Security Overview 555
Foundation Topics
Vast quantities of security technologies exist. The hardest challenge for a CCDP is often
to design a single network-wide security policy that meets all the customer requirements. The
goals of this chapter are to understand how and why modern network security works, to learn
how the PIX firewall works in comparison to other firewalls, and to learn the technologies that
are implemented in the PIX firewall. This chapter also introduces security rules that should be
followed with every network design. The topics covered here are very important to the average
network, from the placement of access lists to the new features offered in Cisco IOS, including
CBAC and TCP Interceptor. The PIX Firewall is covered, along with the new Internet IPSec
standard. Under Virtual Private Networking, L2F and L2TP are discussed, along with the
advantages and disadvantages of each.
Security Overview
The security challenge facing CCDPs today is evaluating a multitude of products and
technologies and choosing the right combination for the customer. It is not the lack of
technology that makes this difficult, but rather the choices available that can complicate
the issues.
One of those choices is the firewall. A firewall is any one of several ways to protect a
network, and it can be implemented in a variety of ways. In most cases, you either permit
traffic to flow through the network or deny traffic into the network. Cisco routers can act as
firewalls, but they do not have the performance capability of devices built to perform firewall-only
functions, such as the PIX 520 firewall. Some firewalls place more emphasis on permitting
traffic, and others place more emphasis on blocking traffic. If you have a choice, you might want
to lean toward the solution that requires the least amount of processing overhead.
TIP
A bastion host, shown in Figure 15-2, is a UNIX device or secure gateway that supports a
limited number of applications used by outsiders. It usually resides in the demilitarized zone
(DMZ) area and holds data that outsiders access, typically WWW pages. Outsiders can access
only these pages.
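The following Cisco IOS configuration is an added illustration, not from the book, of a router acting as the firewall in front of a DMZ as just described: outsiders may reach only the bastion host's WWW pages, and the bastion host cannot open sessions into the inside network. The interface names and the addresses 192.0.2.10 (bastion host) and 10.1.0.0/16 (inside network) are placeholders.

```cisco
! Constructed example: access lists placed on the outside and DMZ interfaces.
! Addresses and interface names are placeholders, not from the book.
ip access-list extended OUTSIDE-IN
 remark Outsiders may reach only the bastion host, and only its web service
 permit tcp any host 192.0.2.10 eq www
 remark Everything else from the outside is denied and logged for review
 deny ip any any log
!
ip access-list extended DMZ-IN
 remark A compromised bastion host must not start sessions into the inside network
 deny ip host 192.0.2.10 10.1.0.0 0.0.255.255 log
 remark The bastion host may still answer the web sessions permitted above
 permit tcp host 192.0.2.10 eq www any
 deny ip any any log
!
interface Serial0
 description Link to the outside
 ip access-group OUTSIDE-IN in
!
interface Ethernet1
 description DMZ segment holding the bastion host
 ip access-group DMZ-IN in
```

The `log` keyword on the final deny entries gives the operator a record of what the router rejected, which is the first thing to check when a permitted service stops working after the lists are applied.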
87200333.book Page 555 Wednesday, August 22, 2001 1:41 PM