Slide 1: © 2005 Cisco Systems, Inc. All rights reserved.

Slide 2: Network Security 1, Module 3 – Security Devices

Slide 3: Learning Objectives
- 3.1 Device Options
- 3.2 Using Security Device Manager
- 3.3 Introduction to the Cisco Security Appliance Family
- 3.4 Getting Started with the PIX Security Appliance
- 3.5 PIX Security Appliance Translations and Connections
- 3.6 Manage a PIX Security Appliance with Adaptive Security Device Manager
- 3.7 PIX Security Appliance Routing Capabilities
- 3.8 Firewall Services Module Operation

Slide 4: Module 3 – Security Devices, 3.1 Device Options
Slide 5: Sample Firewall Topology

Slide 6: Security Offerings (feature matrix)
- Categories shown: Secure Operating System Foundation, IP Services, IOS Firewall, Network Integrated Solutions (VPN, Firewall, Intrusion Protection)
- Features listed: VPN, IPsec, CBAC Stateful Inspection, IDS, SSH, SSL, ACL, AAA, NAT, L2TP/EAP, MSCHAPv2, PKI, 802.1X, BGP, GRE, Multicast, Application-Aware QoS, DHCP/DNS, MPLS, VoIP, EIGRP, OSPF, Multiprotocol, HTTPS, Secure ARP, uRPF (Unicast Reverse Path Forwarding), Authentication per user via AAA, Command Authorization via AAA, Device Access by Privilege Level, Activity Logging, NetFlow, IP Comp, SNMPv3

Slide 7: IOS Firewall

Slide 8: PIX Security Appliance Lineup
- Market segments shown (axes: Connectivity and Performance; Gigabit Ethernet at the top end): SOHO, SMB, ROBO, Enterprise, Service Provider
- Models: PIX 501, PIX 506E, PIX 515E, PIX 525, PIX 535
- Stateful inspection firewall appliance with a hardened OS, IPSec VPN, integrated intrusion detection, hot standby and stateful failover, Easy VPN client/server, and VoIP support

Slide 9: Adaptive Security Appliance Lineup

Slide 10: Finesse Operating System
- Cisco proprietary real-time operating system
- Runs directly on the hardware of the PIX Security Appliance and the Adaptive Security Appliance
- Eliminates the risks associated with general-purpose operating systems
- PIX: 1,000,000 simultaneous connections

Slide 11: The Adaptive Security Algorithm
- The stateful, connection-oriented ASA algorithm creates session flows based on source and destination addresses.
- It randomizes TCP sequence numbers, port numbers, and additional TCP flags before the connection completes, which minimizes the risk of a TCP sequence number attack.
- Stateful packet filtering: a method of analyzing data packets that places extensive information about each packet into a table. Information about the connection is logged in a stateful session flow table.

Slide 12: Catalyst Switch Integration
- Appliance capabilities (Firewall, IDS, Virtual Private Network) integrated into the Cisco infrastructure
- Security Services Modules: VPN, SSL, NAM, IDS, Firewall

Slide 13: Module 3 – Security Devices, 3.2 Using Security Device Manager
Slide 14: Security Device Manager (SDM)
Slide 15: What is Security Device Manager (SDM)?
Slide 16: Security Device Manager (SDM) Features

Slide 17: Obtaining SDM
- SDM is factory loaded on supported routers manufactured as of June 2003.
- Always check www.cisco.com/go/sdm for the latest information regarding SDM support.
- SDM cannot be ordered independent of the router.

Slide 18: Cisco SDM Files
Slide 19: Installing Cisco SDM
Slide 20: Startup Wizard: Welcome Window

Slide 21: SDM Main Window Layout and Navigation
- Menu bar, Toolbar, Router Information, Configuration Overview

Slide 22: SDM Wizard Options
Slide 23: WAN Wizard: Create a New WAN Connection
Slide 24: Reset to Factory Default Wizard

Slide 25: Monitor Mode
- Overview, Interface Stats, Firewall Stats, VPN Stats

Slide 26: Module 3 – Security Devices, 3.3 Introduction to the Cisco Security Appliance Family
Slide 27: PIX Security Appliance Family
Slide 28: ASA Security Appliance Family
Slide 29: PIX Security Appliance 501
Slide 30: PIX Security Appliance 506E
Slide 31: PIX Security Appliance 515E
Slide 32: PIX Security Appliance 515E Expansion Slots and Option Cards
Slide 33: PIX Security Appliance 515E FE Cards
Slide 34: PIX Security Appliance 525 Front Panel LEDs
Slide 35: PIX Security Appliance 525 Back Panel
Slide 36: PIX Security Appliance 525 Back Panel (cont.)
Slide 37: PIX Security Appliance 535
Slide 38: PIX Security Appliance 535 Board Install
Slide 39: PIX Security Appliance 535 Option Cards
Slide 40: PIX License Options
Slide 41: ASA5510 Adaptive Security Appliance
Slide 42: ASA5520 Adaptive Security Appliance
Slide 43: ASA5540 Adaptive Security Appliance
Slide 44: ASA55XX Adaptive Security Appliance Back Panel
Slide 45: AIP-SSM

Slide 46: Module 3 – Security Devices, 3.4 Getting Started with the PIX Security Appliance
Slide 47: User Interface
Slide 48: Accessing Configuration Mode

Slide 49: Security Levels
- Higher security level interface to a lower security level interface: for traffic originating from the inside interface of the PIX (security level 100) to the outside interface of the PIX (security level 0), all IP-based traffic is allowed unless it is restricted by ACLs, authentication, or authorization.
- Lower security level interface to a higher security level interface: for traffic originating from the outside interface of the PIX (security level 0) to the inside interface of the PIX (security level 100), all packets are dropped unless specifically allowed by an access-list command. The traffic can be restricted further if authentication and authorization are used.
- Same security level interface to a same security level interface: no traffic flows between two interfaces with the same security level.
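The three rules on slide 49 as a small decision model, added here as an example and not Cisco code: a bound access-list overrides the level-based default (with the implicit deny a real access-list ends with), otherwise the security levels alone decide. The interface names, levels, addresses and ACL entries are constructed for the example.

```python
# Added example (not Cisco code): model of the PIX interface security-level policy.
# Interface names, security levels, addresses and ACL entries are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"

@dataclass
class Ace:
    """One access-list entry; the list is evaluated top-down, first match wins."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol, else "tcp"/"udp"
    src: str = ANY               # source network (CIDR)
    dst: str = ANY               # destination network (CIDR)
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(dst) not in ip_network(self.dst, strict=False):
            return False
        return self.dport is None or self.dport == dport

@dataclass
class Interface:
    name: str
    security_level: int                        # 0 = outside (least trusted) .. 100 = inside
    access_list: Optional[List[Ace]] = None    # ACL bound inbound on this interface, if any

def decide(src_if: Interface, dst_if: Interface, proto: str, src: str, dst: str,
           dport: Optional[int] = None) -> Tuple[str, str]:
    """Return ("permit"|"deny", reason) for a packet arriving on src_if bound for dst_if."""
    # Rule 3: two interfaces at the same security level never exchange traffic.
    if src_if.security_level == dst_if.security_level:
        return "deny", "same security level: no traffic flows"
    # A bound access-list decides in either direction; unmatched traffic hits the
    # implicit deny at the end of the list, so "restrict" ACLs need a final permit.
    if src_if.access_list is not None:
        for ace in src_if.access_list:
            if ace.matches(proto, src, dst, dport):
                return ace.action, f"matched {ace.action} {ace.proto} {ace.src} {ace.dst}"
        return "deny", "access-list bound: implicit deny at end of list"
    # Rule 1: higher to lower is allowed unless restricted.
    if src_if.security_level > dst_if.security_level:
        return "permit", "higher to lower security level: allowed by default"
    # Rule 2: lower to higher is dropped unless an access-list permits it.
    return "deny", "lower to higher security level: dropped by default"

# Constructed topology: a web server reachable from outside only on TCP/80.
inside = Interface("inside", 100)
dmz = Interface("dmz", 50)
dmz2 = Interface("dmz2", 50)
outside = Interface("outside", 0, access_list=[Ace("permit", "tcp", dst="192.0.2.10/32", dport=80)])
```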

Slide 50: Security Levels (cont.)

Slide 51: Basic Commands
- hostname – assigns a hostname to the PIX.
- interface – configures the type and capability of each perimeter interface.
- nameif – assigns a name to each perimeter interface.
- ip address – assigns an IP address to each interface.
- security-level – assigns the security level for the perimeter interface.
- speed – assigns the connection speed.
- duplex – assigns the duplex setting.

Slide 52: Additional Commands
- nat-control – enables or disables the NAT configuration requirement.
- nat – shields IP addresses on the inside network from the outside network.
- global – creates a pool of one or more IP addresses for use in NAT and PAT.
- route – defines a static or default route for an interface.

Slide 53: Interface Name
Slide 54: Interface Security Level
Slide 55: ASA Management Interface
Slide 56: NAT
Slide 57: nat-control
Slide 58: nat command
Slide 59: global command
Slide 60: route command
Slide 61: Hostname to IP address mapping
Slide 62: Configuration Example
Slide 63: Configuration Example (cont.)
Slide 64: Configuration Example (cont.)
Slide 65: Examining the PIX Security Appliance status
Slide 66: Examining the PIX Security Appliance status (cont.)
Slide 67: Examining the PIX Security Appliance status (cont.)
Slide 68: Examining the PIX Security Appliance status (cont.)
Slide 69: Examining the PIX Security Appliance status – show xlate
Slide 70: Time setting and NTP support – clock command
Slide 71: ntp command
Slide 72: Configure syslog output
Slide 73: Logging options
Slide 74: Logging levels
Slide 75: Configure message output to a syslog server
Slide 76: Customize syslog output
Slide 77: show logging command

Slide 78: Module 3 – Security Devices, 3.5 PIX Security Appliance Translations and Connections
Slide 79: Sessions in a TCP/IP world
Slide 80: TCP Initialization Inside to Outside
Slide 81: TCP Initialization Inside to Outside (cont.)
Slide 82: UDP
Slide 83: NAT
Slide 84: Access through the PIX Security Appliance
Slide 85: Inside Address Translation
Slide 86: Dynamic Inside NAT
Slide 87: Two Interfaces with NAT
Slide 88: Three Interfaces with NAT
Slide 89: PAT
Slide 90: PAT Example
Slide 91: PAT using the outside interface address
Slide 92: Mapping subnets to PAT addresses
Slide 93: Backing up PAT addresses by using multiple PATs
Slide 94: Augmenting a global pool with PAT
Slide 95: NAT/Global vs. Static
Slide 96: Static Translation
Slide 97: Static NAT – www server
Slide 98: Static NAT – ftp server
Slide 99: Net static
Slide 100: Static PAT – Port Redirection
Slide 101: The static PAT command
Slide 102: No translation – the identity nat command
Slide 103: The identity nat – nat 0 command
Slide 104: Translations and Connections
Slide 105: show conn
Slide 106: The show conn detail command
Slide 107: The show local-host command
Slide 108: The show xlate command
Slide 109: The show xlate detail command
Slide 110: Configuring Multiple Interfaces
Slide 111: Configuring 3 Interfaces
Slide 112: Configuring 4 Interfaces

Slide 113: Module 3 – Security Devices, 3.6 Manage a PIX Security Appliance with Adaptive Security Device Manager
Slide 114: Adaptive Security Device Manager (ASDM)
Slide 115: ASDM Features
Slide 116: Security Appliance Requirements
Slide 117: ASDM Compatibility
Slide 118: Workstation Requirements
Slide 119: Running ASDM
Slide 120: Configure the security appliance to use ASDM
Slide 121: Setup Dialog
Slide 122: ASDM Home Window
Slide 123: Startup Wizard
Slide 124: ASDM Configuration Window

Slide 125: Module 3 – Security Devices, 3.7 PIX Security Appliance Routing Capabilities
Slide 126: VLANs
Slide 127: Create Logical and Physical Interfaces
Slide 128: VLAN Names and Security Levels
Slide 129: Assign VLAN IP address
Slide 130: VLAN Example
Slide 131: Maximum interfaces supported – Release 7
Slide 132: Static Routes
Slide 133: Routing with RIP – Learning routes
Slide 134: Routing with OSPF
Slide 135: OSPF Configuration
Slide 136: Enable OSPF Routing
Slide 137: Define OSPF Networks
Slide 138: OSPF two processes
Slide 139: Defining OSPF two processes
Slide 140: Multicast Routing
Slide 141: Outside Multicast Server – Configuring the Outside Interface
Slide 142: Outside Multicast Server – Configuring the Inside Interface
Slide 143: Outside Multicast Server – Inside Receiving Hosts
Slide 144: Configuring Other IGMP Options

Slide 145: Module 3 – Security Devices, 3.8 Firewall Services Module Operation

Slide 146: Firewall Services Module (FWSM)
- Designed for high-end enterprise and service providers
- Runs in Catalyst 6500 switches and 7600 Series routers
- Based on PIX Security Appliance technology; PIX Security Appliance 6.0 feature set (some 6.2)
- 1 million simultaneous connections
- Over 100,000 connections per second
- 5 Gbps throughput; up to 4 can be stacked in a chassis, providing 20 Gbps throughput
- 1 GB DRAM
- Supports 100 VLANs
- Supports failover

Slide 147: FWSM in the Catalyst 6500 Switch (chassis diagram labels)
- Supervisor engine, Redundant supervisor engine, Slots 1-9 (top to bottom), Power supply 1, Power supply 2, ESD ground strap connector, Switch fabric module, 48 Port 10/100 Ethernet, 16 Port GBIC, Fan assembly, FWSM

Slide 148: FWSM in the Cisco 7609 Internet Router (chassis diagram labels)
- Fan assembly, Power supply 1, Power supply 2, Switch fabric module, Supervisor engine, ESD ground strap connection, Slots 1-9 (right to left), FWSM

Slide 149: © 2005, Cisco Systems, Inc. All rights reserved.
