Title: CCNP Security FIREWALL 642-618 Official Cert Guide
Authors: David Hucaby, Dave Garneau, Anthony Sequeira
Publisher: Cisco Press
Published: June 3rd 2012
Edition: 1st Edition
Reviewer: Arani Mukherjee
Cisco CCNP Security Firewall is a one stop shop for all professionals who value their network security and give it their highest priority. It teaches you how to work and play with devices like the Cisco ASA family, and works as a definitive guide to all forms of network security features.
The publication is a master class in itself. Not only does it inform us about each Cisco ASA device, but also skilfully explains various types of network security flaws, weaknesses, points of security failures and attacks. Then it goes about explaining how such network security issues can be dealt with by showing a corresponding firewall feature to counter such risks. This publication carries all the other hallmarks of Cisco publications such as the ‘Do I already know this?” quiz after each chapter, key topic pointers, note sections and a very clear topical approach about the entire subject matter. So let’s dig in deep to understand what awaits us in the world of Cisco ASA family, and why CCNP in Security on Firewalls is a skill much needed by a network manager.
As mentioned, the formative chapters of this publication are spent on explaining various network security flaws, weaknesses, points of security failures and attacks. But, before that, there is an introductory chapter on firewalls. Extensive explanations are given based on scenarios as to when, where and why it is imperative to preserve a network resource.
Our world is being steadily governed and managed by the use of IT and networks are becoming its backbone, which is why defending the integrity of a network and protecting data becomes so much more important. One should treat a network like one’s own home. Much care and effort goes into running of a home that houses a family. As a home owner you tend to implement every caution and protection possible to ensure that no harm comes to it or its occupants. The same goes for a network.
Cisco’s treatment of security issues for a network takes a very similar path. It explains how important your network is and then it shows how it can be attacked and breached. Finally it shows you how to effectively use various features of firewalls to protect against, and in turn prevent, such intrusions. It mainly bases the concepts on the ASA family of devices, hence readers will get to know how to communicate with such devices. Further on, they will learn how to do basic tasks and, by the end, be able to implement complex and more secure firewall features.
Much emphasis is given to the configuration of various types of ASA interfaces. It addresses the features of an ASA’s capability to provide IP addressing information to network nodes it is protecting i.e. working as a DHCP server or relay. Being a device itself, an ASA will need its own monitoring and management. Also any work or configuration or access to an ASA device will need its audit trail. All such issues are dealt with in depth. Features like NAT have been addressed in detail.
There is a quick overview of the concept of NAT itself, along with benefits and what’s required to implement this. And then finally it starts talking about one of the most important aspects of this title, how to control access by using an ASA device. This forms the core of Cisco ASA. There is an overview of access controls and access rules.
New concepts like Global ACL are introduced in this publication. Pass through analysis of traffic to ensure protocols are meeting criteria set in security policies for a particular network is another key issue that is explained. Another neat feature was the ability to control access and provide proxy services based on the identity of a user on the network.
Traffic handling and management by an ASA device is a very interesting topic, traffic prioritization and bandwidth control were the key issues discussed under this topic. I particularly found the chapters on firewall modes informative, not that I’m saying the others are not. Up until then I didn’t realise that ASAs could perform their functions in a non-transparent router-like mode, and a transparent bridge-like mode. But then the penultimate chapters started throwing in some high value trump cards like virtual firewall based on specific users, high availability, modules and special cards to deploy integrated services for entire organisations, and traffic analysis tools.
Once I had finished going through the chapters, my brain was buzzing at the thought of being able to implement some of these features on the next ASA I get my hands on. But then reality kicked in and it reminded me of the purpose of a certification that goes along with this publication, which cannot be ignored. At the end of the day, this book empowers you to deliver some killer punches to any network security threats, but only once you have proved to yourself, and of course to the Cisco certification community, that you are worth your CCNP in gold.
I was not let down by this publication. But I can’t remember a Cisco publication that didn’t deliver its objectives. As mentioned time and time again, networks are important to us and so is their security and integrity. It is in our best interest to ensure that they work in a safe environment. Intrusions, hacks and breaches are constant threats, we can surely implement features to stop them and prevent them.
One sure way to fulfil that requirement is to put the subject matter of this publication to good use. A CCNP is a valuable certification, but a CCNP done under the Security banner with Firewalls is more valuable still. This review ends with two key phrases – the certification is very much needed, and the publication is highly recommended for that purpose.