Quản trị mạng - Implementing the cisco adaptive security appliance (asa)

Implementing the Cisco Adaptive Security Appliance (ASA) CCNA Security 1 Objectives 2 Overview of the ASA • Which kind of branch is appropriate for the IOS firewall solution ? Refer to 10.1.1.1 • What is disadvantage of the IOS firewall solution ? 3 Overview of the ASA 4 Overview of the ASA • The ASA is a standalone firewall device that is a primary component of the Cisco SecureX architecture. • All six ASA models provide advanced stateful firewall features and VPN functionality. • The biggest difference between the models is the maximum traffic throughput handled by each model and the number and type of interfaces. • The choice of ASA model will depend on an organization's requirements, such as maximum throughput, maximum connections per second, and budget. 5 Overview of the ASA • The ASA software combines firewall, VPN concentrator, and intrusion prevention functionality into one software image. • Previously, these functions were available in three separate devices, each with its own software and hardware. 1. PIX 2. VPN concentrator 3. IDS 6 Overview of the ASA Other advanced ASA features include these: 1. ASA virtualization 2. High availability with failover 3. Identity firewall 4. Threat control and containment services Refer to 10.1.1.1 7 Overview of the ASA • All ASA models can be configured and managed using either the command line interface or the Adaptive Security Device Manager (ASDM). 8 Overview of the ASA • By default, the ASA treats a defined inside interface as the trusted network, and any defined outside interfaces as untrusted networks. • Each interface has an associated security level • An ASA provides the same as ZPF/CBAC features but the configuration differs markedly from the IOS router configuration of ZPF. 9 Refer to 10.1.1.2 Overview of the ASA 10 Overview of the ASA 11 Overview of the ASA • The ASA is a stateful firewall. It tracks the state of the TCP or UDP network connections traversing it. • All traffic forwarded through an ASA is inspected using the Adaptive Security Algorithm and is either allowed to pass through or is dropped. 12 Refer to 10.1.1.3 Overview of the ASA • Session management path ? • Control plane path ? • Layer 7 inspection ? • Fast path ? 13 Refer to 10.1.1.3 Overview of the ASA Refer to 10.1.1.4 14 Overview of the ASA • Most ASA appliances come pre-installed with either a Base license or a Security Plus license. • To provide additional features to the ASA, additional time- based or optional licenses can be purchased. • Combining these additional licenses to the pre-installed licenses creates a permanent license. The permanent license is then activated by installing a permanent activation key using the activation-key command. 15 Overview of the ASA • Only one permanent license key can be installed and once it is installed, it is referred to as the running license. • To verify the license information on an ASA device, use the show version or the show activation-key command. 16 Overview of the ASA Refer to 10.1.1.5 The ASA 5505 Features • The Cisco ASA 5505 is a full-featured security appliance for small businesses, branch offices, and enterprise teleworker environments. • It delivers a high-performance firewall, SSL VPN, IPsec VPN, and rich networking services in a modular, plug-and- play appliance. 18 Refer to 10.1.2.1 Security Level • Security levels define the level of trustworthiness of an interface. The higher the level, the more trusted the interface. The security level numbers range between 0 (untrustworthy) to 100 (very trustworthy) • Each operational interface must have a name and a security level from 0 (lowest) to 100 (highest) assigned. 19 Refer to 10.1.2.2 Security levels help control: 1.Network access 2. Inspection engines 3.Filtering Security Level • On an ASA 5505, Layer 3 parameters are configured on a switch virtual interface (SVI). An SVI, a logical VLAN interface, requires a name, interface security level, and IP address. Refer to 10.1.2.2 20 The Deployment of the ASA 5505 • The ASA 5505 is commonly used as an edge security device that connects a small business to an ISP device, such as a DSL or cable modem, for access to the Internet. Refer to 10.1.2.3 21 The ASA 5510 Features Refer to 10.1.2.4 22 Default Configuration of ASA 5510 and higher • The default factory configuration includes the following: 1. The management interface, Management 0/0, is preconfigured with the IP address 192.168.1.1 and mask 255.255.255.0. 2. The DHCP server is enabled on the ASA, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254. 3. The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network. 23 Refer to 10.1.2.5 ASA Access Modes • User EXEC mode - ciscoasa> en • Privileged EXEC mode - ciscoasa# config t • Global configuration mode - ciscoasa(config)# • Various sub-configuration modes, for example - ciscoasa(config-if)# • ROMMON mode - ROMMON> 24 ASA Access Modes 25 IOS and ASA Commands 1. Execute any ASA CLI command regardless of the current configuration mode prompt. The IOS do command is not required or recognized. 2. Provide a brief description and command syntax when Unlike an ISR, the ASA performs as follows: help is entered followed by the command. 3. Interrupt show command output using Q. The IOS requires the use of Ctrl+C (^C). 26 Refer to 10.2.1.1 IOS and ASA Commands 27 Default Configuration • The ASA 5505 ships with a default configuration that, in most cases, is sufficient for a basic SOHO deployment. • The configuration includes two preconfigured VLAN networks: VLAN1 and VLAN2. VLAN 1 is for the inside network and VLAN 2 is for the outside network. • The ASA can be restored to its factory default configuration by using the configure factory-default global configuration command. 28 Refer to 10.2.1.2 Erase Configuration and Reboot • The ASA startup configuration can be erased using the write erase and reload commands. • Note: Unlike router IOS, the ASA does not recognize the erase startup-config command. • Once rebooted, the ASA displays the following prompt "Pre-configure Firewall now through interactive prompts [yes]?" 29 Refer to 10.2.1.3 Configuration Management Settings and Services • Configure Basic Settings • Configure the Interfaces Refer to 10.2.2.1 30 Configuration Management Settings and Services Refer to 10.2.2.2 31 Configuration Management Settings and Services • Configure a Default Route Refer to 10.2.2.2 32 Configuration Management Settings and Services • Configure Telnet Access Refer to 10.2.2.3 33 Configuration Management Settings and Services • Configure NTP Services Refer to 10.2.2.3 34 Configuration Management Settings and Services • Configure DHCP Services Refer to 10.2.2.4 35 Configuration Management Settings and Services • Configure DHCP Services Refer to 10.2.2.4 36 Introduction to ASDM • The management interface depends on the model of ASA: – Cisco ASA 5505 - The management switch port can be any port, except for Ethernet 0/0. – Cisco ASA 5510 and higher - The interface to connect is Management 0/0. 37 Note: To remove and disable the ASA HTTP server service, use the global configuration command clear configure http. Refer to 10.2.3.1 Introduction to ASDM Refer to 10.2.3.2 - 5 38 ASDM Wizards Refer to 10.2.4.1 - 4 39 Object Groups • The advantage is that when an object is modified, the change is automatically applied to all rules that use the specified object. Therefore, objects make it easy to maintain configurations. 40 Refer to 10.2.5.1 - 5 ACLs • ASA ACLs differ from IOS ACLs in that they use a network mask (e.g., 255.255.255.0) instead of a wildcard mask (e.g. 0.0.0.255). Also most ASA ACLs are named instead of numbered. 41 Refer to 10.2.6.1 - 5 NAT Service on an ASA • The ASA supports NAT and PAT and these addresses can also be provided either statically or dynamically. 42 Refer to 10.2.7.1 - 4 Access Control on an ASA • The ASA can authenticate all administrative connections to the ASA, including Telnet, SSH, console, ASDM using HTTPS, and privileged EXEC. • The ASA can authorize the following items: – Management commands – Network access – VPN access 43 Refer to 10.2.8.1 - 5 Service Policies on an ASA • Modular Policy Framework (MPF) configuration defines a set of rules for applying firewall features, such as traffic inspection and QoS, to the traffic that traverses the ASA. 44 Refer to 10.2.9.1 - 5 ASA Remote-Access VPN Options • Enterprise users are requesting support for their mobile devices including smart phones, tablets, notebooks, and a broader range of laptop manufacturers and operating systems. 45 Refer to 10.3.1.1 - 5 ASA Remote-Access VPN Options • Cisco AnyConnect is available for the following platforms: – iOS devices (iPhone, iPad, and iPod Touch) – Android OS (select models) – BlackBerry – Windows Mobile 6.1 – HP webOS – Nokia Symbian 46 Refer to 10.3.1.1 - 5 Clientless SSL VPN 47 Refer to 10.3.2.1 - 2 Configuring Clientless SSL VPN 48 Refer to 10.3.3.1 - 4 AnyConnect SSL VPN 49 Refer to 10.3.4.1 - 2 Configuring AnyConnect SSL VPN 50 Refer to 10.3.5.1 - 5