Cisco Security Specialist's Guide to PIX Firewalls

Good security administration is labor-intensive, and therefore organizations often find it difficult to maintain the security of a large number of internal machines. To protect their machines from outside subversion, organizations often erect a security wall, or "perimeter." Machines inside the perimeter communicate with the rest of the enterprise (or the Internet) only through a small set of carefully managed machines called firewalls. These devices allow for access controls that might not be native to the protected hosts; in addition, they can provide authorization or audit controls at the network layer.
Increasingly, these firewalls provide additional security or performance services; since they sit at a point in the network that mediates all communication with the end host, various kinds of service extensions can naturally be integrated into them.
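As an added illustration of the network-layer access and audit controls described above (this is example configuration written for this page, not a listing from the book), the following PIX 6.x-style fragment places a web server in a DMZ behind a perimeter firewall. Outside hosts may reach only that server, and only on TCP port 80; everything else is denied by default and logged, so the control exists regardless of how the protected host itself is hardened. All interface names, addresses (RFC 5737 documentation ranges) and the syslog host are assumed for the example.

```cisco
! Interfaces and security levels: higher levels may initiate to lower levels,
! lower levels need an explicit access-list to reach higher levels.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! Hide internal clients behind a pool of public addresses (assumed ranges).
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.10-203.0.113.20

! Publish the DMZ web server on one public address (assumed).
static (dmz,outside) 203.0.113.5 192.168.10.5 netmask 255.255.255.255

! Inbound policy: permit only HTTP to the published server, deny all else.
! The explicit final deny is what the firewall logs; it makes the default
! deny visible in the audit trail.
access-list outside_in permit tcp any host 203.0.113.5 eq www
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Audit: send connection and denial records to an internal syslog host (assumed).
logging on
logging trap informational
logging host inside 10.1.1.50
```

Note that the inside network is still free to initiate outbound connections because of its higher security level; a second access-list applied `in interface inside` would be needed to restrict that direction as well, which is the usual next step when tightening the perimeter.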
Even in high-security environments, where the resources to harden the end application and support it over time are available, firewalls still play an important role. Beyond the features described previously, they support defense in depth: several independent protective layers, so that an error or omission at one layer does not by itself compromise the system. Multiple controls also support separation of duties: different groups can own application-layer and network-layer security, ensuring that no single person or group can subvert the whole system. Firewalls thus belong in every network security design.
Cisco's PIX firewalls are a series of appliances that offer world-class security and high levels of performance and...