1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.


2 Network Security 1
Module 9 – Configure Filtering on a PIX Security Appliance

3 Learning Objectives
9.1 Configure ACLs and Content Filters
9.2 Object Grouping
9.3 Configure a Security Appliance Modular Policy
9.4 Configure Advanced Protocol Inspection

4 Module 9 – Configure Filtering on a PIX Security Appliance
9.1 Configure ACLs and Content Filters

5 PIX Security Appliance ACLs

6 ACL Usage Guidelines

7 access-list command

8 access-group command

9 Show access-list

10 Clear access-list counters

11 ACL Line Numbers

12 icmp command

13 nat 0 access-list command

14 Turbo ACLs
(Diagram: regular ACL processing walks ACL A entry by entry (Entry 1, Entry 2, Entry 3 ... Entry N); Turbo ACL processing uses the packet header value as an index into a compiled data table of ACL entry bit maps.)
Regular ACL processing:
- ACLs are organized internally as linked lists.
- A linear search finds the matching entry that permits or denies the packet.
- Search time increases when ACL A contains a large number of entries, which leads to performance degradation.
Turbo ACL processing:
- ACLs are compiled into sets of lookup data tables.
- Improved search time for large ACLs.
- Requires a minimum of 2.1 MB of memory.

15 Turbo ACL
pixfirewall(config)# access-list compiled
  Enables the Turbo ACL feature on all ACLs.
pixfirewall(config)# access-list acl_ID compiled
  Enables the Turbo ACL feature for a specific ACL.
Turbo compiles all ACLs with 19 or more entries.

16 Using ACLs – Deny Web Access to the Internet

17 Using ACLs – Inbound HTTP Solution

18 Using ACLs – Partner Web Access to DMZ and DMZ Access to Mail

19 Java Applet Filtering

20 ActiveX Blocking

21 filter activex | java Command
pixfirewall(config)# filter activex | java port [-port] local_ip mask foreign_ip mask
  filter activex: filters out ActiveX usage from outbound packets.
  filter java: filters out Java applets that return to the PIX Security Appliance from an outbound connection.

22 URL Filtering

23 Designate the URL-Filtering Server

24 Configure the PIX Security Appliance to Work with a URL-Filtering Server

25 HTTPS and FTP Filtering

26 URL Filtering Example

27 Module 9 – Configure Filtering on a PIX Security Appliance
9.2 Object Grouping

28 Grouping Objects of Similar Types

29 Using Object Groups in ACLs
A single entry using object groups:
pixfirewall(config)# access-list ACLOUT permit object-group MYPROTOCOLS object-group CLIENTS object-group SERVERS
The equivalent individual entries without object groups:
pixfirewall(config)# access-list ACLOUT permit tcp 10.0.0.0 255.255.255.0 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit icmp 10.0.0.0 255.255.255.0 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit tcp 10.0.0.0 255.255.255.0 host 172.26.26.51
pixfirewall(config)# access-list ACLOUT permit icmp 10.0.0.0 255.255.255.0 host 172.26.26.51
pixfirewall(config)# access-list ACLOUT permit tcp host 10.0.1.11 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit icmp host 10.0.1.11 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit tcp host 10.0.1.11 host 172.26.26.51
pixfirewall(config)# access-list ACLOUT permit icmp host 10.0.1.11 host 172.26.26.51
pixfirewall(config)# access-list ACLOUT permit tcp host 10.0.2.11 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit icmp host 10.0.2.11 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit tcp host 10.0.2.11 host 172.26.26.51
pixfirewall(config)# access-list ACLOUT permit icmp host 10.0.2.11 host 172.26.26.51

30 Using Object Groups in ACLs

31 Configuring and Using Object Groups

32 object-group Command
pixfirewall(config)# object-group network grp_id
  Assigns a name to a Network group and enables the Network subcommand mode.
pixfirewall(config)# object-group service grp_id tcp | udp | tcp-udp
  Assigns a name to a Service group and enables the Service subcommand mode.
pixfirewall(config)# object-group protocol grp_id
  Assigns a name to a Protocol group and enables the Protocol subcommand mode.
pixfirewall(config)# object-group icmp-type grp_id
  Assigns a name to an ICMP-type group and enables the ICMP-type subcommand mode.
Example:
pixfirewall(config)# object-group network CLIENTS
  Assigns the name CLIENTS to a Network group and enables the Network subcommand mode.

33 Configuring Network Object Groups
pixfirewall(config)# object-group network grp_id
  Assigns a name to the group and enables the Network sub-command mode.
pixfirewall(config-network)# network-object host host_addr | host_name
  Assigns hosts to the Network object group.
pixfirewall(config-network)# network-object net_addr netmask
  Assigns networks to the Network object group.
Example: creates a Network object group named CLIENTS which consists of host 10.0.1.11 and network 10.0.0.0.
pixfirewall(config)# object-group network CLIENTS
pixfirewall(config-network)# network-object host 10.0.1.11
pixfirewall(config-network)# network-object 10.0.0.0 255.255.255.0

34 Configuring Service Object Groups
pixfirewall(config)# object-group service grp_id tcp | udp | tcp-udp
  Assigns a name to a Service group and enables the Service sub-command mode.
pixfirewall(config-service)# port-object eq service
  Assigns a single TCP or UDP port number to the Service object group.
pixfirewall(config-service)# port-object range begin_service end_service
  Assigns a range of TCP or UDP port numbers to the Service object group.
Example: creates a Service group named MYSERVICES, which contains HTTP and FTP.
pixfirewall(config)# object-group service MYSERVICES tcp
pixfirewall(config-service)# port-object eq http
pixfirewall(config-service)# port-object eq ftp

35 Configuring Protocol Object Groups
pixfirewall(config)# object-group protocol grp_id
  Assigns a name to a Protocol group and enables the Protocol sub-command mode.
pixfirewall(config-protocol)# protocol-object protocol
  Assigns a protocol to the Protocol object group.
Example: creates a Protocol group named MYPROTOCOLS, which contains ICMP and TCP.
pixfirewall(config)# object-group protocol MYPROTOCOLS
pixfirewall(config-protocol)# protocol-object icmp
pixfirewall(config-protocol)# protocol-object tcp

36 Configuring ICMP-Type Object Groups
pixfirewall(config)# object-group icmp-type grp_id
  Assigns a name to an ICMP-Type group and enables the icmp-type sub-command mode.
pixfirewall(config-icmp-type)# icmp-object icmp-type
  Assigns an ICMP message type to the object group.
Example: creates an ICMP-Type group named PING which contains the echo and echo-reply message types.
pixfirewall(config)# object-group icmp-type PING
pixfirewall(config-icmp-type)# icmp-object echo
pixfirewall(config-icmp-type)# icmp-object echo-reply

37 access-list Command for Object Grouping
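As an added example, not taken from the slides: a small Python script that expands the single object-group entry on slide 29 into the flat entries it replaces, using the groups defined on slides 33 to 36. It assumes CLIENTS also contains host 10.0.2.11 and lists MYPROTOCOLS with tcp first, so that the output matches the twelve lines on slide 29; it also accepts plain host, any, and network-mask address forms.

```python
from itertools import product

# Constructed to match slides 33-36; CLIENTS gets host 10.0.2.11 as on slide 29,
# and MYPROTOCOLS lists tcp first so the output comes out in slide 29's order.
OBJECT_GROUPS = {
    "network": {
        "CLIENTS": ["10.0.0.0 255.255.255.0", "host 10.0.1.11", "host 10.0.2.11"],
        "SERVERS": ["host 172.26.26.50", "host 172.26.26.51"],
    },
    "protocol": {"MYPROTOCOLS": ["tcp", "icmp"]},
}

def _take_protocol(tokens, i, groups):
    """Consume a protocol keyword or 'object-group NAME' at tokens[i]."""
    if tokens[i] == "object-group":
        return groups["protocol"][tokens[i + 1]], i + 2
    return [tokens[i]], i + 1

def _take_address(tokens, i, groups):
    """Consume 'object-group NAME' | 'host ADDR' | 'any' | 'ADDR MASK' at tokens[i]."""
    if tokens[i] == "object-group":
        return groups["network"][tokens[i + 1]], i + 2
    if tokens[i] == "host":
        return [f"host {tokens[i + 1]}"], i + 2
    if tokens[i] == "any":
        return ["any"], i + 1
    return [f"{tokens[i]} {tokens[i + 1]}"], i + 2

def expand_ace(ace, groups=OBJECT_GROUPS):
    """Flat access-list lines equivalent to one ACE that references object groups.
    Members combine as a cartesian product: groups of sizes p, s, d give p*s*d lines."""
    tokens = ace.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a PIX ACE: {ace}")
    acl_id, action = tokens[1], tokens[2]
    protocols, i = _take_protocol(tokens, 3, groups)
    sources, i = _take_address(tokens, i, groups)
    destinations, i = _take_address(tokens, i, groups)
    if i != len(tokens):
        raise ValueError(f"unhandled trailing tokens: {tokens[i:]}")
    # Source outermost, protocol innermost: the order slide 29 lists the entries in.
    return [f"access-list {acl_id} {action} {proto} {src} {dst}"
            for src, dst, proto in product(sources, destinations, protocols)]

if __name__ == "__main__":
    for line in expand_ace("access-list ACLOUT permit object-group MYPROTOCOLS "
                           "object-group CLIENTS object-group SERVERS"):
        print(line)
```

Running it prints the twelve entries from slide 29, which shows why the object-group form is easier to audit: three clients, two servers and two protocols give 3 * 2 * 2 = 12 lines that are otherwise easy to get out of step.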

38 Nested Object Groups

39 Configuring Nested Object Groups

40 Nested Object Group Example

41 group-object Command

42 Nested Object Group Example

43 Apply Nested Object Group to ACL

44 Multiple Object Groups in ACLs

45 Displaying Configured Object Groups

46 Removing Configured Object Groups

47 Module 9 – Configure Filtering on a PIX Security Appliance
9.3 Configure a Security Appliance Modular Policy

48 Modular Policy Overview

49 Modular Policy

50 Assign a Class Map Name

51 Class Map – Define a Class of Traffic

52 Define a Class Match Criteria

53 Show run class-map

54 Policy Map Overview

55 Assign a Policy Map Name

56 Define a Policy Map for the Class

57 Show run policy-map

58 Service Policy

59 Show service-policy

60 Module 9 – Configure Filtering on a PIX Security Appliance
9.4 Configure Advanced Protocol Inspection

61 Need for Advanced Protocol Handling

62 inspect Command

63 Default Traffic Inspection

64 Default Protocol Inspection Policy

65 Delete Inspection for a Protocol

66 Add a Protocol Inspection Port Number

67 FTP Inspection

68 Active Mode FTP Inspection

69 Passive Mode FTP Inspection

70 FTP Deep Packet Inspection – Command Filtering

71 FTP Deep Packet Inspection Configuration

72 FTP Map – Deny Request

73 FTP Inspection Example

74 HTTP Inspection

75 HTTP Inspection

76 Enhanced HTTP Inspection

77 HTTP Map – RFC and Extension Methods

78 HTTP Map – Message Content Criteria

79 Enhanced HTTP Configuration

80 Apply HTTP Inspection Example

81 Application Inspection – Remote Shell

82 Application Inspection – SQL*Net

83 Application Inspection – ESMTP

84 ICMP Inspection

85 SNMP Inspection

86 DNS Inspection

87 DNS Record Translation

88 Why Multimedia Is an Issue
Multimedia applications behave in unique ways:
- They use dynamic ports.
- They transmit a request using TCP and get responses in UDP or TCP.
- They use the same port for source and destination.
The PIX Security Appliance:
- Dynamically opens and closes conduits for secure multimedia connections.
- Supports multimedia with or without NAT.

89 Real-Time Streaming Protocol

90 Standard RTP Mode

91 RealNetworks’ RDT Mode

92 H.323 Inspection

93 SIP Inspection

94 SCCP Inspection

95 CTIQBE Inspection

96 MGCP Inspection

97 MGCP Inspection Configuration

98 Cisco IP Phones and the PIX Security Appliance’s DHCP Server
Cisco IP phones:
- Download their configurations from a TFTP server.
- Request an IP address and the IP address of a TFTP server from a DHCP server.
The PIX Security Appliance:
- Supports DHCP option 150 for providing the IP addresses of a list of TFTP servers.
- Supports DHCP option 66 for providing the IP address of a single TFTP server.

