solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment.

We’re listening.

www.syngress.com/solutions

235_PIX_FM.qxd 11/8/02 3:56 PM Page i

1 YEAR UPGRADE BUYER PROTECTION PLAN

Cisco Security Specialist’s Guide to PIX® Firewall

Vitaly Osipov
Mike Sweeney
Woody Weaver
Charles E. Riley, Technical Reviewer
Umer Khan, Technical Editor

Foreword by Ralph Troupe, President and CEO, Callisma

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” and “Ask the Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” “Hack Proofing®,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Cisco Security Specialist’s Guide to PIX Firewall
Copyright © 2002 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN: 1-931836-63-9

Technical Editor: Umer Khan
Cover Designer: Michael Kavish
Technical Reviewer: Charles E. Riley
Page Layout and Art by: Personal Editions
Acquisitions Editor: Catherine B. Nolan
Copy Editor: Darlene Bordwell
Developmental Editor: Jonathan Babcock
Indexer: Brenda Miller

Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Ralph Troupe, Rhonda St. John, Emlyn Rhodes, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and Susan Fryer of Publishers Group West for sharing their incredible marketing experience and expertise.

Duncan Enright, AnnHelen Lindeholm, David Burton, Febea Marinetti, and Rosie Moss of Elsevier Science for making certain that our vision remains worldwide in scope.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

David Scott, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Tricia Herbert of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.

Contributors

C. Tate Baumrucker (CISSP, CCNP, Sun Enterprise Engineer, MCSE) is a Senior Consultant with Callisma, where he is responsible for leading engineering teams in the design and implementation of secure and highly available systems infrastructures and networks. Tate is an industry recognized subject matter expert in security and LAN/WAN support systems such as HTTP, SMTP, DNS, and DHCP. Tate has spent eight years providing technical consulting services for the Department of Defense, and other enterprise and service provider industries for companies including: American Home Products, Blue Cross and Blue Shield of Alabama, Amtrak, Iridium, National Geographic, Geico, GTSI, Adelphia Communications, Digex, Cambrian Communications, and BroadBand Office. Tate has also contributed to the book Managing Cisco Network Security, Second Edition (Syngress Publishing, ISBN: 1-931836-56-6).

Brian Browne (CISSP) is a Senior Consultant with Callisma.
He provides senior-level strategic and technical security consulting to Callisma clients, has 12 years of experience in the field of information systems security, and is skilled in all phases of the security lifecycle. A former independent consultant, Brian has provided security consulting for multiple Fortune 500 clients, has been published in Business Communications Review, and was also a contributor to the book Managing Cisco Network Security, Second Edition (Syngress Publishing, ISBN: 1-931836-56-6). His security experience includes network security, firewall architectures, virtual private networks (VPNs), intrusion detection systems (IDSs), UNIX security, Windows NT security, and public key infrastructure (PKI). Brian resides in Willow Grove, PA with his wife, Lisa, and daughter, Marisa.

Vitaly Osipov (CISSP, CCSE, CCNA) is co-author for Syngress Publishing’s Check Point Next Generation Security Administration (ISBN: 1-928994-74-1) and Managing Cisco Network Security, Second Edition (ISBN: 1-931836-56-6). Vitaly has spent the last six years working as a consultant for companies in Eastern, Central, and Western Europe. His specialty is designing and implementing information security solutions. Currently Vitaly is the team leader for the consulting department of a large information security company. In his spare time, he also lends his consulting skills to the anti-spam company, CruelMail.com. Vitaly would like to extend his thanks to his many friends in the British Isles, especially the one he left in Ireland.

Derek Schatz (CISSP) is a Senior Consultant with Callisma, and is the lead Callisma resource for security in the western region of the United States. He specializes in information security strategy and the alignment of security efforts with business objectives.
Derek has a broad technical background; previous positions have included stints with a Big Five consulting firm, where he managed a team in the technology risk consulting practice, and as a Systems Engineer at Applied Materials, where he was responsible for their Internet and Extranet infrastructure. Derek holds a bachelor’s degree from the University of California, Irvine, and is a member of the Information Systems Security Association. He received his CISSP certification in 1999. Derek resides in Southern California with his family.

Timothy “TJ” Schuler (CCIE #8800) works as a Senior Network Engineer for Coleman Technologies in Denver, CO. TJ has over seven years of experience with network implementation and design including security, large routing and switching networks, ATM, wireless, IP Telephony and IP based video technologies. TJ is currently pursuing the Security CCIE certification, which would be his second CCIE. He would like to dedicate this work to his family.

Michael Sweeney (CCNA, CCDA, CCNP, MCSE) is the owner of the IT consulting firm, Packetattack.com. His specialties are network design, network troubleshooting, wireless network design, security, network analysis using Sniffer Pro, and wireless network analysis using AirMagnet. Michael is a graduate of the extension program at the University of California, Irvine with a certificate in Communications and Network Engineering. Michael currently resides in Orange, CA with his wife, Jeanne, and daughter, Amanda.

Robert “Woody” Weaver (CISSP) is the Field Practice Lead for Security at Callisma.
As an information systems security professional, Woody’s responsibilities include field delivery and professional services product development. Woody’s background includes a decade as a tenured professor, teaching mathematics and computer science. Woody also spent time as the most senior Network Engineer for Williams Communications in the San Jose/San Francisco Bay area, providing client services for their network integration arm, and as Vice President of Technology for Fullspeed Network Services, a regional systems integrator. He is also a contributing author to Managing Cisco Network Security, Second Edition (Syngress Publishing, ISBN: 1-931836-56-6). Woody holds a Bachelor of Science degree from the California Institute of Technology, and a Ph.D. from Ohio State. He currently works out of the Washington, D.C. metro area.

Technical Reviewer and Contributor

Charles Riley (CCNP, CSS1, CISSP, CCSA, MCSE, CNE-3) is a Network Engineer with a long tenure in the networking security field. Charles has co-authored several books including Configuring Cisco Voice Over IP, Second Edition (Syngress Publishing ISBN: 1-931836-64-7). He has designed and implemented robust networking solutions for large Fortune 500 and privately held companies. He started with the U.S. Army at Fort Huachuca, AZ, eventually finishing his Army stretch as the Network Manager of the Seventh Army Training Command in Grafenwoehr, Germany. Currently Charles is employed as a Network Security Engineer for HyperVine (www.hypervine.net) in Kansas, where he audits and hardens the existing security of customers, as well as deploying new security architectures and solutions. Charles holds a bachelor’s degree from the University of Central Florida. He is grateful to his wife, René, and daughter, Tess, for their support of his writing: My world is better with you in it.

[...]
Chapter 2 Introduction to PIX Firewalls
Introduction
PIX Firewall Features
Embedded Operating System
The Adaptive Security Algorithm
State
Security Levels
How ASA Works
Technical Details for ASA
User Datagram Protocol
Advanced Protocol Handling
VPN Support
URL Filtering
NAT and PAT
High Availability
PIX Hardware Models
PIX 501
PIX 506
PIX 506E
PIX 515
PIX 515E
PIX 520
PIX 525
PIX 535

[...]

235_pix_pd_01.qxd 11/7/02 11:05 AM Page 1

Chapter 1 Introduction to Security and Firewalls

Solutions in this chapter:

■ The Importance of Security
■ Creating a Security Policy
■ Cisco’s Security Wheel
■ Firewall Concepts
■ Cisco Security Certifications

Summary
Solutions Fast Track
Frequently Asked Questions

[...]

Chapter 1, “Introduction to Security and Firewalls,” introduces general security and firewall concepts. For readers new to the area of information security, this chapter will guide them through fundamental security and firewall concepts that are necessary to understand the following chapters. The first and most important step towards starting to control network security is to establish a security policy for

[...]

traffic captures. Firewall performance and health need to be monitored proactively, and this chapter discusses the practices that will ensure that the PIX firewall is operating as it should. Our hope is that the readers of Cisco Security Specialist’s Guide to PIX Firewalls will become masters of installing, configuring, maintaining, and troubleshooting PIX firewalls, in addition to being ready to take the CSPFA

[...]

Importance of Security
What Is Information Security?
The Early Days of Information Security
Insecurity and the Internet
The Threats Grow
Attacks
Creating a Security Policy
Cisco’s Security Wheel
Securing the Environment
Monitoring Activity
Testing Security
Improving Security
Firewall Concepts
What Is a Firewall?
Types of Firewalls
Packet Filters
Stateful Inspection Packet Filters
Application Proxies
Firewall

[...]

discussion of Cisco’s security certifications and the objectives for the CSS-1 and CCIE Security written exams. Chapter 2, “Introduction to PIX Firewalls,” goes through the fundamentals of PIX firewalls. The main features of the PIX firewall are described, as well as the paradigm of PIX firewall configuration. The concepts of security levels and the Adaptive Security Algorithms (ASA), which are integral to PIX firewall

[...]

Cisco Security Specialist’s Guide to PIX Firewalls is a comprehensive guide for network and security engineers, covering the entire line of the PIX firewall product series. This book was written by highly experienced authors who provide high security solutions to their clients using Cisco PIX firewalls on a daily basis. This book covers all the latest and greatest features of PIX firewall software version 6.2,

[...]

perspectives on security, ones often in opposition to those of academia. Commercial information had value, and access to it needed to be limited to specifically authorized people. UNIX, TCP/IP, and connections to the Internet became avenues of attack and did not have much capability to implement

[...]

certifications Cisco offers: the Cisco Security Specialist 1 (CSS-1) and the Cisco Certified Internet Expert (CCIE) Security.

The Importance of Security

Over the last couple of decades, many companies began to realize that their most valuable assets were not only their buildings or factories but also the intellectual property and other information that flowed internally as well as outwardly to suppliers and customers

[...]

failover replication, PIX Device Manager (PDM), and many others. We have directed this book towards IT professionals who are preparing for the Cisco Secure PIX Firewall Advanced (CSPFA) written exam or the Cisco Certified Internet Expert (CCIE) Security written and lab exams. This book covers all the objectives of the CSPFA exam, and includes enough additional information to be useful to readers long after .

Hardware 59
Models 59
PIX 501 61
PIX 506 61
PIX 506E 61
PIX 515 61
PIX 515E 62
PIX 520 62
PIX 525 63
PIX 535 63

235_PIX_TOC.qxd 11/8/02 5:26 PM Page xii

Contents.