Virtual Firewall
Beginning with PIX Firewall Version 7.0, you can logically partition a single PIX firewall into multiple logical PIX firewalls. Each logical PIX firewall can have its own security policy and administration control. This logical PIX firewall is called a Security Context, which is discussed next.
Security Context
Depending on your type of platform and the license, you can have up to 50 security contexts on the PIX, which means you can create up to 50 logical PIXen out of a single PIX firewall. As mentioned before, each security context is an independent firewall with its own security policy, interfaces, and administrators. Almost all the required features to provide the firewalling are possible with multiple contexts: firewall features, IPS, and management, to name a few. Note, however, that with multiple mode some of the features are not supported, including VPN (you can still establish VPN for management purposes only), Web VPN, Dynamic Routing protocols, and Multicast.
As soon as you convert the PIX firewall from single to multiple mode, it creates the system resource space and the admin context:
-
System Resource After converting into multiple mode, when you log in to the PIX, you are taken to the System Resource space. From System Resource, the system administrator adds and manages contexts. The System Resource configuration identifies basic settings for the PIX firewall. The system Resource space does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses the admin context, which can have interface and network connectivity.
-
Admin Context The admin context is created as soon as you convert the PIX firewall into multiple mode. It is just like any other context, except that users for admin context can access system administrator rights and can access the system and all other contexts. Typically, the admin context provides network access to network-wide resources, such as a syslog server or a context configuration server.
-
User Security Context Apart from the admin context, you can create an individual security context. The limit is up to 50 based on your PIX model. Each security context is just like a single PIX firewall.
How the Virtual Firewall Works
When PIX operates in multiple context mode, each packet that enters the PIX firewall must be classified, so that the PIX can determine to which context it should send a packet. This is the job of a component of the PIX software called classifier. To classify the packets, the classifier goes through the following order to check with the destination IP address of the packet:
1. | Context Interface IP Address If the destination address of the packet is the interface IP address of the context (for instance, outside the interface IP address of a context) that means the packet is for a specific context, hence the classifier marks the packet for that context. An example of these types of packets is an SSH connection to a specific context to mange the context. |
2. | Source Interface (VLAN) If the destination address of the packet is not one of the interface IP addresses of the context, the next check is performed based on the source VLAN of the packet. For example, if Ethernet 1 and Ethernet 2 interfaces are connected to VLAN100 and VLAN200, respectively, and if these interfaces are mapped to the context 1 and context 2, when the packet enters into PIX through Ethernet 1, the classifier will forward the packet to context 1, which is obvious. To make it little more complex, assume that Ethernet 1 is configured as trunks for VLAN100 and VLAN200, and VLAN100 is mapped to context1 and VLAN200 is mapped to context 2. With this setup, if the packet reaches to the PIX using VLAN 200, the classifier will forward the packet to context 2. Figure 3-7 shows an example to illustrate this point.
Figure 3-7. Source VLAN Varies with Multiple Contexts
This example shows VLAN 10, 20, and 30 mapped to separate contexts, so for outbound traffic; the classification will be made based on these sources' VLAN. Note that the PIX inside interface can be configured as a trunk for these VLANs, and then mapped to the individual VLAN to the respective contexts. For example, VLAN 10 should be mapped to Context A. For return traffic, the classifier would already know which context the return traffic belongs to. Even though the outside VLAN 500 is shared for the outside interface across all three contexts, the classifier builds up the knowledge base on which context the return packet should belong to based on the source address translation of the initial outbound traffic. |
3. | Destination Address If the packet is not destined for the interface IP address of any context, and if the source VLAN of the packet is shared as shown in Figure 3-8 for the inbound connection, the classifier makes the decision on which context the packet needs to be forwarded based on the destination IP address.
Figure 3-8. VLAN Sharing with Multiple ContextsTherefore, PIX classifier needs to have the knowledge of the destination network for each context. The classifier learns this destination network based on the translation configured on the contexts. Figure 3-8 illustrates this point. |
For inbound traffic initiated from outside, the classifier looks only at static statements where the global interface matches the source interface of the packet. So in Figure 3-6, to allow the inbound connection initiated from outside, configure static NAT on each classifier for the inside network.