Cisco Security Specialist's Guide to PIX Firewalls

Summary

The Cisco PIX firewall is an advanced product and has many different options for supporting various application-layer protocols as well as protecting against network-layer attacks. It also supports content filtering for outbound Web access, intrusion detection, various routing options such as RIP and stub multicast routing, and DHCP server and client functionality.

Many protocols embed extra IP address information inside the exchanged packets or negotiate additional connections on nonfixed ports in order to function properly. These functions are handled by the PIX application inspection feature (also known as fixup). PIX supports FTP clients and servers in active and passive modes, as well as the DNS, RSH, RPC, SQL*Net, and LDAP protocols. It also supports various streaming protocols such as Real-Time Streaming Protocol, NetShow, and VDO Live. Another set of supported protocols includes H.323, SCCP, and SIP, all used in VoIP applications. The PIX monitors passing packets for the embedded information and updates its tables or permits embryonic connections according to this information. It is also able to NAT these embedded addresses in several cases.
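The FTP case described above, as an added Python sketch that is not code from the book or from the PIX: it reads one control-channel line, extracts the embedded address and port, rewrites the address through a NAT table, and returns the single data connection to permit. The names `inspect_ftp_line` and `nat_map`, the sample addresses, and the rule that the embedded address must equal the sender's own address are assumptions of this sketch, not documented PIX behaviour.

```python
import re

# Active mode: the client sends "PORT h1,h2,h3,h4,p1,p2".
# Passive mode: the server replies "227 ... (h1,h2,h3,h4,p1,p2)" (RFC 959).
_ADDR = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")

def inspect_ftp_line(line, src_ip, dst_ip, nat_map):
    """Return (rewritten_line, pinhole) for one FTP control-channel line.

    pinhole is (initiator_ip, listener_ip, listener_port) for the one data
    connection to allow, or None when the line negotiates nothing.
    """
    text = line.rstrip("\r\n")
    if not (text.upper().startswith("PORT ") or text.startswith("227 ")):
        return line, None
    m = _ADDR.search(text)
    if m is None:
        return line, None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return line, None          # malformed field: rewrite nothing, open nothing
    embedded_ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # port is carried as two bytes, high then low
    # Assumed policy for this sketch: only honour an address that belongs to
    # the sender, so a control line cannot open a path to some other host.
    if embedded_ip != src_ip:
        return line, None
    translated = nat_map.get(embedded_ip, embedded_ip)
    field = ",".join(translated.split(".") + [str(nums[4]), str(nums[5])])
    rewritten = text[:m.start()] + field + text[m.end():] + "\r\n"
    # In both modes the receiver of the line (dst_ip) opens the data connection.
    return rewritten, (dst_ip, translated, port)

if __name__ == "__main__":
    # Constructed sample: inside client 10.1.1.5 is translated to 203.0.113.7.
    nat = {"10.1.1.5": "203.0.113.7"}
    for sample in ("USER anonymous\r\n", "PORT 10,1,1,5,19,137\r\n"):
        print(inspect_ftp_line(sample, "10.1.1.5", "198.51.100.20", nat))
```

Because the translated address can differ in length from the original, a device doing this on live TCP traffic also has to adjust sequence and acknowledgement numbers for the rest of the control connection.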

Content filtering features on the PIX can be used to enforce a company's acceptable use policy. The PIX can interface with Websense (www.websense.com) or N2H2 (www.n2h2.com) servers and deny or allow internal clients access to specific Web sites. The PIX is also able to filter out Java applets and ActiveX code from incoming Web pages to protect clients against malicious code.

The PIX firewall supports the same set of atomic intrusion detection signatures as the Cisco IOS firewall. This...
