CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, 2/e

Greg Bastien, Christian Degu, Earl Carter

  • Publisher: Cisco Press
  • Publication date: 2004-10-12
  • List price: $2,200
  • VIP price: $2,090 (95% of list price)
  • Language: English
  • Pages: 816
  • Binding: Hardcover
  • ISBN: 1587201232
  • ISBN-13: 9781587201233
  • Related category: Cisco
  • Out of print

Description:

Official self-study test preparation guide for the Cisco CSPFA 642-521 exam

Coverage of the CSPFA topics enables you to fill your knowledge gaps before the exam date. You'll learn about:

  • The comprehensive line of Cisco PIX Firewall products and the technology and features central to each one
  • Transport protocols, Network Address Translation (NAT), and Port Address Translation (PAT)
  • Reporting, tool use, and administration using Firewall MC
  • Using access control lists and URL filtering
  • Attack guards and intrusion detection
  • Cisco Firewall Services Module (FWSM) deployment and configuration
  • Concepts and configurations that support failovers
  • Enabling a secure virtual private network (VPN)
  • Using Cisco PIX Device Manager to configure a firewall and create VPNs

Becoming a CCSP distinguishes you as part of an exclusive group of experts, ready to take on today's most challenging security tasks. Administration of the Cisco PIX Firewall is a difficult and complex task, critical for protecting a network. Whether you are seeking a PIX-focused certification or the full-fledged CCSP certification, learning what you need to know to pass the Cisco Secure PIX Firewall Advanced (CSPFA) exam will qualify you to keep your company's network safe while meeting business needs.

Each chapter of the CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition, tests your knowledge of the exam subjects through features such as quizzes, sections that detail exam topics to master, and summary sections that highlight essential subjects for quick reference and review. Because experienced IT professionals agree that the most demanding portion of their jobs is troubleshooting, the final section of this book includes scenarios dedicated to troubleshooting Cisco PIX Firewall configuration. This includes a description of the problem, a portion of the system configuration, debug output, and suggestions to help you resolve the issue. The companion CD-ROM's customizable testing engine enables you to take practice exams that mimic the real testing environment, focus on particular topic areas, randomize answers for reusability, track your progress, and refer to the electronic text for review.

CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition, is part of a recommended learning path from Cisco Systems that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.

Companion CD-ROM
This companion CD-ROM contains a test bank with more than 100 practice exam questions unique to this book.

CD-ROM test engine powered by www.boson.com. Boson Software is a Cisco Learning Partner.

This volume is part of the Exam Certification Guide Series from Cisco Press. Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.

 

Table of Contents:

Introduction.

1. Network Security.

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation and Supplemental Topics.

    Overview of Network Security.

    Vulnerabilities, Threats, and Attacks.

      Vulnerabilities.

      Threats.

      Types of Attacks.

    Security Policies.

      Step 1: Secure.

      Step 2: Monitor.

      Step 3: Test.

      Step 4: Improve.

    Network Security as a “Legal Issue”.

    Defense in Depth.

    Cisco AVVID and Cisco SAFE.

      Cisco AVVID.

      Cisco SAFE.

    Foundation Summary.

      Network Security.

      Vulnerabilities, Threats, and Attacks.

      Vulnerabilities.

      Threats.

      Attacks.

      Security Policies.

      Network Security as a Process.

      Defense in Depth.

      Cisco AVVID.

      Cisco SAFE.

      Key Terms.

    Q&A.

2. Firewall Technologies and the Cisco PIX Firewall.

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation Topics.

    Firewall Technologies.

      Packet Filtering.

      Proxy.

      Stateful Inspection.

    Cisco PIX Firewall.

      Secure Real-Time Embedded System.

      Adaptive Security Algorithm.

      Cut-Through Proxy.

      Redundancy.

    Foundation Summary.

      Firewall Technologies.

      Cisco PIX Firewall.

    Q&A.

3. Cisco PIX Firewall.

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation Topics.

    Overview of the Cisco PIX Firewall.

      Adaptive Security Algorithm.

      Cut-Through Proxy.

    Cisco PIX Firewall Models and Features.

      Intrusion Protection.

      AAA Support.

      X.509 Certificate Support.

      Network Address Translation/Port Address Translation.

      Firewall Management.

      Simple Network Management Protocol.

      Syslog Support.

      Virtual Private Networks.

      Optional Firewall Components.

    PIX Firewall Model Capabilities.

      Cisco PIX 501.

      Cisco PIX 506E.

      Cisco PIX 515E.

      Cisco PIX 525.

      Cisco PIX 535.

    Foundation Summary.

      Adaptive Security Algorithm.

      Cut-Through Proxy.

      Cisco PIX Firewall Models and Features.

      Intrusion Protection.

      AAA Support.

      X.509 Certificate Support.

      Network Address Translation/Port Address Translation.

      Firewall Management.

      Simple Network Management Protocol.

      Syslog Support.

      Virtual Private Networks.

    Q&A.

4. System Management Maintenance.

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation Topics.

    Accessing the Cisco PIX Firewall.

      Accessing the Cisco PIX Firewall with Telnet.

      Accessing the Cisco PIX Firewall with Secure Shell.

    Command-Level Authorization.

    Installing a New Operating System.

      Upgrading Your Activation Key.

    Upgrading the Cisco PIX Firewall Operating System.

    Upgrading the Operating System Using the copy tftp flash Command.

      Upgrading the Operating System Using Monitor Mode.

      Upgrading the OS Using an HTTP Client.

    Creating a Boothelper Disk Using a Windows PC.

    Password Recovery.

      Cisco PIX Firewall Password Recovery: Getting Started.

      Password Recovery Procedure for a PIX Firewall with a Floppy Drive (PIX 520).

      Password Recovery Procedure for a Diskless PIX Firewall (PIX 501, 506, 506E, 515E, 515, 525, and 535).

    Overview of Simple Network Management Protocol on the PIX Firewall.

    Configuring Simple Network Management Protocol on the PIX Firewall.

    Troubleshooting Commands.

    Foundation Summary.

    Q&A.

5. Understanding Cisco PIX Firewall Translation and Connection.

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation Topics.

    How the PIX Firewall Handles Traffic.

      Interface Security Levels and the Default Security Policy.

      Transport Protocols.

    Address Translation.

      Translation Commands.

      Network Address Translation.

      Port Address Translation.

      Static Translation.

      Using the static Command for Port Redirection.

      Configuring Multiple Translation Types on the Cisco PIX Firewall.

      Bidirectional Network Address Translation.

    Translation Versus Connection.

    Configuring DNS Support.

    Foundation Summary.

    Q&A.

6. Getting Started with the Cisco PIX Firewall.

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation Topics.

    Access Modes.

    Configuring the PIX Firewall.

      interface Command.

      nameif Command.

      ip address Command.

      nat Command.

      global Command.

      route Command.

      Routing Information Protocol.

      Testing Your Configuration.

      Saving Your Configuration.

    Support for Domain Name System Messages.

    Configuring Dynamic Host Configuration Protocol on the Cisco PIX Firewall.

      Using the PIX Firewall Dynamic Host Configuration Protocol Server.

      Configuring the PIX Firewall Dynamic Host Configuration Protocol Client.

    Configuring Time Settings on the Cisco PIX Firewall.

      Network Time Protocol.

      PIX Firewall System Clock.

    Configuring Login Banners on the PIX Firewall.

    Sample PIX Configuration.

    Foundation Summary.

    Q&A.

7. Configuring Access.

    How Best to Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation Topics.

    Configuring Inbound Access Through the PIX Firewall.

      Static Network Address Translation.

      Static Port Address Translation.

      Transmission Control Protocol Intercept Feature.

      nat 0 Command.

      Policy Network Address Translation.

      Access Lists.

    TurboACL.

      Configuring Individual TurboACL.

      Globally Configuring TurboACL.

    Object Grouping.

      network Object Type.

      protocol Object Type.

      service Object Type.

      icmp-type Object Type.

      Nesting Object Groups.

      Access Control List Logging.

    Using the fixup Command.

    Advanced Protocol Handling.

      File Transfer Protocol.

      Domain Name System.

      Simple Mail Transfer Protocol.

      Multimedia Support.

    Foundation Summary.

    Q&A.

8. Syslog and the PIX.

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation Topics.

    How Syslog Works.

      Logging Facilities.

      Logging Levels.

      How Log Messages Are Organized.

      How to Read System Log Messages.

    Configuring Syslog on the Cisco PIX Firewall.

    Configuring the PIX Device Manager to View Logging.

      Configuring Syslog Messages at the Console.

      Sending Syslog Messages to a Telnet Session.

      Configuring the Cisco PIX Firewall to Send Syslog Messages to a Log Server.

      Configuring SNMP Traps and SNMP Requests.

    Configuring a Syslogd Server.

      PIX Firewall Syslog Server.

    Foundation Summary.

    Q&A.

9. Routing and the PIX Firewall.

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation and Supplemental Topics.

    General Routing Principles.

    Ethernet VLAN Tagging.

      Understanding VLANs.

      Understanding Trunk Ports.

      Understanding Logical Interfaces.

      Managing VLANs.

    IP Routing.

      Static Routes.

      Dynamic Routes.

    Multicast Routing.

      Multicast Commands.

      Inbound Multicast Traffic.

      Outbound Multicast Traffic.

      Debugging Multicast.

    Foundation Summary.

    Q&A.

10. Cisco PIX Firewall Failover.

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation Topics.

    What Causes a Failover Event?

    What Is Required for a Failover Configuration?

    Failover Monitoring.

    Configuration Replication.

    Stateful Failover.

    LAN-Based Failover.

    Configuring Failover.

    Foundation Summary.

    Q&A.

11. Virtual Private Networks.

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation Topics.

    Overview of Virtual Private Network Technologies.

      Internet Protocol Security.

      Internet Key Exchange.

      Perfect Forward Secrecy.

      Certification Authorities.

    Configuring the PIX Firewall as a Virtual Private Network Gateway.

      Selecting the Configuration.

      Configuring IKE.

      Configuring IPSec.

      Troubleshooting the Virtual Private Network Connection.

    Configuring PIX Firewalls for Scalable Virtual Private Networks.

    Foundation Summary.

    Q&A.

    Scenario.

      VPN Configurations.

      Completed PIX Configurations.

      How the Configuration Lines Interact.

12. Configuring Access VPNs.

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation and Supplemental Topics.

    Introduction to Cisco Easy VPN.

      Easy VPN Server.

      Easy VPN Remote Feature.

    Overview of the Easy VPN Server.

      Major Features.

      Server Functions.

      Supported Servers.

    Overview of Easy VPN Remote Feature.

      Supported Clients.

      Easy VPN Remote Connection Process.

      Extended Authentication Configuration.

    Easy VPN Remote Modes of Operation.

      Client Mode.

      Network Extension Mode.

    Overview of Cisco VPN Software Client.

    Features.

    Specifications.

    Cisco VPN Client Manual Configuration Tasks.

    PIX Easy VPN Remote Configuration.

      Basic Configuration.

      Client Device Mode.

      Secure Unit Authentication.

      Individual User Authentication.

    Point-to-Point Protocol over Ethernet and the PIX Firewall.

      Configuring the Virtual Private Dial-Up Networking Group.

      Configuring Virtual Private Dial-Up Networking Group Authentication.

      Assigning the Virtual Private Dial-Up Networking Group Username.

      Configuring the Virtual Private Dial-Up Networking Username and Password.

      Enabling the Point-to-Point over Ethernet Client.

      Monitoring the Point-to-Point over Ethernet Client.

    Dynamic Host Configuration Protocol Server Configuration.

      DHCP Overview.

      Configuring the PIX Firewall Dynamic Host Configuration Protocol Server.

      Dynamic Host Configuration Protocol Server Auto Configuration.

      Dynamic Host Configuration Protocol Debugging Commands.

    Foundation Summary.

    Q&A.

13. PIX Device Manager.

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation Topics.

    PDM Overview.

    PIX Firewall Requirements to Run PDM.

      PDM Workstation Requirement.

      Browser Requirements.

      Windows Requirements.

      SUN Solaris Requirements.

      Linux Requirements.

      PDM Installation.

      Using PDM to Configure the Cisco PIX Firewall.

      Monitoring.

    Using PDM for VPN Configuration.

      Using PDM to Create a Site-to-Site VPN.

      Using PDM to Create a Remote-Access VPN.

    Foundation Summary.

    Q&A.

14. CiscoWorks Management Center for Firewalls (PIX MC).

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation and Supplemental Topics.

    CiscoWorks Management Center for Firewalls Overview.

      Key Concepts.

      Supported Devices.

      Installation.

      PIX Bootstrap Commands.

    CiscoWorks.

      Login Process.

      User Authorization Roles.

      Adding Users.

    Firewall MC Interface.

      Configuration Tabs.

      Options Bar.

      Table of Contents.

      Path Bar.

      Instructions Box.

      Content Area.

      Scope Bar.

      Object Selector.

      Tools Bar.

      Activity Bar.

    Basic User Task Flow.

    Device Management.

      Managing Groups.

      Importing Devices.

      Managing Devices.

    Configuration Tasks.

      Configuring Device Settings.

      Defining Access Rules.

      Defining Translation Rules.

      Creating Building Blocks.

      Generating and Viewing Configuration Information.

      MC Settings.

    Deployment Tasks.

    Deploy Saved Changes.

    Summary Report.

    Reports.

    Activity Report.

    Configuration Differences Report.

    Device Setting Report.

    Administration Tasks.

    Workflow Setup.

    Maintenance.

    Support.

    CiscoWorks Auto Update Server.

      Supported Devices.

      Installation.

      Communication Settings.

      AUS Activation.

      Auto Update Server Interface.

      Configuring Devices.

      Configuring Images.

      Configuring Assignments.

      Reports.

      Administrative Tasks.

    Foundation Summary.

    Q&A.

15. Content Filtering on the PIX.

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation Topics.

    Filtering ActiveX Objects and Java Applets.

      Filtering Java Applets.

      Filtering ActiveX Objects.

    Filtering URLs.

      Identifying the URL-Filtering Server.

      Configuring URL-Filtering Policy.

      Filtering HTTPS and FTP.

      Filtering Long URLs.

      Viewing Filtering Statistics and Configuration.

    Foundation Summary.

    Q&A.

16. Overview of AAA and the PIX.

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation Topics.

    Overview of AAA and the Cisco PIX Firewall.

      Definition of AAA.

      AAA and the Cisco PIX Firewall.

      Cut-Through Proxy.

      Supported AAA Server Technologies.

    Cisco Secure Access Control Server.

      Minimum Hardware and Operating System Requirements for Cisco Secure ACS.

      Installing Cisco Secure ACS Version 3.2 on Windows Server.

    Foundation Summary.

    Q&A.

17. Configuration of AAA on the PIX.

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation Topics.

    Specifying Your AAA Servers.

    Configuring AAA on the Cisco PIX Firewall.

      Step 1: Identifying the AAA Server and NAS.

      Step 2: Configuring Authentication.

      Step 3: Configuring Authorization.

      Step 4: Configuring Accounting.

    Cisco Secure and Cut-Through Configuration.

    Configuring Downloadable PIX ACLs.

    Troubleshooting Your AAA Setup.

      Checking the PIX Firewall.

      Checking the Cisco Secure ACS.

    Foundation Summary.

    Q&A.

18. Attack Guards and Advanced Protocol Handling.

    How To Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation Topics.

    Multimedia Support on the Cisco PIX Firewall.

      Real-Time Streaming Protocol.

    Application Inspection Support for Voice over IP.

      Computer Telephony Interface Quick Buffer Encoding.

      H.323.

      Media Gateway Control Protocol.

      Skinny Client Control Protocol.

      Session Initiation Protocol.

    Attack Guards.

      Fragmentation Guard and Virtual Reassembly.

      Domain Name System Guard.

      Mail Guard.

      Flood Defender.

      AAA Floodguard.

    PIX Firewall Intrusion Detection Feature.

      Intrusion Detection Configuration.

      Dynamic Shunning.

    ip verify reverse-path Command.

    Foundation Summary.

    Q&A.

19. Firewall Services Module.

    How to Best Use This Chapter.

    “Do I Know This Already?” Quiz.

    Foundation and Supplemental Topics.

    Cisco Firewall Services Module Overview.

    Basic Deployment Scenarios.

      Multilayer Switch Feature Card as the Inside Router.

      Multilayer Switch Feature Card as the Outside Router.

      Multilayer Switch Feature Card Not Directly Connected to FWSM.

    Initializing the Firewall Services Module.

      Switch Configuration.

      Basic Firewall Services Module Configuration.

    Using PIX Device Manager with the Firewall Services Module.

      Initial Preparation.

      Installing the PIX Device Manager Image.

      Launching PIX Device Manager.

    Troubleshooting the Firewall Services Module.

      Switch Commands.

      Firewall Services Module Status LED.

    Foundation Summary.

    Q&A.

20. Case Study and Sample Configuration.

    Remote Offices.

    Firewall.

    Growth Expectation.

    Task 1: Basic Configuration for the Cisco PIX Firewall.

      Basic Configuration Information for HQ-PIX.

      Basic Configuration Information for MN-PIX.

      Basic Configuration Information for HOU-PIX.

    Task 2: Configuring Access Rules on HQ.

    Task 3: Configuring Authentication.

    Task 4: Configuring Logging.

    Task 5: Configuring a VPN Between HQ and Remote Sites.

      Configuring the Central PIX Firewall, HQ-PIX, for VPN Tunneling
