It teaches you how to work and play with devices like the Cisco ASA family, and works as a definitive guide to all forms of network security features. The publication is a master class in itself. Not only does it inform us about each Cisco ASA device, but also skilfully explains various types of network security flaws, weaknesses, points of security failures and attacks. Then it goes about explaining how such network security issues can be dealt with by showing a corresponding firewall feature to counter such risks.


On the inside of the security domain or firewall, trusted resources exist; on the outside are untrusted things. This trust relationship is only locally significant, however. Consider the data center boundary firewall in Figure. The users just outside the data center are untrusted (at least from the perspective of that firewall), but they are still trusted from the perspective of the Internet boundary firewall.

Each firewall has its own set of security policies and its own concept of a trust boundary. Now consider a different scenario. Company A is surrounded by a security domain at the Internet boundary. It wants to allow its internal, trusted users to connect to resources out on the public Internet through the Internet firewall.

Company A also has some web servers that it wants to have face the public so that untrusted Internet users can interact with the business. If the web servers are located somewhere inside the security domain, then untrusted users would be granted access into the trusted environment. Because the web server is already a trusted resource, the malicious users might then use that server to attack other trusted resources.

A better solution is to put the web servers into a security domain of their own, somewhere between the trusted internal network and the untrusted Internet. This is commonly called a demilitarized zone (DMZ). Figure shows one solution that leverages the Internet firewall. Separating security domains can be done in one of two ways: physical separation or logical separation. Physical separation requires that each physical firewall interface be connected into a distinct network infrastructure.

For example, Figure shows how a firewall physically separates a network into two distinct pieces, with each firewall interface connecting into a different switch.

Physical separation provides the utmost security because traffic cannot pass between security domains without some sort of physical intervention—the firewall would have to be disconnected, cables rerouted, and so on.

In Figure, a firewall forms a boundary between two security domains that are carried over two separate VLANs. Logical networks are cost effective and can be flexible and complex. This makes logical separation less secure than physical separation, simply because a firewall might be bypassed or breached through a misconfiguration or failure of a logical network component or through an exploit of the logical separation itself.

Chapter 1: Cisco ASA Adaptive Security Appliance Overview

Firewall Techniques

In its most basic form, a firewall strives to isolate its interfaces from each other and to carefully control how packets are forwarded from one interface to another.

A firewall can enforce access control across a security boundary based on layers in the Open Systems Interconnection (OSI) model. For example, a firewall performing network layer access control can make decisions based on Layers 2 through 4, or the data link, network, and transport layers. Such a firewall might control whether IP traffic can pass through, whether hosts on one side can open UDP or TCP connections to resources on the other side, and so on.

Firewalls that perform application layer access control enforce security policies at Layers 5 through 7, or the session, presentation, and application layers. Such a firewall can control what users do within applications that pass data from one side to another.

Permissive access control is also known as a reactive approach because it can react or block traffic only after potentially threatening things are identified and rules are put in place.

Otherwise, everything else is allowed to pass through. Permissive rules are usually added to a firewall by intrusion prevention systems (IPS) and antivirus systems, which are tools that react to things that are detected on the network in real time. Restrictive access control is also known as a proactive approach. Every acceptable type of traffic is identified ahead of time and entered into the firewall rules so that it may pass without further intervention.

Any other traffic, whether it is malicious, undesirable, or just unidentified, is blocked by default. A firewall can use its access control approach to evaluate and filter traffic based on the methods and techniques described in the following sections.

Stateless Packet Filtering

Decisions to forward or block a packet are made on each packet independently. Therefore, the firewall has no concept of a connection state; it knows only whether each packet conforms to the security policies. Stateless packet filtering is performed by using a statically configured set of firewall rules.

Stateless packet filters can be characterized by the attributes listed in the following table.

Table: Characteristics of a Stateless Packet Filter
  Feature: Statically configured rules, usually for a restrictive approach
  Limitation: Effective filtering is limited by human rule configuration
  Feature: Effective for Layer 3 address, protocol, or Layer 4 port number filtering
  Limitation: No tracking of dynamically negotiated sessions or changing port numbers
  Feature: Efficient and cost-effective
  Limitation: Relatively easy to exploit

Stateful Packet Filtering

Stateful packet filtering (SPF) requires that a firewall keep track of individual connections or sessions as packets are encountered.

The firewall must maintain a state table for each active connection that is permitted, to verify that the pair of hosts is following an expected behavior as they communicate. As well, the firewall must inspect traffic at Layer 4 so that any new sessions that are negotiated as part of an existing connection can be validated and tracked. Tracking the negotiated sessions requires some limited inspection of the application layer protocol.
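As an added illustration (not code from the book), the toy Python filter below contrasts the stateless and stateful behaviour described above: the stateful version keeps a state table, admits return traffic only for sessions it has tracked, and performs the limited application-layer inspection of an FTP control channel that is needed to track the negotiated data session. The rule set, addresses and packets are constructed samples.

```python
"""Toy stateless vs. stateful packet filter (added illustration, not the book's code).
Packets are constructed dicts, not real captures; the policy is restrictive (default deny)."""
import re
# Static rules (source prefix, destination IP, protocol, destination port): constructed sample policy.
RULES = [("10.1.", "203.0.113.10", "tcp", 21)]

def pkt(src, sport, dst, dport, proto="tcp", payload=""):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto, "payload": payload}

def matches_rules(rules, p):
    return any(p["src"].startswith(net) and p["dst"] == dst and p["proto"] == proto
               and p["dport"] == port for net, dst, proto, port in rules)

def stateless_verdict(p):
    """Stateless filter: every packet is judged alone against static rules, with no session memory."""
    return "allow" if matches_rules(RULES, p) else "deny"

class StatefulFilter:
    def __init__(self):
        self.state = set()     # 5-tuples of tracked, permitted sessions (the state table)
        self.pinholes = set()  # (client ip, client port) announced on the FTP control channel

    def verdict(self, p):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"], p["proto"])
        if fwd in self.state or rev in self.state:
            self._inspect(p)   # limited application-layer look at an established session
            return "allow (existing session)"
        if matches_rules(RULES, p):
            self.state.add(fwd)
            return "allow (new session)"
        if (p["dst"], p["dport"]) in self.pinholes:
            self.pinholes.discard((p["dst"], p["dport"]))  # one-shot: the pinhole closes once used
            self.state.add(fwd)
            return "allow (negotiated data session)"
        return "deny (default)"

    def _inspect(self, p):
        # Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" naming the port the server must connect to.
        m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", p["payload"])
        if p["dport"] == 21 and m:
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            self.pinholes.add((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))

def demo():
    """Replays a constructed active-mode FTP exchange through both filters."""
    c, s = "10.1.1.5", "203.0.113.10"
    flow = [pkt(c, 40000, s, 21), pkt(s, 21, c, 40000),                  # control channel, both directions
            pkt(c, 40000, s, 21, payload="PORT 10,1,1,5,195,81"),         # announces 195*256+81 = 50001
            pkt(s, 20, c, 50001)]                                         # server opens the data channel
    sf = StatefulFilter()
    return [(stateless_verdict(p), sf.verdict(p)) for p in flow]
```

The stateless filter denies both the server's control-channel reply and the data connection unless a standing rule for them is added, which is exactly the "no tracking of dynamically negotiated sessions" limitation above.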

Stateful packet filters can be characterized by the attributes listed in the following table.

Table: Characteristics of a Stateful Packet Filter
  Feature: Reliable filtering of traffic at Layers 3 and 4; typically used for a restrictive approach
  Limitation: No visibility into Layers 5 through 7
  Feature: Simple configuration; less reliance on human knowledge of protocols
  Limitation: None listed
  Feature: High performance
  Limitation: No protocol verification

Stateful Packet Filtering with Application Inspection and Control

To move beyond stateful packet filtering, firewalls must add additional analysis at the application layer.

Inspection engines in the firewall reassemble UDP and TCP sessions and look inside the application layer protocols that are passing through. Application inspection and control (AIC) comes at a price, as a firewall needs more processing power and more memory to be able to inspect and validate application sessions as they unfold.

Table: Characteristics of Stateful Packet Filtering with Application Inspection and Control
  Feature: Reliable filtering of Layers 3 through 7; typically used for a restrictive approach
  Limitation: Limited buffering for thorough application analysis
  Feature: Simple configuration; less reliance on human knowledge of protocols
  Limitation: None listed
  Feature: Medium performance
  Limitation: AIC requires greater processing power

Network Intrusion Prevention System

A network intrusion prevention system (NIPS) examines and analyzes network traffic and compares it to a database of known malicious activity.

The database contains a large number of signatures or patterns that describe specific known attacks or exploits. As new attacks are discovered, new signatures are added to the database. In some cases, NIPS devices can detect malicious activity from single packets or atomic attacks. In other cases, groups or streams of packets must be collected, reassembled, and examined.

A network IPS usually operates with a permissive approach, where traffic is allowed to cross security domains unless something suspicious is detected. Once that occurs, the NIPS can generate firewall rules dynamically to block or reset malicious packets or connections.

Table: Characteristics of a Network Intrusion Prevention System
  Feature: A rich signature database of attack patterns, covering Layers 3 through 7
  Limitation: Limited buffering for thorough application analysis
  Feature: Usually used in a permissive approach
  Limitation: Requires inline operation or partnership with a firewall to react to detected threats; cannot usually detect attacks that are new or not previously known
  Feature: Medium performance
  Limitation: Requires periodic tuning to manage false positive and false negative threat detection

Network Behavior Analysis

Network behavior analysis (NBA) systems examine network traffic over time to build statistical models of normal, baseline activity.

An NBA system continually examines traffic and refines its models automatically, although human intervention is needed to tune the results. Once the models are built, an NBA system can trigger on any activity that it considers to be an anomaly or that falls outside the normal conditions. Even when malicious activity involves a previously unknown scheme, an NBA system can often detect it if it involves traffic patterns or volumes that fall outside the norm. An NBA system can be characterized by the attributes listed in the following table.

Table: Characteristics of a Network Behavior Analysis System
  Feature: Examines inline network traffic or offline traffic data to build profiles or models of normal network activity
  Limitation: Human intervention is required for model tuning
  Feature: Can detect previously unknown attacks
  Limitation: Generates false positives if legitimate traffic appears to be an anomaly
  Feature: Uses a restrictive approach, detecting or blocking everything that is not known good activity
  Limitation: None listed

Application Layer Gateway (Proxy)

An application layer gateway (ALG) or proxy is a device that acts as a gateway or intermediary between clients and servers.

A client must send its application layer requests to the proxy instead of to any destination server. Once the servers answer the requests, the proxy evaluates the content and decides what to do with it. Because a proxy operates on application requests, it can filter traffic based on the IP addresses involved, the type of application request, and the content of any data that is returned from the server. Proxies can perform detailed and thorough analysis of client-server connections.

Traffic can be validated against protocol standards at Layers 3 through 7, and the results can be normalized or made to conform to the standards, as needed. An ALG or proxy can be characterized by the attributes listed in Table


Book Review: CCNP Security FIREWALL 642-618 Official Cert Guide

They are built with the objective of providing assessment, review, and practice to help ensure you are fully prepared for your certification exam. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. Expert networking consultants Dave Hucaby, Dave Garneau, and Anthony Sequeira share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics. Well-regarded for its level of detail, assessment features, comprehensive design scenarios, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.


CCNP Security FIREWALL 642-618 Official Cert Guide

In addition, it contains all the chapter-opening assessment questions from the book. This integrated learning package:
  Allows you to focus on individual topic areas or take complete, timed exams
  Includes direct links from each question to detailed tutorials to help you understand the concepts behind the questions
  Provides unique sets of exam-realistic practice questions
  Tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most
Pearson IT Certification Practice Test minimum system requirements: Windows XP (SP3), Windows Vista (SP2), or Windows 7; Microsoft .NET Framework 4.
