Getting Started with the PIX Security Appliance
Security levels

The security level designates whether an interface is trusted (and more protected) or untrusted (and less protected) relative to another interface. An interface is considered trusted in relation to another interface if its security level is higher than that of the other interface, and untrusted in relation to it if its security level is lower.

The primary rule for security levels is that an interface with a higher security level can access an interface with a lower security level. Conversely, an interface with a lower security level cannot access an interface with a higher security level unless an access control list (ACL) explicitly permits the traffic. Security levels range from 0 to 100. The rollover text in the figure documents the specific rules for these security levels.

The following are examples of different interface connections between the PIX Security Appliance and other perimeter devices:

  • Higher security level interface to a lower security level interface – For traffic originating from the inside interface of the PIX with a security level of 100 to the outside interface of the PIX with a security level of 0, all IP-based traffic is allowed unless it is restricted by ACLs, authentication, or authorization.
  • Lower security level interface to a higher security level interface – For traffic originating from the outside interface of the PIX with a security level of 0 to the inside interface of the PIX with a security level of 100, all packets are dropped unless specifically allowed by an access-list command. The traffic can be restricted further if authentication and authorization are used.
  • Same security level interface to a same security level interface – No traffic flows between two interfaces with the same security level.
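The three rules above can be checked mechanically against a configuration. The following is an added example written for this page, not Cisco code and not part of the original material: it parses a small, constructed PIX-style configuration (the interface names, addresses and the ACL name `outside_in` are assumptions chosen for illustration), then decides whether a given flow between two interfaces is allowed. An ACL bound inbound on the ingress interface decides with first-match semantics and an implicit deny at the end; without an ACL, the higher-to-lower rule applies; equal levels never pass traffic. Address translation is not modelled, since the page does not discuss it.

```python
"""Model of how a PIX security appliance decides whether a flow between two
interfaces is allowed, from interface security levels and inbound ACLs.

Added example for this page, not Cisco code. SAMPLE_CONFIG is a constructed
PIX 6.x-style configuration; interface names, addresses and the ACL name
are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration (not from the page).
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 partner security50
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-list outside_in deny ip any any
access-group outside_in in interface outside
"""


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: Optional[int]
    dst_port: Optional[int]


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str = "ip"
    dst_port: Optional[int] = None
    src_port: Optional[int] = None


@dataclass
class PixConfig:
    levels: Dict[str, int]         # interface name -> security level
    acls: Dict[str, List[Rule]]    # ACL name -> rules in configured order
    bindings: Dict[str, str]       # interface name -> ACL applied inbound


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one PIX address spec (any | host A | A MASK) at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq PORT' operator at t[i]."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_config(text: str) -> PixConfig:
    """Read nameif / access-list / access-group lines into a PixConfig."""
    cfg = PixConfig(levels={}, acls={}, bindings={})
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":            # nameif <hw> <name> security<N>
            cfg.levels[t[2]] = int(t[3][len("security"):])
        elif t[0] == "access-list":     # access-list <name> <permit|deny> <proto> <src> [eq P] <dst> [eq P]
            name, action, proto = t[1], t[2], t[3]
            src, i = _parse_addr(t, 4)
            src_port, i = _parse_port(t, i)
            dst, i = _parse_addr(t, i)
            dst_port, i = _parse_port(t, i)
            cfg.acls.setdefault(name, []).append(
                Rule(action, proto, src, dst, src_port, dst_port))
        elif t[0] == "access-group":    # access-group <name> in interface <iface>
            cfg.bindings[t[4]] = t[1]
    return cfg


def _matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow matches every field the rule constrains."""
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src_ip) not in rule.src:
        return False
    if ipaddress.ip_address(flow.dst_ip) not in rule.dst:
        return False
    if rule.src_port is not None and rule.src_port != flow.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    return True


def flow_permitted(cfg: PixConfig, src_if: str, dst_if: str,
                   flow: Flow) -> Tuple[bool, str]:
    """Decide whether a flow entering src_if and leaving dst_if is allowed.

    1. Equal security levels never pass traffic.
    2. An ACL bound inbound on the ingress interface decides: first matching
       rule wins, and anything unmatched hits the implicit deny.
    3. Otherwise higher -> lower is allowed and lower -> higher is dropped.
    """
    src_lvl, dst_lvl = cfg.levels[src_if], cfg.levels[dst_if]
    if src_lvl == dst_lvl:
        return False, f"same security level ({src_lvl}) on {src_if} and {dst_if}"
    acl_name = cfg.bindings.get(src_if)
    if acl_name is not None:
        for n, rule in enumerate(cfg.acls[acl_name], 1):
            if _matches(rule, flow):
                return rule.action == "permit", f"ACL {acl_name} line {n}: {rule.action}"
        return False, f"ACL {acl_name}: implicit deny"
    if src_lvl > dst_lvl:
        return True, f"higher ({src_lvl}) to lower ({dst_lvl}): allowed by default"
    return False, f"lower ({src_lvl}) to higher ({dst_lvl}): no ACL permits it"


CFG = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    cases = [
        ("inside", "outside", Flow("10.0.0.5", "198.51.100.5", "tcp", 443)),
        ("outside", "inside", Flow("203.0.113.7", "192.0.2.10", "tcp", 80)),
        ("outside", "inside", Flow("203.0.113.7", "192.0.2.10", "tcp", 22)),
        ("dmz", "inside", Flow("172.16.1.5", "10.0.0.5", "tcp", 445)),
        ("dmz", "partner", Flow("172.16.1.5", "172.16.2.5", "tcp", 80)),
    ]
    for src_if, dst_if, flow in cases:
        ok, why = flow_permitted(CFG, src_if, dst_if, flow)
        print(f"{src_if:>8} -> {dst_if:<8} {flow.proto}/{flow.dst_port}: "
              f"{'PERMIT' if ok else 'DROP'} ({why})")
```

Note that once an ACL is bound to an interface, its implicit deny applies to everything entering that interface, including traffic from a higher to a lower security level that would otherwise have been allowed by default; that is why the outside ACL in the sample ends with an explicit `deny ip any any` only for readability.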
NOTE: The PIX Security Appliance can support up to fourteen interfaces, depending on the model and license.