Introduction.  Firewalls are special routers that intercept and control traffic between a private network and public networks, especially on the Internet.  A normal router might serve as a firewall if it is configured so that all traffic in and out of the private network must flow through it.  But in and of itself, this is not adequately secure so that other features need to be implemented to increase the firewall's viability.  

It is also important to remember that firewalls work both to keep certain traffic outside of a particular network and certain traffic inside the network.  For example, everyone is aware the dangers that e-mails containing viruses present and a lot of effort is expended to keep these out.  On the other hand, if people are shopping at the on-line store you just developed you don't want them to also be able to gain access to things like your pay and social security number.

The following image represents the sort of funnel point required to implement a firewall.



Firewalls chart a defensive landscape and rely on policy to determine what sorts of messages should get through and with what other subnetworks.  Depending on the operating system, the classification of these outside networks can be quite rigid or flexible.

The simplest form of network security technology is an access list.  These lists restrict certain traffic from gaining access into or outside the private network.  They can filter packets based on three criteria:

  • Source IP address
  • Destination IP address
  • Port number

While much more can be said about these access lists, some other features you might want to have from your firewall are

  • tracking internetwork sessions
  • using internally assigned addresses to hide your true internal IP addresses
  • proxy servers
  • denial of service attack detection
  • network based application recognition
  • blocking of particular coding approaches that are susceptible to misuse
  • searching for known viruses
  • encryption
  • router authentication
  • VPN and QoS service
  • dynamic port mapping
  • audit trails
  • firewall management
  • redundancy/failover
  • time based access lists

CISCO Routers.  All of the above features and more can be can be obtained from Cisco routers by adding their IOS Firewall feature set.  Thus you can make use of equipment you already have.  Though the standard configurations have an inside router between the internal network and the firewall and another router outside the firewall connecting to the rest of the Internet.  This is illustrated in the following diagram.



Obviously, these sorts of things can be configured in a number of different ways, depending on your situation.  For example, maybe you only want one router with firewall capability performing all of the shielding, routing and filtering functions.

CISCO Firewalls.  Cisco also offers a several lines of products that are dedicated to firewall function.  These make use of a different technology than just enhanced IOS.  These products are called Cisco Secure PIX Firewalls.  They have three special advantages over the IOS implementation.

  • Integrated Hardware/Software - integrated for specialized heavy duty performance
  • Adaptive Security Algorithm - a cut through proxy architecture for higher performance
  • Integrated VPN Option

Without going into a lot of details, the following table summarizes Cisco PIX firewalls.


Secure Pix
Firewall 506
Secure Pix
Firewall 515
Secure Pix
Firewall 520
Secure Pix
Firewall 525
Secure Pix
Firewall 535
Market SOHO Small/medium business and remote offices Large enterprises with complex high end traffic Enterprise and service providers Enterprise and service providers
Processor 200 MHz 200 MHz 233 MHz 600 MHz 1 GHz
RAM 32MB 32 - 64MB 128MB < 256MB 1GB
Interfaces Dual integrated 10BaseT 
Fast Ethernet
Dual integrated 10/100BaseT 
Fast Ethernet
Dual integrated 10/100BaseT 
Fast Ethernet
Dual integrated 10/100BaseT 
Fast Ethernet
Eight Gigabit Ethernet or 10/100 Fast Ethernet single VAC
Connections 10 Mbps throughput 120 Mbps throughput;
50,000 - 100,000 concurrent connections
370 Mbps throughput;  250,000 concurrent connections 370 Mbps throughput;  280,000 concurrent connections 1 Gbps throughput;  500,000 concurrent connections;  2,000 simultaneous VPN tunnels
NIC Support Ethernet Fast Ethernet Fast Ethernet, Token Ring, FDDI Fast Ethernet, Gigabit Ethernet, Token Ring, FDDI Fast Ethernet, Gigabit Ethernet, Token Ring, FDDI


This information will be updated intermittently.   In addition, I will post some offerings from CISCO competitors while trying to focus on those with largest market share.  Any assistance in this will be greatly appreciated.