Cisco ASA All-in-One Firewall, IPS, and VPN Adaptive Security Appliance

Name: Cisco ASA All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
Price: 6.93 USD
Availability: InStock
ISBN: 9781587052095

ISBN-10: 1587052091

ISBN-13: 9781587052095

Edition: 2006

Authors: Omar Santos, Jazib Frahim

List price: $80.00

30 day, 100% satisfaction guarantee!

Marketplace

2 new & used from $6.93

what's this?

Rush Rewards U
Members Receive:

You have reached 400 XP and carrot coins. That is the daily max!

Description:

Identify, mitigate, and respond to network attacks Understand the evolution of security technologies that make up the unified ASA device and how to install the ASA hardware Examine firewall solutions including network access control, IP routing, AAA, application inspection, virtual firewalls, transparent (Layer 2) firewalls, failover and redundancy, and QoS Evaluate Intrusion Prevention System (IPS) solutions including IPS integration and Adaptive Inspection and Prevention Security Services Module (AIP-SSM) configuration Deploy VPN solutions including site-to-site IPsec VPNs, remote- access VPNs, and Public Key Infrastructure (PKI) Learn to manage firewall, IPS, and VPN… solutions with Adaptive Security Device Manager (ASDM) Achieving maximum network security is a challenge for most organizations. Cisco(R) ASA, a new unified security device that combines firewall, network antivirus, intrusion prevention, and virtual private network (VPN) capabilities, provides proactive threat defense that stops attacks before they spread through the network. This new family of adaptive security appliances also controls network activity and application traffic and delivers flexible VPN connectivity. The result is a powerful multifunction network security device that provides the security breadth and depth for protecting your entire network, while reducing the high deployment and operations costs and complexities associated with managing multiple point products. "Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance" is a practitioner' s guide to planning, deploying, and troubleshooting a comprehensivesecurity plan with Cisco ASA. The book provides valuable insight and deployment examples and demonstrates how adaptive identification and mitigation services on Cisco ASA provide a sophisticated security solution for both large and small network environments. The book contains many useful sample configurations, proven design scenarios, and discussions of debugs that help you understand how to get the most out of Cisco ASA in your own network. " I have found this book really highlights the practical aspects needed for building real-world security. It offers the insider' s guidance needed to plan, implement, configure, and troubleshoot the Cisco ASA in customer environments and demonstrates the potential and power of Self-Defending Networks." -Jayshree Ullal, Sr. Vice President, Security Technologies Group, Cisco Systems(R) This security book is part of the Cisco Press(R) Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Book details

List price: $80.00
Copyright year: 2006
Publisher: Cisco Press
Publication date: 10/14/2005
Binding: Paperback
Pages: 840
Size: 7.50" wide x 9.25" long x 1.75" tall
Weight: 2.992
Language: English



Foreword


Introduction



Product Overview



Introduction to Network Security


Firewall Technologies


Network Firewalls


Packet-Filtering Techniques


Application Proxies


Network Address Translation


Port Address Translation


Static Translation


Stateful Inspection Firewalls


Personal Firewalls


Intrusion Detection and Prevention Technologies


Network-Based Intrusion Detection and Prevention Systems


Pattern Matching and Stateful Pattern-Matching Recognition


Protocol Analysis


Heuristic-Based Analysis


Anomaly-Based Analysis


Host-Based Intrusion Detection Systems


Network-Based Attacks


DoS Attacks


TCP SYN Flood Attacks


land.c Attacks


Smurf Attacks


DDoS Attacks


Session Hijacking


Virtual Private Networks


Understanding IPSec


Internet Key Exchange


IKE Phase 1


IKE Phase 2


IPSec Protocols


Authentication Header


Encapsulation Security Payload


IPSec Modes


Transport Mode


Tunnel Mode


Summary



Product History


Cisco Firewall Products


Cisco PIX Firewalls


Cisco FWSM


Cisco IOS Firewall


Cisco IDS Products


Cisco VPN Products


Cisco ASA All-in-One Solution


Firewall Services


IPS Services


VPN Services


Summary



Hardware Overview


Cisco ASA 5510 Model


Cisco ASA 5520 Model


Cisco ASA 5540 Model


AIP-SSM Modules


Summary



Firewall Solution



Initial Setup and System Maintenance


Accessing the Cisco ASA Appliances


Establishing a Console Connection


Command-Line Interface


Managing Licenses


Initial Setup


Setting Up the Device Name


Configuring an Interface


Configuring a Subinterface


Configuring a Management Interface


DHCP Services


IP Version 6


IPv6 Header


Configuring IPv6


IP Address Assignment


Setting Up the System Clock


Manual Clock Adjustment Using clock set


Automatic Clock Adjustment Using the Network Time Protocol


Time Zones and Daylight Savings Time


Configuration Management


Running Configuration


Startup Configuration


Removing the Device Configuration


Remote System Management


Telnet


Secure Shell


System Maintenance


Software Installation


Image Upgrade via the Cisco ASA CLI


Image Recovery Using ROMMON


Password Recovery Process


Disabling the Password Recovery Process


System Monitoring


System Logging


Enabling Logging


Logging Types


Additional Syslog Parameters


Simple Network Management Protocol


Configuring SNMP


SNMP Monitoring


CPU and Memory Monitoring


Summary



Network Access Control


Packet Filtering


Types of ACLs


Standard ACLs


Extended ACLs


IPv6 ACLs


EtherType ACLs


WebVPN ACLs


Comparing ACL Features


Configuring Packet Filtering


Step 1: Set Up an ACL


Step 2: Apply an ACL to an Interface


Step 3: Set Up an IPv6 ACL (Optional)


Advanced ACL Features


Object Grouping


Object Types


Object Grouping and ACLs


Standard ACLs


Time-Based ACLs


Absolute


Periodic


Downloadable ACLs


ICMP Filtering


Content and URL Filtering


Content Filtering


ActiveX Filtering


Java Filtering


Configuring Content Filtering


URL Filtering


Configuring URL Filtering


Deployment Scenarios Using ACLs


Using ACLs to Filter Inbound and Outbound Traffic


Enabling Content Filtering Using Websense


Monitoring Network Access Control


Monitoring ACLs


Monitoring Content Filtering


Understanding Address Translation


Network Address Translation


Port Address Translation


Packet Flow Sequence


Configuring Address Translation


Static NAT


Dynamic Network Address Translation


Static Port Address Translation


Dynamic Port Address Translation


Policy NAT/PAT


Bypassing Address Translation


Identity NAT


NAT Exemption


NAT Order of Operation


Integrating ACLs and NAT


DNS Doctoring


Monitoring Address Translations


Summary



IP Routing


Configuring Static Routes


RIP


Configuring RIP


Verifying the Configuration


Troubleshooting RIP


Scenario 1: RIP Version Mismatch


Scenario 2: RIP Authentication Mismatch


Scenario 3: Multicast or Broadcast Packets Blocked


Scenario 4: Correct Configuration and Behavior


OSPF


Configuring OSPF


Enabling OSPF


Virtual Links


Configuring OSPF Authentication


Configuring the Cisco ASA as an ASBR


Stub Areas and NSSAs


ABR Type 3 LSA Filtering


OSPF neighbor Command and Dynamic Routing over VPN


Troubleshooting OSPF


Useful Troubleshooting Commands


Mismatched Areas


OSPF Authentication Mismatch


Troubleshooting Virtual Link Problems


IP Multicast


IGMP


IP Multicast Routing


Configuring Multicast Routing


Enabling Multicast Routing


Statically Assigning an IGMP Group


Limiting IGMP States


IGMP Query Timeout


Defining the IGMP Version


Configuring Rendezvous Points


Configuring Threshold for SPT Switchover


Filtering RP Register Messages


PIM Designated Router Priority


PIM Hello Message Interval


Configuring a Static Multicast Route


Troubleshooting IP Multicast Routing


show Commands


debug Commands


Deployment Scenarios


Deploying OSPF


Deploying IP Multicast


Summary



Authentication, Authorization, and Accounting (AAA)


AAA Protocols and Services Supported by Cisco ASA


RADIUS


TACACS+


RSA SecurID


Microsoft Windows NT


Active Directory and Kerberos


Lightweight Directory Access Protocol


Defining an Authentication Server


Configuring Authentication of Administrative Sessions


Authenticating Telnet Connections


Authenticating SSH Connections


Authenticating Serial Console Connections


Authenticating Cisco ASDM Connections


Authenticating Firewall Sessions (Cut-Through Proxy Feature)


Authentication Timeouts


Customizing Authentication Prompts


Configuring Authorization


Command Authorization


Configuring Downloadable ACLs


Configuring Accounting


RADIUS Accounting


TACACS+ Accounting


Deployment Scenarios


Deploying Authentication, Command Authorization, and Accounting for Administrative Sessions


Deploying Cut-Through Proxy Authentication


Troubleshooting AAA


Troubleshooting Administrative Connections to Cisco ASA


Troubleshooting Firewall Sessions (Cut-Through Proxy)


Summary



Application Inspection


Enabling Application Inspection Using the Modular Policy Framework


Selective Inspection


Computer Telephony Interface Quick Buffer Encoding Inspection


Domain Name System


Extended Simple Mail Transfer Protocol


File Transfer Protocol


General Packet Radio Service Tunneling Protocol


GTPv0


GTPv1


Configuring GTP Inspection


H.323


H.323 Protocol Suite


H.323 Version Compatibility


Enabling H.323 Inspection


Direct Call Signaling and Gatekeeper Routed Control Signaling


T.38


HTTP


Enabling HTTP Inspection


strict-http


content-length


content-type-verification


max-header-length


max-uri-length


port-misuse


request-method


transfer-encoding type


ICMP


ILS


MGCP


NetBIOS


PPTP


Sun RPC


RSH


RTSP


SIP


Skinny


SNMP


SQLNet


TFTP


XDMCP


Deployment Scenarios


ESMTP


HTTP


FTP


Summary



Security Contexts


Architectural Overview


System Execution Space


Admin Context


Customer Context


Packet Flow in Multiple Mode


Packet Classification


Packet Forwarding Between Contexts


Configuration of Security Contexts


Step 1: Enabling Multiple Security Contexts Globally


Step 2: Setting Up the System Execution Space


Step 3: Specifying a Configuration URL


Step 4: Allocating the Interfaces


Step 5: Configuring an Admin Context


Step 6: Configuring a Customer Context


Step 7: Managing the Security Contexts (Optional)


Deployment Scenarios


Virtual Firewall Using Two Customer Contexts


Virtual Firewall Using a Shared Interface


Monitoring and Troubleshooting the Security Contexts


Monitoring


Troubleshooting


Summary



Transparent Firewalls


Architectural Overview


Single-Mode Transparent Firewall


Packet Flow in an SMTF


Multimode Transparent Firewall


Packet Flow in an MMTF


Transparent Firewalls and VPNs


Configuration of Transparent Firewall


Configuration Guidelines


Configuration Steps


Step 1: Enabling Transparent Firewalls


Step 2: Setting Up Interfaces


Step 3: Configuring an IP Address


Step 4: Configuring Interface ACLs


Step 5: Adding Static L2F Table Entries (Optional)


Step 6: Enabling ARP Inspection (Optional)


Step 7: Modifying L2F Table Parameters (optional)


Deployment Scenarios


SMTF Deployment


MMTF Deployment with Security Contexts


Monitoring and Troubleshooting the Transparent Firewall


Monitoring


Troubleshooting


Summary



Failover and Redundancy


Architectural Overview


Conditions that Trigger Failover


Failover Interface Tests


Stateful Failover


Hardware and Software Requirements


Types of Failover


Active/Standby Failover


Active/Active Failover


Asymmetric Routing


Failover Configuration


Active/Standby Failover Configuration


Step 1: Select the Failover Link


Step 2: Assign Failover IP Addresses


Step 3: Set the Failover Key (Optional)


Step 4: Designating the Primary Cisco ASA


Step 5: Enable Stateful Failover (Optional)


Step 6: Enable Failover Globally


Step 7: Configure Failover on the Secondary Cisco ASA


Active/Active Failover Configuration


Step 1: Select the Failover Link


Step 2: Assign Failover Interface IP Addresses


Step 3: Set Failover Key


Step 4: Designate the Primary Cisco ASA


Step 5: Enable Stateful Failover


Step 6: Set Up Failover Groups


Step 7: Assign Failover Group Membership


Step 8: Assign Interface IP Addresses


Step 9: Set Up Asymmetric Routing (Optional)


Step 10: Enable Failover Globally


Step 11: Configure Failover on the Secondary Cisco ASA


Optional Failover Commands


Specifying Failover MAC Addresses


Configuring Interface Policy


Managing Failover Timers


Monitoring Failover Interfaces


Zero-Downtime Software Upgrade


Deployment Scenarios


Active/Standby Failover in Single Mode


Active/Active Failover in Multiple Security Contexts


Monitoring and Troubleshooting Failovers


Monitoring


Troubleshooting


Summary



Quality of Service


Architectural Overview


Traffic Policing


Traffic Prioritization


Packet Flow Sequence


Packet Classification


IP Precedence Field


IP DSCP Field


IP Access Control List


IP Flow


VPN Tunnel Group


QoS and VPN Tunnels


Configuring Quality of Service


Step 1: Set Up a Class Map


Step 2: Configure a Policy Map


Step 3: Apply the Policy Map on the Interface


Step 4: Tune the Priority Queue (Optional)


QoS Deployment Scenarios


QoS for VoIP Traffic


QoS for the Remote-Access VPN Tunnels


Monitoring QoS


Summary



Intrusion Prevention System (IPS) Solution



Intrusion Prevention System Integration


Adaptive Inspection Prevention Security Services Module Overview (AIP-SSM)


AIP-SSM Management


Inline Versus Promiscuous Mode


Directing Traffic to the AIP-SSM


AIP-SSM Module Software Recovery


Additional IPS Features


IP Audit


Shunning


Summary



Configuring and Troubleshooting Cisco IPS Software via CLI


Cisco IPS Software Architecture


MainApp


SensorApp


Network Access Controller


AuthenticationApp


cipsWebserver


LogApp


EventStore


TransactionSource


Introduction to the CIPS 5.x Command-Line Interface


Logging In to the AIP-SSM via the CLI


CLI Command Modes


Initializing the AIP-SSM


User Administration


User Account Roles and Levels


Administrator Account


Operator Account


Viewer Account


Service Account


Adding and Deleting Users by Using the CLI


Creating Users


Deleting Users


Changing Passwords


AIP-SSM Maintenance


Adding Trusted Hosts


SSH Known Host List


TLS Known Host List


Upgrading the CIPS Software and Signatures via the CLI


One-Time Upgrades


Scheduled Upgrades


Displaying Software Version and Configuration Information


Backing Up Your Configuration


Displaying and Clearing Events


Displaying and Clearing Statistics


Advanced Features and Configuration


IPS Tuning


Disabling and Retiring IPS Signatures


Custom Signatures


IP Logging


Automatic Logging


Manual Logging of Specific Host Traffic


Configuring Blocking (Shunning)


Summary



Virtual Private Network (VPN) Solution



Site-to-Site IPSec VPNs


Preconfiguration Checklist


Configuration Steps


Step 1: Enable ISAKMP


Step 2: Create the ISAKMP Policy


Step 3: Set the Tunnel Type


Step 4: Configure ISAKMP Preshared Keys


Step 5: Define the IPSec Policy


Step 6: Specify Interesting Traffic


Step 7: Configure a Crypto Map


Step 8: Apply the Crypto Map to an Interface


Step 9: Configuring Traffic Filtering


Step 10: Bypassing NAT (Optional)


Advanced Features


OSPF Updates over IPSec


Reverse Route Injection


NAT Traversal


Tunnel Default Gateway


Optional Commands


Perfect Forward Secrecy


Security Association Lifetimes


Phase 1 Mode


Connection Type


Inheritance


ISAKMP Keepalives


Deployment Scenarios


Single Site-to-Site Tunnel Configuration Using NAT-T


Fully Meshed Topology with RRI


Monitoring and Troubleshooting Site-to-Site IPSec VPNs


Monitoring Site-to-Site VPNs


Troubleshooting Site-to-Site VPNs


ISAKMP Proposal Unacceptable


Mismatched Preshared keys


Incompatible IPSec Transform Set


Mismatched Proxy Identities


Summary



Remote Access VPN


Cisco IPSec Remote Access VPN Solution


Configuration Steps


Step 1: Enable ISAKMP


Step 2: Create the ISAKMP Policy


Step 3: Configure Remote-Access Attributes


Step 4: Define the Tunnel Type


Step 5: Configure ISAKMP Preshared Keys


Step 6: Configure User Authentication


Step 7: Assign an IP Address


Step 8: Define the IPSec Policy


Step 9: Set Up a Dynamic Crypto Map


Step 10: Configure the Crypto Map


Step 11: Apply the Crypto Map to an Interface


Step 12: Configure Traffic Filtering


Step 13: Set Up a Tunnel Default Gateway (Optional)


Step 14: Bypass NAT (Optional)


Step 15: Set Up Split Tunneling (Optional)


Cisco VPN Client Configuration


Software-Based VPN Clients


Hardware-Based VPN Clients


Advanced Cisco IPSec VPN Features


Transparent Tunneling


NAT Traversal


IPSec over TCP


IPSec over UDP


IPSec Hairpinning


VPN Load-Balancing


Client Auto-Update


Client Firewalling


Personal Firewall Check


Central Protection Policy


Hardware based Easy VPN Client Features


Interactive Hardware Client Authentication


Individual User Authentication


Cisco IP Phone Bypass


Leap Bypass


Hardware Client Network Extension Mode


Deployment Scenarios of Cisco IPSec VPN


IPSec Hairpinning with Easy VPN and Firewalling


Load-Balancing and Site-to-Site Integration


Monitoring and Troubleshooting Cisco Remote Access VPN


Monitoring Cisco Remote Access IPSec VPNs


Troubleshooting Cisco IPSec VPN Clients


Cisco WebVPN Solution


Configuration Steps


Step 1: Enable the HTTP Service


Step 2: Enable WebVPN on the Interface


Step 3: Configure WebVPN Look and Feel


Step 4: Configure WebVPN Group Attributes


Step 5: Configure User Authentication


Advanced WebVPN Features


Port Forwarding


Configuring URL Mangling


E-Mail Proxy


Authentication Methods for E-Mail Proxy


Identifying E-Mail Servers for E-Mail Proxies


Delimiters


Windows File Sharing


WebVPN Access Lists


Deployment Scenarios of WebVPN


WebVPN with External Authentication


WebVPN with E-Mail Proxies


Monitoring and Troubleshooting WebVPN


Monitoring WebVPN


Troubleshooting WebVPN


SSL Negotiations


WebVPN Data Capture


E-Mail Proxy Issues


Summary



Public Key Infrastructure (PKI)


Introduction to PKI


Certificates


Certificate Authority


Certificate Revocation List


Simple Certificate Enrollment Protocol


Enrolling the Cisco ASA to a CA Using SCEP


Generating the RSA Key Pair


Configuring a Trustpoint


Manual (Cut-and-Paste) Enrollment


Configuration for Manual Enrollment


Obtaining the CA Certificate


Generating the ID Certificate Request and Importing the ID Certificate


Configuring CRL Options


Configuring IPSec Site-to-Site Tunnels Using Certificates


Configuring the Cisco ASA to Accept Remote-Access VPN Clients Using Certificates


Enrolling the Cisco VPN Client


Configuring the Cisco ASA


Troubleshooting PKI


Time and Date Mismatch


SCEP Enrollment Problems


CRL Retrieval Problems


Summary



Adaptive Security Deviceï¿½Manager



Introduction to ASDM


Setting Up ASDM


Uploading ASDM


Setting Up Cisco ASA


Accessing ASDM


Initial Setup


Startup Wizard


Functional Screens


Configuration Screen


Monitoring Screen


Interface Management


System Clock


Configuration Management


Remote System Management


Telnet


SSH


SSL (ASDM)


System Maintenance


Software Installation


File Management


System Monitoring


System Logging


SNMP


Summary



Firewall Management Using ASDM


Access Control Lists


Address Translation


Routing Protocols


RIP


OSPF


Multicast


AAA


Application Inspection


Security Contexts


Transparent Firewalls


Failover


QoS


Summary



IPS Management Using ASDM


Accessing the IPS Device Management Console from ASDM


Configuring Basic AIP-SSM Settings


Licensing


Verifying Network Settings


Adding Allowed Hosts


Configuring NTP


Adding Users


Advanced IPS Configuration and Monitoring Using ASDM


Disabling and Enabling Signatures


Configuring Blocking


Creating Custom Signatures


Creating Event Action Filters


Installing Signature Updates and Software Service Packs


Configuring Auto-Update


Summary



VPN Management Using ASDM


Site-to-Site VPN Setup Using Preshared Keys


Site-to-Site VPN Setup Using PKI


Cisco Remote-Access IPSec VPN Setup


WebVPN


VPN Monitoring


Summary



Case Studies


Case Study 1: Deploying the Cisco ASA at Branch Offices and Small Businesses


Branch Offices


Small Business Partners


Case Study 2: Large Enterprise Firewall, VPN, and IPS Deployment


Internet Edge and DMZ


Filtering Websites


Remote Access VPN Cluster


Application Inspection


IPS


Case Study 3: Data Center Security with Cisco ASA


Summary


Index