The PIX Security Appliance gains dramatic performance advantages because of the
cut-through proxy. This is a method of verifying the identity of users at the
firewall and permitting or denying access to any TCP- or UDP-based application.
It eliminates the cost and performance impact that UNIX system-based proxy
firewalls impose in similar configurations, because the firewall inspects the
session at the application layer only for as long as authentication takes, and
it leverages the authentication and authorization services of the Cisco Secure
ACS.
The PIX Security Appliance cut-through proxy challenges a user initially at the
application layer, then authenticates the supplied credentials against standard
TACACS+, RADIUS, or local databases. After the policy is checked, the PIX shifts
the session flow: all subsequent traffic flows directly between the server and
the client, with the PIX maintaining only session state information rather than
proxying the application layer.
Cut-through proxy can intercept only FTP, Telnet, HTTP and HTTPS sessions to
prompt a user for credentials. The four authentication sessions behave as
follows:
- Telnet - The user gets a prompt generated by the PIX Security Appliance. The
user has up to four chances to log in. If the username or password fails after
the fourth attempt, the PIX drops the connection.
- FTP - The user gets a prompt from the FTP program. If the user enters an
incorrect password, the connection is dropped immediately.
- HTTP - The user sees a window generated by the web browser. If the user
enters an incorrect password, they are prompted again.
- HTTPS - The user gets a prompt generated by the PIX Security Appliance. The
user has up to three chances to log in. If the username or password fails after
the third attempt, the PIX drops the connection.
Keep in mind that browsers cache usernames and passwords. If the PIX Security
Appliance should be timing out an HTTP/HTTPS connection but does not appear to,
re-authentication may actually be taking place: when the authenticated-user
(uauth) entry expires, the PIX issues a new challenge, and the web browser
answers it silently with the cached username and password, so the user never
sees a prompt. If Telnet and FTP time out normally but HTTP/HTTPS connections do
not, this is usually the reason.
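Pulling the behaviour described above together (the interception of the four protocols, and the uauth timeout that the browser-caching note depends on), here is an added configuration example. It is not from the original page or from Cisco's own documentation; it assumes PIX 7.x command syntax, an inside network of 10.1.1.0/24, a TACACS+ server at 10.1.1.5, and made-up names (AUTHSRV, AUTH_TRAFFIC), a made-up shared key and a made-up virtual Telnet address.

```cisco
! Added example (not from the original page). Assumed: PIX 7.x syntax,
! inside network 10.1.1.0/24, TACACS+ server 10.1.1.5. Names, key and
! addresses are invented for illustration.

! 1. Define the AAA server group the cut-through proxy will query.
!    To authenticate against the local database instead, skip this
!    section and use LOCAL as the server tag in step 3.
aaa-server AUTHSRV protocol tacacs+
aaa-server AUTHSRV (inside) host 10.1.1.5
 key S3cr3tSharedKey
 timeout 10

! 2. Select the traffic that must be authenticated. Only Telnet, FTP,
!    HTTP and HTTPS can be intercepted, so these are the ports that
!    actually produce a credential prompt.
access-list AUTH_TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet
access-list AUTH_TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list AUTH_TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list AUTH_TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq https
! A protocol the PIX cannot prompt for (SMTP here) may still be listed;
! such connections are allowed only if a uauth entry already exists
! for the source address (see step 6).
access-list AUTH_TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq smtp

! 3. Enable cut-through proxy on the inside interface for that traffic.
aaa authentication match AUTH_TRAFFIC inside AUTHSRV

! 4. HTTP basic-auth credentials otherwise cross the wire in cleartext;
!    this delivers the HTTP challenge over HTTPS instead.
aaa authentication secure-http-client

! 5. Bound the lifetime of an authenticated-user (uauth) entry. The
!    absolute timer guarantees a fresh challenge at least every 5 minutes;
!    a browser that replays cached credentials will re-authenticate
!    silently at that point, which is the symptom described above.
timeout uauth 0:05:00 absolute
timeout uauth 0:02:00 inactivity

! 6. For non-interceptable applications, the user first telnets to this
!    virtual address, which the PIX answers itself; the resulting uauth
!    entry then satisfies the SMTP line in the access list.
virtual telnet 192.168.200.1

! Verification (exec mode):
!   show uauth             - authenticated users, source IPs, time remaining
!   clear uauth            - drop all entries; an HTTP session that continues
!                            without a visible prompt is replaying cached
!                            credentials, not bypassing authentication
!   show aaa-server AUTHSRV - state of the TACACS+ host
```

When testing the timeout behaviour, compare a Telnet session and a browser session side by side after `clear uauth`: the Telnet user is prompted again, while a browser that has cached the credentials re-authenticates without any visible prompt, and `show uauth` shows the new entry.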