Cisco Security Specialist's Guide to PIX Firewalls

Many applications use more than one connection to operate; only one of these connections occurs on a well-known port, whereas others use dynamically assigned port numbers, which are negotiated in the process of communication. This makes firewalling by means of access lists very difficult. The PIX supports application inspection for many such protocols, which allows it to operate correctly with them.
The main command used to configure application inspection is the fixup command. It can be used for simpler protocols such as FTP, SMTP, or RSH.
Newer versions of the PIX firewall offer support for various VoIP protocols, such as H.323, SCCP, and SIP.
Filtering Web traffic can be useful in two main cases. The first is if you want to use your firewall to enforce security policies such as an acceptable use policy, which may specify that internal users cannot use the company's Internet connection to browse certain categories of Web sites. The second is to protect internal users from malicious Web servers that embed executable applets in their Web pages, because such executable content can contain viruses or Trojan horses.
The PIX supports two types of content filtering servers: Websense and N2H2. The main commands for configuring this feature are filter-url and url-server. The PIX also provides many commands for monitoring and tuning the filtering process.
Active code filtering is limited to stripping and tags from the source of inbound Web pages. This stripping...
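The following PIX 6.x configuration fragment is an added example, not text from the book, that ties the commands summarized above together: fixup-based application inspection for the multi-connection and VoIP protocols, URL filtering against an external server, and active content stripping. The interface name `inside`, the address 10.1.1.20 for the Websense host, and the cache size are assumed values chosen for illustration.

```text
! Added example (not from the book): PIX 6.x configuration illustrating the
! commands discussed in this chapter. Interface name, addresses and sizes are
! assumed values for illustration.
!
! --- Application inspection (fixup) ---
! These protocols negotiate secondary connections on dynamically assigned
! ports; inspection opens only the negotiated port, so no wide port ranges
! need to be permitted in an access list.
fixup protocol ftp 21
fixup protocol smtp 25
fixup protocol rsh 514
! VoIP protocols supported in newer PIX releases
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol sip 5060
fixup protocol skinny 2000
!
! --- URL filtering with an external content filtering server ---
! A url-server must exist before any filter url statement is accepted.
! Only one vendor (Websense or N2H2) can be configured at a time.
! 10.1.1.20 is an assumed address for the Websense host on the inside interface.
url-server (inside) vendor websense host 10.1.1.20 timeout 5 protocol TCP version 4
! Equivalent N2H2 form (assumed address), shown as a comment:
! url-server (inside) vendor n2h2 host 10.1.1.21 port 4005 timeout 5 protocol TCP
!
! Filter all outbound HTTP (port 80) from any inside host to any destination.
! Without the "allow" keyword the PIX blocks Web traffic when the URL server
! is unreachable (fails closed); appending "allow" lets it through (fails open),
! which trades availability for enforcement.
filter url http 0 0 0 0
! Cache verdicts keyed on destination to reduce round trips to the URL server
url-cache dst 128
!
! --- Active content filtering ---
! Strip ActiveX (<object>) and Java (<applet>) tags from HTTP responses
! on port 80 for all inside hosts.
filter activex 80 0 0 0 0
filter java 80 0 0 0 0
!
! --- Monitoring and tuning ---
! show url-server stats     (server reachability and lookup counters)
! show url-cache stats      (cache hits and misses)
! show perfmon              (per-second rates, including URL lookups)
```

The order matters: the `url-server` line must precede `filter url`, and the `fixup` lines take effect for new connections only, so existing sessions are not inspected until they are re-established.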