Preface | p. xv |
Acknowledgments | p. xvii |
Introduction | p. 1 |
The Need for Security | p. 2 |
Public Network Threats | p. 2 |
Private Network Threats | p. 4 |
The Role of Routers | p. 5 |
Other Security Devices | p. 6 |
Firewall Features | p. 6 |
Packet Filtering | p. 6 |
Network Address Translation | p. 7 |
Authentication Services | p. 7 |
Encryption | p. 7 |
Alarm Generation | p. 8 |
Proxy Services | p. 8 |
Book Preview | p. 8 |
The TCP/IP Protocol Suite | p. 8 |
The Internet Protocol | p. 9 |
TCP and UDP | p. 9 |
NetWare | p. 9 |
Router Hardware and Software | p. 9 |
Working with Access Lists | p. 10 |
The PIX Firewall | p. 10 |
The TCP/IP Protocol Suite | p. 11 |
The ISO Open Systems Interconnection Reference Model | p. 12 |
Layers of the OSI Reference Model | p. 12 |
The Physical Layer | p. 13 |
The Data Link Layer | p. 13 |
The Network Layer | p. 14 |
The Transport Layer | p. 14 |
The Session Layer | p. 15 |
The Presentation Layer | p. 15 |
The Application Layer | p. 15 |
Data Flow | p. 16 |
Layer Subdivision | p. 17 |
The TCP/IP Protocol Suite | p. 18 |
Comparison to the ISO Reference Model | p. 18 |
Internet Protocol (IP) | p. 19 |
Internet Control Message Protocol (ICMP) | p. 20 |
TCP and User Datagram Protocol (UDP) | p. 20 |
Data Delivery | p. 20 |
The Internet Protocol | p. 23 |
The IP Header | p. 24 |
Vers Field | p. 24 |
Hlen and Total Length Fields | p. 24 |
Service Type Field | p. 24 |
Identification and Fragment Offset Fields | p. 25 |
Time to Live Field | p. 25 |
Flags Field | p. 25 |
Protocol Field | p. 26 |
Source and Destination Address Fields | p. 30 |
Overview | p. 31 |
IPv4 | p. 32 |
The Basic Addressing Scheme | p. 33 |
Address Classes | p. 33 |
Class A | p. 34 |
Class B | p. 34 |
Class C | p. 35 |
Class D | p. 36 |
Class E | p. 36 |
Dotted-Decimal Notation | p. 37 |
Reserved Addresses | p. 38 |
Networking Basics | p. 39 |
Subnetting | p. 40 |
Host Addresses on Subnets | p. 44 |
The Subnet Mask | p. 45 |
Configuration Examples | p. 47 |
Classless Networking | p. 50 |
IPv6 | p. 51 |
Address Architecture | p. 51 |
Address Types | p. 51 |
Address Notation | p. 52 |
Address Allocation | p. 52 |
Provider-Based Addresses | p. 54 |
Special Addresses | p. 54 |
Address Resolution | p. 55 |
Operation | p. 56 |
ICMP | p. 59 |
TCP and UDP | p. 65 |
The TCP Header | p. 66 |
Source and Destination Port Fields | p. 67 |
Port Numbers | p. 67 |
Sequence and Acknowledgment Number Fields | p. 70 |
Hlen Field | p. 71 |
Code Bits Field | p. 71 |
Window Field | p. 72 |
Checksum Field | p. 72 |
Options and Padding Fields | p. 73 |
The UDP Header | p. 74 |
The Source and Destination Port Fields | p. 75 |
Length Field | p. 75 |
Checksum Field | p. 76 |
Firewall and Router Access List Considerations | p. 76 |
NetWare | p. 77 |
Overview | p. 78 |
General Structure | p. 78 |
Network Layer Operation | p. 78 |
Transport Layer Operation | p. 79 |
SAPs, RIPs, and the NCP | p. 79 |
NetWare Addressing | p. 80 |
Network Address | p. 80 |
Node Address | p. 80 |
Socket Number | p. 81 |
IPX | p. 81 |
Packet Structure | p. 82 |
Checksum Field | p. 82 |
Length Field | p. 83 |
Transport Control Field | p. 83 |
Packet Type Field | p. 83 |
Destination Network Address Field | p. 84 |
Destination Node Address Field | p. 84 |
Destination Socket Field | p. 84 |
Source Network Field | p. 85 |
Source Node Field | p. 85 |
Source Socket Field | p. 85 |
SPX | p. 85 |
Packet Structure | p. 86 |
Comparison to IPX | p. 87 |
Connection Control Field | p. 87 |
Datastream Type Field | p. 88 |
Source Connection ID Field | p. 88 |
Destination Connection ID Field | p. 88 |
Sequence Number Field | p. 89 |
Acknowledgment Number Field | p. 89 |
Allocation Number Field | p. 89 |
SAP, RIP, and NCP | p. 89 |
Router Hardware and Software Overview | p. 91 |
Basic Hardware Components | p. 92 |
Central Processing Unit (CPU) | p. 93 |
Flash Memory | p. 93 |
ROM | p. 93 |
RAM | p. 93 |
Nonvolatile RAM | p. 94 |
I/O Ports and Media-Specific Converters | p. 94 |
The Router Initialization Process | p. 96 |
Basic Software Components | p. 99 |
Operating System Image | p. 99 |
Configuration File | p. 100 |
Data Flow | p. 100 |
The Router Configuration Process | p. 102 |
Cabling Considerations | p. 102 |
Console Access | p. 103 |
Setup Considerations | p. 104 |
The Command Interpreter | p. 107 |
User Mode Operations | p. 107 |
Privileged Mode of Operation | p. 109 |
Configuration Command Categories | p. 111 |
Global Configuration Commands | p. 112 |
Interface Commands | p. 113 |
Line Commands | p. 113 |
Router Commands | p. 114 |
Abbreviating Commands | p. 115 |
Security Management Considerations | p. 116 |
Password Management | p. 116 |
Access Lists | p. 117 |
Cisco Router Access Lists | p. 119 |
Cisco Access List Technology | p. 120 |
Access Lists Defined | p. 121 |
Creating Access Lists | p. 122 |
Access List Details | p. 125 |
Applying Access Lists | p. 127 |
Named Access Lists | p. 131 |
Editing Access Lists | p. 133 |
Access List Processing Revisited | p. 135 |
Placement of Entries in an Access List | p. 136 |
Representing Address Ranges -- Using Wildcard Masks | p. 137 |
Wildcard Mask Examples | p. 140 |
Additional Wildcard Mask Example | p. 144 |
Wildcard Mask Shortcuts | p. 145 |
Wildcard Masks Concluded | p. 145 |
Packet Filtering Technology | p. 146 |
The Role of Packet Filters | p. 146 |
Packet Filters Defined | p. 147 |
Stateless and Stateful Packet Filtering | p. 148 |
Packet Filter Limitations | p. 149 |
IP Address Spoofing | p. 150 |
Stateless Packet Inspection | p. 151 |
Limited Information | p. 151 |
Human Error | p. 151 |
Configuration Principles | p. 152 |
Traditional IP Access Lists | p. 153 |
Standard Access Lists | p. 153 |
Extended IP Access Lists | p. 158 |
Filtering the TCP Protocol | p. 161 |
HTTP Services | p. 162 |
Inbound Traffic | p. 162 |
FTP Services | p. 163 |
Filtering the UDP Protocol | p. 165 |
Filtering the ICMP Protocol | p. 166 |
Filtering IP Packets | p. 168 |
Other Protocols | p. 171 |
Discovering Protocols | p. 171 |
Advanced Cisco Router Security Features | p. 173 |
Next Generation Access Lists | p. 174 |
Dynamic Access Lists | p. 174 |
Limitations | p. 177 |
Time-Based Access Lists | p. 178 |
Limitations | p. 179 |
Reflexive Access Lists | p. 180 |
Limitations | p. 181 |
Examples | p. 182 |
Context Based Access Control (CBAC) | p. 186 |
Overview | p. 186 |
The Process | p. 187 |
Caveats | p. 188 |
Configuration | p. 188 |
Choose an Interface | p. 189 |
Configure Access Lists | p. 190 |
Configure Timeouts and Thresholds | p. 191 |
Define Inspection Rules | p. 191 |
Apply the Inspection Rules | p. 193 |
Additional Details | p. 193 |
Example Configuration | p. 194 |
Other IP Security Features | p. 199 |
Hardening the Router | p. 199 |
Secure Router Access | p. 200 |
Disable Unnecessary Services | p. 201 |
Commands | p. 201 |
TCP Intercept -- Preventing SYN Flooding | p. 202 |
Enabling TCP Intercept | p. 203 |
Setting the Mode | p. 203 |
Aggressive Thresholds | p. 204 |
Sample Configuration | p. 204 |
Network Address Translation | p. 204 |
Caveats | p. 205 |
NAT Terms | p. 205 |
Sample Configurations | p. 206 |
Translating Source Addresses | p. 206 |
Translating Source and Destination Addresses | p. 209 |
TCP Load Distribution | p. 210 |
Useful Commands | p. 211 |
Non-IP Access Lists | p. 213 |
IPX Access Lists | p. 214 |
Filtering IPX Data Packets | p. 215 |
Filtering IPX SAP Updates | p. 218 |
Filtering IPX RIP Updates | p. 219 |
Layer 2 Access Lists | p. 220 |
Filtering by Layer 2 Address | p. 220 |
Filtering by LSAP or Type | p. 222 |
Filtering by Byte Offset | p. 223 |
Using Access Expressions | p. 224 |
The Cisco PIX | p. 225 |
Cisco PIX Basics | p. 226 |
Models and Specifications | p. 229 |
Special Features of the PIX | p. 231 |
Limitations of the PIX | p. 234 |
Closed Implementation | p. 234 |
Limited Routing Support | p. 235 |
Limited VPN Support | p. 235 |
Limited Client Authentication | p. 235 |
Configuring the Cisco PIX | p. 236 |
Default Configuration | p. 236 |
Naming Interfaces | p. 236 |
Interface Settings | p. 240 |
Passwords | p. 240 |
Hostname | p. 241 |
Fixup Commands | p. 241 |
Names | p. 242 |
Failover | p. 243 |
Pager Lines | p. 243 |
Logging | p. 243 |
IP Addressing | p. 243 |
ARP | p. 244 |
Routing Commands | p. 244 |
Translation Timeouts | p. 245 |
SNMP Commands | p. 246 |
Maximum Transmission Unit (MTU) Commands | p. 246 |
Floodguard | p. 246 |
Getting the PIX Up and Running | p. 247 |
Defining NAT and Global Pools | p. 248 |
Using Static NAT and Conduits | p. 254 |
Dual NAT -- Using the Alias Command | p. 258 |
PIX Access Lists | p. 260 |
Handling Multi-Channel Protocols | p. 263 |
Setting Passwords | p. 266 |
Managing the PIX | p. 266 |
Advanced Configuration Topics | p. 268 |
User Authentication | p. 268 |
Virtual Private Networks | p. 270 |
Redundant PIX Design | p. 271 |
Filtering Web Traffic | p. 273 |
The PIX Manager | p. 274 |
Determining Wildcard Mask Ranges | p. 279 |
Creating Access Lists | p. 291 |
Standard Access Lists | p. 295 |
Extended IP Access Lists | p. 297 |
Glossary | p. 299 |
Acronyms and Abbreviations | p. 309 |
Index | p. 315 |
Table of Contents provided by Syndetics. All Rights Reserved. |