
Slide 1: CNIT 221 Security 1 ver.2, Module 3. City College of San Francisco, Spring 2007. © 2005 Cisco Systems, Inc. All rights reserved.

Slide 2: Network Security 1, Module 3 – Security Devices

Slide 3: Learning Objectives
– 3.1 Device Options
– 3.2 Using Security Device Manager
– 3.3 Introduction to the Cisco Security Appliance Family
– 3.4 Getting Started with the PIX Security Appliance
– 3.5 PIX Security Appliance Translations and Connections
– 3.6 Manage a PIX Security Appliance with Adaptive Security Device Manager
– 3.7 PIX Security Appliance Routing Capabilities
– 3.8 Firewall Services Module Operation

Slide 4: Module 3 – Security Devices, 3.1 Device Options

Slide 5: Sample Firewall Topology (figure; labels: Outside, Inside)

Slide 6: Security Offerings (figure). Labels: Secure Operating System Foundation; IP Services; IOS Firewall – Router as Firewall; Network Integrated Solutions: VPN, Firewall, Intrusion Protection; V3PN, IPsec, CBAC Stateful Inspection, IDS, SSH, SSL, ACL, AAA, NAT, L2TP/EAP, MSCHAPv2, PKI, 802.1X, BGP, GRE, Multicast, Application Aware QoS, DHCP/DNS, MPLS, VoIP, EIGRP, OSPF, Multiprotocol, HTTPS, Secure ARP, uRPF (Unicast Reverse Path Forwarding), Authentication per user via AAA, Command Authorization via AAA, Device Access by Privilege Level, Activity Logging, NetFlow, IP Comp, SNMPv3.

Slide 7: PIX Security Appliance Lineup (figure: performance versus connectivity, Gigabit Ethernet at the high end). Market segments shown: SOHO, SMB, ROBO, Enterprise, Service Provider. Models shown: PIX 501, PIX 506E, PIX 515E, PIX 525, PIX 535. Features listed: Stateful Inspection Firewall Appliance; Hardened OS; IPsec VPN; Integrated Intrusion Detection; Hot Standby, Stateful Failover; Easy VPN Client/Server; VoIP Support.

Slide 8: Adaptive Security Appliance Lineup (figure)

Slide 9: Catalyst Switch Integration (figure). Appliance capabilities: Firewall, IDS, Virtual Private Network. Cisco Infrastructure. Security Services Modules: VPN, SSL, NAM, IDS, Firewall.

Slide 10: Module 3 – Security Devices, 3.2 Using Security Device Manager

Slide 11: Security Device Manager (SDM)

Slide 12: Obtaining SDM. SDM is factory loaded on supported routers manufactured as of June 2003. Always check www.cisco.com/go/sdm for the latest information regarding SDM support. SDM cannot be ordered independent of the router.

Slide 13: Startup Wizard: Welcome Window (screenshot)

Slide 14: SDM Main Window Layout and Navigation (screenshot; labels: Menu bar, Toolbar, Router Information, Configuration Overview)

Slide 15: SDM Wizard Options
– LAN Configuration: Configure LAN interfaces and DHCP.
– WAN Configuration: Configure PPP, Frame Relay, and HDLC WAN interfaces.
– Firewall: Access two types of firewall wizards: simple inside/outside, and advanced inside/outside/DMZ with multiple interfaces.
– VPN: Access three types of VPN wizards: secure site-to-site VPN, Easy VPN, and GRE tunnel with IPsec VPN.
– Security Audit: Performs a router security audit and provides a button for router lockdown.
– IPS
– QoS
– Routing

Slide 16: WAN Wizard: Create a New WAN Connection (screenshot)

Slide 17: Reset to Factory Default Wizard (screenshot)

Slide 18: Monitor Mode (screenshot; tabs: Overview, Interface Stats, Firewall Stats, VPN Stats)

Slide 19: Monitor Interface Status (screenshot)

Slide 20: Monitor Firewall Status (screenshot)

Slide 21: Monitor VPN Status (screenshot)

Slide 22: Monitor Logging (screenshot)

Slide 23: Module 3 – Security Devices, 3.3 Introduction to the Cisco Security Appliance Family

Slide 24: PIX Security Appliance Family (figure)

Slide 25: PIX Security Appliance 501 Front Panel (figure; LEDs: VPN tunnel, Power, 100 Mbps, Link/Act)

Slide 26: PIX Security Appliance 501 Back Panel (figure; labels: Security lock slot, Power connector, 10BaseT (RJ-45), Console port (RJ-45), 4-port 10/100 switch (RJ-45))

Slide 27: PIX Security Appliance 506E Front Panel (figure; LEDs: Network LED, Active LED, Power LED)

Slide 28: PIX Security Appliance 506E Back Panel (figure; labels: Console port (RJ-45), Power switch, USB port, two 10BaseT (RJ-45) ports each with an ACT(ivity) LED and a LINK LED)

Slide 29: PIX Security Appliance 515E Front Panel (figure; LEDs: Network LED, Power LED, Active failover firewall)

Slide 30: PIX Security Appliance 515E Back Panel (figure; labels: Failover connector, Console port (RJ-45), Power switch, 10/100BaseTX Ethernet 0 (RJ-45) and 10/100BaseTX Ethernet 1 (RJ-45), each with FDX LED, LINK LED and 100 Mbps LED)

Slide 31: PIX Security Appliance 515E Quad Card. Using the quad card requires the PIX Security Appliance 515E-UR license.

Slide 32: PIX Security Appliance 515E Two Single-Port Connectors. Using two single-port connectors requires the PIX Security Appliance 515E-UR license.

Slide 33: PIX Security Appliance 525 Front Panel (figure; LEDs: Power LED, Active LED)

Slide 34: PIX Security Appliance 525 Back Panel (figure; labels: ACT(ivity) LED, LINK LEDs, 100 Mbps LED, Failover connection, 10/100BaseTX Ethernet 1 (RJ-45), 10/100BaseTX Ethernet 0 (RJ-45), USB port, Console port (RJ-45))

Slide 35: PIX Security Appliance 535 Front Panel (figure; LEDs: Power, ACT)

Slide 36: PIX Security Appliance 535 Back Panel (figure; labels: DB-15 failover, Slots 0 through 8, Console RJ-45, USB port)

Slide 37: ASA5510 Adaptive Security Appliance. Up to five 10/100 Fast Ethernet interfaces. Optional Security Services Module (SSM) slot which provides inline IPS. Throughput of 100 Mbps with the ability to handle up to 64,000 concurrent connections. Supports active/standby failover. Can deliver 150 Mbps IPS throughput when an AIP SSM model 10 is added to the appliance.

Slide 38: ASA5520 Adaptive Security Appliance. Four 10/100/1000 Gigabit Ethernet interfaces. Supports an SSM slot which provides inline IPS. Throughput of 200 Mbps with the ability to handle up to 130,000 concurrent connections. Supports active/standby and active/active failover. Can deliver 375 Mbps IPS throughput when an AIP SSM model 20 is added to the appliance.

Slide 39: ASA5540 Adaptive Security Appliance. Four 10/100/1000 Gigabit Ethernet interfaces. One 10/100 Fast Ethernet management interface. Optional Security Services Module slot which provides inline IPS. Throughput of 400 Mbps with the ability to handle up to 280,000 concurrent connections. Can deliver 450 Mbps IPS throughput when an AIP SSM model 20 is added to the appliance.

Slide 40: Module 3 – Security Devices, 3.4 Getting Started with the PIX Security Appliance

Slide 41: User Interface
– Unprivileged mode – This mode is available when the PIX is first accessed. The > prompt is displayed. This mode provides a restricted, limited view of PIX settings.
– Privileged mode – This mode displays the # prompt and enables users to change the current settings. Any unprivileged command also works in privileged mode.
– Configuration mode – This mode displays the (config)# prompt and enables users to change system configurations. All privileged, unprivileged, and configuration commands work in this mode.
– Monitor mode – This is a special mode that enables users to update the image over the network or to perform password recovery. While in monitor mode, users can enter commands specifying the location of the TFTP server and the PIX software image or password recovery binary file to download.

Slide 42: Security Levels
– Higher security level interface to a lower security level interface – For traffic originating from the inside interface of the PIX (security level 100) to the outside interface of the PIX (security level 0), all IP-based traffic is allowed unless it is restricted by ACLs, authentication, or authorization. ICMP does not follow this rule.
– Lower security level interface to a higher security level interface – For traffic originating from the outside interface of the PIX (security level 0) to the inside interface of the PIX (security level 100), all packets are dropped unless specifically allowed by an access-list command. The traffic can be restricted further if authentication and authorization are used.
– Same security level interface to a same security level interface – No traffic flows between two interfaces with the same security level unless specifically allowed by an access-list command or with the command:

Slide 43: Basic Commands
– hostname – Assigns a hostname to the PIX.
– interface – Configures the type and capability of each perimeter interface.
– nameif – Assigns a name to each perimeter interface.
– ip address – Assigns an IP address to each interface.
– security-level – Assigns the security level for the perimeter interface.
– speed – Assigns the connection speed.
– duplex – Assigns the duplex communications.

Slide 44: Additional Commands
– nat-control – Enables or disables the NAT configuration requirement. If nat-control is enabled, you must configure a NAT rule before an inside host can communicate with any outside networks.
– nat – Shields IP addresses on the inside network from the outside network.
– global – Creates a pool of one or more IP addresses for use in NAT and PAT.
– route – Defines a static or default route for an interface.
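The following console session is an added example written for this transcript; it is not part of the Cisco slides. It walks through the mode changes of slide 41 and then uses the commands of slides 43 and 44 to bring up a three-interface firewall whose security levels illustrate slide 42. It assumes PIX 7.0-style syntax (interface configuration submode, `security-level`, `access-list ... extended`); the hostname pix-lab, the interface names, the constructed lab addresses (192.0.2.0/24 and private ranges), and the ACL name outside_in are all assumptions. Translation is deliberately switched off with `no nat-control` so that the security-level behaviour can be seen on its own; translation rules are shown in a later example.

```text
! Unprivileged mode (> prompt) -> privileged mode (# prompt)
pixfirewall> enable
Password: *****
! Privileged mode -> configuration mode ((config)# prompt)
pixfirewall# configure terminal
pixfirewall(config)# hostname pix-lab
! Outside: lowest trust, security-level 0
pix-lab(config)# interface Ethernet0
pix-lab(config-if)# nameif outside
pix-lab(config-if)# security-level 0
pix-lab(config-if)# ip address 192.0.2.2 255.255.255.0
pix-lab(config-if)# speed 100
pix-lab(config-if)# duplex full
pix-lab(config-if)# no shutdown
! Inside: highest trust, security-level 100
pix-lab(config-if)# interface Ethernet1
pix-lab(config-if)# nameif inside
pix-lab(config-if)# security-level 100
pix-lab(config-if)# ip address 10.1.1.1 255.255.255.0
pix-lab(config-if)# no shutdown
! DMZ: in between, security-level 50
pix-lab(config-if)# interface Ethernet2
pix-lab(config-if)# nameif dmz
pix-lab(config-if)# security-level 50
pix-lab(config-if)# ip address 172.16.1.1 255.255.255.0
pix-lab(config-if)# no shutdown
pix-lab(config-if)# exit
! Default route toward the outside router (metric 1)
pix-lab(config)# route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
! No translation rule is required in this example
pix-lab(config)# no nat-control
! Higher -> lower (inside -> dmz, inside -> outside, dmz -> outside) is
! allowed by default. Lower -> higher (outside -> dmz) is dropped unless
! an access-list bound to the lower-security interface permits it:
pix-lab(config)# access-list outside_in extended permit tcp any host 172.16.1.10 eq www
pix-lab(config)# access-group outside_in in interface outside
! Two interfaces at the same security level exchange no traffic by default;
! this 7.x command (an assumption, not shown on the slide) relaxes that:
pix-lab(config)# same-security-traffic permit inter-interface
```

The ACL is the only thing that opens the outside-to-DMZ path, and it opens exactly one service on one host; anything the list does not permit stays dropped. Check the result with `show access-list outside_in` (hit counts) and `show running-config interface` (names and security levels) before trusting the policy.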

Slide 45: Module 3 – Security Devices, 3.5 PIX Security Appliance Translations and Connections

Slide 46: UDP (figure)

Slide 47: NAT. NAT substitutes the local address on a packet with a global address that is routable on the destination network. If you want to enforce a NAT policy that requires hosts on a higher security interface (inside) to use NAT when communicating with a lower security interface (outside), you can enable NAT control.

Slide 48: Access through the PIX Security Appliance (figure)

Slide 49: PAT – Many-to-one NAT (figure)

Slide 50: Static Translation (figure)

Slide 51: Identity NAT – nat 0. With the nat 0 (identity NAT) command, identity NAT requires that traffic be initiated from the local host. The nat 0 command lets administrators disable address translation so that inside IP addresses are visible on the outside without address translation.
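As an added example (not taken from the Cisco slides), the configuration below puts the three translation types of slides 47 to 51 side by side on the same firewall: dynamic NAT/PAT for the inside LAN, a static translation for a DMZ server, and identity NAT with nat 0. It assumes PIX 7.0 syntax and interfaces named outside, inside and dmz at security levels 0, 100 and 50; the addresses, the ACL name and the choice of subnets are constructed for the example.

```text
! With nat-control on, an inside host cannot reach a lower-security
! interface until a nat/global, static or nat 0 rule covers it.
nat-control
! 1) Dynamic NAT with PAT fallback, all under NAT id 1:
!    hosts in 10.1.1.0/24 first take an address from the pool
!    192.0.2.100-199; when the pool is exhausted they share the
!    single address 192.0.2.200 (many-to-one PAT).
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.0.2.100-192.0.2.199 netmask 255.255.255.0
global (outside) 1 192.0.2.200 netmask 255.255.255.0
! 2) Static translation: the DMZ web server 172.16.1.10 is always
!    reachable as 192.0.2.10 from the outside. The static only creates
!    the mapping; outside -> dmz is lower -> higher, so an ACL is still
!    required to permit the connection.
static (dmz,outside) 192.0.2.10 172.16.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-group outside_in in interface outside
! 3) Identity NAT (nat 0): the 10.1.9.0/24 subnet crosses the firewall
!    with its real addresses. Connections must be initiated from the
!    inside host; nat 0 does not by itself let outside hosts reach it.
nat (inside) 0 10.1.9.0 255.255.255.0
```

Verify the translation table with `show xlate`: dynamic and PAT entries appear only after an inside host opens a connection, the static entry is present permanently, and nat 0 traffic shows the same address on both sides.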

Slide 52: Multiple Interfaces (figure)

Slide 53: Module 3 – Security Devices, 3.6 Manage a PIX Security Appliance with Adaptive Security Device Manager

Slide 54: Adaptive Security Device Manager (ASDM)

Slide 55: ASDM Compatibility

Slide 56: ASDM Home Window (screenshot)

Slide 57: Module 3 – Security Devices, 3.7 PIX Security Appliance Routing Capabilities

Slide 58: VLANs. With PIX Security Appliance Software Version 6.3 and higher, the administrator can assign VLANs to physical interfaces on the PIX or configure multiple logical interfaces on a single physical interface and assign each logical interface to a specific VLAN.

Slide 59: Static Routes

Slide 60: Routing with RIP. The clear rip command removes all the rip commands from the configuration.
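This configuration is an added example for slides 58 to 60, not from the original deck. It shows two logical VLAN interfaces carried on one physical port, static and default routes, and passive RIP, using PIX 7.0 syntax (subinterface form for VLANs, `rip <interface>` form for RIP, which is what the slide's `clear rip` removes). Interface names, VLAN numbers, addresses and next hops are constructed for the example.

```text
! Physical port used only as an 802.1Q trunk: no name, level or address
interface Ethernet1
 no nameif
 no security-level
 no ip address
 no shutdown
! Logical interface in VLAN 10: becomes "inside", security-level 100
interface Ethernet1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
! Logical interface in VLAN 20: becomes "dmz", security-level 50
interface Ethernet1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
! Default route out to the ISP router, metric 1
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
! Static route to a network behind an internal router on the inside LAN
route inside 10.2.0.0 255.255.0.0 10.1.1.254 1
! RIP version 2: learn routes on inside (passive) and advertise a default
rip inside passive version 2
rip inside default version 2
```

Keep RIP off the outside interface: the firewall should never accept routes from an untrusted network, and `rip ... passive` on inside only listens, so a compromised inside host can still inject routes unless RIP authentication is added. `show route` lists the static, connected and RIP-learned routes together so you can confirm which source won.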

Slide 61: Routing with OSPF

Slide 62: Routing with OSPF (continued)

Slide 63: Multicast Routing

Slide 64: Module 3 – Security Devices, 3.8 Firewall Services Module Operation

Slide 65: Firewall Services Module (FWSM)
– Designed for high-end enterprise and service providers
– Runs in Catalyst 6500 switches and 7600 Series routers
– Based on PIX Security Appliance technology
– PIX Security Appliance 6.0 feature set (some 6.2)
– 1 million simultaneous connections
– Over 100,000 connections per second
– 5 Gbps throughput
– Up to 4 can be stacked in a chassis, providing 20 Gbps throughput
– 1 GB DRAM
– Supports 100 VLANs
– Supports failover

Slide 66: FWSM in the Catalyst 6500 Switch (figure; labels: Supervisor engine, Redundant supervisor engine, Slots 1-9 (top to bottom), Power supply 1, Power supply 2, ESD ground strap connector, Switch fabric module, 48-port 10/100 Ethernet, 16-port GBIC, Fan assembly, FWSM)

Slide 67: FWSM in the Cisco 7609 Internet Router (figure; labels: Fan assembly, Power supply 1, Power supply 2, Switch fabric module, Supervisor engine, ESD ground strap connection, Slots 1-9 (right to left), FWSM)

Slide 68: (closing slide)
