Foreword Introduction Product Overview Introduction to Network Security Firewall Technologies Network Firewalls Packet-Filtering Techniques

Transcription

1 Foreword Introduction Product Overview Introduction to Network Security Firewall Technologies Network Firewalls Packet-Filtering Techniques Application Proxies Network Address Translation Port Address Translation Static Translation Stateful Inspection Firewalls Personal Firewalls Intrusion Detection and Prevention Technologies Network-Based Intrusion Detection and Prevention Systems Pattern Matching and Stateful Pattern-Matching Recognition Protocol Analysis Heuristic-Based Analysis Anomaly-Based Analysis Host-Based Intrusion Detection Systems Network-Based Attacks DoS Attacks TCP SYN Flood Attacks land.c Attacks Smurf Attacks DDoS Attacks Session Hijacking Virtual Private Networks Understanding IPSec Internet Key Exchange IKE Phase 1 IKE Phase 2 IPSec Protocols Authentication Header Encapsulation Security Payload IPSec Modes Transport Mode Tunnel Mode Product History Cisco Firewall Products

2 Cisco PIX Firewalls Cisco FWSM Cisco IOS Firewall Cisco IDS Products Cisco VPN Products Cisco ASA All-in-One Solution Firewall Services IPS Services VPN Services Hardware Overview Cisco ASA 5510 Model Cisco ASA 5520 Model Cisco ASA 5540 Model AIP-SSM Modules Firewall Solution Initial Setup and System Maintenance Accessing the Cisco ASA Appliances Establishing a Console Connection Command-Line Interface Managing Licenses Initial Setup Setting Up the Device Name Configuring an Interface Configuring a Subinterface Configuring a Management Interface DHCP Services IP Version 6 IPv6 Header Configuring IPv6 IP Address Assignment Setting Up the System Clock Manual Clock Adjustment Using clock set Automatic Clock Adjustment Using the Network Time Protocol Time Zones and Daylight Savings Time Configuration Management Running Configuration Startup Configuration Removing the Device Configuration Remote System Management

3 Telnet Secure Shell System Maintenance Software Installation Image Upgrade via the Cisco ASA CLI Image Recovery Using ROMMON Password Recovery Process Disabling the Password Recovery Process System Monitoring System Logging Enabling Logging Logging Types Additional Syslog Parameters Simple Network Management Protocol Configuring SNMP SNMP Monitoring CPU and Memory Monitoring Network Access Control Packet Filtering Types of ACLs Standard ACLs Extended ACLs IPv6 ACLs EtherType ACLs WebVPN ACLs Comparing ACL Features Configuring Packet Filtering Step 1: Set Up an ACL Step 2: Apply an ACL to an Interface Step 3: Set Up an IPv6 ACL (Optional) Advanced ACL Features Object Grouping Object Types Object Grouping and ACLs Standard ACLs Time-Based ACLs Absolute Periodic Downloadable ACLs ICMP Filtering

4 Content and URL Filtering Content Filtering ActiveX Filtering Java Filtering Configuring Content Filtering URL Filtering Configuring URL Filtering Deployment Scenarios Using ACLs Using ACLs to Filter Inbound and Outbound Traffic Enabling Content Filtering Using Websense Monitoring Network Access Control Monitoring ACLs Monitoring Content Filtering Understanding Address Translation Network Address Translation Port Address Translation Packet Flow Sequence Configuring Address Translation Static NAT Dynamic Network Address Translation Static Port Address Translation Dynamic Port Address Translation Policy NAT/PAT Bypassing Address Translation Identity NAT NAT Exemption NAT Order of Operation Integrating ACLs and NAT DNS Doctoring Monitoring Address Translations IP Routing Configuring Static Routes RIP Configuring RIP Verifying the Configuration Troubleshooting RIP Scenario 1: RIP Version Mismatch Scenario 2: RIP Authentication Mismatch Scenario 3: Multicast or Broadcast Packets Blocked Scenario 4: Correct Configuration and Behavior

5 OSPF Configuring OSPF Enabling OSPF Virtual Links Configuring OSPF Authentication Configuring the Cisco ASA as an ASBR Stub Areas and NSSAs ABR Type 3 LSA Filtering OSPF neighbor Command and Dynamic Routing over VPN Troubleshooting OSPF Useful Troubleshooting Commands Mismatched Areas OSPF Authentication Mismatch Troubleshooting Virtual Link Problems IP Multicast IGMP IP Multicast Routing Configuring Multicast Routing Enabling Multicast Routing Statically Assigning an IGMP Group Limiting IGMP States IGMP Query Timeout Defining the IGMP Version Configuring Rendezvous Points Configuring Threshold for SPT Switchover Filtering RP Register Messages PIM Designated Router Priority PIM Hello Message Interval Configuring a Static Multicast Route Troubleshooting IP Multicast Routing show Commands debug Commands Deployment Scenarios Deploying OSPF Deploying IP Multicast Authentication, Authorization, and Accounting (AAA) AAA Protocols and Services Supported by Cisco ASA RADIUS TACACS+ RSA SecurID

6 Microsoft Windows NT Active Directory and Kerberos Lightweight Directory Access Protocol Defining an Authentication Server Configuring Authentication of Administrative Sessions Authenticating Telnet Connections Authenticating SSH Connections Authenticating Serial Console Connections Authenticating Cisco ASDM Connections Authenticating Firewall Sessions (Cut-Through Proxy Feature) Authentication Timeouts Customizing Authentication Prompts Configuring Authorization Command Authorization Configuring Downloadable ACLs Configuring Accounting RADIUS Accounting TACACS+ Accounting Deployment Scenarios Deploying Authentication, Command Authorization, and Accounting for Administrative Sessions Deploying Cut-Through Proxy Authentication Troubleshooting AAA Troubleshooting Administrative Connections to Cisco ASA Troubleshooting Firewall Sessions (Cut-Through Proxy) Application Inspection Enabling Application Inspection Using the Modular Policy Framework Selective Inspection Computer Telephony Interface Quick Buffer Encoding Inspection Domain Name System Extended Simple Mail Transfer Protocol File Transfer Protocol General Packet Radio Service Tunneling Protocol GTPv0 GTPv1 Configuring GTP Inspection H.323 H.323 Protocol Suite H.323 Version Compatibility Enabling H.323 Inspection Direct Call Signaling and Gatekeeper Routed Control Signaling

7 T.38 HTTP Enabling HTTP Inspection strict-http content-length content-type-verification max-header-length max-uri-length port-misuse request-method transfer-encoding type ICMP ILS MGCP NetBIOS PPTP Sun RPC RSH RTSP SIP Skinny SNMP SQLNet TFTP XDMCP Deployment Scenarios ESMTP HTTP FTP Security Contexts Architectural Overview System Execution Space Admin Context Customer Context Packet Flow in Multiple Mode Packet Classification Packet Forwarding Between Contexts Configuration of Security Contexts Step 1: Enabling Multiple Security Contexts Globally Step 2: Setting Up the System Execution Space

8 Step 3: Specifying a Configuration URL Step 4: Allocating the Interfaces Step 5: Configuring an Admin Context Step 6: Configuring a Customer Context Step 7: Managing the Security Contexts (Optional) Deployment Scenarios Virtual Firewall Using Two Customer Contexts Virtual Firewall Using a Shared Interface Monitoring and Troubleshooting the Security Contexts Monitoring Troubleshooting Transparent Firewalls Architectural Overview Single-Mode Transparent Firewall Packet Flow in an SMTF Multimode Transparent Firewall Packet Flow in an MMTF Transparent Firewalls and VPNs Configuration of Transparent Firewall Configuration Guidelines Configuration Steps Step 1: Enabling Transparent Firewalls Step 2: Setting Up Interfaces Step 3: Configuring an IP Address Step 4: Configuring Interface ACLs Step 5: Adding Static L2F Table Entries (Optional) Step 6: Enabling ARP Inspection (Optional) Step 7: Modifying L2F Table Parameters (optional) Deployment Scenarios SMTF Deployment MMTF Deployment with Security Contexts Monitoring and Troubleshooting the Transparent Firewall Monitoring Troubleshooting Failover and Redundancy Architectural Overview Conditions that Trigger Failover Failover Interface Tests Stateful Failover

9 Hardware and Software Requirements Types of Failover Active/Standby Failover Active/Active Failover Asymmetric Routing Failover Configuration Active/Standby Failover Configuration Step 1: Select the Failover Link Step 2: Assign Failover IP Addresses Step 3: Set the Failover Key (Optional) Step 4: Designating the Primary Cisco ASA Step 5: Enable Stateful Failover (Optional) Step 6: Enable Failover Globally Step 7: Configure Failover on the Secondary Cisco ASA Active/Active Failover Configuration Step 1: Select the Failover Link Step 2: Assign Failover Interface IP Addresses Step 3: Set Failover Key Step 4: Designate the Primary Cisco ASA Step 5: Enable Stateful Failover Step 6: Set Up Failover Groups Step 7: Assign Failover Group Membership Step 8: Assign Interface IP Addresses Step 9: Set Up Asymmetric Routing (Optional) Step 10: Enable Failover Globally Step 11: Configure Failover on the Secondary Cisco ASA Optional Failover Commands Specifying Failover MAC Addresses Configuring Interface Policy Managing Failover Timers Monitoring Failover Interfaces Zero-Downtime Software Upgrade Deployment Scenarios Active/Standby Failover in Single Mode Active/Active Failover in Multiple Security Contexts Monitoring and Troubleshooting Failovers Monitoring Troubleshooting Quality of Service Architectural Overview

10 Traffic Policing Traffic Prioritization Packet Flow Sequence Packet Classification IP Precedence Field IP DSCP Field IP Access Control List IP Flow VPN Tunnel Group QoS and VPN Tunnels Configuring Quality of Service Step 1: Set Up a Class Map Step 2: Configure a Policy Map Step 3: Apply the Policy Map on the Interface Step 4: Tune the Priority Queue (Optional) QoS Deployment Scenarios QoS for VoIP Traffic QoS for the Remote-Access VPN Tunnels Monitoring QoS Intrusion Prevention System (IPS) Solution Intrusion Prevention System Integration Adaptive Inspection Prevention Security Services Module Overview (AIP-SSM) AIP-SSM Management Inline Versus Promiscuous Mode Directing Traffic to the AIP-SSM AIP-SSM Module Software Recovery Additional IPS Features IP Audit Shunning Configuring and Troubleshooting Cisco IPS Software via CLI Cisco IPS Software Architecture MainApp SensorApp Network Access Controller AuthenticationApp cipswebserver LogApp EventStore TransactionSource

11 Introduction to the CIPS 5.x Command-Line Interface Logging In to the AIP-SSM via the CLI CLI Command Modes Initializing the AIP-SSM User Administration User Account Roles and Levels Administrator Account Operator Account Viewer Account Service Account Adding and Deleting Users by Using the CLI Creating Users Deleting Users Changing Passwords AIP-SSM Maintenance Adding Trusted Hosts SSH Known Host List TLS Known Host List Upgrading the CIPS Software and Signatures via the CLI One-Time Upgrades Scheduled Upgrades Displaying Software Version and Configuration Information Backing Up Your Configuration Displaying and Clearing Events Displaying and Clearing Statistics Advanced Features and Configuration IPS Tuning Disabling and Retiring IPS Signatures Custom Signatures IP Logging Automatic Logging Manual Logging of Specific Host Traffic Configuring Blocking (Shunning) Virtual Private Network (VPN) Solution Site-to-Site IPSec VPNs Preconfiguration Checklist Configuration Steps Step 1: Enable ISAKMP Step 2: Create the ISAKMP Policy Step 3: Set the Tunnel Type

12 Step 4: Configure ISAKMP Preshared Keys Step 5: Define the IPSec Policy Step 6: Specify Interesting Traffic Step 7: Configure a Crypto Map Step 8: Apply the Crypto Map to an Interface Step 9: Configuring Traffic Filtering Step 10: Bypassing NAT (Optional) Advanced Features OSPF Updates over IPSec Reverse Route Injection NAT Traversal Tunnel Default Gateway Optional Commands Perfect Forward Secrecy Security Association Lifetimes Phase 1 Mode Connection Type Inheritance ISAKMP Keepalives Deployment Scenarios Single Site-to-Site Tunnel Configuration Using NAT-T Fully Meshed Topology with RRI Monitoring and Troubleshooting Site-to-Site IPSec VPNs Monitoring Site-to-Site VPNs Troubleshooting Site-to-Site VPNs ISAKMP Proposal Unacceptable Mismatched Preshared keys Incompatible IPSec Transform Set Mismatched Proxy Identities Remote Access VPN Cisco IPSec Remote Access VPN Solution Configuration Steps Step 1: Enable ISAKMP Step 2: Create the ISAKMP Policy Step 3: Configure Remote-Access Attributes Step 4: Define the Tunnel Type Step 5: Configure ISAKMP Preshared Keys Step 6: Configure User Authentication Step 7: Assign an IP Address Step 8: Define the IPSec Policy

13 Step 9: Set Up a Dynamic Crypto Map Step 10: Configure the Crypto Map Step 11: Apply the Crypto Map to an Interface Step 12: Configure Traffic Filtering Step 13: Set Up a Tunnel Default Gateway (Optional) Step 14: Bypass NAT (Optional) Step 15: Set Up Split Tunneling (Optional) Cisco VPN Client Configuration Software-Based VPN Clients Hardware-Based VPN Clients Advanced Cisco IPSec VPN Features Transparent Tunneling NAT Traversal IPSec over TCP IPSec over UDP IPSec Hairpinning VPN Load-Balancing Client Auto-Update Client Firewalling Personal Firewall Check Central Protection Policy Hardware based Easy VPN Client Features Interactive Hardware Client Authentication Individual User Authentication Cisco IP Phone Bypass Leap Bypass Hardware Client Network Extension Mode Deployment Scenarios of Cisco IPSec VPN IPSec Hairpinning with Easy VPN and Firewalling Load-Balancing and Site-to-Site Integration Monitoring and Troubleshooting Cisco Remote Access VPN Monitoring Cisco Remote Access IPSec VPNs Troubleshooting Cisco IPSec VPN Clients Cisco WebVPN Solution Configuration Steps Step 1: Enable the HTTP Service Step 2: Enable WebVPN on the Interface Step 3: Configure WebVPN Look and Feel Step 4: Configure WebVPN Group Attributes Step 5: Configure User Authentication Advanced WebVPN Features

14 Port Forwarding Configuring URL Mangling Proxy Authentication Methods for Proxy Identifying Servers for Proxies Delimiters Windows File Sharing WebVPN Access Lists Deployment Scenarios of WebVPN WebVPN with External Authentication WebVPN with Proxies Monitoring and Troubleshooting WebVPN Monitoring WebVPN Troubleshooting WebVPN SSL Negotiations WebVPN Data Capture Proxy Issues Public Key Infrastructure (PKI) Introduction to PKI Certificates Certificate Authority Certificate Revocation List Simple Certificate Enrollment Protocol Enrolling the Cisco ASA to a CA Using SCEP Generating the RSA Key Pair Configuring a Trustpoint Manual (Cut-and-Paste) Enrollment Configuration for Manual Enrollment Obtaining the CA Certificate Generating the ID Certificate Request and Importing the ID Certificate Configuring CRL Options Configuring IPSec Site-to-Site Tunnels Using Certificates Configuring the Cisco ASA to Accept Remote-Access VPN Clients Using Certificates Enrolling the Cisco VPN Client Configuring the Cisco ASA Troubleshooting PKI Time and Date Mismatch SCEP Enrollment Problems CRL Retrieval Problems

15 Adaptive Security DeviceçManager Introduction to ASDM Setting Up ASDM Uploading ASDM Setting Up Cisco ASA Accessing ASDM Initial Setup Startup Wizard Functional Screens Configuration Screen Monitoring Screen Interface Management System Clock Configuration Management Remote System Management Telnet SSH SSL (ASDM) System Maintenance Software Installation File Management System Monitoring System Logging SNMP Firewall Management Using ASDM Access Control Lists Address Translation Routing Protocols RIP OSPF Multicast AAA Application Inspection Security Contexts Transparent Firewalls Failover QoS IPS Management Using ASDM Accessing the IPS Device Management Console from ASDM

16 Configuring Basic AIP-SSM Settings Licensing Verifying Network Settings Adding Allowed Hosts Configuring NTP Adding Users Advanced IPS Configuration and Monitoring Using ASDM Disabling and Enabling Signatures Configuring Blocking Creating Custom Signatures Creating Event Action Filters Installing Signature Updates and Software Service Packs Configuring Auto-Update VPN Management Using ASDM Site-to-Site VPN Setup Using Preshared Keys Site-to-Site VPN Setup Using PKI Cisco Remote-Access IPSec VPN Setup WebVPN VPN Monitoring Case Studies Case Study 1: Deploying the Cisco ASA at Branch Offices and Small Businesses Branch Offices Small Business Partners Case Study 2: Large Enterprise Firewall, VPN, and IPS Deployment Internet Edge and DMZ Filtering Websites Remote Access VPN Cluster Application Inspection IPS Case Study 3: Data Center Security with Cisco ASA Index Table of Contents provided by Blackwell's Book Services and R.R. Bowker. Used with permission.