© 2005 Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 3, City College.
Presentation transcript:

1 © 2005 Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 3, City College of San Francisco, Spring 2007

2 Network Security 1 Module 3 – Security Devices

3 Learning Objectives
–3.1 Device Options
–3.2 Using Security Device Manager
–3.3 Introduction to the Cisco Security Appliance Family
–3.4 Getting Started with the PIX Security Appliance
–3.5 PIX Security Appliance Translations and Connections
–3.6 Manage a PIX Security Appliance with Adaptive Security Device Manager
–3.7 PIX Security Appliance Routing Capabilities
–3.8 Firewall Services Module Operation

4 Module 3 – Security Devices: 3.1 Device Options

5 Sample Firewall Topology (diagram; labels: Outside, Inside)

6 Security Offerings (diagram; labels)
–Secure Operating System Foundation; IP Services; IOS Firewall (Router as Firewall); Network Integrated Solutions
–Categories: VPN, Firewall, Intrusion Protection
–V3PN, IPsec, CBAC, Stateful Inspection, IDS, SSH, SSL, ACL, AAA, NAT, L2TP/EAP, MSCHAPv2, PKI, 802.1X, BGP, GRE, Multicast, Application Aware QoS, DHCP/DNS, MPLS, VoIP, EIGRP, OSPF, Multiprotocol, HTTPS, Secure ARP, uRPF (Unicast Reverse Path Forwarding)
–Authentication per user via AAA, Command Authorization via AAA, Device Access by Privilege Level, Activity Logging, NetFlow, IP Comp, SNMPv3

7 PIX Security Appliance Lineup (diagram; axes: Connectivity, Performance, Gigabit Ethernet)
–Market segments: SOHO, ROBO, SMB, Enterprise, Service Provider
–Models: PIX 501, PIX 506E, PIX 515E, PIX 525, PIX 535
–Stateful Inspection Firewall Appliance; Hardened OS; IPSec VPN; Integrated Intrusion Detection; Hot Standby, Stateful Failover; Easy VPN Client/Server; VoIP Support

8 Adaptive Security Appliance Lineup

9 Catalyst Switch Integration (diagram): appliance capabilities (Firewall, IDS, Virtual Private Network) delivered within the Cisco infrastructure as Security Services Modules (VPN, SSL, NAM, IDS, Firewall)

10 Module 3 – Security Devices: 3.2 Using Security Device Manager

11 Security Device Manager (SDM)

12 Obtaining SDM: SDM is factory loaded on supported routers manufactured as of June. Always check for the latest information regarding SDM support. SDM cannot be ordered independently of the router.

13 Startup Wizard: Welcome Window

14 SDM Main Window Layout and Navigation (screenshot; labels: Menu bar, Toolbar, Router Information, Configuration Overview)

15 SDM Wizard Options
–LAN Configuration: Configure LAN interfaces and DHCP.
–WAN Configuration: Configure PPP, Frame Relay, and HDLC WAN interfaces.
–Firewall: Access two types of firewall wizards: simple inside/outside; advanced inside/outside/DMZ with multiple interfaces.
–VPN: Access three types of VPN wizards: secure site-to-site VPN; Easy VPN; GRE tunnel with IPSec VPN.
–Security Audit: Performs a router security audit and provides a button for router lockdown.
–IPS:
–QoS:
–Routing:

16 WAN Wizard: Create a New WAN Connection

17 Reset to Factory Default Wizard

18 Monitor Mode Overview: Interface Stats, Firewall Stats, VPN Stats

19 Monitor Interface Status

20 Monitor Firewall Status

21 Monitor VPN Status

22 Monitor Logging

23 Module 3 – Security Devices: 3.3 Introduction to the Cisco Security Appliance Family

24 PIX Security Appliance Family

25 PIX Security Appliance 501 Front Panel LEDs (figure; labels: VPN tunnel, Power, 100 MBPS, Link/Act)

26 PIX Security Appliance 501 Back Panel (figure; labels: Security lock slot, Power connector, 10BaseT (RJ-45), Console port (RJ-45), 4-port 10/100 switch (RJ-45))

27 PIX Security Appliance 506E Front Panel LEDs (figure; labels: Network LED, Active LED, Power LED)

28 PIX Security Appliance 506E Back Panel (figure; labels: Console port (RJ-45), Power switch, USB port, two 10BaseT (RJ-45) ports, each with an ACT(ivity) LED and a LINK LED)

29 PIX Security Appliance 515E Front Panel LEDs (figure; labels: Network LED, Power LED, Active failover firewall)

30 PIX Security Appliance 515E Back Panel (figure; labels: Failover connector, Console port (RJ-45), Power switch, 10/100BaseTX Ethernet 0 (RJ-45) and Ethernet 1 (RJ-45), each with FDX LED, LINK LED and 100 Mbps LED)

31 PIX Security Appliance 515E Quad Card: Using the quad card requires the PIX Security Appliance 515E-UR license.

32 PIX Security Appliance 515E Two Single-Port Connectors: Using two single-port connectors requires the PIX Security Appliance 515E-UR license.

33 PIX Security Appliance 525 Front Panel LEDs (figure; labels: Power LED, Active LED)

34 PIX Security Appliance 525 Back Panel (figure; labels: Failover connection, 10/100BaseTX Ethernet 0 (RJ-45), 10/100BaseTX Ethernet 1 (RJ-45), USB port, Console port (RJ-45), ACT(ivity) LED, LINK LEDs, 100Mbps LED)

35 PIX Security Appliance 535 Front Panel LEDs (figure; labels: Power, ACT)

36 PIX Security Appliance 535 Back Panel (figure; labels: DB-15 failover, Slot 0 through Slot 8, Console RJ-45, USB port)

37 ASA5510 Adaptive Security Appliance
–Up to five 10/100 Fast Ethernet interfaces
–Optional Security Services Module (SSM) slot, which provides inline IPS
–Throughput of 100 Mbps with the ability to handle up to 64,000 concurrent connections
–Supports active/standby failover
–Can deliver 150 Mbps IPS throughput when an AIP SSM model 10 is added to the appliance

38 ASA5520 Adaptive Security Appliance
–Four 10/100/1000 Gigabit Ethernet interfaces
–Supports an SSM slot, which provides inline IPS
–Throughput of 200 Mbps with the ability to handle up to 130,000 concurrent connections
–Supports active/standby and active/active failover
–Can deliver 375 Mbps IPS throughput when an AIP SSM model 20 is added to the appliance

39 ASA5540 Adaptive Security Appliance
–Four 10/100/1000 Gigabit Ethernet interfaces
–One 10/100 Fast Ethernet management interface
–Optional Security Services Module slot, which provides inline IPS
–Throughput of 400 Mbps with the ability to handle up to 280,000 concurrent connections
–Can deliver 450 Mbps IPS throughput when an AIP SSM model 20 is added to the appliance

40 Module 3 – Security Devices: 3.4 Getting Started with the PIX Security Appliance

41 User Interface
–Unprivileged mode – This mode is available when the PIX is first accessed. The > prompt is displayed. This mode provides a restricted, limited view of PIX settings.
–Privileged mode – This mode displays the # prompt and enables users to change the current settings. Any unprivileged command also works in privileged mode.
–Configuration mode – This mode displays the (config)# prompt and enables users to change system configurations. All privileged, unprivileged, and configuration commands work in this mode.
–Monitor mode – This is a special mode that enables users to update the image over the network or to perform password recovery. While in monitor mode, users can enter commands specifying the location of the TFTP server and the PIX software image or password recovery binary file to download.

42 Security Levels
–Higher security level interface to a lower security level interface – For traffic originating from the inside interface of the PIX (security level 100) to the outside interface of the PIX (security level 0), all IP-based traffic is allowed unless it is restricted by ACLs, authentication, or authorization. ICMP does not follow this rule.
–Lower security level interface to a higher security level interface – For traffic originating from the outside interface of the PIX (security level 0) to the inside interface of the PIX (security level 100), all packets are dropped unless specifically allowed by an access-list command. The traffic can be restricted further if authentication and authorization are used.
–Same security level interface to a same security level interface – No traffic flows between two interfaces with the same security level unless specifically allowed by an access-list command or with the command:

43 Basic Commands
–hostname – Assigns a hostname to the PIX.
–interface – Configures the type and capability of each perimeter interface.
–nameif – Assigns a name to each perimeter interface.
–ip address – Assigns an IP address to each interface.
–security level – Assigns the security level for the perimeter interface.
–speed – Assigns the connection speed.
–duplex – Assigns the duplex communications.

44 Additional Commands
–nat-control – Enables or disables the NAT configuration requirement. If nat-control is enabled, you must configure a NAT rule before an inside host can communicate with any outside network.
–nat – Shields IP addresses on the inside network from the outside network.
–global – Creates a pool of one or more IP addresses for use in NAT and PAT.
–route – Defines a static or default route for an interface.

45 Module 3 – Security Devices: 3.5 PIX Security Appliance Translations and Connections

46 UDP (diagram)

47 NAT: NAT substitutes the local address on a packet with a global address that is routable on the destination network. If you want to enforce a NAT policy that requires hosts on a higher security interface (inside) to use NAT when communicating with a lower security interface (outside), you can enable NAT control.

48 Access through the PIX Security Appliance

49 PAT – Many-to-one NAT

50 Static Translation

51 Identity NAT – nat 0: The nat 0 command lets administrators disable address translation so that inside IP addresses are visible on the outside without address translation. A restriction of the nat 0 (identity NAT) command is that identity NAT requires that traffic be initiated from the local host.
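The following configuration is an added example, not part of the CNIT 221 slides or of any Cisco documentation. It ties together the basic commands (slide 43), the additional commands (slide 44), the security-level rules (slide 42) and the translation types on slides 47 through 51 in one minimal PIX configuration. It assumes PIX software 7.x command syntax (where nameif, security-level, ip address, speed and duplex are entered under the interface); the interface names, addresses, pool ranges and the access-list name OUTSIDE_IN are constructed for illustration.

```cisco
! Added example (not from the slides): minimal PIX 7.x configuration.
! Addresses, pool ranges and the ACL name are constructed placeholders.
hostname pix1

! Perimeter interfaces: name, security level, address, speed and duplex (slide 43).
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 speed 100
 duplex full
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown

! Require a translation rule before any inside host can reach the outside (slide 44).
nat-control

! Dynamic NAT: inside 10.0.0.0/24 uses global pool id 1 on the outside ...
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0
! ... and falls back to PAT (many-to-one, slide 49) on a single address once the pool is used up.
global (outside) 1 203.0.113.21 netmask 255.255.255.255

! Static one-to-one translation (slide 50) for a server that must be reachable from outside.
static (inside,outside) 203.0.113.30 10.0.0.30 netmask 255.255.255.255

! Lower-to-higher traffic is dropped unless an access list permits it (slide 42):
! permit only HTTP to the server's translated address.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.30 eq www
access-group OUTSIDE_IN in interface outside

! Identity NAT (slide 51): this inside subnet keeps its real addresses on the outside.
! The translation only exists for connections initiated from the inside host.
nat (inside) 0 10.0.99.0 255.255.255.0

! Default route toward the outside gateway (slide 44).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

Note that the dynamic pool and the PAT address share the same nat id (1); the PIX draws from the address range first and switches to port translation on 203.0.113.21 when the range is exhausted. With nat-control enabled, a host in 10.0.0.0/24 that matched no nat statement would be unable to reach the outside at all, which is the policy slide 47 describes.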

52 Multiple Interfaces

53 Module 3 – Security Devices: 3.6 Manage a PIX Security Appliance with Adaptive Security Device Manager

54 Adaptive Security Device Manager (ASDM)

55 ASDM Compatibility

56 ASDM Home Window

57 Module 3 – Security Devices: 3.7 PIX Security Appliance Routing Capabilities

58 VLANs: With PIX Security Appliance Software Version 6.3 and higher, the administrator can assign VLANs to physical interfaces on the PIX, or configure multiple logical interfaces on a single physical interface and assign each logical interface to a specific VLAN.

59 Static Routes

60 Routing with RIP: The clear rip command removes all the rip commands from the configuration.
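The routing capabilities on slides 58 through 60 (VLAN logical interfaces, static routes and RIP), as an added example that is not from the slides or from Cisco. It assumes PIX software 7.x syntax; the VLAN IDs, interface names, addresses and the RIP authentication key are constructed for illustration.

```cisco
! Added example (not from the slides): PIX 7.x routing configuration.
! VLAN IDs, names, addresses and the RIP key are constructed placeholders.

! One physical port carries two VLANs as logical sub-interfaces (slide 58).
! The physical interface only needs to be enabled; it carries no name or address.
interface Ethernet1
 no shutdown
interface Ethernet1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Ethernet1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.0.20.1 255.255.255.0

! Static route (slide 59): a network behind an internal router, reached via the inside interface.
route inside 10.1.0.0 255.255.0.0 10.0.0.254 1

! RIP on the inside interface (slide 60): learn RIPv2 routes with MD5 authentication (passive)
! and advertise a default route to the inside neighbours (default).
rip inside passive version 2 authentication md5 RipKey7 1
rip inside default version 2 authentication md5 RipKey7 1
```

Because the DMZ and inside segments sit on separate logical interfaces with different security levels, the security-level rules from slide 42 apply between them exactly as they would between two physical interfaces. The slide's clear rip command removes both rip lines at once, which is worth remembering when cleaning up a lab configuration.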

61 Routing with OSPF

62 Routing with OSPF

63 Multicast Routing

64 Module 3 – Security Devices: 3.8 Firewall Services Module Operation

65 Firewall Services Module (FWSM)
–Designed for high-end enterprise and service providers
–Runs in Catalyst 6500 switches and 7600 Series routers
–Based on PIX Security Appliance technology
–PIX Security Appliance 6.0 feature set (some 6.2)
–1 million simultaneous connections
–Over 100,000 connections per second
–5 Gbps throughput
–Up to 4 can be stacked in a chassis, providing 20 Gbps throughput
–1 GB DRAM
–Supports 100 VLANs
–Supports failover

66 FWSM in the Catalyst 6500 Switch (figure; labels: Supervisor engine, Redundant supervisor engine, Slots 1-9 (top to bottom), Power supply 1, Power supply 2, ESD ground strap connector, Switch fabric module, 48 Port 10/100 Ethernet, 16 Port GBIC, Fan assembly, FWSM)

67 FWSM in the Cisco 7609 Internet Router (figure; labels: Fan assembly, Power supply 1, Power supply 2, Switch fabric module, Supervisor engine, ESD ground strap connection, Slots 1-9 (right to left), FWSM)
