Authors: David W. Chapman and Andy Fox
Publisher: Cisco Press
There’s no question whether a firewall is an important part of the overall security architecture. One of the biggest players in the networking and security hardware market is certainly Cisco so there’s no wonder many organizations worldwide use Cisco PIX Firewalls. This book is intended for that specific audience – Cisco PIX Firewall users, both novices and advanced. This book is a must if you’re preparing for the Cisco Security Specialist 1 PIX exam.
About the authors
David W. Chapman, Jr., CCNP, CCDP, CSS-1, is a Cisco Security Instructor with Global Knowledge. As Course Director for the Cisco Secure PIX Firewall course, David is charged with maintaining the integrity and quality of the course offering and mentoring instructors new to the course. His protocol expertise includes TCP/IP, IPSec, BGP, IPX, SNA, AppleTalk, Frame Relay, PPP, HDLC, LLC, and NetBIOS/SMB.
An interview with David W. Chapman is available here.
Andy Fox, CCNA, CCDA, CSS-1 is a Certified Cisco Systems Instructor with Global Knowledge. Andy has been teaching Cisco Certified Classes for more than six years and is the Course Director for the Managing Cisco Network Security course. Andy began his career in Computer Science as a Computer Operator in the Air Force.
Inside the book
The book starts with an introduction to network security where the authors explain why network security is necessary, they categorize network security threats, talk about security breaches and the network security policy.
When it comes to security breaches, the authors categorize network attacks into three categories: Reconnaissance attacks, Access attacks and Denial of Service attacks. All of these types are described on their own but we are not presented with too many details since the audience of this book is supposed to have basic IP operation knowledge and be acquainted with security concepts in order to use this book’s full potential.
As we move on, we are introduced to Cisco PIX Firewall software and hardware. The authors define firewalls and present the types of firewalls that have been put into three categories: packet filters, proxy filters and stateful packet filters. After this brief introduction comes a presentation of the features and benefits of PIX Firewalls. We are presented with detailed information for the following models:
- The Cisco Secure PIX 506 – intended for high-end, small office/home office (SOHO) organizations
- The Cisco Secure PIX 515 – intended for small/medium business and remote office deployments
- The Cisco Secure PIX 520 – intended for large enterprise organizations and complex, high-end traffic environments
- The Cisco Secure PIX 525 – intended for enterprise and service provider use
- The Cisco Secure PIX 535 – intended for enterprise and service provider use
All the models are explained in great detail with descriptions of the controls, connectors as well as front and back panel features. All the data is backed up by illustrations that show what each model looks like. This is excellent if you want to find out all the details about a model from the ground up.
Now that the models have been properly introduced, the authors go on to discuss the working and upgrading of the Cisco PIX Firewall software image. What you learn about here is how to administer any Cisco device with the command line interface or with the graphical user interfaces: the PIX Firewall Manager ad the PIX Device Manager. When it comes to PIX Firewall maintenance, the authors don’t leave anything to chance and they present a lot of details. What would information of this sort be without coverage of an installation of a new PIX Firewall or a software upgrade? These are covered nicely as we move to find out more on password recovery.
The next step is learning to configure the Cisco PIX Firewall. The authors say that we have to keep in mind that a two-interface PIX is configured in the same way as a six-interface PIX. This is because the ASA (Adaptive Security Algorithm) uses the concept of security levels, and they are covered as the first step. You’ll also learn about the six basic commands for Cisco PIX Firewall configuration.
The authors progress by explaining how the PIX Firewall processes inbound and outbound transmissions by giving a brief overview of two protocols: TCP and UDP. After the overview we get a few pages on PIX Firewall translations.
Almost in every firewall configuration the system administrator has to allow a certain amount of access from the outside. What the authors are explaining next is how to configure access through the Cisco PIX Firewall. We are introduced to the static and conduit commands, additional methods of access through the PIX, and we learn about configuring multiple interfaces.
The PIX Firewall generates syslog messages for system events. We are presented with an entire chapter dedicated to the analysis of the syslog configuration commands and you’ll understand how these commands affect the way the PIX handles syslog messages.
What follows is an overview of the AAA (Authentication, Authorization and Accounting) configuration on the Cisco PIX Firewall. Among other things, the authors: define AAA, explain what a cut-through proxy operation is, inform us on what AAA protocols and servers the PIX Firewall supports. We are also presented with the installation of CSACS on Windows NT. CSACS is an application that provides AAA services. Although we find a variety of screenshots and diagrams that are a very good complement to the text through the book, there is an amusing screenshot in this chapter. It’s the screenshot of a standard Windows Installation Wizard. I don’t think that the audience of this book needs to see that screenshot; they should be familiar with installing software if they plan on working with a PIX Firewall.
If you want your PIX Firewall to securely handle multichannel TCP applications, you’ll get a nice introduction to the concepts and configuration elements necessary in chapter nine. You’ll be introduced to advanced protocol handling, multimedia support and attack guards.
What if a PIX Firewall fails? Another one immediately takes its place. To get acquainted with the firewall failover we are shown when a failover occurs and we are also presented with the following topics: the failover operation, configuration replication, failover monitoring, fail back rules, interface testing, and more.
Need a secure VPN? You’ll learn that the Cisco Secure PIX Firewall enables a secure VPN. The authors proceed by describing how IPSec for PIX Firewalls can be configured. There’s also material on scale PIX Firewall VPNs and we get many examples of topologies and configurations. As the topics in this chapter are rather complex, there’s a reference section at the end of it that should give you enough additional reading material – very useful.
The following section introduces the features of the Cisco IOS Firewall, which is a security-specific option for Cisco IOS Software. Some of the covered topics in this section are: the Cisco IOS Firewall context-based access control configuration, port-to-application mapping, and more.
The last chapter gives you all the information you need to understand and configure the Cisco IOS Firewall Authentication Proxy. What the authors write about here is: the AA server configuration, AA configuration, authentication proxy configuration, etc. To end in style, the six appendixes provide a valuable amount of information.
My 2 cents
The authors state that the goal of this book is help users refresh their knowledge of basic PIX operation as well as to dwell into more advanced configurations. Do they succeed in accomplishing this? Completely. The authors managed to put a lot of knowledge into this book, and combine it with useful diagrams and screenshots to facilitate the understanding of the material. To help the readers get the most of this book at the end of each chapter there’s a few questions that you can use to test yourself. At the end of the book you can read the answers to all the questions.
If you’re a PIX user this book should definitely be on your bookshelf, you’re going to benefit a lot from it.