PIX 7 on the Mind - Part 1

PIX 7.x. This long-awaited release of the Cisco firewall OS has finally shipped and has had time to bake. I have had a chance to use some of its new features and definitely learned a few things. Of course the feature set of 7.0 was already pretty large in itself: with the advent of "Bridging Mode" and "Virtual Firewalls", PIX 7.0 is trying to be the all-in-one firewall. So when you upgrade the firewall a few things become apparent right away. First off, the 7.0 command line is much more like a router's than a traditional PIX's. I think this is Cisco further assimilating the PIX technology into the Cisco technology collective. I am personally divided on this approach, as it is now important to remember what mode you are in for certain commands, whereas in the old days of PIX slinging you could execute almost all commands from config mode. Having to traverse config levels like a router means half the commands in a config file deal with moving around the OS rather than being real configuration commands.

Here is an example of old vs. new:

Changing interface details on PIX 6.x:



Changing interface details on PIX 7.x:


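The two snippets the post refers to above did not survive on this page. What follows is an added illustration of the same old-vs-new contrast, not the author's own snippets: it assumes a single interface Ethernet0 named "outside" at security level 0 with the documentation-range address 192.0.2.1/24 and 100 Mbit full duplex, all of which are constructed values for the example.

```cisco
! --- PIX 6.x: one flat global config mode, every command at the same level ---
! speed/duplex and "up" state are set on the interface line itself
interface ethernet0 100full
! name the interface and assign its security level in one statement
nameif ethernet0 outside security0
! address is assigned by interface *name*, not by physical port
ip address outside 192.0.2.1 255.255.255.0

! --- PIX 7.x: router-style interface sub-mode, then climb back out ---
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
 ! 7.x interfaces start administratively down; forgetting this is the
 ! classic "why is my new interface dead" after an upgrade or rebuild
 no shutdown
 exit
```

The sanity check after either form is `show interface` (and on 7.x `show running-config interface Ethernet0`): confirm the interface is up, that the name and security level took, and that the address is on the interface you intended. In 7.x the same command means different things depending on the sub-mode you are sitting in, so the `exit` at the end is not decoration; it is what keeps the next line of a pasted config from landing under the wrong interface.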

We had an interesting situation that would warrant the use of PIX 7.0. We had two external Internet address spaces on the same physical link. The logistics of this project are that one space needs to be administered by one individual and the other by someone else. In the old days it would have been difficult to allow each person to administer the access list for only their own space, because in PIX 6.x the access lists all live in the one shared configuration. Enter Virtual Firewalls… Virtual firewalls were the answer here. Basically you create multiple images of the PIX OS and have each instance administered by the respective admin. The virtual firewalls bind virtual interfaces to physical interfaces, but for security they cannot affect the physical properties of the interfaces. This means that if an admin were to shut down his virtual interface, it would not affect any other virtual interface, nor would it affect the physical interface. Also, since each virtual firewall is separate, each access list is wholly controlled by that virtual firewall's admin.
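
To make the separation described above concrete, here is an added example of the 7.x multiple-context layout for the scenario in this post. It is not the author's configuration: the context names spaceA and spaceB, the admin context, the flash file names, the interface numbering and the 192.0.2.0/24 and 10.x addresses are all assumed for illustration. Everything in the first half is typed in the system execution space; the second half is what the spaceA admin sees after `changeto context spaceA`.

```cisco
! ===== system execution space: the physical box =====
! switch from single to multiple context mode (prompts for a reload)
mode multiple
!
! Physical properties live ONLY here. A context admin is never in this
! space, so speed/duplex and the physical shutdown state are out of reach.
interface Ethernet0
 speed 100
 duplex full
 no shutdown
interface Ethernet1
 no shutdown
interface Ethernet2
 no shutdown
!
! the admin context is mandatory and is where "changeto" starts from
admin-context admin
context admin
 allocate-interface Ethernet1
 config-url flash:/admin.cfg
!
! one context per external address space; both are handed the SAME
! physical outside port (Ethernet0) under a mapped name, each with its
! own inside port and its own config file
context spaceA
 allocate-interface Ethernet0 outside
 allocate-interface Ethernet1 inside
 config-url flash:/spaceA.cfg
!
context spaceB
 allocate-interface Ethernet0 outside
 allocate-interface Ethernet2 inside
 config-url flash:/spaceB.cfg

! ===== inside context spaceA (after: changeto context spaceA) =====
! The context knows the interface only by its mapped name. "shutdown"
! here drops this context's view of the link and nothing else.
interface outside
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.0
interface inside
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! this ACL exists only in spaceA.cfg; the spaceB admin cannot see or edit it
access-list spaceA_in extended permit tcp any host 192.0.2.10 eq www
access-group spaceA_in in interface outside
```

Two checks are worth running from the system space once it is up: `show mode` should report multiple, and `show context` lists each context with the interfaces allocated to it and its config URL, which is the quickest way to confirm that neither address-space admin was handed a port belonging to the other. One caveat to keep in mind when sharing Ethernet0 like this: the firewall has to decide which context an inbound packet belongs to, and it does that from the public addresses each context owns, so the two external spaces must really be distinct; overlapping public addresses across contexts will not classify cleanly. Multiple context mode in 7.x also gives up features that single mode has (VPN termination and dynamic routing among them), so it is worth confirming none of those are needed on this box before flipping the mode.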

Later I will show how to configure and use this virtual firewall and discuss the drawbacks of it as well.

Posted by Cory Stoker 11/01/2006 at 21h39