You are previewing The Best Damn Firewall Book Period, Second Edition.
O'Reilly logo
The Best Damn Firewall Book Period, Second Edition

Book Description

The Second Edition of the Best Damn Firewall Book Period is completely revised and updated to include all of the most recent releases from Microsoft, Cisco, Juniper Network, SonicWALL, and Check Point.

Compiled from the best of the Syngress firewall library and authored by product experts such as Dr. Tom Shinder on ISA Server, this volume is an indispensable addition to a serious networking professionals toolkit.

Coverage includes migrating to ISA Server 2006, integrating Windows Firewall and Vista security into your enterprise, successfully integrating Voice over IP applications around firewalls, and analyzing security log files.

Sections are organized by major vendor, and include hardware, software and VPN configurations for each product line.

New to this Edition:

* Microsoft firewall protection, from Windows Firewall to ISA Server 2006
* Cisco PIX Version 7, including VPN configuration and IDS
* Analyzing Firewall Logs and Reports
* VoIP and Firewall Bypassing

Table of Contents

  1. Copyright
  2. Contributing Authors
  3. 1. Installing Check Point NGX
    1. Introduction
    2. Preparing the Gateway
    3. Installation
      1. SecurePlatform
        1. FireWall-1/VPN-1 Installation
    4. SmartCenter Server Installation
      1. SmartConsole Installation
    5. Putting It All Together
      1. SmartDashboard
    6. Summary
  4. 2. SmartDashboard and SmartPortal
    1. Introduction
    2. A Tour of the Dashboard
      1. Logging In
      2. The Rulebase Pane
        1. Security Tab
        2. Address Translation Tab
        3. SmartDefense Tab
        4. Web Intelligence Tab
        5. VPN Manager Tab
        6. QoS Tab
        7. Desktop Security Tab
        8. Web Access Tab
        9. Consolidation Rules Tab
      3. The Objects Tree Pane
        1. Network Objects
        2. Services
        3. Resources
        4. Servers and OPSEC Applications
        5. Users and Administrators
        6. VPN Communities
      4. The Objects List Pane
      5. The SmartMap Pane
      6. Menus and Toolbars
      7. Working with Policy Packages
      8. Installing the Policy
      9. Global Properties
        1. FireWall Page
        2. NAT—Network Address Translation Page
        3. VPN Page
        4. VPN-1 Edge/Embedded Page
        5. Remote Access Page
        6. SmartDirectory (LDAP) Page
        7. Stateful Inspection Page
    3. New in SmartDashboard NGX
      1. Security Policy Rule Names and Unique IDs
      2. Group Object Convention
      3. Group Hierarchy
      4. Clone Object
      5. Session Description
      6. Tooltips
    4. Your First Security Policy
      1. Creating Your Administrator Account
      2. Hooking Up to the Gateway
      3. Reviewing the Gateway Object
      4. Defining Your Security Policy
      5. Policy Design
      6. Creating Rules
      7. Network Address Translation
      8. Installing the Policy
    5. Other Useful Controls on the Dashboard
      1. Working with Security Policy Rules
        1. Section Titles
          1. Hiding Rules
          2. Rule Queries
          3. Searching Rules
        2. Working with Objects
          1. Object References
          2. Who Broke That Object?
          3. Object Queries
        3. Working with Policies
          1. What Would Be Installed?
          2. What’s Really Installed?
          3. No Security Please
          4. For the Anoraks
        4. Change Management
    6. Managing Connectra and Interspect Gateways
      1. Configuring Interspect or Connectra Integration
      2. SmartDefense Updates
    7. SmartPortal
      1. SmartPortal Functionality
      2. Installing SmartPortal
      3. Tour of SmartPortal
    8. Summary
  5. 3. Smart View Tracker
    1. Introduction
    2. Tracker
    3. Log View
      1. Active
        1. Audit
    4. Predefined Queries
      1. Use for Predefined Queries
        1. Adding Custom Queries
          1. Applying Filters
    5. Custom Queries
      1. Matching Rule Filter
        1. Viewing the Matching Rule
          1. Viewing Log Records from SmartDashboard
    6. Active View
      1. Live Connections
        1. Custom Commands
          1. Following a Source or Destination
    7. Block Intruder
    8. Audit View
    9. Log Maintenance
      1. Daily Maintenance
        1. Log Switch
    10. Summary
  6. 4. SmartDefense and Web Intelligence
    1. Introduction
    2. Network Security
      1. Threats
        1. Structured Threats
          1. Denial of Service
        2. External Threats
          1. Welchia Internet Control Message Protocol
          2. Network Quota
        3. Internal Threats
      2. Reconnaissance (Port Scans and Sweeps)
      3. The OSI Model
        1. Layer 3: The Network Layer
        2. Layer 4: The Transport Layer
        3. Layer 7: The Application Layer
      4. The Need for Granular Inspection
    3. Application Intelligence
      1. Configuring Hosts and Nodes for AI
      2. SmartDefense Technology
        1. Central Configuration and the SmartDefense Web Site
        2. Updating SmartDefense
        3. Defense Against Attacks
          1. Peer-to-Peer
      3. Preventing Information Disclosure
        1. Fingerprint Scrambling
        2. Abnormal Behavior Analysis
      4. Web Intelligence Technology
        1. Malicious Code Protector
        2. Active Streaming
        3. Application Intelligence
        4. Web Application Layer
        5. SQL Injection
        6. Custom Web Blocking
        7. Preventing Information Disclosure
        8. Header Spoofing
        9. Directory Listing
    4. Malicious Code
      1. Definition
      2. Different Types of Malicious Code
        1. General HTTP Worm Catcher
    5. Protocol Inspection
      1. Conformity
      2. DNS Enforcement
      3. HTTP Inspection
      4. Default Configuration
    6. DShield Storm Center
      1. Retrieving Blocklist
        1. Submitting Logs
    7. Summary
  7. 5. Network Address Translation
    1. Introduction
    2. Global Properties
      1. Network Address Translation
    3. Configuring Dynamic Hide Mode NAT
      1. Dynamic NAT Defined
      2. Advanced Understanding of NAT
      3. When to Use It
      4. Routing and ARP
        1. Adding ARP Entries
          1. Secure Platform
          2. Solaris
          3. Windows
          4. IPSO
    4. Configuring Static Mode NAT
      1. Static NAT Defined
        1. When to Use It
          1. Inbound Connections
    5. Configuring Automatic NAT
      1. When to Use It
        1. NAT Rule Base
          1. Access Control Settings
    6. Configuring Port Translation
      1. When to Use It
        1. NAT Rule Base
          1. Security Policy Implications
    7. Summary
  8. 6. Authentication
    1. Introduction
    2. Authentication Overview
      1. Using Authentication in Your Environment
    3. Users and Administrators
      1. Managing Users and Administrators
        1. Permission Profiles
        2. Administrators
          1. General Tab
          2. Personal Tab
          3. Groups
          4. Admin Auth
          5. Admin Certificates
        3. Administrator Groups
        4. User Templates
          1. General
          2. Personal
          3. Groups
          4. Authentication
          5. Location
          6. Time
          7. Encryption
        5. User Groups
        6. Users
          1. General
          2. Personal
          3. Groups
          4. Authentication
          5. Location
          6. Time
          7. Certificates
          8. Encryption
        7. External User Profiles
          1. Match by Domain
          2. Match All Users
        8. LDAP Group
      2. Understanding Authentication Schemes
        1. Undefined
        2. SecurID
        3. Check Point Password
        4. RADIUS
        5. TACACS
    4. User Authentication
      1. Configuring User Authentication in the Rulebase
        1. UserAuth | Edit Properties | General | Source
        2. UserAuth | Edit Properties | General | Destination
        3. UserAuth | Edit Properties | General | HTTP
      2. Interacting with User Authentication
        1. Telnet and RLOGIN
        2. FTP
        3. HTTP
        4. Placing Authentication Rules
      3. Advanced Topics
        1. Eliminating the Default Authentication Banner
        2. Changing the Banner
        3. Use Host Header as Destination
    5. Session Authentication
      1. Configuring Session Authentication in the Rulebase
        1. SessionAuth | Edit Properties | General | Source
        2. SessionAuth | Edit Properties | General | Destination
        3. SessionAuth | Edit Properties | General | Contact Agent At
        4. SessionAuth | Edit Properties | General | Accept only SecuRemote/SecureClient Encrypted Connections
        5. SessionAuth | Edit Properties | General | Single Sign-On
      2. Configuring Session Authentication Encryption
      3. The Session Authentication Agent
        1. Configuration | Passwords | Ask for Password
        2. Configuration | Allowed Firewall-1 | Allow authentication request from
        3. Configuration | Allowed Firewall-1 | Options
      4. Interacting with Session Authentication
    6. Client Authentication
      1. Configuring Client Authentication in the Rulebase
        1. ClientAuth | Edit Properties | General | Source
        2. ClientAuth | Edit Properties | General | Destination
        3. ClientAuth | Edit Properties | General | Apply Rule Only if Desktop Configuration Options Are Verified
        4. ClientAuth | Edit Properties | General | Required Sign-In
        5. ClientAuth | Edit Properties | General | Sign-On Method
          1. Manual Sign-On
          2. Partially Automatic Sign-On
          3. Fully Automatic Sign-On
          4. Agent Automatic Sign-On
          5. Single Sign-On
        6. General | Successful Authentication Tracking
        7. Limits | Authorization Timeout
        8. Limits | Number of Sessions Allowed
      2. Advanced Topics
        1. Check Point Gateway | Authentication
          1. Enabled Authentication Schemes
          2. Authentication Settings
          3. HTTP Security Server
        2. Global Properties | Authentication
          1. Failed Authentication Attempts
          2. Authentication of Users with Certificates
          3. Brute-Force Password Guessing Protection
          4. Early Version Compatibility
        3. Registry Settings
          1. New Interface
          2. Use Host Header as Destination
          3. Opening All Client Authentication Rules
        4. Configuration Files
          1. Enabling Encrypted Authentication
          2. Custom Pages
      3. Installing the User Database
    7. Summary
  9. 7. Content Security and OPSEC
    1. Introduction
    2. OPSEC
      1. Partnership
        1. Anti-virus
          1. Web Filtering
          2. OPSEC Applications
    3. Security Servers
      1. URI
      2. SMTP
      3. FTP
      4. TCP
      5. CIFS
    4. CVP
      1. Resource Creation
    5. UFP
      1. Resource Creation
    6. MDQ
      1. How to Debug
    7. Secure Internal Communication
    8. Summary
  10. 8. VPN
    1. Introduction
    2. Encryption Overview
      1. Symmetric and Asymmetric Encryption
      2. Certificate Authorities
        1. Exchanging Keys
      3. Tunnel Mode vs. Transport Mode
      4. Encryption Algorithms
      5. Hashing Algorithms
        1. Public Key Infrastructure
    3. Simplified vs. Traditional
      1. Using the Simplified Configuration Method
        1. VPN Communities
          1. Meshed VPN Communities
          2. Star VPN Communities
          3. Multiple Entry Point (MEP)
          4. Installing the Policy
        2. Configuring a VPN with a Cisco PIX
      2. Using the Traditional VPN Configuration Method
      3. VPN Directional Matching
    4. Route-Based VPN
      1. Routing Protocols
      2. Configuring VTIs
        1. Configuring VTI Example
    5. Tunnel Management and Debugging
      1. Using SmartView Tracker
      2. Using cpstat
    6. Summary
  11. 9. SecuRemote, SecureClient, and Integrity
    1. Introduction
    2. SecuRemote
      1. What’s New with SecuRemote in NGX?
      2. Standard Client
        1. Basic Remote Access
      3. Defining the Connection Policy
      4. SecuRemote Installation and Configuration on Microsoft Windows
      5. Connecting to the VPN-1 Gateway
    3. SecureClient
      1. What’s New in SC NGX?
      2. Installing SecureClient on Microsoft Windows
      3. Policy Server
        1. Desktop Security Policies
        2. Configuring Desktop Security Policies
        3. Disabling the Security Policy
        4. Secure Configuration Verification
    4. Office Mode
      1. Why Office Mode?
        1. Client IP Pool
        2. Configuring Office Mode with IP Pools
          1. Configuring the VPN-1 Gateway for Office Mode
          2. Configuring SecureClient for Office Mode
    5. Secure Configuration Verification (SCV)
      1. What’s New with Secure Configuration Verification (SCV) in NGX?
      2. Configuring the Policy Server to Enable Secure Configuration Verification (SCV)
      3. Secure Configuration Verification (SCV) Checks Available
        1. Check Point OPSEC Vendor SCV Checks
        2. Other Third-Party Checks
        3. Create Your Own Checks
    6. Integrity
      1. History of Integrity
        1. Integrity Client Installation
        2. Integrity Client Configuration
      2. Integrity Clientless Security
    7. Summary
  12. 10. Adaptive Security Device Manager
    1. Introduction
    2. Features, Limitations, and Requirements
      1. Supported PIX Firewall Hardware and Software Versions
        1. PIX Device Requirements
        2. Host Requirements for Running ASDM
      2. Adaptive Security Device Manager Limitations
        1. Unsupported Commands
        2. Unsupported Characters
        3. ASDM CLI Does Not Support Interactive Commands
        4. Printing from ASDM
    3. Installing, Configuring, and Launching ASDM
      1. Preparing for Installation
      2. Installing or Upgrading ASDM
        1. Obtaining a DES Activation Key
        2. Configuring the PIX Firewall for Network Connectivity
        3. Installing a TFTP Server
        4. Upgrading the PIX Firewall and Configuring the DES Activation Key
        5. Installing or Upgrading ASDM on the PIX Device
      3. Enabling and Disabling ASDM
      4. Launching ASDM
    4. Configuring the PIX Firewall Using ASDM
      1. Using the Startup Wizard
      2. Configuring System Properties
        1. The AAA Menu
        2. The Advanced Menu
        3. The ARP Static Table Menu
        4. The Auto Update Menu
        5. The DHCP Services Menu
        6. The DNS Client Menu
        7. The Failover Menu
        8. The History Metrics Category
        9. The IP Audit Menu
        10. The Logging Menu
        11. The Priority Queue Category
        12. The SSL Category
        13. The SunRPC Server Category
        14. The URL Filtering Category
    5. Configuring VPNs Using ASDM
      1. Configuring a Site-to-Site VPN Using ASDM
      2. Configuring a Remote Access VPN Using ASDM
    6. Summary
  13. 11. Application Inspection
    1. New Features in PIX 7.0
    2. Supporting and Securing Protocols
      1. TCP, UDP, ICMP, and the PIX Firewall
    3. Application Layer Protocol Inspection
      1. Defining a Traffic Class
      2. Associating a Traffic Class with an Action
      3. Customizing Application Inspection Parameters
      4. Applying Inspection to an Interface
        1. Domain Name Service
        2. Remote Procedure Call
        3. SQL*Net
        4. Internet Locator Service and Lightweight Directory Access Protocol
      5. HTTP Inspection
      6. FTP Inspection
        1. Active versus Passive Mode
      7. ESMTP Inspection
      8. ICMP Inspection
        1. H.323
        2. Simple Network Management Protocol (SNMP)
      9. Voice and Video Protocols
        1. SIP
        2. CTIQBE
        3. SCCP
        4. Real-Time Streaming Protocol (RTSP), NetShow, and VDO Live
    4. Summary
  14. 12. Filtering, Intrusion Detection, and Attack Management
    1. New Features in PIX 7.0
      1. Enhanced TCP Security Engine
      2. Improved Websense URL Filtering Performance
    2. Introduction
    3. Filtering Web and FTP Traffic
      1. Filtering URLs
        1. Websense and Sentian by N2H2
        2. Fine-Tuning and Monitoring the Filtering Process
        3. Configuring HTTP URL Filtering
        4. Configuring HTTPS Filtering
        5. Setting Up FTP Filtering
      2. Active Code Filtering
        1. Filtering Java Applets
        2. Filtering ActiveX Objects
        3. Virus Filtering; Spam, Adware, Malware, and Other-Ware Filtering
      3. TCP Attack Detection and Response
    4. PIX Intrusion Detection
      1. Supported Signatures
      2. Configuring Intrusion Detection/Auditing
      3. Disabling Signatures
      4. Configuring Shunning
    5. Attack Containment and Management
      1. Placing Limits on Fragmentation
      2. SYN FloodGuard
        1. The TCP Intercept Feature
      3. Preventing IP Spoofing
      4. Other Ways the PIX Can Prevent, Contain, or Manage Attacks
        1. Configuring Connection Limits and Timeouts
        2. Preventing MAC Address Spoofing
    6. Summary
  15. 13. Services
    1. Introduction
    2. DHCP Functionality
      1. DHCP Servers
        1. Cisco IP Phone-Related Options
      2. DHCP Relay
      3. DHCP Clients
    3. PPPoE
    4. EasyVPN
      1. EasyVPN Server
    5. Routing and the PIX Firewall
      1. Unicast Routing
        1. Static Routes
      2. RIP
      3. OSPF
      4. Network Address Translation as a Routing Mechanism
      5. Multicast Routing
        1. Stub Multicast Routing
        2. PIM Multicast Routing
      6. BGP through PIX Firewall
    6. Queuing and Policing
    7. Summary
  16. 14. Configuring Authentication, Authorization, and Accounting
    1. Introduction
      1. New and Changed Commands in 7.0
    2. Introducing AAA Concepts
      1. Authentication
      2. Authorization
      3. Accounting
      4. AAA Security Protocols
        1. RADIUS
          1. Authentication Methods Used by RADIUS
          2. RADIUS Functions Available on the Cisco PIX
        2. How RADIUS Works
        3. TACACS+
          1. Authentication Methods Used by TACACS+
          2. TACACS+ Functions Available to the Cisco PIX
        4. How TACACS+ Works
        5. Optional Security Protocols and Methods
    3. AAA Servers
    4. Configuring Console Authentication
      1. Configuring Local Authentication
        1. Configuring Local AAA Using the ASDM
    5. Configuring Command Authorization
      1. Configuring Local Command Authorization
    6. Configuring TACACS+ and RADIUS Console Authentication
      1. Configuring TACACS+ Command Authorization
    7. Configuring Authentication for Traffic through the Firewall
      1. Configuring Cut-through Proxy
      2. Virtual HTTP
      3. Virtual Telnet
    8. Configuring Authorization for Traffic through the Firewall
    9. Configuring Accounting for Traffic through the Firewall
    10. Summary
  17. 15. PIX Firewall Management
    1. Introduction
    2. Configuring Logging
      1. Logging Levels
      2. Dropped and Changed Syslog Messages from 6.x
      3. Logging Facility
      4. Local Logging
        1. Buffered Logging
        2. Console Logging
        3. Terminal Logging
      5. Remote Logging via Syslog
      6. Disabling Specific Syslog Messages
    3. Configuring Remote Access
      1. Secure Shell
        1. Enabling SSH Access
        2. Troubleshooting SSH
      2. Telnet
        1. Restrictions
    4. Configuring Simple Network Management Protocol
      1. Configuring System Identification
      2. Configuring Polling
      3. Configuring Traps
      4. Managing SNMP on the PIX
    5. Configuring System Date and Time
      1. Setting and Verifying the Clock and Time Zone
      2. Configuring and Verifying the Network Time Protocol
        1. NTP Authentication
      3. Management Using the Cisco PIX Adaptive Security Device Manager (ASDM)
    6. Summary
  18. 16. Configuring Virtual Private Networking
    1. Introduction
    2. What’s New in PIX 7.0
      1. IPsec Concepts
        1. IPsec
          1. IPsec Core Layer 3 Protocols: ESP and AH
          2. Authentication Header
          3. Encapsulating Security Payload
          4. IPsec Communication Modes: Tunnel and Transport
        2. Internet Key Exchange
        3. Security Associations
        4. Certificate Authority Support
    3. Configuring a Site-to-Site VPN
      1. Planning
      2. Allowing IPsec Traffic
      3. Enabling IKE
      4. Creating an ISAKMP Protection Suite
      5. Defining an ISAKMP Preshared Key
      6. Configuring Certificate Authority Support
        1. Preparing the PIX to Use Certificates
        2. Generating a Key Pair
        3. Configure a CA as a Trustpoint
        4. Authenticating and Enrolling with the CA
      7. Configuring Crypto Access-Lists
      8. Defining a Transform Set
      9. Bypassing Network Address Translation
      10. Configuring a Crypto Map
      11. Troubleshooting
    4. Remote Access—Configuring Support for the Cisco Software VPN Client
      1. Enabling IKE and Creating an ISAKMP Protection Suite
      2. Defining a Transform Set
      3. Crypto Maps
      4. Tunnel Groups and Group Policies
      5. Address Pool Configuration
      6. Split Tunneling
      7. NAT Issues
      8. Authentication against Radius, TACACS+, SecurID, or Active Directory
      9. Automatic Client Update
      10. Configuring Client Firewall Requirements
      11. Sample Configurations of PIX and VPN Clients
    5. Summary
  19. 17. ISA Server 2006 Client Types and Automating Client Provisioning
    1. Introduction
    2. Understanding ISA Server 2006 Client Types
      1. Understanding the ISA Server 2006 SecureNAT Client
        1. SecureNAT Client Limitations
        2. SecureNAT Client Advantages
        3. Name Resolution for SecureNAT Clients
          1. Name Resolution and “Looping Back” Through the ISA Server 2006 Firewall
      2. Understanding the ISA Server 2006 Firewall Client
        1. Allows Strong User/Group-Based Authentication for All Winsock Applications Using TCP and UDP Protocols
        2. Allows User and Application Information to be Recorded in the ISA Server 2006 Firewall’s Log Files
        3. Provides Enhanced Support for Network Applications, Including Complex Protocols That Require Secondary Connections
        4. Provides “Proxy” DNS Support for Firewall Client Machines
        5. The Network Routing Infrastructure Is Transparent to the Firewall Client
        6. How the Firewall Client Works
        7. Installing the Firewall Client Share
        8. Installing the Firewall Client
        9. Firewall Client Configuration
          1. Centralized Configuration Options at the ISA Server 2006 Firewall Computer
          2. Enabling Support for Legacy Firewall Client/Winsock Proxy Clients
        10. Client Side Firewall Client Settings
        11. Firewall Client Configuration Files
          1. .ini Files
          2. Advanced Firewall Client Settings
        12. Firewall Client Configuration at the ISA Server 2006 Firewall
      3. ISA Server 2006 Web Proxy Client
        1. Improved Performance for the Firewall Client and SecureNAT Client Configuration for Web Access
        2. Ability to Use the Autoconfiguration Script to Bypass Sites Using Direct Access
        3. Allows You to Provide Web Access (HTTP/HTTPS/FTP Download) without Enabling Users Access to Other Protocols
        4. Allows You to Enforce User/Group-based Access Controls Over Web Access
        5. Allows you to Limit the Number of Outbound Web Proxy Client Connections
        6. Supports Web Proxy Chaining, Which Can Further Speed Up Internet Access
      4. ISA Server 2006 Multiple Client Type Configuration
      5. Deciding on an ISA Server 2006 Client Type
    3. Automating ISA Server 2006 Client Provisioning
      1. Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery
        1. Install the DHCP Server
        2. Create the DHCP scope
        3. Create the DHCP 252 Scope Option and Add It to the Scope
        4. Configure the Client as a DHCP Client
        5. Configure the Client Browser to Use DCHP for Autodiscovery
        6. Configure the ISA Server 2006 Firewall to Publish Autodiscovery Information
        7. Making the Connection
      2. Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery
        1. Creating the wpad Entry in DNS
        2. Configure the Client to Use the Fully-Qualified wpad Alias
        3. Configure the client browser to use autodiscovery
        4. Configure the ISA Server 2006 Firewall to Publish Autodiscovery Information
        5. Making the Connection Using DNS for Autodiscovery
    4. Automating Installation of the Firewall Client
      1. Configuring Firewall Client and Web Proxy Client Configuration in the ISA Management Console
      2. Group Policy Software Installation
      3. Silent Installation Script
      4. Systems Management Server (SMS)
    5. Summary
  20. 18. Installing and Configuring the ISA Firewall Software
    1. Pre-installation Tasks and Considerations
      1. System Requirements
      2. Configuring the Routing Table
      3. DNS Server Placement
      4. Configuring the ISA Firewall’s Network Interfaces
      5. Installation via a Terminal Services Administration Mode Session
    2. Performing a Clean Installation on a Multihomed Machine
    3. Default Post-installation ISA Firewall Configuration
    4. The Post-installation System Policy
    5. Performing a Single NIC Installation (Unihomed ISA Firewall)
    6. Quick Start Configuration for ISA Firewalls
      1. Configuring the ISA Firewall’s Network Interfaces
        1. IP Address and DNS Server Assignment
          1. Configuring the Internal Network Interface
          2. Configuring the External Network Interface
        2. Network Interface Order
      2. Installing and Configuring a DNS Server on the ISA Server Firewall
        1. Installing the DNS Service
          1. Installing the DNS Server Service on Windows Server 2003
        2. Configuring the DNS Service on the ISA Firewall
          1. Configuring the DNS Service in Windows Server 2003
        3. Configuring the DNS Service on the Internal Network DNS Server
      3. Installing and Configuring a DHCP Server on the ISA Server Firewall
        1. Installing the DHCP Service
          1. Installing the DHCP Server Service on a Windows Server 2003 Computer
        2. Configuring the DHCP Service
      4. Installing and Configuring the ISA Server 2006 Software
        1. Configuring the ISA Firewall
          1. DHCP Request to Server Rule
          2. DHCP Reply from Server Rule
          3. Internal DNS Server to DNS Forwarder Rule
          4. Internal Network to DNS Server
          5. The All Open Rule
      5. Configuring the Internal Network Computers
        1. Configuring Internal Clients as DHCP Clients
    7. Hardening the Base ISA Firewall Configuration and Operating System
      1. ISA Firewall Service Dependencies
      2. Service Requirements for Common Tasks Performed on the ISA Firewall
      3. Client Roles for the ISA Firewall
      4. ISA Firewall Administrative Roles and Permissions
      5. Lockdown Mode
        1. Lockdown Mode Functionality
      6. Connection Limits
      7. DHCP Spoof Attack Prevention
    8. Summary
  21. 19. Creating and Using ISA 2006 Firewall Access Policy
    1. ISA Firewall Access Rule Elements
      1. Protocols
      2. User Sets
      3. Content Types
      4. Schedules
      5. Network Objects
    2. Configuring Access Rules for Outbound Access through the ISA Firewall
      1. The Rule Action Page
      2. The Protocols Page
      3. The Access Rule Sources Page
      4. The Access Rule Destinations Page
      5. The User Sets Page
      6. Access Rule Properties
        1. The General Tab
        2. The Action Tab
        3. The Protocols Tab
        4. The From Tab
        5. The To Tab
        6. The Users Tab
        7. The Schedule Tab
        8. The Content Types Tab
      7. The Access Rule Context Menu Options
      8. Configuring RPC Policy
      9. Configuring FTP Policy
      10. Configuring HTTP Policy
      11. Ordering and Organizing Access Rules
      12. How to Block Logging for Selected Protocols
      13. Disabling Automatic Web Proxy Connections for SecureNAT Clients
    3. Using Scripts to Populate Domain Name Sets
      1. Using the Import Scripts
      2. Extending the SSL Tunnel Port Range for Web Access to Alternate SSL Ports
      3. Avoiding Looping Back through the ISA Firewall for Internal Resources
      4. Anonymous Requests Appear in Log File Even When Authentication is Enforced For Web (HTTP Connections)
      5. Blocking MSN Messenger using an Access Rule
      6. Allowing Outbound Access to MSN Messenger via Web Proxy
      7. Changes to ISA Firewall Policy Only Affects New Connections
    4. Allowing Intradomain Communications through the ISA Firewall
    5. Summary
  22. 20. Creating Remote Access and Site-to-Site VPNs with ISA Firewalls
    1. Overview of ISA Firewall VPN Networking
      1. Firewall Policy Applied to VPN Client Connections
      2. Firewall Policy Applied to VPN Site-to-Site Connections
      3. VPN Quarantine
      4. User Mapping of VPN Clients
      5. SecureNAT Client Support for VPN Connections
      6. Site-to-Site VPN Using Tunnel Mode IPSec
      7. Publishing PPTP VPN Servers
      8. Pre-shared Key Support for IPSec VPN Connections
      9. Advanced Name Server Assignment for VPN Clients
      10. Monitoring of VPN Client Connections
      11. An Improved Site-to-Site Wizard (New ISA 2006 feature)
      12. The Create Answer File Wizard (New ISA 2006 feature)
      13. The Branch Office Connectivity Wizard (New ISA 2006 feature)
      14. The Site-to-Site Summary (New ISA 2006 feature)
    2. Creating a Remote Access PPTP VPN Server
      1. Enable the VPN Server
      2. Create an Access Rule Allowing VPN Clients Access to Allowed Resources
      3. Enable Dial-in Access
      4. Test the PPTP VPN Connection
    3. Creating a Remote Access L2TP/IPSec Server
      1. Issue Certificates to the ISA Firewall and VPN Clients
      2. Test the L2TP/IPSec VPN Connection
      3. Monitor VPN Clients
      4. Using a Pre-shared Key for VPN Client Remote Access Connections
    4. Creating a PPTP Site-to-Site VPN
      1. Create the Remote Site Network at the Main Office
      2. The Network Rule at the Main Office
      3. The Access Rules at the Main Office
      4. Create the VPN Gateway Dial-in Account at the Main Office
      5. Create the Remote Site Network at the Branch Office
      6. The Network Rule at the Branch Office
      7. The Access Rules at the Branch Office
      8. Create the VPN Gateway Dial-in Account at the Branch Office
      9. Activate the Site-to-Site Links
    5. Creating an L2TP/IPSec Site-to-Site VPN
      1. Enable the System Policy Rule on the Main Office Firewall to Access the Enterprise CA
      2. Request and Install a Certificate for the Main Office Firewall
      3. Configure the Main Office ISA Firewall to use L2TP/IPSec for the Site-to-Site Link
      4. Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA
      5. Request and Install a Certificate for the Branch Office Firewall
      6. Configure the Branch Office ISA Firewall to use L2TP/IPSec for the Site-to-Site Link
      7. Activate the L2TP/IPSec Site-to-Site VPN Connection
      8. Configuring Pre-shared Keys for Site-to-Site L2TP/IPSec VPN Links
    6. IPSec Tunnel Mode Site-to-Site VPNs with Downlevel VPN Gateways
    7. Using RADIUS for VPN Authentication and Remote Access Policy
      1. Configure the Internet Authentication Services (RADIUS) Server
      2. Create a VPN Clients Remote Access Policy
      3. Remote Access Permissions and Domain Functional Level
      4. Changing the User Account Dial-in Permissions
      5. Changing the Domain Functional Level
      6. Controlling Remote Access Permission via Remote Access Policy
      7. Enable the VPN Server on the ISA Firewall and Configure RADIUS Support
      8. Create an Access Rule Allowing VPN Clients Access to Approved Resources
      9. Make the Connection from a PPTP VPN Client
    8. Using EAP User Certificate Authentication for Remote Access VPNs
      1. Configuring the ISA Firewall Software to Support EAP Authentication
      2. Enabling User Mapping for EAP Authenticated Users
      3. Issuing a User Certificate to the Remote Access VPN Client Machine
    9. Supporting Outbound VPN Connections through the ISA Firewall
    10. Installing and Configuring the DHCP Server and DHCP Relay Agent on the ISA Firewall
    11. Summary
  23. 21. ISA 2006 Stateful Inspection and Application Layer Filtering
    1. Introduction
    2. Application Filters
      1. The SMTP Filter
      2. The DNS Filter
      3. The POP Intrusion Detection Filter
      4. The SOCKS V4 Filter
      5. The FTP Access Filter
      6. The H.323 Filter
      7. The MMS Filter
      8. The PNM Filter
      9. The PPTP Filter
      10. The RPC Filter
      11. The RTSP Filter
    3. Web Filters
      1. The HTTP Security Filter (HTTP Filter)
        1. Overview of HTTP Security Filter Settings
          1. The General Tab
          2. The Methods Tab
          3. The Extensions Tab
          4. The Headers Tab
          5. The Signatures Tab
        2. HTTP Security Filter Logging
        3. Exporting and Importing HTTP Security Filter Settings
          1. Exporting an HTTP Policy from a Web Publishing Rule
          2. Importing an HTTP Policy into a Web Publishing Rule
        4. Investigating HTTP Headers for Potentially Dangerous Applications
        5. Example HTTP Security Filter Policies
        6. Commonly Blocked Headers and Application Signatures
      2. The ISA Server Link Translator
        1. Determining Custom Dictionary Entries
        2. Configuring Custom Link Translation Dictionary Entries
      3. The Web Proxy Filter
      4. The OWA Forms-Based Authentication Filter
      5. The RADIUS Authentication Filter
    4. IP Filtering and Intrusion Detection/Intrusion Prevention
      1. Common Attacks Detection and Prevention
      2. DNS Attacks Detection and Prevention
      3. IP Options and IP Fragment Filtering
        1. Source Routing Attack
    5. Summary
  24. 22. Deploying NetScreen Firewalls
    1. Introduction
    2. Managing the NetScreen Firewall
      1. NetScreen Management Options
        1. Serial Console
        2. Telnet
        3. Secure Shell
        4. WebUI
        5. The NetScreen-Security Manager
      2. Administrative Users
      3. The Local File System and the Configuration File
      4. Using the Command Line Interface
      5. Using the Web User Interface
      6. Securing the Management Interface
      7. Updating ScreenOS
      8. System Recovery
    3. Configuring NetScreen
      1. Types of Zones
        1. Security Zones
        2. Tunnel Zones
        3. Function Zones
      2. Virtual Routers
      3. Types of Interfaces
        1. Security Zone Interfaces
          1. Physical Interfaces
          2. Subinterfaces
          3. Aggregate Interfaces
          4. Redundant Interfaces
          5. VLAN1 Interface
          6. Virtual Security Interfaces
        2. Function Zone Interfaces
          1. Management Interfaces
          2. HA Interfaces
        3. Tunnel Interfaces
        4. Loopback Interfaces
      4. Configuring Security Zones
    4. Configuring Your NetScreen for the Network
      1. Binding an Interface to a Zone
      2. Setting up IP Addressing
      3. Configuring the DHCP Client
      4. Using PPPoE
      5. Interface Speed Modes
      6. Port Mode Configuration
      7. Configuring Basic Network Routing
    5. Configuring System Services
      1. Setting The Time
      2. DHCP Server
      3. DNS
      4. SNMP
      5. Syslog
      6. WebTrends
    6. Resources
    7. Summary
  25. 23. Policy Configuration
    1. Introduction
    2. NetScreen Policies
      1. Theory Of Access Control
      2. Types of NetScreen Policies
        1. Intrazone Policies
        2. Interzone Policies
        3. Global Policies
        4. Default Policy
      3. Policy Checking
      4. Getting Ready to Make a Policy
    3. Policy Components
      1. Zones
      2. Address Book Entries
        1. Creating Address Book Entries
        2. Modifying and Deleting Address Book Entries
        3. Address Groups
      3. Services
        1. Creating Custom Services
        2. Modifying and Deleting Services
        3. Service Groups
    4. Creating Policies
      1. Creating a Policy
        1. Creating a Policy via the WebUI
        2. Reordering Policies in the WebUI
        3. Other Policy Options in the WebUI
        4. Creating a Policy via the CLI
        5. Other Policy Options Available in the CLI
    5. Summary
  26. 24. User Authentication
    1. Introduction
    2. Types of Users
      1. Uses of Each Type
      2. Auth Users
      3. IKE Users
      4. L2TP Users
      5. XAuth Users
      6. Admin Users
    3. User Databases
      1. Local Database
        1. Types of Users
        2. Features
    4. External Auth Servers
      1. Object Properties
      2. Auth Server Types
        1. RADIUS
          1. Types of Users
          2. Features
          3. How to Configure
        2. SecurID
          1. Types of Users
          2. Features
          3. How to Configure
        3. LDAP
          1. Types of Users
          2. Features
          3. How to Configure
      3. Default Auth Servers
        1. How to Change
        2. When to Use
      4. Authentication Types
        1. Auth Users and User Groups
        2. IKE Users and User Groups
        3. XAuth Users and User Groups
        4. L2TP Users and User Groups
        5. Admin Users and User Groups
        6. Multi-type Users
        7. User Groups and Group expressions
  27. 25. Routing
    1. Introduction
    2. Virtual Routers
      1. Using Virtual Routers
        1. Creating Virtual Routers
      2. Route Selection
        1. Set Route Preference
        2. Set Route Metric
      3. Route Redistribution
        1. Configuring a Route Access List
        2. Configuring A Route Map
    3. Routing Information Protocol
      1. RIP Concepts
      2. Basic RIP Configuration
        1. Configuring RIP
    4. Open Shortest Path First (OSPF)
      1. OSPF Concepts
      2. Basic OSPF Configuration
    5. Border Gateway Protocol
      1. Basic BGP Configuration
    6. Summary
  28. 26. Address Translation
    1. Introduction
    2. Purpose of Address Translation
      1. Advantages of Address Translation
      2. Disadvantages of Address Translation
    3. NetScreen NAT Overview
    4. NetScreen Packet Flow
    5. Source NAT
      1. Interface-based Source Translation
      2. MIP
        1. MIP Limitations
        2. MIP Scenarios
          1. Scenario 1
          2. Scenario 2
          3. Scenario 3
      3. Policy-based Source NAT
        1. DIP
          1. Sticky DIP
          2. DIP Shift
    6. Destination NAT
      1. VIP
      2. Policy-based Destination NAT
        1. Destination NAT Scenarios
          1. One-to-One Mapping
          2. Many-to-one Mapping
          3. Many-to-Many Mapping
        2. Destination PAT Scenario
        3. Source and Destination NAT Combined
    7. Summary