PPPoE (see RFC 2516) provides an authenticated method for assigning IP addresses to client systems by combining two widely accepted standards. Point-to-Point Protocol (PPP) provides a secure and reliable mechanism to transport multiprotocol datagrams over point-to-point links. It has been used reliably for many years to transmit data from dialup clients across modem-based connections. PPPoE is composed of the following two main phases PPPoE connects a...

AAA Rules

Complicated configurations such as AAA have been made significantly more intuitive and easier with the AAA Rules window. The AAA Rules window, shown in Figure 15-9, allows you to define the authentication, authorization, and accounting rules for the Security Appliance. AAA systems are designed to track which users can access the Security Appliance, what permissions each user is granted, and what that user did while connected to the Security Appliance. A rule can be added through the Add button...

Access Modes

The Cisco Security Appliance family of firewalls contains a command set based on Cisco IOS Software technologies that provides three administrative access modes: Unprivileged mode is available when you first access the Security Appliance through the console or Telnet. It displays the > prompt. This mode lets you view only restricted settings. You access privileged mode by entering the enable command and the enable password. The prompt then changes from > to #. In this mode, you can change a few...

Access Rules

The Access Rules window, shown in Figure 15-8, gives the security administrator a place to add or modify an access-list rule for the Security Appliance. This window combines the concepts of access lists, outbound lists, and conduits to describe how a specific host or network interacts with another host or network to permit or deny a specific service and/or protocol. Clicking the Add or Edit button opens a new window, shown in Figure 15-8, which allows you to configure or modify an...

Accounting: Maintains a record of user access

Cisco Security Appliance version 6.2 can maintain an internal user database for console authentication and command authorization or connect to an external AAA server. The Security Appliance supports RADIUS, TACACS+, SDI, NT, Kerberos, and LDAP authentication technologies. Figure 17-20 shows the steps that the AAA server takes during the entire AAA process. Step 1: The user initiates a connection to the web server and is prompted for a username and password. Step 5: The firewall allows the connection...

ACL Logging

The ACL logging feature lets you log the number of permits or denies of a flow during a specific period of time. A flow is defined by protocol, source IP address, source port, destination IP address, and destination port. When a flow is permitted or denied, the system checks to see if the flow already exists in the system. If not, an initial syslog message with a hit count of 1 for the flow is generated. The flow entry is then created and the hit count for the flow is incremented every time the...

Adaptive Security Algorithm

The Adaptive Security Algorithm (ASA) is the key to stateful connection control on the Cisco Security Appliance. The ASA creates a stateful session flow table (also called the state table). Source and destination addresses and other connection information are logged in the state table. By using the ASA, the Cisco Security Appliance can perform stateful filtering on the connections in addition to filtering packets. Additionally, the ASA generates random TCP sequence numbers for outbound...

Administration Context

Security Appliances with multiple security contexts enabled use a special context to manage the system interfaces, as well as all other contexts contained on the firewall. As described previously, the admin context is created by the Security Appliance when multiple security context mode is enabled, and it uses the admin.cfg file to store the admin context configuration. Unlike in single mode, where the system configuration controls the network resources, in multiple security context mode, the admin...

Advanced Protocol Handling

Some applications require special handling by the Cisco Security Appliance application inspection function. These types of applications typically embed IP addressing information in the user data packet or open secondary channels on dynamically assigned ports. The application inspection function works with NAT to help identify the location of embedded addressing information. In addition to identifying embedded addressing information, the application inspection function monitors sessions to...

Application Inspection

Hackers use several methods to cause network service disruption. Denial of service (DoS) is a popular way of causing network disruption. The Cisco Security Appliance has some attack mitigation features to combat some of the following attacks: File Transfer Protocol (FTP) attacks, Hypertext Transfer Protocol (HTTP) attacks, Domain Name System (DNS) attacks, Simple Mail Transfer Protocol (SMTP)-based attacks, Internet Control Message Protocol (ICMP) flooding and spoofing attacks, Remote shell...

Application Inspection Support for Voice over IP

The steady growth of voice over IP (VoIP) technology has also seen the development of new standards. IP phones and devices, unlike their regular phone counterparts, are not fixed to a specific switch device, so they must contain processors that enable them to function and be intelligent on their own, independent from a central switching location. Regular phones are relatively inexpensive because they do not need to be complex; they are fixed to a specific switch at a central switching location....

ASDM Installation

Before installing ASDM, follow these steps: Step 1: Save or print your Security Appliance configuration and write down your activation key. Step 2: If you are upgrading from a previous version of Security Appliance software, you must obtain the ASDM software from Cisco in the same way you download the Security Appliance software. Then, use TFTP to download the image to your Security Appliance unit. Step 3: If you upgrade your Cisco Security Appliance Software to version 7.0 and you plan to use...

ASDM Overview

ASDM is a graphical configuration tool that is designed to help you set up, configure, and monitor your Cisco Security Appliance. It is installed as a separate software image on the Security Appliance and resides in the Flash memory of all firewall units running software version 7.0 and higher. A standalone or browser-based Java applet can be used as a client to access the ASDM graphical user interface (GUI) for configuration. ASDM uses tables, drop-down menus, and task-oriented selection menus...

Assign a Shell Command Authorization Set on a Per Network Device Group Basis

In ACS version 3.1 and later, to apply a shell command authorization set to the TACACS+ AAA clients who belong to a particular Network Device Group (NDG), select this option, and then use the following options: Device Group: From the list, select the NDG to which you want to assign a shell command authorization set. Command Set: From the list, select the shell command authorization set you want to apply to the NDG. Add Association: Click to add the NDG and command set selected to the Device Group...

Assigning Actions to a Traffic Class

For purposes of managing, controlling, and manipulating the traffic classes, actions should be assigned to these traffic classes. A security administrator might want to rate-limit only the HTTP traffic that crosses the network, and use deep inspection on all TCP traffic entering the network. This can be done by assigning one or more traffic classes, through class maps, to policy maps. Policy maps assign one or more actions to one or more class maps assigned to it. Each action is called a...

Assigning Policies to an Interface

For interfaces to be activated, you need to assign policies to them. An interface is defined as any physical interface or as a logical interface that can be defined by the nameif command. Additionally, you can apply a policy to the global interface. To assign a policy to an interface, use the service-policy command. The service-policy command assigns a policy map to a specific interface. Only one service-policy command can be applied to any one interface. To disable the command, use the no form of...

Authentication of Services

The Cisco Security Appliance is designed to authenticate users via FTP, HTTP, HTTPS, and Telnet. Many other services that pass through the Security Appliance also require authentication. To fulfill this requirement, the Security Appliance supports virtual services. With virtual services, the Security Appliance stands in for servers that do not exist, which allows it to authenticate users who want to connect to services other than FTP, HTTP, HTTPS, and Telnet. After a user has been...

Authentication Prompts

The auth-prompt command is used to configure the exact text used when the user is challenged to authenticate, successfully authenticates, or does not authenticate. This command sets the text for FTP, HTTP, and Telnet session authentication. The syntax of this command is auth-prompt [prompt | accept | reject] string. The string is the text that is displayed. It can be up to 235 characters in length for FTP and Telnet connections. It is limited to 120 characters for HTTP connections using Netscape...

Authentication Timeout

After a user is successfully authenticated, the user's information is cached for a predetermined amount of time. You set this time by configuring the timeout uauth command. It is specified in hours, minutes, and seconds. If the user session idle time exceeds the timeout, the session is terminated and the user is prompted to authenticate during the next connection. To disable caching of users, use the timeout uauth 0 command. Be sure not to use timeout uauth 0 when using virtual http....

Basic Configuration

To enable the Security Appliance Easy VPN Remote client to communicate with the Easy VPN Server, you need to identify the location of the Easy VPN Server using the vpnclient server command. The syntax for this command is as follows: vpnclient server Primary_IP Secondary_IPs. You need to specify the IP address of the primary Easy VPN Server. In addition to the primary Easy VPN Server, you also can specify up to ten additional secondary Easy VPN Servers. If the primary server is not accessible, the...

Basic Configuration Information for HOUPIX

Tables 20-10 through 20-13 provide the information needed to configure the PIX Firewall in the Houston office. Table 20-10 shows information about the physical interfaces of the Cisco PIX Firewall. Table 20-10 Interface Information for the Houston PIX. Table 20-11 depicts which routes need to be configured on the PIX Firewall in the Houston office. Table...

Basic Configuration Information for HQPIX

Table 20-1 lists the physical interfaces of the Cisco PIX Firewall that is installed in the Reston headquarters. This table includes the interface name, physical interface ID, assigned address, and speed/duplex. Table 20-1 PIX Interface Information for HQ. Table 20-2 shows what routing information needs to be configured on the PIX. Note that the only route required is the default route. No specific routes are defined on the firewall. Table 20-2 PIX...

Basic Configuration Information for MNPIX

Tables 20-6 through 20-9 provide the information needed to configure the PIX Firewall at the Minneapolis office. Table 20-6 shows information about the physical interfaces on the PIX Firewall. Table 20-6 PIX Interface Information for Minneapolis. Table 20-7 depicts which routes need to be configured on the PIX Firewall in the Minneapolis office. Table 20-7 Routing...

Step 8: Specify the encryption and authentication algorithms used by IKE (Phase 1), as shown in Figure 15-34. Step 9: Specify the encryption and authentication algorithms used by the IPSec VPN tunnel, as shown in Figure 15-35. Figure 15-35 Transform Set Window (IPSec Encryption and Authentication)

Building Blocks

The ASDM uses the name building blocks for the reusable components that must be implemented for your policy. The Building Blocks tab, shown in Figure 15-16, provides a single location where you can configure, view, and modify the building blocks. These building blocks include the following: Hosts/Networks: You can use this option to add, modify, or remove hosts and networks from specific interfaces. Inspect Maps: You can use this option to create inspect maps for specific protocol inspection...


Case Study and Sample Configuration

The DUKEM consulting firm is a medium-size company with 700 employees. It has three offices across the continental United States. Twenty percent of DUKEM's employees are mobile or telecommute. Figure 20-1 shows the current DUKEM network infrastructure. Figure 20-1 DUKEM Network Infrastructure

Certification Exam and This Preparation Guide

The questions for each certification exam are a closely guarded secret. The truth is that if you had the questions and could only pass the exam, you would be in for quite an embarrassing experience as soon as you arrived at your first job that required Security Appliance skills. The point is to know the material, not just to pass the exam successfully. We do know what topics you must know to complete this exam. These are, of course, the same topics required for you to be proficient with the...

Configuration of AAA on the Cisco Security Appliance Virtual HTTP

Virtual HTTP functions similarly to virtual Telnet in that the PIX Firewall acts as the HTTP server via an additional IP address assigned to the firewall. Users might believe that they are accessing the web server, but they are actually accessing the virtual server for the authentication prompt, being authenticated by an AAA server, and being redirected to their destination after successful authentication. The syntax for virtual http is virtual http ip-address [warn]. The warn option is used for...

Modular Policy Framework: Table 8-5 set connection Command Options

The maximum number of simultaneous TCP and UDP connections that are allowed. The maximum number of half-open TCP connections associated with a policy map. Enables or disables TCP sequence number randomization. This option should be used when multiple Security Appliances are placed inline with each other, with one appliance performing the sequence number randomization. Using the set connection command, you can control the timeout for TCP connections. The connection types that a timeout can be...

Checking the Cisco Secure ACS

After you verify your settings on the Cisco Security Appliance, you should double-check the settings on the Cisco Secure ACS to ensure that they match the Security Appliance. You also can use the extensive logging information available in the Cisco Secure ACS Reports and Activity window. You can find a list of troubleshooting information for the Cisco Secure ACS in the Cisco Secure ACS online documentation. Simply enter Troubleshooting Information for Cisco Secure ACS in the Search box at...

Cisco ASA 5520 Security Appliance

The Cisco ASA 5520 Security Appliance is a high-availability enterprise firewall and VPN. It is designed as a perimeter security device, as well as a VPN head point for all enterprise connectivity. The ASA 5520 supports a 2.0-GHz Celeron processor, with up to 512 MB of RAM and 64 MB of Flash memory. The availability of security contexts allows the ASA 5520 to support more flexible firewall design than the ASA 5510. In addition, the ASA 5520 allows the use of SSL VPNs (WebVPN) to support up to...

Cisco ASA 5540 Security Appliance

The Cisco ASA 5540 is the premiere Security Appliance for the large enterprise environment. The ASA 5540 can support up to 100 VLANs, allowing a security administrator greater flexibility when designing a corporate LAN. The ASA 5540 runs on a 2.0-GHz Pentium 4 processor, with up to 1,024 MB of RAM and 64 MB of Flash memory. The ASA 5540, like the ASA 5520, supports LAN-based failover in either Active/Active or Active/Standby modes. The ASA 5540 supports up to 50 security contexts with purchase...

Cisco ASA Security Model Capabilities

The following sections describe the characteristics and capabilities of each firewall in the ASA Security Appliance family. The throughput speeds mentioned for each model refer to the speeds at which the firewall can process the data with most services enabled. The addition of an AIP-SSM module will reduce an interface's throughput speeds if enabled. All the ASA Security Appliances feature the same chassis (see Figure 3-14). Figure 3-14 ASA Security Appliance 55X0 Front Panel...

Cisco PIX 506E

The Cisco PIX 506E Firewall was designed for the ROBO environment. It has a 300-MHz Celeron processor, 32 MB of RAM, and 8 MB of Flash memory. It has a fixed outside Ethernet interface and a fixed inside Ethernet interface. It has a 9600-baud console port that is used for local device management. The PIX 506 does not support failover. Connection capabilities for the PIX 506 are as follows: Maximum clear-text throughput, 100 Mbps; Maximum throughput (DES), 20 Mbps; Maximum throughput (3DES), 17 Mbps...

Cisco PIX 525

The Cisco PIX 525 Firewall is an enterprise firewall. It provides perimeter security for large enterprise networks. The PIX 525 is rack-mountable in a 2U (3.5-inch) configuration. It has a 600-MHz processor, up to 256 MB of RAM, and 16 MB of Flash memory. It has two fixed 10/100 Ethernet interfaces. The two fixed interfaces are Ethernet 0, which is the outside interface by default, and Ethernet 1, which is the inside interface by default. The PIX 525 also includes three PCI slots for the...

Cisco PIX 535

The Cisco PIX 535 Firewall is the ultimate enterprise firewall designed for enterprise networks and service providers. The PIX 535 is rack-mountable and fits a 3U configuration. It has a 1-GHz processor, up to 1 GB of RAM, and 16 MB of Flash memory. It has nine PCI slots for the installation of up to ten Ethernet interfaces. It has a 9600-baud console port that is used for local device management. The PIX 535 can be configured for failover using a failover cable connected to the 115-kbps serial...

Cisco PIX Firewall Models and Features

Cisco has named its family of security firewalls Security Appliances, encompassing both the PIX and ASA Security Appliances. Currently, six models of the Cisco PIX Firewall are available. Additionally, three models have been introduced in the new series of ASA Security Appliances. All these models provide services for users ranging from the small office/home office (SOHO) to the enterprise network and Internet service provider (ISP): Cisco Secure PIX 501: Intended for SOHO use and incorporates an...

Cisco SAFE

The Cisco white papers SAFE: A Security Blueprint for Enterprise Networks and SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks are guides for network designers and focus on the implementation of secure network designs. The SAFE blueprints comprise the following components: Security management and monitoring

Cisco Secure Access Control Server

Cisco Secure ACS is an AAA server product developed by Cisco that can run on Windows NT/2000 Server and UNIX, although Cisco has discontinued support for the Windows NT and UNIX platforms. It supports a number of NASs, including the Cisco Security Appliance. Cisco Secure ACS supports both RADIUS and TACACS+. Cisco has replaced the UNIX platform with the Cisco Secure ACS Solution Engine Server. The server is a standalone 1U server with Cisco Secure ACS 3.3 preinstalled. With the release of Cisco...

Cisco Security Appliance Models

Table 3-10 PIX Models and Features (Continued). Table 3-11 ASA Models and Features (Continued)

Cisco Security Specialist in the Real World

Cisco is one of the most recognized names on the Internet. You cannot go into a data center or server room without seeing some Cisco equipment. Cisco-certified security specialists are able to bring quite a bit of knowledge to the table because of their deep understanding of the relationship between networking and network security. This is why the Cisco certification carries such clout. Cisco certifications demonstrate to potential employers and contract holders a certain professionalism and...

Client Device Mode

The Cisco VPN Client operates in the following two modes (see the Easy VPN Remote Modes of Operation section earlier in the chapter for more information). To configure the client device mode, you use the vpnclient mode command. The syntax for this command is as follows: vpnclient mode. Client mode applies NAT/PAT to all IP addresses of the clients connected to the higher-security (inside) interface. Network extension mode, on the other hand, does not apply NAT/PAT to any IP addresses of clients on...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows: Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command). Italic indicates arguments for which you supply actual values. Vertical bars...

Command Level Authorization

In some organizations, there may be more than one firewall administrator for the Security Appliances. In those instances, you can provide those other admins with full rights/privileges to the Security Appliances or curtail their ability to accomplish their assigned functions, thereby reducing the chance of unintended (or sometimes malicious) events occurring on the firewall(s). The PIX operating system provides a mechanism for controlling what type of command a user can execute. The...


Configuration Replication

Configuration changes, including initial failover configurations to the Cisco Security Appliance, are done on the primary unit. The standby unit keeps the current configuration through the process of configuration replication. For configuration replication to occur, the two Security Appliance units should be running the same software release. Configuration replication usually occurs when: The standby unit completes its initial bootup and the active unit replicates its entire configuration to the...

Configuring a Cisco Security Appliance

Eight important commands are used to produce a basic working configuration for a Security Appliance. Before you use these commands, it can prove very useful to draw a diagram of your Cisco Security Appliance with the different security levels, interfaces, and Internet Protocol (IP) addresses. Figure 6-1 shows one such diagram that is used for the discussion in this chapter. Figure 6-1 Documenting Cisco Security Appliance Security Levels, Interfaces, and IP Addresses...

Configuring a Syslogd Server

Because syslogd was originally a UNIX concept, the features available in the syslogd products on non-UNIX systems depend on the vendor implementation. Features might include dividing incoming messages by facility or debug level or both, resolving the names of the sending devices, and reporting facilities. For information on configuring the non-UNIX syslog server, refer to the vendor's documentation. NOTE: Configuring the syslog server is not covered on the PIX CSPFA 642-522 exam. To configure...

Configuring Access VPNs

The Cisco Easy VPN, a software enhancement for Cisco Security Appliances and security appliances, greatly simplifies virtual private network (VPN) deployment for remote offices and telecommuters. By centralizing VPN management across all Cisco VPN devices, Cisco Easy VPN reduces the complexity of VPN deployments. Cisco Easy VPN enables you to integrate various remote VPN solutions (Cisco IOS routers, Cisco PIX Firewalls, Cisco ASA 55X0 series firewalls, Cisco VPN 3002 Hardware Clients, and...

Configuring DNS Support

It is not necessary to configure DNS support on Cisco Security Appliance. By default, the Security Appliance identifies each outbound DNS request and allows only a single response to that request. The internal host can query several DNS servers for a response, and the Security Appliance allows the outbound queries. However, the Security Appliance allows only the first response to pass through the firewall. All subsequent responses to the original query are dropped. PIX Version 6.3(2) includes a...

Configuring Downloadable Security Appliance ACLs

Version 3.0 and later of Cisco Secure ACS allows you to create a downloadable ACL using the shared profile component. The downloadable ACL configuration is supported only for RADIUS servers. To verify that your configuration is for a RADIUS server, select Network Configuration from the navigation bar and click AAA Client. Verify that RADIUS (Cisco IOS Security Appliance) is selected, as shown in Figure 18-19. Figure 18-19 RADIUS (Cisco IOS PIX) Configuration...

Configuring EMail Proxies

The WebVPN service supports four types of e-mail proxies. Of the four types of e-mail proxies, only MAPI is handled through the functions command: tgasa(config-group-webvpn)# functions mapi. The other three are handled in a subcommand mode similar to WebVPN mode, as described previously. Each proxy's subcommand mode can use the commands listed in Table 13-14. Assigns a preconfigured accounting server group to use with the proxy. None are initially configured. Assigns an authentication mode for the proxy...

Configuring Failover

To configure failover, you need to become familiar with a few key commands. Table 12-4 shows the commands used to configure and verify failover. Table 12-4 Security Appliance Failover Commands. Enables the failover function on the PIX Firewall. Use this command after you connect the failover cable between the primary and secondary unit. Use the no failover command to disable the failover feature...

Configuring Multiple Translation Types on the Cisco Security Appliance

It is a good practice to use a combination of NAT and PAT. If you have more internal hosts than external IP addresses, you can configure both NAT and PAT. Your first group of hosts translates to the global addresses that are listed and the remaining hosts use PAT and translate to the single global address. PAT is configured separately from NAT. If NAT is configured without PAT, once the available global IP address range is depleted, additional translation attempts will be refused. If the...

Configuring Security Appliances for Scalable VPNs

Earlier in this chapter, you learned about the different methods of negotiating an IPSec SA: Manual IPSec, which requires you to configure each peer manually. This method is not recommended by Cisco because it does not allow for key exchanges and, therefore, would be rather easy to decrypt, given enough time and traffic. Obviously, manual IPSec is not a scalable solution. IKE, which dynamically negotiates your SA using preshared keys or digital certificates. Preshared keys still require you to...

Configuring Simple Network Management Protocol on Security Appliance

The snmp-server command causes the Security Appliance to send SNMP traps so that the Security Appliance can be monitored remotely. Use the snmp-server host command to specify which systems receive the SNMP traps. Example 4-5 shows an SNMP sample configuration on a PIX Firewall. Example 4-5 Sample SNMP Configuration on a PIX Firewall. The location and contact commands identify where the host is and who administers it. The community command...

Configuring SNMP Traps and SNMP Requests

SNMP requests can be used to query the Security Appliance on its system status information. If you want to send only the cold start, link up, and link down generic traps, no further configuration is required. SNMP traps send information about a particular event only when the configured threshold is reached. To configure a Security Appliance to receive SNMP requests from a management station, you must do the following: Configure the IP address of the SNMP management station with the snmp-server...

Configuring Syslog on a Cisco Security Appliance

The logging command is used to configure logging on the PIX Firewall. Logging is disabled by default. Table 10-3 describes the parameters of the logging command. Table 10-3 logging Command Parameters. Enables the transmission of syslog messages to all output locations. You can disable sending syslog messages with the no logging on command. Allows you to disable specific syslog messages. Use the logging message message_number command to resume logging of...

Configuring the ASDM to View Logging

The ASDM Log panel, shown in Figure 10-1, allows you to view syslog messages that are captured in the ASDM Log buffer in the Security Appliance memory. You may select the level of syslog messages you want to view. When you view the ASDM Log, all the buffered syslog messages at and below the logging level you choose are displayed. The ASDM logging panel has the following fields: Logging...

Configuring the Central PIX Firewall HQPIX for VPN Tunneling

Both remote sites connect to the Reston location using VPN tunneling. The VPN protects the traffic coming from the remote sites. The following steps define the VPN characteristics on HQ-PIX: Step 1: Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy. Step 2: Configure a preshared key and associate it with the peers (Houston and Minneapolis): isakmp key C2 ghi address 192.168.3.2; isakmp key B2 def address 192.168.2.2. Step 3: Configure the supported IPSec transforms...

Configuring the Cisco Security Appliance to Send Syslog Messages to a Log Server

Configuring a Security Appliance to send logging information to a server helps you collect and maintain data that can later be used for forensic and data traffic analysis. The Security Appliance syslog messages are usually sent to a syslog server or servers. The Security Appliance uses UDP port 514 by default to send syslog messages to a syslog server. The syntax for configuring the Security Appliance Firewall to send syslog messages to a syslog server is as follows Pixfirewall(config) Logging...

Configuring the Houston PIX Firewall Houpix for VPN Tunneling

Similar to configuring the VPN characteristics on HQ-PIX, you also must define the VPN characteristics at each of the remote sites. The following steps outline the commands necessary to define the VPN characteristics on HOU-PIX at the Houston remote site Step 1 Configure an ISAKMP policy isakmp enable outside isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 1000 Step 2 Configure a preshared key...

Configuring the Minneapolis PIX Firewall MNPIX for VPN Tunneling

Similar to configuring the VPN characteristics on HQ-PIX, you also must define the VPN characteristics at each of the remote sites. The following steps outline the commands necessary to define the VPN characteristics on MN-PIX at the Minneapolis remote site isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 lifetime 1000 Step 2 Configure a preshared key and associate it with the peer (HQ-PIX) isakmp key A1 abc address 192.168.1.2 Step 3 Configure the...

Configuring the Security Appliance DHCP Client

DHCP client support on the Cisco Security appliance is designed for use in SOHO environments in which digital subscriber line (DSL) and cable modems are used. The DHCP client can be enabled only on the outside interface of the Security Appliance. When the DHCP client is enabled, DHCP servers on the outside provide the outside interface with an IP address. NOTE The DHCP client does not support failover configuration. The DHCP client feature on a Security Appliance is enabled by the ip address...

Configuring the Security Appliance DHCP Server

Configuring the Security Appliance to operate as a DHCP server involves the following tasks Configuring the address pool Specifying WINS, DNS, and the domain name Configuring the DHCP options Configuring the DHCP lease length NOTE Configuring the Security Appliance to serve as a DHCP server also requires you to assign a static IP address to the inside interface. This is one of the basic configuration tasks when setting up your Security Appliance. A DHCP server needs to know which addresses it...

Configuring Transparent Mode

With the release of Security software version 7.0, a Security Appliance can run as a Layer 2 firewall. Standard firewalls act in a similar fashion as a router, routing packets through the firewall instead of switching them. This creates an extra hop in the IP path that a user can detect. With transparent firewall enabled, the Security Appliance will act as a Layer 2 filtering bridge, switching the packets instead of routing them, and the user will not see an additional hop within the IP path....

Configuring VPDN Group Authentication

Your ISP may require you to use authentication with PPPoE. The Security Appliance PPPoE Client supports the following authentication protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) To define the authentication protocol for the PPPoE client, you use the following command vpdn group group-name ppp authentication pap chap mschap NOTE ISPs that use CHAP or MS-CHAP may refer to the...

Contents

How to Best Use This Chapter 3 Do I Know This Already Quiz 3 Foundation and Supplemental Topics 7 Overview of Network Security 7 Vulnerabilities, Threats, and Attacks 8 Vulnerabilities 8 Threats 8 Types of Attacks 8 Reconnaissance Attacks 9 Access Attacks 10 DoS Attacks 11 Security Policies 11 Step 1 Secure 12 Step 2 Monitor 13 Step 3 Test 13 Step 4 Improve 13 Network Security as a Legal Issue 13 Defense in Depth 14 Cisco AVVID and Cisco SAFE 14 Cisco AVVID 14 Cisco SAFE 16 Foundation Summary...

Contents at a Glance

Firewall Technologies and the Cisco Security Appliance 23 Understanding Cisco Security Appliance Translation and Connection 109 Getting Started with the Cisco Security Appliance Family of Firewalls 137 Configuring Access 177 Modular Policy Framework 199 Security Contexts 223 Syslog and the Cisco Security Appliance 247 Routing and the Cisco Security Appliance 269 Cisco Security Appliance Failover 303 Adaptive Security Device Manager 453 Content Filtering on the Cisco Security Appliance 497...

Creating a Boothelper Disk Using a Windows PC

The boothelper disk, as described earlier in this chapter, provides assistance for Cisco PIX Firewall models 510 and 520 running PIX software version 5.0(x) or version 4.x to be upgraded to a newer version Step 1 Go to the Cisco website and download the rawrite.exe utility, which you use to write the PIX Firewall binary image to a floppy disk (you must have a Cisco.com account to do this). Step 2 Download the PIX Firewall binary image (.bin file) that corresponds to the software version to...

Cut Through Proxy

The cut-through proxy feature on a Cisco Security Appliance provides significantly better performance than application proxy firewalls because it completes user authentication at the application layer, verifies authorization against the security policy, and then opens the connection as authorized by the security policy. Subsequent traffic for this connection is no longer handled at the application layer but is statefully inspected, providing significant performance benefits over proxy-based...

D

Data compression, Easy VPN Remote, 421 DDoS (distributed denial of service) attacks, 11 debug aaa accounting command, 579 debug aaa authentication command, 578 debug aaa authorization command, 579 debug command, troubleshooting VPNs, 358-360 debug igmp command, 297 debug radius command, 580 debug tacacs command, 580 DHCP server on Cisco Security Appliance, 445-446 multicast configuration, 296 default routes, 279 default-inspection-traffic command, 206 defense in depth, 14 defining class map...

Dbanner login enter the enable password

Why would you want authentication enabled between the PIX and the NTP server a. To ensure that the PIX does synchronize with an unauthorized NTP server b. To maintain the integrity of the communication c. To increase the speed of communication 7. How do you access the enable mode a. Enter the enable command and the enable password. b. Enter the privilege command and the privilege password. c. Enter the super-secret password. d. Enter only the command privilege. 8. How do you view the current...

Debug Command

The debug command lets you watch the VPN negotiation take place. This command is available only from configuration mode on the PIX and will not display any output in a Telnet session. Table 13-8 explains the two debug commands most commonly used to troubleshoot VPN connectivity. Displays IKE communication between the PIX and its IPSec peers Displays IPSec communication between the PIX and its IPSec peers Example 13-8 displays the output from the debug crypto isakmp command on the PIX Firewall...

Defense in Depth

Defense in depth refers to implementing multiple layers of security to mitigate potential threats. Cisco has two specific programs to address defense in depth: Cisco AVVID and Cisco SAFE. Cisco AVVID: AVVID is the Cisco Architecture for Voice, Video, and Integrated Data. Cisco AVVID is an open architecture that is used by Cisco partners to develop various solutions. Cisco AVVID solutions provide the following benefits: Equipment and link redundancy

Define a Group Policy for Mode Configuration Push

When remote VPN clients connect to HQ-PIX, the firewall must push certain configuration information to them. You configure these parameters using the vpngroup command B 42Dd 10.200.10.35 10.100.10.25 dukem.com vpn-pool 10 NOTE You also need to configure the VPN client software on the remote user PCs. This configuration involves identifying the IP address of HQ-PIX and indicating the VPN group name (remote-users) and group password (B 42Dd).

Deleting Contexts

There are two aspects to deleting contexts. To delete a single context, use the no context command in global configuration mode. This will remove the named context from the running configuration. Remember to save the running configuration to the start-up configuration to make the change permanent. To remove all currently configured contexts on a Security Appliance, use the clear configure context command in global configuration mode. Both the clear configure context and no context commands...

Description: A description of the access list

ACL Definitions: The text of the command. This should use the same format as the command used on the Security Appliance Firewall, except for the access list name and the fact that there is no requirement for the keyword access-list. It also is not necessary to add the access list to an access group. This is done automatically when the ACL is downloaded to the Security Appliance Firewall. Figure 18-21 shows a downloadable ACL configured to allow outbound access to Figure 18-21 Creating a...

Device Administration

The ASDM gives you a single location where you can manage the basic parameters of the Security Appliance. The Device Administration tab, shown in Figure 15-17, can set the basic parameters for the Security Appliance, such as passwords, user accounts, banners, system access, and so on. While in this tab, the administrator can also generate and manage certificates. Figure 15-17 Device Administration Tab on ASDM

Diffie Hellman group

As soon as the IKE SA negotiation is complete, the established SA is bidirectional. The phase 2 negotiations establish unidirectional SAs between two IPSec peers. The SAs determine the keying, protocols, and algorithms to be used between the peers. Two primary security protocols are included as part of the IPSec standard supported by the Cisco Security Appliance Encapsulating Security Payload (ESP) ESP provides data authentication, encryption, and antireplay services. ESP is protocol number 50...

DNS

This makes DNS queries subject to generic UDP handling based on activity timeouts. DNS, therefore, requires application inspection. As soon as the first response is received for a DNS query, the UDP connection is terminated. This is known as DNS guard and is discussed further in Chapter 19, IPS and Advanced Protocol Handling. The DNS inspection task includes the following Compares the ID of the DNS reply to the ID of the DNS query. Translates the DNS A record....

Do I Know This Already

What differentiates Modular Policy Framework from classic policy maps Answer A Modular Policy Framework (MPF) gives the security administrator the tools to segment traffic flows into traffic classes and to assign one or more actions to each traffic class. Traditional policy maps only allowed actions to be assigned to the total traffic flow on the Security Appliance, whereas with an MPF, HTTP traffic can have a policy separate from H.323 or ICMP. 2. What are the three parts to an MPF and what do...

Do I Know This Already Quiz

The purpose of the Do I Know This Already quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The ten-question quiz, derived from the major sections in the Foundation and Supplemental Topics portion of the chapter, helps you determine how to spend your limited study time. Table 1-1 outlines the major topics discussed in this chapter and the Do I Know This Already...

Do I Know This Already Quiz 1 d

What is the difference between TCP and UDP Answer TCP is a connection-oriented protocol, and UDP is a connectionless protocol. 2. What is the default security for traffic origination on the inside network segment going to the outside network Answer By default, traffic is permitted from the inside (higher security level) to the outside (lower security level) network as long as the appropriate nat global static command has been configured. 3. True or false You can have multiple translations in a...

Domain Name Inspection

To understand the DNS attack protection provided by Cisco Security Appliance, it helps to understand how DNS can be exploited to cause a DoS attack. DNS queries are sent from the attacker to each of the DNS servers. These queries contain the target's spoofed address. The DNS servers respond to the small query with a large response. These responses are routed to the target, causing link congestion and possible denial of Internet connectivity. The port assignment for DNS cannot be configured on...

Dshow tcp active

Why is it difficult to penetrate the Security Appliance over UDP port 53 a. The Security Appliance allows multiple outbound queries but randomizes the UDP sequence numbers. b. The Security Appliance allows queries to go out to multiple DNS servers but drops all but the first response. c. The Security Appliance allows responses only to outbound DNS queries. 10. How many connections can you hide behind a single global address The answers to the Do I Know This Already quiz are found in Appendix A,...

Dynamic Host Configuration Protocol Server Configuration

DHCP provides automatic allocation of reusable network addresses on a Transmission Control Protocol Internet Protocol (TCP IP) network. Without DHCP, IP addresses must be manually entered on each computer or device that is connected to the network. Automatic allocation dramatically reduces administration and user error. DHCP can also distribute other configuration parameters such as DNS and WINS server addresses and domain names. The system requesting an IP address and configuration parameters...

Dynamic Routes

Besides creating static routes manually, the Cisco Security Appliance also supports some dynamic routing functionality. Dynamic routes are created based on routing protocols that automatically add entries into the Security Appliance's routing table. The Security Appliance supports the following two different routing protocols, but only one can be active on a single Security Appliance The Security Appliance can learn new routes based on the RIP routing broadcasts, but the Security Appliance does...

Easy VPN Remote Connection Process

When the Easy VPN Remote Client initiates a connection with the Easy VPN Server gateway, the interaction between the peers involves the following major steps Step 1 VPN Client initiates the IKE phase 1 process. Step 2 VPN Client negotiates an IKE SA. Step 3 Easy VPN Server accepts the SA proposal. Step 4 Easy VPN Server initiates a username password challenge. Step 5 Mode configuration process is initiated. Step 6 IKE quick mode completes the connection. Step 1 VPN Client Initiates IKE Phase 1...

Easy VPN Remote Feature

The Easy VPN Remote feature enables Security Appliances, Cisco VPN 3002 Hardware Clients, Cisco VPN Software Clients, and certain Cisco IOS routers to act as remote VPN clients. The Easy VPN Server can push security policies to these clients, thus minimizing VPN configuration requirements at remote locations. This cost-effective solution is ideal for remote offices with little information technology (IT) support as well as large deployments where it is impractical to configure individual remote...

Easy VPN Server

The Easy VPN Server enables Cisco IOS routers, Security Appliances, and Cisco VPN 3000 Series concentrators to serve as VPN headend devices when remote offices are running the Easy VPN Remote feature. The configuration works for both site-to-site and remote access configurations. With Cisco Easy VPN, security policies defined at the headend are pushed to the remote VPN device, ensuring that the connection has up-to-date policies in place before the connection is established. Mobile workers...

Enabling the Point-to-Point over Ethernet Client

By default, the PPPoE client on the Security Appliance is disabled. Use the following command to enable the PPPoE client ip address interface-name pppoe setroute You also can enable PPPoE by manually entering the IP address using the following command ip address interface-name ip-address netmask pppoe setroute This command causes the Security Appliance to use the specified IP address instead of negotiating with the PPPoE server to assign an address dynamically. The parameters for the ip address...

Enabling Transparent Mode

When you decide to enable transparent mode, ensure that your configuration has been backed up. When this feature is enabled, it will clear the current configuration to avoid any command conflicts that may exist with the currently deployed configuration. To enable transparent mode, use the firewall transparent command in the global configuration mode. If you are using multiple contexts, you must execute this command in the system configuration mode, which will affect all configured contexts. Use...

Extended Authentication Configuration

XAUTH enables the Easy VPN Server to require username password authentication in order to establish the VPN connection. This authentication is performed by an AAA server. To configure the Easy VPN Server to use XAUTH for remote VPN clients, you must set up the Easy VPN Server and configure it to perform XAUTH. The complete configuration process involves performing the following tasks Create an Internet Security Association and Key Management Protocol (ISAKMP) policy for remote Cisco VPN Client...

Failover Monitoring

The failover feature in the Cisco Security Appliance monitors failover communication, the power status of the other unit, and hello packets received at each interface. If two consecutive hello packets are not received within an amount of time determined by the failover feature, failover starts testing the interfaces to determine which unit has failed and transfers active control to the standby unit. At this point, the active LED on the front of the standby Security Appliance lights up and the...

Filtering ActiveX Objects

The filter activex command filters out ActiveX objects and other HTML <OBJECT> usages from inbound packets. These controls include custom forms, calendars, and extensive third-party forms for gathering or displaying information. The syntax for filtering ActiveX objects is as follows filter activex port local-ip local-mask foreign-ip foreign-mask Note that if the <OBJECT> and </OBJECT> HTML tags split across network packets or if the code in the tags is longer than the number of...

Filtering ActiveX Objects and Java Applets

ActiveX objects and Java applets are designed to make the browsing experience more interactive. Based on the Component Object Model (COM), ActiveX objects are written for a specific platform of Microsoft Windows. When the user displays a page containing ActiveX or Java, the browser downloads the control dynamically. ActiveX objects are native programs, so they can do all the things that local programs can do. For example, they can read and write to the hard drive, execute programs, perform...

Filtering Long URLs

Cisco Security Appliance supports filtering URLs up to 6000 bytes for the Websense URL-filtering server. The default is 2000 bytes. In addition, Cisco Security Appliance supports the longurl-truncate and cgi-truncate parameters to allow handling of URL requests longer than the maximum permitted size. The format for these options is as follows filter url http port -port local-ip local-mask foreign-ip foreign-mask allow proxy-block longurl-truncate longurl-deny cgi-truncate Table 16-4 identifies...

Firewall Technologies

To understand the different firewall technologies, you first need to have a good understanding of the Open System Interconnection (OSI) reference model. The seven-layer OSI reference model is the standard for network communication and is the foundation upon which each firewall technology was built. The lower four layers of the OSI reference model are generally considered to be the layers that deal with networking, whereas the upper three layers deal more with application functions. Firewalls...