Scale PIX Firewall VPNs

The Cisco Secure PIX Firewall’s support for the IETF IPSec standard allows an organization to scale its VPNs at much lower administrative cost. IPSec’s use of public digital keys administered by a certificate authority (CA), a third-party vendor that registers public keys, gives tremendous flexibility and scalability as the network evolves.

Basic PIX Firewall features that further enhance the scalability of the network security strategy include NAT/PAT, extensive protocol support such as PPPoE and DHCP, a variety of interface NICs to support different connectivity solutions, and the PIX Firewall series’ capacity to support from 64,000 to 256,000 simultaneous connections. This strategy protects the organization’s investment in security technology.

Network Management Options

PIX Firewalls with VPN support are incorporated into several Cisco network management software solutions. Some of the key examples are introduced in the next paragraphs.

CiscoWorks VPN/Security Management Solution (VMS)

CiscoWorks VPN/Security Management Solution (VMS) is Cisco’s flagship integrated security management solution, which provides web-based tools for configuring, monitoring, and troubleshooting enterprise VPNs, PIX, and IOS firewalls, along with network and host-based intrusion detection systems (IDS). CiscoWorks VMS is an integral part of the SAFE strategy for network security.

A key component of CiscoWorks VMS is the CiscoWorks Management Center for PIX Firewalls and Auto Update Server Software that provides unprecedented manageability for the PIX Firewall devices. The Management Center maintains the Web-based “look and feel” of its smaller cousin, the Cisco PIX Device Manager, but provides centralized management scalability for up to 1,000 Cisco PIX Firewalls.

CiscoWorks VMS is composed of a series of tools that reside on a network management server (or servers) running, for example, Windows 2000 Professional or Server.

Cisco Secure Policy Manager (CSPM)

With Cisco Secure Policy Manager (CSPM), it’s possible to configure, manage, and monitor Cisco Systems security networks end to end. CSPM is a policy-based product that abstracts the complexities of security networking so that administrators can create high-level security policies independent of the underlying device platforms and software releases. CSPM is Cisco’s strategic security management platform for Cisco Secure PIX Firewalls, Cisco Secure IOS Firewalls, Cisco IOS VPN routers, and Cisco Secure Intrusion Detection System (IDS) sensors.

CSPM provides the following benefits:

  • Time savings using a configuration GUI

  • Centralized configuration and monitoring of remote security devices

  • Enhanced scalability by using policy inheritance

  • Easy security device monitoring with e-mail notification and basic reports

The latest versions of CSPM can be installed on systems running Windows 2000 Professional or Windows 2000 Server with at least Service Pack 2. Earlier versions support Windows NT 4.0 with Service Pack 6a. In client/server installations, the GUI can be installed on Windows 95, 98, 2000, and NT 4.0 systems. Report viewing is available through Netscape or Microsoft web browsers using Secure Sockets Layer (SSL).

Cisco PIX Device Manager

The Cisco PDM is a browser-based tool for configuring and monitoring the PIX Firewall. It is particularly useful for administrators who lack a solid knowledge of the PIX Firewall command-line interface (CLI). Because PDM runs in a web browser, an administrator can configure and monitor multiple PIX Firewall units from a single workstation. Figure 21-3 shows the System Properties page of the PDM.

Figure 21-3: Basic PIX Firewall supporting PPPoE

PDM lets you configure the PIX Firewall unit through a Windows-like interface with drop-down menus and browser features; the choices you make are converted internally into the correct CLI commands for the PIX unit to process. PDM provides the following functions.

Configuration wizards, such as the Startup Wizard and VPN Wizard, provide step-by-step guidance through otherwise complex configuration tasks.

PDM monitoring features include real-time graphs and data, including connection, IDS, and throughput information for the selected PIX Firewall. You can view up to five days of historical data. The tabbed-page graphical interface, with Windows Explorer–like controls on the left side, makes it easy to check settings, configuration, or performance.

The PIX Device Manager is covered in greater detail in the next chapter.