Cisco Press
201 West 103rd Street
Indianapolis, IN 46290 USA
Cisco Press
CCSP Self-Study
CCSP Cisco Secure PIX Firewall
Advanced Exam Certification Guide
0678_fmi.book Page i Friday, February 28, 2003 4:21 PM
CCSP Self-Study
CCSP Cisco Secure PIX Firewall
Advanced Exam Certification Guide
Greg Bastien, Christian Degu
Copyright© 2003 Cisco Systems, Inc.
Published by:
Cisco Press
201 West 103rd Street
Indianapolis, IN 46290 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic
or mechanical, including photocopying and recording, or by any information storage and retrieval system, without
written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing March 2003
Library of Congress Cataloging-in-Publication Number: 2002107269
ISBN: 1-58720-067-8
Warning and Disclaimer
This book is designed to provide information about the Cisco Secure PIX Firewall Advanced Exam (CSPFA 9E0-111
and 642-521) for the Cisco Certified Security Professional. Every effort has been made to make this book as complete
and accurate as possible, but no warranty or fitness is implied.
The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither
liability nor responsibility to any person or entity with respect to any loss or damages arising from the information
contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted
with care and precision, undergoing rigorous development that involves the unique expertise of members of the professional technical community.
Reader feedback is a natural continuation of this process. If you have any comments regarding how we could
improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at
feedback@ciscopress.com. Please be sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.
Publisher John Wait
Editor-In-Chief John Kane
Cisco Representative Anthony Wolfenden
Cisco Press Program Manager Sonia Torres Chavez
Cisco Marketing Communications Manager Scott Miller
Cisco Marketing Program Manager Edie Quiroz
Executive Editor Brett Bartow
Acquisitions Editor Michelle Grandin
Production Manager Patrick Kanouse
Senior Development Editor Christopher Cleveland
Project Editor Marc Fowler
Copy Editor Gayle Johnson
Technical Editors Will Aranha
Mesfin Goshu
Jonathan Limbo
Gilles Piché
CD Content Jonathan Limbo
Team Coordinator Tammi Ross
Book Designer Gina Rexrode
Cover Designer Louisa Adair
Compositor Mark Shirar
Indexer Larry Sweazy
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
European Headquarters
Cisco Systems Europe
11 Rue Camille Desmoulins
92782 Issy-les-Moulineaux
Cedex 9
France
http://www-europe.cisco.com
Tel: 33 1 58 04 60 00
Fax: 33 1 58 04 61 00
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883
Asia Pacific Headquarters
Cisco Systems Australia,
Pty., Ltd
Level 17, 99 Walker Street
North Sydney
NSW 2059 Australia
http://www.cisco.com
Tel: +61 2 8448 7100
Fax: +61 2 9957 4350
Cisco Systems has more than 200 offices in the following countries. Addresses, phone numbers, and fax numbers are listed on
the Cisco Web site at www.cisco.com/go/offices
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe
Copyright © 2000, Cisco Systems, Inc. All rights reserved. Access Registrar, AccessPath, Are You Ready, ATM Director, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA,
CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, Fast Step, FireRunner, Follow Me Browsing,
FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, iQuick Study, iQ Readiness Scorecard, The
iQ Logo, Kernel Proxy, MGX, Natural Network Viewer, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, RateMUX,
ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast, SMARTnet, SVX, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router,
Workgroup Director, and Workgroup Stack are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, are
service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert Logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco
Systems, Cisco Systems Capital, the Cisco Systems logo, Collision Free, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, IOS, IP/TV, IPX,
LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, are registered trademarks of Cisco Systems,
Inc. or its affiliates in the U.S. and certain other countries.
All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (0010R)
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book
should not be regarded as affecting the validity of any trademark or service mark.
About the Authors
Greg Bastien, CCNP, CCSP, CISSP, currently works as a senior network security engineer for True North Solutions, Inc. as a consultant to the U.S. Department of State. He is an adjunct professor at Strayer University, teaching
networking and network security classes. He completed his undergraduate and graduate degrees at Embry-Riddle
Aeronautical University while on active duty as a helicopter flight instructor in the U.S. Army. He lives with his
wife, two sons, and two dogs in Monrovia, Maryland.
Christian Degu, CCNP, CCDP, CCSP, currently works as a consulting engineer to the Federal Energy Regulatory
Commission. He is an adjunct professor at Strayer University, teaching computer information systems classes. He
has a master’s degree in computer information systems. He resides in Alexandria, Virginia.
About the Technical Reviewers
Will Aranha is currently a principal security engineer with Symantec Corp. His primary job is as a technical product manager, which includes determining new product support, baselining, and providing technical training to the security engineering staff. Aranha is well-versed in many information security products and practices. Along with numerous firewall/VPN and IDS deployments, both domestic and international, he provides third-tier technical support to a 24/7 Security Operations Center, serving as a subject matter expert for all Managed Services supported
products. Aranha has also contributed to the growth and success of the start-up company Riptech, Inc., which was
acquired by Symantec Corp. It is now the premier security solutions provider in the market. In his free time, he has
completed many industry-leading security certifications.
Mesfin Goshu, CCIE No. 8350, is a system engineer for Metrocall Wireless Inc., the second-biggest wireless company in the U.S. He is responsible for designing, maintaining, troubleshooting, and securing Metrocall’s backbone. He has been with Metrocall for almost six years. He has an extensive background in OSPF, BGP, MPLS, and network security. He has a BSc in computer and information science and civil engineering. He currently is working
toward an MSc in telecommunications. As a senior network engineer, he has worked for INS and the Pentagon as a
contractor. He has been in the networking field for more than nine years.
Jonathan Limbo, CCIE Security No. 10508, is currently working as a Security and VPN support engineer acting
as escalation for PIX issues as well as for other security and VPN products. Jonathan has worked in the IT industry
for 5 years, most of which as a Network Engineer.
Gilles Piché is a security consultant who has been working in the Network Security field in Canada for over 6 years. Prior to that, he did contract work with the Canadian government in a network engineering capacity. Gilles is also a Cisco Certified Security Instructor and has been teaching Cisco Security courses for Global Knowledge Network (Canada) for the last 2 years.
Dedications
To Ingrid, Joshua, and Lukas. Thank you for putting up with me while I was locked in the office.—Greg
To my father, Aberra Degu, and my mother, Tifsehit Hailegiorgise. Thank you for inspiring me and loving me as
you have. To my brother, Petros, and sisters, Hiwote and Lula, I love you guys. —Christian
Acknowledgments
Writing this book has been a difficult and time-consuming yet extremely rewarding project. Many have contributed
in some form or fashion to the publishing of this book. We would especially like to thank the Cisco Press team,
including Michelle Grandin, Acquisitions Editor, and Christopher Cleveland, Senior Development Editor, for their
guidance and encouragement throughout the entire writing process. We would also like to thank the technical
reviewers, who had to endure our draft manuscripts and who helped us remain on track throughout the process.
Contents at a Glance
Introduction xxii
Chapter 1 Network Security 3
Chapter 2 Firewall Technologies and the Cisco PIX Firewall 13
Chapter 3 The Cisco Secure PIX Firewall 23
Chapter 4 System Maintenance 47
Chapter 5 Understanding Cisco PIX Firewall Translation and Connections 65
Chapter 6 Getting Started with the Cisco PIX Firewall 91
Chapter 7 Configuring Access 111
Chapter 8 Syslog 129
Chapter 9 Cisco PIX Firewall Failover 143
Chapter 10 Virtual Private Networks 159
Chapter 11 PIX Device Manager 209
Chapter 12 Content Filtering with the Cisco PIX Firewall 245
Chapter 13 Overview of AAA and the Cisco PIX Firewall 257
Chapter 14 Configuration of AAA on the Cisco PIX Firewall 273
Chapter 15 Attack Guards and Multimedia Support 313
Appendix A Answers to the “Do I Know This Already?” Quizzes and Q&A Questions 331
Appendix B Case Study and Sample Configuration 377
Glossary 409
Index 425
Contents
Introduction xxii
Chapter 1 Network Security 3
Vulnerabilities 3
Threats 4
Types of Attacks 4
Reconnaissance Attacks 5
Access Attacks 5
Denial of Service (DoS) Attacks 6
Network Security Policy 7
Step 1: Secure 8
Step 2: Monitor 8
Step 3: Test 8
Step 4: Improve 8
AVVID and SAFE 9
What Is AVVID? 9
What Is SAFE? 10
Q&A 11
Chapter 2 Firewall Technologies and the Cisco PIX Firewall 13
How to Best Use This Chapter 13
“Do I Know This Already?” Quiz 13
Foundation Topics 15
Firewall Technologies 15
Packet Filtering 15
Proxy 16
Stateful Inspection 16
Cisco PIX Firewall 17
Secure Real-Time Embedded System 17
Adaptive Security Algorithm (ASA) 17
Cut-Through Proxy 18
Redundancy 18
Foundation Summary 19
Q&A 20
[...]
Chapter 3 The Cisco Secure PIX Firewall 23
How to Best Use This Chapter 23
“Do I Know This Already?” Quiz 23
Foundation Topics 25
Overview of the Cisco PIX Firewall 25
Adaptive Security Algorithm (ASA) 25
Cut-Through Proxy 26
Cisco PIX Firewall Models and Features 27
Intrusion Protection 28
AAA Support 28
X.509 Certificate Support 28
Network Address Translation/Port Address Translation 29
Firewall Management [...]
[...]
Virtual Private Networks (VPNs) 30
Cisco Secure PIX 501 30
Cisco Secure PIX 506 31
Cisco Secure PIX 515 33
Cisco Secure PIX 520 35
Cisco Secure PIX 525 38
Cisco Secure PIX 535 39
Foundation Summary 42
Q&A 44
Chapter 4 System Maintenance 47
How to Best Use This Chapter 47
“Do I Know This Already?” Quiz 47
Foundation Topics 48
Accessing the Cisco PIX Firewall 48
Accessing the Cisco PIX Firewall with Telnet 48
Accessing the Cisco PIX Firewall [...]
[...]
Using the PIX Firewall DHCP Server 101
Configuring the PIX Firewall DHCP Client 102
Configuring Time Settings on the Cisco PIX Firewall 102
Network Time Protocol (NTP) 102
PIX Firewall System Clock 104
Sample PIX Configuration 105
Foundation Summary 107
Q&A 108
Chapter 7 Configuring Access 111
“Do I Know This Already?” Quiz 111
Foundation Topics 112
Configuring Inbound Access Through the PIX Firewall [...]
[...]
Chapter 13 Overview of AAA and the Cisco PIX Firewall 257
How to Best Use This Chapter 257
“Do I Know This Already?” Quiz 257
Foundation Topics 259
Overview of AAA and the Cisco PIX Firewall 259
Definition of AAA 259
AAA and the Cisco PIX Firewall 260
Cut-Through Proxy 260
Supported AAA Server Technologies 262
Cisco Secure Access Control Server [...]
Introduction
The primary goal of this book is to help you prepare to pass either the 9E0-111 or 642-521 Cisco Secure PIX Firewall Advanced (CSPFA) exams as you strive to attain the CCSP certification, or a focused PIX certification.
Who Should Read This Book?
Network security is a very complex business. The Cisco PIX Firewall performs some very specific functions as part of the security process. It is very important [...]
Table I-1 CSPFA Foundation Topics
Reference Number | Exam Topic | Description
1 | Firewalls | Firewalls process network traffic in three different ways. Chapter 2 discusses these technologies and their advantages.
2 | PIX Firewall overview | Chapter 2 explains the PIX Firewall’s design and its advantages compared to other firewall products.
3 | PIX Firewall models | Currently, the PIX Firewall has six different models. Chapter 3 [...]
[...] continually monitor the Cisco Systems site for course and exam updates at www.cisco.com/go/training.
Table I-2 CCSP Certification Exams
Exam Number | Exam Name | Comments on Upcoming Exam Changes
640-100 | MCNS 3.0, Managing Cisco Network Security | In Summer 2003, a new exam, SECUR 642-501, will become available. This exam will eventually replace the 640-100 exam. If recertification candidates pass this exam, they will [...]
9E0-111 | CSPFA 3.0, Cisco Secure PIX Firewall Advanced Exam | By Summer 2003, a new exam will be available to certification candidates taking the PIX exam: 642-521. Note that the renumbering signifies that those passing this exam will be considered recertified at the CCNA or CCDA level. There are no significant changes between the 9E0-111 exam and the 642-521 exam.
9E0-100 | CSIDS 3.0, Cisco Secure Intrusion Detection [...]
[...] two Cisco programs that can help companies design and implement sound security policies, processes, and architecture.
• Chapter 2, “Firewall Technologies and the Cisco PIX Firewall”—This chapter covers the different firewall technologies and the Cisco PIX Firewall. It examines the design of the PIX Firewall and discusses some of that design’s security advantages.
• Chapter 3, “The Cisco Secure PIX Firewall”—Chapter [...]
[...] allow for remote management of the PIX.
• Chapter 5, “Understanding Cisco PIX Firewall Translation and Connections”—This chapter covers the different transport protocols and how the PIX Firewall handles them. It also discusses network addressing and how the PIX can alter node or network addresses to secure those elements.
• Chapter 6, “Getting Started with the Cisco PIX Firewall”—This is where we really [...]
Posted: 25/03/2014, 11:08