Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
- By Omar Santos, Jazib Frahim
- Published Oct 14, 2005 by Cisco Press. Part of the Networking Technology series.
Book
- Sorry, this book is no longer in print.
- Copyright 2006
- Edition: 1st
- Book
- ISBN-10: 1-58705-209-1
- ISBN-13: 978-1-58705-209-5
Identify, mitigate, and respond to network attacks
- Understand the evolution of security technologies that make up the unified ASA device and how to install the ASA hardware
- Examine firewall solutions including network access control, IP routing, AAA, application inspection, virtual firewalls, transparent (Layer 2) firewalls, failover and redundancy, and QoS
- Evaluate Intrusion Prevention System (IPS) solutions including IPS integration and Adaptive Inspection and Prevention Security Services Module (AIP-SSM) configuration
- Deploy VPN solutions including site-to-site IPsec VPNs, remote- access VPNs, and Public Key Infrastructure (PKI)
- Learn to manage firewall, IPS, and VPN solutions with Adaptive Security Device Manager (ASDM)
Achieving maximum network security is a challenge for most organizations. Cisco® ASA, a new unified security device that combines firewall, network antivirus, intrusion prevention, and virtual private network (VPN) capabilities, provides proactive threat defense that stops attacks before they spread through the network.
This new family of adaptive security appliances also controls network activity and application traffic and delivers flexible VPN connectivity. The result is a powerful multifunction network security device that provides the security breadth and depth for protecting your entire network, while reducing the high deployment and operations costs and complexities associated with managing multiple point products.
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance is a practitioner’s guide to planning, deploying, and troubleshooting a comprehensive security plan with Cisco ASA. The book provides valuable insight and deployment examples and demonstrates how adaptive identification and mitigation services on Cisco ASA provide a sophisticated security solution for both large and small network environments.
The book contains many useful sample configurations, proven design scenarios, and discussions of debugs that help you understand how to get the most out of Cisco ASA in your own network.
“I have found this book really highlights the practical aspects needed for building real-world security. It offers the insider’s guidance needed to plan, implement, configure, and troubleshoot the Cisco ASA in customer environments and demonstrates the potential and power of Self-Defending Networks.”
–Jayshree Ullal, Sr. Vice President, Security Technologies Group, Cisco Systems®
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Online Sample Chapter
Downloadable Sample Chapter
Download - 184 KB -- Chapter 9: Security Contexts
Table of Contents
Foreword
Introduction
Part I Product Overview
Chapter 1 Introduction to Network Security
Firewall Technologies
Network Firewalls
Packet-Filtering Techniques
Application Proxies
Network Address Translation
Port Address Translation
Static Translation
Stateful Inspection Firewalls
Personal Firewalls
Intrusion Detection and Prevention Technologies
Network-Based Intrusion Detection and Prevention Systems
Pattern Matching and Stateful Pattern-Matching Recognition
Protocol Analysis
Heuristic-Based Analysis
Anomaly-Based Analysis
Host-Based Intrusion Detection Systems
Network-Based Attacks
DoS Attacks
TCP SYN Flood Attacks
land.c Attacks
Smurf Attacks
DDoS Attacks
Session Hijacking
Virtual Private Networks
Understanding IPSec
Internet Key Exchange
IKE Phase 1
IKE Phase 2
IPSec Protocols
Authentication Header
Encapsulation Security Payload
IPSec Modes
Transport Mode
Tunnel Mode
Summary
Chapter 2 Product History
Cisco Firewall Products
Cisco PIX Firewalls
Cisco FWSM
Cisco IOS Firewall
Cisco IDS Products
Cisco VPN Products
Cisco ASA All-in-One Solution
Firewall Services
IPS Services
VPN Services
Summary
Chapter 3 Hardware Overview
Cisco ASA 5510 Model
Cisco ASA 5520 Model
Cisco ASA 5540 Model
AIP-SSM Modules
Summary
Part II Firewall Solution
Chapter 4 Initial Setup and System Maintenance
Accessing the Cisco ASA Appliances
Establishing a Console Connection
Command-Line Interface
Managing Licenses
Initial Setup
Setting Up the Device Name
Configuring an Interface
Configuring a Subinterface
Configuring a Management Interface
DHCP Services
IP Version 6
IPv6 Header
Configuring IPv6
IP Address Assignment
Setting Up the System Clock
Manual Clock Adjustment Using clock set
Automatic Clock Adjustment Using the Network Time Protocol
Time Zones and Daylight Savings Time
Configuration Management
Running Configuration
Startup Configuration
Removing the Device Configuration
Remote System Management
Telnet
Secure Shell
System Maintenance
Software Installation
Image Upgrade via the Cisco ASA CLI
Image Recovery Using ROMMON
Password Recovery Process
Disabling the Password Recovery Process
System Monitoring
System Logging
Enabling Logging
Logging Types
Additional Syslog Parameters
Simple Network Management Protocol
Configuring SNMP
SNMP Monitoring
CPU and Memory Monitoring
Summary
Chapter 5 Network Access Control
Packet Filtering
Types of ACLs
Standard ACLs
Extended ACLs
IPv6 ACLs
EtherType ACLs
WebVPN ACLs
Comparing ACL Features
Configuring Packet Filtering
Step 1: Set Up an ACL
Step 2: Apply an ACL to an Interface
Step 3: Set Up an IPv6 ACL (Optional)
Advanced ACL Features
Object Grouping
Object Types
Object Grouping and ACLs
Standard ACLs
Time-Based ACLs
Absolute
Periodic
Downloadable ACLs
ICMP Filtering
Content and URL Filtering
Content Filtering
ActiveX Filtering
Java Filtering
Configuring Content Filtering
URL Filtering
Configuring URL Filtering
Deployment Scenarios Using ACLs
Using ACLs to Filter Inbound and Outbound Traffic
Enabling Content Filtering Using Websense
Monitoring Network Access Control
Monitoring ACLs
Monitoring Content Filtering
Understanding Address Translation
Network Address Translation
Port Address Translation
Packet Flow Sequence
Configuring Address Translation
Static NAT
Dynamic Network Address Translation
Static Port Address Translation
Dynamic Port Address Translation
Policy NAT/PAT
Bypassing Address Translation
Identity NAT
NAT Exemption
NAT Order of Operation
Integrating ACLs and NAT
DNS Doctoring
Monitoring Address Translations
Summary
Chapter 6 IP Routing
Configuring Static Routes
RIP
Configuring RIP
Verifying the Configuration
Troubleshooting RIP
Scenario 1: RIP Version Mismatch
Scenario 2: RIP Authentication Mismatch
Scenario 3: Multicast or Broadcast Packets Blocked
Scenario 4: Correct Configuration and Behavior
OSPF
Configuring OSPF
Enabling OSPF
Virtual Links
Configuring OSPF Authentication
Configuring the Cisco ASA as an ASBR
Stub Areas and NSSAs
ABR Type 3 LSA Filtering
OSPF neighbor Command and Dynamic Routing over VPN
Troubleshooting OSPF
Useful Troubleshooting Commands
Mismatched Areas
OSPF Authentication Mismatch
Troubleshooting Virtual Link Problems
IP Multicast
IGMP
IP Multicast Routing
Configuring Multicast Routing
Enabling Multicast Routing
Statically Assigning an IGMP Group
Limiting IGMP States
IGMP Query Timeout
Defining the IGMP Version
Configuring Rendezvous Points
Configuring Threshold for SPT Switchover
Filtering RP Register Messages
PIM Designated Router Priority
PIM Hello Message Interval
Configuring a Static Multicast Route
Troubleshooting IP Multicast Routing
show Commands
debug Commands
Deployment Scenarios
Deploying OSPF
Deploying IP Multicast
Summary
Chapter 7 Authentication, Authorization, and Accounting (AAA)
AAA Protocols and Services Supported by Cisco ASA
RADIUS
TACACS+
RSA SecurID
Microsoft Windows NT
Active Directory and Kerberos
Lightweight Directory Access Protocol
Defining an Authentication Server
Configuring Authentication of Administrative Sessions
Authenticating Telnet Connections
Authenticating SSH Connections
Authenticating Serial Console Connections
Authenticating Cisco ASDM Connections
Authenticating Firewall Sessions (Cut-Through Proxy Feature)
Authentication Timeouts
Customizing Authentication Prompts
Configuring Authorization
Command Authorization
Configuring Downloadable ACLs
Configuring Accounting
RADIUS Accounting
TACACS+ Accounting
Deployment Scenarios
Deploying Authentication, Command Authorization, and Accounting for Administrative Sessions
Deploying Cut-Through Proxy Authentication
Troubleshooting AAA
Troubleshooting Administrative Connections to Cisco ASA
Troubleshooting Firewall Sessions (Cut-Through Proxy)
Summary
Chapter 8 Application Inspection
Enabling Application Inspection Using the Modular Policy Framework
Selective Inspection
Computer Telephony Interface Quick Buffer Encoding Inspection
Domain Name System
Extended Simple Mail Transfer Protocol
File Transfer Protocol
General Packet Radio Service Tunneling Protocol
GTPv0
GTPv1
Configuring GTP Inspection
H.323
H.323 Protocol Suite
H.323 Version Compatibility
Enabling H.323 Inspection
Direct Call Signaling and Gatekeeper Routed Control Signaling
T.38
HTTP
Enabling HTTP Inspection
strict-http
content-length
content-type-verification
max-header-length
max-uri-length
port-misuse
request-method
transfer-encoding type
ICMP
ILS
MGCP
NetBIOS
PPTP
Sun RPC
RSH
RTSP
SIP
Skinny
SNMP
SQL*Net
TFTP
XDMCP
Deployment Scenarios
ESMTP
HTTP
FTP
Summary
Chapter 9 Security Contexts
Architectural Overview
System Execution Space
Admin Context
Customer Context
Packet Flow in Multiple Mode
Packet Classification
Packet Forwarding Between Contexts
Configuration of Security Contexts
Step 1: Enabling Multiple Security Contexts Globally
Step 2: Setting Up the System Execution Space
Step 3: Specifying a Configuration URL
Step 4: Allocating the Interfaces
Step 5: Configuring an Admin Context
Step 6: Configuring a Customer Context
Step 7: Managing the Security Contexts (Optional)
Deployment Scenarios
Virtual Firewall Using Two Customer Contexts
Virtual Firewall Using a Shared Interface
Monitoring and Troubleshooting the Security Contexts
Monitoring
Troubleshooting
Summary
Chapter 10 Transparent Firewalls
Architectural Overview
Single-Mode Transparent Firewall
Packet Flow in an SMTF
Multimode Transparent Firewall
Packet Flow in an MMTF
Transparent Firewalls and VPNs
Configuration of Transparent Firewall
Configuration Guidelines
Configuration Steps
Step 1: Enabling Transparent Firewalls
Step 2: Setting Up Interfaces
Step 3: Configuring an IP Address
Step 4: Configuring Interface ACLs
Step 5: Adding Static L2F Table Entries (Optional)
Step 6: Enabling ARP Inspection (Optional)
Step 7: Modifying L2F Table Parameters (optional)
Deployment Scenarios
SMTF Deployment
MMTF Deployment with Security Contexts
Monitoring and Troubleshooting the Transparent Firewall
Monitoring
Troubleshooting
Summary
Chapter 11 Failover and Redundancy
Architectural Overview
Conditions that Trigger Failover
Failover Interface Tests
Stateful Failover
Hardware and Software Requirements
Types of Failover
Active/Standby Failover
Active/Active Failover
Asymmetric Routing
Failover Configuration
Active/Standby Failover Configuration
Step 1: Select the Failover Link
Step 2: Assign Failover IP Addresses
Step 3: Set the Failover Key (Optional)
Step 4: Designating the Primary Cisco ASA
Step 5: Enable Stateful Failover (Optional)
Step 6: Enable Failover Globally
Step 7: Configure Failover on the Secondary Cisco ASA
Active/Active Failover Configuration
Step 1: Select the Failover Link
Step 2: Assign Failover Interface IP Addresses
Step 3: Set Failover Key
Step 4: Designate the Primary Cisco ASA
Step 5: Enable Stateful Failover
Step 6: Set Up Failover Groups
Step 7: Assign Failover Group Membership
Step 8: Assign Interface IP Addresses
Step 9: Set Up Asymmetric Routing (Optional)
Step 10: Enable Failover Globally
Step 11: Configure Failover on the Secondary Cisco ASA
Optional Failover Commands
Specifying Failover MAC Addresses
Configuring Interface Policy
Managing Failover Timers
Monitoring Failover Interfaces
Zero-Downtime Software Upgrade
Deployment Scenarios
Active/Standby Failover in Single Mode
Active/Active Failover in Multiple Security Contexts
Monitoring and Troubleshooting Failovers
Monitoring
Troubleshooting
Summary
Chapter 12 Quality of Service
Architectural Overview
Traffic Policing
Traffic Prioritization
Packet Flow Sequence
Packet Classification
IP Precedence Field
IP DSCP Field
IP Access Control List
IP Flow
VPN Tunnel Group
QoS and VPN Tunnels
Configuring Quality of Service
Step 1: Set Up a Class Map
Step 2: Configure a Policy Map
Step 3: Apply the Policy Map on the Interface
Step 4: Tune the Priority Queue (Optional)
QoS Deployment Scenarios
QoS for VoIP Traffic
QoS for the Remote-Access VPN Tunnels
Monitoring QoS
Summary
Part III Intrusion Prevention System (IPS) Solution
Chapter 13 Intrusion Prevention System Integration
Adaptive Inspection Prevention Security Services Module Overview (AIP-SSM)
AIP-SSM Management
Inline Versus Promiscuous Mode
Directing Traffic to the AIP-SSM
AIP-SSM Module Software Recovery
Additional IPS Features
IP Audit
Shunning
Summary
Chapter 14 Configuring and Troubleshooting Cisco IPS Software via CLI
Cisco IPS Software Architecture
MainApp
SensorApp
Network Access Controller
AuthenticationApp
cipsWebserver
LogApp
EventStore
TransactionSource
Introduction to the CIPS 5.x Command-Line Interface
Logging In to the AIP-SSM via the CLI
CLI Command Modes
Initializing the AIP-SSM
User Administration
User Account Roles and Levels
Administrator Account
Operator Account
Viewer Account
Service Account
Adding and Deleting Users by Using the CLI
Creating Users
Deleting Users
Changing Passwords
AIP-SSM Maintenance
Adding Trusted Hosts
SSH Known Host List
TLS Known Host List
Upgrading the CIPS Software and Signatures via the CLI
One-Time Upgrades
Scheduled Upgrades
Displaying Software Version and Configuration Information
Backing Up Your Configuration
Displaying and Clearing Events
Displaying and Clearing Statistics
Advanced Features and Configuration
IPS Tuning
Disabling and Retiring IPS Signatures
Custom Signatures
IP Logging
Automatic Logging
Manual Logging of Specific Host Traffic
Configuring Blocking (Shunning)
Summary
Part IV Virtual Private Network (VPN) Solution
Chapter 15 Site-to-Site IPSec VPNs
Preconfiguration Checklist
Configuration Steps
Step 1: Enable ISAKMP
Step 2: Create the ISAKMP Policy
Step 3: Set the Tunnel Type
Step 4: Configure ISAKMP Preshared Keys
Step 5: Define the IPSec Policy
Step 6: Specify Interesting Traffic
Step 7: Configure a Crypto Map
Step 8: Apply the Crypto Map to an Interface
Step 9: Configuring Traffic Filtering
Step 10: Bypassing NAT (Optional)
Advanced Features
OSPF Updates over IPSec
Reverse Route Injection
NAT Traversal
Tunnel Default Gateway
Optional Commands
Perfect Forward Secrecy
Security Association Lifetimes
Phase 1 Mode
Connection Type
Inheritance
ISAKMP Keepalives
Deployment Scenarios
Single Site-to-Site Tunnel Configuration Using NAT-T
Fully Meshed Topology with RRI
Monitoring and Troubleshooting Site-to-Site IPSec VPNs
Monitoring Site-to-Site VPNs
Troubleshooting Site-to-Site VPNs
ISAKMP Proposal Unacceptable
Mismatched Preshared keys
Incompatible IPSec Transform Set
Mismatched Proxy Identities
Summary
Chapter 16 Remote Access VPN
Cisco IPSec Remote Access VPN Solution
Configuration Steps
Step 1: Enable ISAKMP
Step 2: Create the ISAKMP Policy
Step 3: Configure Remote-Access Attributes
Step 4: Define the Tunnel Type
Step 5: Configure ISAKMP Preshared Keys
Step 6: Configure User Authentication
Step 7: Assign an IP Address
Step 8: Define the IPSec Policy
Step 9: Set Up a Dynamic Crypto Map
Step 10: Configure the Crypto Map
Step 11: Apply the Crypto Map to an Interface
Step 12: Configure Traffic Filtering
Step 13: Set Up a Tunnel Default Gateway (Optional)
Step 14: Bypass NAT (Optional)
Step 15: Set Up Split Tunneling (Optional)
Cisco VPN Client Configuration
Software-Based VPN Clients
Hardware-Based VPN Clients
Advanced Cisco IPSec VPN Features
Transparent Tunneling
NAT Traversal
IPSec over TCP
IPSec over UDP
IPSec Hairpinning
VPN Load-Balancing
Client Auto-Update
Client Firewalling
Personal Firewall Check
Central Protection Policy
Hardware based Easy VPN Client Features
Interactive Hardware Client Authentication
Individual User Authentication
Cisco IP Phone Bypass
Leap Bypass
Hardware Client Network Extension Mode
Deployment Scenarios of Cisco IPSec VPN
IPSec Hairpinning with Easy VPN and Firewalling
Load-Balancing and Site-to-Site Integration
Monitoring and Troubleshooting Cisco Remote Access VPN
Monitoring Cisco Remote Access IPSec VPNs
Troubleshooting Cisco IPSec VPN Clients
Cisco WebVPN Solution
Configuration Steps
Step 1: Enable the HTTP Service
Step 2: Enable WebVPN on the Interface
Step 3: Configure WebVPN Look and Feel
Step 4: Configure WebVPN Group Attributes
Step 5: Configure User Authentication
Advanced WebVPN Features
Port Forwarding
Configuring URL Mangling
E-Mail Proxy
Authentication Methods for E-Mail Proxy
Identifying E-Mail Servers for E-Mail Proxies
Delimiters
Windows File Sharing
WebVPN Access Lists
Deployment Scenarios of WebVPN
WebVPN with External Authentication
WebVPN with E-Mail Proxies
Monitoring and Troubleshooting WebVPN
Monitoring WebVPN
Troubleshooting WebVPN
SSL Negotiations
WebVPN Data Capture
E-Mail Proxy Issues
Summary
Chapter 17 Public Key Infrastructure (PKI)
Introduction to PKI
Certificates
Certificate Authority
Certificate Revocation List
Simple Certificate Enrollment Protocol
Enrolling the Cisco ASA to a CA Using SCEP
Generating the RSA Key Pair
Configuring a Trustpoint
Manual (Cut-and-Paste) Enrollment
Configuration for Manual Enrollment
Obtaining the CA Certificate
Generating the ID Certificate Request and Importing the ID Certificate
Configuring CRL Options
Configuring IPSec Site-to-Site Tunnels Using Certificates
Configuring the Cisco ASA to Accept Remote-Access VPN Clients Using Certificates
Enrolling the Cisco VPN Client
Configuring the Cisco ASA
Troubleshooting PKI
Time and Date Mismatch
SCEP Enrollment Problems
CRL Retrieval Problems
Summary
Part V Adaptive Security Device‡Manager
Chapter 18 Introduction to ASDM
Setting Up ASDM
Uploading ASDM
Setting Up Cisco ASA
Accessing ASDM
Initial Setup
Startup Wizard
Functional Screens
Configuration Screen
Monitoring Screen
Interface Management
System Clock
Configuration Management
Remote System Management
Telnet
SSH
SSL (ASDM)
System Maintenance
Software Installation
File Management
System Monitoring
System Logging
SNMP
Summary
Chapter 19 Firewall Management Using ASDM
Access Control Lists
Address Translation
Routing Protocols
RIP
OSPF
Multicast
AAA
Application Inspection
Security Contexts
Transparent Firewalls
Failover
QoS
Summary
Chapter 20 IPS Management Using ASDM
Accessing the IPS Device Management Console from ASDM
Configuring Basic AIP-SSM Settings
Licensing
Verifying Network Settings
Adding Allowed Hosts
Configuring NTP
Adding Users
Advanced IPS Configuration and Monitoring Using ASDM
Disabling and Enabling Signatures
Configuring Blocking
Creating Custom Signatures
Creating Event Action Filters
Installing Signature Updates and Software Service Packs
Configuring Auto-Update
Summary
Chapter 21 VPN Management Using ASDM
Site-to-Site VPN Setup Using Preshared Keys
Site-to-Site VPN Setup Using PKI
Cisco Remote-Access IPSec VPN Setup
WebVPN
VPN Monitoring
Summary
Chapter 22 Case Studies
Case Study 1: Deploying the Cisco ASA at Branch Offices and Small Businesses
Branch Offices
Small Business Partners
Case Study 2: Large Enterprise Firewall, VPN, and IPS Deployment
Internet Edge and DMZ
Filtering Websites
Remote Access VPN Cluster
Application Inspection
IPS
Case Study 3: Data Center Security with Cisco ASA
Summary
Index
Foreword
Download - 13 KB -- Foreword from Jayshree Ullal, Senior Vice President, Security Technology Group, Cisco Systems, Inc.
Index
Download - 115 KB -- Index
Other Things You Might Like
- Securing Enterprise Networks with Cisco Meraki
- eBook (Watermarked) $55.99
- Securing Enterprise Networks with Cisco Meraki
- Book $55.99