Synopses & Reviews
Product Description
Firewalls are widely recognized as key elements in the field of network protection. Even though this is not a new subject, many important concepts and resources that could be helpful in designing a secure network are often overlooked or even ignored. This book unveils the potential of Cisco firewall products and functionalities and demonstrates how they can be grouped, in a structured manner, to build security solutions. The text is written in such a way that instructive linkages between theory and practice are created naturally, thus contributing to a better understanding of the most relevant concepts and preparing the reader to produce solid designs.
The motivation for writing this book rests on a simple axiom: the better you understand how individual features operate, the better you can use them for design purposes. After all, producing better security designs is the aim of anyone truly committed to security.
The book is organized in 17 chapters, as follows:
Chapter 1. Firewalls and Network Security
Chapter 2. Cisco Firewall Families Overview
Chapter 3. Configuration Fundamentals
Chapter 4. Learn the Tools. Know the Firewall
Chapter 5. Firewalls in the Network Topology
Chapter 6. Virtualization in the Firewall World
Chapter 7. Through ASA without NAT
Chapter 8. Through ASA using NAT
Chapter 9. Classic IOS Firewall Overview
Chapter 10. IOS Zone Policy Firewall Overview
Chapter 11. Additional Protection Mechanisms
Chapter 12. Application Inspection
Chapter 13. Inspection of Voice Protocols
Chapter 14. Identity on Cisco Firewalls
Chapter 15. Firewalls and IP Multicast
Chapter 16. Cisco Firewalls and IPv6
Chapter 17. Firewall Interactions
Appendix A - NAT and ACL changes in ASA 8.3
Foreword (by Yusuf Bhaiji)
Networks today have grown exponentially both in size and complexity, becoming more multifaceted and increasingly challenging to secure. The blueprint of a core network requires a strong foundation, which can be simply provided with an integrated firewall architecture cemented at the core of the system. Today, the firewall has become a core entity within a network and an integral part of every network infrastructure.
Cisco Firewalls, by Alexandre M. S. P. Moraes, has taken a stab at unleashing some of the fundamentally missed concepts, providing readers with a complete library of the entire family of Cisco Firewall products in a single binder.
Alexandre has used a unique approach in explaining the concepts and architecture of the firewall technology. His distinct style has proven his skill at writing on a difficult subject using easy-to-understand illustrations that walk the reader through a step-by-step approach that shows the theory in action. He has combined some of the commonly used tools with the outputs from several commands to demonstrate the understanding of the technology and exemplify how it works.
Cisco Firewalls is unlike any other book on this subject and cannot be categorized as a configuration guide or command syntax manual. It provides the readers with the key tools and essential techniques to understand the wide-ranging Cisco firewall portfolio. Whether you are just a beginner trying to learn Cisco firewalls or an experienced engineer looking for a reference, there is something for everyone in this book at varying levels.
Cisco Firewalls is an essential reference in designing, implementing, and maintaining today's highly secured networks. It is a must-read and a must-have in your collection - Magnum Opus
Yusuf Bhaiji, Sr. Manager, Expert Certifications (CCIE, CCDE, CCAr)
Review
Alexandre has worked with Cisco security technologies since the year 2000 and is a well recognized expert in the LATAM security community. He is a frequent speaker at Cisco Networkers and other security conferences and has helped in training partners and customers in Brazil. In this book, he proposes a totally different approach to the important subject of firewalls: Instead of just presenting configuration models, he uses a set of carefully crafted examples to illustrate the theory in action. From the configuration fundamentals to advanced topics such as voice inspection, multicast, IPv6 and identity-based firewalls, the book unveils important details about the operations of Cisco firewall solutions, enabling the reader to better use this knowledge on security design. A must-read!
--Luc Billot, Security Consulting Engineer at Cisco (Emerging Markets and European Market)
I think that Alexandre's book could have the alternative title 'Cisco Firewalls Illustrated.' The way in which he links theory and practice is really insightful and greatly helps in understanding individual features and making better use of them for security design. Definitely a reference work in the subject!
--Louis Senecal, CCIE 2198, Consulting Systems Engineer, Cisco (Canada)
In this fully illustrated tour of the world of Cisco Firewalls, Alexandre devotes a great deal of attention to data center-related topics. Network virtualization architecture and the protection of environments that include virtual machines figure among the important subjects covered in the book. For those that want to benefit from virtualization without compromising security, this work is highly recommended.
--David Gonzalez, CISSP #99462, Consulting Systems Engineer at Cisco (LATAM)
Synopsis
Cisco Firewalls thoroughly explains Cisco's full spectrum of network and application firewall products, features, and solutions, and shows how they can add value to network security designs and operations. In this book, a leading Cisco security expert shows how to optimize the placement of Cisco firewalls, grouping and structuring them to build highly secure, self-defending networks. The book begins with a discussion of Cisco's classic stateful firewall solutions, including PIX/ASA, FWSM, and the IOS Firewall. Next, it covers application-oriented Cisco firewall offerings such as the ACE XML Gateway with web application firewall, and the IronPort Web Security Appliance. For each product, the author also explores tools for verifying correct operation, and for troubleshooting and resolving problems. This is the first book to show how to protect Unified Communications systems using Cisco firewalls. It also presents unprecedented coverage of firewall integration with other security elements such as IPS, VPNs, and load balancers, as well as two full chapters on IPv6 firewalls.
Synopsis
Cisco Firewalls
Concepts, design and deployment for Cisco Stateful Firewall solutions
“In this book, Alexandre proposes a totally different approach to the important subject of firewalls: Instead of just presenting configuration models, he uses a set of carefully crafted examples to illustrate the theory in action. A must read!” —Luc Billot, Security Consulting Engineer at Cisco
Cisco Firewalls thoroughly explains each of the leading Cisco firewall products, features, and solutions, and shows how they can add value to any network security design or operation. The author tightly links theory with practice, demonstrating how to integrate Cisco firewalls into highly secure, self-defending networks. Cisco Firewalls shows you how to deploy Cisco firewalls as an essential component of every network infrastructure. The book takes the unique approach of illustrating complex configuration concepts through step-by-step examples that demonstrate the theory in action. This is the first book with detailed coverage of firewalling Unified Communications systems, network virtualization architectures, and environments that include virtual machines. The author also presents indispensable information about integrating firewalls with other security elements such as IPS, VPNs, and load balancers; as well as a complete introduction to firewalling IPv6 networks. Cisco Firewalls will be an indispensable resource for engineers and architects designing and implementing firewalls; security administrators, operators, and support professionals; and anyone preparing for the CCNA Security, CCNP Security, or CCIE Security certification exams.
Alexandre Matos da Silva Pires de Moraes, CCIE No. 6063, has worked as a Systems Engineer for Cisco Brazil since 1998 in projects that involve not only Security and VPN technologies but also Routing Protocol and Campus Design, IP Multicast Routing, and MPLS Networks Design. He coordinated a team of Security engineers in Brazil and holds the CISSP, CCSP, and three CCIE certifications (Routing/Switching, Security, and Service Provider). A frequent speaker at Cisco Live, he holds a degree in electronic engineering from the Instituto Tecnológico de Aeronáutica (ITA – Brazil).
· Create advanced security designs utilizing the entire Cisco firewall product family
· Choose the right firewalls based on your performance requirements
· Learn firewall configuration fundamentals and master the tools that provide insight about firewall operations
· Properly insert firewalls in your network’s topology using Layer 3 or Layer 2 connectivity
· Use Cisco firewalls as part of a robust, secure virtualization architecture
· Deploy Cisco ASA firewalls with or without NAT
· Take full advantage of the classic IOS firewall feature set (CBAC)
· Implement flexible security policies with the Zone Policy Firewall (ZPF)
· Strengthen stateful inspection with antispoofing, TCP normalization, connection limiting, and IP fragmentation handling
· Use application-layer inspection capabilities built into Cisco firewalls
· Inspect IP voice protocols, including SCCP, H.323, SIP, and MGCP
· Utilize identity to provide user-based stateful functionality
· Understand how multicast traffic is handled through firewalls
· Use firewalls to protect your IPv6 deployments
This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end, self-defending networks.
About the Author
Alexandre Matos da Silva Pires de Moraes, CCIE No. 6063, has worked as a systems engineer for Cisco Brazil since 1998, in projects that involve not only security and VPN technologies but also routing protocol and campus design, IP multicast routing, and MPLS network design. He has supported large enterprise and public sector accounts and, for almost three years, coordinated a team of security engineers in Brazil. Alexandre holds the CISSP, CCSP, and three CCIE certifications (routing/switching, security, and service provider). Alexandre, a frequent speaker at Cisco Live, graduated in electronic engineering from the Instituto Tecnológico de Aeronáutica (ITA – Brazil) and has never hidden his sincere passion for mathematics (mainly the fields of synthetic geometry and trigonometry). Alexandre maintains a personal blog in which he discusses topics related to networking and security technologies at http://alexandremspmoraes.wordpress.com/.
Table of Contents
Foreword
Introduction
Chapter 1: Firewalls and Network Security
Security Is a Must. But, Where to Start?
Firewalls and Domains of Trust
Firewall Insertion in the Network Topology
Routed Mode Versus Transparent Mode
Network Address Translation and Port Address Translation
Main Categories of Network Firewalls
Packet Filters
Circuit-Level Proxies
Application-Level Proxies
Stateful Firewalls
The Evolution of Stateful Firewalls
Application Awareness
Identity Awareness
Leveraging the Routing Table for Protection Tasks
Virtual Firewalls and Network Segmentation
What Type of Stateful Firewall?
Firewall Appliances
Router-Based Firewalls
Switch-Based Firewalls
Classic Topologies Using Stateful Firewalls
Stateful Firewalls and Security Design
Stateful Firewalls and VPNs
Stateful Firewalls and Intrusion Prevention
Stateful Firewalls and Specialized Security Appliances
Summary
Chapter 2: Cisco Firewall Families Overview
Overview of ASA Appliances
Positioning of ASA Appliances
Firewall Performance Parameters
Overview of ASA Hardware Models
Overview of the Firewall Services Module
Overview of IOS-Based Integrated Firewalls
Integrated Services Routers
Aggregation Services Routers
Summary
Chapter 3: Configuration Fundamentals
Device Access Using the CLI
Basic ASA Configuration
Basic Configuration for ASA Appliances Other Than 5505
Basic Configuration for the ASA 5505 Appliance
Basic FWSM Configuration
Remote Management Access to ASA and FWSM
Telnet Access
SSH Access
HTTPS Access Using ASDM
IOS Baseline Configuration
Configuring Interfaces on IOS Routers
Remote Management Access to IOS Devices
Remote Access Using Telnet
Remote Access Using SSH
Remote Access Using HTTP and HTTPS
Clock Synchronization Using NTP
Obtaining an IP Address Through the PPPoE Client
DHCP Services
Summary
Further Reading
Chapter 4: Learn the Tools. Know the Firewall
Using Access Control Lists Beyond Packet Filtering
Event Logging
Debug Commands
Flow Accounting and Other Usages of Netflow
Enabling Flow Collection on IOS
Traditional Netflow
Netflow v9 and Flexible Netflow
Enabling NSEL on an ASA Appliance
Performance Monitoring Using ASDM
Correlation Between Graphical Interfaces and CLI
Packet Tracer on ASA
Packet Capture
Embedded Packet Capture on an ASA Appliance
Embedded Packet Capture on IOS
Summary
Chapter 5: Firewalls in the Network Topology
Introduction to IP Routing and Forwarding
Static Routing Overview
Basic Concepts of Routing Protocols
RIP Overview
Configuring and Monitoring RIP
EIGRP Overview
Configuring and Monitoring EIGRP
EIGRP Configuration Fundamentals
Understanding EIGRP Metrics
Redistributing Routes into EIGRP
Generating a Summary EIGRP Route
Limiting Incoming Updates with a Distribute-List
EIGRP QUERY and REPLY Messages
EIGRP Stub Operation
OSPF Overview
Configuring and Monitoring OSPF
OSPF Configuration Fundamentals
OSPF Scenario with Two Areas
Configuring Authentication for Routing Protocols
Bridged Operation
Summary
Chapter 6: Virtualization in the Firewall World
Some Initial Definitions
Starting with the Data Plane: VLANs and VRFs
Virtual LANs
VRFs
VRF-Aware Services
Beyond the Data Plane—Virtual Contexts
Management Access to Virtual Contexts
Allocating Resources to Virtual Contexts
Interconnecting Virtual Elements
Interconnecting VRFs with an External Router
Interconnecting Two Virtual Contexts That Do Not Share Any Interface
Interconnecting Two FWSM Contexts That Share an Interface
Interconnecting Two ASA Contexts That Share an Interface
Issues Associated with Security Contexts
Complete Architecture for Virtualization
Virtualized FWSM and ACE Modules
Segmented Transport
Virtual Machines and the Nexus 1000V
Summary
Chapter 7: Through ASA Without NAT
Types of Access Through ASA-Based Firewalls
Additional Thoughts About Security Levels
Internet Access Firewall Topology
Extranet Topology
Isolating Internal Departments
ICMP Connection Examples
Outbound Ping
Inbound Ping
Windows Traceroute Through ASA
UDP Connection Examples
Outbound IOS Traceroute Through ASA
TCP Connection Examples
ASA Flags Associated with TCP Connections
TCP Sequence Number Randomization
Same Security Access
Handling ACLs and Object-Groups
Summary
Chapter 8: Through ASA Using NAT
Nat-Control Model
Outbound NAT Analysis
Dynamic NAT
Dynamic PAT
Identity NAT
Static NAT
Policy NAT
Static Policy NAT
Dynamic Policy NAT
Dynamic Policy PAT
NAT Exemption
NAT Precedence Rules
Address Publishing for Inbound Access
Publishing with the static Command
Publishing with Port Redirection
Publishing with NAT Exemption
Inbound NAT Analysis
Dynamic PAT for Inbound
Identity NAT for Inbound
NAT Exemption for Inbound
Static NAT for Inbound
Dual NAT
Disabling TCP Sequence Number Randomization
Defining Connection Limits with NAT Rules
Summary
Chapter 9: Classic IOS Firewall Overview
Motivations for CBAC
CBAC Basics
ICMP Connection Examples
UDP Connection Examples
TCP Connection Examples
Handling ACLs and Object-Groups
Using Object-Groups with ACLs
CBAC and Access Control Lists
IOS NAT Review
Static NAT
Dynamic NAT
Policy NAT
Dual NAT
NAT and Flow Accounting
CBAC and NAT
Summary
Chapter 10: IOS Zone Policy Firewall Overview
Motivations for the ZFW
Building Blocks for Zone-Based Firewall Policies
ICMP Connection Examples
UDP Connection Examples
TCP Connection Examples
ZFW and ACLs
ZFW and NAT
ZFW in Transparent Mode
Defining Connection Limits
Inspection of Router Traffic
Intrazone Firewall Policies in IOS 15.X
Summary
Chapter 11: Additional Protection Mechanisms
Antispoofing
Classic Antispoofing Using ACLs
Antispoofing with uRPF on IOS
Antispoofing with uRPF on ASA
TCP Flags Filtering
Filtering on the TTL Value
Handling IP Options
Stateless Filtering of IP Options on IOS
IP Options Drop on IOS
IP Options Drop on ASA
Dealing with IP Fragmentation
Stateless Filtering of IP Fragments in IOS
Virtual Fragment Reassembly on IOS
Virtual Fragment Reassembly on ASA
Flexible Packet Matching
Time-Based ACLs
Time-Based ACLs on ASA
Time-Based ACLs on IOS
Connection Limits on ASA
TCP Normalization on ASA
Threat Detection on ASA
Summary
Further Reading
Chapter 12: Application Inspection
Inspection Capabilities in the Classic IOS Firewall
Application Inspection in the Zone Policy Firewall
DNS Inspection in the Zone Policy Firewall
FTP Inspection in the Zone Policy Firewall
HTTP Inspection in the Zone Policy Firewall
IM Inspection in the Zone Policy Firewall
Overview of ASA Application Inspection
DNS Inspection in ASA
DNS Guard
DNS Doctoring
DNS Inspection Parameters
Some Additional DNS Inspection Capabilities
FTP Inspection in ASA
HTTP Inspection in ASA
Inspection of IM and Tunneling Traffic in ASA
Botnet Traffic Filtering in ASA
Summary
Further Reading
Chapter 13: Inspection of Voice Protocols
Introduction to Voice Terminology
Skinny Protocol
H.323 Framework
H.323 Direct Calls
H.323 Calls Through a Gatekeeper
Session Initiation Protocol (SIP)
MGCP Protocol
Cisco IP Phones and Digital Certificates
Advanced Voice Inspection with ASA TLS-Proxy
Advanced Voice Inspection with ASA Phone-Proxy
Summary
Further Reading
Chapter 14: Identity on Cisco Firewalls
Selecting the Authentication Protocol
ASA User-Level Control with Cut-Through Proxy
Cut-Through Proxy Usage Scenarios
Scenario 1: Simple Cut-Through Proxy (No Authorization)
Scenario 2: Cut-Through Proxy with Downloadable ACEs
Scenario 3: Cut-Through Proxy with Locally Defined ACL
Scenario 4: Cut-Through Proxy with Downloadable ACLs
Scenario 5: HTTP Listener
IOS User-Level Control with Auth-Proxy
Scenario 1: IOS Auth-Proxy with Downloadable Access Control Entries
Scenario 2: IOS Auth-Proxy with Downloadable ACLs
Scenario 3: Combining Classic IP Inspection (CBAC) and Auth-Proxy
User-Based Zone Policy Firewall
Establishing user-group Membership Awareness in IOS - Method 1
Establishing user-group Membership Awareness in IOS - Method 2
Integrating Auth-Proxy and the ZFW
Administrative Access Control on IOS
Administrative Access Control on ASA
Summary
Chapter 15: Firewalls and IP Multicast
Review of Multicast Addressing
Overview of Multicast Routing and Forwarding
The Concept of Upstream and Downstream Interfaces
RPF Interfaces and the RPF Check
Multicast Routing with PIM
Enabling PIM on Cisco Routers
PIM-DM Basics
PIM-SM Basics
Finding the Rendezvous Point on PIM-SM Topologies
Inserting ASA in a Multicast Routing Environment
Enabling Multicast Routing in ASA
Stub Multicast Routing in ASA
ASA Acting as a PIM-SM Router
Summary of Multicast Forwarding Rules on ASA
Summary
Further Reading
Chapter 16: Cisco Firewalls and IPv6
Introduction to IPv6
Overview of IPv6 Addressing
IPv6 Header Format
IPv6 Connectivity Basics
Handling IOS IPv6 Access Control Lists
IPv6 Support in the Classic IOS Firewall
IPv6 Support in the Zone Policy Firewall
Handling ASA IPv6 ACLs and Object-Groups
Stateful Inspection of IPv6 in ASA
Establishing Connection Limits
Setting an Upper Bound for Connections Through ASA
IPv6 and Antispoofing
Antispoofing with uRPF on ASA
Antispoofing with uRPF on IOS
IPv6 and Fragmentation
Virtual Fragment Reassembly on ASA
Virtual Fragment Reassembly on IOS
Summary
Further Reading
Chapter 17: Firewall Interactions
Firewalls and Intrusion Prevention Systems
Firewalls and Quality of Service
Firewalls and Private VLANs
Firewalls and Server Load Balancing
Firewalls and Virtual Machines
Protecting Virtual Machines with External Firewalls
Protecting Virtual Machines Using Virtual Firewall Appliances
Firewalls and IPv6 Tunneling Mechanisms
Firewalls and IPsec VPNs
Classic IPsec Site-to-Site for IOS
IPsec Site-to-Site Using a Virtual Tunnel Interface (VTI)
IPsec Site-to-Site Using a GRE Tunnel
NAT in the Middle of an IPsec Tunnel
Post-Decryption Filtering in ASA
Firewalls and SSL VPNs
Clientless Access
Client-Based Access (AnyConnect)
Firewalls and MPLS Networks
Borderless Networks Vision
Summary
Further Reading
Appendix A: NAT and ACL Changes in ASA 8.3
Index