Complete Reference / Firewalls: TCR / Strassberg, Rollie, Gondek / 9567-3 / Front Matter
Contents
Foreword. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Definition of a Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Why Use a Firewall? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Common Types of Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Firewall Placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Firewall Strengths and Weaknesses . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Strengths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Weaknesses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Good Security Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Help Your Systems Help Themselves . . . . . . . . . . . . . . . . . 7
Patch! Patch! Patch! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Appliance vs. Operating System . . . . . . . . . . . . . . . . . . . . . . 8
Layer Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Creating a Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Monitoring and Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Auditing and Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4 Firewall Architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Packet Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
How Packet Filtering Works . . . . . . . . . . . . . . . . . . . . . . . . . 85
Creating a Rule Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Advantages and Disadvantages . . . . . . . . . . . . . . . . . . . . . . 89
Application Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
How Application Gateways Work . . . . . . . . . . . . . . . . . . . . 91
Disadvantages of Application Gateways . . . . . . . . . . . . . . . 93
Circuit-Level Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
How Circuit Gateways Work . . . . . . . . . . . . . . . . . . . . . . . . 94
Disadvantages of Circuit Gateways . . . . . . . . . . . . . . . . . . . 95
Stateful Packet Inspection (SPI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
How Stateful Packet Inspection Firewalls Work . . . . . . . . 95
Security Advantages of SPI . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Implementation Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Network Host-Based Firewalls . . . . . . . . . . . . . . . . . . . . . . . 98
Router-Based Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Single Host-Based Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Appliance Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Encryption Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Hash Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Virtual Private Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Proprietary Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Network Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Audit Trails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Session Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Virus Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
State Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Additional Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
NAT/Global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Access Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Caveats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
IOS FFS Design Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Installing and Configuring the Firewall . . . . . . . . . . . . . . . . . . . . . . . 478
The Cisco IOS Command-Line Interface . . . . . . . . . . . . . . . 479
Documenting IP and Port Information . . . . . . . . . . . . . . . . . 481
Installing the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Configuring the IOS FFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Essential Router Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Configuring CBAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Understanding How CBAC Works . . . . . . . . . . . . . . . . . . . 493
Configuring the Access Control Lists . . . . . . . . . . . . . . . . . . 494
Configuring Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Turning on Alerts and the Audit Trail . . . . . . . . . . . . . . . . . 498
Configuring PAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901