- Paperback: 912 pages
- Publisher: Cisco Press (August 20, 2004)
- Language: English
- ISBN-10: 1587051753
- ISBN-13: 978-1587051753
- Product Dimensions: 7.3 x 2.1 x 9.1 inches
- Shipping Weight: 3.2 pounds
- Average Customer Review: 7 customer reviews
Cisco Router Firewall Security
About the Author
Richard A. Deal has 18 years' experience in the computing and networking industry, including networking, training, systems administration, and programming. In addition to a B.S. in mathematics and computer science from Grove City College, Richard holds many certifications from Cisco, including the CCNP and CCSP™ certifications. For the past seven years, Richard has operated his own company, The Deal Group, Inc., in Orlando, Florida.
Top customer reviews
The other reviews of this book all comment from a security perspective, and I cannot hope to add anything new to these reviews (especially Richard Bejtlich's review). I can comment from the perspective as someone studying for the CCIE. In Parts 3 and 4, the book dives into the different types of ACLs that you may encounter on the lab. Reflexive ACLs, CBAC (Content-Based Access Control), and NBAR (Network-Based Application Recognition) are each given their own chapter and fully explained in depth (something not replicated in other CiscoPress books - I own over 50 CiscoPress books). I particularly like the discussion on page 308 on how best to counter a Smurf Attack. Chapter 13 on Lock-and-Key ACLs is also a valuable must-read for any potential CCIE candidates. In chapter 17, on page 679, is a great discussion on how to counter a TCP SYN flood attack.
Overall, I think "Cisco Router Firewall Security" is the best CiscoPress book published that discusses best practices for securing Cisco routers. To be honest, I am kind of surprised I do not see more 'noise' on this book (either from reviews here or on the CCIE list at Groupstudy.com). I have to believe it is from the title, as the title almost implies that this is a firewall book. That is too bad, as this is an excellent book for any network admin concerned about security. Weighing in at over 850 pages, this book will take some time to digest, but will be well worth the effort!
I give this book 5 pings out of 5.
CRFS covers all of the major technologies I hoped to see in a book on Cisco security functions. Though published in August 2004, it manages to provide details on the newest Cisco IOS features that contemporary books often ignore. For example, the author emphasizes the benefits of configuring SSH access, and not only SSHv1; he explains that SSHv2 is preferred. I found the book's coverage of access control lists to be very clear, and I appreciated the author's discussions of strengths and weaknesses of different ACL types. Mr. Deal is also very conscious of the load placed on the router whenever higher-end security features or traffic inspection is invoked. His warnings provide operational insights to using IOS security features. Beginning with chapter 3, each section presented just the information I needed to implement various security features.
I gave CRFS four stars, and not five, because I found some of the author's perceptions of security to be confusing or sometimes wrong. He repeats at least five times the oft-quoted but never substantiated myth that "70 percent of network attacks" are internal. This is completely backwards, according to CSI/FBI and Secret Service studies that say around 70 percent of attacks are caused by outsiders. While some of the most devastating incidents are indeed perpetrated by insiders, the majority of attacks continue to be launched from outside the security perimeter. While this point may not seem that significant, it is not a solid footing on which the author can justify certain security recommendations.
While reading CRFS I also sensed that neither the author nor his technical editors were security professionals. I do not mean that they do not or have not handled security incidents. In fact, several of Mr. Deal's stories explicitly and properly address intrusions and other events. Rather, I sensed the author and his team were networking professionals first, with security duties tacked on. For example, p. 8 lists applications, the OS, and network infrastructure as "threats to your company's network." These have vulnerabilities -- they are not threats. On p. 28 Mr. Deal says "SSL can protect only web application traffic," but this is wrong. Pages 31-33 lists "some of the most common" DoS attacks, but the explanations there of chargen and ping of death attacks are wrong. WinNuke, a Windows DoS exploit from 1997, is also listed! Page 94 says "IDS solutions are still in their infancy," although they have been deployed for over 10 years. These and related security misperceptions made me believe a person with a primary security role should have reviewed CRFS.
It is easy to overlook these security faux pas, however. CRFS does a better job describing some security issues than other security-focused books. For example, I found the coverage of the effects of DoS attacks upon a router to be better than books specifically written about DoS! Mr. Deal frequently advocates monitoring as a way to know what is happening on the network, and I found his IDS deployment guidance to be sound.
To the extent I could evaluate Mr. Deal's discussion of Cisco features, I believe they are correct. One notable exception involves using the established keyword with ACLs. On p. 269 and elsewhere, the author claims "the established keyword looks to see if the ACK, FIN, PSH, RST, SYN, or URG TCP control flags are set. If they are, the TCP traffic is allowed in." This is incorrect; established looks for only the ACK or RST flags. This is not a major concern as other filtering options provide better defense anyway.
Overall, I consider CRFS to be an excellent piece of work. I am adding it to my recommended reading lists and I strongly suggest that anyone using Cisco routers in their perimeter read and heed this book. Keep an eye out for Mr. Deal's next book on building VPNs with Cisco gear.
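The review above corrects the book's description of the IOS extended-ACL keyword `established`. The following Python model, added here and not taken from the book or from any reviewer, makes that correction concrete: it implements the real matching rule (ACK or RST set) beside the rule as the review quotes the book (any of ACK, FIN, PSH, RST, SYN or URG set) and runs both over a handful of constructed TCP segment descriptions, so the reader can see which inbound segments the two readings would permit. The segment labels and flag combinations are constructed for the illustration; the helper names are this example's own.

```python
"""
Added example: model of what the Cisco IOS ACL keyword `established` matches.
Real semantics: a TCP segment matches when its ACK or RST bit is set.
Book's description (as quoted in the review): matches when any control flag is set.
Sample segments below are constructed, not captured traffic.
"""

TCP_FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")


def parse_flags(spec):
    """Turn a flag string such as 'SYN,ACK' into a frozenset, rejecting unknown names."""
    flags = frozenset(f.strip().upper() for f in spec.split(",") if f.strip())
    unknown = flags - set(TCP_FLAGS)
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return flags


def established_matches(flags):
    """Real IOS semantics: the segment matches `established` when ACK or RST is set."""
    return "ACK" in flags or "RST" in flags


def book_description_matches(flags):
    """Semantics as the review quotes the book: any of the six control flags set matches."""
    return bool(flags & {"ACK", "FIN", "PSH", "RST", "SYN", "URG"})


def classify(packets):
    """For each (label, flag_spec) pair, report whether each rule would permit it."""
    results = []
    for label, spec in packets:
        flags = parse_flags(spec)
        results.append({
            "label": label,
            "flags": sorted(flags),
            "established": established_matches(flags),
            "book": book_description_matches(flags),
        })
    return results


# Constructed sample segments, as they would arrive inbound on a perimeter ACL.
SAMPLE_SEGMENTS = [
    ("new inbound connection attempt", "SYN"),
    ("reply to an outbound connection", "SYN,ACK"),
    ("data mid-session", "ACK,PSH"),
    ("reset from a closed port", "RST"),
    ("bare FIN (no ACK)", "FIN"),
]


def disagreements(packets=SAMPLE_SEGMENTS):
    """Labels of segments where the book's description and the real behaviour differ."""
    return [r["label"] for r in classify(packets) if r["established"] != r["book"]]


if __name__ == "__main__":
    for r in classify(SAMPLE_SEGMENTS):
        print(f"{r['label']:32} flags={','.join(r['flags']):8} "
              f"established={str(r['established']):5} book={r['book']}")
    print("differ:", disagreements())
```

The two readings agree on return traffic (SYN/ACK, ACK/PSH, RST) but part ways on a bare SYN and a bare FIN: under the book's wording `established` would permit a fresh inbound connection attempt, which is exactly what the keyword is used to keep out. The model only looks at flag bits, as the real keyword does; it does not track connection state, which is why the review notes that other filtering options give better defence.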
Deal fills in many of the lacunae of Cisco IOS configuration that are left out of certification handbooks. His sprinkling of many anecdotes from his personal experience makes the book immensely practical. For example, the author points out that Reflexive Access Control Lists can be used as a less expensive substitute for Content Based Access Control when filtering traffic for a few dozen users.
Deal's book will prepare you to deal with special situations where company policy demands something different than what a firewall in a box solution offers. As he shows you how to accomplish Intrusion Detection, Content Filtering, Security Logging, Virtual Private Networking, Denial of Service Prevention, and Access Management solutions with Cisco routers, he points out when these features should be used with a router or dedicated equipment, like the PIX firewall.
I give Deal 5 stars for the layout and structure, which includes notes, cautions, tables, and configurations. But what I found most valuable was his many real life illustrations from his consulting business.