Cisco PIX
Cisco PIX (Private Internet eXchange) was a popular
In 2005, Cisco introduced the newer Cisco Adaptive Security Appliance (Cisco ASA), which inherited many of the PIX features, and in 2008 announced PIX end-of-sale.
The PIX technology was sold in a
PIX
History
PIX was originally conceived in early 1994 by John Mayes of Redwood City, California and designed and coded by Brantley Coile of Athens, Georgia. The PIX name is derived from its creators' aim of creating the functional equivalent of an IP PBX to solve the then-emerging registered IP address shortage. At a time when NAT was just being investigated as a viable approach, they wanted to conceal a block or blocks of IP addresses behind a single or multiple registered IP addresses, much as PBXs do for internal phone extensions. When they began, RFC 1597 and RFC 1631 were being discussed, but the now-familiar RFC 1918 had not yet been submitted.
The design and testing were carried out in 1994 by John Mayes, Brantley Coile and Johnson Wu of Network Translation, Inc., with Brantley Coile being the sole software developer. Beta testing of PIX serial number 000000 was completed and first customer acceptance was on December 21, 1994 at KLA Instruments in San Jose, California. The PIX quickly became one of the leading enterprise firewall products and was awarded the Data Communications Magazine "Hot Product of the Year" award in January 1995.[2]
Shortly before Cisco acquired Network Translation in November 1995, Mayes and Coile hired two longtime associates, Richard (Chip) Howes and Pete Tenereillo, and shortly after the acquisition, two more longtime associates, Jim Jordan and Tom Bohannon. Together they continued development on Finesse OS and the original version of the Cisco PIX Firewall, now known as the PIX "Classic". During this time, the PIX shared most of its code with another Cisco product, the LocalDirector.
On January 28, 2008, Cisco announced the end-of-sale and
In May 2005, Cisco introduced the ASA which combines functionality from the PIX, VPN 3000 series and
Software
The PIX runs a custom-written proprietary
The PIX became the first commercially available firewall product to introduce protocol-specific filtering with the introduction of the "fixup" command. The PIX "fixup" capability allows the firewall to apply additional security policies to connections identified as using specific protocols. Protocols for which specific fixup behaviors were developed include DNS and SMTP. The DNS fixup originally implemented a very simple but effective security policy: it allowed just one DNS response from a DNS server on the Internet (the outside interface) for each DNS request from a client on the protected (inside) interface. "Inspect" has superseded "fixup" in later versions of PIX OS.
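The one-response-per-request policy described above can be modelled in a few lines. This is an added illustration, not Cisco's code: the `DnsGuard` class, its method names, the choice to match on client address, client port, server address and DNS transaction ID, and the 5-second timeout are all assumptions of the example, and the packets are constructed samples using documentation address ranges.

```python
import struct

DNS_PORT = 53

def dns_header(payload):
    """Return (transaction_id, is_response), or None if the 12-byte header is incomplete."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # QR bit set means response

class DnsGuard:
    """Model of the policy: each inside query admits exactly one outside reply."""

    def __init__(self, timeout=5.0):  # timeout value is an assumption of this example
        self.timeout = timeout
        self.pending = {}  # (client, client_port, server, txid) -> expiry time

    def from_inside(self, src, sport, dst, dport, payload, now):
        hdr = dns_header(payload)
        if hdr is None or hdr[1] or dport != DNS_PORT:
            return False  # only well-formed queries to port 53 open a slot
        self.pending[(src, sport, dst, hdr[0])] = now + self.timeout
        return True

    def from_outside(self, src, sport, dst, dport, payload, now):
        hdr = dns_header(payload)
        if hdr is None or not hdr[1] or sport != DNS_PORT:
            return False
        # pop() consumes the slot, so a second reply finds nothing to match
        expiry = self.pending.pop((dst, dport, src, hdr[0]), None)
        return expiry is not None and now <= expiry

def make_msg(txid, response):
    """Constructed 12-byte DNS header (no question section) for the demo."""
    return struct.pack("!HHHHHH", txid, 0x8180 if response else 0x0100, 1, 0, 0, 0)

def demo():
    g = DnsGuard()
    c, s, other = "10.0.0.5", "192.0.2.53", "198.51.100.9"  # constructed addresses
    q, r = make_msg(0x1A2B, False), make_msg(0x1A2B, True)
    return [
        g.from_inside(c, 40000, s, 53, q, now=0.0),       # query leaves: allow
        g.from_outside(other, 53, c, 40000, r, now=0.1),  # reply from a server never queried: drop
        g.from_outside(s, 53, c, 40000, r, now=0.2),      # first reply: allow
        g.from_outside(s, 53, c, 40000, r, now=0.3),      # second reply: drop
        g.from_inside(c, 40001, s, 53, q, now=1.0),       # new query: allow
        g.from_outside(s, 53, c, 40001, r, now=9.0),      # reply after timeout: drop
    ]
```
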
The Cisco PIX was also one of the first commercially available security appliances to incorporate
Administrators can manage the PIX via a
- PIX Firewall Manager (PFM) for PIX OS versions 4.x and 5.x, which runs locally on a Windows NT client
- PIX Device Manager (PDM) for PIX OS version 6.x, which runs over HTTPS and requires Java
- Adaptive Security Device Manager (ASDM) for PIX OS version 7 and greater, which can run locally on a client or in reduced-functionality mode over HTTPS.
Because Cisco acquired the PIX from Network Translation, the CLI originally did not align with the Cisco IOS syntax. Starting with version 7.0, the configuration became much more IOS-like.
Hardware
The original NTI PIX and the PIX Classic had cases that were sourced from OEM provider Appro. All flash cards and the early encryption acceleration cards, the PIX-PL and PIX-PL2, were sourced from Productivity Enhancement Products (PEP).[9] Later models had cases from Cisco OEM manufacturers.
The PIX was constructed using
The PIX
Adaptive Security Appliance (ASA)
The Adaptive Security Appliance is a network firewall made by Cisco. It was introduced in 2005 to replace the Cisco PIX line.[10] Along with stateful firewall functionality, another focus of the ASA is Virtual Private Network (VPN) functionality. It also features Intrusion Prevention and Voice over IP. The ASA 5500 series was followed up by the 5500-X series. The 5500-X series focuses more on virtualization than it does on hardware acceleration security modules.
History
In 2005 Cisco released the 5510, 5520, and 5540 models.[11]
Software
The ASA continues using the PIX codebase but, when the ASA OS software transitioned from major version 7.X to 8.X, it moved from the Finesse/PIX OS operating system platform to the Linux operating system platform. It also integrates features of the Cisco IPS 4200 intrusion prevention system and the Cisco VPN 3000 Concentrator.[12]
Hardware
The ASA continues the PIX lineage of Intel 80x86 hardware.
Security vulnerabilities
The Cisco PIX VPN product was hacked by the
The Cisco ASA-brand was also hacked by Equation Group. The vulnerability requires that both
On the 29th of January 2018 a security problem at the Cisco ASA-brand was disclosed by
References
- ^ "Cisco Services Modules - Support - Cisco".
- ^ "History of NTI and the PIX Firewall by John Mayes" (PDF).
- ^ "End of Sale for Cisco PIX Products". Cisco. 2008-01-28. Retrieved 2008-02-20.
- ^ "Cisco PIX 500 Series Security Appliances - Retirement Notification". Cisco. 2013-07-29. Retrieved 2018-11-04.
- ^ "Cisco open source license page". Retrieved 2007-08-21.
- ^ "FAQs for Cisco PFM". Retrieved 2007-06-19.
- ^ "Documentation on Cisco PDM". Retrieved 2007-06-19.
- ^ "Documentation on Cisco ASDM". Archived from the original on 2007-06-16. Retrieved 2007-06-19.
- ^ "Notes on PIX production".[permanent dead link]
- ISBN 978-0134052014.
- ^ Francis, Bob (May 9, 2005). "Security Takes Center Stage at Interop". InfoWorld. 27 (19): 16.
- ^ "Archived copy" (PDF). Archived from the original (PDF) on 2016-10-05. Retrieved 2016-02-11.
- ^ "The NSA leak is real, Snowden Documents confirm". 19 August 2016. Retrieved 2016-08-19.
- ^ "National vulnerability database record for BENIGNCERTAIN". web.nvd.nist.gov.
- ^ "Researcher Grabs VPN Password With Tool From NSA Dump". 19 August 2016. Retrieved 2016-08-19.
- ^ "NSA's Cisco PIX exploit leaks". www.theregister.co.uk.
- ^ "Did the NSA Have the Ability to Extract VPN Keys from Cisco PIX Firewalls?". news.softpedia.com.
- ^ "NSA Vulnerabilities Trove Reveals 'Mini-Heartbleed' For Cisco PIX Firewalls". www.tomshardware.com. 19 August 2016.
- ^ "How the NSA snooped on encrypted Internet traffic for a decade". 19 August 2016. Retrieved 2016-08-22.
- ^ "National vulnerability database record for EXTRABACON". web.nvd.nist.gov.
- ^ "NSA-linked Cisco exploit poses bigger threat than previously thought". 23 August 2016. Retrieved 2016-08-24.
- ^ "National vulnerability database record - CVE-2018-0101". web.nvd.nist.gov.
- ^ "Advisory - Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability". tools.cisco.com.
- ^ "CVE-2018-0101 - A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security A - CVE-Search". cve.circl.lu. 2023-08-15. Retrieved 2023-09-05.