Cisco Firewalls [NOOK Book]


Concepts, design and deployment for Cisco Stateful Firewall solutions


NOOK Book (eBook): $31.99 (save 42% off the $55.99 list price)


In this book, Alexandre proposes a totally different approach to the important subject of firewalls: Instead of just presenting configuration models, he uses a set of carefully crafted examples to illustrate the theory in action. A must read! —Luc Billot, Security Consulting Engineer at Cisco


Cisco Firewalls thoroughly explains each of the leading Cisco firewall products, features, and solutions, and shows how they can add value to any network security design or operation. The author tightly links theory with practice, demonstrating how to integrate Cisco firewalls into highly secure, self-defending networks. Cisco Firewalls shows you how to deploy Cisco firewalls as an essential component of every network infrastructure. The book takes the unique approach of illustrating complex configuration concepts through step-by-step examples that demonstrate the theory in action. This is the first book with detailed coverage of firewalling Unified Communications systems, network virtualization architectures, and environments that include virtual machines. The author also presents indispensable information about integrating firewalls with other security elements such as IPS, VPNs, and load balancers; as well as a complete introduction to firewalling IPv6 networks. Cisco Firewalls will be an indispensable resource for engineers and architects designing and implementing firewalls; security administrators, operators, and support professionals; and anyone preparing for the CCNA Security, CCNP Security, or CCIE Security certification exams.


Alexandre Matos da Silva Pires de Moraes, CCIE No. 6063, has worked as a Systems Engineer for Cisco Brazil since 1998 in projects that involve not only Security and VPN technologies but also Routing Protocol and Campus Design, IP Multicast Routing, and MPLS Networks Design. He coordinated a team of Security engineers in Brazil and holds the CISSP, CCSP, and three CCIE certifications (Routing/Switching, Security, and Service Provider). A frequent speaker at Cisco Live, he holds a degree in electronic engineering from the Instituto Tecnológico de Aeronáutica (ITA – Brazil).


  • Create advanced security designs utilizing the entire Cisco firewall product family
  • Choose the right firewalls based on your performance requirements
  • Learn firewall configuration fundamentals and master the tools that provide insight about firewall operations
  • Properly insert firewalls in your network’s topology using Layer 3 or Layer 2 connectivity
  • Use Cisco firewalls as part of a robust, secure virtualization architecture
  • Deploy Cisco ASA firewalls with or without NAT
  • Take full advantage of the classic IOS firewall feature set (CBAC)
  • Implement flexible security policies with the Zone Policy Firewall (ZPF)
  • Strengthen stateful inspection with antispoofing, TCP normalization, connection limiting, and IP fragmentation handling
  • Use application-layer inspection capabilities built into Cisco firewalls
  • Inspect IP voice protocols, including SCCP, H.323, SIP, and MGCP
  • Utilize identity to provide user-based stateful functionality
  • Understand how multicast traffic is handled through firewalls
  • Use firewalls to protect your IPv6 deployments


This security book is part of the Cisco Press Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end, self-defending networks.

Editorial Reviews

From the Publisher

Alexandre has worked with Cisco security technologies since the year 2000 and is a well-recognized expert in the LATAM security community. He is a frequent speaker at Cisco Networkers and other security conferences and has helped in training partners and customers in Brazil. In this book, he proposes a totally different approach to the important subject of firewalls: Instead of just presenting configuration models, he uses a set of carefully crafted examples to illustrate the theory in action. From the configuration fundamentals to advanced topics such as voice inspection, multicast, IPv6 and identity-based firewalls, the book unveils important details about the operations of Cisco firewall solutions, enabling the reader to better use this knowledge on security design. A must-read!

--Luc Billot, Security Consulting Engineer at Cisco (Emerging Markets and European Market)

I think that Alexandre's book could have the alternative title 'Cisco Firewalls Illustrated.' The way in which he links theory and practice is really insightful and greatly helps in understanding individual features and making better use of them for security design. Definitely a reference work in the subject!

--Louis Senecal, CCIE 2198, Consulting Systems Engineer, Cisco (Canada)

In this fully illustrated tour of the world of Cisco Firewalls, Alexandre devotes a great deal of attention to data center-related topics. Network virtualization architecture and the protection of environments that include virtual machines figure among the important subjects covered in the book. For those that want to benefit from virtualization without compromising security, this work is highly recommended.

--David Gonzalez, CISSP #99462, Consulting Systems Engineer at Cisco (LATAM)

Product Details

  • ISBN-13: 9781587141119
  • Publisher: Pearson Education
  • Publication date: 6/20/2011
  • Series: Networking Technology: Security
  • Sold by: Barnes & Noble
  • Format: eBook
  • Edition number: 1
  • Pages: 800
  • File size: 21 MB

Meet the Author

Alexandre Matos da Silva Pires de Moraes, CCIE No. 6063, has worked as a systems engineer for Cisco Brazil since 1998, in projects that involve not only security and VPN technologies but also routing protocol and campus design, IP multicast routing, and MPLS network design. He has supported large enterprise and public sector accounts and, for almost three years, coordinated a team of security engineers in Brazil. Alexandre holds the CISSP, CCSP, and three CCIE certifications (routing/switching, security, and service provider). Alexandre, a frequent speaker at Cisco Live, graduated in electronic engineering from the Instituto Tecnológico de Aeronáutica (ITA — Brazil) and has never hidden his sincere passion for mathematics (mainly the fields of synthetic geometry and trigonometry). Alexandre maintains a personal blog in which he discusses topics related to networking and security technologies at

Read an Excerpt

Foreword (by Yusuf Bhaiji)

Networks today have outgrown exponentially both in size and complexity, becoming more multifaceted and increasingly challenging to secure. The blueprint of a core network requires a strong foundation, which can be simply provided with an integrated firewall architecture cemented at the core of the system. Today, the firewall has become a core entity within a network and an integral part of every network infrastructure.

Cisco Firewalls, by Alexandre M. S. P. Moraes, has taken a stab at unleashing some of the fundamentally missed concepts, providing readers with a complete library of the entire family of Cisco Firewall products in a single binder.

Alexandre has used a unique approach in explaining the concepts and architecture of the firewall technology. His distinct style has proven his skill at writing on a difficult subject using easy-to-understand illustrations that walk the reader through a step-by-step approach that shows the theory in action. He has combined some of the commonly used tools with the outputs from several commands to demonstrate the understanding of the technology and exemplify how it works.

Cisco Firewalls is unlike any other book on this subject and cannot be categorized as a configuration guide or command syntax manual. It provides the readers with the key tools and essential techniques to understand the wide-ranging Cisco firewall portfolio. Whether you are just a beginner trying to learn Cisco firewalls or an experienced engineer looking for a reference, there is something for everyone in this book at varying levels.

Cisco Firewalls is an essential reference in designing, implementing, and maintaining today’s highly secured networks. It is a must read and a must have in your collection - Magnum Opus!

Yusuf Bhaiji, Sr. Manager, Expert Certifications (CCIE, CCDE, CCAr)

Table of Contents

Chapter 1: Firewalls and Network Security
  • Security Is a Must. But, Where to Start?
  • Firewalls and Domains of Trust
  • Firewall Insertion in the Network Topology
  • Routed Mode Versus Transparent Mode
  • Network Address Translation and Port Address Translation
  • Main Categories of Network Firewalls
  • Packet Filters
  • Circuit-Level Proxies
  • Application-Level Proxies
  • Stateful Firewalls
  • The Evolution of Stateful Firewalls
  • Application Awareness
  • Identity Awareness
  • Leveraging the Routing Table for Protection Tasks
  • Virtual Firewalls and Network Segmentation
  • What Type of Stateful Firewall?
  • Firewall Appliances
  • Router-Based Firewalls
  • Switch-Based Firewalls
  • Classic Topologies Using Stateful Firewalls
  • Stateful Firewalls and Security Design
  • Stateful Firewalls and VPNs
  • Stateful Firewalls and Intrusion Prevention
  • Stateful Firewalls and Specialized Security Appliances

Chapter 2: Cisco Firewall Families Overview
  • Overview of ASA Appliances
  • Positioning of ASA Appliances
  • Firewall Performance Parameters
  • Overview of ASA Hardware Models
  • Overview of the Firewall Services Module
  • Overview of IOS-Based Integrated Firewalls
  • Integrated Services Routers
  • Aggregation Services Routers

Chapter 3: Configuration Fundamentals
  • Device Access Using the CLI
  • Basic ASA Configuration
  • Basic Configuration for ASA Appliances Other Than 5505
  • Basic Configuration for the ASA 5505 Appliance
  • Basic FWSM Configuration
  • Remote Management Access to ASA and FWSM
  • Telnet Access
  • SSH Access
  • HTTPS Access Using ASDM
  • IOS Baseline Configuration
  • Configuring Interfaces on IOS Routers
  • Remote Management Access to IOS Devices
  • Remote Access Using Telnet
  • Remote Access Using SSH
  • Remote Access Using HTTP and HTTPS
  • Clock Synchronization Using NTP
  • Obtaining an IP Address Through the PPPoE Client
  • DHCP Services
  • Further Reading

Chapter 4: Learn the Tools. Know the Firewall
  • Using Access Control Lists Beyond Packet Filtering
  • Event Logging
  • Debug Commands
  • Flow Accounting and Other Usages of Netflow
  • Enabling Flow Collection on IOS
  • Traditional Netflow
  • Netflow v9 and Flexible Netflow
  • Enabling NSEL on an ASA Appliance
  • Performance Monitoring Using ASDM
  • Correlation Between Graphical Interfaces and CLI
  • Packet Tracer on ASA
  • Packet Capture
  • Embedded Packet Capture on an ASA Appliance
  • Embedded Packet Capture on IOS

Chapter 5: Firewalls in the Network Topology
  • Introduction to IP Routing and Forwarding
  • Static Routing Overview
  • Basic Concepts of Routing Protocols
  • RIP Overview
  • Configuring and Monitoring RIP
  • EIGRP Overview
  • Configuring and Monitoring EIGRP
  • EIGRP Configuration Fundamentals
  • Understanding EIGRP Metrics
  • Redistributing Routes into EIGRP
  • Generating a Summary EIGRP Route
  • Limiting Incoming Updates with a Distribute-List
  • EIGRP Stub Operation
  • OSPF Overview
  • Configuring and Monitoring OSPF
  • OSPF Configuration Fundamentals
  • OSPF Scenario with Two Areas
  • Configuring Authentication for Routing Protocols
  • Bridged Operation

Chapter 6: Virtualization in the Firewall World
  • Some Initial Definitions
  • Starting with the Data Plane: VLANs and VRFs
  • Virtual LANs
  • VRF-Aware Services
  • Beyond the Data Plane: Virtual Contexts
  • Management Access to Virtual Contexts
  • Allocating Resources to Virtual Contexts
  • Interconnecting Virtual Elements
  • Interconnecting VRFs with an External Router
  • Interconnecting Two Virtual Contexts That Do Not Share Any Interface
  • Interconnecting Two FWSM Contexts That Share an Interface
  • Interconnecting Two ASA Contexts That Share an Interface
  • Issues Associated with Security Contexts
  • Complete Architecture for Virtualization
  • Virtualized FWSM and ACE Modules
  • Segmented Transport
  • Virtual Machines and the Nexus 1000V

Chapter 7: Through ASA Without NAT
  • Types of Access Through ASA-Based Firewalls
  • Additional Thoughts About Security Levels
  • Internet Access Firewall Topology
  • Extranet Topology
  • Isolating Internal Departments
  • ICMP Connection Examples
  • Outbound Ping
  • Inbound Ping
  • Windows Traceroute Through ASA
  • UDP Connection Examples
  • Outbound IOS Traceroute Through ASA
  • TCP Connection Examples
  • ASA Flags Associated with TCP Connections
  • TCP Sequence Number Randomization
  • Same Security Access
  • Handling ACLs and Object-Groups

Chapter 8: Through ASA Using NAT
  • Nat-Control Model
  • Outbound NAT Analysis
  • Dynamic NAT
  • Dynamic PAT
  • Identity NAT
  • Static NAT
  • Policy NAT
  • Static Policy NAT
  • Dynamic Policy NAT
  • Dynamic Policy PAT
  • NAT Exemption
  • NAT Precedence Rules
  • Address Publishing for Inbound Access
  • Publishing with the static Command
  • Publishing with Port Redirection
  • Publishing with NAT Exemption
  • Inbound NAT Analysis
  • Dynamic PAT for Inbound
  • Identity NAT for Inbound
  • NAT Exemption for Inbound
  • Static NAT for Inbound
  • Dual NAT
  • Disabling TCP Sequence Number Randomization
  • Defining Connection Limits with NAT Rules

Chapter 9: Classic IOS Firewall Overview
  • Motivations for CBAC
  • CBAC Basics
  • ICMP Connection Examples
  • UDP Connection Examples
  • TCP Connection Examples
  • Handling ACLs and Object-Groups
  • Using Object-Groups with ACLs
  • CBAC and Access Control Lists
  • IOS NAT Review
  • Static NAT
  • Dynamic NAT
  • Policy NAT
  • Dual NAT
  • NAT and Flow Accounting

Chapter 10: IOS Zone Policy Firewall Overview
  • Motivations for the ZFW
  • Building Blocks for Zone-Based Firewall Policies
  • ICMP Connection Examples
  • UDP Connection Examples
  • TCP Connection Examples
  • ZFW and ACLs
  • ZFW in Transparent Mode
  • Defining Connection Limits
  • Inspection of Router Traffic
  • Intrazone Firewall Policies in IOS 15.X

Chapter 11: Additional Protection Mechanisms
  • Classic Antispoofing Using ACLs
  • Antispoofing with uRPF on IOS
  • Antispoofing with uRPF on ASA
  • TCP Flags Filtering
  • Filtering on the TTL Value
  • Handling IP Options
  • Stateless Filtering of IP Options on IOS
  • IP Options Drop on IOS
  • IP Options Drop on ASA
  • Dealing with IP Fragmentation
  • Stateless Filtering of IP Fragments in IOS
  • Virtual Fragment Reassembly on IOS
  • Virtual Fragment Reassembly on ASA
  • Flexible Packet Matching
  • Time-Based ACLs
  • Time-Based ACLs on ASA
  • Time-Based ACLs on IOS
  • Connection Limits on ASA
  • TCP Normalization on ASA
  • Threat Detection on ASA
  • Further Reading

Chapter 12: Application Inspection
  • Inspection Capabilities in the Classic IOS Firewall
  • Application Inspection in the Zone Policy Firewall
  • DNS Inspection in the Zone Policy Firewall
  • FTP Inspection in the Zone Policy Firewall
  • HTTP Inspection in the Zone Policy Firewall
  • IM Inspection in the Zone Policy Firewall
  • Overview of ASA Application Inspection
  • DNS Inspection in ASA
  • DNS Guard
  • DNS Doctoring
  • DNS Inspection Parameters
  • Some Additional DNS Inspection Capabilities
  • FTP Inspection in ASA
  • HTTP Inspection in ASA
  • Inspection of IM and Tunneling Traffic in ASA
  • Botnet Traffic Filtering in ASA
  • Further Reading

Chapter 13: Inspection of Voice Protocols
  • Introduction to Voice Terminology
  • Skinny Protocol
  • H.323 Framework
  • H.323 Direct Calls
  • H.323 Calls Through a Gatekeeper
  • Session Initiation Protocol (SIP)
  • MGCP Protocol
  • Cisco IP Phones and Digital Certificates
  • Advanced Voice Inspection with ASA TLS-Proxy
  • Advanced Voice Inspection with ASA Phone-Proxy
  • Further Reading

Chapter 14: Identity on Cisco Firewalls
  • Selecting the Authentication Protocol
  • ASA User-Level Control with Cut-Through Proxy
  • Cut-Through Proxy Usage Scenarios
  • Scenario 1: Simple Cut-Through Proxy (No Authorization)
  • Scenario 2: Cut-Through Proxy with Downloadable ACEs
  • Scenario 3: Cut-Through Proxy with Locally Defined ACL
  • Scenario 4: Cut-Through Proxy with Downloadable ACLs
  • Scenario 5: HTTP Listener
  • IOS User-Level Control with Auth-Proxy
  • Scenario 1: IOS Auth-Proxy with Downloadable Access Control Entries
  • Scenario 2: IOS Auth-Proxy with Downloadable ACLs
  • Scenario 3: Combining Classic IP Inspection (CBAC) and Auth-Proxy
  • User-Based Zone Policy Firewall
  • Establishing user-group Membership Awareness in IOS - Method 1
  • Establishing user-group Membership Awareness in IOS - Method 2
  • Integrating Auth-Proxy and the ZFW
  • Administrative Access Control on IOS
  • Administrative Access Control on ASA

Chapter 15: Firewalls and IP Multicast
  • Review of Multicast Addressing
  • Overview of Multicast Routing and Forwarding
  • The Concept of Upstream and Downstream Interfaces
  • RPF Interfaces and the RPF Check
  • Multicast Routing with PIM
  • Enabling PIM on Cisco Routers
  • PIM-DM Basics
  • PIM-SM Basics
  • Finding the Rendezvous Point on PIM-SM Topologies
  • Inserting ASA in a Multicast Routing Environment
  • Enabling Multicast Routing in ASA
  • Stub Multicast Routing in ASA
  • ASA Acting as a PIM-SM Router
  • Summary of Multicast Forwarding Rules on ASA
  • Further Reading

Chapter 16: Cisco Firewalls and IPv6
  • Introduction to IPv6
  • Overview of IPv6 Addressing
  • IPv6 Header Format
  • IPv6 Connectivity Basics
  • Handling IOS IPv6 Access Control Lists
  • IPv6 Support in the Classic IOS Firewall
  • IPv6 Support in the Zone Policy Firewall
  • Handling ASA IPv6 ACLs and Object-Groups
  • Stateful Inspection of IPv6 in ASA
  • Establishing Connection Limits
  • Setting an Upper Bound for Connections Through ASA
  • IPv6 and Antispoofing
  • Antispoofing with uRPF on ASA
  • Antispoofing with uRPF on IOS
  • IPv6 and Fragmentation
  • Virtual Fragment Reassembly on ASA
  • Virtual Fragment Reassembly on IOS
  • Further Reading

Chapter 17: Firewall Interactions
  • Firewalls and Intrusion Prevention Systems
  • Firewalls and Quality of Service
  • Firewalls and Private VLANs
  • Firewalls and Server Load Balancing
  • Firewalls and Virtual Machines
  • Protecting Virtual Machines with External Firewalls
  • Protecting Virtual Machines Using Virtual Firewall Appliances
  • Firewalls and IPv6 Tunneling Mechanisms
  • Firewalls and IPsec VPNs
  • Classic IPsec Site-to-Site for IOS
  • IPsec Site-to-Site Using a Virtual Tunnel Interface (VTI)
  • IPsec Site-to-Site Using a GRE Tunnel
  • NAT in the Middle of an IPsec Tunnel
  • Post-Decryption Filtering in ASA
  • Firewalls and SSL VPNs
  • Clientless Access
  • Client-Based Access (AnyConnect)
  • Firewalls and MPLS Networks
  • Borderless Networks Vision
  • Further Reading

Appendix A: NAT and ACL Changes in ASA 8.3


Customer Reviews

Average rating: 4.5 (7 reviews)
  • Posted June 28, 2011

    This book is a real treasure

    This was the book missing on my shelf.
    Definitely, a book that is able to explain network security to newbies like me.
    It starts with really basic concepts and gradually takes the reader to the most advanced topics ever.
    Gosh, I've learned a lot with this book - Firewalls and Voice, NAT entries and their precedence, Zone-Based Policy Firewall.
    5-star-worth book! No doubt!

    3 out of 3 people found this review helpful.

  • Posted June 14, 2011

    Very distinctive style, easy reading.

    I started reading this book and it looks really great.
    1) The examples are very structured and complement the theoretical aspects.
    2) Easy reading. The text flow is very smooth.
    3) Interesting topics such as IPv6, Multicast and Telephony protocols are covered.
    4) Not product-centric. So many important concepts are discussed and carefully illustrated via meaningful examples.
    Actually a very useful reference.

    3 out of 3 people found this review helpful.

  • Posted July 1, 2011

    A must read for anyone aiming at Security CCIE!

    This book is incredible, both in terms of contents and approach. If you are experienced with Cisco gear (IOS and ASA), jump to chapter 4 and learn about the available tools that demonstrate Firewall operations. You will then use this tool set on the remaining chapters. If you are just beginning, read from cover to cover (chapters 1 through 3 will guide you through the basics). Some highlights: a) The examples are organized and very well thought out. (While reading, I was trying to figure out the great deal of effort it took to put this content together.) b) Very pleasant to read. c) Every concept is explained and illustrated. Indispensable for CCIE candidates. d) ASA and IOS are dealt with in parallel. e) The author does not waste pages on hardware details (because hardware changes frequently and Cisco's site will always be a better reference to find this class of information). f) ASA NAT (classic headache for CCIE candidates) is thoroughly analyzed (before and after 8.3). g) Application inspection is demonstrated. Voice stuff deserved one dedicated chapter (very organized). h) Virtualization study from the architecture level to the details. i) And much more... Amazing reference!!

    2 out of 2 people found this review helpful.

  • Posted November 14, 2011

    Incredible NAT Reference!!!

    Overall, the book is very well written and insightful. But if I were to mention one topic, it would be the coverage of ASA NAT (from the initial implementation to the new paradigm of 8.3). Great examples and a must read for anyone transitioning to ASA 8.3 and beyond. Very worth reading!!

    1 out of 1 people found this review helpful.

  • Posted July 25, 2012

    Very nice book! The reading experience is smooth. The content is very structured and, even more important, useful!
    Those complex topics such as ASA NAT, L7 Inspection, Telephony Security with ASA are examined in an incredible amount of detail. And it will work fine as a study reference for the Security CCIE and some of the CCNP tests (FIREWALL and SECURE basically...)
    Highly recommended!

  • Posted July 21, 2011

    A good read. Will be helpful to Cisco network administrators and CCIE security candidates

    Cisco firewalls play a critical role in the security fabric of the Internet as Cisco maintains its commanding market leadership in network gear. Alexandre Moraes' book provides a guided tour of the Cisco firewall portfolio and where they may fit in an enterprise's security architecture. This book's primary audience includes the broad community of security engineers, particularly those responsible for administering firewall systems. Organized into seventeen chapters, the book starts with a primer on firewalls in general, lays out the key Cisco firewall architecture, and delves into implementation and deployment scenarios.

    Chapter 1 is an interesting exploration of the role of firewalls in network security, with a cursory review of firewall technological advances and a description of firewall categories including packet filters, proxies and stateful firewalls. Much of the chapter is devoted to the concept of the stateful firewall, the technology driving most next-generation firewall technologies. Chapter 2 is an overview of the Cisco family of firewalls as at the time of writing the book. The chapter covers Cisco ASA (adaptive security appliances) appliances, the Cisco FWSM (firewall services module) and IOS-based firewall features. This chapter reads like a buyer's guide to Cisco firewall solutions, and the treatment of CPS and PPS will come in handy for security solutions designers. Chapter 3 is a presentation of the basic configuration tasks necessary to implement a Cisco firewall solution. The chapter attempts to provide a complete guide for the various firewall families presented in chapter 2. Nothing you wouldn't find in a Cisco manual; the organization, however, helps to focus your attention on what is essential.

    Chapter 4 is the administrator's delight. Moraes took the reader through various additional configuration and basic performance monitoring tools. While the emphasis was on IOS commands, the near-moribund Cisco MARS was also introduced as a logging facility for firewalls. Chapter 5 is an exploration of firewalls in a network topology, and the author explored the interaction between key routing protocols, including RIP, EIGRP, OSPF, and EGP, and Cisco firewalls. Chapter 6 is an interesting addition that focuses on IOS features that could come in handy in protecting a virtualized network. The chapter covers not only the virtual machine scenario but also presents some of Cisco's efforts at virtualized networking, including the age-old VLAN, virtual routing and forwarding (VRF) and virtual contexts. Chapters 7 & 8 present two alternate configuration environments for ASA (adaptive security algorithm - a core algorithm for many of Cisco's current and next-generation firewall families) - one with NAT (chapter 8) and the other without NAT.

    The Cisco IOS Firewall is built into all Cisco routers and many Cisco switches. While not the most efficient solution for medium to large organizations with heavy traffic, it is often adequate for small shops with lower transaction requirements. The author presents an overview of the IOS firewall in chapter 9, emphasizing Cisco's Context-Based Access Control (CBAC), another term for stateful firewalls. Zone-Based Policy Firewall (ZFW) is the more recent incarnation of stateful firewalls, which provides support for security partitions or zones, improving security designers' options. Chapter 10 presents an overview of ZFW with some configuration options.

    Chapters 11 and 12 explore additional tools available to Cisco

  • Posted June 30, 2011

    many ideas for using firewalls

    The size of the book gives you some idea of the amount of effort Cisco has put into its firewalls, which are a fundamental concept for protecting your private network from intruders.

    Chapter 3 describes using the Command Line Interface [CLI], a purely text-based output to a terminal. A network sysadmin should spend some time playing around with the CLI commands to garner familiarity at the basic level. From the chapter, you can learn the power of the various commands. These let you configure important items like a DHCP server and client, for example.

    The next chapter has the overarching aim of encouraging you to think in terms of better security designs. It tries to do this by explaining key tools that Cisco has built to study network traffic. Like Netflow v9, which appears quite easy to use and valuable when its output is sent to the graphical interface of MARS.

    Much of chapter 4 goes between looking at examples in CLI and of a GUI. There are advantages to both. A newbie might find running a GUI easier, especially if she comes from a background in another vendor's equipment. There is a very useful method of doing a task via the GUI and seeing the corresponding CLI commands. From this you can construct a template to use repeatedly. The CLI approach is well suited to experienced sysadmins and to those wanting to run scripts across several network devices.

    The rest of the book expands on other capabilities of the firewalls. Very elaborate.

    Unfortunately, the start of the book, in chapter 1, has been sloppily written. To wit:

    On page 4, "it is necessary to implement security solutions that cannot [sic] mitigate the risks". Hilarious. The meaning has been inverted. The correct word is can.

    On page 9, in Figure 1-6, the boxes for SrcPort-T1 and SrcPort-T2 should be shaded.

    On page 21, in Figure 1-15, the right "Internet Access" label should say "Internet Presence".

    The problem is that a reader who carefully starts at this chapter might see these and go no further; being deterred by these flaws. The book lists 2 technical reviewers, who appear to have dropped the ball.

    0 out of 1 people found this review helpful.
