Cisco Firewalls

Author:   Alexandre M.S.P. Moraes
Publisher:   Pearson Education (US)
ISBN:   9781587141096
Pages:   912
Publication Date:   16 June 2011
Format:   Paperback

Overview

Cisco Firewalls
Concepts, design and deployment for Cisco Stateful Firewall solutions

“In this book, Alexandre proposes a totally different approach to the important subject of firewalls: Instead of just presenting configuration models, he uses a set of carefully crafted examples to illustrate the theory in action. A must read!”
—Luc Billot, Security Consulting Engineer at Cisco

Cisco Firewalls thoroughly explains each of the leading Cisco firewall products, features, and solutions, and shows how they can add value to any network security design or operation. The author tightly links theory with practice, demonstrating how to integrate Cisco firewalls into highly secure, self-defending networks.

Cisco Firewalls shows you how to deploy Cisco firewalls as an essential component of every network infrastructure. The book takes the unique approach of illustrating complex configuration concepts through step-by-step examples that demonstrate the theory in action. This is the first book with detailed coverage of firewalling Unified Communications systems, network virtualization architectures, and environments that include virtual machines. The author also presents indispensable information about integrating firewalls with other security elements such as IPS, VPNs, and load balancers, as well as a complete introduction to firewalling IPv6 networks.

Cisco Firewalls will be an indispensable resource for engineers and architects designing and implementing firewalls; security administrators, operators, and support professionals; and anyone preparing for the CCNA Security, CCNP Security, or CCIE Security certification exams.

Alexandre Matos da Silva Pires de Moraes, CCIE No. 6063, has worked as a Systems Engineer for Cisco Brazil since 1998 in projects that involve not only Security and VPN technologies but also Routing Protocol and Campus Design, IP Multicast Routing, and MPLS Networks Design. He coordinated a team of Security engineers in Brazil and holds the CISSP, CCSP, and three CCIE certifications (Routing/Switching, Security, and Service Provider). A frequent speaker at Cisco Live, he holds a degree in electronic engineering from the Instituto Tecnológico de Aeronáutica (ITA – Brazil).

- Create advanced security designs utilizing the entire Cisco firewall product family
- Choose the right firewalls based on your performance requirements
- Learn firewall configuration fundamentals and master the tools that provide insight about firewall operations
- Properly insert firewalls in your network’s topology using Layer 3 or Layer 2 connectivity
- Use Cisco firewalls as part of a robust, secure virtualization architecture
- Deploy Cisco ASA firewalls with or without NAT
- Take full advantage of the classic IOS firewall feature set (CBAC)
- Implement flexible security policies with the Zone Policy Firewall (ZPF)
- Strengthen stateful inspection with antispoofing, TCP normalization, connection limiting, and IP fragmentation handling
- Use application-layer inspection capabilities built into Cisco firewalls
- Inspect IP voice protocols, including SCCP, H.323, SIP, and MGCP
- Utilize identity to provide user-based stateful functionality
- Understand how multicast traffic is handled through firewalls
- Use firewalls to protect your IPv6 deployments

This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end, self-defending networks.

Full Product Details

Imprint:   Cisco Press
Dimensions:   Width: 18.90cm , Height: 4.60cm , Length: 22.90cm
Weight:   1.426kg
ISBN 13:   9781587141096
ISBN 10:   1587141094
Audience:   Professional and scholarly ,  Professional & Vocational
Publisher's Status:   Out of Print

Table of Contents

Foreword
Introduction

Chapter 1: Firewalls and Network Security
    Security Is a Must. But, Where to Start?
    Firewalls and Domains of Trust
    Firewall Insertion in the Network Topology
        Routed Mode Versus Transparent Mode
        Network Address Translation and Port Address Translation
    Main Categories of Network Firewalls
        Packet Filters
        Circuit-Level Proxies
        Application-Level Proxies
        Stateful Firewalls
    The Evolution of Stateful Firewalls
        Application Awareness
        Identity Awareness
        Leveraging the Routing Table for Protection Tasks
        Virtual Firewalls and Network Segmentation
    What Type of Stateful Firewall?
        Firewall Appliances
        Router-Based Firewalls
        Switch-Based Firewalls
    Classic Topologies Using Stateful Firewalls
    Stateful Firewalls and Security Design
        Stateful Firewalls and VPNs
        Stateful Firewalls and Intrusion Prevention
        Stateful Firewalls and Specialized Security Appliances
    Summary

Chapter 2: Cisco Firewall Families Overview
    Overview of ASA Appliances
        Positioning of ASA Appliances
        Firewall Performance Parameters
        Overview of ASA Hardware Models
    Overview of the Firewall Services Module
    Overview of IOS-Based Integrated Firewalls
        Integrated Services Routers
        Aggregation Services Routers
    Summary

Chapter 3: Configuration Fundamentals
    Device Access Using the CLI
    Basic ASA Configuration
        Basic Configuration for ASA Appliances Other Than 5505
        Basic Configuration for the ASA 5505 Appliance
    Basic FWSM Configuration
    Remote Management Access to ASA and FWSM
        Telnet Access
        SSH Access
        HTTPS Access Using ASDM
    IOS Baseline Configuration
        Configuring Interfaces on IOS Routers
    Remote Management Access to IOS Devices
        Remote Access Using Telnet
        Remote Access Using SSH
        Remote Access Using HTTP and HTTPS
    Clock Synchronization Using NTP
    Obtaining an IP Address Through the PPPoE Client
    DHCP Services
    Summary
    Further Reading

Chapter 4: Learn the Tools. Know the Firewall
    Using Access Control Lists Beyond Packet Filtering
    Event Logging
    Debug Commands
    Flow Accounting and Other Usages of Netflow
        Enabling Flow Collection on IOS
        Traditional Netflow
        Netflow v9 and Flexible Netflow
        Enabling NSEL on an ASA Appliance
    Performance Monitoring Using ASDM
    Correlation Between Graphical Interfaces and CLI
    Packet Tracer on ASA
    Packet Capture
        Embedded Packet Capture on an ASA Appliance
        Embedded Packet Capture on IOS
    Summary

Chapter 5: Firewalls in the Network Topology
    Introduction to IP Routing and Forwarding
    Static Routing Overview
    Basic Concepts of Routing Protocols
    RIP Overview
        Configuring and Monitoring RIP
    EIGRP Overview
        Configuring and Monitoring EIGRP
            EIGRP Configuration Fundamentals
            Understanding EIGRP Metrics
            Redistributing Routes into EIGRP
            Generating a Summary EIGRP Route
            Limiting Incoming Updates with a Distribute-List
            EIGRP QUERY and REPLY Messages
            EIGRP Stub Operation
    OSPF Overview
        Configuring and Monitoring OSPF
            OSPF Configuration Fundamentals
            OSPF Scenario with Two Areas
    Configuring Authentication for Routing Protocols
    Bridged Operation
    Summary

Chapter 6: Virtualization in the Firewall World
    Some Initial Definitions
    Starting with the Data Plane: VLANs and VRFs
        Virtual LANs
        VRFs
    VRF-Aware Services
    Beyond the Data Plane—Virtual Contexts
    Management Access to Virtual Contexts
    Allocating Resources to Virtual Contexts
    Interconnecting Virtual Elements
        Interconnecting VRFs with an External Router
        Interconnecting Two Virtual Contexts That Do Not Share Any Interface
        Interconnecting Two FWSM Contexts That Share an Interface
        Interconnecting Two ASA Contexts That Share an Interface
    Issues Associated with Security Contexts
    Complete Architecture for Virtualization
        Virtualized FWSM and ACE Modules
        Segmented Transport
        Virtual Machines and the Nexus 1000V
    Summary

Chapter 7: Through ASA Without NAT
    Types of Access Through ASA-Based Firewalls
    Additional Thoughts About Security Levels
        Internet Access Firewall Topology
        Extranet Topology
        Isolating Internal Departments
    ICMP Connection Examples
        Outbound Ping
        Inbound Ping
        Windows Traceroute Through ASA
    UDP Connection Examples
        Outbound IOS Traceroute Through ASA
    TCP Connection Examples
        ASA Flags Associated with TCP Connections
        TCP Sequence Number Randomization
    Same Security Access
    Handling ACLs and Object-Groups
    Summary

Chapter 8: Through ASA Using NAT
    Nat-Control Model
    Outbound NAT Analysis
        Dynamic NAT
        Dynamic PAT
        Identity NAT
        Static NAT
        Policy NAT
            Static Policy NAT
            Dynamic Policy NAT
            Dynamic Policy PAT
        NAT Exemption
        NAT Precedence Rules
    Address Publishing for Inbound Access
        Publishing with the static Command
        Publishing with Port Redirection
        Publishing with NAT Exemption
    Inbound NAT Analysis
        Dynamic PAT for Inbound
        Identity NAT for Inbound
        NAT Exemption for Inbound
        Static NAT for Inbound
    Dual NAT
    Disabling TCP Sequence Number Randomization
    Defining Connection Limits with NAT Rules
    Summary

Chapter 9: Classic IOS Firewall Overview
    Motivations for CBAC
    CBAC Basics
    ICMP Connection Examples
    UDP Connection Examples
    TCP Connection Examples
    Handling ACLs and Object-Groups
        Using Object-Groups with ACLs
        CBAC and Access Control Lists
    IOS NAT Review
        Static NAT
        Dynamic NAT
        Policy NAT
        Dual NAT
        NAT and Flow Accounting
    CBAC and NAT
    Summary

Chapter 10: IOS Zone Policy Firewall Overview
    Motivations for the ZFW
    Building Blocks for Zone-Based Firewall Policies
    ICMP Connection Examples
    UDP Connection Examples
    TCP Connection Examples
    ZFW and ACLs
    ZFW and NAT
    ZFW in Transparent Mode
    Defining Connection Limits
    Inspection of Router Traffic
    Intrazone Firewall Policies in IOS 15.X
    Summary

Chapter 11: Additional Protection Mechanisms
    Antispoofing
        Classic Antispoofing Using ACLs
        Antispoofing with uRPF on IOS
        Antispoofing with uRPF on ASA
    TCP Flags Filtering
    Filtering on the TTL Value
    Handling IP Options
        Stateless Filtering of IP Options on IOS
        IP Options Drop on IOS
        IP Options Drop on ASA
    Dealing with IP Fragmentation
        Stateless Filtering of IP Fragments in IOS
        Virtual Fragment Reassembly on IOS
        Virtual Fragment Reassembly on ASA
    Flexible Packet Matching
    Time-Based ACLs
        Time-Based ACLs on ASA
        Time-Based ACLs on IOS
    Connection Limits on ASA
    TCP Normalization on ASA
    Threat Detection on ASA
    Summary
    Further Reading

Chapter 12: Application Inspection
    Inspection Capabilities in the Classic IOS Firewall
    Application Inspection in the Zone Policy Firewall
    DNS Inspection in the Zone Policy Firewall
    FTP Inspection in the Zone Policy Firewall
    HTTP Inspection in the Zone Policy Firewall
    IM Inspection in the Zone Policy Firewall
    Overview of ASA Application Inspection
    DNS Inspection in ASA
        DNS Guard
        DNS Doctoring
        DNS Inspection Parameters
        Some Additional DNS Inspection Capabilities
    FTP Inspection in ASA
    HTTP Inspection in ASA
    Inspection of IM and Tunneling Traffic in ASA
    Botnet Traffic Filtering in ASA
    Summary
    Further Reading

Chapter 13: Inspection of Voice Protocols
    Introduction to Voice Terminology
    Skinny Protocol
    H.323 Framework
        H.323 Direct Calls
        H.323 Calls Through a Gatekeeper
    Session Initiation Protocol (SIP)
    MGCP Protocol
    Cisco IP Phones and Digital Certificates
    Advanced Voice Inspection with ASA TLS-Proxy
    Advanced Voice Inspection with ASA Phone-Proxy
    Summary
    Further Reading

Chapter 14: Identity on Cisco Firewalls
    Selecting the Authentication Protocol
    ASA User-Level Control with Cut-Through Proxy
        Cut-Through Proxy Usage Scenarios
            Scenario 1: Simple Cut-Through Proxy (No Authorization)
            Scenario 2: Cut-Through Proxy with Downloadable ACEs
            Scenario 3: Cut-Through Proxy with Locally Defined ACL
            Scenario 4: Cut-Through Proxy with Downloadable ACLs
            Scenario 5: HTTP Listener
    IOS User-Level Control with Auth-Proxy
        Scenario 1: IOS Auth-Proxy with Downloadable Access Control Entries
        Scenario 2: IOS Auth-Proxy with Downloadable ACLs
        Scenario 3: Combining Classic IP Inspection (CBAC) and Auth-Proxy
    User-Based Zone Policy Firewall
        Establishing user-group Membership Awareness in IOS - Method 1
        Establishing user-group Membership Awareness in IOS - Method 2
        Integrating Auth-Proxy and the ZFW
    Administrative Access Control on IOS
    Administrative Access Control on ASA
    Summary

Chapter 15: Firewalls and IP Multicast
    Review of Multicast Addressing
    Overview of Multicast Routing and Forwarding
        The Concept of Upstream and Downstream Interfaces
        RPF Interfaces and the RPF Check
    Multicast Routing with PIM
        Enabling PIM on Cisco Routers
        PIM-DM Basics
        PIM-SM Basics
        Finding the Rendezvous Point on PIM-SM Topologies
    Inserting ASA in a Multicast Routing Environment
        Enabling Multicast Routing in ASA
        Stub Multicast Routing in ASA
        ASA Acting as a PIM-SM Router
    Summary of Multicast Forwarding Rules on ASA
    Summary
    Further Reading

Chapter 16: Cisco Firewalls and IPv6
    Introduction to IPv6
    Overview of IPv6 Addressing
    IPv6 Header Format
    IPv6 Connectivity Basics
    Handling IOS IPv6 Access Control Lists
    IPv6 Support in the Classic IOS Firewall
    IPv6 Support in the Zone Policy Firewall
    Handling ASA IPv6 ACLs and Object-Groups
    Stateful Inspection of IPv6 in ASA
    Establishing Connection Limits
        Setting an Upper Bound for Connections Through ASA
    IPv6 and Antispoofing
        Antispoofing with uRPF on ASA
        Antispoofing with uRPF on IOS
    IPv6 and Fragmentation
        Virtual Fragment Reassembly on ASA
        Virtual Fragment Reassembly on IOS
    Summary
    Further Reading

Chapter 17: Firewall Interactions
    Firewalls and Intrusion Prevention Systems
    Firewalls and Quality of Service
    Firewalls and Private VLANs
    Firewalls and Server Load Balancing
    Firewalls and Virtual Machines
        Protecting Virtual Machines with External Firewalls
        Protecting Virtual Machines Using Virtual Firewall Appliances
    Firewalls and IPv6 Tunneling Mechanisms
    Firewalls and IPsec VPNs
        Classic IPsec Site-to-Site for IOS
        IPsec Site-to-Site Using a Virtual Tunnel Interface (VTI)
        IPsec Site-to-Site Using a GRE Tunnel
        NAT in the Middle of an IPsec Tunnel
        Post-Decryption Filtering in ASA
    Firewalls and SSL VPNs
        Clientless Access
        Client-Based Access (AnyConnect)
    Firewalls and MPLS Networks
    Borderless Networks Vision
    Summary
    Further Reading

Appendix A: NAT and ACL Changes in ASA 8.3

Index

Reviews

Alexandre has worked with Cisco security technologies since the year 2000 and is a well-recognized expert in the LATAM security community. He is a frequent speaker at Cisco Networkers and other security conferences and has helped in training partners and customers in Brazil. In this book, he proposes a totally different approach to the important subject of firewalls: Instead of just presenting configuration models, he uses a set of carefully crafted examples to illustrate the theory in action. From the configuration fundamentals to advanced topics such as voice inspection, multicast, IPv6 and identity-based firewalls, the book unveils important details about the operations of Cisco firewall solutions, enabling the reader to better use this knowledge on security design. A must-read!
--Luc Billot, Security Consulting Engineer at Cisco (Emerging Markets and European Market)

I think that Alexandre's book could have the alternative title 'Cisco Firewalls Illustrated.' The way in which he links theory and practice is really insightful and greatly helps in understanding individual features and making better use of them for security design. Definitely a reference work in the subject!
--Louis Senecal, CCIE 2198, Consulting Systems Engineer, Cisco (Canada)

In this fully illustrated tour of the world of Cisco Firewalls, Alexandre devotes a great deal of attention to data center-related topics. Network virtualization architecture and the protection of environments that include virtual machines figure among the important subjects covered in the book. For those that want to benefit from virtualization without compromising security, this work is highly recommended.
--David Gonzalez, CISSP #99462, Consulting Systems Engineer at Cisco (LATAM)



Author Information

Alexandre Matos da Silva Pires de Moraes, CCIE No. 6063, has worked as a systems engineer for Cisco Brazil since 1998, in projects that involve not only security and VPN technologies but also routing protocol and campus design, IP multicast routing, and MPLS network design. He has supported large enterprise and public sector accounts and, for almost three years, coordinated a team of security engineers in Brazil. Alexandre holds the CISSP, CCSP, and three CCIE certifications (routing/switching, security, and service provider). Alexandre, a frequent speaker at Cisco Live, graduated in electronic engineering from the Instituto Tecnológico de Aeronáutica (ITA – Brazil) and has never hidden his sincere passion for mathematics (mainly the fields of synthetic geometry and trigonometry). Alexandre maintains a personal blog in which he discusses topics related to networking and security technologies at http://alexandremspmoraes.wordpress.com/.
