Device Options
Finesse Operating System

Finesse is the Cisco proprietary real-time operating system that runs directly on the hardware of the PIX Security Appliance and the Adaptive Security Appliance. It is a non-UNIX, non-Windows NT, and IOS-like operating system.

Use of Finesse eliminates the risks associated with general-purpose operating systems. It enables the PIX Security Appliance to deliver outstanding performance with up to 1,000,000 simultaneous connections, depending on the model. This number is significantly greater than that of any software-based firewall.

The Adaptive Security Algorithm
The heart of the security appliances is the Adaptive Security Algorithm (ASA). The ASA maintains the secure perimeters between the networks controlled by the security appliance. The stateful, connection-oriented ASA design creates session flows based on source and destination addresses. It randomizes TCP sequence numbers, port numbers, and additional TCP flags before completion of the connection. This function is always in operation, monitoring return packets to ensure they are valid, and it allows one-way, inside-to-outside connections without an explicit configuration for each internal system and application. TCP sequence numbers are randomized to minimize the risk of a TCP sequence number attack. Because of the ASA, the security appliance is less complex and more robust than a firewall designed around packet filtering.

Stateful packet filtering is a secure method of analyzing data packets that places extensive information about a data packet into a table. Each time an inbound or outbound TCP connection is established through the security appliance, the information about the connection is logged in a stateful session flow table. For a session to be established, information about the connection must match information stored in the table. With this methodology, the stateful filters work on connections and not on individual packets, making it a more stringent security method with its sessions immune to hijacking.
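The session-table behaviour described above, as an added example rather than Cisco's implementation: a simplified Python model that logs an outbound connection, offsets its initial sequence number by a random value, and checks return packets against the table. The `Packet` and `FlowTable` names, the field layout and the state names are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, replace

MOD = 2**32  # TCP sequence numbers are 32-bit and wrap

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str             # "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    seq: int = 0
    ack: int = 0
    inbound: bool = False  # True when the packet arrives on the outside interface

class FlowTable:
    """Toy session flow table: inside hosts may open connections, outside hosts may not."""

    def __init__(self):
        self.flows = {}  # (inside ip, inside port, outside ip, outside port) -> flow state

    def process(self, p):
        """Return (verdict, packet as forwarded); dropped packets forward None."""
        if not p.inbound:
            key = (p.src, p.sport, p.dst, p.dport)
            flow = self.flows.get(key)
            if flow is None:
                if p.flags != "S":
                    return "drop", None  # no session, and not the start of one
                # New outbound session: non-zero random offset hides the host's own ISN
                offset = secrets.randbelow(MOD - 1) + 1
                flow = self.flows[key] = {"offset": offset, "state": "SYN_SENT",
                                          "expect_ack": (p.seq + offset + 1) % MOD}
            return "permit", replace(p, seq=(p.seq + flow["offset"]) % MOD)
        # Inbound: only packets that match a logged session are considered
        flow = self.flows.get((p.dst, p.dport, p.src, p.sport))
        if flow is None:
            return "drop", None  # unsolicited outside-to-inside traffic
        if flow["state"] == "SYN_SENT":
            if p.flags != "SA" or p.ack != flow["expect_ack"]:
                return "drop", None  # reply does not acknowledge the randomized ISN
            flow["state"] = "ESTABLISHED"
        # Translate the acknowledgement back into the inside host's own numbering
        return "permit", replace(p, ack=(p.ack - flow["offset"]) % MOD)
```

A reply that acknowledges the inside host's original sequence number, rather than the randomized one the outside peer actually saw, fails the table check and is dropped.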

Stateful packet filtering performs the functions shown in Figure .