Cisco Press
201 West 103rd Street
Indianapolis, IN 46290 USA

CCSP Self-Study
CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide

0678_fmi.book Page i Friday, February 28, 2003 4:21 PM

Greg Bastien, Christian Degu

Copyright © 2003 Cisco Systems, Inc.

Published by:
Cisco Press
201 West 103rd Street
Indianapolis, IN 46290 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

First Printing March 2003

Library of Congress Cataloging-in-Publication Number: 2002107269

ISBN: 1-58720-067-8

Warning and Disclaimer

This book is designed to provide information about the Cisco Secure PIX Firewall Advanced Exam (CSPFA 9E0-111 and 642-521) for the Cisco Certified Security Professional. Every effort has been made to make this book as complete and accurate as possible, but no warranty or fitness is implied.

The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members of the professional technical community.
Reader feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please be sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Publisher: John Wait
Editor-In-Chief: John Kane
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Sonia Torres Chavez
Cisco Marketing Communications Manager: Scott Miller
Cisco Marketing Program Manager: Edie Quiroz
Executive Editor: Brett Bartow
Acquisitions Editor: Michelle Grandin
Production Manager: Patrick Kanouse
Senior Development Editor: Christopher Cleveland
Project Editor: Marc Fowler
Copy Editor: Gayle Johnson
Technical Editors: Will Aranha, Mesfin Goshu, Jonathan Limbo, Gilles Piché
CD Content: Jonathan Limbo
Team Coordinator: Tammi Ross
Book Designer: Gina Rexrode
Cover Designer: Louisa Adair
Compositor: Mark Shirar
Indexer: Larry Sweazy

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems Europe
11 Rue Camille Desmoulins
92782 Issy-les-Moulineaux Cedex 9
France
http://www-europe.cisco.com
Tel: 33 1 58 04 60 00
Fax: 33 1 58 04 61 00

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems Australia, Pty., Ltd
Level 17, 99 Walker Street
North Sydney NSW 2059 Australia
http://www.cisco.com
Tel: +61 2 8448 7100
Fax: +61 2 9957 4350

Cisco Systems has more than 200 offices in the following countries.
Addresses, phone numbers, and fax numbers are listed on the Cisco Web site at www.cisco.com/go/offices

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2000, Cisco Systems, Inc. All rights reserved. Access Registrar, AccessPath, Are You Ready, ATM Director, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, iQuick Study, iQ Readiness Scorecard, The iQ Logo, Kernel Proxy, MGX, Natural Network Viewer, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, RateMUX, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast, SMARTnet, SVX, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router, Workgroup Director, and Workgroup Stack are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert Logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Collision Free,
Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries.

All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0010R)

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

About the Authors

Greg Bastien, CCNP, CCSP, CISSP, currently works as a senior network security engineer for True North Solutions, Inc. as a consultant to the U.S. Department of State. He is an adjunct professor at Strayer University, teaching networking and network security classes. He completed his undergraduate and graduate degrees at Embry-Riddle Aeronautical University while on active duty as a helicopter flight instructor in the U.S. Army. He lives with his wife, two sons, and two dogs in Monrovia, Maryland.

Christian Degu, CCNP, CCDP, CCSP, currently works as a consulting engineer to the Federal Energy Regulatory Commission. He is an adjunct professor at Strayer University, teaching computer information systems classes. He has a master’s degree in computer information systems. He resides in Alexandria, Virginia.
About the Technical Reviewers

Will Aranha is currently a principal security engineer with Symantec Corp. His primary job is as a technical product manager, which includes determining new product support, baselining, and providing technical training to the security engineering staff. Aranha is well-versed in many information security products and practices. Along with numerous firewall/VPN and IDS deployments, both domestic and international, he provides third-tier technical support to a 24/7 Security Operations Center, serving as a subject matter expert for all Managed Services supported products. Aranha has also contributed to the growth and success of the start-up company Riptech, Inc., which was acquired by Symantec Corp. It is now the premier security solutions provider in the market. In his free time, he has completed many industry-leading security certifications.

Mesfin Goshu, CCIE No. 8350, is a system engineer for Metrocall Wireless Inc., the second-biggest wireless company in the U.S. He is responsible for designing, maintaining, troubleshooting, and securing Metrocall’s backbone. He has been with Metrocall for almost six years. He has an extensive background in OSPF, BGP, MPLS, and network security. He has a BSc in computer and information science and civil engineering. He currently is working toward an MSc in telecommunications. As a senior network engineer, he has worked for INS and the Pentagon as a contractor. He has been in the networking field for more than nine years.

Jonathan Limbo, CCIE Security No. 10508, is currently working as a Security and VPN support engineer acting as escalation for PIX issues as well as for other security and VPN products. Jonathan has worked in the IT industry for 5 years, most of that time as a network engineer.

Gilles Piché is a security consultant who has been working in the Network Security field in Canada for over 6 years.
Prior to that, he did contract work with the Canadian government in a network engineering capacity. Gilles is also a Cisco Certified Security Instructor and has been teaching Cisco Security courses for Global Knowledge Network (Canada) for the last 2 years.

Dedications

To Ingrid, Joshua, and Lukas. Thank you for putting up with me while I was locked in the office.
—Greg

To my father, Aberra Degu, and my mother, Tifsehit Hailegiorgise. Thank you for inspiring me and loving me as you have. To my brother, Petros, and sisters, Hiwote and Lula, I love you guys.
—Christian

Acknowledgments

Writing this book has been a difficult and time-consuming yet extremely rewarding project. Many have contributed in some form or fashion to the publishing of this book. We would especially like to thank the Cisco Press team, including Michelle Grandin, Acquisitions Editor, and Christopher Cleveland, Senior Development Editor, for their guidance and encouragement throughout the entire writing process. We would also like to thank the technical reviewers, who had to endure our draft manuscripts and who helped us remain on track throughout the process.
Contents at a Glance

Introduction xxii
Chapter 1 Network Security 3
Chapter 2 Firewall Technologies and the Cisco PIX Firewall 13
Chapter 3 The Cisco Secure PIX Firewall 23
Chapter 4 System Maintenance 47
Chapter 5 Understanding Cisco PIX Firewall Translation and Connections 65
Chapter 6 Getting Started with the Cisco PIX Firewall 91
Chapter 7 Configuring Access 111
Chapter 8 Syslog 129
Chapter 9 Cisco PIX Firewall Failover 143
Chapter 10 Virtual Private Networks 159
Chapter 11 PIX Device Manager 209
Chapter 12 Content Filtering with the Cisco PIX Firewall 245
Chapter 13 Overview of AAA and the Cisco PIX Firewall 257
Chapter 14 Configuration of AAA on the Cisco PIX Firewall 273
Chapter 15 Attack Guards and Multimedia Support 313
Appendix A Answers to the “Do I Know This Already?” Quizzes and Q&A Questions 331
Appendix B Case Study and Sample Configuration 377
Glossary 409
Index 425

Contents

Introduction xxii

Chapter 1 Network Security 3
  Vulnerabilities 3
  Threats 4
  Types of Attacks 4
  Reconnaissance Attacks 5
  Access Attacks 5
  Denial of Service (DoS) Attacks 6
  Network Security Policy 7
  Step 1: Secure 8
  Step 2: Monitor 8
  Step 3: Test 8
  Step 4: Improve 8
  AVVID and SAFE 9
  What Is AVVID? 9
  What Is SAFE? 10
  Q&A 11

Chapter 2 Firewall Technologies and the Cisco PIX Firewall 13
  How to Best Use This Chapter 13
  “Do I Know This Already?” Quiz 13
  Foundation Topics 15
  Firewall Technologies 15
  Packet Filtering 15
  Proxy 16
  Stateful Inspection 16
  Cisco PIX Firewall 17
  Secure Real-Time Embedded System 17
  Adaptive Security Algorithm (ASA) 17
  Cut-Through Proxy 18
  Redundancy 18
  Foundation Summary 19
  Q&A 20

[...]
  Cisco Secure PIX 501 30
  Cisco Secure PIX 506 31
  Cisco Secure PIX 515 33
  Cisco Secure PIX 520 35
  Cisco Secure PIX 525 38
  Cisco Secure PIX 535 39
  Foundation Summary 42
  Q&A 44

Chapter 4 System Maintenance 47
  How to Best Use This Chapter 47
  “Do I Know This Already?” Quiz 47
  Foundation Topics 48
  Accessing the Cisco PIX Firewall 48
  Accessing the Cisco PIX Firewall with Telnet 48
  Accessing the Cisco PIX Firewall...

... two Cisco programs that can help companies design and implement sound security policies, processes, and architecture.

• Chapter 2, “Firewall Technologies and the Cisco PIX Firewall”—This chapter covers the different firewall technologies and the Cisco PIX Firewall. It examines the design of the PIX Firewall and discusses some of that design’s security advantages.

• Chapter 3, “The Cisco Secure PIX Firewall”—Chapter...

... continually monitor the Cisco Systems site for course and exam updates at www.cisco.com/go/training.

Table I-2 CCSP Certification Exams
Exam Number | Exam Name | Comments on Upcoming Exam Changes
640-100 | MCNS 3.0, Managing Cisco Network Security | In Summer 2003, a new exam, SECUR 642-501, will become available. This exam will eventually replace the 640-100 exam. If recertification candidates pass this exam, they will...
9E0-111 | CSPFA 3.0, Cisco Secure PIX Firewall Advanced Exam | By Summer 2003, a new exam will be available to certification candidates taking the PIX exam: 642-521. Note that the renumbering signifies that those passing this exam will be considered recertified at the CCNA or CCDA level. There are no significant changes between the 9E0-111 exam and the 642-521 exam.
9E0-100 | CSIDS 3.0, Cisco Secure Intrusion Detection... |
  Using the PIX Firewall DHCP Server 101
  Configuring the PIX Firewall DHCP Client 102
  Configuring Time Settings on the Cisco PIX Firewall 102
  Network Time Protocol (NTP) 102
  PIX Firewall System Clock 104
  Sample PIX Configuration 105
  Foundation Summary 107
  Q&A 108

Chapter 7 Configuring Access 111
  “Do I Know This Already?” Quiz 111
  Foundation Topics 112
  Configuring Inbound Access Through the PIX Firewall...

Chapter 3 The Cisco Secure PIX Firewall 23
  How to Best Use This Chapter 23
  “Do I Know This Already?” Quiz 23
  Foundation Topics 25
  Overview of the Cisco PIX Firewall 25
  Adaptive Security Algorithm (ASA) 25
  Cut-Through Proxy 26
  Cisco PIX Firewall Models and Features 27
  Intrusion Protection 28
  AAA Support 28
  X.509 Certificate Support 28
  Network Address Translation/Port Address Translation 29
  Firewall Management...

... allow for remote management of the PIX.

• Chapter 5, “Understanding Cisco PIX Firewall Translation and Connections”—This chapter covers the different transport protocols and how the PIX Firewall handles them. It also discusses network addressing and how the PIX can alter node or network addresses to secure those elements.

• Chapter 6, “Getting Started with the Cisco PIX Firewall”—This is where we really...

Table I-1 CSPFA Foundation Topics
Reference Number | Exam Topic | Description
1 | Firewalls | Firewalls process network traffic in three different ways. Chapter 2 discusses these technologies and their advantages.
2 | PIX Firewall overview | Chapter 2 explains the PIX Firewall’s design and its advantages compared to other firewall products.
3 | PIX Firewall models | Currently, the PIX Firewall has six different models. Chapter 3...
Chapter 13 Overview of AAA and the Cisco PIX Firewall 257
  How to Best Use This Chapter 257
  “Do I Know This Already?” Quiz 257
  Foundation Topics 259
  Overview of AAA and the Cisco PIX Firewall 259
  Definition of AAA 259
  AAA and the Cisco PIX Firewall 260
  Cut-Through Proxy 260
  Supported AAA Server Technologies 262
  Cisco Secure Access Control Server...

Introduction

The primary goal of this book is to help you prepare to pass either the 9E0-111 or 642-521 Cisco Secure PIX Firewall Advanced (CSPFA) exams as you strive to attain the CCSP certification, or a focused PIX certification.

Who Should Read This Book?

Network security is a very complex business. The Cisco PIX Firewall performs some very specific functions as part of the security process. It is very important...

  Virtual Private Networks (VPNs) 30