Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
---|---|---|---|---|---|
Searching... | 30000010183939 | TK5105.59 H84 2008 | Open Access Book | Book | Searching... |
Searching... | 30000003481441 | TK5105.59 H84 2008 | Open Access Book | Book | Searching... |
On Order
Summary
Summary
Cisco ASA, PIX, and FWSM Firewall Handbook , Second Edition, is a guide for the most commonly implemented features of the popular Cisco® firewall security solutions. Fully updated to cover the latest firewall releases, this book helps you to quickly and easily configure, integrate, and manage the entire suite of Cisco firewall products, including ASA, PIX®, and the Catalyst® Firewall Services Module (FWSM).
Organized by families of features, this book helps you get up to speed quickly and efficiently on topics such as file management, building connectivity, controlling access, firewall management, increasing availability with failover, load balancing, logging, and verifying operation. Sections are marked by shaded tabs for quick reference, and information on each feature is presented in a concise format, with background, configuration, and example components. Whether you are looking for an introduction to the latest ASA, PIX, and FWSM devices or a complete reference for making the most out of your Cisco firewall deployments, Cisco ASA, PIX, and FWSM Firewall Handbook, Second Edition, helps you achieve maximum protection of your network resources. "Many books on network security and firewalls settle for a discussion focused primarily on concepts and theory. This book, however, goes well beyond these topics. It covers in tremendous detail the information every network and security administrator needs to know when configuring and managing market-leading firewall products from Cisco." --Jason Nolet, Vice President of Engineering, Security Technology Group, Cisco David Hucaby, CCIE® No. 4594, is a lead network engineer for the University of Kentucky, where he works with health-care networks based on the Cisco Catalyst, ASA, FWSM, and VPN product lines. He was one of the beta reviewers of the ASA 8.0 operating system software. Learn about the various firewall models, user interfaces, feature sets, and configuration methods Understand how a Cisco firewall inspects traffic Configure firewall interfaces, routing, IP addressing services, and IP multicast support Maintain security contexts and flash and configuration files, manage users, and monitor firewalls with SNMP Authenticate, authorize, and maintain accounting records for firewall users Control access through the firewall by implementing transparent and routed firewall modes, address translation, and traffic shunning Define security policies that identify and act on various types of traffic with the Modular Policy Framework Increase firewall availability with firewall failover operation Understand how firewall load balancing works Generate firewall activity logs and learn how to analyze the contents of the log Verify firewall operation and connectivity and observe data passing through a firewall Configure Security Services Modules, such as the Content Security Control (CSC) module and the Advanced Inspection Processor (AIP) module This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks. Category: Networking: Security Covers: Cisco ASA 8.0, PIX 6.3, and FWSM 3.2 version firewallsAuthor Notes
David Hucaby , CCIE No. 4594, is a lead network engineer for the University of Kentucky, where he works with health-care networks based on the Cisco Catalyst, ASA, FWSM, and VPN product lines. He was one of the beta reviewers of the ASA 8.0 operating system software. He has a B.S. and M.S. in electrical engineering from the University of Kentucky. He is the author of three other books from Cisco Press: CCNP BCMSN Official Exam Certification Guide , Cisco Field Manual: Router Configuration , and Cisco Field Manual: Catalyst Switch Configuration .
He lives in Kentucky with his wife, Marci, and two daughters.
Excerpts
Excerpts
Cisco ASA, PIX, and FWSM Firewall Handbook Introduction This book focuses on the complete product line of Cisco firewall hardware: the PIX and ASA Security Appliance families and the Catalyst Firewall Services Module (FWSM). Of the many sources of information and documentation about Cisco firewalls, very few provide a quick and portable solution for networking professionals. This book is designed to provide a quick and easy reference guide for all the features that can be configured on any Cisco firewall. In essence, an entire bookshelf of firewall documentation, along with other networking reference material, has been "squashed" into one handy volume. This book covers only the features that can be used for stateful traffic inspection and overall network security. Although Cisco firewalls can also support VPN functions, those subjects are not covered here. This book is based on the most current Cisco firewall software releases available at press time--ASA release 8.0(1) and FWSM release 3.2(1). In the book, you will find ASA, PIX, and FWSM commands presented side-by-side for any specific task. The command syntax is shown with a label indicating the type of software that is running, according to the following convention: ASA --Refers to any platform that can run ASA release 7.0(1) or later. This can include the ASA 5500 family, as well as the PIX 500 family. For example, even though a PIX 535 can run a specific build of the ASA 8.0(1) code, the commands are still labeled "ASA" to follow the operating system being used. PIX --Refers to a PIX release 6.3. FWSM --Refers to FWSM release 3.1(1) or later. If you are using an earlier version of software, you might find that the configuration commands differ slightly. With the advent of the ASA platform, Cisco began using different terminology: firewalls became known as security appliances because of the rich security features within the software and because of the modular nature of the ASA chassis. This new terminology has been incorporated in this book where appropriate. However, the term firewall is still most applicable here because this book deals with both security appliances and firewalls embedded within Catalyst switch chassis. As you read this book, keep in mind that the terms firewall and security appliance are used interchangeably. How This Book Is Organized This book is meant to be used as a tool in your day-to-day tasks as a network or security administrator, engineer, consultant, or student. I have attempted to provide a thorough explanation of many of the more complex firewall features. When you better understand how a firewall works, you will find it much easier to configure and troubleshoot. This book is divided into chapters that present quick facts, configuration steps, and explanations of configuration options for each Cisco firewall feature. The chapters and appendixes are as follows: Chapter 1, "Firewall Overview" --Describes how a Cisco firewall inspects traffic. It also offers concise information about the various firewall models and their performance. Chapter 2, "Configuration Fundamentals" --Discusses the Cisco firewall user interfaces, feature sets, and configuration methods. Chapter 3, "Building Connectivity" --Explains how to configure firewall interfaces, routing, IP addressing services, and IP multicast support. Chapter 4, "Firewall Management" --Explains how to configure and maintain security contexts, flash files, and configuration files; how to manage users; and how to monitor firewalls with SNMP. Chapter 5, "Managing Firewall Users" --Covers the methods you can use to authenticate, authorize, and maintain accounting records for a firewall's administrative and end users. Chapter 6, "Controlling Access Through the Firewall" --Describes the operation and configuration of the transparent and routed firewall modes, as well as address translation. Other topics include traffic shunning and threat detection. Chapter 7, "Inspecting Traffic" --Covers the Modular Policy Framework, which is used to define security policies that identify and act on various types of traffic. The chapter also discusses the application layer inspection engines that are used within security policies, as well as content filtering. Chapter 8, "Increasing Firewall Availability with Failover" --Explains firewall failover operation and configuration, offering high availability with a pair of firewalls operating in tandem. Chapter 9, "Firewall Load Balancing" --Discusses how firewall load balancing works and how it can be implemented in a production network to distribute traffic across many firewalls in a firewall farm. Chapter 10, "Firewall Logging" --Explains how to configure a firewall to generate an activity log, as well as how to analyze the log's contents. Chapter 11, "Verifying Firewall Operation" --Covers how to check a firewall's vital signs to determine its health, how to verify its connectivity, and how to observe data that is passing through it. Chapter 12, "ASA Modules" --Discusses the Security Services Modules (SSMs) that can be added into an ASA chassis, along with their basic configuration and use. Appendix A, "Well-Known Protocol and Port Numbers" --Presents lists of well-known IP protocol numbers, ICMP message types, and IP port numbers that are supported in firewall configuration commands. Appendix B, "Security Appliance Logging Messages" --Provides a quick reference to the many logging messages that can be generated from an ASA, PIX, or FWSM firewall. How to Use This Book The information in this book follows a quick-reference format. If you know what firewall feature or technology you want to use, you can turn right to the section that deals with it. The main sections are numbered with a quick-reference index that shows both the chapter and the section (for example, 3-3 is Chapter 3, section 3). You'll also find shaded index tabs on each page, listing the section number. Feature Description Each major section begins with a detailed explanation of or a bulleted list of quick facts about the feature. Refer to this information to quickly learn or review how the feature works. Configuration Steps Each feature that is covered in a section includes the required and optional commands used for common configuration. The difference is that the configuration steps are presented in an outline format. If you follow the outline, you can configure a complex feature or technology. If you find that you do not need a certain feature option, skip over that level in the outline. In some sections, you will also find that each step in a configuration outline presents the commands from multiple firewall platforms side-by-side in a concise manner. You can stay in the same configuration section no matter what type or model of firewall you are dealing with. Sample Configurations Each section includes an example of how to implement the commands and their options. Examples occur within the configuration steps, as well as at the end of a main section. I have tried to present the examples with the commands listed in the order you would actually enter them to follow the outline. Many times, it is more difficult to study and understand a configuration example from an actual firewall because the commands are displayed in a predefined order--not in the order you entered them. Where possible, the examples have also been trimmed to show only the commands presented in the section. Displaying Information About a Feature Each section includes plenty of information about the commands you can use to show information about that firewall feature. I have tried to provide examples of this output to help you interpret the same results on your firewall. (c) Copyright Pearson Education. All rights reserved. Excerpted from Cisco ASA, PIX, and FWSM Firewall by Dave Hucaby All rights reserved by the original copyright owners. Excerpts are provided for display purposes only and may not be reproduced, reprinted or distributed without the written permission of the publisher.Table of Contents
Foreword | p. xxii |
Introduction xxiii | |
Chapter 1 Firewall Overview 31 | p. 1 |
Overview of Firewall Operation | p. 4 |
Initial Checking | p. 5 |
Xlate Lookup | p. 6 |
Conn Lookup | p. 7 |
ACL Lookup | p. 8 |
Uauth Lookup | p. 8 |
Inspection Engine | p. 9 |
1-2 Inspection Engines for ICMP, UDP, and TCP 9ICMP Inspection | p. 10 |
A Case Study in ICMP Inspection | p. 12 |
UDP Inspection 13TCP Inspection | p. 15 |
Additional TCP Connection Controls | p. 17 |
TCP Normalization | p. 18 |
Other Firewall Operations | p. 19 |
1-3 Hardware and Performance | p. 19 |
1-4 Basic Security Policy Guidelines | p. 21 |
Further Reading | p. 24 |
Chapter 2 Configuration Fundamentals | p. 27 |
2-1 User Interface | p. 27 |
User Interface Modes | p. 28 |
User Interface Features | p. 29 |
Entering Commands | p. 29 |
Command Help | p. 31 |
Command History | p. 32 |
Searching and Filtering Command Output | p. 32 |
Terminal Screen Format | p. 34 |
2-2 Firewall Features and Licenses | p. 34 |
Upgrading a License Activation Key | p. 40 |
2-3 Initial Firewall Configuration | p. 41 |
Chapter 3 Building Connectivity | p. 45 |
3-1 Configuring Interfaces | p. 45 |
Surveying Firewall Interfaces | p. 46 |
Configuring Interface Redundancy | p. 48 |
Basic Interface Configuration | p. 50 |
Interface Configuration Examples | p. 58 |
Configuring IPv6 on an Interface | p. 60 |
Testing IPv6 Connectivity | p. 67 |
Configuring the ARP Cache | p. 68 |
Configuring Interface MTU and Fragmentation | p. 70 |
Configuring an Interface Priority Queue | p. 73 |
Displaying Information About the Priority Queue | p. 77 |
Firewall Topology Considerations | p. 77 |
Securing Trunk Links Connected to Firewalls | p. 79 |
Bypass Links | p. 81 |
3-2 Configuring Routing | p. 83 |
Using Routing Information to Prevent IP Address Spoofing | p. 84 |
Configuring Static Routes | p. 86 |
Static Route Example | p. 89 |
Favoring Static Routes Based on Reachability | p. 89 |
Reachable Static Route Example | p. 92 |
Configuring RIP to Exchange Routing Information | p. 95 |
RIP Example | p. 97 |
Configuring EIGRP to Exchange Routing Information | p. 97 |
An EIGRP Configuration Example | p. 101 |
Configuring OSPF to Exchange Routing Information | p. 101 |
OSPF Routing Scenarios with a Firewall | p. 102 |
OSPF Used Only on the Inside | p. 102 |
OSPF Used Only on the Outside | p. 102 |
OSPF Used on Both Sides of the Firewall (Same Autonomous System) | p. 103 |
OSPF Used on Both Sides of the Firewall (Different Autonomous Systems) | p. 104 |
Configuring OSPF | p. 105 |
Redistributing Routes from Another Source into OSPF | p. 112 |
OSPF Example | p. 115 |
3-3 DHCP Server Functions | p. 116 |
Using the Firewall as a DHCP Server | p. 117 |
DHCP Server Example | p. 120 |
Updating Dynamic DNS from a DHCP Server | p. 120 |
Verifying DDNS Operation | p. 123 |
Relaying DHCP Requests to a DHCP Server | p. 124 |
DHCP Relay Example | p. 125 |
3-4 Multicast Support | p. 126 |
Multicast Overview | p. 126 |
Multicast Addressing | p. 127 |
Forwarding Multicast Traffic | p. 128 |
Multicast Trees | p. 128 |
Reverse Path Forwarding | p. 128 |
IGMP: Finding Multicast Group Recipients | p. 129 |
IGMPv1 | p. 129 |
IGMPv2 | p. 130 |
PIM: Building a Multicast Distribution Tree | p. 130 |
PIM Sparse Mode | p. 131 |
PIM RP Designation | p. 136 |
Configuring PIM | p. 137 |
Using a Multicast Boundary to Segregate Domains | p. 142 |
Filtering PIM Neighbors | p. 143 |
Filtering Bidirectional PIM Neighbors | p. 144 |
Configuring Stub Multicast Routing (SMR) | p. 145 |
Configuring IGMP Operation | p. 147 |
Stub Multicast Routing Example | p. 150 |
PIM Multicast Routing Example | p. 151 |
Verifying IGMP Multicast Operation | p. 151 |
Verifying PIM Multicast Routing Operation | p. 152 |
Chapter 4 Firewall Management | p. 157 |
4-1 Using Security Contexts to Make Virtual Firewalls | p. 157 |
Security Context Organization | p. 158 |
Sharing Context Interfaces | p. 158 |
Issues |