Do I Know This Already Quiz

The purpose of the Do I Know This Already quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The eleven-question quiz, derived from the major sections in the Foundation Topics portion of the chapter, helps you determine how to spend your limited study time. Table 12-1 outlines the major topics discussed in this chapter and the Do I Know This Already quiz questions...

Viewing Accounting Information in Cisco Secure

Now that the Cisco Security Appliance is configured to perform accounting, you need to ensure that the Cisco Secure ACS is properly configured to log the events. Select System Configuration in the navigation panel to open the System Configuration window, shown in Figure 18-14. Then click the Logging link in the Select pane and check off the log format and the items you want to log (see Figure 18-15). Logs can be saved in CSV (flat file) or ODBC (database) format. Figure 18-14 Cisco Secure...

Configuring URLs and File Servers

Using the WebVPN home page is useful only if the end user can access resources. Internal websites and Active Directory file servers are some of the more frequently accessed resources in an enterprise network. A security administrator might not want end users to have equal access to internal websites or file servers, especially to confidential documents and information. WebVPN resolves this with the ability to configure access to internal websites and file servers on a per-user or per-group...

Installing a New Operating System

Installing a new operating system (OS) on a Cisco Security Appliance is similar in some respects to installing a new OS on your PC. You must consider fundamental questions such as whether you have enough memory and disk space (Flash size for Security Appliance) when deciding whether to upgrade the operating system. Table 4-4 shows the random-access memory (RAM) and Flash memory requirements for the different versions and releases of the Cisco Security Appliance OS prior to version 7.0. Table...

Access Lists

An access list typically consists of multiple access control entries (ACEs) organized internally by the Security Appliance as a linked list. When a packet is subjected to access list control, the Cisco Security Appliance searches this linked list linearly to find a matching element. The matching element is then examined to determine whether the packet is to be transmitted or dropped. By default, all access-list commands have an implicit deny unless you explicitly specify permit. In other words, by...

Configuring Login Banners on the Cisco Security Appliance

PIX Firewall version 6.3 introduced support for message-of-the-day (MOTD), EXEC, and login banners, similar to the feature included in Cisco IOS Software. Banner size is limited only by available system memory or Flash memory. You can create a message as a warning against unauthorized use of the firewall. In some jurisdictions, civil and/or criminal prosecution of crackers who break into your system is made easier if you have incorporated a warning banner that informs unauthorized users that their...

Active-Active Failover

Prior to version 7.0, a security administrator could only have one Security Appliance actively passing user traffic, while keeping a second Security Appliance in standby mode, only to be activated during a failure. With active-active failover, both Security Appliances are active and passing user traffic, while still acting as standby Security Appliances for each other. This feature can only be used in conjunction with virtual firewall contexts. To enable active-active failover, create two...

Step 3 Configuring IPSec Security Association Lifetimes

To preclude any opportunity to gather sufficient network traffic using a single encryption key, it is important to limit the key lifetime. This forces a key exchange, changing the encryption scheme and greatly reducing the possibility of cracking the key. Technology continues to advance, producing computers that can break code at faster rates. However, these systems require a certain amount of traffic encrypted under a single key. The idea is to change encryption keys before any system can...

Assigning Interfaces to a Context

Each context can be allocated a number of interfaces that have been enabled in the system configuration mode. Assigned interfaces are given a mapped name that the context's configuration file references for policies and network settings specific to the context. The interfaces can be physical or logical, including subinterfaces. To assign one or more interfaces to a security context, use the allocate-interface command:

allocate-interface physical_interface map_name [visible | invisible]...

Cisco VPN Client Manual Configuration Tasks

When using the Cisco VPN Software Client, the Easy VPN Server can push the VPN policy to help facilitate the management of the client systems. Initially, however, you still need to install the Cisco VPN Software Client on the remote system. This manual process involves the following tasks:

Installing the Cisco VPN Software Client
Creating a new connection entry
Modifying VPN Client options (optional)

Installing the Cisco VPN Software Client

Installation of the Cisco VPN Software Client varies...

Cisco PIX 515E

The Cisco PIX 515E Firewall was designed for small- to medium-size businesses. The PIX 515E is the smallest firewall of the PIX family that is designed to be rack-mountable and is a standard 1U (1.75-inch) configuration. It has a 433-MHz processor, 32 MB or 64 MB of RAM, and 16 MB of Flash memory. It has two fixed 10/100 Ethernet interfaces that have a default configuration of outside (Ethernet 0) and inside (Ethernet 1) and contains two PCI slots for the installation of up to four additional...

About the Technical Reviewers

CISSP-ISSAP, CCNP, CCDP, CSSP, is president and principal consultant for SecureNet Consulting, LLC, an information security consulting firm in Fort Worth, Texas, specializing in vulnerability assessments, penetration testing, and the design and implementation of secure network infrastructures. Mr. Chapman divides his time between teaching Cisco security courses and writing about network security issues. He is a senior member of the IEEE. Kevin Hofstra, CCIE No. 14619, CCNP,...

How the Configuration Lines Interact

Figure 13-11 shows the completed configuration for Los Angeles, with a brief explanation for each entry. Note that each entry is connected to one or more other entries on the right. This diagram depicts how the lines of the configuration are dependent on each other. Keep this in mind when trying to troubleshoot a VPN configuration. It might help you to find which line is missing or incorrectly configured.

Figure 13-11 LA Configuration with Comments

PIX Version 6.2(2)
nameif ethernet0 outside...

Completed PIX Configurations

To reduce confusion, it is a good idea to use a common naming convention when creating access lists, transforms, and crypto maps. Example 13-18 shows the completed configuration for the Los Angeles headquarters.

Example 13-18 Completed Configuration for Los Angeles

4. nameif ethernet0 outside security0
5. nameif ethernet1 inside security100
6. nameif ethernet2 DMZ security70
7. enable password HtmvK15kjhtlyfvcl encrypted
8. passwd Kkjhlkf1568Hke encrypted
10. domain-name www.Chapter11.com
...

AIP-SSM Module

The Cisco ASA Security Appliance series supports the Advanced Inspection and Protection Security Service Module (AIP-SSM). The AIP-SSM comes in two modules: the AIP-SSM-10 and the AIP-SSM-20. Both modules function the same way, support the same features, and look identical. The only difference between the two modules is the processor speed and memory size of the AIP-SSM-20, which is faster and larger than that of the AIP-SSM-10. The AIP-SSM uses two physical channels to communicate with the...

Using ASDM to Create a Site-to-Site VPN

The following steps and corresponding figures show a sample site-to-site VPN configuration using the VPN Wizard on ASDM.

Step 1 Select the VPN Wizard from the Wizards drop-down menu, as shown in Figure 15-20, to start the VPN Wizard.

Figure 15-20 ASDM with VPN Wizard Selected

Step 2 Select the site-to-site radio button, as shown in Figure 15-21, to create a site-to-site VPN configuration. This configuration is used between two IPSec security...

Cisco Security Appliance System Clock

The second method of configuring the time setting on the Security Appliance is to use the system clock. The system clock is usually set when you answer the initial setup interview questions while configuring a new Cisco Security Appliance. You can change it later using the clock set command:

clock set hh:mm:ss month day year

Three characters are used for the month parameter. The year is a four-digit number. For example, to set the time and date to 17:51 and 20 seconds on April 9, 2003,...

Figure 13-10 VPN Network Layout

The three locations have all provided their current PIX configurations, but each has a significant amount of information missing. It is your responsibility to complete each of the configurations and ensure that they are correct. Example 13-15 shows the configuration for the corporate headquarters in Los Angeles.

Example 13-15 PIX Configuration for Los Angeles

4. nameif ethernet0 outside security0
5. nameif ethernet1 inside security100
6. nameif ethernet2 DMZ security70
7. enable password...

What Is Wrong with This Picture?

Now that you have successfully gone through the configuration scenarios in the previous sections, this section focuses on problem solving after or during an implementation of the Cisco PIX Firewall. Examples 20-9 through 20-11 show the configuration of three PIX Firewalls for this exercise.

Example 20-9 Atlanta PIX Firewall Configuration

9. ip address 10.10.3.1 255.255.255.0
15. ip address 192.168.3.1 255.255.255.0
21. ip address 172.16.3.1 255.255.255.0
22. enable password ksjfglkasglc encrypted...