Availability:

Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status
---|---|---|---|---|---
 | 30000010105250 | TK5105.59 F72 2006 | Open Access Book | Book | 

On Order
Summary
Provides insight and deployment examples and demonstrates how adaptive identification and mitigation services on Cisco ASA provide a security solution for both large and small network environments. This book contains many sample configurations, design scenarios, and discussions of debugs.
Author Notes
Jazib Frahim, CCIE® No. 5459, is a senior network security engineer in the Worldwide Security Services Practice of Advanced Services for Network Security at Cisco. He is responsible for guiding customers in the design and implementation of their networks, with a focus on network security.
Omar Santos is a senior network security engineer in the Worldwide Security Services Practice of Advanced Services for Network Security at Cisco. He has more than 12 years of experience in secure data communications.
Table of Contents
Foreword
Introduction
Part I Product Overview
Chapter 1 Introduction to Network Security
Firewall Technologies
Network Firewalls
Packet-Filtering Techniques
Application Proxies
Network Address Translation
Port Address Translation
Static Translation
Stateful Inspection Firewalls
Personal Firewalls
Intrusion Detection and Prevention Technologies
Network-Based Intrusion Detection and Prevention Systems
Pattern Matching and Stateful Pattern-Matching Recognition
Protocol Analysis
Heuristic-Based Analysis
Anomaly-Based Analysis
Host-Based Intrusion Detection Systems
Network-Based Attacks
DoS Attacks
TCP SYN Flood Attacks
land.c Attacks
Smurf Attacks
DDoS Attacks
Session Hijacking
Virtual Private Networks
Understanding IPSec
Internet Key Exchange
IKE Phase 1
IKE Phase 2
IPSec Protocols
Authentication Header
Encapsulation Security Payload
IPSec Modes
Transport Mode
Tunnel Mode
Summary
Chapter 2 Product History
Cisco Firewall Products
Cisco PIX Firewalls
Cisco FWSM
Cisco IOS Firewall
Cisco IDS Products
Cisco VPN Products
Cisco ASA All-in-One Solution
Firewall Services
IPS Services
VPN Services
Summary
Chapter 3 Hardware Overview
Cisco ASA 5510 Model
Cisco ASA 5520 Model
Cisco ASA 5540 Model
AIP-SSM Modules
Summary
Part II Firewall Solution
Chapter 4 Initial Setup and System Maintenance
Accessing the Cisco ASA Appliances
Establishing a Console Connection
Command-Line Interface
Managing Licenses
Initial Setup
Setting Up the Device Name
Configuring an Interface
Configuring a Subinterface
Configuring a Management Interface
DHCP Services
IP Version 6
IPv6 Header
Configuring IPv6
IP Address Assignment
Setting Up the System Clock
Manual Clock Adjustment Using clock set
Automatic Clock Adjustment Using the Network Time Protocol
Time Zones and Daylight Savings Time
Configuration Management
Running Configuration
Startup Configuration
Removing the Device Configuration
Remote System Management
Telnet
Secure Shell
System Maintenance
Software Installation
Image Upgrade via the Cisco ASA CLI
Image Recovery Using ROMMON
Password Recovery Process
Disabling the Password Recovery Process
System Monitoring
System Logging
Enabling Logging
Logging Types
Additional Syslog Parameters
Simple Network Management Protocol
Configuring SNMP
SNMP Monitoring
CPU and Memory Monitoring
Summary
Chapter 5 Network Access Control
Packet Filtering
Types of ACLs
Standard ACLs
Extended ACLs
IPv6 ACLs
EtherType ACLs
WebVPN ACLs
Comparing ACL Features
Configuring Packet Filtering
Step 1: Set Up an ACL
Step 2: Apply an ACL to an Interface
Step 3: Set Up an IPv6 ACL (Optional)
Advanced ACL Features
Object Grouping
Object Types
Object Grouping and ACLs
Standard ACLs
Time-Based ACLs
Absolute
Periodic
Downloadable ACLs
ICMP Filtering
Content and URL Filtering
Content Filtering
ActiveX Filtering
Java Filtering
Configuring Content Filtering
URL Filtering
Configuring URL Filtering
Deployment Scenarios Using ACLs
Using ACLs to Filter Inbound and Outbound Traffic
Enabling Content Filtering Using Websense
Monitoring Network Access Control
Monitoring ACLs
Monitoring Content Filtering
Understanding Address Translation
Network Address Translation
Port Address Translation
Packet Flow Sequence
Configuring Address Translation
Static NAT
Dynamic Network Address Translation
Static Port Address Translation
Dynamic Port Address Translation
Policy NAT/PAT
Bypassing Address Translation
Identity NAT
NAT Exemption
NAT Order of Operation
Integrating ACLs and NAT
DNS Doctoring
Monitoring Address Translations
Summary
Chapter 6 IP Routing
Configuring Static Routes
RIP
Configuring RIP
Verifying the Configuration
Troubleshooting RIP
Scenario 1: RIP Version Mismatch
Scenario 2: RIP Authentication Mismatch
Scenario 3: Multicast or Broadcast Packets Blocked
Scenario 4: Correct Configuration and Behavior
OSPF
Configuring OSPF
Enabling OSPF
Virtual Links
Configuring OSPF Authentication
Configuring the Cisco ASA as an ASBR
Stub Areas and NSSAs
ABR Type 3 LSA Filtering
OSPF neighbor Command and Dynamic Routing over VPN
Troubleshooting OSPF
Useful Troubleshooting Commands
Mismatched Areas
OSPF Authentication Mismatch
Troubleshooting Virtual Link Problems
IP Multicast
IGMP
IP Multicast Routing
Configuring Multicast Routing
Enabling Multicast Routing
Statically Assigning an IGMP Group
Limiting IGMP States
IGMP Query Timeout
Defining the IGMP Version
Configuring Rendezvous Points
Configuring Threshold for SPT Switchover
Filtering RP Register Messages
PIM Designated Router Priority
PIM Hello Message Interval
Configuring a Static Multicast Route
Troubleshooting IP Multicast Routing
show Commands
debug Commands
Deployment Scenarios
Deploying OSPF
Deploying IP Multicast
Summary
Chapter 7 Authentication, Authorization, and Accounting (AAA)
AAA Protocols and Services Supported by Cisco ASA
RADIUS
TACACS+
RSA SecurID
Microsoft Windows NT
Active Directory and Kerberos
Lightweight Directory Access Protocol
Defining an Authentication Server
Configuring Authentication of Administrative Sessions
Authenticating Telnet Connections
Authenticating SSH Connections
Authenticating Serial Console Connections
Authenticating Cisco ASDM Connections
Authenticating Firewall Sessions (Cut-Through Proxy Feature)
Authentication Timeouts
Customizing Authentication Prompts
Configuring Authorization
Command Authorization
Configuring Downloadable ACLs
Configuring Accounting
RADIUS Accounting
TACACS+ Accounting
Deployment Scenarios
Deploying Authentication, Command Authorization, and Accounting for Administrative Sessions
Deploying Cut-Through Proxy Authentication
Troubleshooting AAA
Troubleshooting Administrative Connections to Cisco ASA
Troubleshooting Firewall Sessions (Cut-Through Proxy)
Summary
Chapter 8 Application Inspection
Enabling Application Inspection Using the Modular Policy Framework
Selective Inspection
Computer Telephony Interface Quick Buffer Encoding Inspection
Domain Name System
Extended Simple Mail Transfer Protocol
File Transfer Protocol
General Packet Radio Service Tunneling Protocol
GTPv0
GTPv1
Configuring GTP Inspection
H.323
H.323 Protocol Suite
H.323 Version Compatibility
Enabling H.323 Inspection
Direct Call Signaling and Gatekeeper Routed Control Signaling
T.38
HTTP
Enabling HTTP Inspection
strict-http
content-length
content-type-verification
max-header-length
max-uri-length
port-misuse
request-method
transfer-encoding type
ICMP
ILS
MGCP
NetBIOS
PPTP
Sun RPC
RSH
RTSP
SIP
Skinny
SNMP
SQLNet
TFTP
XDMCP
Deployment Scenarios
ESMTP
HTTP
FTP
Summary
Chapter 9 Security Contexts
Architectural Overview
System Execution Space
Admin Context
Customer Context
Packet Flow in Multiple Mode
Packet Classification
Packet Forwarding Between Contexts
Configuration of Security Contexts
Step 1: Enabling Multiple Security Contexts Globally
Step 2: Setting Up the System Execution Space
Step 3: Specifying a Configuration URL
Step 4: Allocating the Interfaces
Step 5: Configuring an Admin Context
Step 6: Configuring a Customer Context
Step 7: Managing the Security Contexts (Optional)
Deployment Scenarios
Virtual Firewall Using Two Customer Contexts
Virtual Firewall Using a Shared Interface
Monitoring and Troubleshooting the Security Contexts
Monitoring
Troubleshooting
Summary
Chapter 10 Transparent Firewalls
Architectural Overview
Single-Mode Transparent Firewall
Packet Flow in an SMTF
Multimode Transparent Firewall
Packet Flow in an MMTF
Transparent Firewalls and VPNs
Configuration of Transparent Firewall
Configuration Guidelines
Configuration Steps
Step 1: Enabling Transparent Firewalls
Step 2: Setting Up Interfaces
Step 3: Configuring an IP Address
Step 4: Configuring Interface ACLs
Step 5: Adding Static L2F Table Entries (Optional)
Step 6: Enabling ARP Inspection (Optional)
Step 7: Modifying L2F Table Parameters (Optional)
Deployment Scenarios
SMTF Deployment
MMTF Deployment with Security Contexts
Monitoring and Troubleshooting the Transparent Firewall
Monitoring
Troubleshooting
Summary
Chapter 11 Failover and Redundancy
Architectural Overview
Conditions that Trigger Failover
Failover Interface Tests
Stateful Failover
Hardware and Software Requirements
Types of Failover
Active/Standby Failover
Active/Active Failover
Asymmetric Routing
Failover Configuration
Active/Standby Failover Configuration
Step 1: Select the Failover Link
Step 2: Assign Failover IP Addresses
Step 3: Set the Failover Key (Optional)
Step 4: Designating the Primary Cisco ASA
Step 5: Enable Stateful Failover (Optional)
Step 6: Enable Failover Globally
Step 7: Configure Failover on the Secondary Cisco ASA
Active/Active Failover Configuration
Step 1: Select the Failover Link
Step 2: Assign Failover Interface IP Addresses
Step 3: Set Failover Key
Step 4: Designate the Primary Cisco ASA
Step 5: Enable Stateful Failover
Step 6: Set Up Failover Groups
Step 7: Assign Failover Group Membership
Step 8: Assign Interface IP Addresses
Step 9: Set Up Asymmetric Routing (Optional)
Step 10: Enable Failover Globally
Step 11: Configure Failover on the Secondary Cisco ASA
Optional Failover Commands
Specifying Failover MAC Addresses
Configuring Interface Policy
Managing Failover Timers
Monitoring Failover Interfaces
Zero-Downtime Software Upgrade
Deployment Scenarios
Active/Standby Failover in Single Mode
Active/Active Failover in Multiple Security Contexts
Monitoring and Troubleshooting Failovers
Monitoring
Troubleshooting
Summary
Chapter 12 Quality of Service
Architectural Overview
Traffic Policing
Traffic Prioritization
Packet Flow Sequence
Packet Classification
IP Precedence Field
IP DSCP Field
IP Access Control List
IP Flow
VPN Tunnel Group
QoS and VPN Tunnels
Configuring Quality of Service
Step 1: Set Up a Class Map
Step 2: Configure a Policy Map
Step 3: Apply the Policy Map on the Interface
Step 4: Tune the Priority Queue (Optional)
QoS Deployment Scenarios
QoS for VoIP Traffic
QoS for the Remote-Access VPN Tunnels
Monitoring QoS
Summary
Part III Intrusion Prevention System (IPS) Solution
Chapter 13 Intrusion Prevention System Integration
Adaptive Inspection Prevention Security Services Module Overview (AIP-SSM)
AIP-SSM Management
Inline Versus Promiscuous Mode
Directing Traffic to the AIP-SSM
AIP-SSM Module Software Recovery
Additional IPS Features
IP Audit
Shunning
Summary
Chapter 14 Configuring and Troubleshooting Cisco IPS Software via CLI
Cisco IPS Software Architecture
MainApp
SensorApp
Network Access Controller
AuthenticationApp
cipsWebserver
LogApp
EventStore
TransactionSource
Introduction to the CIPS 5.x Command-Line Interface
Logging In to the AIP-SSM via the CLI
CLI Command Modes
Initializing the AIP-SSM
User Administration
User Account Roles and Levels
Administrator Account
Operator Account
Viewer Account
Service Account
Adding and Deleting Users by Using the CLI
Creating Users
Deleting Users
Changing Passwords
AIP-SSM Maintenance
Adding Trusted Hosts
SSH Known Host List
TLS Known Host List
Upgrading the CIPS Software and Signatures via the CLI
One-Time Upgrades
Scheduled Upgrades
Displaying Software Version and Configuration Information
Backing Up Your Configuration
Displaying and Clearing Events
Displaying and Clearing Statistics
Advanced Features and Configuration
IPS Tuning
Disabling and Retiring IPS Signatures
Custom Signatures
IP Logging
Automatic Logging
Manual Logging of Specific Host Traffic
Configuring Blocking (Shunning)
Summary
Part IV Virtual Private Network (VPN) Solution
Chapter 15 Site-to-Site IPSec VPNs
Preconfiguration Checklist
Configuration Steps
Step 1: Enable ISAKMP
Step 2: Create the ISAKMP Policy
Step 3: Set the Tunnel Type
Step 4: Configure ISAKMP Preshared Keys
Step 5: Define the IPSec Policy
Step 6: Specify Interesting Traffic
Step 7: Configure a Crypto Map
Step 8: Apply the Crypto Map to an Interface
Step 9: Configuring Traffic Filtering
Step 10: Bypassing NAT (Optional)
Advanced Features
OSPF Updates over IPSec
Reverse Route Injection
NAT Traversal
Tunnel Default Gateway
Optional Commands
Perfect Forward Secrecy
Security Association Lifetimes
Phase 1 Mode
Connection Type
Inheritance
ISAKMP Keepalives
Deployment Scenarios
Single Site-to-Site Tunnel Configuration Using NAT-T
Fully Meshed Topology with RRI
Monitoring and Troubleshooting Site-to-Site IPSec VPNs
Monitoring Site-to-Site VPNs
Troubleshooting Site-to-Site VPNs
ISAKMP Proposal Unacceptable
Mismatched Preshared Keys
Incompatible IPSec Transform Set
Mismatched Proxy Identities
Summary
Chapter 16 Remote Access VPN
Cisco IPSec Remote Access VPN Solution
Configuration Steps
Step 1: Enable ISAKMP
Step 2: Create the ISAKMP Policy
Step 3: Configure Remote-Access Attributes
Step 4: Define the Tunnel Type
Step 5: Configure ISAKMP Preshared Keys
Step 6: Configure User Authentication
Step 7: Assign an IP Address
Step 8: Define the IPSec Policy
Step 9: Set Up a Dynamic Crypto Map
Step 10: Configure the Crypto Map
Step 11: Apply the Crypto Map to an Interface
Step 12: Configure Traffic Filtering
Step 13: Set Up a Tunnel Default Gateway (Optional)
Step 14: Bypass NAT (Optional)
Step 15: Set Up Split Tunneling (Optional)
Cisco VPN Client Configuration
Software-Based VPN Clients
Hardware-Based VPN Clients
Advanced Cisco IPSec VPN Features
Transparent Tunneling
NAT Traversal
IPSec over TCP
IPSec over UDP
IPSec Hairpinning
VPN Load-Balancing
Client Auto-Update
Client Firewalling
Personal Firewall Check
Central Protection Policy
Hardware-Based Easy VPN Client Features
Interactive Hardware Client Authentication
Individual User Authentication
Cisco IP Phone Bypass
Leap Bypass
Hardware Client Network Extension Mode
Deployment Scenarios of Cisco IPSec VPN
IPSec Hairpinning with Easy VPN and Firewalling
Load-Balancing and Site-to-Site Integration
Monitoring and Troubleshooting Cisco Remote Access VPN
Monitoring Cisco Remote Access IPSec VPNs
Troubleshooting Cisco IPSec VPN Clients
Cisco WebVPN Solution
Configuration Steps
Step 1: Enable the HTTP Service
Step 2: Enable WebVPN on the Interface
Step 3: Configure WebVPN Look and Feel
Step 4: Configure WebVPN Group Attributes
Step 5: Configure User Authentication
Advanced WebVPN Features
Port Forwarding
Configuring URL Mangling
E-Mail Proxy
Authentication Methods for E-Mail Proxy
Identifying E-Mail Servers for E-Mail Proxies
Delimiters
Windows File Sharing
WebVPN Access Lists
Deployment Scenarios of WebVPN
WebVPN with External Authentication
WebVPN with E-Mail Proxies
Monitoring and Troubleshooting WebVPN
Monitoring WebVPN
Troubleshooting WebVPN
SSL Negotiations
WebVPN Data Capture
E-Mail Proxy Issues
Summary
Chapter 17 Public Key Infrastructure (PKI)
Introduction to PKI
Certificates
Certificate Authority
Certificate Revocation List
Simple Certificate Enrollment Protocol
Enrolling the Cisco ASA to a CA Using SCEP
Generating the RSA Key Pair
Configuring a Trustpoint
Manual (Cut-and-Paste) Enrollment
Configuration for Manual Enrollment
Obtaining the CA Certificate
Generating the ID Certificate Request and Importing the ID Certificate
Configuring CRL Options
Configuring IPSec Site-to-Site Tunnels Using Certificates
Configuring the Cisco ASA to Accept Remote-Access VPN Clients Using Certificates
Enrolling the Cisco VPN Client
Configuring the Cisco ASA
Troubleshooting PKI
Time and Date Mismatch
SCEP Enrollment Problems
CRL Retrieval Problems
Summary
Part V Adaptive Security Device Manager
Chapter 18 Introduction to ASDM
Setting Up ASDM
Uploading ASDM
Setting Up Cisco ASA
Accessing ASDM
Initial Setup
Startup Wizard
Functional Screens
Configuration Screen
Monitoring Screen
Interface Management
System Clock
Configuration Management
Remote System Management
Telnet
SSH
SSL (ASDM)
System Maintenance
Software Installation
File Management
System Monitoring
System Logging
SNMP
Summary
Chapter 19 Firewall Management Using ASDM
Access Control Lists
Address Translation
Routing Protocols
RIP
OSPF
Multicast
AAA
Application Inspection
Security Contexts
Transparent Firewalls
Failover
QoS
Summary
Chapter 20 IPS Management Using ASDM
Accessing the IPS Device Management Console from ASDM
Configuring Basic AIP-SSM Settings
Licensing
Verifying Network Settings
Adding Allowed Hosts
Configuring NTP
Adding Users
Advanced IPS Configuration and Monitoring Using ASDM
Disabling and Enabling Signatures
Configuring Blocking
Creating Custom Signatures
Creating Event Action Filters
Installing Signature Updates and Software Service Packs
Configuring Auto-Update
Summary
Chapter 21 VPN Management Using ASDM
Site-to-Site VPN Setup Using Preshared Keys
Site-to-Site VPN Setup Using PKI
Cisco Remote-Access IPSec VPN Setup
WebVPN
VPN Monitoring
Summary
Chapter 22 Case Studies
Case Study 1: Deploying the Cisco ASA at Branch Offices and Small Businesses
Branch Offices
Small Business Partners
Case Study 2: Large Enterprise Firewall, VPN, and IPS Deployment
Internet Edge and DMZ
Filtering Websites
Remote Access VPN Cluster
Application Inspection
IPS
Case Study 3: Data Center Security with Cisco ASA
Summary
Index