Overview

Cisco Firewalls: Concepts, Design and Deployment for Cisco Stateful Firewall Solutions

"In this book, Alexandre proposes a totally different approach to the important subject of firewalls: Instead of just presenting configuration models, he uses a set of carefully crafted examples to illustrate the theory in action. A must read!"
—Luc Billot, Security Consulting Engineer at Cisco

Cisco Firewalls thoroughly explains each of the leading Cisco firewall products, features, and solutions, and shows how they can add value to any network security design or operation. The author tightly links theory with practice, demonstrating how to integrate Cisco firewalls into highly secure, self-defending networks. Cisco Firewalls shows you how to deploy Cisco firewalls as an essential component of every network infrastructure. The book takes the unique approach of illustrating complex configuration concepts through step-by-step examples that demonstrate the theory in action.

This is the first book with detailed coverage of firewalling Unified Communications systems, network virtualization architectures, and environments that include virtual machines. The author also presents indispensable information about integrating firewalls with other security elements such as IPS, VPNs, and load balancers, as well as a complete introduction to firewalling IPv6 networks.

Cisco Firewalls will be an indispensable resource for engineers and architects designing and implementing firewalls; security administrators, operators, and support professionals; and anyone preparing for the CCNA Security, CCNP Security, or CCIE Security certification exams.

Alexandre Matos da Silva Pires de Moraes, CCIE No. 6063, has worked as a Systems Engineer for Cisco Brazil since 1998 in projects that involve not only Security and VPN technologies but also Routing Protocol and Campus Design, IP Multicast Routing, and MPLS Networks Design. He coordinated a team of Security engineers in Brazil and holds the CISSP, CCSP, and three CCIE certifications (Routing/Switching, Security, and Service Provider). A frequent speaker at Cisco Live, he holds a degree in electronic engineering from the Instituto Tecnológico de Aeronáutica (ITA – Brazil).

· Create advanced security designs utilizing the entire Cisco firewall product family
· Choose the right firewalls based on your performance requirements
· Learn firewall configuration fundamentals and master the tools that provide insight about firewall operations
· Properly insert firewalls in your network's topology using Layer 3 or Layer 2 connectivity
· Use Cisco firewalls as part of a robust, secure virtualization architecture
· Deploy Cisco ASA firewalls with or without NAT
· Take full advantage of the classic IOS firewall feature set (CBAC)
· Implement flexible security policies with the Zone Policy Firewall (ZPF)
· Strengthen stateful inspection with antispoofing, TCP normalization, connection limiting, and IP fragmentation handling
· Use application-layer inspection capabilities built into Cisco firewalls
· Inspect IP voice protocols, including SCCP, H.323, SIP, and MGCP
· Utilize identity to provide user-based stateful functionality
· Understand how multicast traffic is handled through firewalls
· Use firewalls to protect your IPv6 deployments

This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end, self-defending networks.

Full Product Details

Author: Alexandre M.S.P. Moraes
Publisher: Pearson Education (US)
Imprint: Cisco Press
Dimensions: Width: 18.90cm, Height: 4.60cm, Length: 22.90cm
Weight: 1.426kg
ISBN: 9781587141096
ISBN 10: 1587141094
Pages: 912
Publication Date: 16 June 2011
Audience: Professional and scholarly, Professional & Vocational
Format: Paperback
Publisher's Status: Out of Print
Availability: In Print

Table of Contents

Foreword
Introduction
Chapter 1: Firewalls and Network Security: Security Is a Must. But, Where to Start?; Firewalls and Domains of Trust; Firewall Insertion in the Network Topology; Routed Mode Versus Transparent Mode; Network Address Translation and Port Address Translation; Main Categories of Network Firewalls; Packet Filters; Circuit-Level Proxies; Application-Level Proxies; Stateful Firewalls; The Evolution of Stateful Firewalls; Application Awareness; Identity Awareness; Leveraging the Routing Table for Protection Tasks; Virtual Firewalls and Network Segmentation; What Type of Stateful Firewall?; Firewall Appliances; Router-Based Firewalls; Switch-Based Firewalls; Classic Topologies Using Stateful Firewalls; Stateful Firewalls and Security Design; Stateful Firewalls and VPNs; Stateful Firewalls and Intrusion Prevention; Stateful Firewalls and Specialized Security Appliances; Summary
Chapter 2: Cisco Firewall Families Overview: Overview of ASA Appliances; Positioning of ASA Appliances; Firewall Performance Parameters; Overview of ASA Hardware Models; Overview of the Firewall Services Module; Overview of IOS-Based Integrated Firewalls; Integrated Services Routers; Aggregation Services Routers; Summary
Chapter 3: Configuration Fundamentals: Device Access Using the CLI; Basic ASA Configuration; Basic Configuration for ASA Appliances Other Than 5505; Basic Configuration for the ASA 5505 Appliance; Basic FWSM Configuration; Remote Management Access to ASA and FWSM; Telnet Access; SSH Access; HTTPS Access Using ASDM; IOS Baseline Configuration; Configuring Interfaces on IOS Routers; Remote Management Access to IOS Devices; Remote Access Using Telnet; Remote Access Using SSH; Remote Access Using HTTP and HTTPS; Clock Synchronization Using NTP; Obtaining an IP Address Through the PPPoE Client; DHCP Services; Summary; Further Reading
Chapter 4: Learn the Tools. Know the Firewall: Using Access Control Lists Beyond Packet Filtering; Event Logging; Debug Commands; Flow Accounting and Other Usages of Netflow; Enabling Flow Collection on IOS; Traditional Netflow; Netflow v9 and Flexible Netflow; Enabling NSEL on an ASA Appliance; Performance Monitoring Using ASDM; Correlation Between Graphical Interfaces and CLI; Packet Tracer on ASA; Packet Capture; Embedded Packet Capture on an ASA Appliance; Embedded Packet Capture on IOS; Summary
Chapter 5: Firewalls in the Network Topology: Introduction to IP Routing and Forwarding; Static Routing Overview; Basic Concepts of Routing Protocols; RIP Overview; Configuring and Monitoring RIP; EIGRP Overview; Configuring and Monitoring EIGRP; EIGRP Configuration Fundamentals; Understanding EIGRP Metrics; Redistributing Routes into EIGRP; Generating a Summary EIGRP Route; Limiting Incoming Updates with a Distribute-List; EIGRP QUERY and REPLY Messages; EIGRP Stub Operation; OSPF Overview; Configuring and Monitoring OSPF; OSPF Configuration Fundamentals; OSPF Scenario with Two Areas; Configuring Authentication for Routing Protocols; Bridged Operation; Summary
Chapter 6: Virtualization in the Firewall World: Some Initial Definitions; Starting with the Data Plane: VLANs and VRFs; Virtual LANs; VRFs; VRF-Aware Services; Beyond the Data Plane—Virtual Contexts; Management Access to Virtual Contexts; Allocating Resources to Virtual Contexts; Interconnecting Virtual Elements; Interconnecting VRFs with an External Router; Interconnecting Two Virtual Contexts That Do Not Share Any Interface; Interconnecting Two FWSM Contexts That Share an Interface; Interconnecting Two ASA Contexts That Share an Interface; Issues Associated with Security Contexts; Complete Architecture for Virtualization; Virtualized FWSM and ACE Modules; Segmented Transport; Virtual Machines and the Nexus 1000V; Summary
Chapter 7: Through ASA Without NAT: Types of Access Through ASA-Based Firewalls; Additional Thoughts About Security Levels; Internet Access Firewall Topology; Extranet Topology; Isolating Internal Departments; ICMP Connection Examples; Outbound Ping; Inbound Ping; Windows Traceroute Through ASA; UDP Connection Examples; Outbound IOS Traceroute Through ASA; TCP Connection Examples; ASA Flags Associated with TCP Connections; TCP Sequence Number Randomization; Same Security Access; Handling ACLs and Object-Groups; Summary
Chapter 8: Through ASA Using NAT: Nat-Control Model; Outbound NAT Analysis; Dynamic NAT; Dynamic PAT; Identity NAT; Static NAT; Policy NAT; Static Policy NAT; Dynamic Policy NAT; Dynamic Policy PAT; NAT Exemption; NAT Precedence Rules; Address Publishing for Inbound Access; Publishing with the static Command; Publishing with Port Redirection; Publishing with NAT Exemption; Inbound NAT Analysis; Dynamic PAT for Inbound; Identity NAT for Inbound; NAT Exemption for Inbound; Static NAT for Inbound; Dual NAT; Disabling TCP Sequence Number Randomization; Defining Connection Limits with NAT Rules; Summary
Chapter 9: Classic IOS Firewall Overview: Motivations for CBAC; CBAC Basics; ICMP Connection Examples; UDP Connection Examples; TCP Connection Examples; Handling ACLs and Object-Groups; Using Object-Groups with ACLs; CBAC and Access Control Lists; IOS NAT Review; Static NAT; Dynamic NAT; Policy NAT; Dual NAT; NAT and Flow Accounting; CBAC and NAT; Summary
Chapter 10: IOS Zone Policy Firewall Overview: Motivations for the ZFW; Building Blocks for Zone-Based Firewall Policies; ICMP Connection Examples; UDP Connection Examples; TCP Connection Examples; ZFW and ACLs; ZFW and NAT; ZFW in Transparent Mode; Defining Connection Limits; Inspection of Router Traffic; Intrazone Firewall Policies in IOS 15.X; Summary
Chapter 11: Additional Protection Mechanisms: Antispoofing; Classic Antispoofing Using ACLs; Antispoofing with uRPF on IOS; Antispoofing with uRPF on ASA; TCP Flags Filtering; Filtering on the TTL Value; Handling IP Options; Stateless Filtering of IP Options on IOS; IP Options Drop on IOS; IP Options Drop on ASA; Dealing with IP Fragmentation; Stateless Filtering of IP Fragments in IOS; Virtual Fragment Reassembly on IOS; Virtual Fragment Reassembly on ASA; Flexible Packet Matching; Time-Based ACLs; Time-Based ACLs on ASA; Time-Based ACLs on IOS; Connection Limits on ASA; TCP Normalization on ASA; Threat Detection on ASA; Summary; Further Reading
Chapter 12: Application Inspection: Inspection Capabilities in the Classic IOS Firewall; Application Inspection in the Zone Policy Firewall; DNS Inspection in the Zone Policy Firewall; FTP Inspection in the Zone Policy Firewall; HTTP Inspection in the Zone Policy Firewall; IM Inspection in the Zone Policy Firewall; Overview of ASA Application Inspection; DNS Inspection in ASA; DNS Guard; DNS Doctoring; DNS Inspection Parameters; Some Additional DNS Inspection Capabilities; FTP Inspection in ASA; HTTP Inspection in ASA; Inspection of IM and Tunneling Traffic in ASA; Botnet Traffic Filtering in ASA; Summary; Further Reading
Chapter 13: Inspection of Voice Protocols: Introduction to Voice Terminology; Skinny Protocol; H.323 Framework; H.323 Direct Calls; H.323 Calls Through a Gatekeeper; Session Initiation Protocol (SIP); MGCP Protocol; Cisco IP Phones and Digital Certificates; Advanced Voice Inspection with ASA TLS-Proxy; Advanced Voice Inspection with ASA Phone-Proxy; Summary; Further Reading
Chapter 14: Identity on Cisco Firewalls: Selecting the Authentication Protocol; ASA User-Level Control with Cut-Through Proxy; Cut-Through Proxy Usage Scenarios; Scenario 1: Simple Cut-Through Proxy (No Authorization); Scenario 2: Cut-Through Proxy with Downloadable ACEs; Scenario 3: Cut-Through Proxy with Locally Defined ACL; Scenario 4: Cut-Through Proxy with Downloadable ACLs; Scenario 5: HTTP Listener; IOS User-Level Control with Auth-Proxy; Scenario 1: IOS Auth-Proxy with Downloadable Access Control Entries; Scenario 2: IOS Auth-Proxy with Downloadable ACLs; Scenario 3: Combining Classic IP Inspection (CBAC) and Auth-Proxy; User-Based Zone Policy Firewall; Establishing user-group Membership Awareness in IOS - Method 1; Establishing user-group Membership Awareness in IOS - Method 2; Integrating Auth-Proxy and the ZFW; Administrative Access Control on IOS; Administrative Access Control on ASA; Summary
Chapter 15: Firewalls and IP Multicast: Review of Multicast Addressing; Overview of Multicast Routing and Forwarding; The Concept of Upstream and Downstream Interfaces; RPF Interfaces and the RPF Check; Multicast Routing with PIM; Enabling PIM on Cisco Routers; PIM-DM Basics; PIM-SM Basics; Finding the Rendezvous Point on PIM-SM Topologies; Inserting ASA in a Multicast Routing Environment; Enabling Multicast Routing in ASA; Stub Multicast Routing in ASA; ASA Acting as a PIM-SM Router; Summary of Multicast Forwarding Rules on ASA; Summary; Further Reading
Chapter 16: Cisco Firewalls and IPv6: Introduction to IPv6; Overview of IPv6 Addressing; IPv6 Header Format; IPv6 Connectivity Basics; Handling IOS IPv6 Access Control Lists; IPv6 Support in the Classic IOS Firewall; IPv6 Support in the Zone Policy Firewall; Handling ASA IPv6 ACLs and Object-Groups; Stateful Inspection of IPv6 in ASA; Establishing Connection Limits; Setting an Upper Bound for Connections Through ASA; IPv6 and Antispoofing; Antispoofing with uRPF on ASA; Antispoofing with uRPF on IOS; IPv6 and Fragmentation; Virtual Fragment Reassembly on ASA; Virtual Fragment Reassembly on IOS; Summary; Further Reading
Chapter 17: Firewall Interactions: Firewalls and Intrusion Prevention Systems; Firewalls and Quality of Service; Firewalls and Private VLANs; Firewalls and Server Load Balancing; Firewalls and Virtual Machines; Protecting Virtual Machines with External Firewalls; Protecting Virtual Machines Using Virtual Firewall Appliances; Firewalls and IPv6 Tunneling Mechanisms; Firewalls and IPsec VPNs; Classic IPsec Site-to-Site for IOS; IPsec Site-to-Site Using a Virtual Tunnel Interface (VTI); IPsec Site-to-Site Using a GRE Tunnel; NAT in the Middle of an IPsec Tunnel; Post-Decryption Filtering in ASA; Firewalls and SSL VPNs; Clientless Access; Client-Based Access (AnyConnect); Firewalls and MPLS Networks; Borderless Networks Vision; Summary; Further Reading
Appendix A: NAT and ACL Changes in ASA 8.3
Index

Reviews

Alexandre has worked with Cisco security technologies since the year 2000 and is a well recognized expert in the LATAM security community. He is a frequent speaker at Cisco Networkers and other security conferences and has helped in training partners and customers in Brazil. In this book, he proposes a totally different approach to the important subject of firewalls: Instead of just presenting configuration models, he uses a set of carefully crafted examples to illustrate the theory in action. From the configuration fundamentals to advanced topics such as voice inspection, multicast, IPv6 and identity-based firewalls, the book unveils important details about the operations of Cisco firewall solutions, enabling the reader to better use this knowledge on security design. A must-read!
--Luc Billot, Security Consulting Engineer at Cisco (Emerging Markets and European Market)

I think that Alexandre's book could have the alternative title 'Cisco Firewalls Illustrated.' The way in which he links theory and practice is really insightful and greatly helps in understanding individual features and making better use of them for security design. Definitely a reference work in the subject!
--Louis Senecal, CCIE 2198, Consulting Systems Engineer, Cisco (Canada)

In this fully illustrated tour of the world of Cisco Firewalls, Alexandre devotes a great deal of attention to data center-related topics. Network virtualization architecture and the protection of environments that include virtual machines figure among the important subjects covered in the book. For those that want to benefit from virtualization without compromising security, this work is highly recommended.
--David Gonzalez, CISSP #99462, Consulting Systems Engineer at Cisco (LATAM)

Author Information

Alexandre Matos da Silva Pires de Moraes, CCIE No. 6063, has worked as a systems engineer for Cisco Brazil since 1998, in projects that involve not only security and VPN technologies but also routing protocol and campus design, IP multicast routing, and MPLS networks design. He has supported large enterprise and public sector accounts and, for almost three years, coordinated a team of Security engineers in Brazil. Alexandre holds the CISSP, CCSP, and three CCIE certifications (routing/switching, security, and service provider). Alexandre, a frequent speaker at Cisco Live, graduated in electronic engineering from the Instituto Tecnológico de Aeronáutica (ITA – Brazil) and has never hidden his sincere passion for mathematics (mainly the fields of synthetic geometry and trigonometry). Alexandre maintains a personal blog in which he discusses topics related to networking and security technologies at http://alexandremspmoraes.wordpress.com/.