Chapter 11: Modular Policy Framework
- Amie Rose Reed
Modular Policy Framework (MPF) is very similar to the Cisco IOS software QoS CLI and provides a flexible way to configure security appliance features. MPF is supported with these features:

- QoS input policing
- TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization
- CSC
- Application inspection
- IPS
- QoS output policing
- QoS standard priority queue
- QoS traffic shaping, hierarchical priority queue

Configuration of Modular Policy Framework consists of three main tasks.

Class-map: Classifies the traffic on which you want to perform MPF actions by creating Layer 3/4 class maps. For example, we might want to perform actions on all traffic that passes through the security appliance, or only on traffic from /24 to any destination address. Various types of match criteria in a class map can be used to classify traffic; the primary criterion is an access control list (ACL). Where you want to match traffic at the application layer you can create a Layer 7 class map, for example to match the PUT command in an FTP session.

Policy-map: After the security appliance has identified the traffic using a class map, it uses a policy map to apply actions to it. An example is a policy map that limits the maximum number of TCP connections towards a certain server. As with class maps, we can create a Layer 3/4 policy map or a Layer 7 policy map.

Service-policy: Activates a policy map globally on all interfaces or on a selected interface. There can be one global policy and one policy per interface. By default, the security appliance includes a default policy which is applied globally. Please note that there can be only one global policy at a time; if we need to change it we either edit the global policy or create a new one.

Figure 11.1: The chart illustrates the structure of how the ASA Modular Policy Framework would be implemented.

  Class Map        Policy Map        Service Policy
  Internet Users   IPS and Inspect   Outside interface
  Sales Users      Police            Outside interface
  Voice Traffic    Prioritize        Inside interface
  Normal Traffic   Inspect           All interfaces

Configuring Class-Maps

By default there is a Layer 3/4 class map that the security appliance uses in its default global policy. It is named inspection_default and matches the default inspection traffic. Another class map that exists in the default configuration is called class-default, which matches all traffic but is not applied by any service policy. You can use the class-default class map if required, rather than making your own "match any" class map.

A class map supports several types of match entries:

- match any: matches any traffic
- match access-list: matches traffic based on an access control list
- match port: matches traffic based on TCP/UDP port numbers
- match default-inspection-traffic: matches the default ports of the supported applications
- match dscp: matches traffic based on DSCP values in the IP header
- match precedence: matches specific precedence values in the IP header
- match rtp: matches a port range of RTP traffic
- match tunnel-group: matches the traffic of a specific site-to-site VPN tunnel or remote access VPN group
- match flow ip: used together with match tunnel-group above

Please note that default-inspection-traffic is a set of pre-defined match entries for several applications working on their default ports. Below is a chart listing those applications:

  Application                              Type      Port
  CTIQBE (Computer Telephony Interface)    TCP       2748
  DNS                                      UDP       53
  FTP                                      TCP       21
  GTP (GPRS Tunneling Protocol)            UDP       2123, 3386 (requires special license)
  H323 H225                                TCP       1720
  H323 RAS                                 UDP
  HTTP                                     TCP       80
  ICMP                                     N/A       N/A
  ILS (LDAP)                               TCP       389
  IPSec Pass-Through                       UDP       500
  MGCP (Media Gateway Control Protocol)    UDP       2427, 2727
  NetBIOS Name Server                      UDP       137, 138 (source ports)
  PPTP                                     TCP       1723
  RADIUS Accounting                        UDP       1646
  RSH                                      TCP       514
  RTSP                                     TCP       554
  SIP                                      TCP/UDP   5060
  SCCP (Cisco Skinny)                      TCP       2000
  SMTP-ESMTP                               TCP       25
  SNMP                                     UDP       161, 162
  SQL*NET                                  TCP       1521
  SUN RPC                                  UDP       111
  TFTP                                     UDP       69
  XDMCP                                    UDP       177

Most of the protocols in the table above are inspected by the ASA in its default configuration. Inspection plays a major role when it comes to returning traffic, especially with complicated protocols like FTP.
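The data-connection problem that makes FTP hard for a plain stateful firewall, as an added worked example (not code from the chapter): a constructed control session between a constructed inside client (10.1.1.25) and outside server (203.0.113.10) is read line by line, the way inspect ftp watches the control channel, and the secondary connection the firewall must permit is derived from each PORT command and 227 reply; a PORT that names some other host is refused. All addresses, ports and session lines are constructed.

```python
"""Added example (not from the chapter): derive the data-connection pinholes that FTP
inspection must open. A constructed control session between a constructed inside client
(10.1.1.25) and outside server (203.0.113.10) is read line by line, the way 'inspect ftp'
watches the control channel; every address, port and message here is made up."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

CLIENT_IP = "10.1.1.25"       # constructed inside host ("Bob")
SERVER_IP = "203.0.113.10"    # constructed outside FTP server
FTP_DATA_PORT = 20            # server-side source port of an active-mode data connection
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Pinhole:
    """One secondary TCP connection a plain stateful firewall has no state for."""
    mode: str                  # "active" (server connects to client) or "passive"
    src_ip: str
    src_port: Optional[int]    # None: any ephemeral source port
    dst_ip: str
    dst_port: int


def decode_hostport(text: str) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 tuple of a PORT command or a 227 reply."""
    match = HOSTPORT.search(text)
    if match is None:
        raise ValueError(f"no host-port tuple in {text!r}")
    fields = [int(f) for f in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in {text!r}")
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError(f"zero port in {text!r}")
    return ".".join(str(f) for f in fields[:4]), port


def ftp_pinholes(control: Iterable[Tuple[str, str]], client_ip: str,
                 server_ip: str) -> Tuple[List[Pinhole], List[str]]:
    """Walk (speaker, line) pairs of the control channel; return (pinholes, rejected lines).

    Active mode: the client announces a listening port with PORT and the server then
    connects *to* the client from port 20. Passive mode: the 227 reply announces a server
    port the client will connect to. A PORT or 227 that names a host other than the
    speaker's own address is rejected: inspection must never open a pinhole towards a
    third party on the strength of a control-channel message.
    """
    pinholes: List[Pinhole] = []
    rejected: List[str] = []
    for speaker, line in control:
        verb = line.split(" ", 1)[0].upper()
        if speaker == "client" and verb == "PORT":
            ip, port = decode_hostport(line)
            if ip != client_ip:
                rejected.append(line)
                continue
            pinholes.append(Pinhole("active", server_ip, FTP_DATA_PORT, client_ip, port))
        elif speaker == "server" and verb == "227":
            ip, port = decode_hostport(line)
            if ip != server_ip:
                rejected.append(line)
                continue
            pinholes.append(Pinhole("passive", client_ip, None, server_ip, port))
    return pinholes, rejected


# Constructed control session: one active transfer, one passive transfer, and one
# PORT command that names a different host and must not result in a pinhole.
SAMPLE_SESSION = [
    ("client", "USER bob"),
    ("server", "230 Login successful."),
    ("client", "PORT 10,1,1,25,4,1"),        # client listens on 10.1.1.25:1025 (4*256+1)
    ("server", "200 PORT command successful."),
    ("client", "LIST"),
    ("server", "226 Directory send OK."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (203,0,113,10,195,89)."),   # 195*256+89 = 50009
    ("client", "RETR report.txt"),
    ("client", "PORT 203,0,113,99,4,2"),     # names a third host: rejected, no pinhole
]

if __name__ == "__main__":
    holes, bad = ftp_pinholes(SAMPLE_SESSION, CLIENT_IP, SERVER_IP)
    for hole in holes:
        print(f"{hole.mode}: permit tcp {hole.src_ip}:{hole.src_port or 'any'} "
              f"-> {hole.dst_ip}:{hole.dst_port}")
    print("rejected:", bad)
```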
For example, Bob, who is connected to the inside interface of the ASA, connects to an FTP server attached to the outside interface of the security appliance. Data is initiated towards the server on port 21 using the control connection. The server returns traffic on port 20 using the data connection. A stateful firewall will not allow that kind of traffic, since the traffic is now using a different port. In this scenario the inspection feature of the security appliance helps determine whether the traffic is legitimate or not, depending on the protocol used. Other protocols have the same problem in their data flow as FTP does, and thus inspecting them at the application layer helps ensure smooth network connectivity.

A default class map exists on the security appliance which matches the default-inspection-traffic. You can view this default class map using the show run class-map command.

Configuration Example:

Step 1: Create ACL

  ciscoasa(config)# access-list id [line line-num] [extended] {deny | permit} protocol {src_ipaddr src_ipmask | any | host ip_address} [operator port] {dest_ipaddr dest_ipmask | any | host ip_address} [operator port]

We will create an ACL which defines the traffic source and destination:

  ciscoasa(config)# access-list ftp_traffic permit tcp host any eq 21

Step 2: Create class-map

  ciscoasa(config)# class-map class_map_name

Use the class-map command to assign a unique name to the class map:

  ciscoasa(config)# class-map FTP_TRAFFIC

Step 3: Description (optional)

  ciscoasa(config-cmap)# description class_map_description

We will add a description which helps us identify the class map easily:

  ciscoasa(config-cmap)# description Matches ftp traffic

Step 4: Match statement

  ciscoasa(config-cmap)# match access-list ACL_ID

We will match traffic based on the ACL entry we made before:

  ciscoasa(config-cmap)# match access-list ftp_traffic

Configuring Policy-Maps

As discussed earlier there are two types of policy maps, Layer 3/4 and Layer 7. We will restrict our discussion to Layer 3/4 maps in this chapter. Layer 3/4 policy maps associate one or more policies with traffic that matches a match command in a Layer 3/4 class map. When more than one policy is associated with the class map, the policies are enforced in the order listed below:
1. Connection limits, connection timeouts and TCP sequence number randomization
2. CSC card
3. Stateful and application inspection
4. IPS card
5. Input policing
6. Output policing
7. Priority queuing

Configuration Example:

Step 1: Create policy-map

  ciscoasa(config)# policy-map policy_map_name

Use the policy-map command to assign a unique name to the policy map:

  ciscoasa(config)# policy-map FTP_TRAFFIC

Step 2: Description (optional)

  ciscoasa(config-pmap)# description policy_map_description

We will add a description which helps us identify the policy map easily:

  ciscoasa(config-pmap)# description FTP_LIMITS

Step 3: Reference class map

  ciscoasa(config-pmap)# class class_map_name

We will reference the class map created earlier, after which the security appliance takes us into a second subcommand mode. Here we can apply multiple policies to that traffic.

  ciscoasa(config-pmap)# class FTP_TRAFFIC

Next we need to configure actions. There are several types of actions which can be applied to a policy map. Below is a list of the available categories:

- csc: sends traffic to the Content Security and Control service module
- ips: sends traffic to the Intrusion Prevention service module
- set connection: enforces connection limits on traffic
- inspect: applies protocol inspection to traffic
- police: limits the rate of traffic
- priority: applies priority to traffic

We will look into each of these actions using a couple of scenarios.

Configuring Service-Policy

The service policy is the third component of Modular Policy Framework; in other words, it is the activation of your previously configured policy maps. You can activate a policy map globally or on a specific interface, however there can only be one policy applied per location. Where you have applied a global policy along with a policy on an interface, the interface policy overrides the global policy settings.

Configuration Example:

Step 1: Define policy

  ciscoasa(config)# service-policy policy_map_name interface interface_name

OR

  ciscoasa(config)# service-policy policy_map_name global

By default, the configuration includes a global policy that matches all default application inspection traffic and applies inspection to that traffic globally. Because you can only apply one global policy, when defining a policy globally you need to either edit the default policy or disable it and apply a new one.

  ciscoasa(config)# service-policy FTP_TRAFFIC

Using MPF for Content Security Control Module

The Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM) combines comprehensive malware protection with advanced traffic and message compliance for the Cisco ASA family of multifunction security appliances.

Figure 11.2: Cisco Content Security Control Module for ASA

Below is a feature list of the CSC-SSM:

- Antivirus: Award-winning antivirus technology shields internal network resources from virus attacks at the most effective point in your infrastructure, the Internet gateway. Cleaning e-mail and Internet web traffic at the perimeter helps ensure business continuity and eliminates the need for resource-intensive malware infection clean-ups.
- Anti-Spyware: Blocks spyware from entering the network through Internet web and e-mail traffic. Frees up IT support resources from costly spyware removal procedures and improves employee productivity by blocking spyware at the gateway.
- Anti-Spam: Effectively blocks spam with extremely low false positives, helping to maintain the effectiveness of communications, so contact with customers, vendors and partners continues uninterrupted and without distraction.
- Anti-phishing: Protection against spoofed identity and sourcing guards against phishing attacks, thereby preventing employees from inadvertently disclosing company or personal details which can often lead to financial loss.
- Automatic Updates from TrendLabs: Backed and supported by one of the largest teams of virus, spyware and spam experts in the industry, working 24x7 to ensure that your solution is providing the most up-to-date protection, automatically.
- Central Administration: Easy "set-and-forget" administration through a remotely accessible Web console and automated updates reduces deployment time and effort as well as recurring IT support costs.
- Real-Time Protection for Web Access, Mail and File Transfers: Even if a company is already protected, many employees will access their own private Webmail from company PCs or laptops, introducing another entry point for Internet-borne threats. Employees may also directly download programs or files that may be contaminated. Real-time protection of all Web traffic at the Internet gateway greatly reduces this often-overlooked point of vulnerability.
- Full URL Filtering Capability with Categories, Scheduling and Caching: URL filtering can be used to control employee Internet usage by blocking access to inappropriate or non-work-related websites, thereby improving employee productivity and limiting the risk of legal action being taken by employees exposed to offensive Web content.
- Content Filtering: Content filtering minimizes legal liability due to exposure to offensive material transferred by e-mail and enforces regulatory compliance, helping organizations meet the requirements of legislation such as Gramm-Leach-Bliley and the Data Protection Act.

The Cisco ASA 5500 Series CSC-SSM ships with a default feature set that provides antivirus, anti-spyware and file blocking services. A premium Plus license is available for additional capabilities including anti-spam, anti-phishing, URL blocking/filtering and content control services. The optional Plus pack feature license is available for an additional charge for each CSC-SSM.

Figure 11.3: Network on which traffic would be sent to the CSC module using MPF
The CSC module can inspect and filter HTTP, POP3, SMTP and FTP on their default ports. Shown in Figure 11.3 is a network where the security appliance is connected to the Internet on interface Gi0/0 (outside) and to the internal network on interface Gi0/1 (inside); servers are connected using interface Gi0/2 (DMZ). We will configure the security appliance to send traffic to the CSC module, which scans it before it is sent on to the actual destination.

Step 1: Configure access-list

  ciscoasa(config)# access-list CSC extended permit ip any
  ciscoasa(config)# access-list CSC extended permit tcp host any host eq 25

We have configured two access control entries: the first is for traffic moving from inside towards the outside of the network, while in the second entry the traffic is destined towards the server from the Internet.

Step 2: Create class-map

  ciscoasa(config)# class-map CSC_TRAFFIC

Step 3: Match statement

  ciscoasa(config-cmap)# match access-list CSC

We will match traffic based on the ACL entry we made before.

Step 4: Edit policy-map

Since we want these inspections to be applied globally, and there can be only one global service policy active at a time, we will edit the existing policy map which is already applied globally. We can configure the security appliance to send the traffic to the CSC module in either fail-close or fail-open mode. Please note that the csc option will only be configurable and visible if you have a CSC card inserted in the security appliance.

  ciscoasa(config)# policy-map global_policy
  ciscoasa(config-pmap)# class CSC_TRAFFIC
  ciscoasa(config-pmap-c)# csc fail-open

fail-close = if the CSC card fails, traffic is dropped
fail-open = if the CSC card fails, traffic is forwarded without inspection

Using MPF for Intrusion Prevention System Module

The Cisco AIP SSM and AIP SSC combine inline prevention services with innovative technologies to improve accuracy. For you, this means confidence in the protection offered by your IPS solution without the fear of legitimate traffic being dropped. When deployed within Cisco ASA 5500 Series appliances, the AIP SSM and AIP SSC offer comprehensive protection of your IPv6 and IPv4 networks by collaborating with other network security resources, providing a proactive approach to protecting your network.

Either a CSC or an AIP module can be plugged into the security appliance at one time. The AIP module can operate in two modes. IDS/IPS sensors operate in promiscuous mode by default, which means that a device (often a switch) captures traffic for the sensor and forwards a copy to the sensor for analysis. Because the device works with a copy of the traffic, it performs IDS: it can detect an attack and send an alert, but it does not prevent the attack from entering the network. When we use sensors in inline mode, traffic passes through the device before it reaches its actual destination. This gives the sensor the ability to block traffic from entering the network, ensuring greater security.

We will refer to Figure 11.3, illustrated in the topic Using MPF for Content Security Control Module, and will send all traffic which comes from the outside zone to the DMZ for inspection.

Figure 11.4: IPS module working in inline mode
Figure 11.5: IPS module working in promiscuous mode

Configuration Example:

Step 1: Configure access-list

  ciscoasa(config)# access-list AIP extended permit ip any host
  ciscoasa(config)# access-list AIP extended permit ip any host

We have configured two access control entries: the first is for traffic moving from inside towards the outside of the network, while in the second entry the traffic is destined towards the server from the Internet.

Step 2: Create class-map

  ciscoasa(config)# class-map AIP_TRAFFIC

Step 3: Match statement

  ciscoasa(config-cmap)# match access-list AIP

We will match traffic based on the ACL entry we made before.

Step 4: Create policy-map

We will configure the security appliance to send the selected traffic to the IPS module by creating a policy map and associating the class map created earlier with it.

  ciscoasa(config)# policy-map IPS
  ciscoasa(config-pmap)# class AIP_TRAFFIC

Step 5: Send traffic

We will send the traffic to the IPS module.

  ciscoasa(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open}

fail-close = if the module fails, traffic is dropped
fail-open = if the module fails, traffic is forwarded without inspection

  ciscoasa(config-pmap-c)# ips promiscuous fail-open

Step 6: Apply service-policy

We will attach this policy to the outside interface.

  ciscoasa(config)# service-policy IPS interface outside

Using MPF for setting TCP connection limits

set connection under a policy map is used to enforce connection limits for selected traffic flows. When a packet matches the specified source and destination addresses it is subject to the connection limit as defined. We can use set connection to configure the following items:

- conn-max: maximum number of simultaneous connections allowed; helps protect against DoS attacks
- per-client-max: limits the number of simultaneous connections on a per-host basis
- embryonic-conn-max: limits the number of half-open TCP connections; protects against SYN attacks
- per-client-embryonic-max: limits the number of half-open TCP connections per client

Figure 11.6: Network on which TCP connections would be limited using MPF

In this scenario we will configure the security appliance to restrict the number of simultaneous sessions for traffic coming from outside to the server and for traffic going from inside to the Internet.

Step 1: Configure access-list

A) ACL for traffic moving from outside to the server in the DMZ

  ciscoasa(config)# access-list outside_in extended permit tcp any host eq 25

B) ACL for traffic from the inside machine towards the outside world

  ciscoasa(config)# access-list inside_in extended permit ip host any

Step 2: Create class-map

A) We will create a class map for users accessing the server in the DMZ from outside

  ciscoasa(config)# class-map cmap_outside_dmz

B) Class map for users accessing the Internet from the inside zone

  ciscoasa(config)# class-map cmap_inside_outside

Step 3: Match statement

A) We will add the match statement for users accessing the server in the DMZ from outside under class map cmap_outside_dmz

  ciscoasa(config-cmap)# match access-list outside_in

B) We will then add the match statement for users accessing the Internet from the inside zone under class map cmap_inside_outside

  ciscoasa(config-cmap)# match access-list inside_in
Step 4: Create policy-map

A) Create the policy map for outside to DMZ. We will create a policy map and assign the earlier configured class to it.

  ciscoasa(config)# policy-map pmap_outside_dmz
  ciscoasa(config-pmap)# class cmap_outside_dmz

B) Create the policy map for inside to outside. We will create a policy map and assign the earlier configured class to it.

  ciscoasa(config)# policy-map pmap_inside_outside
  ciscoasa(config-pmap)# class cmap_inside_outside

Step 5: Set connection limits

Depending on our requirements we can set restrictions on these policy maps.

A) Set connection limits for data travelling from outside to the DMZ

  ciscoasa(config-pmap-c)# set connection conn-max 4000
  ciscoasa(config-pmap-c)# set connection per-client-max 200
  ciscoasa(config-pmap-c)# set connection embryonic-conn-max 2000

B) Set connection limits for data travelling from inside to outside

  ciscoasa(config-pmap-c)# set connection conn-max 4000
  ciscoasa(config-pmap-c)# set connection per-client-max 200
  ciscoasa(config-pmap-c)# set connection embryonic-conn-max 2000

Step 6: Apply service-policy

We will attach both policies in their respective directions:

  ciscoasa(config)# service-policy pmap_outside_dmz interface outside
  ciscoasa(config)# service-policy pmap_inside_outside interface inside

Using MPF for Traffic Inspection

As discussed earlier, the security appliance has a default class map, policy map and service policy. Below is what you see in show running-config:

  class-map inspection_default
   match default-inspection-traffic
  !
  !
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  !
  service-policy global_policy global
  prompt hostname context

There is a default class map (class-map inspection_default), a default policy map (policy-map global_policy) and a default service policy applied globally (service-policy global_policy global). We can go under policy-map global_policy, class inspection_default and type inspect ? to see which other protocols are supported for inspection, and can add other protocols for inspection as required. The inspect command looks for common security issues at the application layer and prevents them, and looks for additional connections that need to be opened, e.g. for FTP or VoIP traffic. It also looks for embedded addressing information inside packets that must be translated with NAT.

Using MPF for Policing and Rate Limiting

A rate-limiting policy is commonly called a policing policy, and can be configured to affect traffic as it enters (ingress) and/or leaves (egress) an interface. The parameters used to enforce the policy are similar to how committed information rate and committed burst rate are used in Frame Relay, using the leaky bucket algorithm to handle small bursts of traffic. Let's say we want to apply policing to a specific IPsec remote access user group as follows:

Maximum allowed bandwidth = 1024 kbps
Burst size = 1536 kbps

Step 1: Configure class-map

  ciscoasa(config)# class-map VPN_USERS

Step 2: Match tunnel-group

  ciscoasa(config-cmap)# match tunnel-group VPN

We discussed earlier that class maps can also match on tunnel groups. We will use the tunnel group of the remote user VPN group to match the traffic.

Step 3: Create policy-map
  ciscoasa(config)# policy-map VPN_Policy

Step 4: Match class

  ciscoasa(config-pmap)# class VPN_USERS

Step 5: Define policy

A) Incoming policy

  ciscoasa(config-pmap-c)# police input conform-action transmit exceed-action drop

B) Outgoing policy

  ciscoasa(config-pmap-c)# police output conform-action transmit exceed-action drop

The security appliance accepts police input/output rates in bits per second, thus we converted 1024 kbps to bits per second. Note that the burst value has to be in bytes [Burst size = (conform rate in bps)/8*1.5].

Step 6: Apply service-policy

We will attach this policy to the outside interface.

  ciscoasa(config)# service-policy VPN_Policy interface outside

Using MPF for Voice Traffic Prioritization

Packet prioritization is used on the egress of an interface to prioritize traffic before it exits the interface. Prioritization is normally used for delay-sensitive traffic, like voice or video. Only low-latency queuing (LLQ) is supported for prioritization on the security appliance. Each interface of the security appliance has two queues: a priority queue, which is used to transmit delay-sensitive traffic, and a default queue, which transmits all other traffic.

Step 1: Configure ACL

  ciscoasa(config)# access-list voip_acl extended permit ip

Step 2: Configure class-map

  ciscoasa(config)# class-map cmap_voip_vpn

Step 3: Match ACL

  ciscoasa(config-cmap)# match access-list voip_acl

Step 4: Create policy-map

  ciscoasa(config)# policy-map pmap_voip_vpn

Step 5: Match class

  ciscoasa(config-pmap)# class cmap_voip_vpn

Step 6: Set priority

  ciscoasa(config-pmap-c)# priority

Step 7: Enable priority queue

  ciscoasa(config)# priority-queue inside

We will enable the priority queue on the selected interface.
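The class-map, policy-map and service-policy structure this chapter builds, checked mechanically, as an added example (not code from the chapter and not a Cisco tool): it parses a constructed running-config fragment in the format shown under Using MPF for Traffic Inspection and reports the mistakes the chapter warns about, namely a class or policy map referenced but never defined, more than one service policy on one interface, set connection limits that contradict each other, and a police burst that does not follow the chapter's rule burst = rate/8*1.5. The configuration embedded in the block, including its deliberate errors, is constructed.

```python
"""Added example (not from the chapter, not a Cisco tool): static checks on an ASA MPF
configuration fragment. Reports what the chapter says must not happen: a class or policy
map referenced but never defined, more than one service policy per interface or globally,
contradictory set connection limits, and a police burst that breaks the chapter's rule
burst = rate / 8 * 1.5. The configuration below is constructed for the demonstration."""
from collections import defaultdict

CONSTRUCTED_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map cmap_outside_dmz
 match access-list outside_in
class-map VPN_USERS
 match tunnel-group VPN
class-map cmap_unused
 match any
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
policy-map pmap_outside_dmz
 class cmap_outside_dmz
  set connection conn-max 4000 per-client-max 200
  set connection embryonic-conn-max 5000
policy-map VPN_Policy
 class VPN_USERS
  police input 1024000 192000 conform-action transmit exceed-action drop
  police output 1024000 256000 conform-action transmit exceed-action drop
policy-map pmap_inside_outside
 class cmap_inside_outside
  set connection conn-max 4000
service-policy global_policy global
service-policy pmap_outside_dmz interface outside
service-policy VPN_Policy interface outside
service-policy pmap_voip interface inside
"""


def parse_mpf(text):
    """Return ({class-map: [matches]}, {policy-map: {class: [actions]}}, [(policy-map, location)]).
    Layer 7 'type' maps are skipped, as the chapter covers Layer 3/4 policy maps only."""
    cmaps, pmaps, service = {}, {}, []
    cur_cmap = cur_pmap = cur_class = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        indent, words = len(raw) - len(raw.lstrip()), raw.split()
        if indent == 0:                      # new top-level section
            cur_cmap = cur_pmap = cur_class = None
            if words[0] == "class-map" and words[1] != "type":
                cur_cmap, cmaps[words[1]] = words[1], []
            elif words[0] == "policy-map" and words[1] != "type":
                cur_pmap, pmaps[words[1]] = words[1], {}
            elif words[0] == "service-policy":
                service.append((words[1], " ".join(words[2:])))
        elif cur_cmap is not None:
            cmaps[cur_cmap].append(" ".join(words))
        elif cur_pmap is not None and words[0] == "class" and indent == 1:
            cur_class, pmaps[cur_pmap][words[1]] = words[1], []
        elif cur_class is not None:
            pmaps[cur_pmap][cur_class].append(" ".join(words))
    return cmaps, pmaps, service


def check_actions(where, actions):
    """Findings for the actions under one class of one policy map."""
    findings, limits = [], {}
    for action in actions:
        words = action.split()
        if words[:2] == ["set", "connection"]:
            for key, value in zip(words[2::2], words[3::2]):
                limits[key] = int(value)
        elif words[0] == "police" and len(words) > 3 and words[3].isdigit():
            rate, burst = int(words[2]), int(words[3])
            expected = rate * 3 // 16        # the chapter's rule: rate / 8 * 1.5 bytes
            if burst != expected:
                findings.append(f"{where}: police {words[1]} burst {burst} does not match rate/8*1.5 = {expected}")
    conn_max = limits.get("conn-max", 0)     # 0 is 'no limit' on the ASA
    for key in ("per-client-max", "embryonic-conn-max"):
        if conn_max and limits.get(key, 0) > conn_max:
            findings.append(f"{where}: {key} {limits[key]} exceeds conn-max {conn_max}")
    return findings


def check_mpf(text):
    """Run every check over a config fragment and return the list of findings."""
    cmaps, pmaps, service = parse_mpf(text)
    findings, used, per_location = [], set(), defaultdict(list)
    for pname, classes in pmaps.items():
        for cname, actions in classes.items():
            used.add(cname)
            if cname not in cmaps and cname != "class-default":
                findings.append(f"policy-map {pname}: class {cname} is not defined")
            findings += check_actions(f"policy-map {pname} class {cname}", actions)
    findings += [f"class-map {c} is not used by any policy-map" for c in cmaps if c not in used]
    for pname, location in service:
        if pname not in pmaps:
            findings.append(f"service-policy {pname}: policy-map is not defined")
        per_location[location].append(pname)
    for location, names in per_location.items():
        if len(names) > 1:                   # one global policy, one policy per interface
            findings.append(f"{location}: more than one service-policy ({', '.join(names)})")
    return findings


if __name__ == "__main__":
    for finding in check_mpf(CONSTRUCTED_CONFIG):
        print(finding)
```

Run against a real show running-config, the same checks flag the case the chapter singles out, a second service-policy on an interface that already has one, before the appliance silently refuses it.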
Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols
More informationIxLoad-Attack: Network Security Testing
IxLoad-Attack: Network Security Testing IxLoad-Attack tests network security appliances determining that they effectively and accurately block attacks while delivering high end-user quality of experience
More informationAppendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003
http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with
More informationWe will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall
Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,
More informationFirewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT
Network Security s Access lists Ingress filtering s Egress filtering NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Static IP Packet Filter Corporate Network The Complexity of
More informationQoS Queuing on Cisco Nexus 1000V Class-Based Weighted Fair Queuing for Virtualized Data Centers and Cloud Environments
QoS Queuing on Cisco Nexus 1000V Class-Based Weighted Fair Queuing for Virtualized Data Centers and Cloud Environments Intended Audience Virtualization architects, network engineers or any administrator
More informationImplementing Secure Converged Wide Area Networks (ISCW)
Implementing Secure Converged Wide Area Networks (ISCW) 1 Mitigating Threats and Attacks with Access Lists Lesson 7 Module 5 Cisco Device Hardening 2 Module Introduction The open nature of the Internet
More informationConfiguring Network Address Translation
CHAPTER5 Configuring Network Address Translation The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. This chapter contains the following major sections
More informationFirewalls, IDS and IPS
Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not
More informationFirewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)
s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware
More informationImproving Quality of Service
Improving Quality of Service Using Dell PowerConnect 6024/6024F Switches Quality of service (QoS) mechanisms classify and prioritize network traffic to improve throughput. This article explains the basic
More informationEasy Performance Monitor
First Published: July 30, 2013 The chapter describes how to configure (ezpm) for Application Visibility and Control (AVC). Finding Feature Information Your software release may not support all the features
More informationIBM. Tivoli. Netcool Performance Manager. Cisco Class-Based QoS 2.2.0.0 Technology Pack. User Guide. Document Revision R2E1
Tivoli Netcool Performance Manager Document Revision R2E1 IBM Cisco Class-Based QoS 2.2.0.0 Technology Pack User Guide Note Before using this information and the product it supports, read the information
More informationLab 8.1.10.2 Introduction to the Modular QoS Command-Line Interface
Lab 8.1.10.2 Introduction to the Modular QoS Command-Line Interface Objective Configuring Quality of Service (QoS) involves classifying, marking, and policing traffic flows. It is often necessary to apply
More informationsame-security-traffic through show asdm sessions Commands
24 CHAPTER same-security-traffic through show asdm sessions Commands 24-1 same-security-traffic Chapter 24 same-security-traffic To permit communication between interfaces with equal security levels, or
More informationCisco ASA 5500 Series Content Security Edition for the Enterprise
Cisco ASA 5500 Series Content Security Edition for the Enterprise Viruses and other malicious code can overwhelm your IT resources, disrupting business operations and impacting business transactions. The
More informationCisco ASA 5500 Series Anti-X Edition for the Enterprise
Solution Overview Cisco ASA 5500 Series Anti-X Edition for the Enterprise Viruses and other malicious code can overwhelm your IT resources disrupting business operations and impacting business transactions.
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network
More informationplixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels
Scrutinizer Competitor Worksheet Scrutinizer Malware Incident Response Scrutinizer is a massively scalable, distributed flow collection system that provides a single interface for all traffic related to
More informationSonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity
SSL-VPN Combined With Network Security Introducing A popular feature of the SonicWALL Aventail SSL VPN appliances is called End Point Control (EPC). This allows the administrator to define specific criteria
More informationChapter 4 Rate Limiting
Chapter 4 Rate Limiting HP s rate limiting enables you to control the amount of bandwidth specific Ethernet traffic uses on specific interfaces, by limiting the amount of data the interface receives or
More informationIntroduction TELE 301. Routers. Firewalls
Introduction TELE 301 Lecture 21: s Zhiyi Huang Computer Science University of Otago Discernment of Routers, s, Gateways Placement of such devices Elementary firewalls Stateful firewalls and connection
More informationEasy Performance Monitor
The chapter describes how to configure (ezpm) for Application Visibility and Control (AVC). Finding Feature Information, page 1 Information About, page 2 How to Configure, page 4 Verifying Configuration,
More informationNetworking for Caribbean Development
Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n
More informationChapter 9 Firewalls and Intrusion Prevention Systems
Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish
More informationComputer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1
Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton
More informationEnabling Remote Access to the ACE
CHAPTER 2 This chapter describes how to configure remote access to the Cisco Application Control Engine (ACE) module by establishing a remote connection by using the Secure Shell (SSH) or Telnet protocols.
More informationHow To Set Up A Cisco Safesa Firewall And Security System
Cisco ASA Aii-in-Qne Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, Second Edition Jazib Frahim, CCIE No. 5459 Omar Santos / Cisco Press 800 East 96th Street Indianapolis, IN 46240 VII Contents
More informationAutoQoS for Medianet
Appendix A AutoQoS for Medianet As of August 2010, an updated version of AutoQoS was released for the Catalyst 2960- G/S, 3560-G/E/X, and 3750-G/E/X family of switches (with IOS Release 12.2(55)SE). This
More informationLab 12.1.7 Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance
Lab 12.1.7 Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance Objective Scenario Estimated Time: 20 minutes Number of Team Members: Two teams with four students per team
More informationMonitoring and analyzing audio, video, and multimedia traffic on the network
Monitoring and analyzing audio, video, and multimedia traffic on the network Slavko Gajin slavko.gajin@rcub.bg.ac.rs AMRES Academic Network of Serbia AMRES Academic Network of Serbia RCUB - Belgrade University
More informationCisco SA 500 Series Security Appliances
Cisco SA 500 Series Security Appliances An All-in-One Security Solution to Secure Your Small Business The Cisco SA 500 Series Security Appliances, part of the Cisco Small Business Pro Series, are comprehensive
More informationThe Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series
Cisco IOS Firewall Feature Set Feature Summary The Cisco IOS Firewall feature set is available in Cisco IOS Release 12.0. This document includes information that is new in Cisco IOS Release 12.0(1)T, including
More informationIPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016
IPv6 Firewalls ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok Last updated 17 th May 2016 1 Acknowledgements p Contains material from n Stallings and Brown (2015) n Ian Welch (Victoria
More informationConfiguring the ASA IPS Module
CHAPTER 62 This chapter describes how to configure the ASA IPS module. The ASA IPS module might be a physical module or a software module, depending on your ASA model. For a list of supported ASA IPS modules
More informationEasy Performance Monitor
The chapter describes how to configure (ezpm) for Application Visibility and Control (AVC). Finding Feature Information, page 1 Information About, page 1 How to Configure, page 3 Configuration Examples
More informationCisco ASA 5500 Series Unified Communications Deployments
5500 Series Unified Communications Deployments Cisco Unified Communications Solutions unify voice, video, data, and mobile applications on fixed and mobile networks, enabling easy collaboration every time,
More informationForeword Introduction Product Overview Introduction to Network Security Firewall Technologies Network Firewalls Packet-Filtering Techniques
Foreword Introduction Product Overview Introduction to Network Security Firewall Technologies Network Firewalls Packet-Filtering Techniques Application Proxies Network Address Translation Port Address
More informationCisco ASA 5500 Series Adaptive Security Appliance 8.2 Software Release
Cisco ASA 5500 Series Adaptive Security Appliance 8.2 Software Release PB526545 Cisco ASA Software Release 8.2 offers a wealth of features that help organizations protect their networks against new threats
More informationNETASQ MIGRATING FROM V8 TO V9
UTM Firewall version 9 NETASQ MIGRATING FROM V8 TO V9 Document version: 1.1 Reference: naentno_migration-v8-to-v9 INTRODUCTION 3 Upgrading on a production site... 3 Compatibility... 3 Requirements... 4
More informationPCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data
White Paper PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data Using credit cards to pay for goods and services is a common practice. Credit cards enable easy and
More informationTECHNICAL NOTE. FortiGate Traffic Shaping Version 2.80. www.fortinet.com
TECHNICAL NOTE FortiGate Traffic Shaping Version 2.80 www.fortinet.com FortiGate Traffic Shaping Technical Note Version 2.80 March 10, 2006 01-28000-0304-20060310 Copyright 2005 Fortinet, Inc. All rights
More informationPrototype Cloud-based Services on MPLS Service Provider in Iraq
Prototype Cloud-based Services on MPLS Service Provider in Iraq Shahad H. Zwayen College of Information Engineering Al-Nahrain University Iraq, Baghdad Mustapha B. Ibrahim College of Information Engineering
More informationDS3 Performance Scaling on ISRs
This document provides guidelines on scaling the performance of DS3 interface (NM-1T3/E3) for the Cisco 2811/2821/2851/3825/3845 Integrated Services Routers. The analysis provides following test results;
More informationACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0
ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0 Module 1: Vulnerabilities, Threats, and Attacks 1.1 Introduction to Network Security
More informationIPS AIM for Cisco Integrated Services Routers
IPS AIM for Cisco Integrated Services Routers Technical Overview James Weathersby, TME, ARTG Tina Lam, Product Manager, ARTG 1 Cisco Integrated Threat Control Industry-Certified Security Embedded Within
More informationThis topic lists the key mechanisms use to implement QoS in an IP network.
IP QoS Mechanisms QoS Mechanisms This topic lists the key mechanisms use to implement QoS in an IP network. QoS Mechanisms Classification: Each class-oriented QoS mechanism has to support some type of
More informationNetwork Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000
Network Security Protective and Dependable With the growth of the Internet threats, network security becomes the fundamental concerns of family network and enterprise network. To enhance your business
More informationIntroduction of Intrusion Detection Systems
Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:
More informationConfiguring QoS. Finding Feature Information. Prerequisites for QoS
Finding Feature Information, page 1 Prerequisites for QoS, page 1 QoS Components, page 2 QoS Terminology, page 3 Information About QoS, page 3 Restrictions for QoS on Wired Targets, page 41 Restrictions
More informationFortinet Network Security NSE4 test questions and answers:http://www.it-tests.com/NSE4.html
IT-TESTs.com IT Certification Guaranteed, The Easy Way! \ http://www.it-tests.com We offer free update service for one year Exam : NSE4 Title : Fortinet Network Security Expert 4 Written Exam (400) Vendor
More informationANNEXURE TO TENDER NO. MRPU/IGCAR/COMP/5239
ANNEXURE TO TENDER NO. MRPU/IGCAR/COMP/5239 Check Point Firewall Software and Management Software I. Description of the Item Up gradation, installation and commissioning of Checkpoint security gateway
More informationFIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall
More informationSonicwall Reporting Server
Sonicwall Reporting Server How to access the reporting server: Navigate to https://swreports.hitechsupport.com.au, and enter your username and password provided. After you have logged in, click on the
More informationPC-over-IP Protocol Virtual Desktop Network Design Checklist. TER1105004 Issue 2
PC-over-IP Protocol Virtual Desktop Network Design Checklist TER1105004 Issue 2 Teradici Corporation #101-4621 Canada Way, Burnaby, BC V5G 4X8 Canada p +1 604 451 5800 f +1 604 451 5818 www.teradici.com
More informationHow To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)
Security principles Firewalls and NAT These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) Host vs Network
More informationCisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software
LiveAction Application Note Cisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software January 2013 http://www.actionpacked.com Table of Contents 1. Introduction... 1 2. ASA NetFlow Security
More informationThe Basics. Configuring Campus Switches to Support Voice
Configuring Campus Switches to Support Voice BCMSN Module 7 1 The Basics VoIP is a technology that digitizes sound, divides that sound into packets, and transmits those packets over an IP network. VoIP
More informationStrategies to Protect Against Distributed Denial of Service (DD
Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics
More informationNetwork Security 1. Module 8 Configure Filtering on a Router
Network Security 1 Module 8 Configure Filtering on a Router Module 8 Configure Filtering on a Router 8.1 Filtering Technologies Packet Filtering Stateful Packet Filtering URL Filtering Module 8 Configure
More informationChapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall
Figure 5-1: Border s Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Border 1. (Not Trusted) Attacker 1 1. Corporate Network (Trusted) 2 Figure
More informationPCoIP Protocol Network Design Checklist. TER1105004 Issue 3
PCoIP Protocol Network Design Checklist TER1105004 Issue 3 Teradici Corporation #101-4621 Canada Way, Burnaby, BC V5G 4X8 Canada phone +1.604.451.5800 fax +1.604.451.5818 www.teradici.com The information
More informationImplementing Cisco Voice Communications and QoS
Implementing Cisco Voice Communications and QoS Course CVOICE v8.0; 5 Days, Instructor-led Course Description Implementing Cisco Voice Communications and QoS (CVOICE) v8.0 teaches learners about voice
More information- QoS and Queuing - Queuing Overview
1 Queuing Overview - QoS and Queuing - A queue is used to store traffic until it can be processed or serialized. Both switch and router interfaces have ingress (inbound) queues and egress (outbound) queues.
More information21.4 Network Address Translation (NAT) 21.4.1 NAT concept
21.4 Network Address Translation (NAT) This section explains Network Address Translation (NAT). NAT is also known as IP masquerading. It provides a mapping between internal IP addresses and officially
More information