A Brief History of Cisco PIX Firewall
Today we will say a few words about another workhorse of network engineering. A device notable not only for its functionality, but also for its mass production. Inexpensive, practical and ideally suited to the needs of the SMB segment in the second half of the 1990s and early 2000s.
So, as stated in Wikipedia, Cisco PIX (Private Internet eXchange) was one of the first in its segment, a popular firewall with the ability to translate network addresses (NAT/PAT).
We owe the appearance of the PIX firewall to a small company called Network Translation Inc. (hereinafter referred to as NTI), which released the first version of the device for hiding private networks in 1994. The company itself was founded in 1994, and the software was written by one single person, Brantley Coile. As participants in those events later recounted, this feat was inspired by the desire to make an analogue of an office PBX (PBX – Private Branch eXchange), allowing internal subscribers to access the public telephone network.
The PIX OS operating system provided firewall functionality at Layer 4 of the OSI model, with stateful inspection through a special type of rules (conduits). PIX OS included support for named ACLs, NAT (yes, just NAT), and the first support for protocol-specific packet filtering (ftp, dns, smtp, etc.). All this, despite its young age, gave NTI a leading position in the industry; the specialized magazine Data Communications even awarded PIX its "Hot Product of the Year" prize in January 1995.
A regular x86 PC was used as the hardware platform. Since it was assumed that this would be a specialized device for NATing a private network to the outside, it had only two network interfaces, outside and inside, with security levels of 0 and 100, respectively. Prior to PIX 5.2, it was not possible to change interface names.
In general, if we delve a little deeper into the issue, although there had been several articles in specialized publications, the need to allocate separate blocks of addresses for private networks was first documented only in March 1994 (http://www.ietf.org/rfc/rfc1597.txt), and the principle of network address translation was fixed in May 1994 (http://www.ietf.org/rfc/rfc1631.txt). So NTI was truly at the cutting edge of scientific and technological progress.
In 1995, a rather murky story happened, as a result of which NTI, which had existed for only a year at that point and had, in fact, created a new market segment, was purchased by Cisco. The abbreviations NTI and PIX OS are no longer used in our history, and two new devices enter the scene – the Cisco LocalDirector load balancer and the Cisco PIX Firewall. Both inherit most of the PIX OS code, but the PIX version was called Finesse OS (although the old-timers don't care, they continue to call all Cisco firewall software PIX OS). The code was still written by the same Brantley Coile and his comrades.
LocalDirector was a year ahead of its competitors F5 and HydraWeb, immediately grabbed a large market share and existed until 2004, but we'll talk about it another time.
After the transition to Cisco, the first software release was numbered 2.5, followed shortly by 3.1, and then the 4.x releases (4.1, 4.2, 4.3 and 4.4), after which there was a long break. The customer base increased and sales grew rapidly. Why improve something that is already perfect?
And so the PIX Firewall Classic takes the stage. Everything is the same as it was and as it will be in the future: the x86 platform. To separate market segments, there was a software limit on the number of simultaneous TCP sessions – 32, 256, 1024, 4096, 16384. 10/100Mbps BaseT Ethernet and 4/16Mbps Token Ring network cards were supported. The height of the case was determined by the use of a Slot 1 Pentium II CPU.
Next, the PIX 10000 model was released, and then the PIX 510 and PIX 520 (here on Rutube/YouTube you can take a look at their insides). All of them used a regular 3.5″ floppy drive with a 1.44 MB disk to store and run the system software. Accordingly, the software update process consisted of replacing one floppy disk with another, followed by rebooting the box. There was also built-in flash memory for storing the configuration, initially with a capacity of 256 KB, subsequently gradually increased to 512 KB, 2 MB, 8 MB and finally 16 MB.
Configuring the device was not the easiest task. Incoming traffic was allowed with rules of the conduit type; outgoing traffic was restricted with rules of the outbound type, which could have exceptions via except statements. There were also ACLs, which were attached with the apply command.
For example, to allow external SMTP traffic from host 10.10.25.10 to server 192.168.1.49 located inside the network, we write:
$ static -a 10.10.26.147 192.168.1.49 secure
$ conduit 10.10.26.147 tcp:10.10.25.10/32-25
And this is how it was possible to prohibit internal users from going to a specific IP address:
$ access_list 12 deny 192.168.146.201 255.255.255.255 80
$ access_list 12 deny 192.168.146.202 255.255.255.255 80
$ apply 12 outgoing_dest
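To see what these five lines actually mean for a packet, here is an added example (my own code, not anything from PIX or Cisco) that parses the classic static/conduit/access_list/apply syntax from the two snippets above and evaluates an inbound and an outbound flow against them. The parsing rules are my reading of the examples; the fields are assumed to be exactly as shown on the page.

```python
import ipaddress

# Constructed config: the exact lines from the two snippets above, prompts stripped.
CONFIG = """
static -a 10.10.26.147 192.168.1.49 secure
conduit 10.10.26.147 tcp:10.10.25.10/32-25
access_list 12 deny 192.168.146.201 255.255.255.255 80
access_list 12 deny 192.168.146.202 255.255.255.255 80
apply 12 outgoing_dest
"""

def parse(config):
    """Split classic PIX lines into statics, conduits, ACLs and apply bindings."""
    statics, conduits, acls, applied = {}, [], {}, []
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "static":            # static -a <global> <inside> secure
            statics[t[2]] = t[3]
        elif t[0] == "conduit":         # conduit <global> <proto>:<src>/<mask>-<port>
            proto, rest = t[2].split(":")
            src, port = rest.split("-")
            conduits.append((t[1], proto, ipaddress.ip_network(src), int(port)))
        elif t[0] == "access_list":     # access_list <id> deny <ip> <mask> <port>
            net = ipaddress.ip_network(f"{t[3]}/{t[4]}")
            acls.setdefault(t[1], []).append((t[2], net, int(t[5])))
        elif t[0] == "apply":           # apply <id> outgoing_dest
            applied.append((t[1], t[2]))
    return statics, conduits, acls, applied

def inbound_target(rules, src, dst_global, proto, port):
    """Return the inside host a permitted inbound flow is translated to, else None.
    Inbound needs both a static translation and a matching conduit."""
    statics, conduits, _, _ = rules
    if dst_global not in statics:
        return None
    for g, p, net, pt in conduits:
        if g == dst_global and p == proto and ipaddress.ip_address(src) in net and pt == port:
            return statics[dst_global]
    return None

def outbound_allowed(rules, dst, port):
    """Outbound is permitted by default; an applied outgoing_dest deny blocks it."""
    _, _, acls, applied = rules
    for acl_id, mode in applied:
        for action, net, pt in acls.get(acl_id, []):
            if (mode == "outgoing_dest" and action == "deny"
                    and ipaddress.ip_address(dst) in net and pt == port):
                return False
    return True
```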
Everything was fine until the release of Finesse OS 5.0, which no longer fit on a floppy disk. Of course, a workaround was invented: the boot loader was loaded from the floppy disk, and the operating system was downloaded over the network via tftp, but it was no longer what it used to be. Still, the idea of downloading via tftp was considered a success, and the same mechanism was implemented for IOS. Just in case.
It must be said that PIX supported VPN even before the IPSec standard took shape. It is clear that compatibility in this case was limited, and the setup amounted to specifying the address of a remote host and a preshared key. Encryption required a separate card, and only DES was supported. This technology was called PrivateLink, and PIX could communicate, in addition to another PIX, with LocalDirector and earlier versions of IOS. Later, PrivateLink-2 was released, which supported 3DES and doubled the speed.
As usual, platform limitations sometimes gave rise to monsters. To overcome the meager capabilities of PIX in routing traffic and supporting other types of interfaces, a product called AccessPro router was offered for some time; it occupied a couple of ISA slots (due to its size) and was a 2500 router with IOS 10.0 on board. Its console was accessed using the "session" command. As with downloading via tftp, everyone liked the approach so much that crossing a hedgehog with a snake via mezzanine cards is still used by Cisco (Cisco router 1861, Firepower, etc.).
PIX Firewall Software v5.2 was the final version 5. It added DHCP client and server support, basic intrusion detection tools (53 predefined signatures), SSH support, RADIUS and, in my opinion, most importantly, support for PAT.
But! August 2001 arrived and Cisco PIX Firewall Version 6.0(1) was released. As you may have noticed, the name Finesse OS was buried as well.
The lineup changed too. The old models were replaced by the PIX 506, 515, 525 (600-MHz Intel Pentium III Processor, up to 256MB of RAM) and 535 (1 GHz Intel Pentium III Processor, up to 1GB of RAM). Models 506 and 515 were very quickly replaced by the same ones, only with a faster CPU and with the letter E in the name. The housings were unified with the 2600 and 3600 series models. The floppy drives were removed, leaving only the proprietary 16MB Flash.
To use version 6.0, a PIX Firewall must have at least 32 MB of RAM and 16 MB of Flash. The PIX 506 model had only 8MB of memory, but it was still allowed to run version 6.0(1), as was the PIX 501 model that appeared a little later; look how handsome it is! By the way, did you know that the FWSM module descends from this little one? The developers boldly exported the PIX 501 code base when starting the development of FWSM (FWSM version 1.1.1, WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz).
In addition to simplifying configuration (but leaving the conduits for now) and expanding functionality, Cisco PIX Device Manager (PDM) was first introduced as a standalone graphical way to manage the firewall. From this moment on, the process of setting up the hardware left the 18+ category for most use cases.
Until version 6.2, nothing particularly interesting happened, but in 6.2 we were delighted to see LAN-based failover, Bidirectional Network Address Translation (NAT) and Packet capture! Yes, before this there was nothing to debug traffic with. There was debug packet, but it's not the same at all.
In 2005, Cisco PIX Security Appliance Software Version 7.0 was released, with support for the PIX 515/515E, 525, 535 and newfangled ASA series devices.
And in this version, PIX OS practically acquired the form in which it exists now (though NAT became tolerable for the human psyche only in version 8, already on ASA).
Support for VPN Client, AnyConnect, site-to-site VPN, support for contexts, Adaptive Security Device Manager (ASDM) and a key generator available to everyone – made these devices truly one of the most popular firewalls working in the field of network technologies.
And on January 28, 2008, Cisco announced end-of-sale and end-of-life dates for Cisco PIX 500 Security Appliances. Sales ended in July 2008 and support in July 2013.
Yes, there were better firewalls. It is clear that the same CheckPoint version 6.0 was completely superior in capabilities to PIX. But overall, it had no equal. Branch firewalls for large companies and banks, separation of networks with trading platforms and exchanges, small companies – yes, there were plenty of PIXes everywhere.
By the way, there was even a Franken-PIX project, where enthusiasts built a PIX from an ordinary PC. Usually it all foundered on the lack of a 16MB ISA Flash card, which was not sold separately and was only available to owners of an actual PIX, which made the idea somewhat pointless.
Personally, I didn't do anything unnatural with the PIX, but on the ASA 5520/5540 I changed the CPU from a Celeron to a full-fledged Pentium IV with Hyper-Threading, achieving increased temperatures and performance.
Below is a photo, taken with a finger, of my home lab from 2011; the top place of honor in this pyramid is occupied by the PIX 501.
Well, that's all for now, I'm tired of writing. As usual, a link to my channel: I don't sell anything, and occasionally I'm a graphomaniac.