Book Review: Cisco Firewalls


Author: Alexandre M.S.P. Moraes
Publisher: Cisco Press
ISBN -13: 978-1-58714-109-6
Year: 2011
 
Cisco firewalls play a critical role in the security fabric of the Internet, as Cisco maintains its commanding market leadership in network gear. Alexandre Moraes' book provides a guided tour of the Cisco firewall portfolio and of where each product may fit in an enterprise's security architecture. The book's primary audience is the broad community of security engineers, particularly those responsible for administering firewall systems. Organized into seventeen chapters, the book starts with a primer on firewalls in general, lays out the key Cisco firewall architectures, and then delves into implementation and deployment scenarios.

Chapter 1 is an interesting exploration of the role of firewalls in network security. It offers a cursory review of firewall technological advances and describes the firewall categories, including packet filters, proxies, and stateful firewalls. Much of the chapter is devoted to the concept of the stateful firewall, the technology driving most next-generation firewall products. Chapter 2 is an overview of the Cisco family of firewalls as of the time of writing. The chapter covers the Cisco ASA (Adaptive Security Appliance) appliances, the Cisco FWSM (Firewall Services Module), and IOS-based firewall features. This chapter reads like a buyer's guide to Cisco firewall solutions, and the treatment of CPS (connections per second) and PPS (packets per second) will come in handy for security solution designers. Chapter 3 presents the basic configuration tasks necessary to implement a Cisco firewall solution. The chapter attempts to provide a complete guide for the various firewall families presented in chapter 2. There is nothing here you wouldn't find in a Cisco manual, but the organization helps focus your attention on what is essential.

Chapter 4 is the administrator's delight. Moraes takes the reader through various additional configuration and basic performance monitoring tools. While the emphasis is on IOS commands, the near-moribund Cisco MARS is also introduced as a logging facility for firewalls. Chapter 5 explores firewalls in a network topology, and the author examines the interaction between key routing protocols (RIP, EIGRP, OSPF, and EGP) and Cisco firewalls. Chapter 6 is an interesting addition that focuses on IOS features that could come in handy in protecting a virtualized network. The chapter covers not only the virtual machine scenario but also presents some of Cisco's efforts at virtualized networking, including the age-old VLAN, virtual routing and forwarding (VRF), and virtual contexts. Chapters 7 and 8 present two alternate configuration environments for ASA (Adaptive Security Algorithm, a core algorithm for many of Cisco's current and next-generation firewall families): one with NAT (chapter 8) and the other without NAT.

Cisco IOS Firewall is built into all Cisco routers and many Cisco switches. While not the most efficient solution for medium to large organizations with heavy traffic, it is often adequate for small shops with lower transaction requirements. The author presents an overview of IOS Firewall in its own chapter, emphasizing Cisco's Context-Based Access Control (CBAC), another term for stateful firewalling. Zone-Based Policy Firewall (ZFW) is the more recent incarnation of the stateful firewall; it provides support for security partitions, or zones, which improves security designers' options. Chapter 10 presents an overview of ZFW with some configuration options.
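To make the zone concept concrete, here is an added illustration (not configuration from the book or the review) of a minimal Cisco IOS Zone-Based Policy Firewall: two interfaces are placed in separate security zones, and only stateful-inspected traffic initiated from the inside zone toward the outside zone is permitted. The interface names, zone names and class/policy names are assumptions chosen for the example.

```cisco
! Two security zones; traffic between zones is dropped until a zone-pair policy allows it
zone security INSIDE
zone security OUTSIDE
!
! Assumed interface names; each interface belongs to exactly one zone
interface GigabitEthernet0/0
 description LAN (assumed)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet uplink (assumed)
 zone-member security OUTSIDE
!
! Match the protocols inside hosts may initiate
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! "inspect" builds session state so only the matching return traffic is admitted;
! anything else crossing this zone pair is dropped and logged
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Apply the policy to the INSIDE -> OUTSIDE direction only.
! No zone pair is defined for OUTSIDE -> INSIDE, so unsolicited inbound traffic is dropped.
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
```

Two points a practitioner should check after applying this: traffic between interfaces in the same zone is allowed without inspection, and an interface that belongs to a zone cannot talk to an interface that belongs to no zone at all, so every interface that must pass traffic needs a zone membership. The active sessions the inspect action created can be viewed with `show policy-map type inspect zone-pair sessions`.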

Chapters 11 and 12 explore additional tools available to Cisco firewall administrators, including how to use ACLs and uRPF to prevent spoofing, how to address packet fragmentation, and application inspection. Convergence is becoming more routine in today's enterprise networks, and chapter 13 focuses on the voice protocol inspection features of Cisco firewalls. Perhaps one of the more interesting features of modern firewalls is their support for identity-based access control. In chapter 14, the author reviews the pertinent infrastructure in Cisco firewalls that supports user-level controls. The access control protocols of choice are RADIUS and TACACS+, but there is also simple configuration support for other protocols.
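As an added example of the ACL-plus-uRPF anti-spoofing combination the review mentions (this is not configuration from the book), the following Cisco IOS fragment enables strict unicast reverse-path forwarding on an assumed Internet-facing interface and applies an ingress ACL that drops packets claiming private, loopback or local-network sources. The interface name and the address blocks are assumptions; the 192.0.2.0/24 line stands in for the organization's own public prefix, which should never appear as a source on the uplink.

```cisco
! Strict uRPF: drop a packet unless the route back to its source address
! points out the interface the packet arrived on (requires CEF to be enabled)
interface GigabitEthernet0/1
 description Internet uplink (assumed)
 ip verify unicast source reachable-via rx
 ip access-group ACL-ANTISPOOF-IN in
!
! Ingress ACL on the uplink: deny obviously forged sources, then permit the rest
ip access-list extended ACL-ANTISPOOF-IN
 remark RFC 1918 private space must not arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark loopback range
 deny   ip 127.0.0.0 0.255.255.255 any log
 remark assumed: our own public block (placeholder prefix); it cannot legitimately be a source on the uplink
 deny   ip 192.0.2.0 0.0.0.255 any log
 permit ip any any
```

Strict-mode uRPF (`reachable-via rx`) is only safe where routing is symmetric; on a multihomed edge where return paths may differ, use loose mode (`reachable-via any`) or the ACL alone, otherwise legitimate traffic is dropped. The ACL still earns its keep alongside uRPF because a forged source that happens to be routable through the receiving interface passes the reverse-path check but is caught by an explicit deny. Counters for both can be checked with `show ip interface GigabitEthernet0/1` (uRPF drops) and `show access-lists ACL-ANTISPOOF-IN`.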

IP multicast and IP version 6 are two of the leading areas of networking opportunity and challenge today. Moraes reviews IP multicast and firewalls in chapter 15, and focuses on Cisco firewall configuration support for IP version 6 in chapter 16. In chapter 17, the book presents a map of Cisco firewall interactions with some key networking technologies, including IPS, QoS, PVLANs, server load balancing, VMs, MPLS, VPN, and Cisco's Borderless Network concept.

A good read, the almost-900-page book is a helpful guide for CCIE Security candidates and administrators of Cisco networks.

1 comment:

  1. CISCO's firewall firmware are topnotch. I do hope they develop a software based firewall.
    polycom ip 550