1 © 2005 Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 ver.2 Module 8 City College of San Francisco Spring 2007
2 Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management
3 Learning Objectives
- 8.1 Configure a PIX Security Appliance to Perform in Multiple Context Mode
- 8.2 Configure PIX Security Appliance Failover
- 8.3 Configure Transparent Firewall Mode
- 8.4 PIX Security Appliance Management
4 Module 8 – PIX Security Appliance Contexts, Failover, and Management. 8.1 Configure a PIX Security Appliance to Perform in Multiple Context Mode
5 Security Contexts
6 Common Uses for Security Contexts
7 Multiple Contexts Example
8 Context Configuration Files
9 Packet Classification
10 Backing up the Single Mode Configuration
11 Admin Context
12 Enabling Multiple Context Mode
13 Adding a Context
14 Removing a Context
15 Changing the Admin Context
16 Changing Between Contexts
17 Viewing Context Information
18 Module 8 – PIX Security Appliance Contexts, Failover, and Management. 8.2 Configure PIX Security Appliance Failover
19 Hardware Failover
20 Hardware and Stateful Failover
21 Failover Triggers
The unit can fail if one of the following events occurs:
- The unit has a hardware failure or a power failure.
- The unit has a software failure.
- Too many monitored interfaces fail.
- The no failover active command is entered on the active unit, or the failover active command is entered on the standby unit.
22 Failover Behavior
23 Failover Requirements
24 Failover Hardware Requirements
The two units in a failover configuration must have the same hardware configuration. They must be the same model, have the same number and types of interfaces, and have the same amount of RAM.
25 Software Requirements
The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version. However, you can run different maintenance releases during an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active.
26 License Requirements
On the PIX security appliance platform, at least one of the units must have an Unrestricted (UR) license. The other unit can have a Failover Only (FO) license, a Failover Only Active-Active (FO_AA) license, or another UR license. Units with a Restricted license cannot be used for failover, and two units with FO or FO_AA licenses cannot be used together as a failover pair. The FO and FO_AA licenses are intended solely for units in a failover configuration, not for units in standalone mode. If a failover unit with one of these licenses is used in standalone mode, the unit will reboot at least once every 24 hours until it is returned to failover duty.
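The hardware, software and license rules on slides 24 to 26 are the kind of pre-check an engineer runs before cabling two units together. The following pre-flight checker is an added example written for this page, not Cisco code and not PIX CLI syntax: the PixUnit record, its field names and the version-string pattern are this example's own assumptions, and the inventory entries at the bottom are constructed. It encodes exactly the rules the slides state: same model, interface set and RAM; same firewall and context mode; same major.minor version with differing maintenance releases downgraded to a warning (allowed during an upgrade); no Restricted licenses; and at least one UR license so two FO/FO_AA units are never paired.

```python
import re
from dataclasses import dataclass

# Matches the version notation used on the slides, e.g. "7.0(1)":
# major.minor(maintenance). This pattern is an assumption of the example.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)$")


def parse_version(text):
    """Return (major, minor, maintenance) from a string such as '7.0(2)'."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


@dataclass(frozen=True)
class PixUnit:
    """Inventory record for one unit; field names are this example's own."""
    name: str
    model: str
    interfaces: tuple        # interface types, e.g. ("FE", "FE", "GE")
    ram_mb: int
    version: str             # e.g. "7.0(1)"
    firewall_mode: str       # "routed" or "transparent"
    context_mode: str        # "single" or "multiple"
    license: str             # "UR", "FO", "FO_AA" or "R" (Restricted)


def check_failover_pair(a, b):
    """Apply the module's hardware, software and license rules to a candidate pair.

    Returns (problems, warnings): problems block failover; warnings are
    conditions the slides explicitly allow (differing maintenance releases
    while an upgrade is in progress).
    """
    problems, warnings = [], []

    # Hardware: same model, same number and types of interfaces, same RAM.
    if a.model != b.model:
        problems.append(f"model mismatch: {a.model} vs {b.model}")
    if sorted(a.interfaces) != sorted(b.interfaces):
        problems.append("interface count/type mismatch")
    if a.ram_mb != b.ram_mb:
        problems.append(f"RAM mismatch: {a.ram_mb} MB vs {b.ram_mb} MB")

    # Software: same operating modes and same major.minor version.
    if a.firewall_mode != b.firewall_mode:
        problems.append("firewall mode mismatch (routed vs transparent)")
    if a.context_mode != b.context_mode:
        problems.append("context mode mismatch (single vs multiple)")
    va, vb = parse_version(a.version), parse_version(b.version)
    if va[:2] != vb[:2]:
        problems.append(f"major/minor version mismatch: {a.version} vs {b.version}")
    elif va[2] != vb[2]:
        warnings.append(f"maintenance releases differ ({a.version} vs {b.version}); "
                        "permitted only while an upgrade is in progress")

    # License: Restricted units cannot fail over, and at least one unit of the
    # pair must be Unrestricted, which also rules out two FO/FO_AA units.
    for unit in (a, b):
        if unit.license == "R":
            problems.append(f"{unit.name} holds a Restricted license")
    if "UR" not in (a.license, b.license):
        problems.append("neither unit holds an Unrestricted (UR) license")

    return problems, warnings


# Constructed inventory records for demonstration; not real devices.
PRIMARY = PixUnit("pix-a", "PIX 515E", ("FE", "FE", "FE"), 128, "7.0(1)",
                  "routed", "single", "UR")
SECONDARY_OK = PixUnit("pix-b", "PIX 515E", ("FE", "FE", "FE"), 128, "7.0(2)",
                       "routed", "single", "FO")
SECONDARY_BAD = PixUnit("pix-c", "PIX 515E", ("FE", "FE"), 64, "7.1(1)",
                        "transparent", "single", "R")

if __name__ == "__main__":
    for partner in (SECONDARY_OK, SECONDARY_BAD):
        problems, warnings = check_failover_pair(PRIMARY, partner)
        verdict = "eligible" if not problems else "NOT eligible"
        print(f"{PRIMARY.name} + {partner.name}: {verdict}")
        for line in problems + warnings:
            print("  -", line)
```

Run stand-alone, the script reports pix-a + pix-b as eligible with one warning (7.0(1) next to 7.0(2)) and pix-a + pix-c as ineligible on interface count, RAM, firewall mode, version and license grounds. Keeping the mid-upgrade case as a warning rather than a hard failure mirrors the slide's wording: the mismatch is tolerated, but only as a transient state.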
27 Failover Link
The two units in a failover pair constantly communicate over a failover link to determine the operating status of each unit. The following information is communicated over the failover link:
- The unit state (active or standby).
- Power status (cable-based failover only; available only on the Cisco PIX security appliance platform).
- Hello messages (keep-alives).
- Network link status.
- MAC address exchange.
- Configuration replication and synchronization.
28 Types of Failover Cabling
29 Serial Cable – Active/Standby Failover
30 LAN-Based Failover
You can use any unused Ethernet interface on the device as the failover link.
- Provides long-distance failover functionality.
- Uses an Ethernet cable rather than the serial failover cable.
- The failover link interface is not configured as a normal networking interface; it exists only for failover communication.
- Requires a dedicated switch, hub, or VLAN.
- Uses message encryption and authentication to secure failover transmissions.
31 Serial Cable Failover
The serial failover cable, or "cable-based failover," is only available on the PIX security appliance platform. The two units must be no more than six feet apart. The cable that connects the two units is a modified RS-232 serial link cable that transfers data at 117,760 bps (115 Kbps). One end of the cable is labeled "Primary"; the unit attached to this end of the cable automatically becomes the primary unit. The other end of the cable is labeled "Secondary".
32 Stateful Failover
To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. If you are using a dedicated Ethernet interface for the Stateful Failover link, you can use either a switch or a crossover cable to directly connect the units. If you use a switch, no other hosts or routers should be on this link.
33 Active/Active Failover
34 Active/Active Failover
35 Module 8 – PIX Security Appliance Contexts, Failover, and Management. 8.3 Configure Transparent Firewall Mode
36 Transparent Versus Routed Firewall
37 Transparent Firewall Benefits
Easily integrated and maintained in an existing network:
- IP readdressing not necessary.
- No NAT to configure.
- No IP routing to troubleshoot.
38 Transparent Firewall Guidelines
- Layer 3 traffic must be explicitly permitted.
- Each directly connected network must be on the same subnet.
- A management IP address is required for each context, even if you do not intend to use Telnet to the context.
- The management IP address must be on the same subnet as the connected network.
- Do not specify the PIX management IP address as the default gateway for connected devices. Devices need to specify the router on the other side of the PIX as the default gateway.
- Each interface must be a different VLAN interface.
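Slide 38's guidelines (and the unsupported-feature list that follows on slide 39) are easy to violate when a context is first described on paper, before anything is typed into the appliance. The validator below is an added example for this page, not Cisco code: the context is a plain Python dict whose keys, the feature labels, and the two sample contexts are all this example's own constructions rather than PIX configuration syntax. It checks that every interface sits on a distinct VLAN, that all connected networks are one subnet, that a management IP exists and lies in that subnet, that hosts are not pointed at the management IP as their gateway, and that no feature the slides list as unsupported in transparent mode is enabled.

```python
import ipaddress

# Features the slides list as unsupported in transparent firewall mode.
# The labels are this example's own vocabulary, not PIX command names.
UNSUPPORTED_IN_TRANSPARENT_MODE = {
    "nat", "dynamic-routing", "ipv6", "dhcp-relay",
    "qos", "multicast", "vpn-through-traffic",
}


def validate_transparent_context(ctx):
    """Check one context description against the transparent-mode guidelines.

    ctx is a plain dict (this example's own data model) with keys:
    name, interfaces (list of {"name", "vlan", "network"}), management_ip,
    host_default_gateway, features. Returns a list of guideline violations;
    an empty list means every check passed.
    """
    problems = []
    interfaces = ctx.get("interfaces", [])

    # Each interface must be a different VLAN interface.
    vlans = [iface["vlan"] for iface in interfaces]
    if len(set(vlans)) != len(vlans):
        problems.append("each interface must be a different VLAN interface")

    # Each directly connected network must be on the same subnet: the
    # transparent firewall bridges one subnet rather than routing between two.
    networks = {ipaddress.ip_network(iface["network"], strict=False)
                for iface in interfaces}
    if len(networks) > 1:
        problems.append("directly connected networks must be on the same subnet: "
                        + ", ".join(sorted(map(str, networks))))
    bridged = next(iter(networks)) if len(networks) == 1 else None

    # A management IP is required for every context and must lie in that subnet.
    mgmt = ctx.get("management_ip")
    if mgmt is None:
        problems.append("a management IP address is required for each context")
    elif bridged is not None and ipaddress.ip_address(mgmt) not in bridged:
        problems.append(f"management IP {mgmt} is not in connected subnet {bridged}")

    # Hosts must use the router on the far side of the PIX as their default
    # gateway, never the PIX management address.
    gateway = ctx.get("host_default_gateway")
    if gateway is not None:
        gw_addr = ipaddress.ip_address(gateway)
        if mgmt is not None and gw_addr == ipaddress.ip_address(mgmt):
            problems.append("connected devices must not use the PIX management IP "
                            "as their default gateway")
        elif bridged is not None and gw_addr not in bridged:
            problems.append(f"host default gateway {gateway} is not in "
                            f"connected subnet {bridged}")

    # Features that transparent mode does not support.
    unsupported = sorted(set(ctx.get("features", [])) & UNSUPPORTED_IN_TRANSPARENT_MODE)
    if unsupported:
        problems.append("unsupported in transparent mode: " + ", ".join(unsupported))

    return problems


# Constructed context descriptions for demonstration.
GOOD_CONTEXT = {
    "name": "ctx-finance",
    "interfaces": [
        {"name": "inside", "vlan": 10, "network": "10.1.1.0/24"},
        {"name": "outside", "vlan": 20, "network": "10.1.1.0/24"},
    ],
    "management_ip": "10.1.1.5",
    "host_default_gateway": "10.1.1.1",
    "features": ["acl", "arp-inspection"],
}

BAD_CONTEXT = {
    "name": "ctx-lab",
    "interfaces": [
        {"name": "inside", "vlan": 10, "network": "10.1.1.0/24"},
        {"name": "outside", "vlan": 10, "network": "10.1.1.0/24"},
    ],
    "management_ip": "192.168.1.5",
    "host_default_gateway": "192.168.1.5",
    "features": ["acl", "nat", "dhcp-relay"],
}

if __name__ == "__main__":
    for ctx in (GOOD_CONTEXT, BAD_CONTEXT):
        issues = validate_transparent_context(ctx)
        print(f"{ctx['name']}: {'OK' if not issues else f'{len(issues)} issue(s)'}")
        for issue in issues:
            print("  -", issue)
```

The good context passes cleanly; the lab context trips four checks at once (duplicate VLAN, off-subnet management IP, hosts gatewayed to that management IP, and NAT plus DHCP relay enabled). Running a description through a check like this before enabling transparent mode turns the slide's guidelines into something a change review can enforce.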
39 Unsupported Features
The following features are not supported in transparent firewall mode:
- NAT
- Dynamic routing protocols
- IPv6
- DHCP relay
- Quality of Service
- Multicast
- VPN termination for through traffic
40 View the Current Firewall Mode
41 Enable Transparent Firewall Mode
42 Assigning the Management IP Address
43 Configure ACLs
44 ARP Inspection
45 MAC Address Table
46 Disable MAC Address Learning
47 Adding a Static MAC Address
48 Viewing the MAC Address Table
49 debug Commands
50 Module 8 – PIX Security Appliance Contexts, Failover, and Management. 8.4 PIX Security Appliance Management
51 Configure Telnet Access
52 SSH Connections to the PIX
SSH connections to the PIX Security Appliance:
- Provide secure remote access.
- Provide strong authentication and encryption.
- Require RSA key pairs for the PIX.
- Require AES or 3DES activation keys.
- Allow up to five SSH clients to simultaneously access the PIX console.
- Use the Telnet password for local authentication.
53 SSH Connections
54 Command Authorization Overview
The purpose of command authorization is to securely and efficiently administer the PIX Security Appliance. It has the following types:
- Enable-level command authorization with passwords
- Command authorization using the local user database
- Command authorization using ACS
55 Create and Password Protect Privilege Levels
56 Configuring Command Authorization
57 Viewing Command Authorization Configuration
58 Password Recovery ASA
59 Viewing Directory Contents
60 Viewing File Contents
61 Directory Management
62 Copying Files
63 Installing Software
64 File Backup
65 Viewing Version Information
66 Image Upgrade
67 Entering a New Activation Key
68 Upgrading the Image and Activation Key
Complete the following steps to upgrade the image and the activation key at the same time:
Step 1: Install the new image.
Step 2: Reboot the system.
Step 3: Update the activation key.
Step 4: Reboot the system.
69 Troubleshooting the Activation Key Upgrade