What I liked most about the book is the fine long-lost tradition of teaching the technology, its inner workings and relevant details before jumping to boxes or configuration commands. Even if you know enough IPv6 to pass the CCIE written test, you can still learn a lot about how it works, the internal packet structures, the design decisions and the inherent protocol vulnerabilities. Contrary to some other security books that look like a feature list from a Request for Proposal, this one manages to establish a delicate balance between technology description, vulnerability demonstrations and well-documented router configurations. The only problem I had with router configurations included in this book is that they tend to be long and complex, but that’s definitely a Cisco IOS problem, not a fault of the authors.

The other amazing feature is the book’s lack of Cisco-centrism. While it does cover only Cisco’s equipment on the network side (which is understandable), it also provides a thorough coverage of host operating systems and descriptions of a plethora of public-domain tools that can be used to hack, probe or protect IPv6 hosts or networks.

Most books reveal to a careful reader the tug-of-war struggle between the author and external (usually product marketing-driven) forces. Yet again, this book is an exception. There are no “extra” features, the coverage is consistent and the level of detail doesn’t fade as you get closer to the last chapters. The topics covered by the book are included because they are needed, not because someone wanted to sell his favorite features.

It doesn’t make sense for this review to describe each individual chapter in detail; you can always get the table of contents on Amazon.com. Let me just conclude by saying that this book will get a place of honor on my bookshelf.

Part II of the book, “VoIP Security Best Practices,” looked more promising. Unfortunately, the author apparently was worried about those readers who would skip the introductory chapters, as he repeats most of the useful information from them in Chapter 6, “Analysis and Simulation of Current Threats,” adding perhaps 50% new content in each case. Chapter 7, “Protection with VoIP Protocol,” looked like another interesting topic, but again was very fundamental. It listed sample technology solutions, but never mentioned a single case in which the described solution would be applied in an operational network. Chapter 8, “Protection with Session Border Controller,” was even worse. It’s obvious that Cisco did not have a good SBC solution at the time the book was written, so the whole chapter reads like a Request for Proposal (RFP) put together by a security engineer wanting all the features mentioned in marketing materials from various vendors. I would much prefer having a few working case studies or even a list of desirable SBC features and a neutral comparison of available solutions.

The first chapter that could justify the book’s subtitle is Chapter 9 (out of 11), »Protection with Enterprise Network Devices,« which describes various voice-related security features offered by network devices manufactured by Cisco Systems. It covers PIX/ASA and FWSM firewalls, Unified Communications (UC) Manager and UC Manager Express (UCME), the phones and the switches. I can’t understand why the routers (apart from the UCME function) are not covered, as they could offer significant security benefits (including VoIP encryption). The omission of IDS/IPS systems throughout the book is also a mystery to me. Last but not least, I noticed the lack of coverage of any service provider VoIP products in Chapter 9. This is in stark contrast to the coverage of lawful interception in Chapter 10, »Lawful Interception Fundamentals,« and Chapter 11, »Lawful Interception Implementation,« which are applicable primarily to the service provider markets. One thus has to wonder which market (enterprise or service provider) the author is trying to target.

If you’re new to voice and security, this book will give you a great baseline introduction to various voice and security aspects as well as an overview of the VoIP security threats and potential solutions. It’s also an eye opener, describing various security threats that you probably haven’t considered yet. However, if you already know about voice and security, and you want to secure your VoIP network, you might be disappointed by the book’s lack of in-depth details related to actual network implementation.

The book does a good job of explaining the functionality of FWSM. The coverage of advanced topics, including transparent/routed modes, virtual firewall contexts and the intricacies of resource allocation between virtual firewalls, gave me all the information I needed. Unfortunately, I’ve sorely missed the command syntax descriptions; sometimes you could deduce the command syntax from the examples. Every now and then the meaning of some of the command parameters (for example, the number after the interface name in the NAT pool definition) remains a mystery, and you’ll have to refer to Cisco’s online documentation to sort it out. It’s too bad, really; without these minor omissions, the book could be the definitive reference on FWSM. More annoying are typos in the crucial parts of the text; for example, in the introductory NAT section. I know how NAT works, so I was able to skip across the inconsistent IP addresses (between the sample configuration command and the following figure), but such a minor error could spell disaster for a beginning reader.

The “Advanced Configuration” section covers numerous topics that you might not need immediately, but it’s good to know that they are covered in the book. These topics include failover configuration, application-level inspection, URL filters, IP multicast and load balancing. Unfortunately, some of this coverage looks like the result of “feature creep” triggered by product managers; there’s very little substance beyond basic descriptions of the features.

“Design Scenarios” is one of the last chapters in the book, which is (in my personal opinion) very appropriate placement: you have to know what a box does before you can start discussing how to design networks using it. Most of the chapter covers variants of the same basic principle: how you can use VRF Lite, available on Catalyst 6500, to implement a virtual firewall. I am probably biased since I’m very familiar with the MPLS VPN, but I was hoping for a slightly wider look at the design challenges.

Recommendation: If you’re vaguely familiar with firewalls and network address translation and you want to get fluent with FWSM, this is the book you need. If you know what FWSM does and you’re looking for best practice recommendations, you’ll be disappointed. Last but not least, if you’re a beginner in the security world, start somewhere else.

The Wide Area Application Services (WAAS) from Cisco is a solution that is (when deployed correctly) transparent to the applications, but it still needs lots of cooperation from other network elements to work properly. The Deploying Cisco Wide Area Application Services book by Cisco Press is a perfect source of design and deployment knowledge you need if you want to introduce WAAS into your network. The authors introduce the concept of WAAS, various hardware models (with the focus on where each model could fit into a large network) and a variety of design options. Individual chapters cover the planning/analysis, network integration and network management phases, both for the basic WAAS deployment as well as for advanced WAN optimization and CIFS acceleration. The most valuable part of the book are the integration chapters, which present various non-redundant or redundant design options for branch offices and data centers, including complete device configurations. After reading these chapters, I’m positive you’ll be able to select the best integration method for your network, design the WAAS integration and deploy the solution.

Unfortunately, the book skips the dirty details that come after the successful deployment. There’s almost no information on monitoring and troubleshooting and the configuration sections are biased toward GUI interface (for example, the CLI configuration commands needed to configure user authentication on WAAS devices are not covered anywhere in the book), but to be fair, the cover text (“Design and deploy Cisco WAN optimization and application acceleration solutions”) gives you a very honest insight in what you’ll get from the book. Since every successful network deployment project starts with good planning, analysis and design phases, this is without doubt the first book you need to have before you start thinking about deploying WAAS in your network.

Find out more about WAAS.

The first three chapters deal with the economic background of the Internet, IPv6 myths and realities, and the economic reasons why someone would want to migrate to IPv6. You might find these chapters a bit long-winded; I was persuaded after a few pages and had to delve through roughly 80 more to get to the more interesting topics. However, these chapters reflect the authors’ past experiences with people who are still in denial about the need for IPv6, and I’m positive that you’ll eventually find an answer to every issue your boss or coworker will raise when you try to persuade them that it’s time to start IPv6 preparation in your network.

The core of the book is Chapters 4 and 5, which describe various IPv6 adoption strategies and business cases. As I suspected, the majority of the IPv6 early adopters came from the service provider world, as these networks have had to cope with dramatic increases in the numbers of residential end users. The book lists a number of enterprise case studies, but only one of them (Bechtel Corporation) is what I would consider a typical enterprise network. The others are an educational network in Greece, Cisco Systems, Arch Rock (a startup manufacturing wireless sensors) and Command Information (a professional services organization working for the U.S. government). Very likely, the corporate networks will encounter IPv6 initially in their DMZ subnet when the adoption of IPv6 by their customers forces them to deploy dual-stack solutions on public servers.

Chapter 6, which concludes the book, contains step-by-step recommendations for IPv6 migration planning, from objectives definition phase through needs and equipment assessments to training and deployment issues. In this chapter, you’ll likely find information that will help you to make a seamless transition to IPv6.