Cisco PIX

Cisco PIX (Private Internet eXchange) was a popular IP firewall and network address translation (NAT) appliance. It was one of the first products in this market segment.

In 2005, Cisco introduced the newer Cisco Adaptive Security Appliance (Cisco ASA), that inherited many of the PIX features, and in 2008 announced PIX end-of-sale.

The PIX technology was sold in a blade, the FireWall Services Module (FWSM), for the Cisco Catalyst 6500 switch series and the 7600 Router series, but has reached end of support status as of September 26, 2007.[1]

PIX

History

PIX was originally conceived in early 1994 by John Mayes of Redwood City, California and designed and coded by Brantley Coile of Athens, Georgia. The PIX name is derived from its creators' aim of creating the functional equivalent of an IP PBX to solve the then-emerging registered IP address shortage. At a time when NAT was just being investigated as a viable approach, they wanted to conceal a block or blocks of IP addresses behind a single or multiple registered IP addresses, much as PBXs do for internal phone extensions. When they began, RFC 1597 and RFC 1631 were being discussed, but the now-familiar RFC 1918 had not yet been submitted.

The design, and testing were carried out in 1994 by John Mayes, Brantley Coile and Johnson Wu of Network Translation, Inc., with Brantley Coile being the sole software developer. Beta testing of PIX serial number 000000 was completed and first customer acceptance was on December 21, 1994 at KLA Instruments in San Jose, California. The PIX quickly became one of the leading enterprise firewall products and was awarded the Data Communications Magazine "Hot Product of the Year" award in January 1995.[2]

Shortly before Cisco acquired Network Translation in November 1995, Mayes and Coile hired two longtime associates, Richard (Chip) Howes and Pete Tenereillo, and shortly after acquisition 2 more longtime associates, Jim Jordan and Tom Bohannon. Together they continued development on Finesse OS and the original version of the Cisco PIX Firewall, now known as the PIX "Classic". During this time, the PIX shared most of its code with another Cisco product, the LocalDirector.

On January 28, 2008, Cisco announced the end-of-sale and end-of-life dates for all Cisco PIX Security Appliances, software, accessories, and licenses. The last day for purchasing Cisco PIX Security Appliance platforms and bundles was July 28, 2008. The last day to purchase accessories and licenses was January 27, 2009. Cisco ended support for Cisco PIX Security Appliance customers on July 27, 2013.[3]

In May 2005, Cisco introduced the ASA which combines functionality from the PIX, VPN 3000 series and IPS product lines. The ASA series of devices run PIX code 7.0 and later. Through PIX OS release 7.x the PIX and the ASA use the same software images. Beginning with PIX OS version 8.x, the operating system code diverges, with the ASA using a Linux kernel and PIX continuing to use the traditional Finesse/PIX OS combination.[4]

Software

The PIX runs a custom-written proprietary operating system originally called Finese (Fast Internet Service Executive), but as of 2014 the software is known simply as PIX OS. Though classified as a network-layer firewall with stateful inspection, technically the PIX would more precisely be called a Layer 4, or Transport Layer Firewall, as its access is not restricted to Network Layer routing, but socket-based connections (a port and an IP Address: port communications occur at Layer 4). By default it allows internal connections out (outbound traffic), and only allows inbound traffic that is a response to a valid request or is allowed by an Access Control List (ACL) or by a conduit. Administrators can configure the PIX to perform many functions including network address translation (NAT) and port address translation (PAT), as well as serving as a virtual private network (VPN) endpoint appliance.

The PIX became the first commercially available firewall product to introduce protocol specific filtering with the introduction of the "fixup" command. The PIX "fixup" capability allows the firewall to apply additional security policies to connections identified as using specific protocols. Protocols for which specific fixup behaviors were developed include DNS and SMTP. The DNS fixup originally implemented a very simple but effective security policy; it allowed just one DNS response from a DNS server on the Internet (known as outside interface) for each DNS request from a client on the protected (known as inside) interface. "Inspect" has superseded "fixup" in later versions of PIX OS.

The Cisco PIX was also one of the first commercially available security appliances to incorporate IPSec VPN gateway functionality.

Administrators can manage the PIX via a command line interface (CLI) or via a graphical user interface (GUI). They can access the CLI from the serial console, telnet and SSH. GUI administration originated with version 4.1, and it has been through several incarnations:[5][6][7]

Examples of emulators include PEMU and Dynagen, and with NetworkSims.com ProfSIMs (Networksims) for a simulator.

Because Cisco acquired the PIX from Network Translation, the CLI originally did not align with the Cisco IOS syntax. Starting with version 7.0, the configuration became much more IOS-like. As the PIX only supports IP traffic (as opposed to IPX, DECNet, etc.), in most configuration commands "ip" is omitted. The configuration is upwards-compatible, but not downwards-compatible. When a 5.x or 6.x configuration is loaded on a 7.x platform, the configuration is automatically converted to 7.x formatting, as long as the configuration was using ACLs, versus conduits and "outbounds". This allows for an easy migration from PIX to ASA. PIX OS v7.0 is only supported on models 515, 515(E), 525 and 535. Although the 501 and 506E are relatively recent models, the flash memory size of only 8 MB prevents official upgrading to version 7.x, although 7.x can be installed on a 506E using monitor mode up to version 7.1(2). The 8 MB flash size only allows for installation of the PIX OS software, not the ASDM software (GUI). For the PIX 515(E) to run version >7.0, a doubling of the memory size is required (32->64 MB for restricted and 64->128 MB for Unrestricted/Failover licenses). A 515(E) UR/FO can run 7.0 with 64 MB memory installed, but that is not recommended as larger configuration and session/xlate tables can exceed the available memory.

Cisco ASA includes the capability of detecting and terminating connections via Dead Connection Detection (DCD).[8]

Hardware

PIX 515 with top cover removed

The original NTI PIX and the PIX Classic had cases that were sourced from OEM provider Appro. All flash cards and the early encryption acceleration cards, the PIX-PL and PIX-PL2, were sourced from Productivity Enhancement Products (PEP).[9] Later models had cases from Cisco OEM manufacturers.

The PIX was constructed using Intel-based/Intel-compatible motherboards; the PIX 501 used an AMD 5x86 processor, and all other standalone models used Intel 80486 through Pentium III processors. Nearly all PIXs used Ethernet NICs with Intel 82557, 82558, and 82559 network chipsets, but some older models are occasionally found with 3COM 3c590 and 3c595 Ethernet cards, Olicom-based Token-Ring cards, and Interphase-based FDDI cards.

Some Intel-based Ethernet cards for the PIX are identified at boot with the designation "mcwa" (Multi Cast Work Around). This designation denotes a multicast receive bug in the card's firmware.

Both the PIX 510 and 520 share basic components, such as motherboard, chassis, NICs, flash cards, etc., with the Cisco LocalDirector 416/420/430, the Service Selector Gateway 6510 (SSG-6510), and the Cisco Cache Engine CE2050, though the latter two run VxWorks, rather than a Finesse derivative.

The PIX boots off a proprietary ISA flash memory daughtercard in the case of the NTI PIX, PIX Classic, 10000, 510, 520, and 535, and it boots off integrated flash memory in the case of the PIX 501, 506/506e, 515/515e, 525, and WS-SVC-FWM-1-K9. The latter is the part code for the PIX technology implemented in the Fire Wall Services Module, for the Catalyst 6500 and the 7600 Router.

The PIX535 has a PCI-X 66 MHz/64 bit bus for expansion slots. This results in a much higher cleartext throughput, as the PCI bus is no longer the bottleneck (the PCI bus is 33 MHz and 32 bits, resulting in maximum throughput of 1.2 GBit without overhead taken in account). As the lower Cisco ASA models use a PCI bus, the PIX535 was faster for cleartext than its successor ASA, until the introduction of the ASA5580.

Specifications

Latest models
Model 501 506e 515e 525 535 FWSM
Introduced 2001 2002 2002 2000 2000 2003
Discontinued 2008 2008 2008 2008 2008 2012
CPU type AMD
SC520 5x86
Intel
Celeron
(Mendocino SL36A)
Intel
Celeron
(Mendocino SL3BA)
Intel
Pentium III
(Coppermine)
Intel
Pentium III
(Coppermine)
One Intel Pentium III and three IBM 4GS3 PowerNP network processors
CPU speed 133 MHz 300 MHz 433 MHz 600 MHz 1 GHz 1 GHz
Chipset AMD
SC520
Intel
440BX
Seattle
Intel
440BX
Seattle
Intel
440BX
Seattle
Broadcom
Serverworks
RCC
?
Default RAM 16 MB 32 MB 64 (128) MB 128 (256) MB 512 (1024) MB 1 GB
Boot flash device Onboard Onboard Onboard Onboard ISA card &
Onboard
Onboard
Default flash 8 MB 8 MB 16 MB 16 MB 16 MB 128 MB
Boot flash chips 1 x 28F640 1 x 28F640 1 x E28F128J3 1 x EF28F128J3 2 x i28F640J5 ATA CompactFlash
PIX BIOS flash chips 28F640 AM29F400B AM29F400B AM29F400B/
E28F400B5T
DA28F320J5
Minimum PIX OS version 6.1(1) 5.1(x) 5.1(x) 5.2(x) 5.3(x) FWSM 2.3(x)
Maximum PIX OS version officially supported Latest 6.3(x) Latest 6.3(x) 8.0.4 8.0.4 8.0.4 FWSM 4.0(x)
Max interfaces 2 2 3(6) 6(10) 8(14)
Fixed internal interface 10/100baseT 10/100baseT 10/100baseT 10/100baseT No No
Fixed external interface 10/100baseT 10/100baseT 10/100baseT 10/100baseT No No
PCI slots 0 0 2 3 9 1
Expansion cards supported No No 1 port FE,
4 port FE,
1 port 1000baseSX
1 port FE,
4 port FE,
1 port 1000baseSX
1 port FE,
4 port FE,
1 port 1000baseSX
Yes
Supports SSL VPN No No No No No No
VPN accelerator supported No No Yes Yes Yes No
Floppy drive No No No No No No
Failover supported No No Yes Yes Yes Yes
Model 501 506e 515e 525 535 FWSM
Older models
Model NTI PIX Classic
47-3158-01
10000 506 510 515 520
Introduced 1994 1995 1996 2000 1997 1999 1999
Discontinued 1995 1998 1998 2002 1999 2002 2001
CPU type Intel 486DX2/
Intel Pentium
Intel Pentium Intel
Pentium Pro
Intel
Pentium MMX
Intel
Pentium
Intel
Pentium MMX
Intel
Pentium II
(Deschutes)
CPU speed 66 / 90 MHz 100~133 MHz 200 MHz 200 MHz 166 MHz 200 MHz 233~350 MHz
Chipset Intel
430FX/TX
Intel
440FX
Natoma
Intel
430TX
Intel
430TX
Intel
430TX
440LX/BX
Balboa/
Seattle
Default RAM 4 MB 8 MB 16 MB 32 MB 16 MB 32 (64) MB 128 MB
Boot flash device ISA card ISA card ISA card Onboard ISA card Onboard ISA card
Default flash 512 KB 512 KB /
2 MB
2 MB 8 MB 2 MB 16 MB 2 MB / 16 MB
Boot flash chips 2 x i28f020 2 x i28f020 /
4 x 29C040
4 x 29C040 1 x i28F640J5 4 x 29C040 2 x i28F640J5 4 x 29C040 /
2 x i28F640J5
PIX BIOS flash chips AM28F256 AM28F256 AM28F256 AT29C257 AM28F256 AT29C257 AM28F256/
AT29C257
Minimum PIX OS version 1.x 2.x 4.4(x) 4.4(x) 4.4(x) 5.1(x) 4.4(x)
Maximum PIX OS version 4.2(2) 4.2(2)
5.1(x)
5.1(x) Latest 6.3(x) 5.3(4) Latest 8.x Latest 6.3(x)
Max interfaces 2 6(3) 8(6)
Fixed internal interface No No No 10baseT No 10/100baseT No
Fixed external interface No No No 10baseT No 10/100baseT No
PCI slots ? 4 4 0 4+ 2 4+
Expansion cards supported ? 1 port FE,
1 port Token Ring,
1 port FDDI
1 port FE,
1 port Token Ring,
1 port FDDI
No 1 port FE,
1 port Token Ring,
1 port FDDI
1 port FE,
4 port FE,
1 port 1000baseSX
1 port FE,
4 port FE,
1 port 1000baseSX
VPN accelerator supported Yes Yes Yes No Yes Yes Yes
Floppy drive Yes Yes Yes No Yes No Yes
Failover supported No No/Yes Yes No Yes Yes Yes
Model NTI PIX Classic 10000 506 510 515 520

Performance specifications

Models supported as of 27 June 2005[10][11]
Model PIX Classic PIX 10000 PIX 501 PIX 506 PIX 506e PIX 510 PIX 515 PIX 515e PIX 520 PIX 525 PIX 535 ASA 5520 FWSM
Cleartext throughput, Mbit/s 90 60 20 100 147 190 240 330 1655 450 5500
56-bit DES throughput, Mbit/s 6 20 n/a n/a n/a n/a ? n/a
168-bit Triple DES throughput, Mbit/s 3 6 16 10 / 63 (135) 20 / 63 (135) 20 30 / 72 (145) 50 / 100 (425) 225 n/a
AES-128 throughput, Mbit/s 4.5 30 45 / 130 65 / 135 110 / 495 225 n/a
AES-256 throughput, Mbit/s 3.4 25 35 / 130 50 / 135 90 / 425 225 n/a
Max simultaneous connections 16,000 7,500 10,000 25,000 64,000 / 128,000 48,000 / 130,000 256,000 140,000 / 280,000 250,000 / 500,000 280,000 999,900 total / 100,000 per second
Max simultaneous hosts (users) 10 / 50 / Unlimited Unlimited Unlimited 128 / 1000 / unlimited Unlimited Unlimited ? 256,000
Max number of ACL entries ? 80,000
Max simultaneous VPN peers 10 25 25 0 / 2000 0 / 2000 0 / 2000 750 IPSec, 750 SSL n/a
Model PIX Classic PIX 10000 PIX 501 PIX 506 PIX 506e PIX 510 PIX 515 PIX 515e PIX 520 PIX 525 PIX 535 ASA 5520 FWSM

Expansion cards

PIX 512KB flash memory card
PIX-PL2 encryption card
Flash cards
Ethernet cards
VPN/Encryption acceleration cards
FDDI and Token Ring cards

Adaptive Security Appliance (ASA)

The Adaptive Security Appliance is a network firewall made by Cisco. It was introduced in 2005 to replace the Cisco PIX line.[18] Along with stateful firewall functionality another focus of the ASA is Virtual Private Network (VPN) functionality. It also features Intrusion Prevention and Voice over IP. The ASA 5500 series was followed up by the 5500-X series. The 5500-X series focuses more on virtualization than it does on hardware acceleration security modules.

History

In 2005 Cisco released the 5510, 5520, and 5540.[19]

Software

The ASA continues using the PIX codebase but, when the ASA software transitioned from major version 7.X to 8,x, it moved from the Finesse/Pix OS operating system platform to the Linux operating system platform. It also integrates features of the Cisco IPS 4200 Intrusion prevention system, and the Cisco VPN 3000 VPN concentrator.[20]

Hardware

The ASA continues the PIX lineage of Intel 80x86 hardware.

Security Vulnerabilities

The Cisco PIX VPN product was hacked by the NSA-tied[21] group Equation Group somewhere before 2016. Equation Group developed a tool code-named BENIGNCERTAIN that reveals the pre-shared password(s) to the attacker (CVE-2016-6415[22]). Equation Group was later hacked by another group called The Shadow Brokers, which published their exploit publicly, among others.[23][24][25][26] According to Ars technica, the NSA likely used this vulnerability to wiretap VPN-connections for more than a decade, citing the Snowden leaks.[27]

The Cisco ASA-brand was also hacked by Equation Group. The vulnerability requires that both SSH and SNMP are accessible to the attacker. The codename given to this exploit by NSA was EXTRABACON. The bug and exploit (CVE-2016-6366[28]) was also leaked by The ShadowBrokers, in the same batch of exploits and backdoors. According to Ars Technica, the exploit can easily be made to work against more modern versions of Cisco ASA than what the leaked exploit can handle.[29]

See also

Footnotes

^ Only the first few NTI PIXs came with the 486 processor; the rest came with a Pentium processor.
^ The "inside" port is connected to an internal, unmanaged, auto-polarity 4 port switch.
^ Restricted package / Unrestricted package limits (referred to by Cisco as R and UR/FO/FO-AA, respectively). For PIX-525, RAM configurations above 384 MB are not supported by Cisco however up to 3x 256 MB work for a maximum of 768 MB.
^ According to Cisco, the 1000baseSX card is not officially supported by the 515/515e, but it will work.
^ VAC acceleration vs VAC+ (in parenthesis) acceleration (Implies Unrestricted package).
^ Older 520s made before February 2000 and with a serial number less than 18025677 shipped with a 2 MB flash card. Newer 520s shipped with a 16 MB flash card .
^ The WS-SVC-FWM-1-K9 blade has no fixed ports or internal expansion; it makes use of either VLAN interfaces (being used by physical interfaces on a remote switch) or the physical interfaces on the switch/router it is installed in.
^ PIX Classic firewalls with a serial number of 06002015 or lower came with a 512 KB flash card. Newer models came with a 2 MB flash card .
^ The WS-SVC-FWM-1-K9 blade only supports IPSec VPN for management. It doesn't have the ability to terminate a VPN connection for remote users.
^ The PIX 520 received updated PII processors as they became available, starting with the PII 233 and ending with the PII 350. The Intel-manufactured SE440BX-2 ATX motherboard in the 520 can support any Slot1 processor from the Celeron Covington, Celeron Mendocino, Pentium II Klamath, Pentium II Deschutes, and the Pentium III Katmai families, as long as the cpu uses 2.0 V core voltage and can run on a 66 or 100 MHz fsb. One may also use 133 MHz FSB CPUs, but they will run at lower speeds, for example a 933 MHz CPU for 133 MHz FSB will only run at 700 MHz. A slotket can also be used to install the newer 500 MHz - 1.1 GHz Socket 370 Pentium III Coppermine cpus, as long as the slotket provides a voltage regulator and manual bus speed selector. Using the PowerLeap PL-iP3 converter, Tualatin processors can be used. A BIOS upgrade to the latest level of the SE440-BX2 is required. Using the bus-speed settings on the Powerleap, speeds of 1.6 GHz are possible.
The PIX 520 rev A firewalls may use the Intel AL440LX motherboard instead of the SE440BX-2. The AL440LX may be replaced by a SE440BX-2 motherboard, which is found in the 520 rev B.[30]
^ Cannot be easily upgraded, due to clearance issues with the top cover.
^ In early 2005, Cisco indicated that PIX OS 7.x would only support the 515, 515e, 525, and 535, while a "stripped-down" version would eventually be released for the 501 and 506e. While not officially supported, it is actually possible to update the 506E to 7.x code by removing all GUI management software.
^ The maximum OS version one can run with a 512 KB card is 4.2(2). The maximum OS version one can run with a 2 MB card is 5.1(x). The maximum OS version with a 16 MB card is 6.3(5), unless one is using a PIX 535. OS version 5.2(4) and higher explicitly does not support the Intel 440FX chipset.
^ Shows flash chips on the 2 MB flash card versus the chips on the 16 MB flash card.
^ Various models of the 525 use different flash chips, probably due to differing production runs.
^ Shows flash chips on the 512 KB flash card versus the chips on the 2 MB flash card.
^ While the PIX 535 boots off of the same ISA flash card as some PIX 510s and 520s (the PIX-FLASH-16MB) its newer on-board PIX BIOS (version 4.x) overrides the PIX BIOS on the flash card (version 3.6) at boot.
^ Since both the 510 and 520 have standard ATX motherboards, the PCI slot count can be higher or lower than the default if the motherboard is replaced with a different one.
^ The performance figures cited here are highly changeable, as one can upgrade the CPU in the PIX 520 to a 1 GHz Pentium III, which will considerably increase its throughput in all of the below categories, putting it on a level with the 525 and 535.
^ According to a 2000 field notice, due to a "procedural error", PIX 525s with serial numbers 44480380055 through 44480480044 were manufactured with erroneous or omitted EEPROM programming in their 82559 chips that caused the onboard FastEthernet ports to behave erratically when set to full-duplex. Starting with PIX OS 5.3.1, the "eeprom update" command will reprogram the defective data and restore normal operation permanently. Viewing the field notice requires registration . Most, if not all, 525s in use today within that range have likely been corrected, but an unused or unopened unit within that range would still need the corrective action to be taken.
^ It is theoretically possible to upgrade the Socket 8 Pentium Pro processor in the PIX Classic and 10000 with either an Intel Pentium II Overdrive (300 or 333 MHz depending on the system bus speed) or a Powerleap PL-Pro/II Celeron adapter , both of which are long out of production. The Powerleap adapter natively can allow use of a 300 - 533 MHz Mendocino Celeron PPGA processor. Coupled with the Powerleap Neo S370 FC-to-PPG adapter, one can use a 533 - 766 MHz FC-PGA Coppermine-128 Celeron processor. However, the 60 or 66 MHz bus (no 100 MHz bus) and 72-pin SIMM memory limitations of the workstation-style 440FX board used limit the potential gains in performance to be had from such upgrades. Upgrading the motherboard to a compatible server-style 440FX board with DIMM slots may allow for the use of the 440FX chipset's theoretical limit of 1 GB of RAM, although if the motherboard is to be replaced, it may arguably be more cost-efficient to upgrade to a SE440BX-2 motherboard with a slocket and Tualatin Celeron CPU. It is also worthwhile to note that PIX OS later than 5.3.4 explicitly does not support the 440FX chipset.
^ The PIX 525 is known to come with a variety of processors including 1.65 V 600 MHz (SL3VH) and 1.75 V 600 MHz (SL5BT). It would appear that all 1.65 V to 1.75 V 100 MHz FSB CPUs would work, this has been substantiated to 1000 MHz with a SL5QV 1.75 V CPU.
^ The first PIX Classics did not support failover. Only after this feature debuted with the LocalDirector did it come to be included in the later PIX Classics.[31]

PIX 506E overclocked specs

^ Proof of successful overclocking of Cisco Pix 506E with mainboard, socket and circuits modification for 1.2 GHz P3(Tualatin core) is on the photos. This mod was done by someone called i8.

^ The PIX 515E can be upgraded with the Coppermine P-III SL5QV 1Ghz processor. Due to heat concerns, it is advisable to remove the original heat sink heat transfer "sticker" and replace with good quality processor heat sink thermal compound.

References

  1. http://www.cisco.com/c/en/us/support/interfaces-modules/catalyst-6500-series-firewall-services-module/model.html
  2. "History of NTI and the PIX Firewall by John Mayes" (PDF).
  3. "End of Sale for Cisco PIX Products". Cisco. 2008-01-28. Retrieved 2008-02-20.
  4. "Cisco open source license page". Retrieved 2007-08-21.
  5. "FAQs for Cisco PFM". Retrieved 2007-06-19.
  6. "Documentation on Cisco PDM". Retrieved 2007-06-19.
  7. "Documentation on Cisco ASDM". Archived from the original on 2007-06-16. Retrieved 2007-06-19.
  8. Deal, Richard (2009). Cisco ASA Configuration. Networking Professional's Library. McGraw Hill Professional. p. 263. ISBN 9780071622684. Retrieved 2014-05-07. The timeout dcd parameter specifies that when a TCP session times out from the set connection timeout tcp command, the appliance should send a Dead Connection Detection (DCD) probe on the connection to both devices associated with the connection [...]. If one of the end devices doesn't respond [...] the appliance removes the connection.
  9. "Notes on PIX production".
  10. Cisco's PIX Brochure (page 2) Archived April 4, 2005, at the Wayback Machine.
  11. product pages
  12. 1 2 3 http://www.intel.com/support/network/sb/cs-012904.htm
  13. http://www.cisco.com/web/about/ac123/ac147/ac174/ac199/about_cisco_ipj_archive_article09186a00800c85a6.html
  14. http://www.cisco.com/en/US/products/hw/switches/ps700/products_field_notice09186a0080174a72.shtml
  15. http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a008057bf29.html
  16. http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00800940f4.shtml
  17. http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a008059f93b.html
  18. Joseph, Muniz; McIntyre, Gary; AlFardan, Nadhem. Security Operations Center: Building, Operating, and Maintaining your SOC. Cisco Press. ISBN 978-0134052014.
  19. Francis, Bob (May 9, 2005). "Security Takes Center Stage at Interop". InfoWorld. 27 (19): 16.
  20. http://www.ingrammicro.de/pdf/6778857.pdf
  21. "The NSA leak is real, Snowden Documents confirm". Retrieved 2016-08-19.
  22. "National vulnerability database record for BENIGNCERTAIN". web.nvd.nist.gov.
  23. "Researcher Grabs VPN Password With Tool From NSA Dump". Retrieved 2016-08-19.
  24. "NSA's Cisco PIX exploit leaks". www.theregister.co.uk.
  25. "Did the NSA Have the Ability to Extract VPN Keys from Cisco PIX Firewalls?". news.softpedia.com.
  26. "NSA Vulnerabilities Trove Reveals 'Mini-Heartbleed' For Cisco PIX Firewalls". www.tomshardware.com.
  27. "How the NSA snooped on encrypted Internet traffic for a decade". Retrieved 2016-08-22.
  28. "National vulnerability database record for EXTRABACON". web.nvd.nist.gov.
  29. "NSA-linked Cisco exploit poses bigger threat than previously thought". Retrieved 2016-08-24.
  30. "Cisco PIX 4.2 release notes". Retrieved 2008-07-10.
  31. "History of NTI and the PIX Firewall by Brantley Coile".
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.