cut-through proxy is a feature unique to pix firewall that allows user-based authentication of inbound or outbound connections. unlike a proxy server that analyzes every packet at layer seven of the osi model, a time- and processing-intensive function, the pix firewall first queries an authentication server,and when the connection is approved, establishes a data flow. all traffic thereafter flows directly and quickly between the two parties.

    this feature allows security policies to be enforced on a per-user id basis. connections have to be authenticated with a user id and password before they can be established. supports authentication and authorization. the user id and password are entered via an initial http, telnet, or ftp connection.

    cut-through proxy allows a much finer level of administrative control over connections compared to checking source ip addresses. when providing inbound authentication, appropriate controls need to be applied to the user id and passwords used by external users (one-time passwords are recommended in this instance).