Cisco ASA and PIX Firewall Handbook
The complete guide to the most popular Cisco PIX (R), ASA, FWSM, and IOS (R) firewall security features

- Learn about the various firewall models, user interfaces, feature sets, and configuration methods
- Understand how a Cisco firewall inspects traffic
- Configure firewall interfaces, routing, IP addressing services, and IP multicast support
- Maintain security contexts and Flash and configuration files, manage users, and monitor firewalls with SNMP
- Authenticate, authorize, and maintain accounting records for firewall users
- Control access through the firewall by implementing transparent and routed firewall modes, address translation, traffic filtering, user authentication, content filtering, application inspection, and traffic shunning
- Increase firewall availability with firewall failover operation
- Understand how firewall load balancing works
- Generate firewall activity logs and learn how to analyze the contents of the log
- Verify firewall operation and connectivity and observe data passing through a firewall
- Control access and manage activity on the Cisco IOS firewall
- Configure a Cisco firewall to act as an IDS sensor

Every organization has data, facilities, and workflow processes that are critical to its success. As more organizations make greater use of the Internet, defending against network attacks becomes crucial for businesses. Productivity gains and returns on company investments are at risk if the network is not properly defended. Firewalls have emerged as the essential foundation component in any network security architecture. Cisco ASA and PIX Firewall Handbook is a guide for the most commonly implemented features of the popular Cisco Systems (R) firewall security solutions. This is the first book to cover the revolutionary Cisco ASA and PIX (R) version 7 security appliances.

This book will help you quickly and easily configure, integrate, and manage the entire suite of Cisco (R) firewall products, including Cisco ASA, PIX version 7 and 6.3, the Cisco IOS router firewall, and the Catalyst Firewall Services Module (FWSM). Organized by families of features, this book helps you get up to speed quickly and efficiently on topics such as file management, building connectivity, controlling access, firewall management, increasing availability with failover, load balancing, logging, and verifying operation. Shaded thumbtabs mark each section for quick reference, and each section provides information in a concise format, with background, configuration, and example components. Each section also has a quick reference table of commands that you can use to troubleshoot or display information about the features presented. Appendixes present lists of well-known IP protocol numbers, ICMP message types, and IP port numbers that are supported in firewall configuration commands and provide a quick reference to the many logging messages that can be generated from a Cisco PIX, ASA, FWSM, or IOS firewall. Whether you are looking for an introduction to the firewall features of the new ASA security appliance, a guide to configuring firewalls with the new Cisco PIX version 7 operating system, or a complete reference for making the most out of your Cisco ASA, PIX, IOS, and FWSM firewall deployments, Cisco ASA and PIX Firewall Handbook helps you achieve maximum protection of your network resources.

"Many books on network security and firewalls settle for a discussion focused primarily on concepts and theory. This book, however, goes well beyond these topics. It covers in tremendous detail the information every network and security administrator needs to know when configuring and managing market-leading firewall products from Cisco." - Jason Nolet, Sr. Director of Engineering, Security Technology Group, Cisco Systems

This security book is part of the Cisco Press (R) Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
- Paperback | 840 pages
- 188 x 228 x 46mm | 1,401.59g
- 07 Jun 2005
- Pearson Education (US)
- Cisco Press
- Indianapolis, United States
Table of contents
- Introduction
- Chapter 1 Firewall Overview
  - 1-1: Overview of Firewall Operation
    - Initial Checking
    - Xlate Lookup
    - Conn Lookup
    - ACL Lookup
    - Uauth Lookup
    - Inspection Engine
  - 1-2: Inspection Engines for ICMP, UDP, and TCP
    - ICMP Inspection
    - UDP Inspection
    - TCP Inspection
    - TCP Normalization
    - Other Firewall Operations
  - 1-3: Hardware and Performance
  - 1-4: Basic Security Policy Guidelines
  - Further Reading
- Chapter 2 Configuration Fundamentals
  - 2-1: User Interface
    - User Interface Modes
    - User Interface Features
  - 2-2: Firewall Features and Licenses
    - Upgrading a License Activation Key
  - 2-3: Initial Firewall Configuration
- Chapter 3 Building Connectivity
  - 3-1: Configuring Interfaces
    - Basic Interface Configuration
    - Configuring IPv6 on an Interface
    - Configuring the ARP Cache
    - Configuring Interface MTU and Fragmentation
    - Configuring an Interface Priority Queue
    - Firewall Topology Considerations
  - 3-2: Configuring Routing
    - Using Routing Information to Prevent IP Address Spoofing
    - Configuring Static Routes
    - Configuring RIP to Exchange Routing Information
    - Configuring OSPF to Exchange Routing Information
  - 3-3: DHCP Server Functions
    - Using the Firewall as a DHCP Server
    - Relaying DHCP Requests to a DHCP Server
  - 3-4: Multicast Support
    - Multicast Overview
    - Multicast Addressing
    - Forwarding Multicast Traffic
    - IGMP: Finding Multicast Group Recipients
    - PIM: Building a Multicast Distribution Tree
    - Configuring PIM
    - Configuring Stub Multicast Routing (SMR)
    - Configuring IGMP Operation
    - Stub Multicast Routing Example
    - PIM Multicast Routing Example
    - Verifying IGMP Multicast Operation
    - Verifying PIM Multicast Routing Operation
- Chapter 4 Firewall Management
  - 4-1: Using Security Contexts to Make Virtual Firewalls
    - Security Context Organization
    - Sharing Context Interfaces
    - Issues with Sharing Context Interfaces
    - Configuration Files and Security Contexts
    - Guidelines for Multiple-Context Configuration
    - Initiating Multiple-Context Mode
    - Navigating Multiple Security Contexts
    - Configuring a New Context
    - Allocating Firewall Resources to Contexts
    - Verifying Multiple-Context Operation
  - 4-2: Managing the Flash File System
    - Using the PIX 6.x Flash File System
    - Navigating a PIX 7.x or FWSM Flash File System
    - Administering a PIX 7.x or FWSM Flash File System
    - Identifying the Operating System Image
    - Upgrading an Image from the Monitor Prompt
    - Upgrading an Image from an Administrative Session
  - 4-3: Managing Configuration Files
    - Managing the Startup Configuration
    - Saving a Running Configuration
    - Importing a Configuration
  - 4-4: Managing Administrative Sessions
    - Console Connection
    - Telnet Sessions
    - SSH Sessions
    - PDM/ASDM Sessions
    - User Session Banners
    - Monitoring Administrative Sessions
  - 4-5: Firewall Reloads and Crashes
    - Reloading a Firewall
    - Obtaining Crash Information
  - 4-6: Monitoring a Firewall with SNMP
    - Overview of Firewall SNMP Support
    - SNMP Configuration
- Chapter 5 Managing Firewall Users
  - 5-1: Managing Generic Users
    - Authenticating and Authorizing Generic Users
    - Accounting of Generic Users
  - 5-2: Managing Users with a Local Database
    - Authenticating with Local Usernames
    - Authorizing Users to Access Firewall Commands
    - Accounting of Local User Activity
  - 5-3: Defining AAA Servers for User Management
  - 5-4: Configuring AAA to Manage Administrative Users
    - Enabling AAA User Authentication
    - Enabling AAA Command Authorization
    - Enabling AAA Command Accounting
  - 5-5: Configuring AAA for End-User Cut-Through Proxy
    - Authenticating Users Passing Through
    - Authorizing User Activity with TACACS+ Servers
    - Authorizing User Activity with RADIUS Servers
    - Keeping Accounting Records of User Activity
    - AAA Cut-Through Proxy Configuration Examples
  - 5-6: Firewall Password Recovery
    - Recovering a PIX or ASA Password
    - Recovering an FWSM Password
- Chapter 6 Controlling Access Through the Firewall
  - 6-1: Transparent Firewall Mode
    - Configuring a Transparent Firewall
  - 6-2: Routed Firewall Mode and Address Translation
    - Defining Access Directions
    - Types of Address Translation
    - Handling Connections Through an Address Translation
    - Static NAT
    - Policy NAT
    - Identity NAT
    - NAT Exemption
    - Dynamic Address Translation (NAT or PAT)
    - Controlling Traffic
  - 6-3: Controlling Access with Access Lists
    - Defining Object Groups
    - Configuring an Access List
    - Access List Examples
    - Monitoring Access Lists
  - 6-4: Filtering Content
    - Configuring Content Filters
    - Content-Filtering Examples
  - 6-5: Defining Security Policies in a Modular Policy Framework
    - Classifying Traffic
    - Defining a Policy
    - Default Policy Definitions
  - 6-6: Application Inspection
    - Configuring Application Inspection
  - 6-7: Shunning Traffic
    - Shun Example
- Chapter 7 Increasing Firewall Availability with Failover
  - 7-1: Firewall Failover Overview
    - How Failover Works
    - Firewall Failover Roles
    - Detecting a Firewall Failure
    - Failover Communication
    - Active-Active Failover Requirements
  - 7-2: Configuring Firewall Failover
  - 7-3: Firewall Failover Configuration Examples
    - Active-Standby Failover Example with PIX Firewalls
    - Active-Standby Failover Example with FWSM
    - Active-Active Failover Example
  - 7-4: Managing Firewall Failover
    - Displaying Information About Failover
    - Debugging Failover Activity
    - Manually Intervening in Failover
  - 7-5: Upgrading Firewalls in Failover Mode
    - Upgrading an Active-Standby Failover Pair
    - Upgrading an Active-Active Failover Pair
- Chapter 8 Firewall Load Balancing
  - 8-1: Firewall Load Balancing Overview
  - 8-2: Firewall Load Balancing in Software
    - IOS FWLB Configuration Notes
    - IOS FWLB Configuration
    - IOS Firewall Load-Balancing Example
    - Displaying Information About IOS FWLB
  - 8-3: Firewall Load Balancing in Hardware
    - FWLB in Hardware Configuration Notes
    - CSM FWLB Configuration
    - CSM Firewall Load-Balancing Example
    - Displaying Information About CSM FWLB
  - 8-4: Firewall Load-Balancing Appliance
    - CSS FWLB Configuration
    - CSS Appliance Firewall Load-Balancing Example
    - Displaying Information About CSS FWLB
- Chapter 9 Firewall Logging
  - 9-1: Managing the Firewall Clock
    - Setting the Clock Manually
    - Setting the Clock with NTP
  - 9-2: Generating Logging Messages
    - Syslog Server Suggestions
    - Logging Configuration
    - Verifying Message Logging Activity
    - Manually Testing Logging Message Generation
  - 9-3: Fine-Tuning Logging Message Generation
    - Pruning Messages
    - Changing the Message Severity Level
    - Access List Activity Logging
  - 9-4: Analyzing Firewall Logs
- Chapter 10 Verifying Firewall Operation
  - 10-1: Checking Firewall Vital Signs
    - Using the Syslog Information
    - Checking System Resources
    - Checking Stateful Inspection Resources
    - Checking Firewall Throughput
    - Checking Inspection Engine and Service Policy Activity
    - Checking Failover Operation
    - Checking Firewall Interfaces
  - 10-2: Watching Data Pass Through a Firewall
    - Using Capture
    - Using Debug Packet
  - 10-3: Verifying Firewall Connectivity
    - Step 1: Test with Ping Packets
    - Step 2: Check the ARP Cache
    - Step 3: Check the Routing Table
    - Step 4: Use Traceroute to Verify the Forwarding Path
    - Step 5: Check the Access Lists
    - Step 6: Verify Address Translation Operation
    - Step 7: Look for Active Shuns
    - Step 8: Check User Authentication
    - Step 9: See What Has Changed
- Chapter 11 Cisco IOS Firewall: Controlling Access
  - 11-1: IOS Transparent Firewall
    - Configuring a Transparent IOS Firewall
  - 11-2: Configuring Network Address Translation
    - NAT Operation
    - Using Static Address Translations
    - Using Dynamic Address Translations
  - 11-3: Configuring IOS Firewall Stateful Inspection
    - How CBAC Works
    - Configuring CBAC Inspection
    - CBAC Example
    - Monitoring CBAC Operation
  - 11-4: HTTP, Java, and URL Filtering
    - Monitoring URL Filtering
- Chapter 12 Cisco IOS Firewall: Managing Activity
  - 12-1: Synchronizing the IOS Firewall Clock
    - Setting the Clock Manually
    - Setting the Clock with NTP
  - 12-2: Configuring IOS Firewall Logging
    - Syslog Server Suggestions
    - Logging Configuration
    - IOS Firewall Logging Messages
  - 12-3: Using Authentication Proxy to Manage User Access
    - Configuring Authentication Proxy
    - Authentication Proxy Example
- Chapter 13 Intrusion Detection System (IDS) Sensors
  - 13-1: IDS Overview
    - Cisco Embedded IDS Sensor Availability
    - IDS Alarms
  - 13-2: IDS Embedded Sensor Configuration
    - Locating the Signature Definitions
    - Using a Signature Update with an IOS IPS Sensor
    - Configuring an Embedded IDS Sensor
    - IDS Sensor Examples
  - 13-3: Monitoring IDS Activity
    - Verifying Syslog Operation
    - Verifying Post Office Operation
    - Verifying IDS Activity on a Router Sensor
    - Verifying IDS Activity on a Firewall Sensor
  - 13-4: IDS Sensor Signature List
- Appendix A Well-Known Protocol and Port Numbers
  - A-1: IP Protocol Numbers
  - A-2: ICMP Message Types
  - A-3: IP Port Numbers
- Appendix B Security Appliance Logging Messages
  - B-1: Alerts - Syslog Severity Level 1 Messages
  - B-2: Critical - Syslog Severity Level 2 Messages
  - B-3: Errors - Syslog Severity Level 3 Messages
  - B-4: Warnings - Syslog Severity Level 4 Messages
  - B-5: Notifications - Syslog Severity Level 5 Messages
  - B-6: Informational - Syslog Severity Level 6 Messages
  - B-7: Debugging - Syslog Severity Level 7 Messages
About David Hucaby
David Hucaby, CCIE (R) No. 4594, is a lead network engineer for the University of Kentucky, where he works with healthcare networks based on the Cisco Catalyst, IP Telephony, PIX, and VPN product lines. David was one of the beta reviewers of the PIX version 7 Firewall operating system software.