© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management.

Lesson 8.3 Configure Transparent Firewall Mode

© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—16-3

Transparent Firewall Mode Overview

Transparent vs. Routed Firewall
The security appliance can run in two firewall settings:
 Routed: based on IP address
 Transparent: based on MAC address
(Figure: transparent mode versus routed mode, each shown between two VLANs.)

Transparent Firewall Benefits
Easily integrated and maintained in the existing network:
 IP readdressing not necessary
 No NAT to configure
 No IP routing to troubleshoot
(Figure: the appliance in transparent mode acting as a Layer 2 device between two VLANs.)

Transparent Firewall Guidelines
 Layer 3 traffic must be explicitly permitted.
 Each directly connected network must be on the same subnet.
 A management IP address is required for each context, even if you do not intend to use Telnet to the context.
 The management IP address must be on the same subnet as the connected network.
 Do not specify the security appliance management IP address as the default gateway for connected devices.
–Devices need to specify the router on the other side of the security appliance as the default gateway.
 Each interface must be a different VLAN interface.
(Figure: transparent mode between two VLANs, showing the management IP address and each host's IP address and gateway toward the Internet router.)

Transparent Firewall Unsupported Features
The following features are not supported in transparent firewall mode:
 NAT
 Dynamic routing protocols
 IPv6
 DHCP relay
 QoS
 Multicast
 VPN termination for through traffic
(Figure: transparent mode between two VLANs.)

Enabling Transparent Firewall Mode

Viewing the Current Firewall Mode
    ciscoasa# show firewall
 Shows the current firewall mode
Example:
    asa1# show firewall
    Firewall mode: Transparent
(Figure: transparent mode versus routed mode; which one is the appliance running?)

Enabling Transparent Firewall Mode vs. Routed Mode
    ciscoasa(config)# firewall transparent
 Changes the mode to transparent
 Requires use of the no firewall transparent command to return to routed mode
Example:
    asa1(config)# firewall transparent
    Switched to transparent mode
(Figure: transparent mode versus routed mode.)

Assigning the Management IP Address
    ciscoasa(config)# ip address ip_address [mask] [standby ip_address]
 Sets the IP address for an interface (in routed mode) or for the management address (transparent mode).
 For routed mode, enter this command in interface configuration mode.
 In transparent mode, enter this command in global configuration mode.
Example:
    asa1(config)# ip address
    asa1(config)# show ip address
    Management System IP Address: ip address
    Management Current IP Address: ip address

Configure ACLs
 Determines which traffic should be allowed through the firewall
    ciscoasa(config)# access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id} {host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id] {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id | object-group icmp_type_obj_group_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]
Example:
    asa1(config)# access-list ACLIN permit icmp
    asa1(config)# access-group ACLIN in interface inside
    asa1(config)# access-group ACLIN in interface outside
Security levels are supported in transparent mode; therefore, traffic from a higher security level interface to a lower security level interface will pass without an ACL, just as it does in routed mode.
(Figure: the ACL applied on both the inside and outside interfaces of the transparent firewall, toward the Internet.)

Ethertype ACLs
Treatment of non-IP packets:
 The transparent firewall introduces a new type of ACL: the Ethertype ACL.
 With Ethertype ACLs, an administrator can allow specific non-IP packets through the firewall.
    ciscoasa(config)# access-list id ethertype {deny | permit} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}
Example:
    asa1(config)# access-list ETHER ethertype permit ipx
    asa1(config)# access-group ETHER in interface inside
    asa1(config)# access-group ETHER in interface outside
(Figure: IPX traffic crossing the transparent firewall between two VLANs.)

ARP Inspection
 ARP inspection checks all ARP packets against static ARP entries and blocks mismatched packets.
 This feature prevents ARP spoofing.
    ciscoasa(config)# arp-inspection interface_name enable [flood | no-flood]
Example:
    asa1(config)# arp-inspection outside enable
    arp inspection enabled on outside
 A static ARP entry maps a MAC address to an IP address and identifies the interface through which the host is reached.
    ciscoasa(config)# arp interface_name ip_address mac_address [alias]
Example:
    asa1(config)# arp outside cbe.2100
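The three preceding slides (extended ACLs with the security-level fallback, Ethertype ACLs for non-IP frames, and ARP inspection against static ARP entries) together describe the admission checks a transparent-mode appliance applies to each arriving frame. The Python model below is an added example, not code from the original slides or from Cisco: interface names, IP addresses and MAC addresses are constructed, the ACL entries mirror the ACLIN and ETHER examples on the slides, and the flood / no-flood handling of ARP packets with no static entry follows the arp-inspection syntax shown above.

```python
"""Model of the admission checks a transparent-mode security appliance applies
to an arriving frame: ARP inspection, Ethertype ACLs for non-IP frames, and
extended ACLs (with the security-level fallback) for IP frames.
Added teaching example; all names, addresses and MACs are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPX = 0x8137   # what "access-list ... ethertype permit ipx" matches


@dataclass
class Frame:
    ingress: str                 # interface the frame arrived on
    ethertype: int
    protocol: str = ""           # "icmp", "tcp", ... for IP frames
    src_ip: str = ""
    dst_ip: str = ""
    arp_sender_ip: str = ""      # filled in for ARP frames only
    arp_sender_mac: str = ""


@dataclass
class TransparentPolicy:
    security_level: Dict[str, int]
    # Inbound ACL per interface as (action, protocol, src, dst). An interface with
    # no ACL bound falls back on the security-level rule (high -> low passes).
    ip_acl: Dict[str, List[Tuple[str, str, str, str]]] = field(default_factory=dict)
    # Ethertype ACL per interface as (action, ethertype-number or "any")
    ether_acl: Dict[str, List[Tuple[str, object]]] = field(default_factory=dict)
    static_arp: Dict[str, Dict[str, str]] = field(default_factory=dict)   # iface -> {ip: mac}
    arp_inspection: Dict[str, str] = field(default_factory=dict)          # iface -> "flood" | "no-flood"


def inspect_arp(policy: TransparentPolicy, frame: Frame) -> str:
    mode = policy.arp_inspection.get(frame.ingress)
    if mode is None:
        return "permit"                     # inspection not enabled on this interface
    table = policy.static_arp.get(frame.ingress, {})
    mac_for_ip = table.get(frame.arp_sender_ip)
    mac_known = frame.arp_sender_mac in table.values()
    if mac_for_ip is None and not mac_known:
        # No static entry at all: forward out all interfaces (flood) or drop (no-flood)
        return "flood" if mode == "flood" else "deny"
    # The IP or the MAC is in the static table: the pair must match exactly,
    # otherwise the packet is treated as spoofed and dropped
    return "permit" if mac_for_ip == frame.arp_sender_mac else "deny"


def match_ether_acl(acl: List[Tuple[str, object]], ethertype: int) -> str:
    for action, match in acl:
        if match == "any" or match == ethertype:
            return action
    return "deny"                            # implicit deny at the end of every ACL


def match_ip_acl(acl: List[Tuple[str, str, str, str]], frame: Frame) -> str:
    for action, proto, src, dst in acl:
        if proto in ("ip", frame.protocol) and src in ("any", frame.src_ip) and dst in ("any", frame.dst_ip):
            return action
    return "deny"


def decide(policy: TransparentPolicy, frame: Frame, egress: str) -> str:
    """Return 'permit', 'deny' or 'flood' for a frame going from frame.ingress to egress."""
    if frame.ethertype == ETHERTYPE_ARP:
        return inspect_arp(policy, frame)
    if frame.ethertype != ETHERTYPE_IPV4:
        # Non-IP Layer 2 traffic is dropped unless an Ethertype ACL permits it
        return match_ether_acl(policy.ether_acl.get(frame.ingress, []), frame.ethertype)
    acl = policy.ip_acl.get(frame.ingress)
    if acl is not None:
        return match_ip_acl(acl, frame)      # an applied ACL ends with an implicit deny
    return "permit" if policy.security_level[frame.ingress] > policy.security_level[egress] else "deny"


def sample_policy() -> TransparentPolicy:
    """Constructed policy mirroring the slides: ACLIN permits ICMP on both interfaces,
    ETHER permits IPX, and ARP inspection is enabled on outside with one static entry."""
    return TransparentPolicy(
        security_level={"inside": 100, "outside": 0},
        ip_acl={"inside": [("permit", "icmp", "any", "any")],
                "outside": [("permit", "icmp", "any", "any")]},
        ether_acl={"inside": [("permit", ETHERTYPE_IPX)],
                   "outside": [("permit", ETHERTYPE_IPX)]},
        static_arp={"outside": {"192.0.2.1": "0200.0000.2100"}},   # constructed router entry
        arp_inspection={"outside": "no-flood"},
    )


if __name__ == "__main__":
    p = sample_policy()
    print(decide(p, Frame("inside", ETHERTYPE_IPV4, "icmp", "192.0.2.10", "192.0.2.1"), "outside"))
    print(decide(p, Frame("outside", ETHERTYPE_ARP, arp_sender_ip="192.0.2.1",
                          arp_sender_mac="0200.0000.beef"), "inside"))
```

Two points the model makes visible: once an ACL is bound to an interface, traffic that matches no entry is denied even from a higher security level, so a TCP flow from inside is dropped under ACLIN; and with no-flood, an ARP packet from an address with no static entry is dropped rather than forwarded, which is the stricter setting for a segment whose hosts are all known.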

Monitoring and Maintaining Transparent Firewall Mode

MAC Address Table
The MAC address table is used to find the outgoing interface based on the destination MAC address.
 Built dynamically; contents learned from source MAC addresses
 No flooding if MAC address not found
(Figure: two VLANs bridged by the appliance, with a MAC address table excerpt. Columns: Interface, MAC Address, Type, Time Left. Rows: outside cbe.2100 dynamic 10; inside cbe.6101 dynamic.)

Disabling MAC Address Learning
    ciscoasa(config)# mac-learn interface_name disable
 Disables MAC address learning for an interface (To re-enable MAC address learning, use the no form of this command. By default, each interface automatically learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table.)
Example:
    asa1(config)# mac-learn outside disable
    Disabling learning on outside
(Figure: two VLANs bridged by the appliance, with a MAC address table excerpt. Columns: Interface, MAC Address, Type, Time Left. Rows: outside cbe.2100 dynamic 10; inside cbe.6101 dynamic.)

Adding a Static MAC Address
    ciscoasa(config)# mac-address-table static interface_name mac_address
 Adds a static entry to the MAC address table
 Guards against MAC spoofing (Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface.)
Example:
    asa1(config)# mac-address-table static inside cbe.6101
    Added to the bridge table
(Figure: two VLANs bridged by the appliance, with a MAC address table excerpt. Columns: Interface, MAC Address, Type, Time Left. Rows: outside cbe.2100 static -; inside cbe.6101 static -.)

Viewing the MAC Address Table
    ciscoasa# show mac-address-table [interface_name | count | static]
 Displays the MAC address table
Example:
    asa1# show mac-address-table
    interface   mac address       type      Age(min)
    inside      cbe.6101          static
    inside      0008.e3bc.5ee0    dynamic   5
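The four MAC address table slides above describe dynamic learning from source MACs, mac-learn disable, static entries as a guard against MAC spoofing, lookups with no flooding of unknown destinations, and the Age / Time Left column. The bridge-table model below is an added example, not code from the original slides or from Cisco: interface names and MAC addresses are constructed, and the 5-minute age-out of dynamic entries is an assumed value used only to make ageing observable.

```python
"""Model of the transparent-mode MAC address (bridge) table: per-interface
learning, 'mac-learn <if> disable', static entries that guard against MAC
spoofing, lookups without flooding, and ageing of dynamic entries.
Added teaching example; names and MACs are constructed, and the 5-minute
age-out is an assumed value, not a quoted default."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MacEntry:
    interface: str
    static: bool
    age_min: int = 0          # minutes since the address was last seen (dynamic only)


class BridgeTable:
    def __init__(self, interfaces: List[str], max_age_min: int = 5):
        self.entries: Dict[str, MacEntry] = {}
        self.learning = {name: True for name in interfaces}   # learning is on by default
        self.max_age_min = max_age_min

    def mac_learn(self, interface: str, enabled: bool) -> None:
        """mac-learn <interface> disable  /  no mac-learn <interface> disable"""
        self.learning[interface] = enabled

    def add_static(self, interface: str, mac: str) -> None:
        """mac-address-table static <interface> <mac>"""
        self.entries[mac] = MacEntry(interface, static=True)

    def on_ingress(self, interface: str, src_mac: str) -> str:
        """Update the table from a frame's source MAC and report what happened."""
        entry = self.entries.get(src_mac)
        if entry is not None and entry.static:
            if entry.interface != interface:
                # A static MAC seen on another interface: drop, this is the spoofing guard
                return "dropped: static entry on " + entry.interface
            return "static"
        if not self.learning[interface]:
            return "not learned"                         # learning disabled on this interface
        if entry is None:
            self.entries[src_mac] = MacEntry(interface, static=False)
            return "learned"
        entry.interface, entry.age_min = interface, 0    # refresh (or move) a dynamic entry
        return "refreshed"

    def egress_for(self, dst_mac: str) -> Optional[str]:
        """Outgoing interface for a destination MAC; None means unknown (no flooding)."""
        entry = self.entries.get(dst_mac)
        return entry.interface if entry else None

    def tick(self, minutes: int = 1) -> List[str]:
        """Age dynamic entries by the given minutes; return the MACs that timed out."""
        expired = []
        for mac, entry in list(self.entries.items()):
            if entry.static:
                continue                                 # static entries never age
            entry.age_min += minutes
            if entry.age_min >= self.max_age_min:
                expired.append(mac)
                del self.entries[mac]
        return expired

    def show(self, static_only: bool = False) -> List[str]:
        """Rows in the spirit of 'show mac-address-table [static]'."""
        rows = []
        for mac, entry in sorted(self.entries.items(), key=lambda kv: (kv[1].interface, kv[0])):
            if static_only and not entry.static:
                continue
            kind = "static" if entry.static else "dynamic"
            time_left = "-" if entry.static else str(self.max_age_min - entry.age_min)
            rows.append(f"{entry.interface:8} {mac:15} {kind:8} {time_left}")
        return rows


if __name__ == "__main__":
    table = BridgeTable(["inside", "outside"])
    table.add_static("inside", "0200.0000.6101")        # constructed host MAC
    table.on_ingress("outside", "0200.0000.2100")       # constructed router MAC, learned
    print(table.on_ingress("outside", "0200.0000.6101"))  # the static MAC from the wrong side
    print("\n".join(table.show()))
```

The spoofing guard is the reason the slides recommend static entries: a frame whose source MAC is pinned to inside but arrives on outside is dropped instead of rewriting the table entry, which is what would let an attacker on the outside segment pull a host's traffic toward itself.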

debug Commands
Debug Support
    asa1# debug arp-inspection
    asa1# debug mac-address-table
 debug arp-inspection: to track the code path of ARP forwarding and the ARP inspection module in the transparent firewall
 debug mac-address-table: to track the insertions, deletions, or updates to the bridge table that is maintained for the transparent firewall

Summary
 A transparent firewall is a Layer 2 firewall that acts like a “bump in the wire” or a “stealth firewall” and is not seen as a router hop to connected devices.
 The security appliance connects the same network on its inside and outside ports but uses different VLANs on the inside and outside.
 Layer 2 monitoring and maintenance is performed by customizing the MAC address table.
