Well, only mostly dead. Today, July 28th, 2008, is the last day you can purchase a PIX firewall appliance from Cisco, ending one of the longest and most successful lives of any gateway security product. The PIX (Private Internet Exchange) was the first Network Address Translation device and later evolved into a stateful firewall. See this introductory piece on the PIX by Johna Till Johnson in the January, 1995 issue of Data Communications Magazine. Cisco acquired the PIX with Network Translations, Inc. along with its inventors, John Mayes, Brantley Coile and Johnson Wu. From there the PIX grew into a multi-billion dollar franchise, outselling its nearest competitors, Checkpoint and Netscreen.
Incidentally, the founder of Netscreen, Ken Xie, was actually a PIX firewall administrator at Philips Electronics when he thought up the idea of a hardware-accelerated firewall appliance. Ken went on to found Fortinet as well, the latest evolution in the history of firewall appliances.
You may recall the early religious wars between proxy and stateful firewalls. Cisco PIX pretty much put a nail in that coffin. The Gauntlet proxy firewall died a rapid death in the hands of Network Associates (now McAfee), and the rest of the proxy firewalls, Sidewinder, Cyberguard, etc., have been rolled up into Secure Computing, where they serve a niche market within the defense department.
According to Cisco, it will continue to sell add-ons to the PIX series until next year and will support the product until 2013, which has got to be one of the most responsible end-of-life programs in the history of networking and security. While the latest version of PIX is compatible with the first version of Cisco's replacement security appliance, the ASA, from here on they diverge as the ASA moves to a Linux-based OS.
Cisco, of course, means for its installed base of PIX customers to migrate to the newer, more expensive ASA platform. While there is no need to panic at the end of sale (EOS) of PIX, I would take this opportunity to re-evaluate your gateway security platforms. A lot has changed in network security in the 13 years since PIX was introduced.
Firewall migration can be fraught with risk. Rule sets are like new government agencies: they have a way of growing forever. I have not seen an installed firewall that did not have unused or redundant rules in it, things that detract from its auditability. I have talked to admins that have over a thousand individual rules on their firewalls.
But there is hope. Just in recent months I have started to see usable firewall rule analysis and management tools. I mentioned AlgoSec's product in my roundup of RSA this year. There are products from Tufin Technologies, another Israeli startup, and Athena Security, based in Illinois, that could be used not only for firewall rule cleanup but as a tool for transitioning off of PIX to a modern platform (even to ASA). But AlgoSec is the only one with a specific migration capability. Solsoft is also used to manage multiple firewall platforms and could be used for migration purposes. Many of the firewall vendors have tools for capturing and converting rule sets, but so far AlgoSec is the only one that has built an easy-to-use tool set for accomplishing the transition.
Follow these steps when changing firewall platforms:
Step 1. Import the rule base from your legacy PIX.
Step 2. Clean up that rule base. Algosec can even identify rules that are never used so you can eliminate them. All of these products are building in compliance modules that allow you to compare your rules to best practices.
Step 3. Install the cleaned up rule base on the new platform.
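A small check for Step 2, added here as an example and not part of the original post or of any vendor's product: it parses a constructed PIX/ASA-style extended access list (a simplified, IPv4-only subset of the syntax, assuming first-match semantics) and flags rules that an earlier rule already matches completely, whether they are plain duplicates or a later deny that can never take effect.

```python
import ipaddress
import re
from collections import namedtuple
# Assumed, simplified subset of PIX/ASA extended ACL syntax: one IPv4 rule per line.
RULE_RE = re.compile(r"access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
                     r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)(?: eq (?P<port>\S+))?$")
Rule = namedtuple("Rule", "acl action proto src dst port")

def to_net(spec):  # 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' -> IPv4Network
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse(config):
    rules = []
    for line in config.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported line: " + line)
        rules.append(Rule(m["acl"], m["action"], m["proto"], to_net(m["src"]), to_net(m["dst"]), m["port"]))
    return rules

def covers(a, b):  # every packet rule b could match is already matched by rule a
    return (a.acl == b.acl and a.proto in ("ip", b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and (a.port is None or a.port == b.port))  # port names (e.g. www) are not normalised

def shadowed(rules):  # (rule no., shadowing rule no., 'redundant'|'conflicting') for rules that never match
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):  # first-match semantics: the earlier rule wins
                kind = "redundant" if rules[i].action == later.action else "conflicting"
                findings.append((j + 1, i + 1, kind))
                break
    return findings

# Constructed sample ACL using RFC 5737 documentation addresses, not a real configuration.
SAMPLE = """
access-list outside_in extended permit tcp any host 192.0.2.10 eq 80
access-list outside_in extended permit ip any 192.0.2.0 255.255.255.0
access-list outside_in extended permit tcp any host 192.0.2.10 eq 80
access-list outside_in extended deny tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq 22
access-list outside_in extended permit udp any host 192.0.2.20 eq 53
access-list outside_in extended permit tcp any host 203.0.113.5 eq 25
"""
```

`shadowed(parse(SAMPLE))` reports rule 3 as a redundant duplicate of rule 1, and rules 4 and 5 as unreachable because the broad `permit ip` in rule 2 matches first; the deny in rule 4 is the kind of finding worth reviewing before the rule base is installed on the new platform.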
AlgoSec has published a conversion guide from PIX to ASA. Here is a simple example of a conversion from a Cisco PIX 535 to an ASA 5500:

But why stop there? Now is your chance to evaluate the competition. Juniper, Checkpoint, and Fortinet would be my short list. (I have to disclose my bias, because of course you love the platform you know. I worked at Fortinet for a year and I just recently completed FortiGate certification training.)
Regardless of your eventual choice in security platform, treat the passing of PIX as an opportunity to upgrade to a modern system with higher throughput, enhanced security features, route-based IPsec, easy HA (high availability) and a usable web interface.
Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.
Inaccuracies abound
Unfortunately, you're pushing words without doing your homework again. If you're going to post a link about migrating from PIX to ASA, you could simply Google "convert pix to asa" and the first link would actually take you to Cisco's guide for migration. (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808554ed.shtml) I know how much you like propping up the little companies, and Algosec has some neat things it can do, but it's not *necessary* for a successful migration.
Furthermore, your statement "Cisco, of course, means for its installed base of PIX customers to migrate to the newer, more expensive, ASA platform." is also untrue. The ASA platform is a cheaper and faster platform with significantly more features. I'd like to know how you're able to say "more expensive" for the ASAs. A PIX 525 UR, which (list price) cost $12,995, provided 330 Mbps of firewalling, compared to an ASA 5520 which provides 450 Mbps of firewalling and costs only $7,995. Looks like "more for less" to me, which I don't consider "more expensive".
If you're advocating that people re-evaluate their Cisco firewalls, then why aren't you advocating the same thing for every time the software renewals come up for Check Point? Seems like you're just beating up on Cisco because they're the big guy...
Calling a spade a spade,
// Chris
The opinions in this posting are my own and do not necessarily represent the views of my company.
Wow Chris...
You must work for Cisco, huh?
Seeing all those potential sales fly out the window because there are better solutions now must really make you feel angry.
Calm down with the rage man.
Well, umm...
If Google is your main research tool, fine. In case you did not get the gist of the post, it was to encourage people to look at new platforms. Not much advice to give if I use the first hit on Google now, is there?
Yup, Cisco is the big guy. So, yes I am going to beat them up. Just as I always have. The rest of the world has moved on from CLI, when is Cisco?
If you think I in some way favor Checkpoint you are guilty of pushing words yourself without using your friendly Google research tool.
Try Googling 'stiennon check point'. The first hit is my diatribe against Checkpoint.
Sometimes I wish there were a "vendor" filter for comments. I would have to deal with a lot less grief. Ah well...
Re: Well, um...
With the reference to Google, I was simply pointing out that you could do a bit more fact checking and how simple it would be to do so. Your implication that a 3rd party tool is required for a migration makes the process sound more difficult and costly than it truly is.
When is Cisco going to move from the CLI? I'd encourage you to take a look at Cisco Security Manager (for centralized management) or Adaptive Security Device Manager (for single device management of PIX/ASA/FWSM). I came from Check Point (google my name and you'll see that I've actually written books on them while I worked there), so I'm most comfortable with a GUI and I seem to do just fine (and so do my customers who have moved from Check Point to Cisco).
If there were a vendor filter, or a reseller filter, people like JJ and me would not be able to rebuke the FUD you're throwing around and trying to tear down all the vendors. Oftentimes we speak on behalf of our customers' mindset. All any of the vendors really want is a fair playing field, and I don't think pointing out when someone is slanting it is inherently bad; it just makes your life more difficult.
Cheers,
// Chris
The opinions in this posting are my own and do not necessarily represent the views of my company.
What's wrong with the CLI?
Why would anyone want to get rid of the CLI, which is one of the most powerful and flexible interfaces available? Yes, it generally requires more knowledge and effort at first, but it's hard to go back to a slow GUI after working with it.
Plus, when security really matters, only allowing management via a serial port is a great way to make sure there is no way to get to the management of that system, and that means CLI. And yes, I know you can lock down management to a specific port, but consider: if these edge devices get compromised, they then have a nice backdoor entrance to the management network.
In any case, when it is up to me I will only purchase a firewall that includes a CLI along with a GUI. Pretty much all the good firewalls have a good CLI *and* GUI: Cisco, Juniper, Secure, and Fortinet.
--j
I totally missed that CLI knock...?
Was that Stiennon?
Why the heck would we ever want to move completely away from CLI? Half the freaking problems we have are that companies attempted to dumb things down for folks so much that they glossed over real issues in hopes of creating a "user-friendly" GUI.
Jeremiah is spot on.
Give me a black screen and a prompt any day. If you take that away completely then you have something to hide anyway imo. I gotta at least audit what you have me doing in the GUI and several of the products now actually construct what the CLI commands look like while you do it in the other interface.
D
Move from CLI?
I can't stand that response "move on from CLI".
Wait oh that's right because we need more point and click admins in this world. They haven't created enough garbage on the internet and at companies.
CLI requires more knowledge, but it also requires more knowledge, which requires more knowledge. Any dip can click a radio button and type an IP address; it takes a technologist to understand what it all does and how it works.
Cisco really needs to move on from CLI, I agree. Their router line is not selling, their switches aren't installed everywhere, the PIX/ASA isn't very successful.
Wait a second, just woke up from a nightmare. Cisco owns these spaces because of the admins and engineers who understand technology and thrive on CLI, because of the knowledge required.
GO HOME and write about the demise of Windows XP or something with a GUI.
Move on From CLI?
Just because you use a CLI does not mean you have more knowledge. I have been designing fiber-optic transport systems for 15 years. The equipment used includes CLIs as well as advanced GUIs. 99% of the time I use the GUI. It allows the user to configure the device while thinking about what is being done, not remembering obscure CLI commands.
Don't kid yourself. Cisco's encouraged use of the CLI is a marketing tool as much as anything. Techs are being churned out by the tech schools with CCNA as their credentials. If Cisco CLI is all they know, whose equipment are they going to buy?
It's worth noting...
It's worth noting that Cisco also released a tool (for free) to convert configs from PIX to ASA that runs on Mac, Windows, or anything that runs Java (i.e. Linux) which you can download from the PIX download page (meaning you need a registered login) at: http://www.cisco.com/cgi-bin/tablebuild.pl/pix