
Firewall Fundamentals
By Wes Noonan, Ido Dubrawsky
Publisher: Cisco Press
Pub Date: June 02, 2006
Print ISBN-10: 1-58705-221-0
Print ISBN-13: 978-1-58705-221-7
Pages: 408

Table of Contents | Index

The essential guide to understanding and using firewalls to protect personal computers and your network

An easy-to-read introduction to the most commonly deployed network security device
Understand the threats firewalls are designed to protect against
Learn basic firewall architectures, practical deployment scenarios, and common management and troubleshooting tasks
Includes configuration, deployment, and management checklists

Increasing reliance on the Internet in both work and home environments has radically increased the vulnerability of computing systems to attack from a wide variety of threats. Firewall technology continues to be the most prevalent form of protection against existing and new threats to computers and networks. A full understanding of what firewalls can do, how they can be deployed to maximum effect, and the differences among firewall types can make the difference between continued network integrity and complete network or computer failure. Firewall Fundamentals introduces readers to firewall concepts and explores various commercial and open source firewall implementations--including Cisco, Linksys, and Linux--allowing network administrators and small office/home office computer users to effectively choose and configure their devices. Firewall Fundamentals is written in clear and easy-to-understand language and helps novice users understand what firewalls are and how and where they are used. It introduces various types of firewalls, first conceptually and then by explaining how different firewall implementations actually work. It also provides numerous implementation examples, demonstrating the use of firewalls in both personal and business-related scenarios, and explains how a firewall should be installed and configured. Additionally, generic firewall troubleshooting methodologies and common management tasks are clearly defined and explained.


Copyright
About the Authors
About the Technical Reviewers
Acknowledgments
Icons Used in This Book
Command Syntax Conventions
Introduction
Part I: Introduction to Firewalls
  Chapter 1. Introduction to Firewalls
    What Is a Firewall?
    What Can Firewalls Do?
    What Are the Threats?
    What Are the Motives?
    Security Policies
    Determining If You Need a Firewall
    Summary
  Chapter 2. Firewall Basics
    Firewall Taxonomy
    Firewall Products
    Firewall Technologies
    Open and Closed Source Firewalls
    Summary
  Chapter 3. TCP/IP for Firewalls
    Protocols, Services, and Applications
    Internet Protocol (IP)
    Transmission Control Protocol (TCP)
    User Datagram Protocol (UDP)
    Internet Control Message Protocol (ICMP)
    Addressing in IP Networks
    Network Address Translation (NAT)
    Broadcast and Multicast
    IP Services
    IP Routing
    Applications Using IP
    Summary
Part II: How Firewalls Work
  Chapter 4. Personal Firewalls: Windows Firewall and Trend Micro's PC-cillin
    Windows Firewall and Windows XP
    Trend Micro's PC-cillin Firewall Feature
    Summary
  Chapter 5. Broadband Routers and Firewalls
    How Broadband Routers and Firewalls Work
    Linksys Broadband Routers/Firewalls
    Linksys Requirements
    How the Linksys Router/Firewall Works
    Configuring Linksys
    Linksys Checklist
    Summary
  Chapter 6. Cisco PIX Firewall and ASA Security Appliance
    PIX/ASA Features
    Choosing Between the PIX and the ASA
    Cisco PIX Firewall and ASA Models
    How the PIX/ASA Firewall Works
    Configuring the Cisco PIX/ASA
    PIX/ASA Checklist
    Summary
  Chapter 7. Linux Based Firewalls
    NetFilter Features
    NetFilter Requirements
    How NetFilter Works
    Configuring NetFilter
    NetFilter Checklist
    Summary
  Chapter 8. Application Proxy Firewalls
    Application Layer Filtering
    Proxy Server Functionality
    Limitations of Application Proxy Firewalls
    Microsoft ISA Server 2004 Firewall
    Summary
  Chapter 9. Where Firewalls Fit in a Network
    Different Types of Office Requirements
    Single-Firewall Architectures
    Dual-Firewall Architecture
    The Firewall System
    Where Personal/Desktop Firewalls Fit in a Network
    Where Application Firewalls Fit in a Network
    Firewalls and VLANs
    Using Firewalls to Segment Internal Resources
    High-Availability Firewall Designs
    Summary
Part III: Managing and Maintaining Firewalls
  Chapter 10. Firewall Security Policies
    Written Security Policies
    Firewall Policies/Rulesets
    Summary
  Chapter 11. Managing Firewalls
    Default Passwords
    Maintaining the Underlying Platform
    Firewall Management Interface
    Management Access
    Common Firewall Management Tasks
    Summary
  Chapter 12. What Is My Firewall Telling Me?
    Firewalls and Logging
    Firewall Log Review and Analysis
    Firewall Forensics
    Summary
  Chapter 13. Troubleshooting Firewalls
    Developing a Troubleshooting Checklist
    Basic Firewall Troubleshooting
    Advanced Firewall Troubleshooting
    Troubleshooting Example
    Summary
  Chapter 14. Going Beyond Basic Firewall Features
    Content Filtering
    Performing Application Filtering
    Intrusion Detection and Prevention
    Virtual Private Networks
    Summary
    Endnotes
Part IV: Appendixes
  Appendix A. Firewall and Security Tools
    Common Troubleshooting Tools
    Logging and Log-Analysis Tools
    Security-Testing Tools
  Appendix B. Firewall and Security Resources
    Firewall-Specific Information
    General Security Information
    Additional Reading
Index


Copyright
Firewall Fundamentals
Wes Noonan
Ido Dubrawsky
Copyright © 2006 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing June 2006
Library of Congress Cataloging-in-Publication Number: 2004114308

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
This book is designed to provide information about firewalls. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact: U.S. Corporate and Government Sales 1-800-382-3419
For sales outside of the U.S. please contact: International Sales 1-317-581-3793

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at
Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.

Editor-in-Chief: Paul Boger
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Executive Editor: Brett Bartow
Production Manager: Patrick Kanouse
Development Editor: Andrew Cupp
Project Editor: Interactive Composition Corporation
Copy Editor: Interactive Composition Corporation
Technical Editors: Randy Ivener, Eric Seagren
Editorial Assistant: Raina Han
Book and Cover Designer: Louisa Adair
Composition: Interactive Composition Corporation
Indexer: Tim Wright

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
Capital Tower
168 Robinson Road
#22-01 to #29-01
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices.
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2003 Cisco Systems, Inc. All rights reserved. COP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)
Printed in the USA

Dedication
For SSgt. Anthony L. Goodwin, USMC. KIA 05/08/05. Semper Fidelis, my friend, you will not be forgotten.


About the Authors

Wes Noonan, CISA, is a staff quality engineer at NetIQ working on their security solutions product line. Wes has more than 12 years of industry experience, specializing in Windows-based networks and network infrastructure security design and implementation. Wes is the author of Hardening Network Infrastructure (ISBN 0072255021), is a contributing/co-author of CISSP Training Guide (ISBN 078972801X) and Hardening Network Security (ISBN 0072257032), and is a technical editor for Hacking Exposed: Cisco Networks (ISBN 0072259175). Wes also maintains a Windows network security "Ask the Experts" section for Techtarget.com. Wes lives in the Houston, Texas, metropolitan area with his wife and two bulldogs.

Ido Dubrawsky, CISSP, is the strategic security advisor for the Communications Sector at Microsoft. Prior to working at Microsoft, Ido was the owner and president of Silicon Security, Inc., a mid-Atlantic network security consulting company, as well as the acting national practice lead for the security consulting practice at AT&T/Callisma. Before joining AT&T/Callisma, Ido worked for more than four years at Cisco Systems, Inc., as both a network security engineer as well as a network security architect on the SAFE project.


About the Technical Reviewers

Randy Ivener, CCIE No. 10722, is a security specialist with the Cisco Systems product security incident response team. He is a CISSP and ASQ CSQE. Randy has spent many years as a network security consultant helping companies understand and secure their networks. Before becoming immersed in information security, he spent time in software development and as a training instructor. Randy graduated from the U.S. Naval Academy and holds a master's degree in business administration.

Eric S. Seagren, CISA, CISSP-ISSAP, SCNP, CCNA, MCP+I, MCSE, and CNE, has nine years of experience in the computer industry, with the past seven years spent in the financial services industry working for a Fortune 100 company. Eric started his computer career working on Novell servers and performing general network troubleshooting for a small Houston-based company. While working in the financial services industry, his duties have included server administration, disaster recovery responsibilities, business continuity coordinator, Y2K remediation, and network vulnerability assessment responsibilities. He has spent the past few years as an IT architect and risk analyst, designing and evaluating secure, scalable, and redundant networks. Eric lives in Missouri City, Texas.




Acknowledgments

From Wes:
I'd like to thank my wife for once again sacrificing the time it took me to work on another book. I couldn't do this without you.
I could not have done this had Brian Ford not been willing to take a chance on bringing me in on this project. Likewise, I appreciate the chance to work with Ido Dubrawsky and look forward to future partnerships. I want to thank both Brian and Ido for the opportunity and privilege of working with them both.
To Brett Bartow and Andrew Cupp, I know we drove you crazy from time to time, but thanks for being patient and sticking with us and providing the guidance and encouragement we needed to finish this project.
Thank you to my colleagues both at Collective Technologies and NetIQ for giving me the opportunity to mature and grow as an engineer and a person. To Jeff Pollard for giving me the time I needed to finish this project, everyone should be so lucky as to work for a boss like you. I'd also like to thank Geri Williams for providing technical expertise on the late nights of writing. I'd be remiss if I didn't thank the technical and copy editors for helping to ensure not only the technical accuracy of what I wrote, but for making me sound far more intelligent than I am by making it appear that I have a much better grasp of English and the written word than I do!
Finally, thank you to my family and friends for all of their support and encouragement. Roll 20s and Semper Fidelis.

From Ido:
I would like to thank, first and foremost, my wife, whom I dearly love and treasure and without whom I would not be where I am today. Second, I wish to give my thanks to my wonderful children, who are truly the light of my life. I took time away from my family to write this book, and there were moments where I wished to be there more for them but could not be. I love all of you with all of my heart. May G-d bless you all and keep you. May G-d shine his countenance upon you all and be gracious to you. May G-d lift his countenance to you all and bring you peace.
I wish to also thank Wes Noonan for agreeing to work on this project as a great co-author and to thank Brett Bartow for being as patient an editor as he has been. My schedule notwithstanding, this has been a trial for both of them, too. Thanks also to Brian Ford for bringing me in on this project and for listening to me when I was frustrated with it.
To my good friend Ben Bazian, who has been a source of humor and good counsel when I needed it, I wish to give a very big thank you. A big thanks also goes to Nigel Willson for being a great national director for the Security Consulting Practice over at AT&T. I also want to thank Ricardo Farraj-Ruiz, Charles Outlaw, and Karl Weaver over at CRS in the Library of Congress for being great people to work with. And last but certainly not least, thanks to David Barak and Peter Griffin over at AT&T/Callisma. David has amazed me with his vast knowledge of service provider routing, and Peter has immense knowledge in the optical world and in that strange world that is Callisma management.




Icons Used in This Book




Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
- Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
- Italics indicate arguments for which you supply actual values.
- Vertical bars | separate alternative, mutually exclusive elements.
- Square brackets [ ] indicate optional elements.
- Braces { } indicate a required choice.
- Braces within brackets [{ }] indicate a required choice within an optional element.


Introduction
Firewalls are a staple component of a secure network in today's Internet. This book provides network administrators who are more focused on the core network services and end users an opportunity to learn about modern firewall capabilities. This book is not an exhaustive reference on all possible firewalls nor is it a complete text on the firewalls that are mentioned in this book. Instead, this book provides a solid foundation of fundamental knowledge upon which readers can build their knowledge and skills in firewall administration and implementation (and security in general).

Motivation
The intent for this book is to provide information about the basic workings of firewalls, with a predominant slant toward the smaller appliance firewall, such as the Linksys and Cisco PIX 501E, as well as the personal firewall such as the Windows Firewall. Although vendors' firewall products vary greatly, fundamental underlying principles do not vary because of the nature of the technology. The hope is that this book provides readers with an understanding of these fundamental principles.

Goals and Objectives
The goal of this book is to provide a ready reference for the reader on firewall technology, especially where it pertains to the personal and desktop firewall. Readers will come away with enough knowledge that they will then be able to approach some of the references provided at the end of this book to learn more and expand their knowledge of this important class of devices in network security.

Target Audience
The target audience for this book is novice network administrators, home users, and corporate employees who are telecommuting but want to use a firewall to protect their network. This book does not aim to be a thorough reference on firewalls and all of their capabilities. Instead, the focus is predominantly on smaller firewalls such as the Cisco PIX 501E, Linksys, and personal firewalls such as Windows Firewall and Trend Micro's Firewall. The reader of this book is expected to have some knowledge of the basics of networking and of computer operating systems.

How This Book Is Organized
This book provides a building-block approach to the material. The initial focus is on the basics of firewalls and a review of TCP/IP. Although the book is intended to be read cover to cover, it can also provide point references for various products and concepts. Chapters 1 through 3 provide the necessary background to firewalls and TCP/IP concepts as they relate to firewalls. The core content lies in Part II and Part III, where the focus shifts to how various firewall products are implemented and how to manage firewalls.
A quick overview of the contents for the various chapters follows:

Chapter 1, "Introduction to Firewalls": This chapter introduces what a firewall is and discusses what a firewall can be reasonably expected to do. The focus is on what a firewall is, what security threats exist, what the firewall security policy is, and how you can use the firewall to protect against threats.

Chapter 2, "Firewall Basics": This chapter covers the basics of various firewall technologies. The focus is on explaining software firewalls, integrated firewalls, and appliance firewalls. These are further broken down into the various modes of operation such as personal, network, NAT, proxy, circuit, and transparent firewalls as well as how they work.

Chapter 3, "TCP/IP for Firewalls": This chapter is a primer on TCP/IP and how TCP/IP functions from the perspective of firewall administration. The various protocols, applications, and services in the TCP/IP world are reviewed, with a particular focus on IP, TCP, UDP, and ICMP (for an understanding of how a firewall can be configured to control them).

Chapter 4, "Personal and Desktop Firewalls": This chapter covers personal firewalls that can be found or installed on laptop and desktop systems. The two example systems provided in this chapter are Windows Firewall (found in Windows XP Service Pack 2 and Windows 2003 Server systems) and Trend Micro's Firewall (which is part of the Internet Security Suite).

Chapter 5, "Broadband Routers and Firewalls": This chapter looks at what a broadband router/firewall is, how it works, and how and where it should be implemented. The focus of the chapter is on the Linksys broadband routers, and a discussion of the basic features and functionality necessary to perform the initial configuration is provided.

Chapter 6, "Cisco PIX Firewall and ASA Security Appliance": This chapter looks at the Cisco lower-end firewalls: the PIX 501E and the PIX 506E. These devices are marketed to the end-user/small-office and remote-office markets. A quick overview of some of the PIX capabilities as well as how to configure the system initially is provided.

Chapter 7, "Linux-Based Firewalls": This chapter covers the evolution of Linux-based firewalls, from ipfwadm to ipchains to the latest incarnation, NetFilter. In addition, an overview of configuring Linux-based firewalls is provided.

Chapter 8, "Application Proxy Firewalls": This chapter looks at what an application proxy is, how it works, and how and where it should be implemented. The focus of the chapter is on the Microsoft ISA Server 2004 firewall, and a discussion of the basic features and functionality necessary to perform a basic configuration is provided.

Chapter 9, "Where Firewalls Fit in a Network": This chapter focuses on architecting and designing firewall deployments. The chapter discusses different types of firewall design architectures, including dual firewall and different types of DMZ implementations. This chapter also explores the different types of firewalls and where each type of firewall best fits in the network.

Chapter 10, "Firewall Security Policies": All firewalls function by virtue of how the firewall security policies are configured. This chapter covers the different types of firewall security policies and rulesets that exist with a focus on ingress and egress filters as well as how to provide for secure management access.

Chapter 11, "Managing Firewalls": The management of firewalls is a crucial issue. As firewalls become more and more complicated, the configuration of them and the management of them becomes harder and harder for the average user and for the novice administrator. This chapter covers some of the management tools used to manage personal and small firewalls.

Chapter 12, "What Is My Firewall Telling Me?": Some of the most valuable information a firewall can provide is from its log files. This chapter looks at the types of logging supported by most firewalls and the kind of information that can be gleaned from that information. This chapter explains how to read the information provided by the logs and how that information can be used for forensics analysis. This chapter also identifies the top 10 things to look for in log files.

Chapter 13, "Troubleshooting Firewalls": Regardless of how well you implement, sooner or later you are going to need to troubleshoot something regarding your firewall. This chapter examines how to build a troubleshooting checklist that you can use to troubleshoot traffic flow through the firewall (as well as through the firewall itself).

Chapter 14, "Going Beyond Basic Firewall Features": This chapter explores many of the advanced features that firewalls can provide, while at the same time illustrating the limitations of firewalls in providing these advanced features.

Appendix A, "Firewall and Security Tools": This appendix lists firewall and security tools and briefly discusses usage and situations in which each tool is appropriate.

Appendix B, "Firewall and Security Resources": This appendix lists online and traditionally published resources for additional learning. These resources provide a solid next step of more detailed and technical information to build on the fundamentals you have gained from this book.


Part I: Introduction to Firewalls

Chapter 1 Introduction to Firewalls
Chapter 2 Firewall Basics
Chapter 3 TCP/IP for Firewalls


Chapter 1. Introduction to Firewalls
Depending on whom you talk to, a firewall is either the cornerstone of their organization's security infrastructure, or it is a device that has woefully failed to live up to expectations. How can one device have such a contrast in perceptions? The biggest reason for this is a misunderstanding of what a firewall is and is not, and what a firewall can and cannot do.
This chapter looks at what a firewall is and how a firewall works to illustrate what the reasonable expectations for a firewall are. This chapter also examines the threats that exist and the motivations of attackers to explore how firewalls can and, most important, cannot protect against those threats.

What Is a Firewall?
When most people think of a firewall, they think of a device that resides on the network and controls the traffic that passes between network segments, such as the firewall in Figure 1-1 (a network-based firewall). However, firewalls can also be implemented on systems themselves, such as with Microsoft Internet Connection Firewall (ICF), in which case they are known as host-based firewalls. Fundamentally, both types of firewalls have the same objective: to provide a method of enforcing an access control policy. Indeed, at the simplest definition, firewalls are nothing more than access control policy enforcement points.

Figure 1-1. A Network Firewall Enforcing Access Controls

Firewalls enable you to define an access control requirement and ensure that only traffic or data that meets that requirement can traverse the firewall (in the case of a network-based firewall) or access the protected system (in the case of a host-based firewall). Figure 1-1 illustrates how you can use a network-based firewall to allow only traffic that is permitted to access protected resources.
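The definition above, a firewall as an access control policy enforcement point that lets through only traffic matching the policy, can be made concrete with a toy first-match packet filter. The following Python is an added example and not code from the book or from any firewall product it covers; the addresses, rule names and ruleset are constructed for illustration (RFC 5737 documentation ranges for the "outside" and protected hosts, RFC 1918 space for the inside network), and the Packet/Rule/evaluate names are this example's own. It shows the two behaviours that make the device an enforcement point: rules are consulted in order and the first match decides, and anything no rule permits falls to an implicit deny.

```python
"""Toy first-match packet filter: an access control policy enforcement point.

Added illustration only; addresses and rules are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: IPv4Address
    dst: IPv4Address
    dport: Optional[int]  # None for protocols without ports (ICMP)


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # protocol name, or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None matches any destination port
    name: str             # label reported with the decision (for logging)

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the rule covers the packet."""
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if pkt.src not in self.src or pkt.dst not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.dport


# Constructed networks: RFC 5737 TEST-NET ranges and RFC 1918 inside space.
ANY = ip_network("0.0.0.0/0")
INSIDE = ip_network("10.0.0.0/8")
WEB_SERVER = ip_network("192.0.2.10/32")
DNS_SERVER = ip_network("192.0.2.53/32")
BLOCKED_HOST = ip_network("198.51.100.7/32")   # a constructed sample address

# Ordered ruleset: first match wins. A specific deny is placed before the
# broader permits so it cannot be shadowed by them.
POLICY: List[Rule] = [
    Rule("deny",   "any", BLOCKED_HOST, ANY,        None, "block-known-bad-host"),
    Rule("permit", "tcp", ANY,          WEB_SERVER, 80,   "public-web-http"),
    Rule("permit", "tcp", ANY,          WEB_SERVER, 443,  "public-web-https"),
    Rule("permit", "udp", INSIDE,       DNS_SERVER, 53,   "inside-dns"),
]


def evaluate(pkt: Packet, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, rule name) for the first rule that matches.

    Traffic no rule covers is denied: the policy states what is permitted,
    everything else is refused by default.
    """
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def make_packet(proto: str, src: str, dst: str, dport: Optional[int] = None) -> Packet:
    """Convenience constructor taking dotted-quad strings."""
    return Packet(proto, ip_address(src), ip_address(dst), dport)


if __name__ == "__main__":
    # Constructed sample traffic crossing the enforcement point.
    samples = [
        make_packet("tcp", "203.0.113.5", "192.0.2.10", 80),    # permitted web
        make_packet("tcp", "203.0.113.5", "192.0.2.10", 22),    # no rule: denied
        make_packet("tcp", "198.51.100.7", "192.0.2.10", 80),   # blocked host first
        make_packet("udp", "10.1.2.3", "192.0.2.53", 53),       # inside DNS ok
        make_packet("udp", "203.0.113.9", "192.0.2.53", 53),    # outside DNS denied
        make_packet("icmp", "10.1.2.3", "192.0.2.10"),          # not permitted
    ]
    for p in samples:
        action, why = evaluate(p)
        print(f"{p.proto:4} {p.src!s:>14} -> {p.dst!s:<12} "
              f"port={p.dport!s:<4} {action:6} ({why})")
```

The rule ordering is the part worth studying: swap the `block-known-bad-host` entry below the web permits and the same host reaches the web server on port 80, because the broader permit now matches first. Returning the rule name alongside the action is what makes the decision reviewable later in logs, which is the thread Chapter 12 picks up.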

