1526fmfw95.book Page i Wednesday, March 22, 2006 1:07 PM

CCSP SNPA Official Exam Certification Guide
Third Edition

Michael Gibbs
Greg Bastien
Earl Carter
Christian Abera Degu

Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

CCSP SNPA Official Exam Certification Guide, Third Edition
Michael Gibbs, Greg Bastien, Earl Carter, Christian Abera Degu

Copyright © 2006 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

First Printing: April 2006

Library of Congress Cataloging-in-Publication Number: 2006922897

ISBN: 1-58720-152-6

Warning and Disclaimer

This book is designed to provide information about the Securing Networks with PIX and ASA (SNPA) 642-522 exam toward the Cisco Certified Security Professional (CCSP) certification. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value.
Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of people from the professional technical community. Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please include the book title and ISBN in your message. We greatly appreciate your assistance.

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact:
U.S. Corporate and Government Sales 1-800-382-3419 [email protected]
For sales outside the U.S., please contact:
International Sales [email protected]

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Publisher: John Wait
Cisco Representative: Anthony Wolfenden
Editor-in-Chief: John Kane
Cisco Press Program Manager: Jeff Brady
Executive Editor: Brett Bartow
Production Manager: Patrick Kanouse
Senior Development Editor: Christopher Cleveland
Senior Project Editor: San Dee Phillips
Copy Editor: Carlisle Communications
Technical Editors: David Chapman Jr., Kevin Hofstra, and Bill Thomas
Editorial Assistant: Raina Han
Book and Cover Designer: Louisa Adair
Composition: Mark Shirar
Indexer: Eric Schroeder

About the Authors

Michael Gibbs is the vice president of Consulting for Security Evolutions, Inc. (SEI), where he is responsible for the overall technical management of SEI’s Cisco-centric IT security consulting services. Mr. Gibbs has more than 10 years of hands-on experience with Cisco Systems routers, switches, firewalls, IDSs, and other CPE equipment and IOS Software versions. He has been involved in IP network design, IP network engineering, and IT security engineering for large service provider backbone networks and broadband infrastructures. Mr. Gibbs is proficient in designing, implementing, and operating backbone IP and VoIP networks, implementing network operation centers, and designing and configuring server farms. Mr. Gibbs is also the author of multiple patents on IP data exchanges and QoS systems. As SEI’s technical leader for Cisco-centric IP network engineering and IT security consulting services, Mr. Gibbs provided technical program management, as well as technical support, for clients who utilize Cisco Systems CPE devices at the network ingress/egress. His hands-on, real-world experience designing and implementing Cisco-centric security countermeasures provided valuable experience in the authoring of this book.

Greg Bastien, CCNP, CCSP, CISSP, is the chief technical officer for Virtue Technologies, Inc. He provides consulting services to various federal agencies and commercial clients and holds a position as adjunct professor at Strayer University, teaching networking and network security classes. He completed his undergraduate and graduate degrees at Embry-Riddle Aeronautical University while on active duty as a helicopter flight instructor in the U.S. Army.

Earl Carter has been working in the field of computer security for approximately 11 years. He started learning about computer security while working at the Air Force Information Warfare Center. Earl's primary responsibility was securing Air Force networks against cyber attacks. In 1998, he accepted a job with Cisco to perform IDS research for NetRanger (currently Cisco IPS) and NetSonar (Cisco Secure Scanner). Currently, he is a member of the Security Technologies Assessment Team (STAT) that is part of Consulting Engineering (CE). His duties involve performing security evaluations on numerous Cisco products and consulting with other teams within Cisco to help enhance the security of Cisco products. He has examined various products from the PIX Firewall to the Cisco CallManager. Presently, Earl is working on earning his CCIE certification with a security emphasis. In his spare time, Earl is very active at church as a youth minister and lector. He also enjoys training in Taekwondo, where he is currently a third-degree black belt and working on becoming a certified American Taekwondo Association (ATA) instructor.

Christian Abera Degu, CCNP, CCSP, CISSP, works as a senior network engineer for General Dynamics Network Systems Signal Solutions, as consultant to the U.S. Federal Energy Regulatory Commission. He holds a master's degree in computer information systems. Christian resides in Alexandria, Virginia.

About the Technical Reviewers

David W. Chapman Jr., CISSP-ISSAP, CCNP, CCDP, CSSP, is president and principal consultant for SecureNet Consulting, LLC, an information security consulting firm in Fort Worth, Texas, specializing in vulnerability assessments, penetration testing, and the design and implementation of secure network infrastructures. Mr. Chapman divides his time between teaching Cisco security courses and writing about network security issues. He is a senior member of the IEEE.

Kevin Hofstra, CCIE No. 14619, CCNP, CCDP, CCSP, CCVP, is a network optimization engineer within the Air Force Communications Agency of the U.S. Department of Defense. Mr. Hofstra has a computer science degree from Yale University and a master’s of engineering in telecommunications from the University of Colorado.

Bill Thomas, CISSP, CCIE, CCSP, is a consulting engineer for Cisco Systems, within the Advanced Technology organization. Mr. Thomas currently focuses on design and implementation of security solutions for large, corporate customers of Cisco. He is a frequent public speaker in forums such as ISC2 and ISSA.

Dedication

This book is dedicated to Mustang Sallie.

Acknowledgments

I’d like to thank David Kim and the SEI team for the opportunity to write this book. Thanks to David Chapman, Kevin Hofstra, and Bill Thomas for keeping me straight when it came to deciphering the labyrinth of technical specifics. A big thank you goes out to the production team for this book. Brett Bartow, Christopher Cleveland, and San Dee Phillips have been a pleasure to work with and incredibly professional. I couldn’t have asked for a finer team. Finally, I would like to thank my wife for putting up with me throughout the creation of this book. No woman is more understanding.
Contents at a Glance

Foreword xxv
Introduction xxvi
Chapter 1 Network Security 3
Chapter 2 Firewall Technologies and the Cisco Security Appliance 23
Chapter 3 Cisco Security Appliance 37
Chapter 4 System Management/Maintenance 75
Chapter 5 Understanding Cisco Security Appliance Translation and Connection 109
Chapter 6 Getting Started with the Cisco Security Appliance Family of Firewalls 137
Chapter 7 Configuring Access 177
Chapter 8 Modular Policy Framework 199
Chapter 9 Security Contexts 223
Chapter 10 Syslog and the Cisco Security Appliance 247
Chapter 11 Routing and the Cisco Security Appliance 269
Chapter 12 Cisco Security Appliance Failover 303
Chapter 13 Virtual Private Networks 327
Chapter 14 Configuring Access VPNs 395
Chapter 15 Adaptive Security Device Manager 453
Chapter 16 Content Filtering on the Cisco Security Appliance 497
Chapter 17 Overview of AAA and the Cisco Security Appliance 513
Chapter 18 Configuration of AAA on the Cisco Security Appliance 537
Chapter 19 IPS and Advanced Protocol Handling 587
Chapter 20 Case Study and Sample Configuration 623
Appendix A Answers to the “Do I Know This Already?” Quizzes and Q&A Sections 669
Index 712

Contents

Foreword xxv
Introduction xxvi

Chapter 1 Network Security 3
  How to Best Use This Chapter 3
  “Do I Know This Already?” Quiz 3
  Foundation and Supplemental Topics 7
    Overview of Network Security 7
    Vulnerabilities, Threats, and Attacks 8
      Vulnerabilities 8
      Threats 8
      Types of Attacks 8
        Reconnaissance Attacks 9
        Access Attacks 10
        DoS Attacks 11
    Security Policies 11
      Step 1: Secure 12
      Step 2: Monitor 13
      Step 3: Test 13
      Step 4: Improve 13
    Network Security as a “Legal Issue” 13
    Defense in Depth 14
    Cisco AVVID and Cisco SAFE 14
      Cisco AVVID? 14
      Cisco SAFE 16
  Foundation Summary 17
    Network Security 17
    Vulnerabilities, Threats, and Attacks 17
      Vulnerabilities 17
      Threats 17
      Attacks 18
    Security Policies 18
    Network Security as a Process 19
    Defense in Depth 19
    Cisco AVVID 19
    Cisco SAFE 20
  Key Terms 20
  Q&A 21

Chapter 2 Firewall Technologies and the Cisco Security Appliance 23
  How to Best Use This Chapter 23
  “Do I Know This Already?” Quiz 23
  Foundation Topics 27