Cisco turns up speed, adds VoIP and VPN support to firewall boxes
SAN JOSE - Cisco last week released new versions of its PIX firewalls that the company says will process filtered IP traffic more quickly than previous PIX devices, and support IP voice protocols and VPN tunnel encryption.
PIX 506E and 515E could be used to secure branch offices or teleworker connections with firewall packet inspection. The new PIXs also can double as VPN devices, capable of connecting remote users to a main site over an IP Security encrypted tunnel. A new operating system for PIX also supports H.323 and Session Initiation Protocol (SIP), two popular IP telephony protocols that are being supported on a firewall device for the first time.
Both PIX firewalls come in the same form factor as their predecessors, but with increased processing and throughput speeds. The 506E, intended for small offices or teleworkers, supports up to 25 attached VPN tunnels and can push 17M bit/sec of Triple-DES traffic over a network. PIX 515E for midsize or large branch offices can support 2,500 VPN connections and move 63M bit/sec of Triple-DES traffic.
A South Carolina engineering firm with more than 3,000 employees recently ran the new firewalls through beta testing. "We were looking for increased data throughput for our encrypted tunnels," says a network engineer, who asked not to be named.
The enhanced PIX devices replaced PIX 506 and 515 firewalls used to connect CAD engineers in a remote office to the company's main site.
"Many of our remote users thought they were connected to a machine on our LAN segment, whereas before they could see an obvious lag in response time" when accessing resources over the VPN, the engineer says.
In addition to the new PIX products, Cisco's PIX OS 6.2 software for all PIX products includes new IP telephony, failover and teleworker features. The software can provide port address translation for SIP and H.323 traffic, which secures IP telephony traffic. Previously, companies that wanted to mask VoIP traffic through their PIX firewalls had to open a "pinhole" in the device, letting H.323 or SIP traffic pass through unfiltered. Some observers have called that technique a major flaw with IP telephony security.
PIX OS 6.2 software lets PIX 506 and 501 users attach to a central-office VPN more easily by downloading VPN policies and key encryption settings from a centrally managed VPN device, instead of configuring VPN settings on each firewall individually.
Cisco says PIX OS improves failover configuration on all PIX devices by letting firewall failover occur over a LAN connection instead of a direct serial cable connection between two PIXs on a network.
Cisco's PIX firewalls compete with products from Avaya, Check Point Software, Enterasys Networks, Nokia and NetScreen Technologies, among others.
PIX 506E and 515E start at $1,700 and $3,500, respectively. PIX OS 6.2 will be available later this month free to Cisco customers with a support contract.

