CCNP Security FIREWALL 642-618 Official Cert Guide

David Hucaby, CCIE No. 4594, is a network architect for the University of Kentucky, where he works with healthcare networks based on the Cisco Catalyst, ASA, FWSM, and Unified Wireless product lines. David has a bachelor of science degree and master of science degree in electrical engineering from the University of Kentucky. He is the author of several Cisco Press titles, including Cisco ASA, PIX, and FWSM Firewall Handbook, Second Edition; Cisco Firewall Video Mentor; Cisco LAN Switching Video Mentor; and CCNP SWITCH Exam Certification Guide. David lives in Kentucky with his wife, Marci, and two daughters. Dave Garneau is a senior member of the Network Security team at Rackspace Hosting, Inc. Before that, he was the principal consultant and senior technical instructor at The Radix Group, Ltd. In that role, Dave trained more than 3,000 students in nine countries on Cisco technologies, mostly focusing on the Cisco security products line, and worked closely with Cisco in establishing the new Cisco Certified Network Professional Security (CCNP Security) curriculum. Dave has a bachelor of science degree in mathematics from Metropolitan State College of Denver. Dave lives in San Antonio, Texas, with his wife, Vicki, and their two brand new baby girls, Elise and Lauren. Anthony Sequeira, CCIE No. 15626, is a Cisco Certified Systems Instructor (CCSI) and author regarding all levels and tracks of Cisco Certification. Anthony formally began his career in the information technology industry in 1994 with IBM in Tampa, Florida. He quickly formed his own computer consultancy, Computer Solutions, and then discovered his true passion--teaching and writing about Microsoft and Cisco technologies. Anthony joined Mastering Computers in 1996 and lectured to massive audiences around the world about the latest in computer technologies. Mastering Computers became the revolutionary online training company, KnowledgeNet, and Anthony trained there for many years. Anthony is currently pursuing his second CCIE in the area of Security and is a full-time instructor for the next-generation of KnowledgeNet, StormWind Live. Anthony is also a VMware Certified Professional.

    Introduction xxv

Chapter 1 Cisco ASA Adaptive Security Appliance Overview 3

    Do I Know This Already? Quiz 3

    Foundation Topics 7

    Firewall Overview 7

    Firewall Techniques 11

        Stateless Packet Filtering 11

        Stateful Packet Filtering 12

        Stateful Packet Filtering with Application Inspection and Control 12

        Network Intrusion Prevention System 13

        Network Behavior Analysis 14

        Application Layer Gateway (Proxy) 14

    Cisco ASA Features 15

    Selecting a Cisco ASA Model 18

        ASA 5505 18

        ASA 5510, 5520, and 5540 19

        ASA 5550 20

        ASA 5580 21

        Security Services Modules 22

        Advanced Inspection and Prevention (AIP) SSM 22

        Content Security and Control (CSC) SSM 23

        4-port Gigabit Ethernet (4GE) SSM 24

        ASA 5585-X 24

        ASA Performance Breakdown 25

    Selecting ASA Licenses 29

    ASA Memory Requirements 31

    Exam Preparation Tasks 33

    Review All Key Topics 33

    Define Key Terms 33

Chapter 2 Working with a Cisco ASA 35

    Do I Know This Already? Quiz 35

    Foundation Topics 40

    Using the CLI 40

        Entering Commands 41

        Command Help 43

        Searching and Filtering Command Output 45

        Command History 45

        Terminal Screen Format 47

    Using Cisco ASDM 47

    Understanding the Factory Default Configuration 52

    Working with Configuration Files 54

        Clearing an ASA Configuration 57

    Working with the ASA File System 58

        Navigating an ASA Flash File System 59

        Working wit...