
Lesson 2a © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—2-1 Firewall Technologies and the Cisco Security Appliance.


1 Lesson 2a: Firewall Technologies and the Cisco Security Appliance

2 Firewall

3 What Is a Firewall?
A firewall is a system or group of systems that manages access between two or more networks.
Diagram labels: Internet, Outside Network, DMZ Network, Inside Network.

4 Firewall Technologies
Firewall operations are based on one of three technologies:
–Packet filtering
–Proxy server
–Stateful packet filtering

5 Packet Filtering
Limits information that is allowed into a network based on the destination and source address.
Diagram: Host A on the Internet sends Data to Server B (DMZ) and to Server C (Inside); the filter's rule table reads A to B: Yes, A to C: No.

6 Proxy Server
Requests connections on behalf of a client that is inside the firewall to servers on the Internet.
Diagram labels: Internet, Outside Network, Proxy Server, Inside Network.

7 Stateful Packet Filtering
Limits information that is allowed into a network based not only on the destination and source addresses, but also on the packet state table content.
Diagram: Host A (172.16.0.50) on the Internet sends HTTP Data to Server B (DMZ) and Server C (Inside). State table columns: Source address, Destination address, Source port, Destination port, Initial sequence #, Ack, Flag. Entries shown: 172.16.0.50 to 10.0.0.11, port 1026 to 80, initial sequence # 49091, flag Syn; 172.16.0.50 to 192.168.0.20, port 1026 to 80, initial sequence # 49769, flag Syn.

8 Security Appliance Overview

9 Security Appliances: What Are They?
Cisco security appliances deliver enterprise-class security for small-to-medium-sized business and enterprise networks in a modular, purpose-built appliance. Some features of Cisco security appliances are:
–Proprietary operating system
–Stateful packet inspection
–User-based authentication
–Protocol and application inspection
–Modular policy
–Virtual private networking
–Security contexts (virtual firewalls)
–Stateful failover capabilities
–Transparent firewalls
–Web-based management solutions

10 Proprietary Operating System
Eliminates the risks associated with general-purpose operating systems.

11 Stateful Packet Inspection
The stateful packet inspection algorithm provides stateful connection security:
–It tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags.
–It randomizes the initial TCP sequence number of each new connection.
By default, the stateful packet inspection algorithm allows connections originating from hosts on inside (higher security level) interfaces.
By default, the stateful packet inspection algorithm drops connection attempts originating from hosts on outside (lower security level) interfaces.
The stateful packet inspection algorithm supports authentication, authorization, and accounting.
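The following Python model ties together slides 7 and 11: a state table keyed on source and destination addresses and ports, the default permit for connections that originate on a higher-security interface, the default drop for attempts from a lower-security interface, and initial sequence number randomization with the matching translation of the return traffic. It is an added illustration, not Cisco code or the appliance's real algorithm; the interface names, security levels, routing table and addresses are constructed and do not correspond to the slide diagrams.

```python
"""Toy stateful packet filter: state table, security-level default, ISN randomization.

Constructed example. Interfaces, security levels, routes and addresses are made up.
"""
import random
from dataclasses import dataclass, replace

MOD32 = 2 ** 32

# Interface security levels: higher -> lower is allowed by default.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

# Constructed routing table: which interface each address sits behind.
ROUTES = {"10.1.1.20": "inside", "192.0.2.30": "dmz", "203.0.113.10": "outside"}


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # "SYN", "SYN-ACK", "ACK", ...
    seq: int = 0
    ack: int = 0


@dataclass
class Conn:
    egress: str       # interface the initiator's packets leave through
    delta: int        # randomized ISN minus the initiator's original ISN (mod 2**32)


class StatefulFilter:
    def __init__(self, rng=None):
        self.rng = rng or random.Random()
        # key: (src, sport, dst, dport) as seen from the connection initiator
        self.table = {}

    def filter(self, pkt):
        """Return (verdict, forwarded packet or None). Sequence/ack numbers are
        rewritten so the far end only ever sees the randomized ISN."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rkey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if key in self.table:
            # Initiator -> responder on a tracked connection.
            conn = self.table[key]
            return "PERMIT", replace(pkt, seq=(pkt.seq + conn.delta) % MOD32)

        if rkey in self.table:
            # Responder -> initiator: return traffic is let back in, but only
            # on the interface the connection left through.
            conn = self.table[rkey]
            if pkt.iface != conn.egress:
                return "DROP", None
            return "PERMIT", replace(pkt, ack=(pkt.ack - conn.delta) % MOD32)

        # No state entry: only a SYN can start a new connection ...
        if pkt.flags != "SYN":
            return "DROP", None
        egress = ROUTES.get(pkt.dst)
        # ... and only from a higher-security interface towards a lower one
        # (same or lower towards higher is denied by default in this model).
        if egress is None or SECURITY_LEVEL[pkt.iface] <= SECURITY_LEVEL[egress]:
            return "DROP", None
        new_isn = self.rng.randrange(MOD32)
        self.table[key] = Conn(egress=egress, delta=(new_isn - pkt.seq) % MOD32)
        return "PERMIT", replace(pkt, seq=new_isn)


def demo():
    fw = StatefulFilter(random.Random(2005))
    # 1. Inside client opens HTTP to an outside server: permitted, entry created.
    v1, out = fw.filter(Packet("inside", "10.1.1.20", 1026, "203.0.113.10", 80, "SYN", seq=1000))
    # 2. The server's SYN-ACK acknowledges the randomized ISN; the firewall
    #    translates the ack back to what the inside client expects (1001).
    v2, back = fw.filter(Packet("outside", "203.0.113.10", 80, "10.1.1.20", 1026,
                                "SYN-ACK", seq=5, ack=(out.seq + 1) % MOD32))
    # 3. Unsolicited SYN from the DMZ towards the inside: no state, lower -> higher, dropped.
    v3, _ = fw.filter(Packet("dmz", "192.0.2.30", 40000, "10.1.1.20", 80, "SYN", seq=7))
    # 4. A packet for the tracked connection that arrives on the wrong interface is dropped.
    v4, _ = fw.filter(Packet("dmz", "203.0.113.10", 80, "10.1.1.20", 1026, "ACK", ack=1))
    # 5. A mid-stream ACK with no state entry at all is dropped too.
    v5, _ = fw.filter(Packet("inside", "10.1.1.20", 2000, "203.0.113.10", 80, "ACK"))
    return v1, v2, v3, v4, v5, out.seq != 1000, back.ack


if __name__ == "__main__":
    print(demo())
```

The state table is keyed from the initiator's side, so the reply lookup uses the reversed tuple; that is what lets the server's SYN-ACK through without any rule that would admit an unsolicited outside-to-inside SYN.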

12 Cut-Through Proxy Operation
1. The user makes a request to an ISP.
2. The security appliance intercepts the connection.
3. At the application layer, the security appliance prompts the user for a username and password. It then authenticates the user against a RADIUS or TACACS+ server and checks the security policy.
4. The security appliance initiates a connection from the security appliance to the destination ISP.
5. The security appliance directly connects the internal or external user to the ISP via the security appliance. Communication then takes place at a lower level of the OSI model.
Diagram: Internal or External User, Cisco Secure Security Appliance, ISP; a browser login dialog titled "Username and Password Required" with User Name and Password fields.

13 Application-Aware Inspection
Protocols such as FTP, HTTP, H.323, and SQL*Net need to negotiate connections to dynamically assigned source or destination ports through the firewall.
The security appliance inspects packets above the network layer.
The security appliance securely opens and closes negotiated ports for legitimate client-server connections through the firewall.
Diagram: FTP Client (Control Port 2008, Data Port 2010) and FTP Server (Control Port 21, Data Port 20); the client announces "Data - Port 2010", the server replies "Port 2010 OK", and Data then flows.
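The FTP exchange on this slide, worked through in Python as an added example (not Cisco code): the inspector reads the control channel, decodes the negotiated data port, opens a pinhole for exactly that client-server data connection, and closes it once the connection has been seen. It goes slightly beyond the slide by also handling the passive-mode reply from the server. Addresses and ports are constructed; the two regular expressions follow the RFC 959 PORT command and 227 reply formats.

```python
"""Toy FTP application inspection: learn the negotiated port, open a single-use pinhole.

Constructed example. Addresses and ports are made up.
"""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Turn the six comma-separated numbers of PORT/PASV into (ip, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpInspector:
    def __init__(self):
        # pinhole key: (data connection source ip, destination ip, destination port)
        self.pinholes = set()

    def client_command(self, client_ip, server_ip, line):
        """Active mode: the client announces where the server should connect (PORT)."""
        m = PORT_RE.match(line)
        if not m:
            return False
        decoded = decode_hostport(m.groups())
        if decoded is None:
            return False
        addr, port = decoded
        # Only honour an address that is the client itself and an unprivileged
        # port; anything else is not a legitimate data channel for this session.
        if addr != client_ip or port < 1024:
            return False
        self.pinholes.add((server_ip, client_ip, port))
        return True

    def server_reply(self, client_ip, server_ip, line):
        """Passive mode: the server announces where the client should connect (227)."""
        m = PASV_RE.match(line)
        if not m:
            return False
        decoded = decode_hostport(m.groups())
        if decoded is None:
            return False
        addr, port = decoded
        if addr != server_ip or port < 1024:
            return False
        self.pinholes.add((client_ip, server_ip, port))
        return True

    def allow_data(self, src, dst, dport):
        """Permit a new data connection only if a pinhole exists. The pinhole is
        single-use, so the negotiated port is closed again after the connection."""
        key = (src, dst, dport)
        if key in self.pinholes:
            self.pinholes.remove(key)
            return True
        return False


def demo():
    client, server = "10.1.1.20", "203.0.113.10"
    insp = FtpInspector()
    # Active mode, as on the slide: the client offers data port 2010 (7*256 + 218).
    port_ok = insp.client_command(client, server, "PORT 10,1,1,20,7,218\r\n")
    first = insp.allow_data(server, client, 2010)    # server -> client:2010 opened
    second = insp.allow_data(server, client, 2010)   # pinhole already consumed
    other = insp.allow_data(server, client, 2011)    # never negotiated
    # A PORT naming some other host is not the client itself, so no pinhole.
    third_party = insp.client_command(client, server, "PORT 192,0,2,30,7,218\r\n")
    # Passive mode: the server offers port 5001 (19*256 + 137).
    pasv_ok = insp.server_reply(client, server, "227 Entering Passive Mode (203,0,113,10,19,137)\r\n")
    pasv_data = insp.allow_data(client, server, 5001)
    return port_ok, first, second, other, third_party, pasv_ok, pasv_data


if __name__ == "__main__":
    print(demo())
```

The pinhole is removed on first use, which is the "opens and closes negotiated ports" behaviour the slide describes; a data connection to any port the control channel did not negotiate, or a second connection to the same port, is refused.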

14 Modular Policy
Construction of flow-based policies:
–Identify specific flows.
–Apply services to that flow.
Diagram: a Class Map (traffic flow: Default/Internet, System Engineer, Executives, Site to Site) feeds a Policy Map (services: Inspect, IPS, Police, Priority), which is applied by a Service Policy (interface/global: Global, Outside). Topology labels: Headquarters, System Engineer, Executives, Internet, T1, Site B, Site C, SE, exec, S2S.
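The class map, policy map and service policy chain on this slide, modelled in Python as an added example rather than ASA configuration syntax or Cisco code. Networks, interface names and service settings are constructed, and the precedence rule it assumes (each feature is taken from the first matching class in a policy map, and an interface policy wins over the global policy for a feature both set) is the model adopted here, not a statement from the slide.

```python
"""Toy Modular Policy Framework: class maps identify flows, policy maps attach
services, service policies bind a policy map to an interface or globally.

Constructed example. Networks, interface names and settings are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    iface: str      # interface on which the flow is classified
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class ClassMap:
    """Matches when every specified criterion matches; no criteria = match all."""
    name: str
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, flow):
        if self.src_net and ip_address(flow.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(flow.dst) not in ip_network(self.dst_net):
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        return True


@dataclass(frozen=True)
class PolicyMap:
    name: str
    entries: tuple  # ((ClassMap, {feature: setting}), ...) in configured order

    def services_for(self, flow):
        """Each feature comes from the first class, in order, that matches the flow."""
        chosen = {}
        for cmap, services in self.entries:
            if not cmap.matches(flow):
                continue
            for feature, setting in services.items():
                chosen.setdefault(feature, (cmap.name, setting))
        return chosen


class ServicePolicy:
    def __init__(self):
        self.global_policy = None
        self.by_iface = {}

    def apply(self, policy_map, iface=None):
        """iface=None binds the policy map globally, otherwise to one interface."""
        if iface is None:
            self.global_policy = policy_map
        else:
            self.by_iface[iface] = policy_map

    def services_for(self, flow):
        """Interface policy first; the global policy fills features it did not set."""
        chosen = {}
        for pmap in (self.by_iface.get(flow.iface), self.global_policy):
            if pmap is None:
                continue
            for feature, value in pmap.services_for(flow).items():
                chosen.setdefault(feature, value)
        return chosen


def build_policy():
    """Constructed policy reusing the class and service names from the slide."""
    default = ClassMap("Default")
    engineers = ClassMap("System Engineer", src_net="10.10.0.0/24")
    executives = ClassMap("Executives", src_net="10.20.0.0/24")
    site_to_site = ClassMap("Site to Site", dst_net="10.200.0.0/16")

    global_policy = PolicyMap("global_policy", ((default, {"inspect": "default-inspections"}),))
    outside_policy = PolicyMap("outside_policy", (
        (site_to_site, {"priority": "low-latency-queue"}),
        (executives, {"police": "2 Mb/s"}),
        (engineers, {"ips": "inline"}),
        (default, {"inspect": "http-strict"}),
    ))
    sp = ServicePolicy()
    sp.apply(global_policy)               # bound globally
    sp.apply(outside_policy, "outside")   # bound to the outside interface
    return sp


def demo():
    sp = build_policy()
    exec_web = Flow("outside", "10.20.0.5", "198.51.100.7", 443)
    exec_branch = Flow("outside", "10.20.0.5", "10.200.1.9", 445)
    guest_inside = Flow("inside", "10.30.0.1", "198.51.100.7", 80)
    return sp.services_for(exec_web), sp.services_for(exec_branch), sp.services_for(guest_inside)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Reading the three results side by side shows the two halves of the slide's definition: the class maps decide which flow a rule applies to, and the policy map plus service policy decide which services (inspect, IPS, police, priority) that flow receives on which interface.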

15 Virtual Private Network
Diagram labels: Site to Site, Remote Access, IPSec VPN, SSL VPN, Internet, Bank.

16 Security Context (Virtual Firewall)
Ability to create multiple security contexts (virtual firewalls) within a single security appliance.
Diagram: Four Physical Firewalls versus One Physical Firewall running Four Virtual Firewalls, both connected to the Internet.

17 Failover Capabilities: Active/Standby, Active/Active, and Stateful Failover
Failover protects the network should the primary go offline.
–Active/standby—Only one unit can be actively processing traffic; the other is hot standby.
–Active/Active—Both units can process traffic and serve as backup units.
Stateful failover maintains operating state during failover.
Diagram: Failover Active/Standby (Primary: Failed, Secondary: Active Firewall) and Failover Active/Active (Primary: Failed/Standby, Secondary: Active/Active, contexts 1 and 2), each connected to the Internet.

18 Transparent Firewall
Has the ability to deploy a security appliance in a secure bridging mode.
Provides rich Layers 2 through 7 security services as a Layer 2 device.
Diagram labels: Internet, 192.168.1.2, 192.168.1.5.

19 Web-Based Management Solutions
Adaptive Security Device Manager

20 Summary
There are three firewall technologies: packet filtering, proxy server, and stateful packet filtering.
Features of the Cisco PIX Firewall Security Appliances and ASA Security Appliances include the following: proprietary operating system, stateful packet inspection, cut-through proxy, stateful failover, modular policy, VPNs, transparent firewall, security contexts, web-based management, and stateful packet filtering.
