Background

In late 2002, I worked on one of the most comprehensive guides for Cisco PIX firewalls, which covered the most current release of software (6.x) and the latest and greatest features. As the technical sponsor and editor for the book, I had to create the vision/strategy for the book, determine the audience, and create an outline with 4 levels of headings. Though many of the chapters were written by co-authors (I wrote a few), I then had to provide guidance to them, edit multiple iterations of the work, and re-write some pieces. In the end, the book turned out to be a best-seller for Syngress Publishing, as well as one of the most successful books on the topic of PIX firewalls. The book has received great reviews, and you can check some out for yourself on amazon.com. I created this web page to go with the book. You can get details on the book here.

Many companies are still running PIX firewall software 6.x, but it is still surprising to see how well the book is selling even though it was written over four years ago! Newer versions of the firewall software are now out (7.x), and Cisco has released the Adaptive Security Appliance (ASA) as a replacement for the PIX firewall. When Syngress Publishing released an updated PIX book, I did not have time to serve as a technical sponsor/editor. However, I was able to contribute by performing a technical review of the book, and by writing two of the chapters. You can get details on the new book here. By the way, if you purchase a copy of this new book, you get an eBook version of the old book for free.

The rest of the sections below are for the older Cisco Security Specialist's Guide to PIX Firewalls book.

Synopsis

The firewall has come to exemplify network security. While an overall security strategy requires a harmonious integration of people, process, and technologies to reduce risk, there’s no doubt that firewalls can be a very valuable security tool. Cisco Systems' PIX firewalls have gained market leadership by demonstrating a mix of functionality, performance, and flexibility. The objective of this book is to help you gain a deeper knowledge of Cisco PIX Firewalls. Whether you have administrative responsibilities or are studying to pass an exam such as the Cisco Secure PIX Firewall Advanced (CSPFA), this comprehensive guide will be of value to you.

This book focuses on covering (and going well beyond) all of the objectives of the CSPFA 3.0 exam (9E0-111). Through the use of detailed examples, this book provides step-by-side instructions on how to configure, maintain, and troubleshoot PIX firewalls running software version 6.2 and PIX Device Manager (PDM) version 2.1. All the latest and greatest features of PIX firewall software version 6.2 are covered, including TurboACLs, object grouping, NTP, HTTP failover replication, command level authorization, downloadable ACLs, LAN-based failover, and PPPoE.

From the Technical Editor

In an age where our society relies so heavily on electronic communication, the need for information security is constantly increasing. Given the value and confidential nature of the information that exists on today’s networks, CIOs are finding that an investment in security is extremely beneficial. Without security, a company can suffer from theft or alteration of data, legal ramifications, and other issues which all result in monetary losses. Corporations are realizing the need to create and enforce an information security policy. As a result, IT professionals are constantly being challenged to secure their networks by installing firewalls, and creating Virtual Private Networks (VPNs) that provide secure, encrypted communications over the Internet’s vulnerable public infrastructure.

Cisco's industry-leading PIX 500 Series firewall appliances (from the enterprise-class 535 to the plug-and-play SOHO model 501) deliver high levels of performance with unparalleled reliability, availability, and network security. With support for standards-based IPsec VPNs, intrusion detection features, and a lot more, the PIX is one of the leading firewalls in the market.

Cisco Security Specialist’s Guide to PIX Firewall is a comprehensive guide for network and security engineers on the entire line of the PIX firewall product series. This book is written by highly experienced authors that provide high security solutions to their clients using Cisco PIX firewalls on a daily basis. The book covers all the latest and greatest features of PIX firewall software version 6.2, including TurboACLs, object grouping, NTP, HTTP failover replication, command level authorization, downloadable ACLs, LAN-based failover, and PPPoE.

The primary audience for this book is IT professionals who are preparing for the "Cisco Secure PIX Firewall Advanced," (CSPFA) 3.x written exam or the "Cisco Certified Internet Expert (CCIE) Security" written and lab exams. This book covers all the objectives of the CSPFA exam, and overshoots most of them. The secondary audience is anyone who wants to learn and understand Cisco PIX firewalls, and is interested in a comprehensive guide to Cisco PIX firewalls. This book serves both as a tool for learning, as well as for use as a reference. It is assumed that the reader has a basic understanding of networking concepts and TCP/IP equivalent to that of a Cisco Certified Network Associated (CCNA). Here is a chapter-by-chapter breakdown of the book:

• Chapter 1, "Introduction to Security and Firewalls," introduces general security and firewall concepts. If you are new to the area of information security, this chapter will guide you through fundamental security and firewall concepts that will help you read and understand the rest of the book. The first and most important step towards starting to control network security is to establish a security policy for the company. You will learn how to create a security policy, and who to involve when creating it. Information security is not a goal or result, it is a process, and this is clearly demonstrated by the Cisco Security Wheel discussed in this chapter. The chapter will explain firewall concepts in detail, including the differences between the different types of firewalls, how firewalls work, and of course, firewall terminology. The chapter ends with a discussion of Cisco’s security certifications and the objectives for the CSS-1 and the CCIE Security written exams.
  
  
• Chapter 2, "Introduction to PIX Firewalls," goes through the fundamentals of PIX firewalls. The main features of the PIX firewall are described, as well as the paradigm of PIX firewall configuration. The concepts of security levels and the Adaptive Security Algorithms are discussed in this chapter, which are the key to PIX firewall operation. The PIX firewall provides a scalable architecture with many different hardware offerings, designed to support SOHO as well as enterprise and service provider environments. This chapter describes the various hardware models available. The last parts of the chapter introduce the PIX Command Line Interface (CLI), and go through the commands that are needed to get the firewall up and running.
  
  
• Chapter 3, "Passing Traffic," builds on the basic configuration started in Chapter 2. It covers the different methods of getting inbound and outbound traffic to pass through the PIX firewall. The various forms of address translation methods are described in detail. The chapter discusses both the legacy methods of passing traffic (conduit and outbound/apply commands), as well as the new and preferred method of using access lists. The chapter uses various examples and a complex case study to reinforce the concepts learned.
  
  
• Chapter 4, "Advanced PIX Configurations," explores various advanced PIX firewall topics. You will learn that the PIX firewall can be configured to handle complex protocols that operate over multiple or dynamic ports. Another feature this chapter discusses is the PIX firewall’s ability to block Web traffic, Java, and ActiveX applications. Next, the chapter goes into the intrusion detection features of the firewall, DHCP client and server functionality, and Reverse Path Forwarding (RPF). The chapter rounds up the discussion of advanced features by provide detailed information on PIX firewall multicast configuration.
  
  
• Chapter 5, "Configuring Authentication, Authorization, and Accounting," takes you down the path of configuring user-level security, which allows you to develop and enforce policies on a per-user basis. After introducing AAA concepts and protocols (RADIUS and TACACS+), this chapter describes in detail how the PIX firewall can be configured as an AAA client for controlling administrative access to the firewall itself, and/or traffic that is passing through the firewall. You also learn how to install and configure Cisco’s AAA server, Cisco Secure Access Control Server for Windows.
  
  
• Chapter 6, "Configuring System Management," discusses the various management and maintenance of the PIX firewall. Logging is important not just for monitoring or troubleshooting, it is invaluable for measuring system performance, identifying potential network bottlenecks, and in today’s brave new security conscious world, detecting potential security violations. The chapter explains how to enable and customize logging features. Next, the chapter discusses the remote administration features of the PIX firewall using both in-band management (SSH, Telnet, and HTTP), and out-of-band management (SNMP). The chapter also provides details on how to set system date and time, and the Network Time Protocol (NTP).
  
  
• Chapter 7, "Configuring Virtual Private Networking," explores site-to-site and remote access VPNs on the PIX firewall using IPsec, L2TP, and PPTP. This chapter takes the complicated topic of VPNs, and breaks it down into easy to understand pieces. Step-by-step examples are provided for configuration of site-to-site and remote access VPNs using manual IPsec, IPsec with IKE using pre-shared keys, and IPsec with IKE using digital certificates.
  
  
• Chapter 8, "Configuring Failover," covers high availability configurations on the PIX firewall comprehensively. The PIX firewall provides a feature known as failover, which is used to set up a hot standby backup firewall in case the primary fails. In this chapter, you will learn how failover works, and how to configure it. Each type of failover is discussed, standard and LAN-based, and stateless and stateful.
  
  
• Chapter 9, "PIX Device Manager," looks at the Graphical User Interface (GUI) based administration features of the PIX firewall. While most of the book is focused around learning the Command Line Interface (CLI), the goal of this chapter is to show you how virtually all of these functions can also be performed through the PIX Device Manager (PDM) GUI. In this chapter, you will learn how to use PDM to install, configure and maintain the PIX firewall.
  
  
• Chapter 10, "Troubleshooting and Performing Monitoring," ties up a number of the concepts in the book by looking at proactive and reactive troubleshooting on the PIX firewall. The OSI model is used as the basis for the organization of this chapter and the range of topics include hardware, layer 2 connectivity, address translation, IPsec, and traffic capture. It is very important to understand if your PIX firewall is performing. Firewall performance and health need to be monitored proactively, and this chapter discusses how to do it so you can ensure that the PIX firewall is operating as you expect it to.
  
  

When you have completed reading this book, you will be a master on PIX firewall installation, configuration, maintenance, and troubleshooting, and you will be ready to take the CSPFA exam. This book will then serve you as a comprehensive reference to PIX firewalls, and will become an important part of the collection of resources you use to manage and maintain your security infrastructure. Whether you are using the book to obtain a certification, or simply to enhance your knowledge and understanding of Cisco PIX firewalls, I am sure you will find the material very useful.

—Umer Khan, CCIE #7410, MCSE, SCSA, SCNA, CCA, SCE, CNX

Command Syntax Conventions in the Book

Command syntax examples depict screen displays, prompts, and the command line in screen font (Courier). Information you need to enter literally as shown is in boldface screen font (Courier). The following conventions are followed:

• Braces ({}) indicate a required choice.
• Square brackets ([]) indicate optional elements.
• Braces within square brackets ([{}]) indicate required choices within optional elements.
• Vertical bars (|) separate alternative, mutually exclusive elements.
• Angle brackets (<>) indicate arguments for which you supply values.

Contact Me

Do you have any questions or comments about the book? My contact information is available here.

---

Copyright © 2007 Umer Khan. All Rights Reserved.