© 2005 Cisco Systems, Inc. All rights reserved.
Network Security 1
Module 9 – Configure Filtering on a PIX Security Appliance

Learning Objectives
9.1 Configure ACLs and Content Filters
9.2 Object Grouping
9.3 Configure a Security Appliance Modular Policy
9.4 Configure Advanced Protocol Inspection

Module 9 – Configure Filtering on a PIX Security Appliance
9.1 Configure ACLs and Content Filters
PIX Security Appliance ACLs
ACL Usage Guidelines
access-list command
access-group command
Show access-list
Clear access-list counters
ACL Line Numbers
icmp command
nat 0 access-list command
Turbo ACLs
Regular ACL processing: ACLs are organized internally as linked lists (ACL A: Entry 1, Entry 2, Entry 3, ... Entry N). A linear search finds the matching entry that denies or permits the packet. Search time increases when ACL A contains a large number of entries, which leads to performance degradation.
Turbo ACL processing: ACLs are compiled into sets of lookup data tables; a packet header value indexes into ACL entry bit maps in the compiled data table. Search time improves for large ACLs. Requires a minimum of 2.1 MB of memory.

Turbo ACL
pixfirewall(config)# access-list compiled
  Enables the Turbo ACL feature on all ACLs.
pixfirewall(config)# access-list acl_ID compiled
  Enables the Turbo ACL feature for a specific ACL.
Turbo compiles all ACLs with 19 or more entries.
Using ACLs - Deny Web Access to the Internet
Using ACLs – Inbound HTTP solution
Using ACLs – Partner Web Access to DMZ and DMZ access to Mail
Java Applet Filtering
ActiveX Blocking
filter activex | java Command
pixfirewall(config)# filter activex | java port[-port] local_ip mask foreign_ip mask
  filter activex: Filters out ActiveX usage from outbound packets.
  filter java: Filters out Java applets that return to the PIX Security Appliance from an outbound connection.
URL Filtering
Designate the URL-Filtering Server
Configure the PIX Security Appliance to Work with a URL-Filtering Server
HTTPS and FTP Filtering
URL Filtering Example

Module 9 – Configure Filtering on a PIX Security Appliance
9.2 Object Grouping

Grouping Objects of Similar Types
Using Object Groups in ACLs
pixfirewall(config)# access-list ACLOUT permit object-group MYPROTOCOLS object-group CLIENTS object-group SERVERS
This single entry replaces the following individual entries (host and network addresses were not captured on the slide):
pixfirewall(config)# access-list ACLOUT permit tcp host
pixfirewall(config)# access-list ACLOUT permit icmp host
pixfirewall(config)# access-list ACLOUT permit tcp host
pixfirewall(config)# access-list ACLOUT permit icmp host
pixfirewall(config)# access-list ACLOUT permit tcp host host
pixfirewall(config)# access-list ACLOUT permit icmp host host
pixfirewall(config)# access-list ACLOUT permit tcp host host
pixfirewall(config)# access-list ACLOUT permit icmp host host
pixfirewall(config)# access-list ACLOUT permit tcp host host
pixfirewall(config)# access-list ACLOUT permit icmp host host
pixfirewall(config)# access-list ACLOUT permit tcp host host
pixfirewall(config)# access-list ACLOUT permit icmp host host
Using Object Groups in ACLs
Configuring and Using Object Groups
object-group Command
pixfirewall(config)# object-group network grp_id
  Assigns a name to a Network group and enables the Network subcommand mode.
pixfirewall(config)# object-group service grp_id tcp | udp | tcp-udp
  Assigns a name to a Service group and enables the Service subcommand mode.
pixfirewall(config)# object-group protocol grp_id
  Assigns a name to a Protocol group and enables the Protocol subcommand mode.
pixfirewall(config)# object-group icmp-type grp_id
  Assigns a name to an ICMP-type group and enables the ICMP-type subcommand mode.
Example:
pixfirewall(config)# object-group network CLIENTS
  Assigns the name CLIENTS to a Network group and enables the Network subcommand mode.

Configuring Network Object Groups
pixfirewall(config)# object-group network grp_id
  Assigns a name to the group and enables the Network sub-command mode.
pixfirewall(config-network)# network-object host host_addr | host_name
  Assigns hosts to the Network object group.
pixfirewall(config-network)# network-object net_addr netmask
  Assigns networks to the Network object group.
Example (addresses were not captured on the slide):
pixfirewall(config)# object-group network CLIENTS
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# network-object
  Creates a Network object group named CLIENTS, which consists of one host and one network.

Configuring Service Object Groups
pixfirewall(config)# object-group service grp_id tcp | udp | tcp-udp
  Assigns a name to a Service group and enables the Service sub-command mode.
pixfirewall(config-service)# port-object eq service
  Assigns a single TCP or UDP port number to the Service object group.
pixfirewall(config-service)# port-object range begin_service end_service
  Assigns a range of TCP or UDP port numbers to the Service object group.
Example:
pixfirewall(config)# object-group service MYSERVICES tcp
pixfirewall(config-service)# port-object eq http
pixfirewall(config-service)# port-object eq ftp
  Creates a Service group named MYSERVICES, which contains HTTP and FTP.

Configuring Protocol Object Groups
pixfirewall(config)# object-group protocol grp_id
  Assigns a name to a Protocol group and enables the Protocol sub-command mode.
pixfirewall(config-protocol)# protocol-object protocol
  Assigns a protocol to the Protocol object group.
Example:
pixfirewall(config)# object-group protocol MYPROTOCOLS
pixfirewall(config-protocol)# protocol-object icmp
pixfirewall(config-protocol)# protocol-object tcp
  Creates a Protocol group named MYPROTOCOLS, which contains ICMP and TCP.

Configuring ICMP-Type Object Groups
pixfirewall(config)# object-group icmp-type grp_id
  Assigns a name to an ICMP-Type group and enables the icmp-type sub-command mode.
pixfirewall(config-icmp-type)# icmp-object icmp-type
  Assigns an ICMP message type to the object group.
Example:
pixfirewall(config)# object-group icmp-type PING
pixfirewall(config-icmp-type)# icmp-object echo
pixfirewall(config-icmp-type)# icmp-object echo-reply
  Creates an ICMP-Type group named PING, which contains the echo and echo-reply message types.
access-list Command for Object Grouping
Nested Object Groups
Configuring Nested Object Groups
Nested Object Group Example
group-object Command
Nested Object Group Example
Apply Nested Object Group to ACL
Multiple Object Groups in ACLs
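As an added example (not from the Cisco course material), the following Python shows what the single object-group entry on the "Using Object Groups in ACLs" slide expands to, follows group-object nesting as described on the nested object group slides, and checks the expanded entry count against the 19-entry threshold from the Turbo ACL slide. The addresses, the WEB_SERVERS and MAIL_SERVERS groups, and the order of the expanded entries are constructed assumptions, not appliance output.

```python
# Added example: expand a PIX access-list entry that references object groups
# into the individual entries the appliance evaluates. Group names MYPROTOCOLS,
# CLIENTS and SERVERS come from the slides; the member addresses and the nested
# WEB_SERVERS / MAIL_SERVERS groups are constructed sample values.
from itertools import product

# Constructed object-group definitions. A "group-object" member nests another
# group, as the group-object command on the slides allows.
OBJECT_GROUPS = {
    "MYPROTOCOLS": ["tcp", "icmp"],
    "CLIENTS": ["host 10.0.1.11", "host 10.0.1.12", "10.0.2.0 255.255.255.0"],
    "WEB_SERVERS": ["host 192.168.1.10"],
    "MAIL_SERVERS": ["host 192.168.1.20"],
    "SERVERS": ["group-object WEB_SERVERS", "group-object MAIL_SERVERS"],
}

TURBO_MIN_ENTRIES = 19  # slide: "Turbo compiles all ACLs with 19 or more entries"


def flatten(group, groups, seen=()):
    """Return the leaf members of a group, following group-object nesting."""
    if group in seen:
        raise ValueError(f"object-group {group} nests itself")
    members = []
    for item in groups[group]:
        if item.startswith("group-object "):
            members.extend(flatten(item.split()[1], groups, seen + (group,)))
        else:
            members.append(item)
    return members


def expand_ace(acl, action, proto_grp, src_grp, dst_grp, groups=OBJECT_GROUPS):
    """Expand one object-group ACE into the equivalent individual ACEs.

    The appliance evaluates the cross product protocol x source x destination;
    the ordering used here is an assumption for illustration only.
    """
    protos = flatten(proto_grp, groups)
    srcs = flatten(src_grp, groups)
    dsts = flatten(dst_grp, groups)
    return [f"access-list {acl} {action} {p} {s} {d}"
            for p, s, d in product(protos, srcs, dsts)]


def turbo_compiled(entries):
    """True when an ACL of this size would be compiled by 'access-list compiled'."""
    return len(entries) >= TURBO_MIN_ENTRIES


if __name__ == "__main__":
    aces = expand_ace("ACLOUT", "permit", "MYPROTOCOLS", "CLIENTS", "SERVERS")
    print("\n".join(aces))
    print(f"{len(aces)} entries; turbo compiled: {turbo_compiled(aces)}")
```

Three object groups of two, three and two members expand to twelve entries, matching the twelve individual lines on the slide; a larger group set crosses the Turbo threshold.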
Displaying configured Object Groups
Removing Configured Object Groups

Module 9 – Configure Filtering on a PIX Security Appliance
9.3 Configure a Security Appliance Modular Policy

Modular Policy Overview
Modular Policy
Assign a Class Map Name
Class Map – Define a Class of Traffic
Define a class match criteria
Show run class map
Policy Map Overview
Assign a Policy Map Name
Define a Policy Map for the class
Show run policy-map
Service Policy
Show service-policy

Module 9 – Configure Filtering on a PIX Security Appliance
9.4 Configure Advanced Protocol Inspection

Need for Advanced Protocol Handling
inspect Command
Default traffic inspection
Default protocol inspection policy
Delete Inspection for a Protocol
Add a Protocol Inspection Port Number
FTP Inspection
Active Mode FTP Inspection
Passive Mode FTP Inspection
FTP Deep Packet Inspection – Command Filtering
FTP Deep Packet Inspection Configuration
FTP Map – Deny Request
FTP Inspection Example
HTTP Inspection
HTTP Inspection
Enhanced HTTP Inspection
HTTP Map – RFC and Extension Methods
HTTP Map – Message Content Criteria
Enhanced HTTP Configuration
Apply HTTP Inspection Example
Application Inspection – Remote Shell
Application Inspection – SQL*Net
Application Inspection – ESMTP
ICMP Inspection
SNMP Inspection
DNS Inspection
DNS Record Translation
Why Multimedia Is an Issue
Multimedia applications behave in unique ways:
- Use dynamic ports.
- Transmit a request using TCP and get responses in UDP or TCP.
- Use the same port for source and destination.
The PIX Security Appliance:
- Dynamically opens and closes conduits for secure multimedia connections.
- Supports multimedia with or without NAT.
Real-Time Streaming Protocol
Standard RTP Mode
RealNetworks’ RDT Mode
H.323 Inspection
SIP Inspection
SCCP Inspection
CTIQBE Inspection
MGCP Inspection
MGCP Inspection Configuration
Cisco IP Phones and the PIX Security Appliance’s DHCP Server
Cisco IP phones:
- Download their configurations from a TFTP server.
- Request an IP address and the IP address of a TFTP server from a DHCP server.
The PIX Security Appliance:
- Supports DHCP option 150 for providing the IP addresses of a list of TFTP servers.
- Supports DHCP option 66 for providing the IP address of a single TFTP server.