9 of 9 people found the following review helpful:
3.0 out of 5 stars
Poor production quality, but some useful info., November 27, 2005
Anyone who has ever deployed a network and talked to a Cisco sales representative is probably familiar with the PIX device. Anyone who has ever used one knows that there are hundreds of commands and combinations available to them, and it's easy to get lost. A book like Cisco PIX Firewalls by Charles Riley, Umer Khan, Michael Sweeney, along with Thorsten Behrens, Brian Browne, Daniel Klingerman, and Ido Dubrawsky can help you navigate this powerful feature set.
While the Cisco PIX product, which actually refers to a device product line and its associated operating system, isn't open source, there is a full set of documentation available on the Cisco web site. You can look up commands and even many common tasks which can help you achieve your goal. So, a big question in my review of this book is "Does Cisco PIX Firewalls offer substantially more than these freely available documents?"
The book is not divided into any major sections, but follows a simple path. Provide an overview of the product, some of the basic functionality, and then move on to a task based approach of solutions. These include failover, VPN, IPv6, content inspection, and management with the newly designed ASDM product. This organization works pretty well.
A generic overview of security, security policy, and how firewalls play a role in that is covered in Chapter 1. The overview is very brief, and the authors seem to have included it for completeness only. If you're looking at a book on the PIX firewall, chances are you're familiar with what a firewall does in part. My only big complaint about this chapter is that some of the figures on NAT and PAT are confusing because they use RFC1918 address space (private address space) on both sides of the device. When they talk about how this is used internally and then use it externally, it gets confusing to remember which network is which. Sadly, this network structure continues into other chapters, perpetuating the confusion.
In chapter 2 you get an overview of the PIX software and hardware lines. Sadly, this chapter is a bit muddled. While the overview itself covers all the right bases, at times some additional material would have been helpful. Supplementing text descriptions with a simple picture would be nice, so that people could know at a glace which device they're looking at (ie a PIX 506E vs a 525). A software and hardware matrix would have been helpful, too, to reduce the confusion you get with Cisco's myriad of configurations. In several places, the one letter abbreviations from the output is not explained, including the firewall states and routing output. And finally, this appears to be common in this book, there's an inconsistency in bolding which text is input and which is output. The "bold is input, normal is output" convention is not always obeyed. These may sound like nits, but consistency helps with clarity, and at times the material is muddled.
Overall, there are some real strengths in the book, and a few weaknesses as well. One example of a real gem is the case study in chapter 3, showing a featured network and the associated PIX configuration. This lets you see how you would outline your goals and then achieve them using the PIX feature set and commands. This example was well written and useful. The breakdown of commands as new, existing, or deprecated is also quite useful given that the book covers a major new release, 7.0. The coverage of the new ASDM feature, which provides a GUI management interface to the PIX software, is pretty good. With that chapter, and chapter 9 covering management, you should be up and running in no time at all. The same goes for the new content inspection feature, covered in chapter 5. While it's brief, it contains a lot of useful information that you'll need to enable features. What's missing from that, though, is any serious overview of the problems the prior version of the feature, the 'fixup' command, caused in the past and if the new inspection feature suffers those same problems. Finally, the chapters on virtual private networking and failover are succinct but enough to get you started with a basic running configuration.
Sometimes there are real stinkers, though. Some of the formatting makes getting information out of the output difficult. Word wrap and oddities really detract from the quality of the material in those places. Many of the figures can be unclear due to the quantity of information they try and present. Here, two figures may have been useful instead of one fully packed figure. The book has a few errors in it, too, which may have been the result of a speedy printing cycle. Figure 2.3, for example, shows an incorrect TCP header. I suspect many of the errors, inconsistencies and other problems in it are due to two reasons. First, the publisher wanted to get this book out quickly to match the release of PIX 7.0 as closely as possible. Secondly, the number of contributing authors (6 authors and a technical editor) made a cohesive writing style and their edits difficult to choreograph completely.
Overall, Cisco PIX Firewalls has some value to it, covering new PIX 7.0 features clearly and skillfully. Unfortunately, it suffers from some production problems and errors which weaken it's strength and rating. Syngress also has four eBooks available with this book, one of which covers PIX migrations with earlier versions. While this wont replace the official Cisco documentation, it augments it nicely and, for some of the features covered, surpasses the Cisco documentation. If you're looking at deploying a Cisco PIX soon or upgrading from 6.x to 7.0, you should pick up this book.
Help other customers find the most helpful reviews
Was this review helpful to you? Yes
No
5 of 5 people found the following review helpful:
1.0 out of 5 stars
Tons of mistakes, January 22, 2006
This book is full of errors and mistakes. Most of these occur in the examples of commands. For example, at the bottom of page 131 the author explains how to use the "static" command to create a NAT mapping between an internal server and a server on the DMZ. Here is what it says....
The following configuration translates the real IP address of the internal database server (192.168.1.10) to an address accessible by the DMZ Web server (172.16.1.10):
PIX1(config)# static (inside, dmz) 10.1.1.10 172.168.1.10 netmask 255.255.255.255 0 0
What??? Look at the IP's used in the command. Completely different than what the author just described. These are the kind of mistakes this book is full of. I can overlook one or two, but I'm about 25% through the book and have encountered about 8 of these.
Help other customers find the most helpful reviews
Was this review helpful to you? Yes
No
