Table of Contents

- Preface p. xv
- Acknowledgments p. xvii
- Introduction p. 1
  - The Need for Security p. 2
  - Public Network Threats p. 2
  - Private Network Threats p. 4
  - The Role of Routers p. 5
  - Other Security Devices p. 6
  - Firewall Features p. 6
  - Packet Filtering p. 6
  - Network Address Translation p. 7
  - Authentication Services p. 7
  - Encryption p. 7
  - Alarm Generation p. 8
  - Proxy Services p. 8
  - Book Preview p. 8
  - The TCP/IP Protocol Suite p. 8
  - The Internet Protocol p. 9
  - TCP and UDP p. 9
  - NetWare p. 9
  - Router Hardware and Software p. 9
  - Working with Access Lists p. 10
  - The PIX Firewall p. 10
- The TCP/IP Protocol Suite p. 11
  - The ISO Open Systems Interconnection Reference Model p. 12
  - Layers of the OSI Reference Model p. 12
  - The Physical Layer p. 13
  - The Data Link Layer p. 13
  - The Network Layer p. 14
  - The Transport Layer p. 14
  - The Session Layer p. 15
  - The Presentation Layer p. 15
  - The Application Layer p. 15
  - Data Flow p. 16
  - Layer Subdivision p. 17
  - The TCP/IP Protocol Suite p. 18
  - Comparison to the ISO Reference Model p. 18
  - Internet Protocol (IP) p. 19
  - Internet Control Message Protocol (ICMP) p. 20
  - TCP and User Datagram Protocol (UDP) p. 20
  - Data Delivery p. 20
- The Internet Protocol p. 23
  - The IP Header p. 24
  - Vers Field p. 24
  - Hlen and Total Length Fields p. 24
  - Service Type Field p. 24
  - Identification and Fragment Offset Fields p. 25
  - Time to Live Field p. 25
  - Flags Field p. 25
  - Protocol Field p. 26
  - Source and Destination Address Fields p. 30
  - Overview p. 31
  - IPv4 p. 32
  - The Basic Addressing Scheme p. 33
  - Address Classes p. 33
  - Class A p. 34
  - Class B p. 34
  - Class C p. 35
  - Class D p. 36
  - Class E p. 36
  - Dotted-Decimal Notation p. 37
  - Reserved Addresses p. 38
  - Networking Basics p. 39
  - Subnetting p. 40
  - Host Addresses on Subnets p. 44
  - The Subnet Mask p. 45
  - Configuration Examples p. 47
  - Classless Networking p. 50
  - IPv6 p. 51
  - Address Architecture p. 51
  - Address Types p. 51
  - Address Notation p. 52
  - Address Allocation p. 52
  - Provider-Based Addresses p. 54
  - Special Addresses p. 54
  - Address Resolution p. 55
  - Operation p. 56
  - ICMP p. 59
- TCP and UDP p. 65
  - The TCP Header p. 66
  - Source and Destination Port Fields p. 67
  - Port Numbers p. 67
  - Sequence and Acknowledgment Number Fields p. 70
  - Hlen Field p. 71
  - Code Bits Field p. 71
  - Window Field p. 72
  - Checksum Field p. 72
  - Options and Padding Fields p. 73
  - The UDP Header p. 74
  - The Source and Destination Port Fields p. 75
  - Length Field p. 75
  - Checksum Field p. 76
  - Firewall and Router Access List Considerations p. 76
- NetWare p. 77
  - Overview p. 78
  - General Structure p. 78
  - Network Layer Operation p. 78
  - Transport Layer Operation p. 79
  - SAPs, RIPs, and the NCP p. 79
  - NetWare Addressing p. 80
  - Network Address p. 80
  - Node Address p. 80
  - Socket Number p. 81
  - IPX p. 81
  - Packet Structure p. 82
  - Checksum Field p. 82
  - Length Field p. 83
  - Transport Control Field p. 83
  - Packet Type Field p. 83
  - Destination Network Address Field p. 84
  - Destination Node Address Field p. 84
  - Destination Socket Field p. 84
  - Source Network Field p. 85
  - Source Node Field p. 85
  - Source Socket Field p. 85
  - SPX p. 85
  - Packet Structure p. 86
  - Comparison to IPX p. 87
  - Connection Control Field p. 87
  - Datastream Type Field p. 88
  - Source Connection ID Field p. 88
  - Destination Connection ID Field p. 88
  - Sequence Number Field p. 89
  - Acknowledgment Number Field p. 89
  - Allocation Number Field p. 89
  - SAP, RIP, and NCP p. 89
- Router Hardware and Software Overview p. 91
  - Basic Hardware Components p. 92
  - Central Processing Unit (CPU) p. 93
  - Flash Memory p. 93
  - ROM p. 93
  - RAM p. 93
  - Nonvolatile RAM p. 94
  - I/O Ports and Media-Specific Converters p. 94
  - The Router Initialization Process p. 96
  - Basic Software Components p. 99
  - Operating System Image p. 99
  - Configuration File p. 100
  - Data Flow p. 100
  - The Router Configuration Process p. 102
  - Cabling Considerations p. 102
  - Console Access p. 103
  - Setup Considerations p. 104
  - The Command Interpreter p. 107
  - User Mode Operations p. 107
  - Privileged Mode of Operation p. 109
  - Configuration Command Categories p. 111
  - Global Configuration Commands p. 112
  - Interface Commands p. 113
  - Line Commands p. 113
  - Router Commands p. 114
  - Abbreviating Commands p. 115
  - Security Management Considerations p. 116
  - Password Management p. 116
  - Access Lists p. 117
- Cisco Router Access Lists p. 119
  - Cisco Access List Technology p. 120
  - Access Lists Defined p. 121
  - Creating Access Lists p. 122
  - Access List Details p. 125
  - Applying Access Lists p. 127
  - Named Access Lists p. 131
  - Editing Access Lists p. 133
  - Access List Processing Revisited p. 135
  - Placement of Entries in an Access List p. 136
  - Representing Address Ranges -- Using Wildcard Masks p. 137
  - Wildcard Mask Examples p. 140
  - Additional Wildcard Mask Example p. 144
  - Wildcard Mask Shortcuts p. 145
  - Wildcard Masks Concluded p. 145
- Packet Filtering Technology p. 146
  - The Role of Packet Filters p. 146
  - Packet Filters Defined p. 147
  - Stateless and Stateful Packet Filtering p. 148
  - Packet Filter Limitations p. 149
  - IP Address Spoofing p. 150
  - Stateless Packet Inspection p. 151
  - Limited Information p. 151
  - Human Error p. 151
  - Configuration Principles p. 152
  - Traditional IP Access Lists p. 153
  - Standard Access Lists p. 153
  - Extended IP Access Lists p. 158
  - Filtering the TCP Protocol p. 161
  - HTTP Services p. 162
  - Inbound Traffic p. 162
  - FTP Services p. 163
  - Filtering the UDP Protocol p. 165
  - Filtering the ICMP Protocol p. 166
  - Filtering IP Packets p. 168
  - Other Protocols p. 171
  - Discovering Protocols p. 171
- Advanced Cisco Router Security Features p. 173
  - Next Generation Access Lists p. 174
  - Dynamic Access Lists p. 174
  - Limitations p. 177
  - Time-Based Access Lists p. 178
  - Limitations p. 179
  - Reflexive Access Lists p. 180
  - Limitations p. 181
  - Examples p. 182
  - Context Based Access Control (CBAC) p. 186
  - Overview p. 186
  - The Process p. 187
  - Caveats p. 188
  - Configuration p. 188
  - Choose an Interface p. 189
  - Configure Access Lists p. 190
  - Configure Timeouts and Thresholds p. 191
  - Define Inspection Rules p. 191
  - Apply the Inspection Rules p. 193
  - Additional Details p. 193
  - Example Configuration p. 194
  - Other IP Security Features p. 199
  - Hardening the Router p. 199
  - Secure Router Access p. 200
  - Disable Unnecessary Services p. 201
  - Commands p. 201
  - TCP Intercept -- Preventing SYN Flooding p. 202
  - Enabling TCP Intercept p. 203
  - Setting the Mode p. 203
  - Aggressive Thresholds p. 204
  - Sample Configuration p. 204
  - Network Address Translation p. 204
  - Caveats p. 205
  - NAT Terms p. 205
  - Sample Configurations p. 206
  - Translating Source Addresses p. 206
  - Translating Source and Destination Addresses p. 209
  - TCP Load Distribution p. 210
  - Useful Commands p. 211
- Non-IP Access Lists p. 213
  - IPX Access Lists p. 214
  - Filtering IPX Data Packets p. 215
  - Filtering IPX SAP Updates p. 218
  - Filtering IPX RIP Updates p. 219
  - Layer 2 Access Lists p. 220
  - Filtering by Layer 2 Address p. 220
  - Filtering by LSAP or Type p. 222
  - Filtering by Byte Offset p. 223
  - Using Access Expressions p. 224
- The Cisco PIX p. 225
  - Cisco PIX Basics p. 226
  - Models and Specifications p. 229
  - Special Features of the PIX p. 231
  - Limitations of the PIX p. 234
  - Closed Implementation p. 234
  - Limited Routing Support p. 235
  - Limited VPN Support p. 235
  - Limited Client Authentication p. 235
  - Configuring the Cisco PIX p. 236
  - Default Configuration p. 236
  - Naming Interfaces p. 236
  - Interface Settings p. 240
  - Passwords p. 240
  - Hostname p. 241
  - Fixup Commands p. 241
  - Names p. 242
  - Failover p. 243
  - Pager Lines p. 243
  - Logging p. 243
  - IP Addressing p. 243
  - ARP p. 244
  - Routing Commands p. 244
  - Translation Timeouts p. 245
  - SNMP Commands p. 246
  - Maximum Transmission Unit (MTU) Commands p. 246
  - Floodguard p. 246
  - Getting the PIX Up and Running p. 247
  - Defining NAT and Global Pools p. 248
  - Using Static NAT and Conduits p. 254
  - Dual NAT -- Using the Alias Command p. 258
  - PIX Access Lists p. 260
  - Handling Multi-Channel Protocols p. 263
  - Setting Passwords p. 266
  - Managing the PIX p. 266
  - Advanced Configuration Topics p. 268
  - User Authentication p. 268
  - Virtual Private Networks p. 270
  - Redundant PIX Design p. 271
  - Filtering Web Traffic p. 273
  - The PIX Manager p. 274
- Determining Wildcard Mask Ranges p. 279
- Creating Access Lists p. 291
  - Standard Access Lists p. 295
  - Extended IP Access Lists p. 297
- Glossary p. 299
- Acronyms and Abbreviations p. 309
- Index p. 315

Table of Contents provided by Blackwell's Book Services and R.R. Bowker. Used with permission.