The complete guide to the most popular Cisco PIX®, ASA, FWSM, and IOS® firewall security features
- Learn about the various firewall models, user interfaces, feature sets, and configuration methods
- Understand how a Cisco firewall inspects traffic
- Configure firewall interfaces, routing, IP addressing services, and IP multicast support
- Maintain security contexts and Flash and configuration files, manage users, and monitor firewalls with SNMP
- Authenticate, authorize, and maintain accounting records for firewall users
- Control access through the firewall by implementing transparent and routed firewall modes, address translation, traffic filtering, user authentication, content filtering, application inspection, and traffic shunning
- Increase firewall availability with firewall failover operation
- Understand how firewall load balancing works
- Generate firewall activity logs and learn how to analyze the contents of the log
- Verify firewall operation and connectivity and observe data passing through a firewall
- Control access and manage activity on the Cisco IOS firewall
- Configure a Cisco firewall to act as an IDS sensor
Every organization has data, facilities, and workflow processes that are critical to its success. As more organizations make greater use of the Internet, defending against network attacks becomes crucial for businesses. Productivity gains and returns on company investments are at risk if the network is not properly defended. Firewalls have emerged as the essential foundation component in any network security architecture.
Cisco ASA and PIX Firewall Handbook is a guide for the most commonly implemented features of the popular Cisco Systems® firewall security solutions. This is the first book to cover the revolutionary Cisco ASA and PIX® version 7 security appliances. This book will help you quickly and easily configure, integrate, and manage the entire suite of Cisco® firewall products, including Cisco ASA, PIX version 7 and 6.3, the Cisco IOS router firewall, and the Catalyst Firewall Services Module (FWSM). Organized by families of features, this book helps you get up to speed quickly and efficiently on topics such as file management, building connectivity, controlling access, firewall management, increasing availability with failover, load balancing, logging, and verifying operation. Shaded thumbtabs mark each section for quick reference and each section provides information in a concise format, with background, configuration, and example components. Each section also has a quick reference table of commands that you can use to troubleshoot or display information about the features presented. Appendixes present lists of well-known IP protocol numbers, ICMP message types, and IP port numbers that are supported in firewall configuration commands and provide a quick reference to the many logging messages that can be generated from a Cisco PIX, ASA, FWSM, or IOS firewall.
Whether you are looking for an introduction to the firewall features of the new ASA security appliance, a guide to configuring firewalls with the new Cisco PIX version 7 operating system, or a complete reference for making the most out of your Cisco ASA, PIX, IOS, and FWSM firewall deployments, Cisco ASA and PIX Firewall Handbook helps you achieve maximum protection of your network resources.
“Many books on network security and firewalls settle for a discussion focused primarily on concepts and theory. This book, however, goes well beyond these topics. It covers in tremendous detail the information every network and security administrator needs to know when configuring and managing market-leading firewall products from Cisco.”
—Jason Nolet, Sr. Director of Engineering, Security Technology Group, Cisco Systems
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
About the Author
David Hucaby, CCIE® No. 4594, is a lead network engineer for the University of Kentucky, where he works with healthcare networks based on the Cisco Catalyst, IP Telephony, PIX, and VPN product lines. David was one of the beta reviewers of the PIX version 7 Firewall operating system software.
Most Helpful Customer Reviews
I recently read the book titled "Cisco ASA and PIX Firewall Handbook" by David Hucaby. ISBN: 1587051583. I've been working with Cisco PIX firewalls for several years and, while they are fairly straightforward to configure for the basic function of the system, some of the more robust features of the product can be complex in concept. This is certainly the case when considering all of the new features of the PIX 7.0 code. This title does an outstanding job at bridging the information gap for the old crusties that have used PIX for years. Each section is laid out to explain and contrast how each feature is configured for the Cisco PIX, the new Adaptive Security Appliance, the Firewall Switch Module, and the IOS Firewall code. It has everything you should and need to know to administer the equipment effectively. There is little fluff or filler in these pages: mostly straight-to-the-point configuration examples that allow the readers to maximize their time getting work done. I was really excited when I saw that Cisco Press was coming out with a title that covers the new Cisco ASA (Adaptive Security Appliance). My excitement quickly turned to confusion when I started reading through the title. Aside from the great documentation on the PIX, FWSM and FW IOS, it's very difficult to identify what information pertains to the Adaptive Security Appliance. I'm still not clear why this book claims to include information on the ASA. It's either ignorance on my part or there is not enough content in the book to justify the title. This observation in no way takes away from the book's rich information regarding the FWSM 2.x, PIX 6.x and PIX 7.x. Since the title was published not long after the PIX 7.0 code was released, I wonder if it was too soon to cover a topic so new in a book. The author, however, covers the main features of 7.0 very well and it's extremely helpful to have this handbook for those transitioning to the new PIX 7.0 code.
I think this title is best suited for any person that administers Cisco security devices like the Cisco PIX or the FWSM, or runs Cisco Firewall IOS in their environment. The title covers more detail than what the Cisco on-line (CCO) has to offer in most cases. The title picks up where the product command reference and configuration examples leave off. Certainly a must-have title for any security administrator to have in order to ensure that the equipment is leveraged to its maximum potential and to minimize mis-configurations that may contribute to increased exposure or unintended security risks. There aren't many diagrams in the book; however, there are diagrams where they serve best. Most of the book is centered on the CLI configuration of the equipment. Administrators that rely on or use the web interface to configure these devices won't see much supporting information on the web interface. In my opinion, that's a good thing, because administrators should know what's going on under the covers of any GUI interface for independency and security reasons. Some of the sections that I found the most beneficial were the sections that cover the new features like Transparent Firewall Mode, Active-Active Failover and Using Security Contexts to Make Virtual Firewalls. These are all new features that have a lot of benefit. When learning something new, it's always good to get as much information about the subject as possible. It helps to formulate a solid understanding of the new topic. All in all, this is a great title worthy of the Cisco Press legacy. The author has done a great job covering all the essentials in one easy-to-grab title.
Cisco ASA and PIX Firewall Handbook (ISBN 1-58705-158-3) by David Hucaby is an intermediate to advanced level book on Cisco firewalls. It primarily concentrates on the Cisco PIX firewall (which now apparently is becoming known as the Cisco security appliance) but also provides coverage of the Firewall Services Module (found in Cisco's high-end switches) and the IOS software firewall. Simply put, the author does a superb job of presenting a complex and broad subject in relatively easy-to-understand terms. Nevertheless, if you do not have any experience with Cisco firewalls, this book is not for you. Rather, it is meant for someone who has been working with PIX firewalls but wants to gain a better and more in-depth understanding of the subject matter with an eye towards how to get something done, hence the term "handbook" in the title of the book. If you're sitting at a bookstore browsing through a number of books on the PIX firewall trying to decide which one to buy, skim through chapter 3 in this book. If you're really pressed for time, read through the coverage of VLAN hopping and firewall topology considerations in this chapter. If you're still not impressed by the level of knowledge that the author brings to the table, either you already know so much that you don't need this book (and probably should think about writing one yourself if you're halfway decent in conveying your ideas) or the material is too advanced for you and you'd be better off getting an introductory book on the topic. For an average network security engineer responsible for maintaining the Cisco firewall series of appliances, the material presented in this book is invaluable (and up-to-date). Of course the material is not always revelatory throughout the book. There are sections which present information that most Cisco admins would already know. But nevertheless the author uses certain stylistic practices which are most helpful in understanding the differences between various areas of coverage.
For example, for every command presented in the book, the author makes it a point to lay out the syntax for PIX v. 6.3, PIX v. 7.0 and FWSM next to each other. Further, whenever necessary, the author highlights the additional functionality found in version 7.0 and how it differs from version 6.3 in the PIX firewall. For example, the coverage of FW contexts (virtual FWs), new in version 7.0, is covered in sufficient detail, enough so that the administrator can actually implement it in his/her environment if needed. (By the way, this section is a good illustration of the author's knowledge about the inner workings of the Cisco firewalls and provides for an enlightening look at how traffic actually passes through the FW.) In all fairness, I must point out that I was a little disappointed in not finding any coverage of VPN tunnels in managing/administering the FWs. There is hardly any coverage given to the topic of remotely managing FWs (on the outside interface) while (IMHO) it happens to be a critical element of any FW administration scheme. Even though the author refers the reader to another book (Cisco IPSec VPN Handbook) for coverage of VPN functionality, I feel that the topic of FW management is simply not complete without discussing remote management, and tunneling is necessary when management has to be done from the outside. Nevertheless, I hope that the author can take this into consideration if a decision is ever made to issue a second edition. Overall, this is a must-have book for any Network Security Engineer working with Cisco FWs. I highly recommend it and look forward to reading other books by this author.
I do not think the subtitle "The Complete Guide to the most popular Cisco firewall security features" goes to the level of credit that this book truly goes to. David Hucaby did not only write a guide, he wrote a book that will clearly sit on my quick-grab shelf right next to my desk for years to come (or until the next version). For as the introduction states, "the book is meant to be used as a tool in everyday activities," and that is clearly what it does. David wrote, from the introduction and the structure of the book to the index, a complete guide and tool that deserves ranting and raving. As you begin flipping through the book, the knowledge and understanding of how security engineers or administrators operate becomes clear. The structure alone, designed to support both chapters and sections within the chapters, helps to ensure details are easily located and quickly referenced. Combined with the detailed index in this book, it ensures he does not miss a beat. From the beginning you see the level of both understanding and time that went into this book when David wrote it. Not only is David's book designed to be more than a reference guide, going through the step-by-step process and understanding, but it details numerous features, commands and methods to help individuals understand what they are seeing or expecting. While exploring the book I found several nice facts, including a quick bit in chapter 3, "Configuring Interfaces," where David talks about Priority Queue and the differences between current 6.x and new 7.x code. As we have learned with PIX code up to version 7.x it was all best-effort, but that has begun to change for the future. Thus this section, while small, is an excellent section to show the detail packed in and an excellent example of why this book needs to be on every security engineer's and administrator's desk or bookshelf.
Other features in this book provide us, the reader, with excellent examples of the evolution of Cisco's firewall operating code as it moves from the version 6.x to the 7.x platform. Cisco has begun to introduce new features and support new platforms like the Firewall Service Module (FWSM) and the new Cisco ASA into an already growing product line in high demand. With the book, David spends time showing how the same configuration items behave with each different code level or hardware platform that Cisco has introduced and currently supports. This alone can clearly help any individual attempting to understand and compare Cisco firewall product lines. Yet while this is another excellent example of why the book is a must-have, the final one that comes to mind is the detailed appendixes that David has included, from a complete list of error codes for all PIX syslog errors or messages to a "Well-Known Protocol and Port Numbers" section. At one point I found myself looking from chapter to chapter and spot to spot without realizing I was jumping around. Because regardless of where you are in the book, you too will find yourself jumping around to either review something or cross-reference an item. If I was to change anything in the book, it would be the cover, because the material is as perfect as possible considering the length and time clearly spent learning and comparing the differences that the book contains. Why do I say the cover needs to be changed, you ask? Well, I think that as a security engineer or administrator you will be referencing this material so much that the soft cover will become damaged and show the wear and tear that comes with true usage and appreciation of a book of this caliber.
David Hucaby demonstrated his flair for Cisco Security offerings with his clear and concise presentation of the Cisco Adaptive Security Appliance and Cisco PIX Security appliance. This book was surprisingly easy to read for such a highly technical text. Within the first three hours of my receiving the text, I had already gone through the first four chapters. The layout of the text endears it to Cisco Solutions professionals. Organized into thirteen chapters, the text starts with a brief overview of firewall technology and quickly delves into Cisco IOS commands to demonstrate the concepts described. Hucaby presents the materials in a logical order, starting with chapter one, a firewall overview; chapter two reviews basic configuration options for the Cisco PIX and ASA platforms. Chapter three on connectivity explores interface and VLAN connectivity with specific examples. IP version 6 connectivity is also described here. The book moves into more device and user management and firewall policy settings in chapters four through five and discusses fault tolerance and reliability in firewall designs in chapter seven. Chapter eight provides a more hands-on treatment of firewall reliability with an in-depth description of failover implementations for the Cisco firewall load balancing appliance (FWLB). Not a generic text on firewalls or security, this book is essentially a Cisco Security Implementation manual and its title should be taken literally. The material is presented in a manner that lends itself to junior to intermediate Cisco security device administrators. The deep emphasis on Cisco Technology in this volume limits the text's utility to non-Cisco device administrators and thus the overall reader base of the text. A CCNP candidate or PIX firewall specialist is sure to benefit from owning a copy of Hucaby's book, as would CCIE Security certification candidates. If your job is to manage Cisco PIX, ASA and related devices, then owning a copy of Hucaby's text will be well worth it.
Independent consultants will also benefit from the reference-like collection of materials in this handbook. If you expect this book to provide you with insight into generic firewall technology, you will find only limited help here. Also, if you do not expect to implement Cisco Security solutions, you do not need a copy. The treatment of syslog, without any mention of the state of the art in syslog technology (syslog-ng), leaves one wondering when the book was written. This is really a difficult text to review, given the excellent presentation skill demonstrated by the author in his presentation of the material, the ease with which one can get through the materials, the scope of the technical how-to presented by the author, and yet the obvious gap in presenting the state of the art in the industry as against just being Cisco-centric. I will rate this book 3 out of 5. A great book for Cisco professionals, particularly PIX, FWSM (firewall switch module), ASA and IOS security administrators, Cisco-centric network designers and managers, and aspiring Cisco Security certification candidates. Mostly of little use to non-Cisco professionals.
The subtitle for Cisco ASA and PIX Firewall Handbook states that it is 'the complete guide' for PIX, ASA, FWSM, and IOS Firewall features. I have read other books on the PIX and the IOS Firewall and I agree that Hucaby is very thorough in walking the reader through the configuration and management of these devices. This is not a book to gain a basic understanding of network security, but is written with the intermediate to advanced network administrator in mind. Hucaby has good, concise coverage of concepts while diving into the minutiae of configuration examples. Case studies are used, but not too verbose. Hucaby simply states the goals and shows you the configurations in an outlined format. The structure of each chapter includes a description, steps to configure, sample configurations, and how to verify a feature is functioning. One of the appendices is invaluable for understanding the PIX and IOS Firewall logs. They are grouped by the alert levels. The other appendix charts the IP protocol numbers and TCP/UDP port numbers, also handy for reference when configuring. This book will now replace an older title I had on the PIX Firewall as my desk reference. I will also consult it when configuring the other firewall appliances. If you work through this book with your equipment, perhaps the greatest benefit will be the understanding you will gain for interpreting error logs. This will benefit both security as well as troubleshooting. During my first read-through of the book, I found useful commands that I was unaware of and that do not show up when typing a question mark at the command prompt. Because of this I was able to more accurately view the traffic from a recent setup and had more confidence in knowing that it was working correctly. Primarily because the title is so concise, yet thorough, I rate this book 5 stars and look forward to reading more books by this author.