- Introduction to PIX/ASA Firewalls -




Cisco Security Appliances

Both Cisco routers and multilayer switches support the IOS firewall feature set, which provides security functionality. Additionally, Cisco offers dedicated security appliances:

- PIX (Private Internet Exchange)
- ASA (Adaptive Security Appliance)

PIX firewalls, though still in prevalent use, are being replaced with ASA equivalents.

Cisco security appliances help protect against three categories of attacks:

- Reconnaissance Attacks: used to document and map a network's infrastructure, including its vulnerabilities.
- Access Attacks: used to gain unauthorized access to data or systems.
- Denial of Service (DoS) Attacks: used to disrupt access to services, often by crashing or overloading a system.

Cisco security appliances offer features to safeguard against these attacks:

- Packet Filtering: permits or denies traffic based on source/destination IP addresses or TCP/UDP port numbers, using Access Control Lists (ACLs).
- Stateful Packet Inspection: tracks TCP and UDP sessions in a flow table, using the Adaptive Security Algorithm.
- Proxy: serves as the middle-man for communication, authenticating users before communication is allowed to occur.

Cisco security appliances employ a proprietary operating system called Finesse (Fast InterNEt Server Executive). Cisco did not originally develop this operating system; the PIX product line was acquired when Cisco bought out Network Translation, Inc. The Finesse operating system is now referred to as the PIX OS, and employs a command-line interface that is similar to, but not quite, entirely unlike the Cisco IOS. Various GUI interfaces are available as well, depending on the PIX OS version, such as the PIX Device Manager (PDM) or the Adaptive Security Device Manager (ASDM).

(Reference: http://en.wikipedia.org/wiki/cisco_pix)

PIX/ASA Security Levels

Cisco security appliances protect trusted zones from untrusted zones. Like most firewalls, a Cisco PIX/ASA will permit traffic from the trusted interface to the untrusted interface without any explicit configuration. However, traffic from the untrusted interface to the trusted interface must be explicitly permitted. Thus, any traffic from the untrusted to the trusted interface that is not explicitly permitted is implicitly denied.

A firewall is not limited to only two interfaces, but can contain multiple less-trusted interfaces, often referred to as Demilitarized Zones (DMZs).

To control the trust value of each interface, each firewall interface is assigned a security level, represented on the Cisco PIX/ASA as a numerical value between 0 and 100. For example, in the above diagram, the Trusted Zone could be assigned a security level of 100, the Less Trusted Zone a level of 75, and the Untrusted Zone a level of 0.

As stated previously, traffic from a higher-security to a lower-security interface is (generally) allowed by default, while traffic from a lower-security to a higher-security interface requires explicit permission.
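The following is an added example, not Cisco code or part of the original document: a small Python model of the decision described above, combining the security-level rule (higher to lower allowed by default, lower to higher only with an explicit ACL permit, otherwise implicit deny) with the stateful flow table from the previous section, so that replies to an established outbound session are let back in. Interface names, levels, addresses and the simplified ACL key are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed interface names and security levels, mirroring the levels in the text.
LEVELS = {"inside": 100, "dmz": 75, "outside": 0}

@dataclass(frozen=True)
class Packet:
    in_if: str    # interface the packet arrives on
    out_if: str   # interface it would be forwarded out of
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int

@dataclass
class Firewall:
    levels: dict
    # Simplified ACL: explicit permits for low-to-high traffic, keyed by
    # (ingress interface, protocol, destination port); a real ACL also matches addresses.
    acl_permits: set = field(default_factory=set)
    flows: set = field(default_factory=set)   # the stateful flow table

    def decide(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Stateful inspection: a reply to a session in the flow table is
        #    permitted regardless of security levels.
        if reverse in self.flows:
            return "permit: return traffic for existing flow"
        src_lvl, dst_lvl = self.levels[pkt.in_if], self.levels[pkt.out_if]
        # 2. Higher to lower security level: allowed by default; record the
        #    session so its replies can come back.
        if src_lvl > dst_lvl:
            self.flows.add(key)
            return "permit: higher to lower security level"
        # 3. Lower (or equal) to higher: needs an explicit ACL permit, else implicit deny.
        if (pkt.in_if, pkt.proto, pkt.dport) in self.acl_permits:
            self.flows.add(key)
            return "permit: explicit ACL"
        return "deny: implicit deny, lower to higher security level"

def demo() -> list:
    """Four constructed packets through a firewall with one inbound permit (SMTP to DMZ)."""
    fw = Firewall(LEVELS, acl_permits={("outside", "tcp", 25)})
    outbound = Packet("inside", "outside", "10.0.0.5", "203.0.113.9", "tcp", 51000, 443)
    reply = Packet("outside", "inside", "203.0.113.9", "10.0.0.5", "tcp", 443, 51000)
    unsolicited = Packet("outside", "inside", "198.51.100.7", "10.0.0.5", "tcp", 40000, 445)
    smtp_to_dmz = Packet("outside", "dmz", "198.51.100.7", "172.16.1.25", "tcp", 40001, 25)
    return [fw.decide(p) for p in (outbound, reply, unsolicited, smtp_to_dmz)]
```

Note that the same unsolicited packet from the outside is denied even though a reply to the earlier outbound session is permitted: only the flow table, not the security level, distinguishes the two.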

PIX/ASA Failover

Both PIX and ASA firewalls also support failover, providing a redundant environment for high availability. This failover feature is similar to HSRP (Hot Standby Router Protocol). One firewall remains in an active state, performing all normal firewall functions. Another firewall remains in a standby state, ready to take over if the primary firewall fails. Only specific PIX/ASA models support failover.

PIX/ASA Licensing

All PIX/ASA firewalls, with the exception of the PIX 506e, support various levels of licensing. For example, the PIX 501 firewall is licensed based on the number of users, and supports 10, 25, or 50 concurrent users. The PIX 506e supports an unlimited number of users.

Higher-end PIX/ASA models support three types of licensing:

- Unrestricted: allows the maximum number of interfaces and RAM for each model. Supports failover.
- Restricted: limits the maximum number of interfaces and RAM. Does not support failover.
- Failover: places the PIX/ASA in a standby state, as a backup to an active unrestricted PIX/ASA.

Predictably, unrestricted licensing is far more expensive than restricted licensing. Additionally, stronger VPN encryption algorithms (such as AES) may require a specific PIX/ASA license. All licenses are installed through the use of activation keys.

PIX Firewall Models

The Cisco PIX firewall family consists of five standard models:

- PIX 501
- PIX 506e
- PIX 515e
- PIX 525
- PIX 535

All PIX models contain a console port for access to the PIX OS. Higher-end models support faster processors and increased port density. Additionally, the higher-end models support a higher number of total connections, more IPSEC tunnels, and greater overall throughput.

The PIX 501 is the low-end model of the PIX family. It contains a single WAN port and an integrated 10/100 four-port switch that serves as the LAN network. The PIX 501 is intended for home or small offices, with support for 10 IPSEC VPN tunnels.

The PIX 506e is the next model up, and is intended for small branch or remote offices. It contains one integrated LAN port and one integrated WAN port, and supports 25 VPN tunnels.

Neither the PIX 501 nor the PIX 506e supports failover. Both firewalls are also completely integrated; neither offers modular bays for additional ports. Additionally, the PIX 501 and 506e support up to PIX OS 6.0, and thus do not support PIX OS 7.0 or higher.

The following models are modular and rack-mountable:

- The PIX 515e is intended for small to medium-sized offices. It supports up to six 10/100 Ethernet interfaces, each of which is used as either a LAN, WAN, or DMZ port.
- The PIX 525e is intended for large or enterprise businesses, and supports a maximum of eight interfaces.
- The PIX 535 is the highest-end model of the PIX family, with support for 500,000 concurrent connections. A maximum of ten interfaces are supported.

The PIX 515e, 525e, and 535 support all PIX OS versions, including 7.0.

PIX VPN Acceleration

The modular PIX firewalls (515e and up) support the installation of VPN Accelerator Cards (VACs). Normally, IPSEC functions are performed in software on the PIX, resulting in suboptimal throughput. VACs improve performance by providing hardware-based IPSEC acceleration. By offloading IPSEC functions onto a VAC, the PIX OS can be dedicated to other firewall functions. In addition to VAC modules, a higher-performance VAC+ module is available for modular PIX firewalls. The PIX 535 contains an integrated VAC, and all ASA firewalls have integrated VPN acceleration.

ASA Firewall Models

The Cisco ASA firewall family currently consists of five standard models:

- ASA 5505
- ASA 5510
- ASA 5520
- ASA 5540
- ASA 5550

As with the PIX, higher-end ASA models support faster processors and increased port density. Additionally, the higher-end models support a larger number of total connections, more memory, more IPSEC tunnels, and greater overall throughput. The link below provides a detailed comparison of each model. All ASA firewalls run PIX OS 7.0 or higher.

(Reference: http://www.cisco.com/en/us/products/ps6120/prod_models_comparison.html)