Finesse Operating System
Finesse is the Cisco proprietary real-time operating system that runs directly on the hardware of the PIX Security Appliance and the Adaptive Security Appliance. It is a non-UNIX, non-Windows NT, and IOS-like operating system.
Use of Finesse eliminates the risks associated with general-purpose operating systems. It enables the PIX Security Appliance to deliver outstanding performance with up to 1,000,000 simultaneous connections, depending on the model. This number is significantly greater than that of any software-based firewall.
The Adaptive Security Algorithm
The heart of the security appliances is the Adaptive Security Algorithm (ASA). The ASA algorithm maintains the secure perimeters between the networks controlled by the security appliance. The stateful, connection-oriented ASA design creates session flows based on source and destination addresses. It randomizes TCP sequence numbers, port numbers, and additional TCP flags before completion of the connection. This function is always in operation, monitoring return packets to ensure they are valid, and allows one-way, inside-to-outside, connections without an explicit configuration for each internal system and application. The TCP sequence numbers are randomized to minimize the risk of a TCP sequence number attack. Because of the ASA algorithm, the security appliance is less complex and more robust than a firewall designed around packet filtering.
Stateful packet filtering is a secure method of analyzing data packets that places extensive information about a data packet into a table. Each time a TCP connection is established for inbound or outbound connections through the security appliance, the information about the connection is logged in a stateful session flow table. For a session to be established, information about the connection must match information stored in the table. With this methodology, the stateful filters work on the connections rather than on individual packets, making it a more stringent security method, with its sessions immune to hijacking.
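The session flow table and the per-connection sequence-number randomization described in the two paragraphs above, as an added Python model written for this page (it is not Cisco code and does not reproduce the real ASA implementation): inside hosts open flows, unsolicited outside packets are denied, and return traffic is permitted only when it matches an existing flow. The inside prefix, addresses and the way the random offset is applied to the seq/ack fields are constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace
import random

MOD = 1 << 32  # TCP sequence space wraps at 2^32


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    seq: int = 0
    ack: int = 0


class StatefulFirewall:
    """Toy session flow table: inside hosts may open flows to the outside;
    any other packet is permitted only if it matches an existing flow."""

    def __init__(self, inside_prefix, rng=None):
        self.inside_prefix = inside_prefix  # e.g. "10.0.0." marks the inside network (assumption)
        self.rng = rng or random.SystemRandom()
        # key: (src_ip, src_port, dst_ip, dst_port) -> random ISN offset for that flow
        self.flows = {}

    def _inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def process(self, pkt):
        """Return ("permit", rewritten_packet) or ("deny", None)."""
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.flows:  # inside -> outside on a known flow: randomize seq
            return "permit", replace(pkt, seq=(pkt.seq + self.flows[fwd]) % MOD)
        if rev in self.flows:  # return traffic: undo the offset on the ack field
            return "permit", replace(pkt, ack=(pkt.ack - self.flows[rev]) % MOD)
        # No table entry: only a SYN originating on the inside may create one.
        if pkt.syn and self._inside(pkt.src_ip) and not self._inside(pkt.dst_ip):
            off = self.rng.randrange(MOD)
            self.flows[fwd] = off
            return "permit", replace(pkt, seq=(pkt.seq + off) % MOD)
        return "deny", None  # unsolicited outside packet, or no matching flow


if __name__ == "__main__":
    fw = StatefulFirewall("10.0.0.")
    print(fw.process(Packet("203.0.113.5", 4444, "10.0.0.7", 22, syn=True)))  # denied
    print(fw.process(Packet("10.0.0.7", 40000, "203.0.113.5", 443, syn=True, seq=1000)))  # permitted
```

The outside peer only ever sees the offset sequence numbers, so a guess based on the inside host's own ISN does not line up with the flow the table is tracking.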
Stateful packet filtering performs the functions shown in Figure.