Accessing Cisco Security Appliance

A Security Appliance can be accessed by using the console port or remotely using the following methods: A browser using Cisco Adaptive Security Device Manager (ASDM). Console port access allows a single user to configure the Security Appliance. A user connects a PC or portable computer to the Security Appliance through the console access port using a rollover cable. The following sections describe how to access the Security Appliance remotely using Telnet and SSH. Chapter 15, Adaptive Security Device Manager,...

Accounting: Maintains a record of user access

Cisco Security Appliance version 6.2 can maintain an internal user database for console authentication and command authorization or connect to an external AAA server. The Security Appliance supports RADIUS, TACACS+, SDI, NT, Kerberos, and LDAP authentication technologies. Figure 17-20 shows the steps that the AAA server takes during the entire AAA process. Step 1: The user initiates a connection to the web server and is prompted for a username/password. Step 5: The firewall allows the connection. Step 5: The...

ACL Logging

The ACL logging feature lets you log the number of permits or denies of a flow during a specific period of time. A flow is defined by protocol, source IP address, source port, destination IP address, and destination port. When a flow is permitted or denied, the system checks to see if the flow already exists in the system. If not, an initial syslog message with a hit count of 1 for the flow is generated. The flow entry is then created and the hit count for the flow is incremented every time the...

ASDM Installation

Before installing ASDM, follow these steps:
Step 1 Save or print your Security Appliance configuration and write down your activation key.
Step 2 If you are upgrading from a previous version of Security Appliance software, you must obtain the ASDM software from Cisco in the same way you download the Security Appliance software. Then, use TFTP to download the image to your Security Appliance unit.
Step 3 If you upgrade your Cisco Security Appliance Software to version 7.0 and you plan to use...

Assign a Shell Command Authorization Set on a Per Network Device Group Basis

In ACS version 3.1 and later, to apply a shell command authorization set to the TACACS+ AAA clients who belong to a particular Network Device Group (NDG), select this option, and then use the following options: Device Group: From the list, select the NDG to which you want to assign a shell command authorization set. Command Set: From the list, select the shell command authorization set you want to apply to the NDG. Add Association: Click to add the NDG and command set selected to the Device Group...

Assigning Policies to an Interface

For interfaces to be activated, you need to assign policies to them. An interface is defined as any physical interface or as a logical interface that can be defined by the nameif command. Additionally, you can apply a policy to the global interface. To assign a policy to an interface, use the service-policy command. The service-policy command assigns a policy map to a specific interface. Only one service-policy command can be made on any one interface. To disable the command, use the no form of...

Basic Configuration Information for HOUPIX

Tables 20-10 through 20-13 provide the information needed to configure the PIX Firewall in the Houston office. Table 20-10 shows information about the physical interfaces of the Cisco PIX Firewall. Table 20-10 Interface Information for the Houston PIX. Table 20-11 depicts which routes need to be configured on the PIX Firewall in the Houston office. Table...

Basic Configuration Information for HQPIX

Table 20-1 lists the physical interfaces of the Cisco PIX Firewall that is installed in the Reston headquarters. This table includes the interface name, physical interface ID, assigned address, and speed/duplex. Table 20-1 PIX Interface Information for HQ. Table 20-2 shows what routing information needs to be configured on the PIX. Note that the only route required is the default route. No specific routes are defined on the firewall. Table 20-2 PIX...

Basic Configuration Information for MNPIX

Tables 20-6 through 20-9 provide the information needed to configure the PIX Firewall at the Minneapolis office. Table 20-6 shows information about the physical interfaces on the PIX Firewall. Table 20-6 PIX Interface Information for Minneapolis. Table 20-7 depicts which routes need to be configured on the PIX Firewall in the Minneapolis office. Table 20-7 Routing...

Step 8 Specify the encryption and authentication algorithms used by IKE (Phase 1), as shown in Figure 15-34. Step 9 Specify the encryption and authentication algorithms used by the IPSec VPN tunnel, as shown in Figure 15-35. Figure 15-35 Transform Set Window (IPSec Encryption and Authentication)

Case Study and Sample Configuration

The DUKEM consulting firm is a medium-size company with 700 employees. It has three offices across the continental United States. Twenty percent of DUKEM's employees are mobile or telecommute. Figure 20-1 shows the current DUKEM network infrastructure. Figure 20-1 DUKEM Network Infrastructure

Certification Exam and This Preparation Guide

The questions for each certification exam are a closely guarded secret. The truth is that if you had the questions and could only pass the exam, you would be in for quite an embarrassing experience as soon as you arrived at your first job that required Security Appliance skills. The point is to know the material, not just to pass the exam successfully. We do know what topics you must know to complete this exam. These are, of course, the same topics required for you to be proficient with the...

Configuration of AAA on the Cisco Security Appliance: Virtual HTTP

Virtual HTTP functions similarly to virtual Telnet in that the PIX Firewall acts as the HTTP server via an additional IP address assigned to the firewall. Users might believe that they are accessing the web server, but they are actually accessing the virtual server for the authentication prompt, being authenticated by an AAA server, and being redirected to their destination after successful authentication. The syntax for virtual http is as follows: virtual http ip-address warn. The warn option is used for...

Modular Policy Framework: Table 8-5 set connection Command Options

The maximum number of simultaneous TCP and UDP connections that are allowed. The maximum number of half-open (embryonic) TCP connections associated with a policy map. Enables or disables TCP sequence number randomization; disable it only when multiple Security Appliances are placed inline with each other, with one appliance performing the sequence number randomization. Using the set connection command, you can also control the timeout for TCP connections. The connection types that a timeout can be...

Cisco ASA 5520 Security Appliance

The Cisco ASA 5520 Security Appliance is a high-availability enterprise firewall and VPN. It is designed as a perimeter security device, as well as a VPN headend for all enterprise connectivity. The ASA 5520 supports a 2.0-GHz Celeron processor, with up to 512 MB of RAM and 64 MB of Flash memory. The availability of security contexts allows the ASA 5520 to support a more flexible firewall design than the ASA 5510. In addition, the ASA 5520 allows the use of SSL VPNs (WebVPN) to support up to...

Cisco ASA 5540 Security Appliance

The Cisco ASA 5540 is the premiere Security Appliance for the large enterprise environment. The ASA 5540 can support up to 100 VLANs, allowing a security administrator greater flexibility when designing a corporate LAN. The ASA 5540 runs on a 2.0-GHz Pentium 4 processor, with up to 1,024 MB of RAM and 64 MB of Flash memory. The ASA 5540, like the ASA 5520, supports LAN-based failover in either Active/Active or Active/Standby mode. The ASA 5540 supports up to 50 security contexts with purchase...

Cisco ASA Security Model Capabilities

The following sections describe the characteristics and capabilities of each firewall in the ASA Security Appliance family. The throughput speeds mentioned for each model refer to the speeds at which the firewall can process the data with most services enabled. The addition of an AIP-SSM module will reduce an interface's throughput speeds if enabled. All the ASA Security Appliances feature the same chassis (see Figure 3-14). Figure 3-14 ASA Security Appliance 55X0 Front Panel...

Cisco PIX 506E

The Cisco PIX 506E Firewall was designed for the ROBO environment. It has a 300-MHz Celeron processor, 32 MB of RAM, and 8 MB of Flash memory. It has a fixed outside Ethernet interface and a fixed inside Ethernet interface. It has a 9600-baud console port that is used for local device management. The PIX 506 does not support failover. Connection capabilities for the PIX 506 are as follows:
Maximum clear-text throughput: 100 Mbps
Maximum throughput (DES): 20 Mbps
Maximum throughput (3DES): 17 Mbps...

Cisco PIX 525

The Cisco PIX 525 Firewall is an enterprise firewall. It provides perimeter security for large enterprise networks. The PIX 525 is rack-mountable in a 2U (3.5-inch) configuration. It has a 600-MHz processor, up to 256 MB of RAM, and 16 MB of Flash memory. It has two fixed 10/100 Ethernet interfaces. The two fixed interfaces are Ethernet 0, which is the outside interface by default, and Ethernet 1, which is the inside interface by default. The PIX 525 also includes three PCI slots for the...

Cisco PIX 535

The Cisco PIX 535 Firewall is the ultimate enterprise firewall designed for enterprise networks and service providers. The PIX 535 is rack-mountable and fits a 3U configuration. It has a 1-GHz processor, up to 1 GB of RAM, and 16 MB of Flash memory. It has nine PCI slots for the installation of up to ten Ethernet interfaces. It has a 9600-baud console port that is used for local device management. The PIX 535 can be configured for failover using a failover cable connected to the 115-kbps serial...

Cisco Security Appliance Models

Table 3-10 PIX Models and Features (Continued) Table 3-11 ASA Models and Features (Continued)

Cisco Security Specialist in the Real World

Cisco is one of the most recognized names on the Internet. You cannot go into a data center or server room without seeing some Cisco equipment. Cisco-certified security specialists are able to bring quite a bit of knowledge to the table because of their deep understanding of the relationship between networking and network security. This is why the Cisco certification carries such clout. Cisco certifications demonstrate to potential employers and contract holders a certain professionalism and...

Client Device Mode

The Cisco VPN Client operates in the following two modes (see the Easy VPN Remote Modes of Operation section earlier in the chapter for more information). To configure the client device mode, you use the vpnclient mode command. The syntax for this command is as follows: vpnclient mode. Client mode applies NAT/PAT to all IP addresses of the clients connected to the higher-security (inside) interface. Network extension mode, on the other hand, does not apply NAT/PAT to any IP addresses of clients on...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
Italic indicates arguments for which you supply actual values.
Vertical bars...

Command Level Authorization

In some organizations, there may be more than one firewall administrator for the Security Appliances. In those instances, you can give those other administrators full-rights privileges on the Security Appliances, or you can restrict them to the commands needed for their assigned functions, thereby reducing the chance of unintended (or sometimes malicious) events occurring on the firewall(s). The PIX operating system provides a mechanism for controlling what type of command a user can execute. The...

Configuring a Cisco Security Appliance

Eight important commands are used to produce a basic working configuration for a Security Appliance. Before you use these commands, it can prove very useful to draw a diagram of your Cisco Security Appliance with the different security levels, interfaces, and Internet Protocol (IP) addresses. Figure 6-1 shows one such diagram that is used for the discussion in this chapter. Figure 6-1 Documenting Cisco Security Appliance Security Levels, Interfaces, and IP Addresses (Perimeter Router...)

Configuring a Syslogd Server

Because syslogd was originally a UNIX concept, the features available in the syslogd products on non-UNIX systems depend on the vendor implementation. Features might include dividing incoming messages by facility or debug level or both, resolving the names of the sending devices, and reporting facilities. For information on configuring the non-UNIX syslog server, refer to the vendor's documentation. NOTE: Configuring the syslog server is not covered on the PIX CSPFA 642-522 exam. To configure...

Configuring Access VPNs

Cisco Easy VPN, a software enhancement for Cisco Security Appliances, greatly simplifies virtual private network (VPN) deployment for remote offices and telecommuters. By centralizing VPN management across all Cisco VPN devices, Cisco Easy VPN reduces the complexity of VPN deployments. Cisco Easy VPN enables you to integrate various remote VPN solutions (Cisco IOS routers, Cisco PIX Firewalls, Cisco ASA 55X0 series firewalls, Cisco VPN 3002 Hardware Clients, and...

Configuring Downloadable Security Appliance ACLs

Version 3.0 and later of Cisco Secure ACS allows you to create a downloadable ACL using the shared profile component. The downloadable ACL configuration is supported only for RADIUS servers. To verify that your configuration is for a RADIUS server, select Network Configuration from the navigation bar and click AAA Client. Verify that RADIUS (Cisco IOS Security Appliance) is selected, as shown in Figure 18-19. Figure 18-19 RADIUS (Cisco IOS PIX) Configuration...

Configuring E-Mail Proxies

The WebVPN service supports four types of e-mail proxies. Of the four types of e-mail proxies, only MAPI is handled through the functions command: tgasa(config-group-webvpn) functions mapi. The other three are handled in a subcommand mode similar to WebVPN mode, as described previously. Each proxy's subcommand mode can use the commands listed in Table 13-14. Assigns a preconfigured accounting server group to use with the proxy. None are initially configured. Assigns an authentication mode for the proxy...

Configuring Failover

To configure failover, you need to become familiar with a few key commands. Table 12-4 shows the commands used to configure and verify failover. Table 12-4 Security Appliance Failover Commands. Enables the failover function on the PIX Firewall. Use this command after you connect the failover cable between the primary and secondary unit. Use the no failover command to disable the failover feature. Table 12-4 Security Appliance Failover Commands...

Configuring Multiple Translation Types on the Cisco Security Appliance

It is a good practice to use a combination of NAT and PAT. If you have more internal hosts than external IP addresses, you can configure both NAT and PAT. Your first group of hosts translates to the global addresses that are listed and the remaining hosts use PAT and translate to the single global address. PAT is configured separately from NAT. If NAT is configured without PAT, once the available global IP address range is depleted, additional translation attempts will be refused. If the...

Configuring Security Appliances for Scalable VPNs

Earlier in this chapter, you learned about the different methods of negotiating an IPSec SA: Manual IPSec, which requires you to configure each peer manually. This method is not recommended by Cisco because it does not allow for key exchanges and, therefore, would be rather easy to decrypt, given enough time and traffic. Obviously, manual IPSec is not a scalable solution. IKE, which dynamically negotiates your SA using preshared keys or digital certificates. Preshared keys still require you to...

Configuring Simple Network Management Protocol on Security Appliance

The snmp-server command causes the Security Appliance to send SNMP traps so that the Security Appliance can be monitored remotely. Use the snmp-server host command to specify which systems receive the SNMP traps. Example 4-5 shows an SNMP sample configuration on a PIX Firewall. Example 4-5 Sample SNMP Configuration on a PIX Firewall. The location and contact commands identify where the host is and who administers it. The community command...

Configuring Syslog on a Cisco Security Appliance

The logging command is used to configure logging on the PIX Firewall. Logging is disabled by default. Table 10-3 describes the parameters of the logging command. Table 10-3 logging Command Parameters. Enables the transmission of syslog messages to all output locations. You can disable sending syslog messages with the no logging on command. Allows you to disable specific syslog messages. Use the logging message message_number command to resume logging of...

Configuring the ASDM to View Logging

The ASDM Log panel, shown in Figure 10-1, allows you to view syslog messages that are captured in the ASDM Log buffer in the Security Appliance memory. You may select the level of syslog messages you want to view. When you view the ASDM Log, all the buffered syslog messages at and below the logging level you choose are displayed. The ASDM logging panel has the following fields: Logging...

Configuring the Central PIX Firewall HQPIX for VPN Tunneling

Both remote sites connect to the Reston location using VPN tunneling. The VPN protects the traffic coming from the remote sites. The following steps define the VPN characteristics on HQ-PIX:
Step 1 Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy.
Step 2 Configure a preshared key and associate it with the peers (Houston and Minneapolis):
isakmp key C2 ghi address 192.168.3.2
isakmp key B2 def address 192.168.2.2
Step 3 Configure the supported IPSec transforms...

Configuring the Cisco Security Appliance to Send Syslog Messages to a Log Server

Configuring a Security Appliance to send logging information to a server helps you collect and maintain data that can later be used for forensic and data traffic analysis. The Security Appliance syslog messages are usually sent to a syslog server or servers. The Security Appliance uses UDP port 514 by default to send syslog messages to a syslog server. The syntax for configuring the Security Appliance to send syslog messages to a syslog server is as follows: Pixfirewall(config) logging...

Configuring the Houston PIX Firewall Houpix for VPN Tunneling

Similar to configuring the VPN characteristics on HQ-PIX, you also must define the VPN characteristics at each of the remote sites. The following steps outline the commands necessary to define the VPN characteristics on HOU-PIX at the Houston remote site:
Step 1 Configure an ISAKMP policy:
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
Step 2 Configure a preshared key...

Configuring the Minneapolis PIX Firewall MNPIX for VPN Tunneling

Similar to configuring the VPN characteristics on HQ-PIX, you also must define the VPN characteristics at each of the remote sites. The following steps outline the commands necessary to define the VPN characteristics on MN-PIX at the Minneapolis remote site:
Step 1 Configure an ISAKMP policy:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 lifetime 1000
Step 2 Configure a preshared key and associate it with the peer (HQ-PIX):
isakmp key A1 abc address 192.168.1.2
Step 3 Configure the...

Configuring the Security Appliance DHCP Client

DHCP client support on the Cisco Security Appliance is designed for use in SOHO environments in which digital subscriber line (DSL) and cable modems are used. The DHCP client can be enabled only on the outside interface of the Security Appliance. When the DHCP client is enabled, DHCP servers on the outside provide the outside interface with an IP address. NOTE: The DHCP client does not support failover configuration. The DHCP client feature on a Security Appliance is enabled by the ip address...

Configuring the Security Appliance DHCP Server

Configuring the Security Appliance to operate as a DHCP server involves the following tasks:
Configuring the address pool
Specifying WINS, DNS, and the domain name
Configuring the DHCP options
Configuring the DHCP lease length
NOTE: Configuring the Security Appliance to serve as a DHCP server also requires you to assign a static IP address to the inside interface. This is one of the basic configuration tasks when setting up your Security Appliance. A DHCP server needs to know which addresses it...

Configuring Transparent Mode

With the release of Security software version 7.0, a Security Appliance can run as a Layer 2 firewall. Standard firewalls act in a similar fashion as a router, routing packets through the firewall instead of switching them. This creates an extra hop in the IP path that a user can detect. With transparent firewall enabled, the Security Appliance will act as a Layer 2 filtering bridge, switching the packets instead of routing them, and the user will not see an additional hop within the IP path....

Contents

How to Best Use This Chapter
Do I Know This Already Quiz
Foundation and Supplemental Topics
Overview of Network Security
Vulnerabilities, Threats, and Attacks
Vulnerabilities
Threats
Types of Attacks
Reconnaissance Attacks
Access Attacks
DoS Attacks
Security Policies
Step 1 Secure
Step 2 Monitor
Step 3 Test
Step 4 Improve
Network Security as a Legal Issue
Defense in Depth
Cisco AVVID and Cisco SAFE
Cisco AVVID
Cisco SAFE
Foundation Summary...

Contents at a Glance

Firewall Technologies and the Cisco Security Appliance
Understanding Cisco Security Appliance Translation and Connection
Getting Started with the Cisco Security Appliance Family of Firewalls
Configuring Access
Modular Policy Framework
Security Contexts
Syslog and the Cisco Security Appliance
Routing and the Cisco Security Appliance
Cisco Security Appliance Failover
Adaptive Security Device Manager
Content Filtering on the Cisco Security Appliance...

Cut Through Proxy

The cut-through proxy feature on a Cisco Security Appliance provides significantly better performance than application proxy firewalls because it completes user authentication at the application layer, verifies authorization against the security policy, and then opens the connection as authorized by the security policy. Subsequent traffic for this connection is no longer handled at the application layer but is statefully inspected, providing significant performance benefits over proxy-based...

Debug Command

The debug command lets you watch the VPN negotiation take place. This command is available only from configuration mode on the PIX and will not display any output in a Telnet session. Table 13-8 explains the two debug commands most commonly used to troubleshoot VPN connectivity: one displays IKE communication between the PIX and its IPSec peers; the other displays IPSec communication between the PIX and its IPSec peers. Example 13-8 displays the output from the debug crypto isakmp command on the PIX Firewall...

Description: A description of the access list

ACL Definitions: A test of the command. This should use the same format as the command used on the Security Appliance Firewall, except for the access list name and the fact that there is no requirement for the keyword access-list. It also is not necessary to add the access list to an access group. This is done automatically when the ACL is downloaded to the Security Appliance Firewall. Figure 18-21 shows a downloadable ACL configured to allow outbound access to Figure 18-21 Creating a...

Diffie-Hellman group

As soon as the IKE SA negotiation is complete, the established SA is bidirectional. The phase 2 negotiations establish unidirectional SAs between two IPSec peers. The SAs determine the keying, protocols, and algorithms to be used between the peers. Two primary security protocols are included as part of the IPSec standard supported by the Cisco Security Appliance: Encapsulating Security Payload (ESP). ESP provides data authentication, encryption, and antireplay services. ESP is protocol number 50...

Do I Know This Already

1. What differentiates Modular Policy Framework from classic policy maps? Answer: A Modular Policy Framework (MPF) gives the security administrator the tools to segment traffic flows into traffic classes and to assign one or more actions to each traffic class. Traditional policy maps only allowed actions to be assigned to the total traffic flow on the Security Appliance, whereas with an MPF, HTTP traffic can have a policy separate from H.323 or ICMP. 2. What are the three parts to an MPF and what do...

Do I Know This Already Quiz

The purpose of the Do I Know This Already quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The ten-question quiz, derived from the major sections in the Foundation and Supplemental Topics portion of the chapter, helps you determine how to spend your limited study time. Table 1-1 outlines the major topics discussed in this chapter and the Do I Know This Already...

Do I Know This Already Quiz 1 d

1. What is the difference between TCP and UDP? Answer: TCP is a connection-oriented protocol, and UDP is a connectionless protocol. 2. What is the default security for traffic originating on the inside network segment going to the outside network? Answer: By default, traffic is permitted from the inside (higher security level) to the outside (lower security level) network as long as the appropriate nat/global/static command has been configured. 3. True or false: You can have multiple translations in a...

Domain Name Inspection

To understand the DNS attack protection provided by Cisco Security Appliance, it helps to understand how DNS can be exploited to cause a DoS attack. DNS queries are sent from the attacker to each of the DNS servers. These queries contain the target's spoofed address. The DNS servers respond to the small query with a large response. These responses are routed to the target, causing link congestion and possible denial of Internet connectivity. The port assignment for DNS cannot be configured on...

d. show tcp active

9. Why is it difficult to penetrate the Security Appliance over UDP port 53? a. The Security Appliance allows multiple outbound queries but randomizes the UDP sequence numbers. b. The Security Appliance allows queries to go out to multiple DNS servers but drops all but the first response. c. The Security Appliance allows responses only to outbound DNS queries. 10. How many connections can you hide behind a single global address? The answers to the Do I Know This Already quiz are found in Appendix A,...

Dynamic Routes

Besides creating static routes manually, the Cisco Security Appliance also supports some dynamic routing functionality. Dynamic routes are created based on routing protocols that automatically add entries into the Security Appliance's routing table. The Security Appliance supports the following two different routing protocols, but only one can be active on a single Security Appliance. The Security Appliance can learn new routes based on the RIP routing broadcasts, but the Security Appliance does...

Easy VPN Remote Feature

The Easy VPN Remote feature enables Security Appliances, Cisco VPN 3002 Hardware Clients, Cisco VPN Software Clients, and certain Cisco IOS routers to act as remote VPN clients. The Easy VPN Server can push security policies to these clients, thus minimizing VPN configuration requirements at remote locations. This cost-effective solution is ideal for remote offices with little information technology (IT) support as well as large deployments where it is impractical to configure individual remote...

Easy VPN Server

The Easy VPN Server enables Cisco IOS routers, Security Appliances, and Cisco VPN 3000 Series concentrators to serve as VPN headend devices when remote offices are running the Easy VPN Remote feature. The configuration works for both site-to-site and remote access configurations. With Cisco Easy VPN, security policies defined at the headend are pushed to the remote VPN device, ensuring that the connection has up-to-date policies in place before the connection is established. Mobile workers...

Enabling the Point-to-Point over Ethernet Client

By default, the PPPoE client on the Security Appliance is disabled. Use the following command to enable the PPPoE client:
ip address interface-name pppoe setroute
You also can enable PPPoE by manually entering the IP address using the following command:
ip address interface-name ip-address netmask pppoe setroute
This command causes the Security Appliance to use the specified IP address instead of negotiating with the PPPoE server to assign an address dynamically. The parameters for the ip address...

Enabling Transparent Mode

When you decide to enable transparent mode, ensure that your configuration has been backed up. When this feature is enabled, it will clear the current configuration to avoid any command conflicts that may exist with the currently deployed configuration. To enable transparent mode, use the firewall transparent command in the global configuration mode. If you are using multiple contexts, you must execute this command in the system configuration mode, which will affect all configured contexts. Use...

Extended Authentication Configuration

XAUTH enables the Easy VPN Server to require username/password authentication in order to establish the VPN connection. This authentication is performed by an AAA server. To configure the Easy VPN Server to use XAUTH for remote VPN clients, you must set up the Easy VPN Server and configure it to perform XAUTH. The complete configuration process involves performing the following tasks: Create an Internet Security Association and Key Management Protocol (ISAKMP) policy for remote Cisco VPN Client...

Filtering ActiveX Objects

The filter activex command filters out ActiveX objects and other HTML <OBJECT> usages from inbound packets. These controls include custom forms, calendars, and extensive third-party forms for gathering or displaying information. The syntax for filtering ActiveX objects is as follows: filter activex port local-ip local-mask foreign-ip foreign-mask. Note that if the <OBJECT> and </OBJECT> HTML tags are split across network packets, or if the code in the tags is longer than the number of...

Filtering Long URLs

Cisco Security Appliance supports filtering URLs up to 6000 bytes for the Websense URL-filtering server. The default is 2000 bytes. In addition, Cisco Security Appliance supports the longurl-truncate and cgi-truncate parameters to allow handling of URL requests longer than the maximum permitted size. The format for these options is as follows: filter url [http | port[-port]] local-ip local-mask foreign-ip foreign-mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]. Table 16-4 identifies...

Filtering URLs

Most organizations today have human resources policies that specify that indecent materials cannot be brought into the workplace. Similarly, most organizations have network security policies that prohibit users from visiting websites that are categorized as indecent or inappropriate to the business mission of the organization. Using other content-filtering vendor products, the Cisco Security Appliance enforces network security policy as it relates to URL filtering. When a user issues an HTTP request...

Foundation Summary

The Foundation Summary provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this summary provides a convenient way to review the day before the exam. Cisco Easy VPN greatly simplifies VPN deployment for remote offices and telecommuters....

FTP Inspection

The FTP protocol requires some special handling due to its use of two ports per FTP session. The FTP protocol uses two ports when activated for transferring data: a control channel and a data channel, using ports 21 and 20, respectively. The user, who initiates the FTP session over the control channel, makes all data requests through that channel. The FTP server will then initiate a request to open a port from server port 20 to the user's computer. FTP will always use port 20 for data channel...

Global Command

The global command is used to define the address or range of addresses into which the addresses defined by the nat command are translated. It is important that the nat-id be identical to the nat-id used in the nat command. The nat-id pairs the IP address defined by the global and nat commands so that network translation can take place. The syntax of the global command is as follows: global (if-name) nat-id global-ip[-global-ip] [netmask netmask]. Table 6-8 describes the parameters and...

How to Read System Log Messages

System log messages received at a syslog server begin with a percent sign (%) and are structured as follows: %PIX-level-message-number: message-text. PIX identifies the message facility code for messages generated by the Cisco Security Appliance. level reflects the severity of the condition described by the message; the lower the number, the more serious the condition. message-number is the numeric code that uniquely identifies the message. message-text is a text string describing the condition....

How to Use This Book

Each chapter builds upon the chapter that precedes it. The chapters that cover specific commands and configurations include case studies or practice configurations. Chapter 20 includes additional case studies and configuration examples that might or might not work; it is up to you to determine whether the configurations fulfill the requirement and why. This book was written as a guide to help you prepare for the SNPA certification exam. It is a tool, not the entire...

HTTP Inspection

Many known exploits have used HTTP as the transport. Many of these exploits relied on embedded applications or scripting languages, such as Java or ActiveX, to take control of a user's system. Additionally, exploits have been known to take advantage of web browsers or computers that do not fully comply with the RFC 2616 standard. With HTTP inspection, the Security Appliance can help control these exploits by filtering out specific attacks and threats that are known to be associated with HTTP traffic...

Inbound Multicast Traffic

Allowing inbound multicast traffic involves the configuration shown in Figure 11-3. In this configuration, the multicast router is located outside the Security Appliance and the hosts that want to receive multicast traffic are being protected by the Security Appliance. Figure 11-3 Inbound Multicast Configuration. Because the hosts that need to receive the multicast traffic are separated from the multicast router by your Security Appliance, you need to...

Installing Cisco Secure ACS Version 3.3 on Windows Server

You can download a 90-day trial version of Cisco Secure ACS from the Cisco Software Center at Cisco.com. You must register as a user to receive your CCO login. You must have the CCO login to download software from the software center. The installation of Cisco Secure ACS is an easy, step-by-step process. It is a good idea to verify that your Windows server is up to the current patch level. When you are ready to begin the installation, just run setup.exe. Figure 17-3 shows the initial Cisco...

Interface Security Levels and the Default Security Policy

By default, a Cisco Security Appliance applies security levels to each interface. The more secure the network segment, the higher the security number. Security levels range from 0 to 100. By default, 0 is applied to Ethernet 0 and is given the default name outside; 100 is applied to Ethernet 1 and is given the default name inside. Any additional interfaces are configured using the nameif command. The security level for these additional interfaces can be from 1 to 99. The Adaptive Security...

Internet Key Exchange

Internet Key Exchange is the protocol that is responsible for negotiation. IKE is the short name for ISAKMP/Oakley, which stands for Internet Security Association and Key Management Protocol (with Oakley distribution). The terms IKE and ISAKMP are used interchangeably throughout this chapter. IKE operates over User Datagram Protocol (UDP) port 500 and negotiates the key exchange between the ISAKMP peers to establish a bidirectional SA. This process requires that the IPSec systems first...

ip address Command

All the interfaces on a Security Appliance that will be used must be configured with an IP address. The IP address can be configured manually or through Dynamic Host Configuration Protocol (DHCP). The DHCP feature is usually used on Cisco Security Appliance small office home office (SOHO) models. DHCP is discussed later in this chapter. The ip address command, while in interface configuration mode, is used to configure IP addresses on the Security Appliance interfaces. The ip address command...

Key Terms

Table 1-2 lists the most important terms used in this chapter. Table 1-2 Chapter Key Terms. The implementation of security devices, policies, and processes to prevent unauthorized access to network resources or the alteration or destruction of A formal statement that specifies a set of rules that users must follow while gaining access to the corporate network. A network architecture that provides multiple layers of protection. Cisco Architecture for Voice, Video, and Integrated Data. The...

Managing Security Contexts

Security contexts can be accessed on two levels. A security administrator can log into the admin context or system execution space. This will allow the security administrator access to the configuration of all configured contexts, as well as the ability to create new contexts. Additionally, users can be set up as security administrators for specific contexts. When users log into the Security Appliance, they will be able to see only the security context to which they have been assigned. Within...

Message integrity algorithm: SHA-1 or MD5

Key exchange parameters: Diffie-Hellman group 1, group 2, or group 5. IKE-established SA lifetime: the default is 86,400 seconds. Security Appliance supports an unlimited ISAKMP SA (phase 1) lifetime by using a value of 0. This allows for VPN connectivity with third-party VPN products that do not support rekeying the ISAKMP SA. An unlimited ISAKMP SA lifetime will be much less secure than a constantly rekeyed SA and should be used only if required to support connections to third-party gateways....

Minimum Hardware and Operating System Requirements for Cisco Secure ACS

Table 17-2 documents the minimum requirements needed by a system to run Cisco Secure ACS version 3.3. Table 17-2 Cisco Secure ACS Version 3.3 System Requirements: Pentium III processor, 550 MHz or greater. 256 MB of RAM. 250 MB of available drive space; additional space is required if you intend to run the Cisco Secure ACS database on this system. Screen resolution of 800x600 pixels and 256-color display. Microsoft Windows 2000 Server...

Monitoring in Transparent Mode

All traffic flows based on MAC address lookup via bridging. MAC addresses are either statically assigned by the administrator or dynamically learned through traffic over an interface. The Security Appliance lists all known MAC addresses in the MAC address table. This table is used by the Security Appliance to switch traffic that passes through it, based on any filters applied to each interface. To display the current MAC address table, you can use the show mac-address-table command in...

Multicast Commands

Configuring multicast functionality on your Security Appliance requires you to understand various multicast configuration commands. The major multicast configuration commands are as follows: igmp query-max-response-time. The multicast-routing command enables PIM and IGMP on all interfaces. The syntax for this command is To configure your Security Appliance to forward multicast traffic when the multicast router is on the inside interface, you need to use the mroute command. The syntax for this...

Nat Command

The nat (Network Address Translation) command lets you dynamically translate a set of IP addresses (usually on the inside) to a global set of IP addresses. NOTE: PIX version 6.2 and later support bidirectional translation of inside network IP addresses to global IP addresses and translation of outside IP addresses to inside network IP addresses. The nat command is always paired with a global command, with the exception of the nat 0 command. Table 6-5 describes the command parameters for the nat...

Navigating Multiple Contexts

When you log into the admin context or the system execution space, you might need to switch between multiple contexts. This will enable you to perform configuration changes and monitor separate contexts while logged on. Each context has reserved system execution space that is limited to that context's running configuration. This will require you to swap between contexts to show the configuration of each context. This will also require you to do a write memory command in each context to save the...

Nesting Object Groups

You can add an object group within an object group. The object-group command allows logical grouping of the same type of objects and construction of hierarchical object groups for structured configuration. To nest an object group within another object group, use the group-object command. Example 7-10 illustrates the use of nested object groups. Example 7-10 Configuring Nested Object Groups

Network Extension Mode

In network extension mode, all SOHO PCs connected to the Easy VPN Remote device are uniquely addressable by the VPN tunnel. This allows devices to connect directly to PCs behind the Easy VPN Remote device. Figure 14-4 illustrates the Easy VPN Remote network extension mode. The remote client hosts are assigned IP addresses that are fully routable by the destination network through the tunnel. Figure 14-4 Easy VPN Remote Network Extension Mode

Network Object Type

The network object type is used to group hosts and subnets. Server and client hosts can be grouped by function. For example, mail servers, web servers, or a group of client hosts that have special privileges on the network can be grouped accordingly. Example 7-5 shows a web servers object group. Example 7-5 Configuring an Object Group
  pixfirewall(config)# object-group network web-servers
  pixfirewall(config-network)# description Public web servers
  pixfirewall(config-network)# network-object host 192.168.1.12
  pixfirewall(config-network)# network-object host 192.168.1.14
  ...

Overview of Virtual Private Network Technologies

Before the creation of VPN technologies, the only way for companies to secure network communications between different locations was to purchase or lease costly dedicated connections. VPNs allow companies to create secure encrypted tunnels between locations over a shared network infrastructure such as the Internet. A VPN is a service that offers secure, reliable connectivity over a shared public network infrastructure. VPNs are broken into three types based on the business component accessing...

Password Recovery Procedure for a Diskless PIX Firewall (PIX 501, 506, 506E, 515E, 515, 525, and 535)

Step 1 Start the terminal-emulation software, and connect your portable computer or PC to the console port of the PIX Firewall.
Step 2 After you power on the Cisco PIX Firewall and the startup messages appear, send a BREAK character or press the Esc key. The monitor> prompt is displayed.
Step 3 At the monitor> prompt, use the interface command to specify which interface the PIX Firewall traffic should use.
Step 4 Use the address command to specify the IP address of the PIX Firewall...

Password Recovery Procedure for a PIX Firewall with a Floppy Drive (PIX 520)

Step 1 Create the boot disk by running the rawrite.exe file on your portable computer or PC and writing npxn.bin to the bootable floppy.
Step 2 Make sure that the terminal-emulating software is running on your PC and that you connected the console cable to the Cisco PIX Firewall. NOTE: Because you are locked out, you see only a password prompt.
Step 3 Insert the PIX Firewall password lockout utility disk into the PIX Firewall's floppy drive. Push the Reset button on the front of the PIX...

Point-to-Point Protocol over Ethernet and the Security Appliance

Many Internet service providers (ISPs) deploy PPPoE because it provides high-speed broadband access using their existing remote access infrastructure. PPPoE is also easy for customers to use. Figure 14-13 depicts a typical PPPoE network configuration that uses a Security Appliance to secure a low-cost always-on Internet connection. The Security Appliance can secure various broadband connections, including the following: Digital Subscriber Line (DSL). Figure 14-13 PIX Firewall PPPoE Client...

Proxy

New Webster's Dictionary of the English Language defines proxy as "the agency of a person who acts as a substitute for another person; authority to act for another." Although this definition does not define a proxy firewall, the function is very similar. A proxy firewall, commonly called a proxy server, acts on behalf of hosts on the protected network segments. The protected hosts never actually make any connections with the outside world. Hosts on the protected network send their requests to the...

Cisco Secure ACS version 3.3 includes an optional NAS Configuration window, shown in Figure 17-14, to assist you with the initial configuration of the Cisco IOS Software. If you need further explanation, click...

Route Command

The route command tells the Cisco Security Appliance where to send information that is forwarded on a specific interface and that is destined for a particular network address. You add static routes to the Security Appliance using the route command. Table 6-9 describes the route command parameters, the syntax of which is as follows: route if-name ip-address netmask gateway-ip [metric] [tunneled]. Table 6-9 route Command Parameters...

Routing Information Protocol

The Routing Information Protocol (RIP) can be enabled to build the Cisco Security Appliance routing table. RIP configuration specifies whether the Security Appliance updates its routing tables by passively listening to RIP traffic and whether the interface broadcasts itself as a default route for network traffic on that interface. When using RIP version 2 with Security Appliance software versions earlier than 5.3, it is important to configure the router providing the RIP updates with the...

Rules of the Road

We have always found it very confusing when different addresses are used in the examples throughout a technical publication. For this reason, we use the address space depicted in Figure I-2 when assigning network segments in this book. Please note that the address space we have selected is all reserved space, per RFC 1918. We understand that these addresses are not routable across the Internet and are not normally used on outside interfaces. Even with the millions of IP addresses available on...

Security Appliance Intrusion Protection Feature

Cisco Security Appliance includes an IP-only intrusion protection feature through the AIP-SSM module for the ASA Security Appliance series. It provides visibility at network perimeters or for locations where additional security between network segments is required. After it is configured, the IPS module watches packets and sessions as they flow through the firewall, scanning each for a match with any of the IPS configured filters. When suspicious activity is detected, the Security Appliance...

Security Appliance Requirements to Run ASDM

Like all software, ASDM 5.0 has minimum hardware and software requirements for it to work. ASDM 5.0 is available on all PIX 515/515E, PIX 525, PIX 535, ASA 5510, ASA 5520, and ASA 5540 platforms running software version 7.0. Depending on the model on which ASDM will be running, it must have at least 256 MB of RAM and the Flash memory sizes listed in Table 15-2. Table 15-2 Flash Memory Requirements for Each PIX and ASA Model to Support ASDM 5.0...

Security Context Overview

Within a single Security Appliance, a security administrator can create more than one security context (see Figure 9-1). Each context uses a separate configuration that describes the security policy, assigned interfaces, and options that the security context manages. This reduces the amount of equipment, cost, rack space, and administrative duties that a security department would normally incur if each department required a separate firewall unit. Figure 9-1 Multiple Security Contexts...

Server Functions

The Security Appliance version 6.3 VPN Server supports the following functionality: Mode Configuration version 6; Extended Authentication (XAUTH) version 6; Internet Key Exchange (IKE) dead peer detection (DPD); split tunneling control; initial contact; and group-based policy control. Dead peer detection (DPD) enables two IPSec peers to determine whether each other is still alive during the lifetime of the VPN connection. This functionality is useful to clean up valuable VPN resources that are allocated to a...

Service Policy Rules

The Service Policy Rules window, shown in Figure 15-11, gives the security administrator a place to add or modify QoS rules for the Security Appliance. Figure 15-11 Service Policy Rules Window on ASDM. The ASA uses a menu-driven wizard to configure a service policy through this window. When you press the Add button, a new window opens and starts the wizard. The wizard takes you through three steps to configure a Service Policy Rule. Step 2...