Firewall Fundamentals
By Wes Noonan, Ido Dubrawsky
Publisher: Cisco Press
Pub Date: June 02, 2006
Print ISBN-10: 1-58705-221-0
Print ISBN-13: 978-1-58705-221-7
Pages: 408
Table of Contents | Index

The essential guide to understanding and using firewalls to protect personal computers and your network

- An easy-to-read introduction to the most commonly deployed network security device
- Understand the threats firewalls are designed to protect against
- Learn basic firewall architectures, practical deployment scenarios, and common management and troubleshooting tasks
- Includes configuration, deployment, and management checklists

Increasing reliance on the Internet in both work and home environments has radically increased the vulnerability of computing systems to attack from a wide variety of threats. Firewall technology continues to be the most prevalent form of protection against existing and new threats to computers and networks. A full understanding of what firewalls can do, how they can be deployed to maximum effect, and the differences among firewall types can make the difference between continued network integrity and complete network or computer failure.

Firewall Fundamentals introduces readers to firewall concepts and explores various commercial and open source firewall implementations, including Cisco, Linksys, and Linux, allowing network administrators and small office/home office computer users to effectively choose and configure their devices. Firewall Fundamentals is written in clear and easy-to-understand language and helps novice users understand what firewalls are and how and where they are used. It introduces various types of firewalls, first conceptually and then by explaining how different firewall implementations actually work. It also provides numerous implementation examples, demonstrating the use of firewalls in both personal and business-related scenarios, and explains how a firewall should be installed and configured. Additionally, generic firewall troubleshooting methodologies and common management tasks are clearly defined and explained.

Table of Contents

Copyright
About the Authors
About the Technical Reviewers
Acknowledgments
Icons Used in This Book
Command Syntax Conventions
Introduction

Part I: Introduction to Firewalls
  Chapter 1 Introduction to Firewalls
    What Is a Firewall?
    What Can Firewalls Do?
    What Are the Threats?
    What Are the Motives?
    Security Policies
    Determining If You Need a Firewall
    Summary
  Chapter 2 Firewall Basics
    Firewall Taxonomy
    Firewall Products
    Firewall Technologies
    Open and Closed Source Firewalls
    Summary
  Chapter 3 TCP/IP for Firewalls
    Protocols, Services, and Applications
    Internet Protocol (IP)
    Transmission Control Protocol (TCP)
    User Datagram Protocol (UDP)
    Internet Control Message Protocol (ICMP)
    Addressing in IP Networks
    Network Address Translation (NAT)
    Broadcast and Multicast
    IP Services
    IP Routing
    Applications Using IP
    Summary

Part II: How Firewalls Work
  Chapter 4 Personal Firewalls: Windows Firewall and Trend Micro's PC-cillin
    Windows Firewall and Windows XP
    Trend Micro's PC-cillin Firewall Feature
    Summary
  Chapter 5 Broadband Routers and Firewalls
    How Broadband Routers and Firewalls Work
    Linksys Broadband Routers/Firewalls
    Linksys Requirements
    How the Linksys Router/Firewall Works
    Configuring Linksys
    Linksys Checklist
    Summary
  Chapter 6 Cisco PIX Firewall and ASA Security Appliance
    PIX/ASA Features
    Choosing Between the PIX and the ASA
    Cisco PIX Firewall and ASA Models
    How the PIX/ASA Firewall Works
    Configuring the Cisco PIX/ASA
    PIX/ASA Checklist
    Summary
  Chapter 7 Linux-Based Firewalls
    NetFilter Features
    NetFilter Requirements
    How NetFilter Works
    Configuring NetFilter
    NetFilter Checklist
    Summary
  Chapter 8 Application Proxy Firewalls
    Application Layer Filtering
    Proxy Server Functionality
    Limitations of Application Proxy Firewalls
    Microsoft ISA Server 2004 Firewall
    Summary
  Chapter 9 Where Firewalls Fit in a Network
    Different Types of Office Requirements
    Single-Firewall Architectures
    Dual-Firewall Architecture
    The Firewall System
    Where Personal/Desktop Firewalls Fit in a Network
    Where Application Firewalls Fit in a Network
    Firewalls and VLANs
    Using Firewalls to Segment Internal Resources
    High-Availability Firewall Designs
    Summary

Part III: Managing and Maintaining Firewalls
  Chapter 10 Firewall Security Policies
    Written Security Policies
    Firewall Policies/Rulesets
    Summary
  Chapter 11 Managing Firewalls
    Default Passwords
    Maintaining the Underlying Platform
    Firewall Management Interface
    Management Access
    Common Firewall Management Tasks
    Summary
  Chapter 12 What Is My Firewall Telling Me?
    Firewalls and Logging
    Firewall Log Review and Analysis
    Firewall Forensics
    Summary
  Chapter 13 Troubleshooting Firewalls
    Developing a Troubleshooting Checklist
    Basic Firewall Troubleshooting
    Advanced Firewall Troubleshooting
    Troubleshooting Example
    Summary
  Chapter 14 Going Beyond Basic Firewall Features
    Content Filtering
    Performing Application Filtering
    Intrusion Detection and Prevention
    Virtual Private Networks
    Summary
  Endnotes

Part IV: Appendixes
  Appendix A Firewall and Security Tools
    Common Troubleshooting Tools
    Logging and Log-Analysis Tools
    Security-Testing Tools
  Appendix B Firewall and Security Resources
    Firewall-Specific Information
    General Security Information
    Additional Reading

Index

Copyright

Firewall Fundamentals
Wes Noonan
Ido Dubrawsky

Copyright © 2006 Cisco Systems, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing June 2006
Library of Congress Cataloging-in-Publication Number: 2004114308

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
This book is designed to provide information about firewalls. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact: U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside of the U.S. please contact: International Sales, 1-317-581-3793, international@pearsontechgroup.com.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Editor-in-Chief: Paul Boger
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Executive Editor: Brett Bartow
Production Manager: Patrick Kanouse
Development Editor: Andrew Cupp
Project Editor: Interactive Composition Corporation
Copy Editor: Interactive Composition Corporation
Technical Editors: Randy Ivener, Eric Seagren
Editorial Assistant: Raina Han
Book and Cover Designer: Louisa Adair
Composition: Interactive Composition Corporation
Indexer: Tim Wright

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, www.cisco.com, Tel: 408 526-4000 / 800 553-NETS (6387), Fax: 408 526-4100
European Headquarters: Cisco Systems International BV, Haarlerbergpark, Haarlerbergweg 13-19, 1101 CH Amsterdam, The Netherlands, www-europe.cisco.com, Tel: 31 0 20 357 1000, Fax: 31 0 20 357 1100
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, www.cisco.com, Tel: 408 526-7660, Fax: 408 527-0883
Asia Pacific Headquarters: Cisco Systems, Inc., Capital Tower, 168 Robinson Road, #22-01 to #29-01, Singapore 068912, www.cisco.com, Tel: +65 6317 7777, Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand
Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2003 Cisco Systems, Inc. All rights reserved. COP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet

Index

R
RCS (revision control system)
    log file, viewing
    repository, modifying
recent changes, reviewing as part of troubleshooting methodology
reconnaissance attacks
redundancy, active/active failover
REJECT target
release notes, reading
remote administration of Microsoft ISA Server 2004
remote management access, configuring on PIX/ASA firewall
remote office implementation
remote-access/VPN policies
requirements for Linksys router connectivity
restricting access to configuration files
RETURN target
reviewing firewall logs
    suspicious events
revision control systems
RIP (Routing Information Protocol)
risk-assessment policies
routed mode
routing policies
routing protocols
    BGP
    classifications of
    OSPF
    RIP
routing tables, contents of
rulesets
    defining for firewall security
    egress filters
    ingress filters
    management access
    verifying

S
SecureNAT client
security contexts
security layers
    firewall static configuration layer
    physical integrity layer
security level of Trend Micro firewall, configuring
security policies
    creating
    DMZ policies
    egress filtering rulesets, defining
    examples of
    filtering policies
    firewall security layers
    format
    incorporating forensic analysis findings
    ingress filtering rulesets, defining
    layers
    management-access policies
        rulesets, defining
    monitoring/logging policies
    remote-access/VPN policies
    routing policies
        rulesets, defining
Security tab (Linksys BEFSR41v4 router)
segmenting internal networks
segments (TCP)
    header fields
selecting between ASA and PIX
    software version
service provider solutions, ASA and PIX models designed for
service requirements for Microsoft ISA Server 2004
session layer
Setup tab (Linksys BEFSR41v4 router)
severity levels (syslog messages)
Shorewall firewall
single-firewall architectures
    Internet firewall with multiple DMZs
    Internet firewall with single DMZ
    Internet-screening firewall
    layers
SLE (single loss expectancy), predicting
sliding windows
SMTP (Simple Mail Transport Protocol), anti-spam software
SNAT (source NAT), masquerading
SNAT target
SNMP (Simple Network Management Protocol), remote firewall management
SNMP notification
social engineering
software
    defects, tracking
    PIX version 7.x
    updating
    vulnerabilities
software firewalls
SOHO solutions, PIX models designed for
spam, anti-spam software
SPI (stateful packet inspection), support on Linksys routers
spoofed IP addresses, identifying in firewall logs
SSH (Secure Shell) remote access
    accessing management interface
    configuring on PIX/ASA firewall
SSL VPNs
standards for DMZ policies, defining
stateful firewalls
stateful inspection
stateful packet inspection versus packet inspection
static NAT
static routing
subnets
suspicious events, identifying in firewall logs
SYN (synchronize) segment
SYN floods
syslog
    client configuration
    configuring
    events
    logging facilities
    messages
    remote firewall management
    security deficiencies
    server configuration
    TCP-based
system policy rules, configuring on ISA server
system requirements for Trend Micro's PC-cillin firewall feature

T
tables (Netfilter)
    filter table
    mangle table
    NAT table
targeted attacks
targets (iptables)
TCP (Transmission Control Protocol)
    connection teardowns, reasons for
    connections
    port numbers
    segments
        header fields
    sliding windows
    SYN floods
TCP-based syslog
Telnet
    accessing management interface
    configuring on PIX/ASA firewall
    connectivity, testing
    remote firewall management
testing connectivity
TFTP remote firewall management
threats to security
    compromise of personal information
    DoS attacks
    malware
    poorly designed applications
    social engineering
    targeted attacks
    trojans
    untargeted attacks
    viruses
    worms
    zero-day attacks
    zombies
three-way handshake
tracking firewall defects
traffic filtering on Linksys routers/firewalls
    DMZ forwarding
    from internal sources
    port triggering
    port-range forwarding
traffic going through firewall, troubleshooting
traffic going to firewall, troubleshooting
transparent firewalls
transparent mode
transparent proxying
transport layer
transport mode (IPsec)
Trend Micro's PC-cillin firewall feature
    checklist
    configuring
    profiles
    system requirements
trojans
troubleshooting
    advanced features
    checklist of procedures, developing
    firewall configuration, example of
    need for, verifying
    non-firewall specific systems
    traffic going through firewall
    traffic going to firewall
trust
tunnel mode (IPsec)

U
UDP (User Datagram Protocol)
    connectionless sessions
    header fields
    messages
ULOG target
untargeted attacks
updating firewall software
UPnP (Universal Plug-and-Play), Linksys routers
UPnP Forwarding screen (BEFSR41v4 Applications and Gaming tab)
URL filters
    maintenance
    on Cisco PIX Firewall, configuring
user-defined chains (mangle table)
utilities, fragrouter

V
verifying
    firewall configuration
    firewall rulesets
    need for troubleshooting
viewing
    ACEs
    RCS log
virtual firewalls
viruses
VLANs
    interaction with firewalls
    virtual firewalls
VPN passthrough on Linksys routers
VPN Passthrough screen (BEFSR41v4 Security tab)
VPN Quarantine Control (ISA Server 2004)
VPNs
    IPsec-based
        AH
        ESP
        transport mode
        tunnel mode
    remote-access/VPN policies
    SSL VPNs
vulnerabilities

W
web applications, application filtering
web proxy client, configuring on ISA server
Webmin, configuring Netfilter
websites, Netfilter
Windows Firewall
    checklist
    configuring
    exceptions
    features
worms

X
xauth (extended authentication)
XDMCP (X Display Management Control Protocol)

Z
zero-day attacks