A single PIX Security Appliance can be partitioned into multiple virtual
firewalls, known as security contexts. Each context is an independent firewall,
with its own security policy, interfaces, and administrators. Multiple contexts
are similar to having multiple stand-alone PIX Security Appliances.
Each context has its own configuration that
identifies the security policy, interfaces, and almost all the options that can
be configured on a stand-alone PIX Security Appliance. If desired, individual
context administrators can be allowed to implement the security policy on the
context. Some resources are controlled by the overall system administrator,
such as VLANs and system resources, so that one context cannot affect other
contexts inadvertently.
The system administrator adds and manages contexts by configuring them in
the system configuration, which identifies basic settings for the PIX Security
Appliance. The system administrator has privileges to manage all contexts. The
system configuration does not include any network interfaces or network
settings for itself. Instead, when the system needs to access network
resources, such as downloading context configurations from a server, it uses
one of the contexts, which is designated as the admin context.
The admin context is
just like any other context, except that when a user logs into the admin
context, for example, over an SSH connection, then that user has system
administrator rights, and can access the system execution space and all other
contexts. Typically, the admin context provides network access to network-wide
resources, such as a syslog server or context configuration server.
Multiple security contexts can be considered for use in the situations
listed in Figure.
In the example in Figure, a service provider is using a single PIX Security
Appliance divided into multiple contexts to deliver the same service as
multiple stand-alone small PIX units. By enabling multiple security contexts
on the PIX, the service provider can implement a cost-effective, space-saving
solution that keeps all customer traffic separate and secure, and also eases
configuration.
Each context has its own configuration file that identifies the security
policy, interfaces, and almost all the options that can be configured on a
stand-alone PIX Security Appliance. Context configurations can be stored on
the local disk partition on the Flash memory card, or they can be downloaded
from a TFTP, FTP, or HTTP(S) server.
In addition to individual security contexts, the firewall appliance also
includes a system configuration that identifies basic settings for the
firewall appliance, including a list of contexts. Like the single mode
configuration, this configuration resides as the "startup" configuration in
the flash partition.
Each packet that enters the PIX Security Appliance must be classified, so
that the PIX can determine which context to send the packet to. The PIX
checks for the following characteristics:
- Source interface (the source VLAN)
- Destination address
The PIX Security Appliance uses the characteristic that is unique and
not shared across contexts. For example, if a VLAN is shared across contexts,
then the classifier uses the IP address. A VLAN interface can be shared so long
as each IP address space on that VLAN is unique, or overlapping IP addresses
can be used so long as the VLANs are unique. The example in Figure shows
multiple contexts sharing an outside VLAN, while the inside VLANs are unique,
allowing overlapping IP addresses.
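The two-step classification above (source VLAN first, destination address only when the VLAN is shared) and the sharing rule it depends on, modelled as an added example that is not PIX code or configuration; the context names, VLAN ids, address spaces and the function names `classify` and `check_shared_vlans` are all constructed for this illustration.

```python
# Toy model of the PIX multiple-context packet classifier described above.
# Hypothetical names (Context, classify, check_shared_vlans) and the sample
# contexts are constructed for this example; they are not PIX commands.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations
from typing import Dict, List, Optional


@dataclass
class Context:
    name: str
    # VLAN id -> destination address spaces this context owns on that VLAN
    vlans: Dict[int, List[str]]


def classify(contexts: List[Context], src_vlan: int, dst_ip: str) -> Optional[str]:
    """Return the name of the context a packet is sent to, or None if it is dropped."""
    # Step 1: the source VLAN is the first characteristic checked.
    candidates = [c for c in contexts if src_vlan in c.vlans]
    if not candidates:
        return None                      # VLAN not allocated to any context
    if len(candidates) == 1:
        return candidates[0].name        # a unique VLAN decides on its own
    # Step 2: the VLAN is shared, so the destination address must be unique.
    dst = ip_address(dst_ip)
    owners = [c for c in candidates
              if any(dst in ip_network(n) for n in c.vlans[src_vlan])]
    return owners[0].name if len(owners) == 1 else None


def check_shared_vlans(contexts: List[Context]) -> List[str]:
    """Report shared VLANs whose address spaces overlap (classification ambiguous)."""
    problems = []
    for a, b in combinations(contexts, 2):
        for vlan in a.vlans.keys() & b.vlans.keys():     # VLANs both contexts use
            for na in a.vlans[vlan]:
                for nb in b.vlans[vlan]:
                    if ip_network(na).overlaps(ip_network(nb)):
                        problems.append(f"vlan {vlan}: {a.name} {na} overlaps {b.name} {nb}")
    return problems


# Constructed sample: two customer contexts share outside VLAN 10 with unique
# address space, while their inside VLANs (20 and 30) are unique and therefore
# may reuse the same overlapping 10.1.1.0/24 inside addresses.
CONTEXTS = [
    Context("custA", {10: ["192.0.2.0/28"], 20: ["10.1.1.0/24"]}),
    Context("custB", {10: ["192.0.2.16/28"], 30: ["10.1.1.0/24"]}),
]
```

Running `check_shared_vlans` against a proposed context layout before loading it catches the one case the classifier cannot resolve: a shared VLAN with overlapping destination address spaces.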