Firewall Technologies and the Cisco Security Appliance
Secure Real-Time Embedded System
Unlike most firewalls, Cisco Security Appliance using Software Version 7.0 or greater runs
on a single, proprietary, embedded system. Whereas most firewalls run a firewall application
over a general-purpose operating system, the Security Appliance has a single system that is
responsible for operating the device. This single system is beneficial for the following reasons:
■ Better security—A Cisco Security Appliance operating environment is a single system
that was designed with functionality and security in mind. Because there is no separation
between the operating system and the firewall application, there are no known
vulnerabilities to exploit.
■ Better functionality—The combined operating environment requires fewer steps when
you configure the system. For example, if multiple IP addresses are bound to the external
interface of an application firewall that runs over a general operating system, you must
configure the networking portions (that is, Address Resolution Protocol [Proxy ARP]
entries and routing) on the operating system and then apply the ACLs or rules in the
firewall application. On the Cisco Security Appliance, all these functions are combined
into a single system. As soon as an IP address is bound to an interface, the PIX Firewall
automatically replies to ARP requests for that address without it having to be specifically
configured.
■ Better performance—Because the operating environment is a single unit, it allows for
streamlined processing and much greater performance. The Cisco PIX 535 Firewall can
handle 500,000 concurrent connections while maintaining stateful inspection of all
connections.