The complete guide to the most popular Cisco PIX®, ASA, FWSM, and IOS® firewall security features
Every organization has data, facilities, and workflow processes that are critical to its success. As more organizations make greater use of the Internet, defending against network attacks becomes crucial for businesses. Productivity gains and returns on company investments are at risk if the network is not properly defended. Firewalls have emerged as the essential foundation component in any network security architecture.
Cisco ASA and PIX Firewall Handbook is a guide to the most commonly implemented features of the popular Cisco Systems® firewall security solutions. This is the first book to cover the revolutionary Cisco ASA and PIX® version 7 security appliances. This book will help you quickly and easily configure, integrate, and manage the entire suite of Cisco® firewall products, including Cisco ASA, PIX version 7 and 6.3, the Cisco IOS router firewall, and the Catalyst Firewall Services Module (FWSM). Organized by families of features, this book helps you get up to speed quickly and efficiently on topics such as file management, building connectivity, controlling access, firewall management, increasing availability with failover, load balancing, logging, and verifying operation. Shaded thumbtabs mark each section for quick reference, and each section presents information in a concise format, with background, configuration, and example components. Each section also has a quick-reference table of commands that you can use to troubleshoot or display information about the features presented. Appendixes list the well-known IP protocol numbers, ICMP message types, and IP port numbers that are supported in firewall configuration commands, and provide a quick reference to the many logging messages that can be generated by a Cisco PIX, ASA, FWSM, or IOS firewall.
Whether you are looking for an introduction to the firewall features of the new ASA security appliance, a guide to configuring firewalls with the new Cisco PIX version 7 operating system, or a complete reference for making the most out of your Cisco ASA, PIX, IOS, and FWSM firewall deployments, Cisco ASA and PIX Firewall Handbook helps you achieve maximum protection of your network resources.
“Many books on network security and firewalls settle for a discussion focused primarily on concepts and theory. This book, however, goes well beyond these topics. It covers in tremendous detail the information every network and security administrator needs to know when configuring and managing market-leading firewall products from Cisco.”
—Jason Nolet, Sr. Director of Engineering, Security Technology Group, Cisco Systems
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Introduction
Chapter 1 Firewall Overview
1-1: Overview of Firewall Operation
Initial Checking
Xlate Lookup
Conn Lookup
ACL Lookup
Uauth Lookup
Inspection Engine
1-2: Inspection Engines for ICMP, UDP, and TCP
ICMP Inspection
UDP Inspection
TCP Inspection
TCP Normalization
Other Firewall Operations
1-3: Hardware and Performance
1-4: Basic Security Policy Guidelines
Further Reading
Chapter 2 Configuration Fundamentals
2-1: User Interface
User Interface Modes
User Interface Features
2-2: Firewall Features and Licenses
Upgrading a License Activation Key
2-3: Initial Firewall Configuration
Chapter 3 Building Connectivity
3-1: Configuring Interfaces
Basic Interface Configuration
Configuring IPv6 on an Interface
Configuring the ARP Cache
Configuring Interface MTU and Fragmentation
Configuring an Interface Priority Queue
Firewall Topology Considerations
3-2: Configuring Routing
Using Routing Information to Prevent IP Address Spoofing
Configuring Static Routes
Configuring RIP to Exchange Routing Information
Configuring OSPF to Exchange Routing Information
3-3: DHCP Server Functions
Using the Firewall as a DHCP Server
Relaying DHCP Requests to a DHCP Server
3-4: Multicast Support
Multicast Overview
Multicast Addressing
Forwarding Multicast Traffic
IGMP: Finding Multicast Group Recipients
PIM: Building a Multicast Distribution Tree
Configuring PIM
Configuring Stub Multicast Routing (SMR)
Configuring IGMP Operation
Stub Multicast Routing Example
PIM Multicast Routing Example
Verifying IGMP Multicast Operation
Verifying PIM Multicast Routing Operation
Chapter 4 Firewall Management
4-1: Using Security Contexts to Make Virtual Firewalls
Security Context Organization
Sharing Context Interfaces
Issues with Sharing Context Interfaces
Configuration Files and Security Contexts
Guidelines for Multiple-Context Configuration
Initiating Multiple-Context Mode
Navigating Multiple Security Contexts
Configuring a New Context
Allocating Firewall Resources to Contexts
Verifying Multiple-Context Operation
4-2: Managing the Flash File System
Using the PIX 6.x Flash File System
Navigating a PIX 7.x or FWSM Flash File System
Administering a PIX 7.x or FWSM Flash File System
Identifying the Operating System Image
Upgrading an Image from the Monitor Prompt
Upgrading an Image from an Administrative Session
4-3: Managing Configuration Files
Managing the Startup Configuration
Saving a Running Configuration
Importing a Configuration
4-4: Managing Administrative Sessions
Console Connection
Telnet Sessions
SSH Sessions
PDM/ASDM Sessions
User Session Banners
Monitoring Administrative Sessions
4-5: Firewall Reloads and Crashes
Reloading a Firewall
Obtaining Crash Information
4-6: Monitoring a Firewall with SNMP
Overview of Firewall SNMP Support
SNMP Configuration
Chapter 5 Managing Firewall Users
5-1: Managing Generic Users
Authenticating and Authorizing Generic Users
Accounting of Generic Users
5-2: Managing Users with a Local Database
Authenticating with Local Usernames
Authorizing Users to Access Firewall Commands
Accounting of Local User Activity
5-3: Defining AAA Servers for User Management
5-4: Configuring AAA to Manage Administrative Users
Enabling AAA User Authentication
Enabling AAA Command Authorization
Enabling AAA Command Accounting
5-5: Configuring AAA for End-User Cut-Through Proxy
Authenticating Users Passing Through
Authorizing User Activity with TACACS+ Servers
Authorizing User Activity with RADIUS Servers
Keeping Accounting Records of User Activity
AAA Cut-Through Proxy Configuration Examples
5-6: Firewall Password Recovery
Recovering a PIX or ASA Password
Recovering an FWSM Password
Chapter 6 Controlling Access Through the Firewall
6-1: Transparent Firewall Mode
Configuring a Transparent Firewall
6-2: Routed Firewall Mode and Address Translation
Defining Access Directions
Types of Address Translation
Handling Connections Through an Address Translation
Static NAT
Policy NAT
Identity NAT
NAT Exemption
Dynamic Address Translation (NAT or PAT)
Controlling Traffic
6-3: Controlling Access with Access Lists
Defining Object Groups
Configuring an Access List
Access List Examples
Monitoring Access Lists
6-4: Filtering Content
Configuring Content Filters
Content-Filtering Examples
6-5: Defining Security Policies in a Modular Policy Framework
Classifying Traffic
Defining a Policy
Default Policy Definitions
6-6: Application Inspection
Configuring Application Inspection
6-7: Shunning Traffic
Shun Example
Chapter 7 Increasing Firewall Availability with Failover
7-1: Firewall Failover Overview
How Failover Works
Firewall Failover Roles
Detecting a Firewall Failure
Failover Communication
Active-Active Failover Requirements
7-2: Configuring Firewall Failover
7-3: Firewall Failover Configuration Examples
Active-Standby Failover Example with PIX Firewalls
Active-Standby Failover Example with FWSM
Active-Active Failover Example
7-4: Managing Firewall Failover
Displaying Information About Failover
Debugging Failover Activity
Manually Intervening in Failover
7-5: Upgrading Firewalls in Failover Mode
Upgrading an Active-Standby Failover Pair
Upgrading an Active-Active Failover Pair
Chapter 8 Firewall Load Balancing
8-1: Firewall Load Balancing Overview
8-2: Firewall Load Balancing in Software
IOS FWLB Configuration Notes
IOS FWLB Configuration
IOS Firewall Load-Balancing Example
Displaying Information About IOS FWLB
8-3: Firewall Load Balancing in Hardware
FWLB in Hardware Configuration Notes
CSM FWLB Configuration
CSM Firewall Load-Balancing Example
Displaying Information About CSM FWLB
8-4: Firewall Load-Balancing Appliance
CSS FWLB Configuration
CSS Appliance Firewall Load-Balancing Example
Displaying Information About CSS FWLB
Chapter 9 Firewall Logging
9-1: Managing the Firewall Clock
Setting the Clock Manually
Setting the Clock with NTP
9-2: Generating Logging Messages
Syslog Server Suggestions
Logging Configuration
Verifying Message Logging Activity
Manually Testing Logging Message Generation
9-3: Fine-Tuning Logging Message Generation
Pruning Messages
Changing the Message Severity Level
Access List Activity Logging
9-4: Analyzing Firewall Logs
Chapter 10 Verifying Firewall Operation
10-1: Checking Firewall Vital Signs
Using the Syslog Information
Checking System Resources
Checking Stateful Inspection Resources
Checking Firewall Throughput
Checking Inspection Engine and Service Policy Activity
Checking Failover Operation
Checking Firewall Interfaces
10-2: Watching Data Pass Through a Firewall
Using Capture
Using Debug Packet
10-3: Verifying Firewall Connectivity
Step 1: Test with Ping Packets
Step 2: Check the ARP Cache
Step 3: Check the Routing Table
Step 4: Use Traceroute to Verify the Forwarding Path
Step 5: Check the Access Lists
Step 6: Verify Address Translation Operation
Step 7: Look for Active Shuns
Step 8: Check User Authentication
Step 9: See What Has Changed
Chapter 11 Cisco IOS Firewall: Controlling Access
11-1: IOS Transparent Firewall
Configuring a Transparent IOS Firewall
11-2: Configuring Network Address Translation
NAT Operation
Using Static Address Translations
Using Dynamic Address Translations
11-3: Configuring IOS Firewall Stateful Inspection
How CBAC Works
Configuring CBAC Inspection
CBAC Example
Monitoring CBAC Operation
11-4: HTTP, Java, and URL Filtering
Monitoring URL Filtering
Chapter 12 Cisco IOS Firewall: Managing Activity
12-1: Synchronizing the IOS Firewall Clock
Setting the Clock Manually
Setting the Clock with NTP
12-2: Configuring IOS Firewall Logging
Syslog Server Suggestions
Logging Configuration
IOS Firewall Logging Messages
12-3: Using Authentication Proxy to Manage User Access
Configuring Authentication Proxy
Authentication Proxy Example
Chapter 13 Intrusion Detection System (IDS) Sensors
13-1: IDS Overview
Cisco Embedded IDS Sensor Availability
IDS Alarms
13-2: IDS Embedded Sensor Configuration
Locating the Signature Definitions
Using a Signature Update with an IOS IPS Sensor
Configuring an Embedded IDS Sensor
IDS Sensor Examples
13-3: Monitoring IDS Activity
Verifying Syslog Operation
Verifying Post Office Operation
Verifying IDS Activity on a Router Sensor
Verifying IDS Activity on a Firewall Sensor
13-4: IDS Sensor Signature List
Appendix A Well-Known Protocol and Port Numbers
A-1: IP Protocol Numbers
A-2: ICMP Message Types
A-3: IP Port Numbers
Appendix B Security Appliance Logging Messages
B-1: Alerts–Syslog Severity Level 1 Messages
B-2: Critical–Syslog Severity Level 2 Messages
B-3: Errors–Syslog Severity Level 3 Messages
B-4: Warnings–Syslog Severity Level 4 Messages
B-5: Notifications–Syslog Severity Level 5 Messages
B-6: Informational–Syslog Severity Level 6 Messages
B-7: Debugging–Syslog Severity Level 7 Messages