For simplified management, the Cisco PIX Firewall series includes the Firewall Manager, a Java-based graphical user interface (GUI) configuration tool that lets you click on a PIX Firewall icon to retrieve, edit, and centrally manage security policies. With management reports, network managers can perform statistical analysis on unauthorized users, amounts of traffic, and event logging for potential cost accounting. Network managers can also use Universal Resource Locator (URL) accounting to monitor which Web sites their users visit most. And by setting thresholds, the Cisco PIX Firewall series can automatically provide real-time alerts of any attempted firewall breaches through e-mail or page notification. The Cisco PIX Firewall series can also block out unwanted Java applets.

• Less complex and more robust than packet-filtering

• No downtime required for installation

• No day-to-day management required

• No upgrading of hosts or routers

• Full outbound Internet access from unregistered internal hosts

• Does not require additional registered IP addresses for network expansion

• Allows use of Address Allocation for Private Internets (RFC 1918) or registered IP addresses

• No user impact--nondisruptive to existing LANs

• Interoperable with Cisco IOS-based routers

Cisco's PIX Firewall series gains further dramatic performance advantage through a new feature called cut-though proxy. Whereas UNIX-based proxy servers are an ideal platform and can provide user authentication and maintain "state" (information about a packet's origin and destination) to offer good security, their performance suffers because they process all packets at the application layer (Layer 7) of the OSI model, which is highly CPU-intensive.

The cut-through proxy feature of the Cisco PIX Firewall, on the other hand, challenges a user initially at the application layer, like a proxy server. But once the user is authenticated against an industry-standard database based on Terminal Access Controller Access Control System (TACACS)+ or Remote Authentication Dial-In User Service (RADIUS), and access policy is checked, the Cisco PIX Firewall series shifts the session flow, and all traffic thereafter flows directly and quickly between the two parties, while maintaining session state without compromising any security over traditional proxy-based firewalls. This cut-through capability allows the Cisco PIX Firewall series to perform dramatically faster than proxy servers.

• Strong, stateful connection-oriented protection to restrict unauthorized users from accessing network resources

• Cut-through proxy to allow both inbound and outbound Internet access based on industry-standard protocols such as TACACS+ and RADIUS

• Support for over 16,000 simultaneous connections

• Enhanced, easy-to-use Firewall Manager for configuring multiple Cisco PIX Firewall series

• Third network interface for platform extensibility and security policy enforcement on publicly accessible services (WWW, mail, DNS, etc.)

• Oracle SQL*Net access through the Cisco PIX Firewall series for secure client/server applications

• Support of Cisco IOS-style command-line interface

• Failover/hot standby for high reliability

• True Network Address Translation (NAT) as specified in RFC 1631

• Port Address Translation (PAT) to further expand a company's address pool-one IP address supports more than 64,000 hosts, 16,384 simultaneously

• Net Aliasing to transparently merge overlapping networks with the same IP address space

• For networks with registered IP addresses, nontranslation allows use of existing registered IP numbers

• Transparent support for all common TCP/IP Internet services, such as WWW, File Transfer Protocol (FTP), Telnet, Archie, gopher, and rlogin

• Support of multimedia data types, including Progressive Networks' RealAudio, Xing Technologies' Streamworks, White Pines' CuSeeMe, Vocal Tec's Internet Phone, VDOnet's VDOLive, Microsoft's NetShow, VXtreme Web Theatre 2; and Intel's Internet Video Phone and Microsoft's NetMeeting (based on H.323 standards)

• Blocking of potentially dangerous Java applets

• Secure, real-time system

• Multiple login levels supported

• Support of Simple Network Management Protocol (SNMP) traps

• Management reports and URL accounting features

• Auditing provided through syslog

• Syslog Management Information Base (MIB) support

• URL and FTP accounting to allow auditing of Web usage

• Remote-procedure call (RPC) support

• Mail Guard to remove need for external mail relay workstation in perimeter network

• SYN Flood Defender-protects the host on the private network from denial of service attacks

• NetBIOS translation-support for Microsoft Networking client and server communication through the Cisco PIX Firewall series

• Two hardware platforms (PIX and PIX 10000) to meet a range of performance and scalability needs, from 45 Mb/s to greater than 90 Mb/s

Also available is the Cisco PIX Private Link encryption card. With this card, companies can dramatically reduce telecommunications costs by having options to dedicated leased lines and sending encrypted IP packets over any public IP-based network, such as the Internet. With a Cisco PIX Private Link encryption card at each PIX Firewall site, companies can be assured of secure communications through the Internet. The encryption card uses the Data Encryption Standard (DES) algorithm and the Internet Engineering Task Force's (IETF's) Authentication Header/Encapsulating Security Payload (AH/ESP) protocols (RFCs 1826 and 1827, respectively).

Other products included in the Cisco PIX Firewall series are a 10/100-Mbps Ethernet network interface card (NIC), and a 4/16-Mbps Token Ring NIC. An optional cable supports a failover/hot standby firewall to eliminate a single point of failure.