on May 19, 2005
I really enjoyed reading Cisco Router Firewall Security (CRFS) by Richard Deal. This book delivers just what a technical Cisco book should: discussion of concepts, explanation of command syntax, and practical examples. The author offers several ways to solve a security problem and then recommends his preferred choice. He correctly leans towards applying cryptography when available and avoids clear-text authentication methods or control channels. If you avoid the first chapter and keep a few minor caveats in mind, I would consider CRFS to be a five-star book.
CRFS covers all of the major technologies I hoped to see in a book on Cisco security functions. Though published in August 2004, it manages to provide details on the newest Cisco IOS features that contemporary books often ignore. For example, the author emphasizes the benefits of configuring SSH access, and not only SSHv1; he explains that SSHv2 is preferred. I found the book's coverage of access control lists to be very clear, and I appreciated the author's discussions of strengths and weaknesses of different ACL types. Mr. Deal is also very conscious of the load placed on the router whenever higher-end security features or traffic inspection is invoked. His warnings provide operational insights to using IOS security features. Beginning with chapter 3, each section presented just the information I needed to implement various security features.
I gave CRFS four stars, and not five, because I found some of the author's perceptions of security to be confusing or sometimes wrong. He repeats at least five times the oft-quoted but never substantiated myth that "70 percent of network attacks" are internal. This is completely backwards, according to CSI/FBI and Secret Service studies that say around 70 percent of attacks are caused by outsiders. While some of the most devastating incidents are indeed perpetrated by insiders, the majority of attacks continue to be launched from outside the security perimeter. While this point may not seem that significant, it is not a solid footing on which the author can justify certain security recommendations.
While reading CRFS I also sensed that neither the author nor his technical editors were security professionals. I do not mean that they do not or have not handled security incidents. In fact, several of Mr. Deal's stories explicitly and properly address intrusions and other events. Rather, I sensed the author and his team were networking professionals first, with security duties tacked on. For example, p. 8 lists applications, the OS, and network infrastructure as "threats to your company's network." These have vulnerabilities -- they are not threats. On p. 28 Mr. Deal says "SSL can protect only web application traffic," but this is wrong. Pages 31-33 list "some of the most common" DoS attacks, but the explanations there of chargen and ping of death attacks are wrong. WinNuke, a Windows DoS exploit from 1997, is also listed! Page 94 says "IDS solutions are still in their infancy," although they have been deployed for over 10 years. These and related security misperceptions made me believe a person with a primary security role should have reviewed CRFS.
It is easy to overlook these security faux pas, however. CRFS does a better job describing some security issues than other security-focused books. For example, I found the coverage of the effects of DoS attacks upon a router to be better than books specifically written about DoS! Mr. Deal frequently advocates monitoring as a way to know what is happening on the network, and I found his IDS deployment guidance to be sound.
To the extent I could evaluate Mr. Deal's discussion of Cisco features, I believe they are correct. One notable exception involves using the established keyword with ACLs. On p. 269 and elsewhere, the author claims "the established keyword looks to see if the ACK, FIN, PSH, RST, SYN, or URG TCP control flags are set. If they are, the TCP traffic is allowed in." This is incorrect; established looks for only the ACK or RST flags. This is not a major concern as other filtering options provide better defense anyway.
Overall, I consider CRFS to be an excellent piece of work. I am adding it to my recommended reading lists and I strongly suggest that anyone using Cisco routers in their perimeter read and heed this book. Keep an eye out for Mr. Deal's next book on building VPNs with Cisco gear.
on April 2, 2005
Cisco Router Firewall Security by Richard A. Deal is one firewall security book no networking professional should be without. The book begins with an overview on network security and firewalls, and continues with a showcase of Deal's extensive knowledge and experience configuring the Cisco IOS Firewall. Now, rather than re-inventing the wheel or relying on trial and error practices in configuring your Cisco IOS firewalls, you too can incorporate Deal's extensive Cisco Router Firewall Security expertise into your network security plan, or environment. In each chapter of the book, Deal walks you through best practice Cisco Router Firewall Security configuration as he explains and demonstrates, step-by-step, how to program the Cisco IOS Firewall feature set - from router security management to virtual private networking.
Networking professionals having an intermediate to advanced knowledge of Cisco routers, or at least a Cisco CCNA certification will benefit immensely from reading and applying the Cisco IOS firewall security features discussed in the book. All concepts and examples, such as configuration command files, are clearly explained against the backdrop of example network illustrations and thus easy to follow. Deal reinforces each and every illustration with appropriate, well-executed discussions for you to follow as he pin-points the reasons for implementing, or applying, Cisco IOS firewall security and how best to configure it for maximum advantage.
For networking professionals interested in pursuing a Cisco security certification, Cisco Router Firewall Security provides a wealth of tips, recommendations, considerations and cautions. While there is no CD-ROM included with the book, an abundance of configuration command file listings provide network administrators and engineers the opportunity of a virtual experience in the nuts-and-bolts of configuring Cisco IOS firewalls in a secure manner. Networking professionals will develop an unparalleled depth of understanding in best practice network security - such as properly securing the various modes and methods of accessing Cisco routers as well as the Cisco IOS firewall.
If shooting from the hip in dealing with network security issues is your stick, Cisco Router Firewall Security is the book for you. Cisco Router Firewall Security provides a smorgasbord of tried and tested network security process, procedure and application - providing a comprehensive set of tools and case study material that can be either adapted in whole or in part when making your case, or justifying, how you intend to protect or defend your network against attacks.
Without question, you absolutely must add Deal's Cisco Router Firewall Security - a stellar treatise on both applied network security and applied firewall security - to your networking bookshelf. Arm yourself with the necessary knowledge, skills and practical application to secure and defend your network - and in essence your job - or else, you're fired!
on March 18, 2005
The Cisco Press Book "Cisco Router Firewall Security" by Richard Deal while claiming to be for individuals or organizations "using a Cisco router as a perimeter firewall solution" is much more and I believe from that quote it was designed to be a reference guide for using routers to do just that: be a perimeter firewall for an organization. But what Richard Deal delivered is not only an excellent book on implementing a router as the firewall, but a detailed guide and approach to making any organization's routers secure and safe as they should be to develop a safe environment. To emphasize my comments on this thought you simply need to look at the breakdown of the chapters, like Chapter 4 "Disabling Unnecessary Services", and while this is important for any perimeter device, doing it in general on a router regardless of location helps to strengthen the environment and deliver a more secure network.
Within the book Richard emphasizes that an individual can either read it cover to cover, or skip around and I agree that sometimes reading cover to cover especially if you do not know a subject is an excellent approach, but with this one even not knowing and using it for the references offers is just as much benefit. Cause within the individual sections of the book there's enough information that you will not get lost as long as you have understanding of other Cisco devices like TACACS+ or general network concepts like RADIUS. Richard presents clear examples and details the steps to implement many of the book suggestions without much issue. I was able to take one of my lab routers and execute numerous of his examples without difficulty and still have the unit function as expected.
While Cisco continues to publish new IOS code for their devices Richard spends a few minutes at different points like in Chapter 6 "Basic ACL Configuration" to highlight which version of IOS is needed to accomplish the issue being explained. Considering this feature does help to enhance the value of the book even further, but amongst my favorite chapters and section was Part VI "Managing Access through Routers" for here the book combined numerous prior items from Access Control List (ACL) configuration to routing protocols and authentication proxy using features like AAA with both TACACS+ and RADIUS. These configuration examples combined with Part VIII on "Virtual Private Networks (VPN)" only go to enhance each other. Yet as mentioned before the book was designed to allow individuals to either research a sub-set of the features in a router or the entire book itself. Thus in the middle of what appears to be two clear parts that would naturally fit together Part VI and VIII, Richard places Part VII on "Detecting and Preventing Attacks" demonstrates this feature covering areas of Intrusion Detection Systems, DoS Protection and Logging Events. The concept that attacks could come in any form, but commonly from external interaction is widely known. Seeing this section of the book only goes further to enforce and emphasize the importance of securing routers to protect the network.
As anyone in the Information Technology industry is aware it is important to protect the environment and to say that this book could not help in that protection is a clear understatement. I believe that anyone from the "small business jack of all trades IT person" to the "corporate IT Network Specialist" could benefit in some manner from this book and the explanations and examples presented. If I was to say there was one thing I would do different on this book is have had it published in a hard bound cover cause Cisco Press has not often published a book that does not have a clear basis for use and this book is no exception to that, thus I believe it would be a benefit and often used book of any network individual's library.
on January 8, 2005
Cisco Router Firewall Security by Richard A. Deal delivers exactly what the title says: using a Cisco router for every possible perimeter security scenario. The book is written for someone who has at least an intermediate level knowledge of Cisco router and switching technologies. Advanced security consultants may want to go to Chapter 21, Case Study Configuration, and refer back to the previous chapters for more explanation when needed. However, those responsible for network security should read the entire book to be familiar with all of the latest security features that Cisco routers are capable of as well as a number of vulnerabilities that should be hardened, when possible.
Deal fills in much of the lacunae of Cisco IOS configuration that are left out of certification handbooks. His sprinkling of many anecdotes from his personal experience makes the book immensely practical. For example, the author points out that Reflexive Access Control Lists can be used as a less expensive substitute for Content Based Access Control when filtering traffic for a few dozen users.
Deal's book will prepare you to deal with special situations where company policy demands something different than what a firewall in a box solution offers. As he shows you how to accomplish Intrusion Detection, Content Filtering, Security Logging, Virtual Private Networking, Denial of Service Prevention, and Access Management solutions with Cisco routers, he points out when these features should be used with a router or dedicated equipment, like the PIX firewall.
I give Deal 5 stars for the layout and structure, which includes notes, cautions, tables, and configurations. But what I found most valuable was his many real life illustrations from his consulting business.
on February 5, 2006
CiscoPress's "Cisco Router Firewall Security" by Richard Deal is designed as a book to secure perimeter routers. It is both a practical (and much needed) CiscoPress guide on how to harden a key piece of the network AND an excellent tool for any potential CCIE candidate (either for the Security and R&S lab). On pretty much every page are either detailed diagrams or complex configurations discussing the topic at hand.
The other reviews of this book all comment from a security perspective, and I cannot hope to add anything new to these reviews (especially Richard Bejtlich's review). I can comment from the perspective as someone studying for the CCIE. In Parts 3 and 4, the book dives into the different types of ACLs that you may encounter on the lab. Reflexive ACLs, CBAC (Content-Based Access Control), and NBAR (Network-Based Application Recognition) are each given their own chapter and fully explained in depth (something not replicated in other CiscoPress books - I own over 50 CiscoPress books). I particularly like the discussion on page 308 on how best to counter a Smurf Attack. Chapter 13 on Lock-and-Key ACLs is also a valuable must-read for any potential CCIE candidates. In chapter 17, on page 679, is a great discussion on how to counter a TCP SYN flood attack.
Overall, I think "Cisco Router Firewall Security" is the best CiscoPress book published that discusses best-practices for securing Cisco routers. To be honest, I am kind of surprised I do not see more 'noise' on this book (either from reviews here or on the CCIE list at Groupstudy.com). I have to believe it is from the title, as the title almost implies that this is a firewall book. That is too bad, as this is an excellent book for any network admin concerned about security. Weighing in at over 850 pages, this book will take some time to digest, but will be well worth the effort!
I give this book 5 pings out of 5:
on February 22, 2006
The two things I like most about this book are the lack of typos, and the chapter structure, in which each successive chapter builds on the security and lessons preened from previous chapters. A great Cisco router security reference.
on October 6, 2005
In Cisco Router Firewall Security, computer security expert Richard Deal provides truly in-depth, step-by-step coverage on just how to configure a Cisco router to secure access to it. Cisco Router Firewall Security deftly explains how to use IOS routers as a firewall solution for protecting a data network from outsiders, especially hackers. Each part of Cisco Router Firewall Security addresses a specific type of technology or security issue and covers the IOS features both old and new that can be used to implement each security feature. Cisco Router Firewall Security is an indispensable instructional reference.