Comments:
God, internet security would have been a nightmare with the end-to-end principle intact
This is some really well done internet history! Thanks!
When I shifted from ISDN to ADSL I needed a NAT router that wasn't pricey so I found an old DEC PC, two NICs and a Linux-based NAT.
NAT was and is a bad idea. It stops the internet from being P2P. IPv6 solved this tho, so that's something at least.
I wrote articles in 2000 which pushed NAT into the limelight. I also had a small hand in 1997 in the formation and adoption of IPv6.
My first IT job in 2004 I was doing help desk and we had a Cisco PIX and I thought it was the coolest thing ever and it was my first time learning about network security. Now I'm a security consultant but I haven't thought about the PIX in years. This was a cool trip down memory lane.
Background music ruins informative tubes.👎
The PIX was the first firewall I learned to configure, and was what I compared others to, followed by Sourcefire which then once again was acquired by Cisco!
That's pretty cool. I've recycled a lot of these firewalls over the years. It is interesting to know why they are designed the way they are and not using proprietary hardware.
Legendary and people take for granted.
I built an ISP together with a friend from the early 90s on. In our business, I think we barely used NAT until we (well, more HE, my friend, but that’s another story) sold in 2000. But where I needed NAT, I just used Linux with masquerading. Never had a PIX.
All I can say is "WOW" this is high-quality
My first exposure to NAT was in 1997 with a Webramp M3 appliance. It was an impressive little device that had the ability to use 3 dial-up serial port modems via DB9 connectors. I hooked up a small medical office to the internet with the M3. It would provide enough private IP space to allow their 10 or so user devices to get on the internet to do basic tasks such as email and light web browser use. Web sites were simple back then so it worked out rather well.
That’s pretty telling when the guy that invented NAT agreed with his critics and decided to focus on IPv6 instead.
One of the PIX misfeatures was that it did not allow TCP connections with ECN (Enhanced Congestion Notification) TCP feature to be established. I don't know if Cisco was slow to fix the issue, or PIX sites were slow to roll out new firmware - but for a while this was a huge issue where ECN and PIX did collide. Linux (and presumably other OSs) support forums were full of it. To this day this is the first thought when the PIX is mentioned somewhere.
I started my career not long before these came out & still have an HA pair of 535s in my legacy lab.
Loved the PIX firewalls
SIP ALG in a nutshell
STUN should have a video with NAT, a very important development.
And ever since the late 1990s I HATED NAT and always saw it as only a temporary bad workaround. At that time e.g. I used IP-to-IP telephony to my girlfriend living abroad, and one day this no longer worked because I no longer had a proper IP address..... Ever since the early 2000s I loved IPv6. It makes things so easy, no more NAT, no more distinguishing between private and public ... and easy properly dividing IPv6 addresses into a host and client part. And we now have 2024 and IPv6 is still being soooooooooooooo slow in implementation. Right up to date THE MAIN PROBLEM for IPv4 + NAT is the reachability from outside. Only with things like port-forwarding is it possible to make devices being reached directly from the internet. With IPv6 any device can have its own proper world-wide unique address, just like in the original concept of the internet, so if it wants, it can always be reached. And I do not understand why we are still using NAT and so many things on the internet have no IPv6 right up to now. Are people really so lazy?
If you can leave some parts of this video uncontaminated by extraneous and distracting "music" (particularly percussion) why not leave it out altogether?
I saw a Cisco 2500 series router in your cabinet. Long time ago I configured and distributed these boxes. Since then, many things have changed, but some not. Bitter sweet memories.
IP masquerading
I started my networking career by transferring connections from PIX to ASA so this really brought some good memories 😊. And some not so great when remembering how the PIX died just before I had set up all the connections and fw rules to the ASA 😂
Great video but drop the horrible background music!!
And as result of it we got abandoning of P2P concept and everything got over centralized and monopolized. Classic example of short sighted solution
I think TCP Slow Start might even be a bigger deal, after all NAT greatly reduced IPv6 adoption long term
The irony is, you still have holdouts like me still using ipv4 behind a nat router. Lol
Why is the music loud 😭
I'm so hard rn.
I need to go check the basement. My mid-90s first NAT router was a used small form-factor x86 PC running MS-DOS with two Ethernet cards and software by somebody I can't recall. I soon moved to an early SMC Barricade box.
I was in my late 20’s in 94 and landed my first job in the industry. It was at an ISP, I had no experience and zero college…I helped customers connect their Win 3.1.1 and Macs to the internet (good ol’ Trumpet).
Dial-up users could get a /26 for a little extra monthly fee and all T1 or Frame-Relay customers got full Class C blocks….mostly unused of course
It's been a while since I touched my Cisco CCNA thingy, this video is somewhat helpful on trying to refresh it a bit haha
Decommission IPv4 and use IPv6 instead
IPv4 must die
alternate title, how the PIX and NAT delayed ipv6 indefinitely
I respectfully and strongly disagree with the notion "saved". It resulted in the E2E model breaking, and cemented the inequality of servers and clients. It has set back service development of the things we could do on the real Internet in favour of immense effort being spent on accommodating the brokenness of the NAT model.
The proper solution was, is, and will continue to be IPv6. Anything blocking it is rearranging deck chairs.
If you've studied the 7 layer OSI model (I first did back in 1990-91), NAT shouldn't seem too revolutionary...I mean, you can swap out layer 3 and 4 and leave 5-7 intact
yeah i know this story
ipv6
well I'm glad the internet got saved lol
Limiting the growth of the internet wasn’t such a bad idea. Just look at how many complete morons there are on social media. If they were kept off the internet would be a better place 😂
Oh, you know IPv4 and IPv6. IPv5? The idea was to not use IP addresses at all but to use Routing Labels....like MPLS. The research into IPv5 led to MPLS.
What is the music playing at the end? I love it!
While PAT is commonly referred to simply as NAT (which is an umbrella term that encompasses PAT among others), it's a bit odd that the whole video is about PAT, yet it's not mentioned even once (or I missed it?)
The PIX and NAT basically killed the proxy firewall which would have been much more secure in the long run since that's what we have all the time anyway now for the most part. If all machines had been addressable to each other, we might have had a much higher software quality and not delegated security to the network layer so the application people could continue to ignore writing quality software resilient to attackers.
I remember when we first got the NAT software, but the name of it escapes me. I work with IPv4 on several networks every single day, and I know it fairly well, but IPv6 is a total mystery to me and I admit I have avoided using it totally.
Cisco, wow. Haven't thought about them in a few years. If you really wanted to feel humbled around 2000, you took a Cisco Certification test. Those tests were written by a group of autistic sadists. I remember the first one I took vividly. CCNA. I spent three full hours reading multiple choice questions where every answer looked right or every answer looked wrong. I was panicking because I had studied hard and I felt helpless with each question. In the end I was checking out of the test and told the gal running the main desk that I would see her again when I retook the test. She pointed to the pages coming out of a printer and said she didn't think so. I had a score in the area of 950 out of 1000. I couldn't believe it. The people who wrote those tests were some evil demons.