SKIP THE SHIPPING
Use code NOSHIP during checkout to save 40% on eligible eBooks, now through January 5. Shop now.
Register your product to gain access to bonus material or receive a coupon.
Cisco Firewalls
Concepts, design and deployment for Cisco Stateful Firewall solutions
“ In this book, Alexandre proposes a totally different approach to the important subject of firewalls: Instead of just presenting configuration models, he uses a set of carefully crafted examples to illustrate the theory in action. A must read!” —Luc Billot, Security Consulting Engineer at Cisco
Cisco Firewalls thoroughly explains each of the leading Cisco firewall products, features, and solutions, and shows how they can add value to any network security design or operation. The author tightly links theory with practice, demonstrating how to integrate Cisco firewalls into highly secure, self-defending networks. Cisco Firewalls shows you how to deploy Cisco firewalls as an essential component of every network infrastructure. The book takes the unique approach of illustrating complex configuration concepts through step-by-step examples that demonstrate the theory in action. This is the first book with detailed coverage of firewalling Unified Communications systems, network virtualization architectures, and environments that include virtual machines. The author also presents indispensable information about integrating firewalls with other security elements such as IPS, VPNs, and load balancers; as well as a complete introduction to firewalling IPv6 networks. Cisco Firewalls will be an indispensable resource for engineers and architects designing and implementing firewalls; security administrators, operators, and support professionals; and anyone preparing for the CCNA Security, CCNP Security, or CCIE Security certification exams.
Alexandre Matos da Silva Pires de Moraes, CCIE No. 6063, has worked as a Systems Engineer for Cisco Brazil since 1998 in projects that involve not only Security and VPN technologies but also Routing Protocol and Campus Design, IP Multicast Routing, and MPLS Networks Design. He coordinated a team of Security engineers in Brazil and holds the CISSP, CCSP, and three CCIE certifications (Routing/Switching, Security, and Service Provider). A frequent speaker at Cisco Live, he holds a degree in electronic engineering from the Instituto Tecnológico de Aeronáutica (ITA – Brazil).
· Create advanced security designs utilizing the entire Cisco firewall product family
· Choose the right firewalls based on your performance requirements
· Learn firewall configuration fundamentals and master the tools that provide insight about firewall operations
· Properly insert firewalls in your network’s topology using Layer 3 or Layer 2 connectivity
· Use Cisco firewalls as part of a robust, secure virtualization architecture
· Deploy Cisco ASA firewalls with or without NAT
· Take full advantage of the classic IOS firewall feature set (CBAC)
· Implement flexible security policies with the Zone Policy Firewall (ZPF)
· Strengthen stateful inspection with antispoofing, TCP normalization, connection limiting, and IP fragmentation handling
· Use application-layer inspection capabilities built into Cisco firewalls
· Inspect IP voice protocols, including SCCP, H.323, SIP, and MGCP
· Utilize identity to provide user-based stateful functionality
· Understand how multicast traffic is handled through firewalls
· Use firewalls to protect your IPv6 deployments
This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end, self-defending networks.
Cisco Firewall Configuration Fundamentals
Foreword
Introduction
Chapter 1: Firewalls and Network Security
Security Is a Must. But, Where to Start?
Firewalls and Domains of Trust
Firewall Insertion in the Network Topology
Routed Mode Versus Transparent Mode
Network Address Translation and Port Address Translation
Main Categories of Network Firewalls
Packet Filters
Circuit-Level Proxies
Application-Level Proxies
Stateful Firewalls
The Evolution of Stateful Firewalls
Application Awareness
Identity Awareness
Leveraging the Routing Table for Protection Tasks
Virtual Firewalls and Network Segmentation
What Type of Stateful Firewall?
Firewall Appliances
Router-Based Firewalls
Switch-Based Firewalls
Classic Topologies Using Stateful Firewalls
Stateful Firewalls and Security Design
Stateful Firewalls and VPNs
Stateful Firewalls and Intrusion Prevention
Stateful Firewalls and Specialized Security Appliances
Summary
Chapter 2: Cisco Firewall Families Overview
Overview of ASA Appliances
Positioning of ASA Appliances
Firewall Performance Parameters
Overview of ASA Hardware Models
Overview of the Firewall Services Module
Overview of IOS-Based Integrated Firewalls
Integrated Services Routers
Aggregation Services Routers
Summary
Chapter 3: Configuration Fundamentals
Device Access Using the CLI
Basic ASA Configuration
Basic Configuration for ASA Appliances Other Than 5505
Basic Configuration for the ASA 5505 Appliance
Basic FWSM Configuration
Remote Management Access to ASA and FWSM
Telnet Access
SSH Access
HTTPS Access Using ASDM
IOS Baseline Configuration
Configuring Interfaces on IOS Routers
Remote Management Access to IOS Devices
Remote Access Using Telnet
Remote Access Using SSH
Remote Access Using HTTP and HTTPS
Clock Synchronization Using NTP
Obtaining an IP Address Through the PPPoE Client
DHCP Services
Summary
Further Reading
Chapter 4: Learn the Tools. Know the Firewall
Using Access Control Lists Beyond Packet Filtering
Event Logging
Debug Commands
Flow Accounting and Other Usages of Netflow
Enabling Flow Collection on IOS
Traditional Netflow
Netflow v9 and Flexible Netflow
Enabling NSEL on an ASA Appliance
Performance Monitoring Using ASDM
Correlation Between Graphical Interfaces and CLI
Packet Tracer on ASA
Packet Capture
Embedded Packet Capture on an ASA Appliance
Embedded Packet Capture on IOS
Summary
Chapter 5: Firewalls in the Network Topology
Introduction to IP Routing and Forwarding
Static Routing Overview
Basic Concepts of Routing Protocols
RIP Overview
Configuring and Monitoring RIP
EIGRP Overview
Configuring and Monitoring EIGRP
EIGRP Configuration Fundamentals
Understanding EIGRP Metrics
Redistributing Routes into EIGRP
Generating a Summary EIGRP Route
Limiting Incoming Updates with a Distribute-List
EIGRP QUERY and REPLY Messages
EIGRP Stub Operation
OSPF Overview
Configuring and Monitoring OSPF
OSPF Configuration Fundamentals
OSPF Scenario with Two Areas
Configuring Authentication for Routing Protocols
Bridged Operation
Summary
Chapter 6: Virtualization in the Firewall World
Some Initial Definitions
Starting with the Data Plane: VLANs and VRFs
Virtual LANs
VRFs
VRF-Aware Services
Beyond the Data Plane—Virtual Contexts
Management Access to Virtual Contexts
Allocating Resources to Virtual Contexts
Interconnecting Virtual Elements
Interconnecting VRFs with an External Router
Interconnecting Two Virtual Contexts That Do Not Share Any Interface
Interconnecting Two FWSM Contexts That Share an Interface
Interconnecting Two ASA Contexts That Share an Interface
Issues Associated with Security Contexts
Complete Architecture for Virtualization
Virtualized FWSM and ACE Modules
Segmented Transport
Virtual Machines and the Nexus 1000V
Summary
Chapter 7: Through ASA Without NAT
Types of Access Through ASA-Based Firewalls
Additional Thoughts About Security Levels
Internet Access Firewall Topology
Extranet Topology
Isolating Internal Departments
ICMP Connection Examples
Outbound Ping
Inbound Ping
Windows Traceroute Through ASA
UDP Connection Examples
Outbound IOS Traceroute Through ASA
TCP Connection Examples
ASA Flags Associated with TCP Connections
TCP Sequence Number Randomization
Same Security Access
Handling ACLs and Object-Groups
Summary
Chapter 8: Through ASA Using NAT
Nat-Control Model
Outbound NAT Analysis
Dynamic NAT
Dynamic PAT
Identity NAT
Static NAT
Policy NAT
Static Policy NAT
Dynamic Policy NAT
Dynamic Policy PAT
NAT Exemption
NAT Precedence Rules
Address Publishing for Inbound Access
Publishing with the static Command
Publishing with Port Redirection
Publishing with NAT Exemption
Inbound NAT Analysis
Dynamic PAT for Inbound
Identity NAT for Inbound
NAT Exemption for Inbound
Static NAT for Inbound
Dual NAT
Disabling TCP Sequence Number Randomization
Defining Connection Limits with NAT Rules
Summary
Chapter 9: Classic IOS Firewall Overview
Motivations for CBAC
CBAC Basics
ICMP Connection Examples
UDP Connection Examples
TCP Connection Examples
Handling ACLs and Object-Groups
Using Object-Groups with ACLs
CBAC and Access Control Lists
IOS NAT Review
Static NAT
Dynamic NAT
Policy NAT
Dual NAT
NAT and Flow Accounting
CBAC and NAT
Summary
Chapter 10: IOS Zone Policy Firewall Overview
Motivations for the ZFW
Building Blocks for Zone-Based Firewall Policies
ICMP Connection Examples
UDP Connection Examples
TCP Connection Examples
ZFW and ACLs
ZFW and NAT
ZFW in Transparent Mode
Defining Connection Limits
Inspection of Router Traffic
Intrazone Firewall Policies in IOS 15.X
Summary
Chapter 11: Additional Protection Mechanisms
Antispoofing
Classic Antispoofing Using ACLs
Antispoofing with uRPF on IOS
Antispoofing with uRPF on ASA
TCP Flags Filtering
Filtering on the TTL Value
Handling IP Options
Stateless Filtering of IP Options on IOS
IP Options Drop on IOS
IP Options Drop on ASA
Dealing with IP Fragmentation
Stateless Filtering of IP Fragments in IOS
Virtual Fragment Reassembly on IOS
Virtual Fragment Reassembly on ASA
Flexible Packet Matching
Time-Based ACLs
Time-Based ACLs on ASA
Time-Based ACLs on IOS
Connection Limits on ASA
TCP Normalization on ASA
Threat Detection on ASA
Summary
Further Reading
Chapter 12: Application Inspection
Inspection Capabilities in the Classic IOS Firewall
Application Inspection in the Zone Policy Firewall
DNS Inspection in the Zone Policy Firewall
FTP Inspection in the Zone Policy Firewall
HTTP Inspection in the Zone Policy Firewall
IM Inspection in the Zone Policy Firewall
Overview of ASA Application Inspection
DNS Inspection in ASA
DNS Guard
DNS Doctoring
DNS Inspection Parameters
Some Additional DNS Inspection Capabilities
FTP Inspection in ASA
HTTP Inspection in ASA
Inspection of IM and Tunneling Traffic in ASA
Botnet Traffic Filtering in ASA
Summary
Further Reading
Chapter 13: Inspection of Voice Protocols
Introduction to Voice Terminology
Skinny Protocol
H.323 Framework
H.323 Direct Calls
H.323 Calls Through a Gatekeeper
Session Initiation Protocol (SIP)
MGCP Protocol
Cisco IP Phones and Digital Certificates
Advanced Voice Inspection with ASA TLS-Proxy
Advanced Voice Inspection with ASA Phone-Proxy
Summary
Further Reading
Chapter 14: Identity on Cisco Firewalls
Selecting the Authentication Protocol
ASA User-Level Control with Cut-Through Proxy
Cut-Through Proxy Usage Scenarios
Scenario 1: Simple Cut-Through Proxy (No Authorization)
Scenario 2: Cut-Through Proxy with Downloadable ACEs
Scenario 3: Cut-Through Proxy with Locally Defined ACL
Scenario 4: Cut-Through Proxy with Downloadable ACLs
Scenario 5: HTTP Listener
IOS User-Level Control with Auth-Proxy
Scenario 1: IOS Auth-Proxy with Downloadable Access Control Entries
Scenario 2: IOS Auth-Proxy with Downloadable ACLs
Scenario 3: Combining Classic IP Inspection (CBAC) and Auth-Proxy
User-Based Zone Policy Firewall
Establishing user-group Membership Awareness in IOS - Method 1
Establishing user-group Membership Awareness in IOS - Method 2
Integrating Auth-Proxy and the ZFW
Administrative Access Control on IOS
Administrative Access Control on ASA
Summary
Chapter 15: Firewalls and IP Multicast
Review of Multicast Addressing
Overview of Multicast Routing and Forwarding
The Concept of Upstream and Downstream Interfaces
RPF Interfaces and the RPF Check
Multicast Routing with PIM
Enabling PIM on Cisco Routers
PIM-DM Basics
PIM-SM Basics
Finding the Rendezvous Point on PIM-SM Topologies
Inserting ASA in a Multicast Routing Environment
Enabling Multicast Routing in ASA
Stub Multicast Routing in ASA
ASA Acting as a PIM-SM Router
Summary of Multicast Forwarding Rules on ASA
Summary
Further Reading
Chapter 16: Cisco Firewalls and IPv6
Introduction to IPv6
Overview of IPv6 Addressing
IPv6 Header Format
IPv6 Connectivity Basics
Handling IOS IPv6 Access Control Lists
IPv6 Support in the Classic IOS Firewall
IPv6 Support in the Zone Policy Firewall
Handling ASA IPv6 ACLs and Object-Groups
Stateful Inspection of IPv6 in ASA
Establishing Connection Limits
Setting an Upper Bound for Connections Through ASA
IPv6 and Antispoofing
Antispoofing with uRPF on ASA
Antispoofing with uRPF on IOS
IPv6 and Fragmentation
Virtual Fragment Reassembly on ASA
Virtual Fragment Reassembly on IOS
Summary
Further Reading
Chapter 17: Firewall Interactions
Firewalls and Intrusion Prevention Systems
Firewalls and Quality of Service
Firewalls and Private VLANs
Firewalls and Server Load Balancing
Firewalls and Virtual Machines
Protecting Virtual Machines with External Firewalls
Protecting Virtual Machines Using Virtual Firewall Appliances
Firewalls and IPv6 Tunneling Mechanisms
Firewalls and IPsec VPNs
Classic IPsec Site-to-Site for IOS
IPsec Site-to-Site Using a Virtual Tunnel Interface (VTI)
IPsec Site-to-Site Using a GRE Tunnel
NAT in the Middle of an IPsec Tunnel
Post-Decryption Filtering in ASA
Firewalls and SSL VPNs
Clientless Access
Client-Based Access (AnyConnect)
Firewalls and MPLS Networks
Borderless Networks Vision
Summary
Further Reading
Appendix A: NAT and ACL Changes in ASA 8.3
Index