Cut-Through Proxy
Cut-through proxy is a feature on the Cisco Security Appliance that allows transparent AAA services and a seamless connection through the firewall to the destination. It provides significantly better performance than application-proxy firewalls because it completes user authentication at the application layer, verifies authorization against the security policy, and then opens the connection as authorized by the security policy. In other words, the connection request needs to go up to the application layer only once to be authorized. After that, all authorized traffic is passed at the lower layers, dramatically increasing the rate at which it can pass through the firewall.
There are four ways to connect to the Cisco PIX Firewall and activate the cut-through proxy:
■ HTTP
■ FTP
■ Telnet
■ SSH
The firewall responds to each of these connections with a username and password prompt. Figure 17-1 shows the Telnet user authentication prompt. The user information is either authenticated against a local database on the PIX Firewall or forwarded to an AAA server for authentication. After the user is authenticated, the firewall completes the connection that is requested (if authorized).
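The following configuration is an added illustration of the behaviour described above and is not taken from the book. It uses PIX 7.x / ASA command syntax; the server group name CUTTHRU, the access-list name AUTH-TRAFFIC, the 10.1.1.0/24 inside network, the AAA server address 10.1.1.5 and the shared-secret placeholder are all assumptions. The four protocols in the access list are the four listed above.

```cisco
! AAA server group the firewall forwards the username/password to
! (TACACS+ shown; a RADIUS group is defined the same way)
aaa-server CUTTHRU protocol tacacs+
aaa-server CUTTHRU (inside) host 10.1.1.5
 key SHARED-SECRET-PLACEHOLDER

! Connections that must be authenticated before the firewall builds them through:
! the four protocols that can trigger the cut-through proxy prompt
access-list AUTH-TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet
access-list AUTH-TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list AUTH-TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list AUTH-TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq ssh

! Prompt for credentials on matching connections arriving on the inside interface
aaa authentication match AUTH-TRAFFIC inside CUTTHRU

! Bound how long a successful authentication stays cached for a source address:
! re-authenticate after 5 minutes regardless, or after 2 minutes of inactivity
timeout uauth 0:05:00 absolute
timeout uauth 0:02:00 inactivity
```

Once a user passes the prompt, the firewall caches the result in its uauth table keyed on the source address, which is what lets later packets from that host be forwarded at the lower layers without another trip to the application layer. The `timeout uauth` values therefore decide how long a host stays authorized after the user walks away, and `show uauth` lists the entries currently cached. On PIX 6.x software the equivalent trigger is `aaa authentication include <service> inbound <local_ip> <local_mask> <foreign_ip> <foreign_mask> <server_tag>` instead of `aaa authentication match`.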