Features
Benefit
Highly Reliable and Expandable Security Appliance
Purpose-Built Security Appliance
• Uses a proprietary, hardened operating system that eliminates the security risks associated with general-purpose operating systems
• Combines Cisco product quality with no moving parts to provide a highly reliable security platform
• Supports redundant AC or DC power supplies for improved platform resiliency
Fast Ethernet and Gigabit Ethernet Expansion Options
• Supports easy installation of additional network interfaces via four 66 MHz/64-bit and five 33 MHz/32-bit PCI expansion slots
• Supports expansion cards including single-port Fast Ethernet, four-port Fast Ethernet and single-port Gigabit Ethernet cards
Hardware VPN Acceleration
• Delivers high speed VPN services through the addition of either a VPN Accelerator Card (VAC) or a VPN Accelerator Card+ (VAC+); Unrestricted (UR), Failover (FO) and Failover-Active/Active (FO-AA) models have integrated hardware VPN acceleration services
Integration with Leading Third-Party Solutions
• Supports the broad range of Cisco Technology Developer partner solutions that provide URL filtering, content filtering, virus protection, scalable remote management, and more
Industry Certifications and Evaluations
• Earned numerous leading industry certifications and evaluations, including:
  - Common Criteria Evaluated Assurance Level 4 (EAL4)
  - ICSA Labs Firewall 4.0 Certification, Corporate RSSP Category
Advanced Firewall Services
Stateful Inspection Firewall
• Provides a wide range of perimeter network security services to prevent unauthorized network access
• Delivers robust stateful inspection firewall services which track the state of all network communications
• Provides flexible access-control capabilities for more than 100 predefined applications, services, and protocols, with the ability to define custom applications and services
• Supports inbound/outbound ACLs for interfaces, time-based ACLs, and per-user/per-group policies for improved control over network and application usage
• Simplifies management of security policies by giving administrators the ability to create re-usable network and service object groups that can be referenced by multiple security policies, simplifying initial policy definition and ongoing policy maintenance
Advanced Application and Protocol Inspection
• Integrates 30 specialized inspection engines that provide rich application control and security services for protocols such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Extended Simple Mail Transfer Protocol (ESMTP), Domain Name System (DNS), Simple Network Management Protocol (SNMP), Internet Control Message Protocol (ICMP), SQL*Net, Network File System (NFS), H.323 Versions 1-4, Session Initiation Protocol (SIP), Cisco Skinny Client Control Protocol (SCCP), Real-Time Streaming Protocol (RTSP), GPRS Tunneling Protocol (GTP), Internet Locator Service (ILS), Sun Remote Procedure Call (RPC), and many more
Modular Policy Framework
• Provides a powerful, highly flexible framework for defining flow- or class-based policies, enabling administrators to identify a network flow or class based on a variety of conditions, and then apply a set of customizable services to each flow/class
• Improves control over applications by introducing the ability to have flow- or class-specific firewall/inspection policies, QoS policies, connection limits, connection timers, and more
Security Contexts
• Enables creation of multiple security contexts (virtual firewalls) within a single Cisco PIX Security Appliance, with each context having its own set of security policies, logical interfaces, and administrative domain
• Supports four licensed levels of security contexts: 5, 10, 20, and 50 (maximum number of security contexts supported based on model of Cisco PIX Security Appliance)
• Provides businesses a convenient way of consolidating multiple firewalls into a single physical appliance or failover pair, yet retaining the ability to manage each of these virtual instances separately
• Enables service providers to deliver resilient multi-tenant firewall services with a pair of redundant appliances
Layer 2 Transparent Firewall
• Supports deployment of a Cisco PIX Security Appliance in a secure Layer 2 bridging mode, providing rich Layer 2-7 firewall security services for the protected network while remaining "invisible" to devices on each side of it
• Simplifies Cisco PIX Security Appliance deployments in existing network environments by not requiring businesses to re-address the protected networks
• Supports creation of Layer 2 security perimeters by enforcing administrator-defined Ethertype-based access control policies for Layer 2 network traffic
Multi-Vector Attack Protection
• Provides a wealth of advanced attack protection services to defend businesses from many popular forms of attacks, including denial-of-service (DoS) attacks, fragmented attacks, replay attacks, and malformed packet attacks
• Delivers advanced TCP stream reassembly and traffic normalization services to assist in detecting hidden application and protocol layer attacks
• Integrates with Cisco Network Intrusion Prevention System (IPS) solutions to identify and dynamically block or shun hostile network nodes
Authentication, Authorization, and Accounting (AAA) Support
• Integrates with popular AAA services via TACACS+ and RADIUS, with support for redundant servers for increased AAA services resiliency
• Provides highly flexible user and administrator authentication services, dynamic per-user/per-group policies, and administrator privilege control through tight integration with Cisco Secure Access Control Server (ACS)
Robust IPSec VPN Services
Cisco Easy VPN Server
• Delivers feature-rich remote access VPN concentrator services for up to 2000 remote software- or hardware-based VPN clients
• Pushes VPN policy dynamically to Cisco Easy VPN Remote-enabled solutions (such as the Cisco VPN Client) upon connection, helping to ensure that the latest corporate VPN security policies are used
• Performs VPN client security posture checks when a VPN connection attempt is received, including enforcing usage of authorized host-based security products (such as the Cisco Security Agent) and verifying its version number and status prior to letting the remote user access the corporate network
• Provides administrators precise control over what different types of VPN clients (software client, router, VPN 3002, and PIX) are allowed to connect based on type of client, operating system installed, and version of VPN client software
• Supports automatic software updates of Cisco VPN Clients and Cisco 3002 Hardware VPN Clients, with the ability to trigger updates when VPN connections are established, or on-demand for currently connected VPN clients
• Extends VPN reach into environments using NAT or Port Address Translation (PAT), via support of a variety of TCP and UDP-based NAT traversal methods including the Internet Engineering Task Force (IETF) draft standard
Cisco VPN Client
• Includes a free unlimited license for the highly acclaimed, industry-leading Cisco VPN Client
• Available on a wide range of platforms including Microsoft Windows 98, ME, NT, 2000, XP; Sun Solaris; Intel-based Linux distributions; and Apple Macintosh OS X
• Provides many innovative features including dynamic security policy downloading from Cisco Easy VPN Server-enabled products, automatic failover to backup Easy VPN Servers, administrator customizable distributions, and more
• Integrates with the award-winning Cisco Security Agent (CSA) for comprehensive endpoint security
Site-to-Site VPN
• Supports IKE and IPSec VPN standards
• Extends networks securely over the Internet by helping to ensure data privacy, data integrity, and strong authentication with remote networks and remote users
• Improves network reliability and performance through support of OSPF dynamic routing and reverse-route injection over site-to-site VPN tunnels
Native Integration with Popular User Authentication Services
• Provides a convenient method for authenticating VPN users through native integration with popular authentication services including Microsoft Active Directory, Microsoft Windows Domains, Kerberos, LDAP, and RSA SecurID (without requiring a separate RADIUS/TACACS+ server to act as an intermediary)
X.509 Certificate and CRL Support
• Supports Simple Certificate Enrollment Protocol (SCEP)-based enrollment and manual enrollment with leading X.509 solutions from Baltimore, Cisco, Entrust, iPlanet/Netscape, Microsoft, RSA, and VeriSign
• Interoperates with large-scale Public Key Infrastructure (PKI) deployments through n-tiered certificate hierarchy support
Resilient Architecture
Active/Active and Active/Standby Stateful Failover
• Ensures resilient network protection for businesses through the award-winning high availability services provided by certain models of Cisco PIX 535 Security Appliances
• Supports Active/Standby failover services as a cost-effective high availability solution, where one failover pair member operates in hot-standby mode acting as a complete redundant system that maintains current session state information for the active unit
• Delivers advanced Active/Active failover services where both Cisco PIX Security Appliances in a failover pair actively pass network traffic simultaneously and share state information bi-directionally, enabling support for asymmetric routing environments and effectively doubling the throughput of the failover pair for bursty network traffic conditions
• Supports long-distance failover enabling geographic separation of failover pair members, providing another layer of protection
VPN Stateful Failover
• Maximizes VPN connection uptime with new Active/Standby stateful failover for VPN connections
• Synchronizes all security association (SA) state information and session key material between failover pair members, providing a highly resilient VPN solution
• Note: This feature is available on Unrestricted (UR), Failover (FO), and Failover-Active/Active (FO-AA) models only.
Zero-Downtime Software Upgrades
• Enables businesses to perform software maintenance release upgrades on Cisco PIX Security Appliance failover pairs without impacting network uptime or connections through the support of state-sharing between mixed Cisco PIX Security Appliance Software versions (running version 7.0(1) or higher)
Intelligent Networking Services
VLAN-Based Virtual Interfaces
• Provides increased flexibility when defining security policies and eases overall integration into switched network environments by supporting the creation of logical interfaces based on IEEE 802.1q VLAN tags, and the creation of security policies based on these virtual interfaces
• Supports multiple virtual interfaces on a single physical interface through VLAN trunking, with support for multiple VLAN trunks per Cisco PIX Security Appliance
• Supports up to 150 total VLANs on Cisco PIX 535 Security Appliances
QoS Services
• Delivers per-flow, policy-based QoS services, with support for LLQ and traffic policing for prioritizing latency-sensitive network traffic and limiting bandwidth usage of administrator-specified applications
• Enables businesses to have end-to-end QoS policies for their extended network
OSPF Dynamic Routing
• Provides comprehensive OSPF dynamic routing services using technology based on world-renowned Cisco IOS Software
• Offers improved network reliability through fast route convergence and secure, efficient route distribution
• Delivers a secure routing solution in environments using NAT through tight integration with Cisco PIX Security Appliance NAT services
• Supports MD5-based OSPF authentication, in addition to plaintext OSPF authentication, to prevent route spoofing and various routing-based DoS attacks
• Provides route redistribution between OSPF processes, including OSPF, static, and connected routes
• Supports load balancing across equal-cost multipath routes
PIM Multicast Routing
• Streamlines the delivery of multimedia traffic in video-conferencing, collaborative computing, and mission critical real-time enterprise applications through full PIM-Sparse Mode v2 and Bidirectional-PIM routing support (based on world-class Cisco IOS multicast technology)
IPv6 Networking
• Provides access control and deep inspection firewall services for native IPv6 network environments and mixed IPv4/IPv6 network environments through dual-stack support
• Delivers IPv6-enabled inspection services for HTTP, FTP, SMTP, ICMP, TCP, and UDP-based applications
• Supports SSHv2, telnet, HTTP/HTTPS, and ICMP-based management over IPv6
Dynamic Host Control Protocol (DHCP) Server
• Provides DHCP server services on one or more interfaces, allowing devices to obtain IP addresses dynamically
• Includes extensions for automated provisioning of Cisco IP phones and Cisco SoftPhone IP telephony solutions
DHCP Relay
• Forwards DHCP requests from internal devices to an administrator-specified DHCP server, enabling centralized distribution, tracking and maintenance of IP addresses
NAT/PAT Support
• Provides rich dynamic, static, and policy-based NAT, and PAT services
Flexible Management Solutions
CiscoWorks VPN/Security Management Solution (VMS)
• Provides a comprehensive management suite for large scale Cisco security product deployments
• Integrates policy management, software maintenance and security monitoring in a single management console
Cisco Adaptive Security Device Manager (ASDM)
• World-class Web-based GUI enables simple, secure remote management of Cisco PIX Security Appliances
• Provides a wide range of informative, real-time, and historical reports which give critical insight into usage trends, performance baselines, and security events
Auto Update
• Provides "touchless" secure remote management of Cisco PIX Security Appliance configuration and software images via a unique "push/pull" management model
• Next-generation secure Extensible Markup Language (XML) over HTTPS management interface can be used by Cisco and third-party management applications for remote Cisco PIX Security Appliance configuration management, inventory, software image management/deployment and monitoring
• Integrates with CiscoWorks Management Center for Firewalls and Auto Update Server for robust, scalable remote management of up to 1000 Cisco PIX Security Appliances (per management server)
Cisco PIX Command Line Interface (CLI)
• Allows customers to use existing Cisco IOS Software CLI knowledge for easy installation and management without additional training
• Supports improved ease-of-use with services such as command completion, context-sensitive help, and command aliasing
• Accessible through a variety of methods including console port, Telnet, and SSHv2
Command-Level Authorization
• Gives businesses the ability to create up to 16 customizable administrative roles/profiles for managing a Cisco PIX Security Appliance (monitoring only, read-only access to configuration, VPN administrator, firewall/NAT administrator, etc.)
• Uses either the internal administrator database or outside sources via TACACS+, such as Cisco Secure ACS
SNMP and Syslog Support
• Supports Cisco IPSec Flow Monitoring SNMP MIB, providing a wealth of VPN flow statistics including tunnel uptime, bytes/packets transferred, and more