PIX Firewall - a high performance dedicated firewall by Cisco

Are you looking for a dedicated firewall that is high on performance? Read the article to know the security features of PIX Firewall by Cisco.

If you don't want to learn a complex foreign operating system and even don't want to run the firewall on the operating system you use for applications, dedicated firewalls are the solution to your problem. These firewalls are computers which include built in operating systems and firewall software. Majority of them are special purpose UNIX machines based on Linux or BSD. The computers are meant exclusively for firewalling and have plenty of RAM, fast microprocessors and multiple network interfaces. Private Internet eXchange (PIX) Firewall by Cisco is one such dedicated firewall. It is based on Cisco's high speed custom routing hardware platform.

No throughput degradation occurs in its filtering process due to the high speed platform. PIX has custom real time firewall operating system and supports all TCP/IP based networks. The performance, which is rated very high at up to 170Mbps, is fast enough to filter OC-3 or ATM-155 network connections instantaneously. Firewalls based on standard PC hardware are no this fast because of the low speed PCI bus. As PIX supports URL filtration process by connecting with another URL filter server, administrators would require two machines for this firewall to work. It runs on its operating system using Flash memory. Thus, it does not require fans (the component which generally fails). Clearly, PIX is more reliable than usual hard disk based desktops.


Dedicated firewalls usually have web based interfaces so that they can be managed just by pointing the web browser to the firewall's IP address from inside the network. The Java based application of PIX runs on all platforms having Java virtual machines. The interface manages PIX firewalls and acts as a central point for administration and security control. It allows user based accounting and reporting about the websites visited, downloads, volume, etc. It also provides real time monitoring tools wherein the administrator is informed via email or pager notification in case an event is detected. Get a good security bulletin mailing list and modify PIX if you want. A command line interface is available through a serial interface. So, there is no need to manage the system locally.

Security features

Stateful inspection filter & Network Address Translator (NAT)
The connection oriented inspection filter provided by Cisco is named as Adaptive Security Algorithm (ASA) in the documentation. The filter ensures that only packets from trustworthy source pass through the network. A record of source, destination addresses and port numbers is maintained. PIX also performs NAT function. IP addresses are routed to their legal addresses.

Virtual Private Network (VPN)

VPN is an optional hardware adapter. It performs IPSec encryption with the help of Internet Key Exchange (IKE) to establish VPN tunnels. The tunnels can be formed only with other PIX firewalls or Cisco routers running the proprietary operating system. To connect securely to the firewall, remote clients can use Windows NT or 9x client software. The VPN technology developed by RedCreek Communications is being used.

High availability

Administrators can configure two PIX systems in parallel. One can be configured on the internal network and the other on the external network with a proprietary High Availability (HA) cable running between them. The benefit of this will be that if one system fails, the connection will not be affected. The other system will automatically assume the traffic flow.

Support for security zones

There are four security zones- external, internal, DMZ and a unique security zone. All these zones support servers like proxy servers and content filters. They also provide support to the missing proxy and content filter processes.

Java blocking filter

The firewall has a Java filter for HTTP. This was necessary as the email filter wasn't capable of stripping attachments, detecting malformed emails or blocking Active-X controls.

Pricing & support

To purchase the firewall, visit the official website of Cisco. The entry level version will cost you about $7000 through direct sales venues. The price is very high. This version can support two Ethernet connections and up to 50,000 connections simultaneously. The documentation you get at the time of purchase is easy to understand. All support is provided through email and telephone. There are Cisco certified support technicians to help. The firewall is easy to manage and you probably wouldn't need support.


PIX is one of the fastest firewalls. Most of the proprietary operating system firewalls lack the support for third party security software like virus scanners and content filters but PIX supports such software on a single machine. It supports FDDI, Token Ring, external security proxies, content filters and Ethernet. But if you notice, the content filters and proxy servers supported are very less. The interface support is also limited by proprietary network interfaces. Price is another concern. Though it is expensive, it is also one of the best-selling firewalls. PIX is a very high performance firewall and this is its major USP for which organizations buy it.

Also Read Xent Raptor - A superfast proxy firewall

More articles: Cisco Routers


No responses found. Be the first to comment...

  • Do not include your name, "with regards" etc in the comment. Write detailed comment, relevant to the topic.
  • No HTML formatting and links to other web sites are allowed.
  • This is a strictly moderated site. Absolutely no spam allowed.
  • Name: