Cisco PIX
==PIX==
=== History ===
PIX was originally conceived in early 1994 by John Mayes of Redwood City, California and designed and coded by [[Brantley Coile]] of Athens, Georgia. The PIX name is derived from its creators' aim of creating the functional equivalent of an [[IP PBX]] to solve the then-emerging registered [[IP address]] shortage. At a time when NAT was just being investigated as a viable approach, they wanted to conceal a block or blocks of IP addresses behind a single or multiple registered IP addresses, much as PBXs do for internal phone extensions. When they began, RFC 1597 and RFC 1631 were being discussed, but the now-familiar [[Private network|RFC 1918]] had not yet been submitted.

The design and testing were carried out in 1994 by John Mayes, Brantley Coile and Johnson Wu of Network Translation, Inc., with Brantley Coile being the sole software developer. Beta testing of PIX serial number 000000 was completed and first customer acceptance was on December 21, 1994 at KLA Instruments in San Jose, California. The PIX quickly became one of the leading enterprise firewall products and was awarded the Data Communications Magazine "Hot Product of the Year" award in January 1995.<ref>{{cite web |url=http://www.jma.com/The_History_of_the_PIX_Firewall/NTI_files/DataComm_Jan_1995.pdf| title=History of NTI and the PIX Firewall by John Mayes}}</ref>

Shortly before Cisco acquired Network Translation in November 1995, Mayes and Coile hired two longtime associates, Richard (Chip) Howes and Pete Tenereillo, and shortly after the acquisition two more longtime associates, Jim Jordan and Tom Bohannon. Together they continued development on Finesse OS and the original version of the Cisco PIX Firewall, now known as the PIX "Classic". During this time, the PIX shared most of its code with another Cisco product, the [[Cisco LocalDirector|LocalDirector]].

On January 28, 2008, Cisco announced the end-of-sale and [[end-of-life (product)|end-of-life]] dates for all Cisco PIX Security Appliances, software, accessories, and licenses. The last day for purchasing Cisco PIX Security Appliance platforms and bundles was July 28, 2008. The last day to purchase accessories and licenses was January 27, 2009. Cisco ended support for Cisco PIX Security Appliance customers on July 29, 2013.<ref>{{cite web |title = End of Sale for Cisco PIX Products |publisher=Cisco |date=2008-01-28 |url=http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/qa_eos_for_sale_for_cisco_pix_products_customer.html |accessdate= 2008-02-20}}</ref><ref>{{cite web |title=Cisco PIX 500 Series Security Appliances - Retirement Notification |publisher=Cisco |date = 2013-07-29 |url=https://www.cisco.com/c/en_intl/obsolete/security/cisco-pix-500-series-security-appliances.html |accessdate=2018-11-04}}</ref>

In May 2005, Cisco introduced the ASA, which combines functionality from the PIX, VPN 3000 series and [[Intrusion-prevention system|IPS]] product lines. The ASA series of devices run PIX code 7.0 and later. Through PIX OS release 7.x the PIX and the ASA use the same software images. Beginning with PIX OS version 8.x, the operating system code diverges, with the ASA using a Linux kernel and PIX continuing to use the traditional Finesse/PIX OS combination.<ref>{{cite web |url=http://www.cisco.com/en/US/docs/security/asa/asa80/license/opensrce.html |title=Cisco open source license page |accessdate=2007-08-21}}</ref>

=== Software ===
The PIX runs a custom-written proprietary [[operating system]] originally called Finesse (''Fast Internet Service Executive''), but {{as of |2014 |lc=on}} the software is known simply as PIX OS.

Though classified as a [[network layer firewall|network-layer firewall]] with [[stateful firewall|stateful inspection]], technically the PIX would more precisely be called a Layer 4, or Transport Layer, firewall, as its access control is not restricted to Network Layer routing but applies to socket-based connections (an IP address and a port; port communications occur at Layer 4). By default it allows internal connections out (outbound traffic), and only allows inbound traffic that is a response to a valid request or is allowed by an [[Access Control List]] (ACL) or by a ''conduit''.

Administrators can configure the PIX to perform many functions including [[network address translation]] (NAT) and [[port address translation]] (PAT), as well as serving as a [[virtual private network]] (VPN) endpoint appliance.

The PIX became the first commercially available firewall product to introduce protocol-specific filtering with the introduction of the "fixup" command. The PIX "fixup" capability allows the firewall to apply additional security policies to connections identified as using specific protocols. Protocols for which specific fixup behaviors were developed include DNS and SMTP. The DNS fixup originally implemented a very simple but effective security policy: it allowed just one DNS response from a DNS server on the Internet (known as the ''outside'' interface) for each DNS request from a client on the protected (known as the ''inside'') interface. "Inspect" has superseded "fixup" in later versions of PIX OS.

The Cisco PIX was also one of the first commercially available security appliances to incorporate [[IPSec]] VPN gateway functionality.

Administrators can manage the PIX via a [[command line interface]] (CLI) or via a [[graphical user interface]] (GUI). They can access the CLI from the serial console, telnet and [[Secure Shell|SSH]].

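The one-response-per-request behaviour described above for the DNS fixup can be modelled as a small state table. This is an added illustration, not PIX OS code: the match key (inside client, outside server, DNS transaction ID), the class and function names, and the sample addresses and packet headers are assumptions constructed for the example.

```python
import struct
from collections import Counter

def make_msg(txid, response):
    # Constructed sample: a bare 12-byte DNS header, no question section.
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, int(response), 0, 0)

def dns_header(payload):
    """Return (transaction_id, is_response) from a DNS message header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # QR bit set means response

class DnsFixupModel:
    """Simplified model: one inbound response per outbound request."""
    def __init__(self):
        # Assumed match key: (inside client, outside server, transaction id)
        self.pending = Counter()

    def outbound(self, client, server, payload):
        # Record a query leaving the inside interface; it opens one slot.
        txid, is_response = dns_header(payload)
        if not is_response:
            self.pending[(client, server, txid)] += 1

    def inbound(self, server, client, payload):
        """Return True if this packet from the outside may pass."""
        try:
            txid, is_response = dns_header(payload)
        except ValueError:
            return False  # malformed packets never match a request
        key = (client, server, txid)
        if not is_response or self.pending[key] == 0:
            return False  # unsolicited, or the slot was already used
        self.pending[key] -= 1  # the response consumes the request's slot
        return True

def demo():
    fw = DnsFixupModel()
    client, server = "10.0.0.5", "198.51.100.53"  # constructed addresses
    fw.outbound(client, server, make_msg(0x1A2B, False))
    reply = make_msg(0x1A2B, True)
    return [
        fw.inbound("203.0.113.9", client, reply),            # other server
        fw.inbound(server, client, make_msg(0x9999, True)),  # unknown id
        fw.inbound(server, client, reply),                   # expected reply
        fw.inbound(server, client, reply),                   # duplicate
    ]
```

Rejected packets do not consume the pending slot, so the legitimate reply still passes after the two mismatched ones, while the duplicate that follows it is dropped.
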
GUI administration originated with version 4.1, and it has been through several incarnations:<ref>{{cite web |url=http://www.cisco.com/warp/public/110/41.shtml#nine |title=FAQs for Cisco PFM | accessdate=2007-06-19}} </ref><ref> {{cite web |url=http://www.cisco.com/en/US/docs/security/pix/pix63/pdm30/installation/guide/pdm_ig.html |title=Documentation on Cisco PDM |accessdate=2007-06-19}} </ref><ref> {{cite web |url=http://www.cisco.com/en/US/products/ps6121/products_user_guide_book09186a00806aea58.html |title=Documentation on Cisco ASDM |accessdate=2007-06-19 |archiveurl=https://web.archive.org/web/20070616121501/http://www.cisco.com/en/US/products/ps6121/products_user_guide_book09186a00806aea58.html <!-- Bot retrieved archive --> |archivedate=2007-06-16}} </ref>
* PIX Firewall Manager (PFM) for PIX OS versions 4.x and 5.x, which runs locally on a Windows NT client
* PIX Device Manager (PDM) for PIX OS version 6.x, which runs over [[https]] and requires [[Java (programming language)|Java]]
* Adaptive Security Device Manager (ASDM) for PIX OS version 7 and greater, which can run locally on a client or in reduced-functionality mode over HTTPS.

Because Cisco acquired the PIX from Network Translation, the CLI originally did not align with the [[Cisco IOS]] syntax. Starting with version 7.0, the configuration became much more IOS-like.

=== Hardware ===
[[File:Cisco-PIX-515-hdr-0a.jpg|thumb|PIX 515 with top cover removed]]
The original NTI PIX and the PIX Classic had cases that were sourced from [[Original equipment manufacturer|OEM]] provider Appro. All flash cards and the early encryption acceleration cards, the PIX-PL and PIX-PL2, were sourced from Productivity Enhancement Products (PEP).<ref>{{cite web|url=http://www.jma.com/PIX_History/NTI_1994-1995_files/Manufacturing_Plan.jpg|title=Notes on PIX production}}{{Dead link|date=July 2019 |bot=InternetArchiveBot |fix-attempted=yes }}</ref> Later models had cases from Cisco OEM manufacturers.

The PIX was constructed using [[Intel]]-based/Intel-compatible motherboards; the PIX 501 used an [[Am5x86]] processor, and all other standalone models used Intel [[80486]] through Pentium III processors.

The PIX [[Bootstrapping|boots]] off a proprietary [[Industry Standard Architecture|ISA]] [[flash memory]] [[daughtercard]] in the case of the NTI PIX, PIX Classic, 10000, 510, 520, and 535, and it boots off integrated flash memory in the case of the PIX 501, 506/506e, 515/515e, 525, and WS-SVC-FWM-1-K9. The latter is the part code for the PIX technology implemented in the Firewall Services Module for the Catalyst 6500 and the 7600 Router.