Cisco PIX Firewalls: Configure, Manage, & Troubleshoot

The Cisco PIX firewall has been providing the ability to secure application protocols for many years now, and version 7.0 is no exception. The ability to correct or compensate for native insecurities in an application is a prime requirement for security. In version 7.0 this feature is called application inspection. Prior to the release of version 7.0, the PIX firewall handled application inspection through the fixup feature. In version 7.0, this has been replaced by protocol inspection, which is configured and deployed as a subset of the modular policy framework (MPF), which allows for flexible and easily reusable modular configuration of inspection features. Similar to the modular quality of service functionality in Cisco IOS software, MPF is configured in three steps (class-maps, policy-maps, and service-policies), which will be discussed in full detail later.
Although it is still possible to configure fixup in version 7.0, any such commands are automatically converted to the new protocol inspection commands. Therefore, it is desirable to use the new command set to avoid confusion between the entered and the displayed configuration, and to take advantage of the flexibility of the new protocol inspection methodology (see Figure 5.1). Using the MPF-based commands also removes the guesswork from the way fixup commands are translated; because of the added granularity and flexibility that MPF provides, conversion of fixup commands may not occur exactly as you might expect. As well, in future PIX releases the fixup commands will no longer be supported, and you will be required...
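As an added illustration (not a configuration from the book), the following shows two legacy fixup commands beside the three-step MPF configuration that expresses the same inspection in version 7.0. The class-map and policy-map names are assumed, and port 2121 is a constructed example of a non-standard port, included to show why a fixup on a non-default port converts into its own class-map rather than into the default class.

```cisco
! Legacy (pre-7.0) style: one fixup line per protocol and port.
! The second line uses a constructed non-standard FTP port.
fixup protocol ftp 21
fixup protocol ftp 2121

! Step 1: class-maps select the traffic to be inspected.
! inspection_default / default-inspection-traffic cover the
! well-known ports; the second class isolates the extra port.
class-map inspection_default
 match default-inspection-traffic
!
class-map ftp_alt_port
 match port tcp eq 2121
!
! Step 2: a policy-map binds inspection actions to each class.
! Granularity lives here: each class gets exactly the engines
! it needs instead of one global per-protocol switch.
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
 class ftp_alt_port
  inspect ftp
!
! Step 3: the service-policy activates the policy-map, either
! globally (all interfaces) or on one named interface.
service-policy global_policy global
```

After entering a fixup on a 7.0 firewall, compare `show running-config` against this shape; the converted class-map and policy-map entries are what the firewall actually stores.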