Comparisons Of Cisco Firewalls Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

This research paper is about comparisons about Cisco PIX (Private Internet Exchange), Checkpoint FW-1, and NetScreen Firewalls. First, I will talk about the concept of firewall. Then I will give a brief introduction for each of these three different firewalls, and some related background knowledge will be mentioned. After that, I will provide comparisons of them from perspectives like setup, platform, update, pricing, and so on. At the end of this research paper, a conclusion will be provided.

The Internet has been in our daily life for a fairly long time, lots of people are using the Internet every day. If you ever surf the Internet, you probably have heard the term "firewall", and even you have no idea about how it works exactly, but just from the word -firewall you can easily figure it out that firewalls are something can keep bad guys away from us.

At the very beginning, firewalls are just some access lists. Then, "a firewall has been a dedicated piece of hardware meant to allow two networks to communicate in a limited way. A typical setup is to allow users behind the firewall to access web pages and email without allowing users on the outside to access any computers on the internal network" (Daugherty, 2005). In figure 1, we can see that how a typical firewall works. That firewall only let the one has permission to go through, which is computer C, and deny the access of any other computers.

Figure 1

A Firewall Example

C:\Documents and Settings\roger\桌面\firewall_diag.gif

(Bleeping Computer, 2004)

Since the recent a few years, "software firewalls have come into use, and they pose a cost effective solution for many users, such as those with home or small office broadband networks" (Daugherty, 2005). In that case, no matter what kind of firewalls you have, the objective is the same -protecting your properties. It functions like the door of your apartment, and without your permission, no one should be able to go through that door. Next, I will introduce a few mainstream firewalls, and do a comparison among them.

Introduction of the Three Different Firewalls

Cisco Secure PIX Firewall

Cisco in the world of networking is like Microsoft in the world of operation systems. Cisco PIX is a series of Cisco products. Cisco PIX was one of the first products in the firewall market. They are popular IP firewalls and NAT (network address translation) appliances.

Cisco Secure PIX Firewall is a combination of hardware and software. It is able to hide the entire intranet from the dangerous outside world. Cisco PIX has several different series, for example, Cisco PIX 501, Cisco PIX 515, Cisco PIX 525, Cisco PIX 535 and so on. The bigger the number is, the newer the firewall is, and it will be more powerful, and it also will be more processor intense. In Table 1, we can have an overall idea about Cisco PIX series firewalls.

Table 1

Cisco PIX Series











CPU speed

133 MHz

433 MHz

600 MHz

1 GHz

Default RAM

16 MB

64 (128) MB

128 (256) MB

512 (1024) MB

There are two ways to manage Cisco Secure PIX Firewall. The first one is through command line interface (CLI), and we can access CLI by the serial console, or remotely by protocols like SSH or telnet. SSH is recommended, since it is more secure than telnet. The second way to manage PIX is through graphical user interface (GUI) which is provided by programs like PIX Firewall Manager (PFM), PIX Device Manager (PDM), or Adaptive Security Device Manager (ASDM), depend on the different versions of PIX OS (PIX operating system). A PIX OS is custom-written proprietary, and it was called Finesse.

Figure 2 demonstrates how a common Cisco Secure PIX Firewall works. In this figure, the firewall plays the role of a safe guard to observe and control the traffic flow among the internal network, external network, and the DMZ (demilitarized zone).

Figure 2

How Cisco PIX Works

C:\Documents and Settings\roger\桌面\configuring_pix_firewall.jpg


According to Newman (2003), the basic functions of Cisco PIX Firewalls include "Embedded operating system, Adaptive Security Algorithm (ASA), cut-through proxy, Virtual private network (VPN) support, URL filtering control, and hot standby failover capabilities." The Embedded OS is able to provide a certain level of speed and some protection. ASA is the core of Cisco PIX Firewalls. It provides controlling and stateful inspection for the traffic flow, and it also provides some extra security, since it is able to "[randomize] the TCP sequence numbers of outgoing packets in an effort to make them more difficult to predict by hackers" (Newman, 2003). The feature of Cut-through proxy makes Cisco PIX Firewalls have the ability of authentication, which means a PIX Firewall can control who is able to across. So, a user is required to have a valid combination of username and password to access the system. A VPN creates secure tunnels from point to point in a network.

Only devices with the correct 'key' will be able to work within the VPN. The VPN network can be residing within a normal company LAN (Local Area Network), and/or over public networks such as Internet. VPN also allow for different sites to be connected together over Internet in save and secure way. Another common use is for travelers to use VPN when connecting their laptop from a hotel room to the corporate network. (

Cisco PIX Firewalls support two kinds of VPNs, remote-access VPNs and site-to-site VPNs. Those main protocols which they are able to support include Internet Protocol Security (IPSec), Point to Point Tunneling Protocol (PPTP), and Layer 2 Tunneling Protocol (L2TP). Cisco PIX firewalls' URL filtering feature also has an advanced function which is content filtering. That allows those firewalls to capture WWW requests, so the user traffic will be monitored. About the feature of hot standby failover, "hot standby means that this failover occurs without the need for a power reset that other systems can require. This failover capability helps provide a fault-tolerant firewall system with reduced human intervention" (Newman, 2003). And also according to Newman (2003), "failover is the capability to link two PIX firewalls together, creating an active and a standby failover configuration. If the active firewall fails, the standby firewall assumes the IP and MAC addresses of the once-active, failed firewall".

Checkpoint Firewall-1

Checkpoint FW-1 was developed by Check Point Software Technologies. It is "the industry's leading firewall solution, delivering the most secure line of defense. Using INSPECT, the most adaptive and intelligent inspection technology, FireWall-1 integrates both network and application-layer firewall protection" (Check Point, n.d.). Checkpoint FireWall-1 has a powerful tool - FireWall-1's Inspection Module, which is able to analyze packet flow and extract relevant information about the communications and applications. This module is also able to learn those protocols and applications. According to Goncalves (2000), this module is in the operation system kernel, "below the Network layer, at the lowest software level. By inspecting communications at this level, FireWall-1 can intercept and analyze all packets before they reach the operating systems. No packet is processed by any of the higher protocol layers unless FireWall-1 verifies that it complies with the enterprise security policy (p.423).

Checkpoint FireWall-1's stateful inspection is able to track and control following things: the information from all those layers in a packet, those states from previous communications, states from other applications, and also, the evaluation based on previous three factors will be provided. Comparing Checkpoint FireWall-1's stateful inspection with traditional firewall structures, traditional firewall structures have poor security and cannot screening above network layer. For example, for common packet filtering, FTP filtering for instance, packet filters will either leave every single port which are greater than 1023 to open, or shut down all those ports, and the latter option will obviously block all the other services. And another traditional firewall structure is application layer gateways, which will provide better security than packet filtering does, but has terrible scalability, since the client/server model will be broken.

Checkpoint FW-1's stateful inspection has a unique INSPECT Engine, which controls the traffic between networks. There are three major advantages of Checkpoint FW-1's INSPECT Engine. First, it is dynamically loaded into the OS kernel between Layer2 and Layer3, which "imposes negligible overhead in processing. Also, no context switching is required, and low-latency operation is achieved" (Goncalves, 2000). Second, Checkpoint FW-1's INSPECT Engine uses some great techniques like caching and hash tables, and this technique can be used to "unify multiple object instances and to efficiently access data" (Goncalves, 2000). The last one is that the "generic and simple inspection mechanisms are combined with a packet inspection optimizer, which ensures optimal utilization of modern CPU and OS designs" (Goncalves, 2000).

NetScreen Firewalls

The operating system which NetScreen Firewalls use is called ScreenOS, and it can provide a GUI to operate the firewall. "NetScreen combines a purpose-built hardware platform with custom Application Specific Integrated Circuits (ASICs) and a finely tuned real-time operating system to achieve wirespeed firewalling without sacrificing security"(NetScreen Technologies Inc., n.d.a). NetScreen offers a series of firewall, and the following Table 2 provides summary information about these firewalls.

Table 2

NetScreen Firewalls Series

C:\Documents and Settings\roger\桌面\QQ截图未命名.bmp

(NetScreen Technologies Inc., n.d.)

NetScreen Firewalls support three different operation modes, and they are transparent mode, network address translation (NAT) mode, and route mode. The default mode is the transparent mode. In transparent mode, "[packets] that originate from the trusted network are not changed as they pass through the firewall ports. The firewall is transparent to systems communicating through it when acting as a layer 2 switch" (Bayley, 2002). NetScreen Firewalls routes at network layer in the NAT mode. All the packets coming from trusted network to the untrusted networks will be modified. According to Bayley (2002), "[the] trusted host IP address is always mapped to the untrusted public IP address. The trusted IP addresses are thereby hidden by the firewall. In NAT mode, the source port is also modified using PAT or port address translation. The original source port is changed to a random source port generated." NetScreen firewalls will control traffic at network layer in the route mode. Also, some public IP addresses will be required for both trusted and untrusted ports. Additionally, addresses of trusted network will not be modified when these packets exiting the untrusted networks.

Comparison among Three Different Firewalls

In this section I will provide a comparison among Cisco Secure PIX, Checkpoint FireWall-1, and NetScreen Firewalls from several different perspectives include hardware, software, configuration, performance, pricing, flexibility, and so on. I will use Cisco PIX 535 as a Cisco firewall example and NetScreen-5200 for NetScreen, since they are fairly advanced products.

Hardware & Software

According to (n.d.), Cisco PIX 535 (see Figure 3) has two single port 10/100 PCI card interfaces, and nine expansion PCI slots. Among those PCI slots, four of them are 66 MHz and five of them are 33 MHz. One power supply is offered, and they also offer an option for a DC power supply. Cisco PIX 535 has two software options: restricted software license and unrestricted software license. For the former one, it has 512 MB RAM and up to eight interfaces; for the latter one, it has 1 GB RAM and up to ten interfaces, and a fail-over software option.

Figure 3

Cisco PIX 535 Security Appliance Front & Back

C:\Documents and Settings\roger\桌面\148993.jpg

C:\Documents and Settings\roger\桌面\148994.jpg


Checkpoint FireWall-1 is a software-based firewall. It can be supported on various platforms, include HP-PA-RISC 700/800, Sun SPARC, and Intel x86 and Pentium. FireWall-1 can run on different OS, include different editions of Unix, Microsoft Windows, IBM AIX, SunOS and so on. It requires 20 MB disk space and 16-32 MB memory. It could be managed by Cisco IOS and Bay Networks, but not required.

NetScreen-5200 (Figure 4) has two slots, one for management and one for a secure port, "in a 2U (rack unit) high chassis. It is ideally suited for applications requiring a small number of ports (8 or 26) with high throughput, especially where space is a concern. The NetScreen-5200 has a throughput of up to 4 Gbps of Firewall and 2 Gbps of 3DES VPN processing"(NetScreen Technologies Inc. n.d.b). It also has two power supplies for power redundancy.

Additionally, since hardware-based firewalls have their own processors, they are normally boot faster than software-based firewalls, and that means Checkpoint FireWall-1 will boot slower than Cisco PIX 535 and NetScreen-5200.

Figure 4


G:\firewall\Netscreen防火墙资æ-™å…‰ç›˜\NetScreen防火墙资æ-™å…‰ç›˜ï¼ˆV1)\Part II 产品资æ-™\Icon & Photo\ns5200_rgb.JPG



According to Roble Systems Consulting (2001), "Cisco's documentation is often conflicting, fails to explain which version of the PIX OS a certain configuration will or will not work under, and seems to be constantly changing. Admins who need to setup multiple VPNs and lack an in depth understanding of IPsec should consider FW-1 despite the high price of Checkpoint VPN modules". So, configuring Checkpoint FireWall-1 is much easier than configuring Cisco Secure PIX 535. Configuring NetScreen-5200 can be done through ScreenOS, which is not that complicated either.

Performance & Capacity

Cisco PIX 535 supports up to 1.7 Gbps firewall performance, and support 168-bit 3DES IPSec VPN with up to 425 Mbps throughput with VAC+ or 100 Mbps with VAC. According to (n.d.), it also support 128-bit AES IPSec VPN with up to 495 Mbps throughput with VAC+, and 256-bit AES IPSec VPN with up to 425 Mbps throughput with VAC+. Cisco PIX 535 supports up to 2,000 simultaneous VPN tunnels.

Checkpoint FireWall-1 supports up to 1.67 Gbps firewall performance, and supports 168-bit 3DES IPSec VPN with up to 137 Mbps throughput.

NetScreen-5200 supports up to 4 Gbps firewall performance, 1 million concurrent sessions, and supports 3DES IPSec VPN with up to 2 Gbps throughput. Also, NetScreen-5200 supports up to 25,000 IPSec tunnels. (NetScreen, 2003)


According to NetScreen Technologies Inc. (2002a), Cisco "PIX 535 includes the unrestricted bundle ($59,000), a second AC power supply ($2,500), four GBIC cards ($3,000 each) and the 3DES license ($1,000)", and the total price will be $74,500.

About NetScreen-5200, "configuration includes 8 GigE secure port module, two AC power supplies, full ScreenOS software, and zero virtual systems" (NetScreen Technologies Inc., 2002a), and that will be $99,000 totally.

For Checkpoint FireWall-1, "Check Point firewall/VPN license for 250 IP addresses ($49,995 + $10,995) 4 built-in 10/100 interfaces, 4 GBIC interface modules ($12,000), VPN accelerator card ($2,000), second AC power supply ($1,900). Does not include Unlimited user license, HA or FloodGate licenses" (NetScreen Technologies Inc., 2002b), and the total price is $76,890.


Here is a table (Table 3), which can provide an overall idea about the comparison among Cisco Secure PIX, Checkpoint FireWall-1, and NetScreen Firewalls.

Table 3

Firewall Comparison

Cisco PIX 535


Checkpoint FireWall-1

Max firewall performance

1.7 Gbps (less under varying session loads or packet loss thresholds)

4 Gbps

1.67 Gbps

Small packet firewall performance

~129 Mbps, NAT

performance unknown

2.4 Gbps, 1.6 Gbps with NAT

175 Mbps, NAT performance unknown

Max 3DES/SHA-1 VPN performance

110 Mbps

2 Gbps

137 Mbps with accelerator card

Small packet 3DES/SHA-perf.

~29 Mbps

700 Mbps (1.2 Gbps with


14 Mbps

New TCP sessions per second







license req. & accelerator card

VPN Tunnels




Redundant, hot swappable DC or AC power supplies




Transparent mode option




IP addresses supported



Licensing through Check Point


Configured List Price




(Resources from


In this research paper, I introduced three major firewalls from three different vendors briefly. And I also compared each firewall with each other from several perspectives. Among these firewalls, NetScreen-5200 is a really powerful and has some cool features, but the entire company was sold. Right now, NetScreen is just a part of Jupiter Networks. But those technologies and firewalls still exist.

Checkpoint FireWall-1 is the only one based on software, and it is very popular. According to Roble Systems Consulting (2001), "Checkpoint FW-1 has been the firewall market leader since shortly after its introduction in 1994/95. Its well designed GUI interface was, and still is, the best visual interface to any firewall product. This intuitive interface makes FW-1 easy to work with even for those new to firewalls." But there is a drawback: we have to use that GUI, and there is no command line access.

As far as I can see, it looks like that Cisco Secure PIX 535 is not that "cool" as the other two. Maybe there are some features which I have no knowledge about. Also, Cisco is a great company, and I know they already have some new powerful products out there which I haven't look into yet. But everyone is working on something. It's a competitive world after all. Anyway, I need to know more about all kinds of firewalls, for my study and future career path.