1 / 156

Security - Cisco Firewall TRAINING

Security - Cisco Firewall TRAINING. Course Flow. Day 1. Day 2. Day 3. Nội Dung Mục Tiêu Lịch Học: Trong 5 ngày Sáng từ 9h-11h30 Chiều từ 14h-16h30. Lesson 2: Getting Started with Cisco Security Appliances (continue) Lesson :3 Managing the Security Appliance Lession 4:

xander
Download Presentation

Security - Cisco Firewall TRAINING

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security - Cisco FirewallTRAINING

  2. Course Flow Day 1 Day 2 Day 3 Nội Dung Mục Tiêu Lịch Học: Trong 5 ngày Sáng từ 9h-11h30 Chiều từ 14h-16h30 Lesson 2: Getting Started with Cisco Security Appliances (continue) Lesson :3 Managing the Security Appliance Lession 4: Access Control Lists Lesson 1: Cisco Security Appliances Overview Lesson 2: Getting Started with Cisco Security Appliances Lesson 5: Cisco Adaptive Security Device Manager Lesson 6: Firewall Switch Modules (FWSM) AM 8h30-11h30 Theory Lession 1: Console connection setting Lession 2: Execute general command Lession 3: Configure Security Appliance Interfaces Lession 4: Configure NAT, and Routing Lession 5: Test the Inside, Outside, and DMZ Interface Connectivity Lession 6 :Configure ACLs on the Security Appliance Lession 7: Managing the Security Appliance PM 14h-17h Hand-on Lab

  3. Introduction • Trainer Introduction • Name: • Position : • Experiences: • Trainee Introduction • Name • Position : • Security Network knowledges and experiences…

  4. Lession 1 Cisco Security Appliances Overview

  5. What Is a Firewall? DMZ Network Internet Outside Network Inside Network A firewall is a system or group of systems that manages access between two or more networks.

  6. Firewall Technologies Firewall operations are based on one of three technologies: • Packet filtering • Proxy server • Stateful packet filtering

  7. Packet Filtering DMZ: Server B Inside: Server C DataA B Host A Internet Data A C AB-Yes AC-No Limits information that is allowed into a network based on the destination and source address

  8. Proxy Server Proxy Server Internet Inside Network Outside Network Requests connections on behalf ofa client

  9. Stateful Packet Filtering DMZ: Server B Inside: Server C Data HTTP A B Host A Internet State Table Limits information that is allowed into a network based not only on the destination and source addresses, but also on the packets state table content Source address 10.0.0.11 192.168.0.20 Destination address 172.16.0.50 172.16.0.50 Source port 1026 1026 Destination port 80 80 Initial sequence no. 49091 49769 Ack Flag Syn Syn

  10. Security Appliances: What Are They? Cisco security appliances deliver enterprise-class security for small-to-medium-sized business and enterprise networks in a modular, purpose-built appliance. Some features of Cisco security appliances are: • Proprietary operating system • Stateful packet inspection • User-based authentication • Protocol and application inspection • Modular policy framework • Virtual private networking • Security contexts (virtual firewalls) • Stateful failover capabilities • Transparent firewalls • Web-based management solutions

  11. Proprietary Operating System • Eliminates the risks associated with general-purpose operating systems

  12. Stateful Packet Inspection • The stateful packet inspection algorithm provides stateful connection security. • It tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags. • It randomizes the initial TCP sequence number of each new connection. • By default, the stateful packet inspection algorithm allows connections originating from hosts on inside (higher security level) interfaces. • By default, the stateful packet inspection algorithm drops connection attempts originating from hosts on outside (lower security level) interfaces. • The stateful packet inspection algorithm supports authentication, authorization, and accounting.

  13. Application-Aware Inspection FTP Server Client Data Port20 Control Port 21 Control Port 2008 Data Port 2010 Data - Port 2010 Port 2010 OK Data • Protocols such as FTP, HTTP, H.323, and SQL*Net need to negotiate connections to dynamically assigned source or destination ports through the firewall. • The security appliance inspects packets above the network layer. • The security appliance securely opens and closes negotiated ports for legitimate client-server connections through the firewall.

  14. Modular Policy Internet System Engineer Headquarters T1 SE exec Internet Executives S2S S2S Site C Site B Class Map Traffic Flow Default Internet Systems Engineer Executives Site to Site Policy Map Services Inspect IPS Police Priority Service Policy Interface/Global Global Outside

  15. B A N K • B A N K Virtual Private Network Site to Site Internet IPsec VPN SSL VPN Headquarters Remote Access

  16. Security Context (Virtual Firewall) One Physical Firewall Four Virtual Firewalls Four Physical Firewalls Internet Internet Ability to create multiple security contexts (virtual firewalls) within a single security appliance

  17. Failover Capabilities: Active/Standby, Active/Active, and Stateful Failover Failover: Active/Standby Failover: Active/Active Contexts 2 2 1 1 Primary: Failed Firewall Secondary: Active Firewall Primary: Failed/Standby Secondary: Active/Active Internet Internet • Failover protects the network if the primary security appliance goes offline.. • Active/standby: Only one unit can be actively processing traffic; the other is hot standby. • Active/Active: Both units can process traffic and serve as backup units. • Stateful failover maintains the operating state during failover.

  18. Transparent Firewall 192.168.1.5 192.168.1.2 Internet • Has the ability to deploy a security appliance in a secure bridging mode • Provides rich Layers 2 through 7 security services as a Layer 2 device

  19. Web-Based Management Solutions Adaptive Security Device Manager

  20. Models and Features of Cisco Security Appliances

  21. ASA 5500 Series ASA 5550 ASA 5540 ASA 5520 Price ASA 5510 ASA 5505 Gigabit Ethernet SOHO SP SMB Enterprise ROBO Functionality SP = service provider

  22. PIX 500 Series PIX 535 PIX 525 PIX 515E Price PIX 506E PIX 501 Gigabit Ethernet SOHO SP SMB Enterprise ROBO Functionality

  23. Cisco ASA 5510 Adaptive Security Appliance • Delivers advanced security and networking services, including high-performance VPN services, for small and medium-sized businesses and enterprise branch offices • Provides up to 130,000 concurrent connections • Provides up to 300-Mbps firewall throughput • Provides interface support • Up to 5 10/100 Fast Ethernet interfaces • Up to 25 VLANs • Up to 5 contexts • Supports failover • Active/standby • Supports VPNs • Site to site (250 peers) • Remote access • WebVPN • Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-portGigabit Ethernet SSM)

  24. Cisco ASA 5520 Adaptive Security Appliance • Delivers advanced security services, including high-performance VPN services, for medium-sized enterprise networks • Provides up to 280,000 concurrent connections • Provides up to 450-Mbps firewall throughput • Provides Interface support • 4 10/100/1000 Gigabit Ethernet interfaces • 1 10/100 Fast Ethernet interface • Up to 100 VLANs • Up to 20 contexts • Supports failover • Active/standby • Active/active • Supports VPNs • Site to site (750 peers) • Remote access • WebVPN • Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-portGigabit Ethernet SSM)

  25. Cisco ASA 5540 Adaptive Security Appliance • Delivers high-performance, high-density security services, including high-performance VPN services, for medium-sized and large enterprise networks and service provider networks • Provides up to 400,000 concurrent connections • Provides up to 650-Mbps firewall throughput • Provides Interface support • 4 10/100/1000 Gigabit Ethernet interfaces • 1 10/100 Fast Ethernet interface • Up to 200 VLANs • Up to 50 contexts • Supports failover • Active/standby • Active/active • Supports VPNs • Site to site (5,000 peers) • Remote access • WebVPN • Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-portGigabit Ethernet SSM)

  26. ASA 5510, 5520, and 5540 Adaptive Security Appliances Front Panel Flash Status Active Power VPN

  27. ASA 5510, 5520, and 5540 Adaptive Security Appliances Back Panel CompactFlash Fixed interfaces Security services module

  28. ASA 5510, 5520, and 5540 Adaptive Security Appliances Connectors CompactFlash 10/100 out-of-band management port Console port Power supply (AC or DC) Four 10/100/1000 Gigabit Ethernet ports* AUX ports Two USB 2.0 ports *ASA 5510 Adaptive Security Appliance supports 10/100 Fast Ethernet ports.

  29. Cisco ASA Security Services Module • High-performance module designed to provide additional security services • Diskless (Flash-based) design for improved reliability • Gigabit Ethernet port for out-of-band management

  30. SSM Models SSM-10 • 2.0-GHz processor • 1.0 GB RAM SSM-20 • 2.4-GHz processor • 2.0 GB RAM • Speed • Link andactivity • Power • Status

  31. Four-Port Gigabit Ethernet SSM RJ-45 link LED SFP link LED SFP speed LED RJ-45 speed LED Status LED SFP ports RJ-45 ports Power LED

  32. Summary • A firewall is a system or group of systems that manages access between two or more networks. • Statefull firewall is a device works most effectively • Cisco Security Appliance including Cisco PIX and ASA. • Security devices ASA 5510, 5520 targeting the small and medium enterprises. • The function of security devices can be expanded by the SSMs

  33. Lession 2 Getting Started with Cisco Security Appliances

  34. User Interface

  35. ciscoasa> ciscoasa# ciscoasa(config)# monitor> Security Appliance Access Modes A Cisco security appliance has four main administrative access modes: Unprivileged Privileged Configuration Monitor

  36. Access Privileged Mode Internet Used to control access to the privileged mode Enables you to enter other access modes ciscoasa> enable [priv_level] ciscoasa> enable password: ciscoasa#

  37. Access Configuration Mode: configure terminal Command ciscoasa# configure terminal Used to start configuration mode to enter configuration commands from a terminal ciscoasa# exit Used to exit from an access mode ciscoasa> enable password: ciscoasa# configure terminal ciscoasa(config)# exit ciscoasa# exit ciscoasa>

  38. help Command ciscoasa > help ? enable Turn on privileged commands exit Exit the current command mode login Log in as a particular user logout Exit from current user profile to unprivileged mode perfmon Change or view performance monitoring options ping Test connectivity from specified interface to an IP address quit Exit the current command mode ciscoasa > help enable USAGE: enable [<priv_level>]

  39. File Management

  40. Viewing and Saving Your Configuration The following commands enable you to view your configuration: • Show running-config • Show startup-config The following commands enable you to save your configuration: • copy run start • write memory To save configuration changes: copy run start startup- config (saved) running- config Configuration Changes

  41. Clearing Running Configuration Clear the running configuration: clear config all startup- config running- config (default) ciscoasa(config)# clear configure all Clears the running configuration ciscoasa(config)# clear config all

  42. Clearing Startup Configuration Clear the startup configuration: write erase startup- config (default) running- config ciscoasa# write erase Clears the startup configuration ciscoasa# write erase

  43. Reload the Configuration: reload Command ciscoasa# Reboots the security appliance and reloads the configuration Allows scheduled reboots reload [at hh:mm [month day | day month]] [cancel] [in [hh:]mm] [max-hold-time [hh:]mm] [noconfirm] [quick] [reason text] [save-config] ciscoasa# reload Proceed with reload?[confirm] y Rebooting...

  44. File System Release 7.0 and later • Software image • Configuration file • Private data • ASDM image • Backup image* • Backup configuration file*

  45. Displaying Stored Files: System and Configuration Display the directory contents • Internet ASA disk0: disk1: PIX Security Appliance flash: ciscoasa# dir [/all] [/recursive] [all-filesystems] [disk0: | disk1: | flash: | system:] ciscoasa# dir Directory of disk0:/ 8 -rw- 8202240 13:37:33 Jul 28 2006 asa721-k8.bin 1264 -rw- 5539756 13:21:13 Jul 28 2006 asdm-521.bin 62947328 bytes total (49152000 bytes free)

  46. Outside Network GigabitEthernet0/0 Security level 0 Interface name = outside Internet Inside Network DMZ Network GigabitEthernet0/1 Security level 100 Interface name = inside GigabitEthernet0/2 Security level 50 Interface name = DMZ Security Level Example g0/2 g0/1 g0/0

  47. Examining Security Appliance Status

  48. show Commands asa1# show run interface . . . interface GigabitEthernet0/0 speed 1000 duplex full nameif outside security-level 0 ip address 192.168.1.2 255.255.255.0 ! interface GigabitEthernet0/1 speed 1000 duplex full nameif inside security-level 100 ip address 10.0.1.1 255.255.255.0 . . . show run interface asa1# show interface Interface GigabitEthernet0/0 "outside", is up, line protocol is up Detected: Speed 1000 Mbps, Full-duplex Requested: Auto MAC address 000b.fcf8.c538, MTU 1500 IP address 192.168.1.2, subnet mask 255.255.255.0 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 packets output, 0 bytes, 0 underruns input queue (curr/max blocks): hardware (0/0) software (0/0) output queue (curr/max blocks): hardware (0/0) software (0/0) Received 0 VLAN untagged packets, 0 bytes Transmitted 0 VLAN untagged packets, 0 bytes Dropped 0 VLAN untagged packets show interface

  49. show memory Command ciscoasa# show memory asa1# show memory Free memory: 468962336 bytes (87%) Used memory: 67908576 bytes (13%) ------------- ---------------- Total memory: 536870912 bytes (100%)

  50. Internet show cpu usage Command 10.0.1.11 10.0.1.4 ciscoasa# show cpu usage asa1# show cpu usage CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

More Related