cisco PIX 500 Security Appliances. Sales ended in July 2008, and support ended in July 2013.
Yes, there were better firewalls. It is clear that the same CheckPoint version 6.0 totally surpassed PIX in capabilities. But overall, it was still hard to find its equal. Branch firewalls of large companies and banks, network segmentation with trading platforms and exchanges, small companies - yes, PIXes were everywhere.
By the way, there was even a project called Franken-PIX, where enthusiasts made PIX from an ordinary PC. Usually, everything ended with the absence of a 16MB ISA Flash, as it was not sold and was only available to PIX owners, which made the idea somewhat pointless.
Personally, I didn't do anything unnatural with PIX, but on the ASA 5520/5540, I replaced the CPU from Celeron to a full-fledged Pentium IV with hyperthreading, achieving increased temperature and performance.
Below is a finger-made photo of my home lab from 2011, and the top honorary place in this pyramid is occupied by PIX 501.
Write comment