Introduction

The Internet is a core business driver for many large corporations. Along with the expanded business, however, come security issues. Recent news headlines often feature articles about large e-commerce sites getting hacked, with potentially disastrous results.

Cisco Systems strives to help customers build secure internetworks through network design that features its Cisco Secure product family. At present, no available publication deals with Internet security from a Cisco perspective, using the Cisco Secure product family. This book covers the basics of Internet security and then concentrates on each member of the Cisco Secure product family, providing a rich explanation with examples of the preferred configurations required for securing Internet connections.

The book starts by explaining the threats posed by the Internet and progresses to a complete working explanation of the Cisco Secure product family. The individual components of the Cisco Secure product family are discussed in detail, with advice given about how to configure each individual component to meet the requirements of the situation. The Cisco Secure PIX Firewall is covered in depth, from an architectural point of view through to a reference of the common PIX commands and their use in the real world. Although the book is concerned with Internet security, it is also viable for use in general network security scenarios.

Audience

Cisco Secure Internet Security Solutions is for network engineers and network designers. The primary audience is network engineers and network designers responsible for the corporate Internet connection or the installation of Cisco Secure products. The secondary audience is other networking staff members that have an interest in security or Cisco Secure products in relation to their specific corporate environment.

Also, CCIE and CCDP/CCNP candidates will take interest in the title to improve their Internet security skills.

The book should be read and used by an intermediate to advanced reader. Because of the unique content, industry experts could reference this book.

Audience Prerequisites

The content in this book assumes that the reader is familiar with general networking concepts and terminology. This includes a thorough understanding of the network protocol TCP/IP, and familiarity with the topics covered in the Cisco Press books Internetworking Technologies Handbook and IP Routing Fundamentals.

What Is Covered

The book is organized into 11 chapters and one appendix:

  • Chapter 1 “Internet Security”— This chapter provides a historical overview of the Internet and the growing number of risks that are associated with it.

  • Chapter 2 “Basic Cisco Router Security”— This chapter looks at Cisco routers and the related security threats and vulnerabilities from an Internet point of view. Sample configurations and tips are provided for implementation on your corporate Internet routers.

  • Chapter 3 “Overview of the Cisco Security Solution and the Cisco Secure Product Family”— This chapter provides an overview of the Cisco Security Solution and the Cisco Secure product range. The following six chapters look at each device in more detail.

  • Chapter 4 “Cisco Secure PIX Firewall”— This chapter covers the Cisco Secure PIX Firewall. A technical overview of the PIX is provided, along with a configuration guide and sample configurations based on a case study.

  • Chapter 5 “Cisco IOS Firewall”— This chapter looks at the Cisco IOS Firewall. Sample configurations are provided, and the major technologies are explained.

  • Chapter 6 “Intrusion Detection Systems”— This chapter looks at one of the latest and most emergent security technologies, intrusion detection. It gives a brief explanation of the various types of intrusion detection systems, and then provides configurations for both a Cisco router and a Cisco Secure PIX Firewall based on perimeter intrusion detection.

  • Chapter 7 “Cisco Secure Scanner”— This chapter covers the Cisco Secure Scanner. A brief explanation of network scanning and its uses, good and bad, is provided before looking in depth at the offering from Cisco, the Cisco Secure Scanner.

  • Chapter 8 “Cisco Secure Policy Manager (CSPM)”— This chapter covers the Cisco Secure Policy Manager. The CSPM provides a centralized management platform for an enterprise network that incorporates Cisco routers running the Cisco IOS Firewall and Cisco Secure PIX Firewalls. This chapter provides a sample installation and configuration of CSPM.

  • Chapter 9 “Cisco Secure Access Control Server (ACS)”— This chapter looks at the Cisco Secure Access Control Server and its uses within an internetwork. Configuration guidelines are provided for both the network access server (NAS) and the Cisco Secure ACS server component.

  • Chapter 10 “Securing the Corporate Network”— This chapter looks at a common corporate network and identifies the risks associated with external connections. Numerous tips and configuration solutions are provided to overcome the associated risks.

  • Chapter 11 “Providing Secure Access to Internet Services”— This chapter focuses on Internet services and the protection that can be offered to them. The chapter is written with servers hosted either at an ISP or on the corporate DMZ in mind. Each Internet service is looked at individually, and potential vulnerabilities and remedies are proposed.

  • Appendix A “Cisco SAFE: A Security Blueprint for Enterprise Networks”— The principal goal of SAFE, Cisco's secure blueprint for enterprise networks, is to provide best practice information to interested parties on designing and implementing secure networks. SAFE serves as a guide to network designers considering the security requirements of their networks. SAFE takes a defense-in-depth approach to network security design. This type of design focuses on the expected threats and their methods of mitigation, rather than on “put the firewall here, put the intrusion detection system there” instructions. This strategy results in a layered approach to security, where the failure of one security system is not likely to lead to the compromise of network resources. SAFE is based on Cisco products and those of its partners.

Command Syntax Conventions

Command syntax in this book conforms to the following conventions:

  • Commands, keywords, and actual values for arguments are bold.

  • Arguments (which need to be supplied with an actual value) are italic.

  • Optional keywords or arguments (or a choice of optional keywords or arguments) are in brackets, [ ].

  • Choice of mandatory keywords or arguments is in braces, { }.

NOTE

Note that these conventions are for syntax only. Actual configurations and examples do not follow these conventions.


Device Icons Used in the Figures

Figure I-1 contains a key of the most important device icons used in the figures in this book.

Figure I-1. Device Icon Key

