
PPPoE

PPPoE (see RFC 2516) provides an authenticated method for assigning IP addresses to client systems by combining two widely accepted standards: Point-to-Point Protocol (PPP) and Ethernet. PPP provides an authenticated, reliable mechanism to transport multiprotocol datagrams over point-to-point links. It has been used reliably for many years to transmit data from dialup clients across modem-based connections. PPPoE is composed of two main phases; PPPoE connects a...

AAA and the Cisco Security Appliance

So how does the Security Appliance factor into the AAA equation? Any user who requests access or a service that is configured for authentication, and whose traffic goes through the Security Appliance, is prompted by the firewall for a username and password. If the Security Appliance has a local database configured for user authentication, it matches this user information against that database and permits or denies access. In a Security Appliance, the local database can be used only for console authorization...

AAA Rules

Complicated configurations such as AAA have been made significantly more intuitive and easier with the AAA Rules window. The AAA Rules window, shown in Figure 15-9, allows you to define the authentication, authorization, and accounting rules for the Security Appliance. AAA systems are designed to track which users can access the Security Appliance, what permissions each user is granted, and what that user did while connected to the Security Appliance. A rule can be added through the Add button...

AAA server

Network access server (NAS). It is possible to divide the AAA functions among multiple devices to reduce the processing required by any single server. It is also possible for a single AAA server to support multiple NASs. The point is that there is no single solution: the number of AAA servers and NASs should be tailored to the size and scope of the network being accessed. Configuring the Security Appliance to connect to an AAA server requires only a few commands. Of course, quite a few...

Access Modes

The Cisco Security Appliance family of firewalls contains a command set based on Cisco IOS Software technologies that provides three administrative access modes. Unprivileged mode is available when you first access the Security Appliance through the console or Telnet. It displays the > prompt. This mode lets you view only restricted settings. You access privileged mode by entering the enable command and the enable password. The prompt then changes from > to #. In this mode, you can change a few...

Access Rules

The Access Rules window, shown in Figure 15-8, gives the security administrator a place to add or modify an access-list rule for the Security Appliance. This window combines the concepts of access lists, outbound lists, and conduits to describe how a specific host or network interacts with another host or network, permitting or denying a specific service and/or protocol. Clicking the Add or Edit button opens a new window, shown in Figure 15-8, which allows you to configure or modify an...

Accessing a Cisco Security Appliance with Telnet

You can manage the Security Appliance by using Telnet from hosts on any internal interface. With Internet Protocol Security (IPSec) configured, you can use Telnet to administer the console of a Cisco Security Appliance remotely from lower-security interfaces; Telnet carries the password in clear text, so it should never be permitted from a lower-security interface without IPSec. To access the Security Appliance using a Telnet connection, you first have to configure the PIX Firewall for Telnet access. Step 1 Enter the PIX Firewall telnet command: telnet local-ip [mask] [if-name]. You can identify a single host or a subnet...

Accessing Cisco Security Appliance

A Security Appliance can be accessed by using the console port or remotely using Telnet, SSH, or a browser running Cisco Adaptive Security Device Manager (ASDM). Console port access allows a single user to configure the Security Appliance. A user connects a PC or portable computer to the Security Appliance through the console access port using a rollover cable. The following sections describe how to access the Security Appliance remotely using Telnet and SSH. Chapter 15, Adaptive Security Device Manager,...

Accessing the Cisco Security Appliance with Secure Shell

Secure Shell (SSH) is an application that runs over Transmission Control Protocol (TCP). SSH provides strong authentication and encryption capabilities. Cisco Security Appliances support the SSH remote shell functionality provided in SSH version 1. SSH version 1 also works with Cisco IOS Software devices. Note that SSH version 1 has known protocol weaknesses; where the software image supports it (7.0 does), configure SSH version 2 instead. Up to five SSH clients are allowed simultaneous access to the PIX Firewall console. To gain access to the Security Appliance console using SSH, at the SSH client, enter the username as pix and...
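The Telnet and SSH steps above, collected into one management-access configuration. This is an added example, not from the book; the hostname, domain name, passwords and the 10.1.1.0/24 management subnet are placeholders, and the command forms are the 7.0-era syntax (6.x generates the RSA key with ca generate rsa key instead).

```cisco
! Added example (not from the book). Names, passwords and 10.1.1.0/24 are placeholders.
hostname FW1
domain-name example.com
! Password used for both Telnet and SSH logins (SSH username is pix).
passwd S3cureT3lnetPw
! Telnet only from the inside management subnet; it sends the password in clear text,
! so do not open it on a lower-security interface unless the session rides inside IPSec.
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
! SSH needs an RSA key pair; the hostname and domain-name above are part of the key name.
crypto key generate rsa modulus 1024
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 10
! The book describes SSH version 1; 7.0 images also accept version 2, which is the one to use.
ssh version 2
! Verify who may connect and which sessions are open:
! show running-config ssh
! show ssh sessions
```

Restricting both commands to a specific subnet and interface is what keeps an exposed management plane off the outside interface; the telnet timeout and ssh timeout values bound how long an idle, already-authenticated session stays usable.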

Accounting: Maintains a record of user access

Cisco Security Appliance version 6.2 can maintain an internal user database for console authentication and command authorization, or connect to an external AAA server. The Security Appliance supports RADIUS, TACACS+, SDI, NT, Kerberos, and LDAP authentication technologies. Figure 17-20 shows the steps that the AAA server takes during the entire AAA process. Step 1 The user initiates a connection to the web server and is prompted for a username and password. Step 5 The firewall allows the connection. Step 5 The...
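The "few commands" that the AAA server entry refers to, together with a cut-through-proxy rule of the kind described under AAA and the Cisco Security Appliance, as one configuration. This is an added example, not from the book; the server address, shared key, group name, user subnet and passwords are placeholders, and the aaa-server syntax is the 7.0 form (6.x puts the key and timeout on the host line).

```cisco
! Added example (not from the book). Addresses, keys and names are placeholders (7.0 syntax).
! 1. Server group and one TACACS+ server in it.
aaa-server CORP_TACACS protocol tacacs+
aaa-server CORP_TACACS (inside) host 10.1.1.10
 key T@cacsSharedKey
 timeout 10
! 2. Cut-through proxy: inside users opening HTTP, FTP or Telnet through the firewall
!    are challenged by the firewall before the connection is built.
access-list AUTH_USERS extended permit tcp 10.1.2.0 255.255.255.0 any eq www
access-list AUTH_USERS extended permit tcp 10.1.2.0 255.255.255.0 any eq ftp
access-list AUTH_USERS extended permit tcp 10.1.2.0 255.255.255.0 any eq telnet
aaa authentication match AUTH_USERS inside CORP_TACACS
aaa authorization match AUTH_USERS inside CORP_TACACS
aaa accounting match AUTH_USERS inside CORP_TACACS
! 3. Administrative access checked against the same group, with LOCAL as fallback so a
!    dead TACACS+ server cannot lock every administrator out.
username admin password Adm1nPw privilege 15
aaa authentication serial console CORP_TACACS LOCAL
aaa authentication ssh console CORP_TACACS LOCAL
aaa authentication enable console CORP_TACACS LOCAL
! Verify:
! show aaa-server
! show running-config aaa
```

The LOCAL keyword is the practitioner's safety net: without it, an unreachable server means no console, no SSH and no enable. The authorization and accounting rules reuse the authentication ACL, so the set of traffic that is challenged, authorized and accounted for stays identical.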

Acknowledgments

I'd like to thank David Kim and the SEI team for the opportunity to write this book. Thanks to David Chapman, Kevin Hofstra, and Bill Thomas for keeping me straight when it came to deciphering the labyrinth of technical specifics. A big thank you goes out to the production team for this book. Brett Bartow, Christopher Cleveland, and San Dee Phillips have been a pleasure to work with and incredibly professional. I couldn't have asked for a finer team. Finally, I would like to thank my wife for...

ACL Logging

The ACL logging feature lets you log the number of permits or denies of a flow during a specific period of time. A flow is defined by protocol, source IP address, source port, destination IP address, and destination port. When a flow is permitted or denied, the system checks to see if the flow already exists in the system. If not, an initial syslog message with a hit count of 1 for the flow is generated. The flow entry is then created and the hit count for the flow is incremented every time the...
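The flow-based logging described above, applied to an inbound access list of the kind the Access Rules window creates. This is an added example, not from the book; the DMZ host, collector address and interval are placeholders.

```cisco
! Added example (not from the book). Addresses, names and intervals are placeholders.
! Deny inbound Telnet to a DMZ host and log the flow at severity 4 (warnings),
! summarising the hit count every 300 seconds instead of one message per packet.
access-list OUTSIDE_IN extended deny tcp any host 192.168.10.5 eq telnet log 4 interval 300
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.5 eq www
! "log" alone uses the default level (6, informational); "log disable" silences that
! entry; without the keyword a denied packet produces only the per-packet 106023 message.
access-group OUTSIDE_IN in interface outside
! Bound the deny-flow cache so a flood of distinct 5-tuples cannot exhaust memory;
! reaching the limit raises 106101 once per alert interval instead of per flow.
access-list deny-flow-max 4096
access-list alert-interval 300
! Ship the 106100 flow messages (they carry the hit count) to a collector. The trap
! level must be at or below the level given on the log keyword or nothing is sent.
logging enable
logging trap warnings
logging host inside 10.1.1.20
! Per-entry hit counters for a quick check without a collector:
! show access-list OUTSIDE_IN
```

The interval is the trade-off to think about: a long interval keeps syslog volume down during a scan, but it also delays the summary message, so an analyst watching the collector sees the first packet of a flow immediately and the rest only at the next interval boundary.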

Adaptive Security Algorithm

The Adaptive Security Algorithm (ASA) is the key to stateful connection control on the Cisco Security Appliance. The ASA creates a stateful session flow table (also called the state table). Source and destination addresses and other connection information are logged in to the state table. By using the ASA, the Cisco Security Appliance can perform stateful filtering on the connections in addition to filtering packets. Additionally, the ASA generates random TCP sequence numbers for outbound...

Adaptive Security Device Manager

Cisco Adaptive Security Device Manager (ASDM) is a secure, graphical configuration tool that is designed to help you configure and monitor your Cisco Security Appliance graphically, without requiring you to have extensive knowledge of the Cisco Security Appliance command-line interface (CLI). The Cisco ASDM can be implemented by either a browser or a standalone application installed on the host. This chapter begins with an overview of ASDM and the workstation requirements needed to run ASDM,...

Address Translation

The current Internet Protocol standard being used is version 4 (IPv4). IPv4 addresses consist of 32 bits, which represents approximately 4 billion individual IP addresses. This seems like a tremendous number of addresses, but the Internet continues to grow at an incredible rate, and with the current standard, available addresses will run out. Two solutions are being implemented to help conserve the public address space or increase the number of available public addresses. The first is Internet...
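The translation types this section introduces, as one configuration on a three-interface firewall. This is an added example, not from the book; the private networks, the 203.0.113.0/24 public addresses and the interface names are placeholders.

```cisco
! Added example (not from the book). Networks, public addresses and names are placeholders.
! Dynamic NAT: inside hosts share a pool of public addresses (NAT ID 1).
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0
! PAT fallback with the same NAT ID: once the pool is exhausted, further hosts are
! port-translated behind the outside interface address.
global (outside) 1 interface
! Static NAT: a DMZ web server gets a fixed, reachable public address.
static (dmz,outside) 203.0.113.50 192.168.10.5 netmask 255.255.255.255
! The translation alone permits nothing; an inbound rule is still required.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.50 eq www
access-group OUTSIDE_IN in interface outside
! Identity translation: inside hosts keep their real addresses toward the DMZ.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
! Inspect the translation tables:
! show xlate
! show conn
```

The pair of global statements under NAT ID 1 is the pattern to remember: the pool is tried first and interface PAT only absorbs the overflow, so a pool that is too small fails soft instead of dropping new sessions.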

Administration Context

Security Appliances with multiple security contexts enabled use a special context to manage the system interfaces, as well as all other contexts contained on the firewall. As described previously, the admin context is created by the Security Appliance when enabled in multiple security context and uses the admin.cfg file to store the admin context configuration. Unlike in single mode, where the system configuration controls the network resources, in multiple-security context mode, the admin...
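The admin context and a second customer context, configured from the system execution space. This is an added example, not from the book; the context names, interfaces, VLAN IDs and file names are placeholders.

```cisco
! Added example (not from the book). Context names, interfaces, VLANs and files are placeholders.
! Switch to multiple mode. The appliance creates the admin context and writes its
! configuration to admin.cfg; the system configuration stays in the startup-config.
mode multiple
! System space: subinterfaces are created here, then handed to contexts.
interface Ethernet2.10
 vlan 10
interface Ethernet2.20
 vlan 20
! Declare which context administers the whole box.
admin-context admin
context admin
 allocate-interface Ethernet0
 allocate-interface Ethernet1
 config-url flash:/admin.cfg
! A customer context sees only the interfaces allocated to it.
context customerA
 allocate-interface Ethernet2.10
 allocate-interface Ethernet2.20
 config-url flash:/customerA.cfg
! Enter a context to configure it, and return to the system space.
changeto context customerA
changeto system
! show mode
! show context
```

Because a login to the admin context can reach every other context, treat its allocated interfaces as the management plane: put them on a dedicated network and apply the same Telnet and SSH restrictions you would on a single-mode firewall.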

Advanced Protocol Handling

Some applications require special handling by the Cisco Security Appliance application inspection function. These types of applications typically embed IP addressing information in the user data packet or open secondary channels on dynamically assigned ports. The application inspection function works with NAT to help identify the location of embedded addressing information. In addition to identifying embedded addressing information, the application inspection function monitors sessions to...

Application Inspection

Hackers use several methods to cause network service disruption. Denial of service (DoS) is a popular way of causing network disruption. The Cisco Security Appliance has some attack mitigation features to combat some of the following attacks: File Transfer Protocol (FTP) attacks, Hypertext Transfer Protocol (HTTP) attacks, Domain Name System (DNS) attacks, Simple Mail Transfer Protocol (SMTP)-based attacks, Internet Control Message Protocol (ICMP) flooding and spoofing attacks, remote shell...

Application Inspection Support for Voice over IP

The steady growth of voice over IP (VoIP) technology has also seen the development of new standards. IP phones and devices, unlike their regular phone counterparts, are not fixed to a specific switch device, so they must contain processors that enable them to function and be intelligent on their own, independent from a central switching location. Regular phones are relatively inexpensive because they do not need to be complex they are fixed to a specific switch at a central switching location....
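The inspection engines behind Advanced Protocol Handling, Application Inspection and the VoIP section, enabled through a global policy and then extended for a non-standard port. This is an added example, not from the book; the class and policy names follow the 7.0 default names, and the 5061 port is a placeholder.

```cisco
! Added example (not from the book). Names follow the 7.0 defaults; port 5061 is a placeholder.
! The default class matches the well-known ports of every inspectable protocol.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  ! FTP, SMTP and DNS: embedded-address fix-up and protocol sanity checks.
  inspect ftp
  inspect esmtp
  inspect dns maximum-length 512
  ! Stateful ICMP so replies are matched to requests instead of being let through.
  inspect icmp
  ! VoIP signalling: opens the dynamically negotiated media ports per call.
  inspect sip
  inspect h323 h225
  inspect h323 ras
  inspect skinny
  inspect rsh
! "global" applies this policy on every interface.
service-policy global_policy global
! A VoIP proxy that signals on a non-standard port: match it explicitly, then inspect.
class-map SIP_5061
 match port udp eq 5061
policy-map global_policy
 class SIP_5061
  inspect sip
! show service-policy global
```

The second class map is the part practitioners forget: an engine only sees traffic its class map matches, so a service moved off its well-known port silently loses inspection, and with it the pinholes for its secondary channels.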

ASA

A key part of the Cisco PIX operating environment is the ASA. The ASA is more secure and efficient than packet filtering and provides better performance than application-type proxy firewalls. The ASA segregates the network segments connected to the firewall, maintains secure perimeters, and can control traffic between those segments. The firewall interfaces are assigned security levels. The PIX allows traffic to pass from an interface with a higher security level (inside) to an interface with a...

ASDM Installation

Before installing ASDM, follow these steps Step 1 Save or print your Security Appliance configuration and write down your activation key. Step 2 If you are upgrading from a previous version of Security Appliance software, you must obtain the ASDM software from Cisco in the same way you download the Security Appliance software. Then, use TFTP to download the image to your Security Appliance unit. Step 3 If you upgrade your Cisco Security Appliance Software to version 7.0 and you plan to use...

ASDM Overview

ASDM is a graphical configuration tool that is designed to help you set up, configure, and monitor your Cisco Security Appliance. It is installed as a separate software image on the Security Appliance and resides in the Flash memory of all firewall units running software version 7.0 and higher. A standalone or browser-based Java applet can be used as a client to access the ASDM graphical user interface (GUI) for configuration. ASDM uses tables, drop-down menus, and task-oriented selection menus...

Assign a Shell Command Authorization Set on a Per Network Device Group Basis

In ACS version 3.1 and later, to apply a shell command authorization set to the TACACS+ AAA clients who belong to a particular Network Device Group (NDG), select this option, and then use the following options. Device Group: From the list, select the NDG to which you want to assign a shell command authorization set. Command Set: From the list, select the shell command authorization set you want to apply to the NDG. Add Association: Click to add the NDG and command set selected to the Device Group...

Assigning Actions to a Traffic Class

For purposes of managing, controlling, and manipulating the traffic classes, actions should be assigned to these traffic classes. A security administrator might want to rate-limit only the HTTP traffic that crosses the network, and use deep inspection on all TCP traffic entering the network. This can be done by assigning one or more traffic classes, through class maps, to policy maps. Policy maps assign one or more actions to one or more class maps assigned to it. Each action is called a...

Assigning Policies to an Interface

For a policy to take effect, you need to assign it to an interface. An interface is any physical interface, or a logical interface defined by the nameif command. Additionally, you can apply a policy globally, to all interfaces. To assign a policy to an interface, use the service-policy command. The service-policy command assigns a policy map to a specific interface. Only one service-policy command can be applied to any one interface. To disable the command, use the no form of...

Authentication of Services

The Cisco Security Appliance is designed to authenticate users via FTP, HTTP, HTTPS, and Telnet. Many other services that pass through the Security Appliance also require authentication. To fulfill this requirement, the Security Appliance supports virtual services: it answers on behalf of a server that does not exist, and that virtual server is used to authenticate users who want to connect to services other than FTP, HTTP, HTTPS, and Telnet. After a user has been...

Authentication Prompts

The auth-prompt command is used to configure the exact text used when the user is challenged to authenticate, successfully authenticates, or fails to authenticate. This command sets the text for FTP, HTTP, and Telnet session authentication. The syntax of this command is auth-prompt {prompt | accept | reject} string. The string is the text that is displayed. It can be up to 235 characters in length for FTP and Telnet connections. It is limited to 120 characters for HTTP connections using Netscape...

Authentication Timeout

After a user is successfully authenticated, their user information is saved in cache for a predetermined amount of time. You set this time by configuring the timeout uauth command. It is specified in hours, minutes, and seconds. If the user session idle time exceeds the timeout, the session is terminated and the user is prompted to authenticate during the next connection. To disable caching of users, use the timeout uauth 0 command. Be sure not to use timeout uauth 0 when using virtual http....

Basic Configuration

To enable the Security Appliance Easy VPN Remote client to communicate with the Easy VPN Server, you need to identify the location of the Easy VPN Server using the vpnclient server command. The syntax for this command is as follows: vpnclient server primary-ip [secondary-ips]. You need to specify the IP address of the primary Easy VPN Server. In addition to the primary Easy VPN Server, you also can specify up to ten additional secondary Easy VPN Servers. If the primary server is not accessible, the...

Basic Configuration Information for HOUPIX

Tables 20-10 through 20-13 provide the information needed to configure the PIX Firewall in the Houston office. Table 20-10 shows information about the physical interfaces of the Cisco PIX Firewall. Table 20-10 Interface Information for the Houston PIX. Table 20-11 depicts which routes need to be configured on the PIX Firewall in the Houston office. Table...

Basic Configuration Information for HQPIX

Table 20-1 lists the physical interfaces of the Cisco PIX Firewall that is installed in the Reston headquarters. This table includes the interface name, physical interface ID, assigned address, and speed/duplex. Table 20-1 PIX Interface Information for HQ. Table 20-2 shows what routing information needs to be configured on the PIX. Note that the only route required is the default route; no specific routes are defined on the firewall. Table 20-2 PIX...

Basic Configuration Information for MNPIX

Tables 20-6 through 20-9 provide the information needed to configure the PIX Firewall at the Minneapolis office. Table 20-6 shows information about the physical interfaces on the PIX Firewall. Table 20-6 PIX Interface Information for Minneapolis. Table 20-7 depicts which routes need to be configured on the PIX Firewall in the Minneapolis office. Table 20-7 Routing...

Step 8 Specify the encryption and authentication algorithms used by IKE (Phase 1), as shown in Figure 15-34. Step 9 Specify the encryption and authentication algorithms used by the IPSec VPN tunnel, as shown in Figure 15-35. Figure 15-35 Transform Set Window (IPSec Encryption and Authentication)

Browser Requirements

The following are the requirements to access ASDM from a browser JavaScript and Java must be enabled If these are not enabled, ASDM helps the administrator enable them. When using your browser, Java Plug-in version 1.4.2 or 1.5.0 is supported. To check which version the administrator has, launch ASDM. In the main ASDM menu, click Help > About Cisco ASDM 5.0 for PIX. When the About Cisco ASDM 5.0 for PIX window opens, it displays the browser specifications in a table, including the Java...

Building Blocks

The ASDM uses the name building blocks for the reusable components that must be implemented for your policy. The Building Blocks tab, shown in Figure 15-16, provides a single location where you can configure, view, and modify the building blocks. These building blocks include the following Hosts Networks You can use this option to add, modify, or remove hosts and networks from specific interfaces. Inspect Maps You can use this option to create inspect maps for specific protocol inspection...


Case Study and Sample Configuration

The DUKEM consulting firm is a medium-size company with 700 employees. It has three offices across the continental United States. Twenty percent of DUKEM's employees are mobile or telecommute. Figure 20-1 shows the current DUKEM network infrastructure. Figure 20-1 DUKEM Network Infrastructure

CCSP SNPA Official Exam Certification Guide, Third Edition

Michael Gibbs Greg Bastien Earl Carter Christian Abera Degu Copyright 2006 Cisco Systems, Inc. Published by Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed...

Certification Authorities

IKE interoperates with X.509v3 certificates for authentication that requires public keys. Certification authorities (CA) manage certificate requests, issue digital certificates, and publish certificate revocation lists (CRL) to list certificates that are no longer valid. A digital certificate contains information about the user or device and includes a copy of its public key. This technology enables IPSec-protected networks to scale, because the peers simply exchange digital certificates that...
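A site-to-site IPSec tunnel authenticated with CA-issued certificates rather than a preshared key, covering the trustpoint described here and the Phase 1 and transform-set choices of wizard steps 8 and 9. This is an added example, not from the book; the CA URL, subject name, peer address 198.51.100.1 and the protected subnets are placeholders, and the command forms are 7.0 syntax (7.2 and later prefix isakmp with crypto).

```cisco
! Added example (not from the book). CA URL, names, peer and subnets are placeholders (7.0 syntax).
! 1. Trustpoint: enroll with the CA over SCEP and refuse peers whose CRL cannot be checked.
crypto ca trustpoint CORP_CA
 enrollment url http://ca.example.com/cgi-bin/pkiclient.exe
 subject-name CN=fw-hq.example.com,OU=Security,O=Example
 crl required
 crl configure
  policy cdp
! Fetch the CA certificate, then request the firewall's own identity certificate.
crypto ca authenticate CORP_CA
crypto ca enroll CORP_CA
! 2. IKE Phase 1 (wizard step 8): RSA signatures instead of a shared secret.
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! 3. Phase 2 transform set (wizard step 9) and the crypto map that selects the traffic.
access-list VPN_HQ_BRANCH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_HQ_BRANCH
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set AES_SHA
crypto map OUTSIDE_MAP interface outside
! 4. Tunnel group for the peer, tied to the trustpoint that must sign its certificate.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 trust-point CORP_CA
! show crypto ca certificates
! show isakmp sa
! show ipsec sa
```

The crl required line is the check that makes revocation mean something: with crl optional, an unreachable CRL distribution point lets a revoked peer certificate keep building tunnels. The cost is that an outage of the CDP also blocks legitimate peers, so the CDP needs the same availability as the VPN itself.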

Certification Exam and This Preparation Guide

The questions for each certification exam are a closely guarded secret. The truth is that if you had the questions and could only pass the exam, you would be in for quite an embarrassing experience as soon as you arrived at your first job that required Security Appliance skills. The point is to know the material, not just to pass the exam successfully. We do know what topics you must know to complete this exam. These are, of course, the same topics required for you to be proficient with the...

Virtual HTTP

Virtual HTTP functions similarly to virtual Telnet in that the PIX Firewall acts as the HTTP server via an additional IP address assigned to the firewall. Users might believe that they are accessing the web server, but they are actually accessing the virtual server for the authentication prompt, being authenticated by an AAA server, and being redirected to their destination after successful authentication. The syntax for virtual http is virtual http ip-address [warn]. The warn option is used for...
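The virtual services, authentication prompts and uauth timeout from the Authentication of Services, Authentication Prompts, Authentication Timeout and Virtual HTTP entries, brought together. This is an added example, not from the book; it assumes a server group named CORP_TACACS already exists, and the two virtual addresses, the user subnet and the database server are unused, routable placeholders.

```cisco
! Added example (not from the book). Assumes server group CORP_TACACS exists;
! 192.168.10.250/.251, 10.1.2.0/24 and 192.168.10.20 are placeholders.
! Virtual Telnet: users telnet to this address, authenticate, and the firewall then
! lets their non-FTP/HTTP/Telnet sessions (here, a database on TCP 1433) through.
virtual telnet 192.168.10.250
access-list AUTH_FIRST extended permit tcp 10.1.2.0 255.255.255.0 host 192.168.10.250 eq telnet
access-list AUTH_FIRST extended permit tcp 10.1.2.0 255.255.255.0 host 192.168.10.20 eq 1433
aaa authentication match AUTH_FIRST inside CORP_TACACS
! Virtual HTTP: the firewall answers the browser challenge itself, so the firewall
! credentials are never forwarded to the real web server.
virtual http 192.168.10.251 warn
! Prompt text (up to 235 characters for FTP/Telnet, 120 for HTTP).
auth-prompt prompt Firewall authentication required
auth-prompt accept Authentication succeeded
auth-prompt reject Authentication failed
! Cache a successful login for 30 minutes of inactivity and at most 8 hours absolute.
timeout uauth 0:30:00 inactivity
timeout uauth 8:00:00 absolute
! Never set timeout uauth 0 with virtual http: with no cache the user is
! challenged for every object the page loads.
! show uauth   (lists the cached users and their remaining time)
```

The 1433 entry in AUTH_FIRST is what makes virtual Telnet useful: the database protocol cannot carry a login prompt, so the firewall authenticates the user on the Telnet session first and then honours the cached entry for the database connection until the uauth timer expires.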

Table 8-5 set connection Command Options

conn-max: The maximum number of simultaneous TCP and UDP connections that are allowed. embryonic-conn-max: The maximum number of half-open TCP connections associated with a policy map. random-sequence-number: Enables or disables TCP sequence number randomization. Disable it only when multiple Security Appliances are placed inline with each other, with one appliance performing the sequence number randomization. Using the set connection timeout form of the command, you can control the timeout for TCP connections. The connection types that a timeout can be...
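The class map, policy map and service-policy steps from Assigning Actions to a Traffic Class and Assigning Policies to an Interface, with the set connection options of Table 8-5 applied. This is an added example, not from the book; the names, the 1 Mbps rate and the connection limits are placeholders, and the police command form is the 7.0 syntax (later releases add an input/output keyword), so confirm it against your release.

```cisco
! Added example (not from the book). Names, rate and limits are placeholders (7.0 syntax).
! Class maps select the traffic.
class-map HTTP_TRAFFIC
 match port tcp eq www
class-map ALL_TCP
 match port tcp range 1 65535
! The policy map assigns one or more actions to each class.
policy-map INSIDE_POLICY
 class HTTP_TRAFFIC
  ! Deep inspection of HTTP plus a 1 Mbps policer with an 8000-byte burst.
  inspect http
  police 1000000 8000 conform-action transmit exceed-action drop
 class ALL_TCP
  ! Connection limits blunt SYN floods: 1000 concurrent, 100 half-open.
  set connection conn-max 1000 embryonic-conn-max 100
  ! Half-open sessions die after 30 s, idle established sessions after one hour.
  set connection timeout embryonic 0:00:30
  set connection timeout tcp 1:00:00
  ! Keep ISN randomisation on unless another appliance inline already does it.
  set connection random-sequence-number enable
! One service-policy per interface; "global" would apply it to all of them.
service-policy INSIDE_POLICY interface inside
! show service-policy interface inside
```

Only one service-policy can be bound per interface, so every action that interface needs has to live in the one policy map; adding a second policy map for the same interface replaces the first rather than stacking on it.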

Checking the Cisco Secure ACS

After you verify your settings on the Cisco Security Appliance, you should double-check the settings on the Cisco Secure ACS to ensure that they match the Security Appliance. You also can use the extensive logging information available in the Cisco Secure ACS Reports and Activity window. You can find a list of troubleshooting information for the Cisco Secure ACS in the Cisco Secure ACS online documentation. Simply enter Troubleshooting Information for Cisco Secure ACS in the Search box at...

Checking the Security Appliance

The most effective command for troubleshooting the Security Appliance is show. The show command is run in configuration mode and can be used to show the configuration for all the AAA components on the Security Appliance. The following is a list of the show commands pertaining to the AAA configuration show aaa-server Shows you the different group-tags, which protocol is used for each group-tag, and the ip-address, key, and timeout for each AAA server. show aaa Provides you with the output of the...

Cisco ASA 5510 Security Appliance

The Cisco ASA 5510 Security Appliance is an advanced firewall and VPN solution designed for small to medium-size businesses, as well as remote offices. The ASA 5510 is a powerful security device, running on a 1.6-GHz Celeron processor, with up to 256 MB of RAM and 64 MB of Flash memory. The ASA 5510 can be configured for failover only with the Cisco ASA 5510 Security Plus license upgrade. The ASA 5510 does not support the Security Context feature. No VLAN support is available for the ASA 5510...

Cisco ASA 5520 Security Appliance

The Cisco ASA 5520 Security Appliance is a high-availability enterprise firewall and VPN. It is designed as a perimeter security device, as well as a VPN head point for all enterprise connectivity. The ASA 5520 supports a 2.0-GHz Celeron processor, with up to 512 MB of RAM and 64 MB of Flash memory. The availability of security contexts allows the ASA 5520 to support more flexible firewall design than the ASA 5510. In addition, the ASA 5520 allows the use of SSL VPNs (WebVPN) to support up to...

Cisco ASA 5540 Security Appliance

The Cisco ASA 5540 is the premiere Security Appliance for the large enterprise environment. The ASA 5540 can support up to 100 VLANs, allowing a security administrator greater flexibility when designing a corporate LAN. The ASA 5540 runs on a 2.0-GHz Pentium 4 processor, with up to 1,024 MB of RAM and 64 MB of Flash memory. The ASA 5540, like the ASA 5520, supports LAN-based failover in either Active Active or Active Standby modes. The ASA 5540 supports up to 50 security contexts with purchase...

Cisco ASA Security Model Capabilities

The following sections describe the characteristics and capabilities of each firewall in the ASA Security Appliance family. The throughput speeds mentioned for each model refer to the speeds at which the firewall can process data with most services enabled. The addition of an AIP-SSM module, if enabled, will reduce an interface's throughput. All the ASA Security Appliances feature the same chassis (see Figure 3-14). Figure 3-14 ASA Security Appliance 55X0 Front Panel...

Cisco AVVID

AVVID is the Cisco Architecture for Voice, Video, and Integrated Data. Cisco AVVID is an open architecture that is used by Cisco partners to develop various solutions. Every Cisco partner solution is rigorously tested for interoperability with Cisco products. Cisco AVVID is designed for large enterprise networks that require an infrastructure that can support emerging applications such as IP telephony, content delivery, and storage. This network of networks concept allows the use of a single...

Cisco PIX 506E

The Cisco PIX 506E Firewall was designed for the ROBO environment. It has a 300-MHz Celeron processor, 32 MB of RAM, and 8 MB of Flash memory. It has a fixed outside Ethernet interface and a fixed inside Ethernet interface. It has a 9600-baud console port that is used for local device management. The PIX 506 does not support failover. Connection capabilities for the PIX 506 are as follows: maximum clear-text throughput 100 Mbps; maximum throughput (DES) 20 Mbps; maximum throughput (3DES) 17 Mbps...

Cisco PIX 525

The Cisco PIX 525 Firewall is an enterprise firewall. It provides perimeter security for large enterprise networks. The PIX 525 is rack-mountable in a 2U (3.5-inch) configuration. It has a 600-MHz processor, up to 256 MB of RAM, and 16 MB of Flash memory. It has two fixed 10/100 Ethernet interfaces. The two fixed interfaces are Ethernet 0, which is the outside interface by default, and Ethernet 1, which is the inside interface by default. The PIX 525 also includes three PCI slots for the...

Cisco PIX 535

The Cisco PIX 535 Firewall is the ultimate enterprise firewall designed for enterprise networks and service providers. The PIX 535 is rack-mountable and fits a 3U configuration. It has a 1-GHz processor, up to 1 GB of RAM, and 16 MB of Flash memory. It has nine PCI slots for the installation of up to ten Ethernet interfaces. It has a 9600-baud console port that is used for local device management. The PIX 535 can be configured for failover using a failover cable connected to the 115-kbps serial...

Cisco PIX Firewall Models and Features

Cisco has named its family of security firewalls Security Appliances, encompassing both the PIX and ASA Security Appliances. Currently, six models of the Cisco PIX Firewall are available. Additionally, three models have been introduced in the new series of ASA Security Appliances. All these models provide services for users ranging from the small office home office (SOHO) to the enterprise network and Internet service provider (ISP) Cisco Secure PIX 501 Intended for SOHO use and incorporates an...

Cisco PIX Firewall Password Recovery Getting Started

The procedure for password recovery on the Cisco PIX Firewall with a floppy drive is slightly different than with a diskless Cisco PIX Firewall. The difference is in how the Cisco PIX Firewall boots with the binary files listed in Table 4-6. Firewall models that have a floppy drive boot from a disk, and diskless firewall models boot from a TFTP server. In addition to the binary files, you need the following items Terminal-emulating software TFTP software (only for diskless PIX Firewall models)...

Cisco SAFE

SAFE is available for different sizes of networks. The Cisco white papers SAFE A Security Blueprint for Enterprise Networks and SAFE Extending the Security Blueprint to Small, Midsize, and Remote-User Networks are guides for network designers and focus on the implementation of secure network designs. Cisco SAFE is based on Cisco AVVID. SAFE uses best practices and the interoperability of various Cisco and Cisco partner products. Several SAFE white papers available on Cisco.com focus on the...

Cisco Secure Access Control Server

Cisco Secure ACS is an AAA server product developed by Cisco that can run on Windows NT/2000 Server and UNIX, although Cisco has discontinued support for the Windows NT and UNIX platforms. It supports a number of NASs, including the Cisco Security Appliance. Cisco Secure ACS supports both RADIUS and TACACS+. Cisco has replaced the UNIX platform with the Cisco Secure ACS Solution Engine Server. The server is a standalone 1U server with Cisco Secure ACS 3.3 preinstalled. With the release of Cisco...

Cisco Security Appliance

Five major characteristics of the Cisco Security Appliance family's design make it a leading-edge, high-performance security solution. Secure real-time embedded system: A single proprietary embedded system designed for improved security, functionality, and performance. Adaptive Security Algorithm: The key to stateful session control in all Cisco Security Appliances. The ASA maintains state information in the state table and randomly generates TCP sequence numbers to prevent session...

Cisco Security Appliance Failover

Today, most businesses rely heavily on critical application servers that support the business process. The interruption of these servers due to network device failures or other causes has a great financial cost, not to mention the irritation such an interruption causes in the user community. With this in mind, Cisco has designed most of its devices, including the Security Appliance products (models 515 and up), such that they can be configured in a redundant or highly available configuration....

Cisco Security Appliance Models

Table 3-10 PIX Models and Features (Continued) Table 3-11 ASA Models and Features (Continued)

Cisco Security Specialist in the Real World

Cisco is one of the most recognized names on the Internet. You cannot go into a data center or server room without seeing some Cisco equipment. Cisco-certified security specialists are able to bring quite a bit of knowledge to the table because of their deep understanding of the relationship between networking and network security. This is why the Cisco certification carries such clout. Cisco certifications demonstrate to potential employers and contract holders a certain professionalism and...

Clear Command

The clear command allows you to remove current settings. You must be very careful when using the clear command to ensure that you do not remove portions of your configuration that are needed. The most common use of the clear command for troubleshooting VPN connectivity is to clear current sessions and force them to regenerate. Table 13-7 explains the two clear commands used to troubleshoot VPN connectivity. Table 13-7 entry: Removes all ISAKMP statements from the configuration.

Client Device Mode

The Cisco VPN Client operates in the following two modes (see the Easy VPN Remote Modes of Operation section earlier in the chapter for more information). To configure the client device mode, you use the vpnclient mode command. The syntax for this command is as follows:
vpnclient mode
Client mode applies NAT/PAT to all IP addresses of the clients connected to the higher-security (inside) interface. Network extension mode, on the other hand, does not apply NAT/PAT to any IP addresses of clients on...

Client Mode

Client mode enables you to deploy a VPN quickly and easily in a small office/home office (SOHO) environment. In situations where there is no need to access the devices behind the VPN client directly, and where ease of use and quick installation are important, client mode is the ideal solution. In client mode, the Easy VPN Remote device uses PAT to isolate the private network from the public network. PAT causes all of the traffic from the SOHO network to appear on the private network as a single...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
- Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
- Italic indicates arguments for which you supply actual values.
- Vertical bars...

Command Level Authorization

In some organizations, there may be more than one firewall administrator for the Security Appliances. In those instances, you can give those other administrators full rights and privileges on the Security Appliances, or you can restrict them to the commands their assigned functions require, thereby reducing the chance that unintended (or sometimes malicious) events occur on the firewall(s). The PIX operating system provides a mechanism for controlling what type of command a user can execute. The...


Configuration Replication

Configuration changes, including initial failover configurations to the Cisco Security Appliance, are done on the primary unit. The standby unit keeps the current configuration through the process of configuration replication. For configuration replication to occur, the two Security Appliance units should be running the same software release. Configuration replication usually occurs when:
- The standby unit completes its initial bootup and the active unit replicates its entire configuration to the...

Configuring a Cisco Security Appliance

Eight important commands are used to produce a basic working configuration for a Security Appliance. Before you use these commands, it can prove very useful to draw a diagram of your Cisco Security Appliance with the different security levels, interfaces, and Internet Protocol (IP) addresses. Figure 6-1 shows one such diagram that is used for the discussion in this chapter.
Figure 6-1 Documenting Cisco Security Appliance Security Levels, Interfaces, and IP Addresses...

Configuring a Syslogd Server

Because syslogd was originally a UNIX concept, the features available in the syslogd products on non-UNIX systems depend on the vendor implementation. Features might include dividing incoming messages by facility or debug level or both, resolving the names of the sending devices, and reporting facilities. For information on configuring the non-UNIX syslog server, refer to the vendor's documentation.
NOTE: Configuring the syslog server is not covered on the PIX CSPFA 642-522 exam.
To configure...

Configuring Access

Managing controlled access to network resources from an untrusted (Internet) network is a very important function of the Cisco Security Appliance. Access lists, network address translations, authentication, and authorization are ways to provide access through a Security Appliance in a controlled fashion. In addition, PIX software version 6.2 and later, as well as ASA software version 7.0, have new features such as object grouping and TurboACL, which make managing and implementing a complex...

Configuring Access VPNs

The Cisco Easy VPN, a software enhancement for Cisco Security Appliances and security appliances, greatly simplifies virtual private network (VPN) deployment for remote offices and telecommuters. By centralizing VPN management across all Cisco VPN devices, Cisco Easy VPN reduces the complexity of VPN deployments. Cisco Easy VPN enables you to integrate various remote VPN solutions (Cisco IOS routers, Cisco PIX Firewalls, Cisco ASA 55X0 series firewalls, Cisco VPN 3002 Hardware Clients, and...

Configuring DNS Support

It is not necessary to configure DNS support on the Cisco Security Appliance. By default, the Security Appliance identifies each outbound DNS request and allows only a single response to that request. The internal host can query several DNS servers for a response, and the Security Appliance allows the outbound queries. However, the Security Appliance allows only the first response to pass through the firewall. All subsequent responses to the original query are dropped. PIX Version 6.3(2) includes a...

Configuring Downloadable Security Appliance ACLs

Version 3.0 and later of Cisco Secure ACS allows you to create a downloadable ACL using the shared profile component. The downloadable ACL configuration is supported only for RADIUS servers. To verify that your configuration is for a RADIUS server, select Network Configuration from the navigation bar and click AAA Client. Verify that RADIUS (Cisco IOS Security Appliance) is selected, as shown in Figure 18-19.
Figure 18-19 RADIUS (Cisco IOS PIX) Configuration...

Configuring EMail Proxies

The WebVPN service supports four types of e-mail proxies. Of the four types of e-mail proxies, only MAPI is handled through the functions command:
tgasa(config-group-webvpn)# functions mapi
The other three are handled in a subcommand mode similar to WebVPN mode, as described previously. Each proxy's subcommand mode can use the commands listed in Table 13-14.
Table 13-14 (entries): Assigns a preconfigured accounting server group to use with the proxy. None are initially configured. Assigns an authentication mode for the proxy...

Configuring Failover

To configure failover, you need to become familiar with a few key commands. Table 12-4 shows the commands used to configure and verify failover.
Table 12-4 Security Appliance Failover Commands
failover: Enables the failover function on the PIX Firewall. Use this command after you connect the failover cable between the primary and secondary unit. Use the no failover command to disable the failover feature.
...

Configuring IKE

Remember that IKE is the method used by the peers to negotiate and establish the SA. Determining which IKE configuration to use is not difficult. Most companies have a standard configuration that they employ when creating any VPN connection. If you do not have a preestablished policy, you should select a policy whose security is at least as strong as that required for the most sensitive data that will travel across the connection. The following steps are required to configure...

Configuring Multiple Translation Types on the Cisco Security Appliance

It is a good practice to use a combination of NAT and PAT. If you have more internal hosts than external IP addresses, you can configure both NAT and PAT. Your first group of hosts translates to the global addresses that are listed and the remaining hosts use PAT and translate to the single global address. PAT is configured separately from NAT. If NAT is configured without PAT, once the available global IP address range is depleted, additional translation attempts will be refused. If the...

Configuring Port Forwarding

Some end users will require access to applications outside of e-mail and file access. In a traditional IPSec VPN, this can be done easily, since the end user is directly connected to the enterprise network through the VPN. When using a WebVPN service, the end user has no direct connection to the network, and must redirect all application use through the WebVPN https service. This is done through port forwarding using a Java applet. A security administrator enables port forwarding in two steps...

Configuring Security Appliances for Scalable VPNs

Earlier in this chapter, you learned about the different methods of negotiating an IPSec SA:
- Manual IPSec, which requires you to configure each peer manually. This method is not recommended by Cisco because it does not allow for key exchanges and, therefore, would be rather easy to decrypt, given enough time and traffic. Obviously, manual IPSec is not a scalable solution.
- IKE, which dynamically negotiates your SA using preshared keys or digital certificates. Preshared keys still require you to...

Configuring Security Contexts

In multiple-context mode, a security administrator can create new security contexts up to the Security Appliance's license limit. These contexts have policies that apply only to the interfaces that are assigned to that context. A security context contains two parts:
- System configuration of the context: Defines the context name, VLAN, interfaces, and configuration file URL that the context will use.
- Context configuration file: Contains all the firewall policies and interface configurations that...

Configuring Simple Network Management Protocol on Security Appliance

The snmp-server command causes the Security Appliance to send SNMP traps so that the Security Appliance can be monitored remotely. Use the snmp-server host command to specify which systems receive the SNMP traps. Example 4-5 shows an SNMP sample configuration on a PIX Firewall.
Example 4-5 Sample SNMP Configuration on a PIX Firewall
The location and contact commands identify where the host is and who administers it. The community command...

Configuring SNMP Traps and SNMP Requests

SNMP requests can be used to query the Security Appliance on its system status information. If you want to send only the cold start, link up, and link down generic traps, no further configuration is required. SNMP traps send information about a particular event only when the configured threshold is reached. To configure a Security Appliance to receive SNMP requests from a management station, you must do the following:
- Configure the IP address of the SNMP management station with the snmp-server...

Configuring Syslog Messages at the Console

Configuring logging on the console interface is useful when you are troubleshooting or observing traffic patterns directly from a Security Appliance. This gives you real-time information about what is happening on the Security Appliance. To configure logging at the Security Appliance console interface, use the logging console command as follows. After logging into configuration mode, enter the following:
Pixfw(config)# logging on
Pixfw(config)# logging console 5
The 5 indicates the logging level....

Configuring Syslog on a Cisco Security Appliance

The logging command is used to configure logging on the PIX Firewall. Logging is disabled by default. Table 10-3 describes the parameters of the logging command.
Table 10-3 logging Command Parameters
on: Enables the transmission of syslog messages to all output locations. You can disable sending syslog messages with the no logging on command.
message: Allows you to disable specific syslog messages. Use the logging message message_number command to resume logging of...

Configuring the ASDM to View Logging

The ASDM Log panel, shown in Figure 10-1, allows you to view syslog messages that are captured in the ASDM Log buffer in the Security Appliance memory. You may select the level of syslog messages you want to view. When you view the ASDM Log, all the buffered syslog messages at and below the logging level you choose are displayed.
Figure 10-1 ASDM Log panel
The ASDM logging panel has the following fields: Logging...

Configuring the Central PIX Firewall HQPIX for VPN Tunneling

Both remote sites connect to the Reston location using VPN tunneling. The VPN protects the traffic coming from the remote sites. The following steps define the VPN characteristics on HQ-PIX:
Step 1 Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy.
Step 2 Configure a preshared key and associate it with the peers (Houston and Minneapolis):
isakmp key C2 ghi address 192.168.3.2
isakmp key B2 def address 192.168.2.2
Step 3 Configure the supported IPSec transforms...

Configuring the Cisco Security Appliance to Send Syslog Messages to a Log Server

Configuring a Security Appliance to send logging information to a server helps you collect and maintain data that can later be used for forensic and data traffic analysis. The Security Appliance syslog messages are usually sent to a syslog server or servers. The Security Appliance uses UDP port 514 by default to send syslog messages to a syslog server. The syntax for configuring the Security Appliance Firewall to send syslog messages to a syslog server is as follows Pixfirewall(config) Logging...

Configuring the Houston PIX Firewall Houpix for VPN Tunneling

Similar to configuring the VPN characteristics on HQ-PIX, you also must define the VPN characteristics at each of the remote sites. The following steps outline the commands necessary to define the VPN characteristics on HOU-PIX at the Houston remote site:
Step 1 Configure an ISAKMP policy:
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
Step 2 Configure a preshared key...

Configuring the Minneapolis PIX Firewall MNPIX for VPN Tunneling

Similar to configuring the VPN characteristics on HQ-PIX, you also must define the VPN characteristics at each of the remote sites. The following steps outline the commands necessary to define the VPN characteristics on MN-PIX at the Minneapolis remote site:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 lifetime 1000
Step 2 Configure a preshared key and associate it with the peer (HQ-PIX):
isakmp key A1 abc address 192.168.1.2
Step 3 Configure the...

Configuring the Security Appliance DHCP Client

DHCP client support on the Cisco Security Appliance is designed for use in SOHO environments in which digital subscriber line (DSL) and cable modems are used. The DHCP client can be enabled only on the outside interface of the Security Appliance. When the DHCP client is enabled, DHCP servers on the outside provide the outside interface with an IP address.
NOTE: The DHCP client does not support failover configuration.
The DHCP client feature on a Security Appliance is enabled by the ip address...

Configuring the Security Appliance DHCP Server

Configuring the Security Appliance to operate as a DHCP server involves the following tasks:
- Configuring the address pool
- Specifying WINS, DNS, and the domain name
- Configuring the DHCP options
- Configuring the DHCP lease length
NOTE: Configuring the Security Appliance to serve as a DHCP server also requires you to assign a static IP address to the inside interface. This is one of the basic configuration tasks when setting up your Security Appliance.
A DHCP server needs to know which addresses it...

Configuring Transparent Mode

With the release of Security software version 7.0, a Security Appliance can run as a Layer 2 firewall. Standard firewalls act in a similar fashion as a router, routing packets through the firewall instead of switching them. This creates an extra hop in the IP path that a user can detect. With transparent firewall enabled, the Security Appliance will act as a Layer 2 filtering bridge, switching the packets instead of routing them, and the user will not see an additional hop within the IP path....

Configuring VPDN Group Authentication

Your ISP may require you to use authentication with PPPoE. The Security Appliance PPPoE client supports the following authentication protocols:
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
- Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
To define the authentication protocol for the PPPoE client, you use the following command:
vpdn group group-name ppp authentication pap | chap | mschap
NOTE: ISPs that use CHAP or MS-CHAP may refer to the...

Console Access Authentication

The final type of AAA authentication is for direct connections to the Cisco Security Appliance. It is very important to restrict access to the firewall as much as possible. One way to increase your firewall's security is to require all access to the firewall to be authenticated by an AAA server. Console access is traditionally password protected; however, the aaa authentication console command prompts the user to authenticate differently, depending on the method used to access the Security...

Content Filtering on the Cisco Security Appliance

Up to now, you have focused on how to configure the Security Appliance and how to protect against unwanted traffic from outside in. This chapter focuses specifically on outbound traffic and content filtering, that is, traffic moving from inside out. More and more companies today have some form of network policy in place. Websites that are not related to their business or that are otherwise considered inappropriate are prohibited for use by their employees. This chapter discusses how the Cisco Security...

Contents

- How to Best Use This Chapter
- Do I Know This Already Quiz
- Foundation and Supplemental Topics
  - Overview of Network Security
  - Vulnerabilities, Threats, and Attacks
    - Vulnerabilities
    - Threats
    - Types of Attacks
      - Reconnaissance Attacks
      - Access Attacks
      - DoS Attacks
  - Security Policies
    - Step 1 Secure
    - Step 2 Monitor
    - Step 3 Test
    - Step 4 Improve
  - Network Security as a Legal Issue
  - Defense in Depth
  - Cisco AVVID and Cisco SAFE
    - Cisco AVVID
    - Cisco SAFE
- Foundation Summary...

Contents at a Glance

- Firewall Technologies and the Cisco Security Appliance
- Understanding Cisco Security Appliance Translation and Connection
- Getting Started with the Cisco Security Appliance Family of Firewalls
- Configuring Access
- Modular Policy Framework
- Security Contexts
- Syslog and the Cisco Security Appliance
- Routing and the Cisco Security Appliance
- Cisco Security Appliance Failover
- Adaptive Security Device Manager
- Content Filtering on the Cisco Security Appliance
...

Creating a Boothelper Disk Using a Windows PC

The boothelper disk, as described earlier in this chapter, provides assistance for Cisco PIX Firewall models 510 and 520 running PIX software version 5.0(x) or version 4.x to be upgraded to a newer version:
Step 1 Go to the Cisco website and download the rawrite.exe utility, which you use to write the PIX Firewall binary image to a floppy disk (you must have a Cisco.com account to do this).
Step 2 Download the PIX Firewall binary image (.bin file) that corresponds to the software version to...

Creating a New Context

Each security context has a unique, case-sensitive name of no more than 32 alphanumeric characters. A context cannot be named System or Null, because these names are reserved by the system. To create a context, use the context command in global configuration mode. The context command, when executed, enters a context configuration submode. In this configuration mode, interface assignments and the location of the...