Cisco Press - Cisco ASA All-In-One Firewall 2nd Edition(2010)
Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, Second Edition
Jazib Frahim, CCIE No. 5459
Omar Santos
Cisco Press
800 East 96th Street
Indianapolis, IN 46240
Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, Second Edition
Jazib Frahim, Omar Santos
Copyright 2010 Cisco Systems, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America
First Printing December 2009
Library of Congress Cataloging-in-Publication data is on file.
ISBN-13: 978-1-58705-819-6
ISBN-10: 1-58705-819-7
Warning and Disclaimer
This book is designed to provide information about Cisco ASA. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
ii Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance
Corporate and Government Sales
The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales 1-800-382-3419 [email protected]
For sales outside the United States please contact: International Sales [email protected]
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at [email protected]. Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.
Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Executive Editor: Brett Bartow
Managing Editor: Patrick Kanouse
Project Editor: Seth Kerney
Book and Cover Designer: Louisa Adair
Composition: Mark Shirar
Proofreaders: Water Crest Publishing, Inc., Apostrophe Editing Services
Business Operation Manager, Cisco Press: Anand Sundaram
Manager Global Certification: Erik Ullanderson
Technical Editors: Randy Ivener, Jay Johnston
Development Editors: Kimberley Debus, Dayna Isley
Copy Editor: Margo Catts
Editorial Assistant: Vanessa Evans
Indexer: Ken Johnson
About the Authors
Jazib Frahim, CCIE No. 5459, has been with Cisco Systems for more than ten years. With a bachelor's degree in computer engineering from Illinois Institute of Technology, he started out as a TAC engineer in the LAN Switching team. He then moved to the TAC Security team, where he acted as a technical leader for the security products. He led a team of 20 engineers in resolving complicated security and VPN technologies. He is currently working as a technical leader in the Worldwide Security Services Practice of Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. He holds two CCIEs, one in routing and switching and the other in security. He has written numerous Cisco online technical documents and has been an active member on the Cisco online forum NetPro. He has presented at Networkers on multiple occasions and has taught many on-site and online courses to Cisco customers, partners, and employees.
While working for Cisco, he pursued his master of business administration (MBA) degree from North Carolina State University.
He is also an author of the following Cisco Press books:
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting
SSL Remote Access VPNs
Omar Santos is an incident manager at Cisco's Product Security Incident Response Team (PSIRT). Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and the U.S. Department of Defense (DoD). He is also the author of many Cisco online technical documents and configuration guidelines. Prior to his current role, he was a technical leader within the World Wide Security Practice and Cisco's Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations.
Omar has also delivered numerous technical presentations to Cisco customers and partners, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of the following Cisco Press books:
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting
End-to-End Network Security: Defense-in-Depth
About the Technical Reviewers
Randy Ivener, CCIE No. 10722, is a security engineer in the Cisco Security Research and Operations team. He is a CISSP and PMI PMP. He has spent many years as a network security consultant helping companies understand and secure their networks. Randy has presented security topics at industry events including Blackhat and Cisco Networkers. Before becoming immersed in information security, he spent time in software development and as a training instructor. Randy graduated from the U.S. Naval Academy and holds an MBA.
Jay Johnston, CCIE No. 17663, is a security specialist in the Cisco TAC center located in Research Triangle Park, North Carolina. His networking career began in 2002 when he joined Cisco as a co-op while attending North Carolina State University. After graduating with a bachelor's of computer science in 2004, he joined Cisco full time as a TAC Engineer. He obtained his Security CCIE in 2007. He enjoys working for Cisco, especially the constant technical challenges that working with customers in the TAC provides.
Dedications
Jazib Frahim: I would like to dedicate this book to my lovely wife, Sadaf, who has patiently put up with me during the writing process.
I would also like to dedicate this book to my parents, Frahim and Perveen, who support and encourage me in all my endeavors.
Finally, I would like to thank my siblings, including my brother Shazib and sisters Erum and Sana, sister-in-law Asiya, my cute nephew Shayan, and my adorable nieces Shiza and Alisha. Thank you for your patience and understanding during the development of this book.
Omar Santos: I would like to dedicate this book to my lovely wife, Jeannette, and my two beautiful children, Hannah and Derek, who have inspired and supported me throughout the development of this book.
I also dedicate this book to my parents, Jose and Generosa. Without their knowledge, wisdom, and guidance, I would not have the goals that I strive to achieve today.
Acknowledgments
We would like to thank the technical editors, Randy Ivener and Jay Johnston, for their time and technical expertise. They verified our work and corrected us in all the major and minor mistakes that were hard to find. Special thanks go to Aun Raza for reviewing many chapters prior to final editing.
We would like to thank the Cisco Press team, especially Brett Bartow, Dayna Isley, Kimberley Debus, and Andrew Cupp for their patience, guidance, and consideration. Their efforts are greatly appreciated.
Many thanks to our Cisco management team, including David Philips, Ken Cavanagh, and Jean Reese for their continuous support. They highly encouraged us throughout this project.
Kudos to the Cisco ASA product development team for delivering such a great product. Their support is also greatly appreciated during the development of this book.
Finally, we would like to acknowledge the Cisco TAC. Some of the best and brightest minds in the networking industry work there, supporting our Cisco customers often under very stressful conditions and working miracles daily. They are truly unsung heroes, and we are all honored to have had the privilege of working side by side with them in the trenches of the TAC.
Contents at a Glance
Introduction xxiii
Part I: Product Overview
Chapter 1 Introduction to Security Technologies 1
Chapter 2 Cisco ASA Product and Solution Overview 25
Chapter 3 Initial Setup and System Maintenance 49
Part II: Firewall Technology
Chapter 4 Controlling Network Access 141
Chapter 5 IP Routing 231
Chapter 6 Authentication, Authorization, and Accounting (AAA) 311
Chapter 7 Application Inspection 349
Chapter 8 Virtualization 415
Chapter 9 Transparent Firewalls 474
Chapter 10 Failover and Redundancy 521
Chapter 11 Quality of Service 577
Part III: Intrusion Prevention System (IPS) Solutions
Chapter 12 Configuring and Troubleshooting Intrusion Prevention System (IPS) 615
Chapter 13 Tuning and Monitoring IPS 677
Part IV: Content Security
Chapter 14 Configuring Cisco Content Security and Control Security Services Module 689
Chapter 15 Monitoring and Troubleshooting the Cisco Content Security and Control Security Services Module 715
Part V: Virtual Private Network (VPN) Solutions
Chapter 16 Site-to-Site IPSec VPNs 735
Chapter 17 IPSec Remote-Access VPNs 799
Chapter 18 Public Key Infrastructure (PKI) 869
Chapter 19 Clientless Remote-Access SSL VPNs 923
Chapter 20 Client-Based Remote-Access SSL VPNs 1027
Index 1067
Contents
Introduction xxiii
Part I: Product Overview
Chapter 1 Introduction to Security Technologies 1
Firewalls 1
Network Firewalls 2
Stateful Inspection Firewalls 6
Deep Packet Inspection 7
Personal Firewalls 7
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) 8
Pattern Matching and Stateful Pattern-Matching Recognition 9
Protocol Analysis 10
Heuristic-Based Analysis 11
Anomaly-Based Analysis 11
Virtual Private Networks 12
Technical Overview of IPSec 14
SSL VPNs 21
Summary 23
Chapter 2 Cisco ASA Product and Solution Overview 25
Cisco ASA 5505 Model 26
Cisco ASA 5510 Model 29
Cisco ASA 5520 Model 34
Cisco ASA 5540 Model 36
Cisco ASA 5550 Model 36
Cisco ASA 5580-20 and 5580-40 Models 38
Cisco ASA 5580-20 39
Cisco ASA 5580-40 40
Cisco ASA AIP-SSM Module 41
Cisco ASA AIP-SSM-10 43
Cisco ASA AIP-SSM-20 43
Cisco ASA AIP-SSM-40 43
Cisco ASA Gigabit Ethernet Modules 44
Cisco ASA 4GE-SSM 44
Cisco ASA 5580 Expansion Cards 45
Cisco ASA CSC-SSM Module 46
Summary 47
Chapter 3 Initial Setup and System Maintenance 49
Accessing the Cisco ASA Appliances 49
Establishing a Console Connection 50
Command-Line Interface 52
Managing Licenses 54
Initial Setup 57
Initial Setup via CLI 57
Initial Setup of ASDM 58
Device Setup 67
Setting Up Device Name and Passwords 67
Configuring an Interface 69
DHCP Services 76
IP Version 6 78
IPv6 Header 78
Configuring IPv6 80
Setting Up the System Clock 84
Manual Clock Adjustment 84
Automatic Clock Adjustment Using the Network Time Protocol 86
Configuration Management 88
Running Configuration 88
Startup Configuration 92
Removing the Device Configuration 93
Remote System Management 94
Telnet 95
Secure Shell (SSH) 98
System Maintenance 101
Software Installation 101
Password Recovery Process 106
Disabling the Password Recovery Process 109
System Monitoring 113
System Logging 113
NetFlow Secure Event Logging (NSEL) 125
Simple Network Management Protocol (SNMP) 128
Device Monitoring and Troubleshooting 133
CPU and Memory Monitoring 133
Troubleshooting Device Issues 136
Summary 139
Part II: Firewall Technology
Chapter 4 Controlling Network Access 141
Packet Filtering 141
Types of ACLs 144
Comparing ACL Features 146
Configuring Traffic Filtering 147
Thru-Traffic Filtering via CLI 147
Thru-Traffic Filtering via ASDM 152
To-The-Box-Traffic Filtering 154
Set Up an IPv6 ACL (Optional) 157
Advanced ACL Features 159
Object Grouping 159
Standard ACLs 166
Time-Based ACLs 167
Downloadable ACLs 170
ICMP Filtering 172
Content and URL Filtering 173
Content Filtering 173
URL Filtering 175
Deployment Scenarios for Traffic Filtering 185
Using ACLs to Filter Inbound Traffic 185
Using Websense to Enable Content Filtering 190
Monitoring Network Access Control 193
Monitoring ACLs 193
Monitoring Content Filtering 198
Understanding Address Translation 199
Network Address Translation 200
Port Address Translation 202
Address Translation and Interface Security Levels 203
Packet Flow Sequence 204
Security Protection Mechanisms Within Address Translation 204
Configuring Address Translation 206
Bypassing Address Translation 218
NAT Order of Operation 222
Integrating ACLs and NAT 223
DNS Doctoring 225
Monitoring Address Translations 229
Summary 230
Chapter 5 IP Routing 231
Configuring Static Routes 231
Static Route Monitoring 234
Displaying the Routing Table 239
RIP 240
Configuring RIP 241
RIP Authentication 244
RIP Route Filtering 246
Configuring RIP Redistribution 249
Troubleshooting RIP 249
OSPF 252
Configuring OSPF 254
Troubleshooting OSPF 272
EIGRP 280
Configuring EIGRP 280
Troubleshooting EIGRP 292
IP Multicast 301
IGMP Stub Mode 301
PIM Sparse Mode 301
Configuring Multicast Routing 302
Troubleshooting IP Multicast Routing 308
Summary 310
Chapter 6 Authentication, Authorization, and Accounting (AAA) 311
AAA Protocols and Services Supported by Cisco ASA 312
RADIUS 314
TACACS+ 316
RSA SecurID 316
Microsoft Windows NT 317
Active Directory and Kerberos 318
Lightweight Directory Access Protocol 318
HTTP Form Protocol 318
Defining an Authentication Server 318
Configuring Authentication of Administrative Sessions 325
Authenticating Telnet Connections 325
Authenticating SSH Connections 327
Authenticating Serial Console Connections 329
Authenticating Cisco ASDM Connections 329
Authenticating Firewall Sessions (Cut-Through Proxy Feature) 330
Authentication Timeouts 335
Customizing Authentication Prompts 335
Configuring Authorization 336
Command Authorization 338
Configuring Downloadable ACLs 339
Configuring Accounting 340
RADIUS Accounting 341
TACACS+ Accounting 343
Troubleshooting Administrative Connections to Cisco ASA 344
Troubleshooting Firewall Sessions (Cut-Through Proxy) 347
Summary 347
Chapter 7 Application Inspection 349
Enabling Application Inspection 351
Selective Inspection 353
Computer Telephony Interface Quick Buffer Encoding Inspection 356
Distributed Computing Environment Remote Procedure Calls (DCERPC) 358
Domain Name System 359
Extended Simple Mail Transfer Protocol 363
File Transfer Protocol 367
General Packet Radio Service Tunneling Protocol 369
GTPv0 369
GTPv1 372
Configuring GTP Inspection 373
H.323 376
H.323 Protocol Suite 376
H.323 Version Compatibility 378
Enabling H.323 Inspection 380
Direct Call Signaling and Gatekeeper Routed Control Signaling 382
T.38 382
Unified Communications Advanced Support 383
Phone Proxy 383
TLS Proxy 388
Mobility Proxy 389
Presence Federation Proxy 390
HTTP 390
Enabling HTTP Inspection 391
ICMP 399
ILS 399
Instant Messenger (IM) 400
IPSec Pass-Through 403
MGCP 404
NetBIOS 406
PPTP 406
Sun RPC 407
RSH 407
RTSP 408
SIP 408
Skinny (SCCP) 410
SNMP 411
SQL*Net 412
TFTP 412
WAAS 413
XDMCP 413
Summary 413
Chapter 8 Virtualization 415
Architectural Overview 417
System Execution Space 417
Admin Context 418
User Context 419
Packet Classification 421
Packet Flow in Multiple Mode 424
Configuration of Security Contexts 427
Step 1: Enable Multiple Security Contexts Globally 427
Step 2: Set Up the System Execution Space 430
Step 3: Allocate Interfaces 433
Step 4: Specify a Configuration URL 434
Step 5: Configure an Admin Context 435
Step 6: Configure a User Context 437
Step 7: Manage the Security Contexts (Optional) 438
Step 8: Resource Management (Optional) 439
Deployment Scenarios 443
Virtual Firewalls That Use Non-Shared Interfaces 443
Virtual Firewalls That Use a Shared Interface 454
Monitoring and Troubleshooting the Security Contexts 466
Monitoring 466
Troubleshooting 468
Summary 470
Chapter 9 Transparent Firewalls 471
Architectural Overview 474
Single-Mode Transparent Firewalls 474
Multimode Transparent Firewalls 477
Restrictions Within Transparent Firewalls 478
Transparent Firewalls and VPNs 479
Transparent Firewalls and NAT 479
Configuration of Transparent Firewalls 482
Configuration Guidelines 482
Configuration Steps 483
Deployment Scenarios 496
SMTF Deployment 496
MMTF Deployment with Security Contexts 502
Monitoring and Troubleshooting the Transparent Firewalls 514
Monitoring 514
Troubleshooting 516
Summary 519
Chapter 10 Failover and Redundancy 521
Architectural Overview 521
Conditions that Trigger Failover 523
Failover Interface Tests 523
Stateful Failover 524
Hardware and Software Requirements 525
Types of Failover 527
Interface-Level Failover 531
Failover Configuration 533
Device-Level Redundancy Configuration 533
ASDM Failover Wizard Configuration 548
Interface Level Redundancy Configuration 550
Optional Failover Commands 552
Zero-Downtime Software Upgrade 557
Deployment Scenarios 559
Active/Standby Failover in Single Mode 560
Active/Active Failover in Multiple Security Contexts 564
Monitoring and Troubleshooting Failovers 569
Monitoring 569
Troubleshooting 572
Summary 575
Chapter 11 Quality of Service 577
QoS Types 579
Traffic Prioritization 579
Traffic Policing 579
Traffic Shaping 581
QoS Architecture 582
Packet Flow Sequence 582
Packet Classification 583
QoS and VPN Tunnels 587
Configuring Quality of Service 588
QoS Configuration via ASDM 589
QoS Configuration via CLI 596
QoS Deployment Scenarios 600
QoS for VoIP Traffic 600
QoS for the Remote-Access VPN Tunnels 607
Monitoring QoS 611
Summary 613
Part III: Intrusion Prevention System (IPS) Solutions
Chapter 12 Configuring and Troubleshooting Intrusion Prevention System (IPS) 615
Overview of the Adaptive Inspection Prevention Security Services Module (AIP-SSM) and Adaptive Inspection Prevention Security Services Card (AIP-SSC) 615
AIP-SSM and AIP-SSC Management 616
Inline Versus Promiscuous Mode 617
Cisco IPS Software Architecture 619
MainApp 620
SensorApp 621
Attack Response Controller 622
AuthenticationApp 623
cipsWebserver 623
Logger 624
EventStore 624
CtlTransSource 625
Configuring the AIP-SSM 625
Introduction to the CIPS CLI 625
User Administration 632
AIP-SSM Maintenance 636
Adding Trusted Hosts 636
Upgrading the CIPS Software and Signatures 637
Displaying Software Version and Configuration Information 643
Backing Up Your Configuration 647
Displaying and Clearing Events 648
Advanced Features and Configuration 650
Custom Signatures 651
IP Logging 656
Configuring Blocking (Shunning) 659
Cisco Security Agent Integration 662
Anomaly Detection 666
Cisco ASA Botnet Detection 670
Dynamic and Administrator Blacklist Data 670
DNS Snooping 672
Traffic Classification 672
Summary 675
Chapter 13 Tuning and Monitoring IPS 677
IPS Tuning 677
Disabling IPS Signatures 679
Retiring IPS Signatures 680
Monitoring and Tuning the AIP-SSM Using CS-MARS 681
Adding the AIP-SSM in CS-MARS 682
Tuning the AIP-SSM Using CS-MARS 683
Displaying and Clearing Statistics 684
Summary 688
Part IV: Content Security
Chapter 14 Configuring Cisco Content Security and Control Security Services Module 689
Initial CSC SSM Setup 690
Configuring CSC SSM Web-Based Features 694
URL Blocking and Filtering 695
File Blocking 697
HTTP Scanning 699
Configuring CSC SSM Mail-Based Features 701
SMTP Scanning 701
SMTP Anti-Spam 704
SMTP Content Filtering 708
POP3 Support 709
Configuring CSC SSM File Transfer Protocol (FTP) 709
Configuring FTP Scanning 709
FTP File Blocking 712
Summary 713
Chapter 15 Monitoring and Troubleshooting the Cisco Content Security and Control Security Services Module 715
Monitoring the CSC SSM 715
Detailed Live Event Monitoring 717
Configuring Syslog 718
Troubleshooting the CSC SSM 719
Re-Imaging the CSC SSM 719
Password Recovery 722
Configuration Backup 724
Upgrading the CSC SSM Software 726
CLI Troubleshooting Tools 726
Summary 734
Part V: Virtual Private Network (VPN) Solutions
Chapter 16 Site-to-Site IPSec VPNs 735
Preconfiguration Checklist 736
Configuration Steps 738
Step 1: Enable ISAKMP 739
Step 2: Create the ISAKMP Policy 739
Step 3: Set Up the Tunnel Groups 741
Step 4: Define the IPSec Policy 743
Step 5: Create a Crypto Map 745
Step 6: Configure Traffic Filtering (Optional) 749
Step 7: Bypass NAT (Optional) 751
Alternate Configuration Methods Through ASDM 752
Advanced Features 754
OSPF Updates over IPSec 755
Reverse Route Injection 757
NAT Traversal 758
Tunnel Default Gateway 759
Management Access 760
Perfect Forward Secrecy 761
Modifying Default Parameters 762
Security Association Lifetimes 763
Phase 1 Mode 764
Connection Type 764
ISAKMP Keepalives 766
IPSec and Packet Fragmentation 767
Deployment Scenarios 768
Single Site-to-Site Tunnel Configuration Using NAT-T 769
Fully Meshed Topology with RRI 775
Monitoring and Troubleshooting Site-to-Site IPSec VPNs 789
Monitoring Site-to-Site VPNs 789
Troubleshooting Site-to-Site VPNs 793
Summary 798
Chapter 17 IPSec Remote-Access VPNs 799
Cisco IPSec Remote Access VPN Solution 800
IPSec Remote-Access Configuration Steps 801
Step 2: Create the ISAKMP Policy 803
Step 3: Set Up Tunnel and Group Policies 805
Step 4: Define the IPSec Policy 809
Step 5: Configure User Authentication 810
Step 6: Assign an IP Address 812
Step 7: Create a Crypto Map 816
Step 8: Configure Traffic Filtering (Optional) 817
Step 9: Bypass NAT (Optional) 818
Step 10: Set Up Split Tunneling (Optional) 818
Step 11: Assign DNS and WINS (Optional) 821
Alternate Configuration Method through ASDM 822
Cisco VPN Client Configuration 824
Advanced Cisco IPSec VPN Features 828
Tunnel Default Gateway 828
Transparent Tunneling 829
IPSec Hairpinning 831
VPN Load Balancing 833
Client Firewalling 836
Hardware-Based Easy VPN Client Features 840
L2TP Over IPSec Remote Access VPN Solution 843
L2TP over IPSec Remote-Access Configuration Steps 845
Windows L2TP over IPSec Client Configuration 848
Deployment Scenarios 849
Load Balancing of Cisco IPSec Clients and Site-to-Site Integration 849
L2TP over IPSec with Traffic Hairpinning 855
Monitoring and Troubleshooting Cisco Remote-Access VPN 860
Monitoring Cisco Remote Access IPSec VPNs 860
Troubleshooting Cisco IPSec VPN Clients 865
Summary 868
Chapter 18 Public Key Infrastructure (PKI) 869
Introduction to PKI 869
Certificates 870
Certificate Authority (CA) 871
Certificate Revocation List 873
Simple Certificate Enrollment Protocol 874
Installing Certificates 874
Installing Certificates Through ASDM 874
Installing Certificates Using the CLI 883
The Local Certificate Authority 896
Configuring the Local CA Through ASDM 896
Configuring the Local CA Using the CLI 899
Enrolling Local CA Users Through ASDM 901
Enrolling Local CA Users Through the CLI 904
Configuring IPSec Site-to-Site Tunnels Using Certificates 906
Configuring the Cisco ASA to Accept Remote-Access IPSec VPN Clients Using Certificates 910
Enrolling the Cisco VPN Client 911
Configuring the Cisco ASA 914
Troubleshooting PKI 917
Time and Date Mismatch 917
SCEP Enrollment Problems 920
CRL Retrieval Problems 921
Summary 922
Chapter 19 Clientless Remote-Access SSL VPNs 923
SSL VPN Design Considerations 924
User Connectivity 924
ASA Feature Set 925
Infrastructure Planning 925
Implementation Scope 925
SSL VPN Prerequisites 926
SSL VPN Licenses 926
Client Operating System and Browser and Software Requirements 930
Infrastructure Requirements 931
Pre-SSL VPN Configuration Guide 931
Enroll Digital Certificates (Recommended) 931
Set Up Tunnel and Group Policies 937
Set Up User Authentication 943
Clientless SSL VPN Configuration Guide 947
Enable Clientless SSL VPN on an Interface 949
Configure SSL VPN Portal Customization 949
Configure Bookmarks 965
Configure Web-Type ACLs 970
Configure Application Access 973
Configure Client-Server Plug-ins 979
Cisco Secure Desktop 980
CSD Components 981
CSD Requirements 983
CSD Architecture 984
Configuring CSD 985
Host Scan 998
Host Scan Modules 999
Configuring Host Scan 1000
Dynamic Access Policies 1003
DAP Architecture 1004
DAP Sequence of Events 1005
Configuring DAP 1006
Deployment Scenarios 1017
Step 1: Define Clientless Connections 1019
Step 2: Configure DAP 1020
Monitoring and Troubleshooting SSL VPN 1021
Monitoring SSL VPN 1021
Troubleshooting SSL VPN 1024
Summary 1026
Chapter 20 Client-Based Remote-Access SSL VPNs 1027
SSL VPN Deployment Considerations 1028
AnyConnect Licenses 1028
Cisco ASA Design Considerations 1031
SSL VPN Prerequisites 1032
Client Operating System and Browser and Software Requirements 1032
Infrastructure Requirements 1034
Pre-SSL VPN Configuration Guide 1035
Enrolling Digital Certificates (Recommended) 1035
Setting Up Tunnel and Group Policies 1035
Setting Up User Authentication 1038
AnyConnect VPN Client Configuration Guide 1040
Loading the AnyConnect Package 1042
Defining AnyConnect SSL VPN Client Attributes 1044
Advanced Full Tunnel Features 1049
AnyConnect Client Configuration 1055
Deployment Scenario of AnyConnect Client 1059
Step 1: Set Up CSD For Registry Check 1061
Step 2: Set Up RADIUS for Authentication 1061
Step 3: Configure AnyConnect SSL VPN 1061
Step 4: Enable Address Translation for Internet Access 1062
Monitoring and Troubleshooting AnyConnect SSL VPNs 1063
Monitoring SSL VPN 1063
Troubleshooting SSL VPN 1063
Summary 1066
Index 1067
Icons Used in This Book
[Icon legend, graphics not reproduced: PC, Cisco ASA 5500, Secure Server, Cisco CallManager, Terminal, File Server, Web Server, Ciscoworks Workstation, Printer, Laptop, IBM Mainframe, Front End Processor, Cluster Controller, Modem, DSU/CSU, Router, Bridge, Hub, Catalyst Switch, Multilayer Switch, ATM Switch, ISDN/Frame Relay Switch, Communication Server, Gateway, Access Server, Network Cloud, Voice-Enabled Router. Line styles: Ethernet, FDDI, Serial, Switched Serial.]
Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
Italic indicates arguments for which you supply actual values.
Vertical bars (|) separate alternative, mutually exclusive elements.
Square brackets ([ ]) indicate an optional element.
Braces ({ }) indicate a required choice.
Braces within brackets ([{ }]) indicate a required choice within an optional element.
Introduction
Network security has always been a challenge for many organizations that cannot deploy separate devices to provide firewall, intrusion prevention, and virtual private network (VPN) services. The Cisco ASA is a high-performance, multifunction security appliance that offers firewall, IPS, network antivirus, and VPN services. The Cisco ASA delivers these features through improved network integration, resiliency, and scalability.
This book is an insider's guide to planning, implementing, configuring, and troubleshooting the Cisco Adaptive Security Appliances. It delivers expert guidance from senior Cisco network security consulting engineers. It demonstrates how adaptive identification and mitigation services on the Cisco ASA provide a sophisticated network security solution to small, medium, and large organizations. This book brings together expert guidance for virtually every challenge you will face, from building basic network security policies to advanced VPN and IPS implementations.
Who Should Read This Book?
This book serves as a guide for any network professional who manages network security or installs and configures firewalls, VPN devices, or intrusion detection/prevention systems. It encompasses topics from an introductory level to advanced topics on security and VPNs. The requirements of the reader include a basic knowledge of TCP/IP and networking.
How This Book Is Organized
This book has five parts, which provide a Cisco ASA product introduction and then focus on firewall features, intrusion prevention, content security, and VPNs. Each part includes many sample configurations, accompanied by in-depth analyses of design scenarios. Your learning is further enhanced by a discussion of a set of debugs included in each technology. Groundbreaking features, such as SSL VPN and virtual and Layer 2 firewalls, are discussed extensively.
The core chapters, Chapters 2 through 12, cover the following topics:
Part I, Product Overview, includes the following chapters:
Chapter 1, Introduction to Security Technologies: This chapter provides an overview of different technologies that are supported by the Cisco ASA and widely used by today's network security professionals.
Chapter 2, Cisco ASA Product and Solution Overview: This chapter describes how the Cisco ASA incorporates features from each of these products, integrating comprehensive firewall, intrusion detection and prevention, and VPN technologies in a cost-effective, single-box format. Additionally, it provides a hardware overview of the Cisco ASA, including detailed technical specifications and installation guidelines. It also covers an overview of the Adaptive Inspection and Prevention Security Services Module (AIP-SSM) and Content Security and Control Security Services Module (CSC-SSM).
Chapter 3, Initial Setup and System Maintenance: A comprehensive list of initial setup tasks and system maintenance procedures is included in this chapter. These tasks and procedures are intended to be used by network professionals who will be installing, configuring, and managing the Cisco ASA.
Part II, Firewall Technology, includes the following chapters:
Chapter 4, Controlling Network Access: The Cisco ASA can protect one or more networks from intruders. Connections between these networks can be carefully controlled by advanced firewall capabilities, enabling you to ensure that all traffic from and to the protected networks passes only through the firewall based on the organization's security policy. This chapter shows you how to implement your organization's security policy, using the features the Cisco ASA provides.
Chapter 5, IP Routing: This chapter covers the different routing capabilities of the Cisco ASA.
Chapter 6, Authentication, Authorization, and Accounting (AAA): The Cisco ASA supports a wide range of AAA features. This chapter provides guidelines on how to configure AAA services by defining a list of authentication methods applied to various implementations.
Chapter 7, Application Inspection: The Cisco ASA stateful application inspection helps to secure the use of applications and services in your network. This chapter describes how to use and configure application inspection.
Chapter 8, Virtualization: The Cisco ASA virtual firewall feature introduces the concept of operating multiple instances of firewalls (contexts) within the same hardware platform. This chapter shows how to configure and troubleshoot each of these security contexts.
Chapter 9, Transparent Firewalls: This chapter introduces the transparent (Layer 2) firewall model within the Cisco ASA. It explains how users can configure the Cisco ASA in transparent single mode and multiple mode while accommodating their security needs.
Chapter 10, Failover and Redundancy: This chapter discusses the different redundancy and failover mechanisms that the Cisco ASA provides. It includes not only the overview and configuration, but also detailed troubleshooting procedures.
Chapter 11, Quality of Service: QoS is a network feature that lets you give priority to certain types of traffic. This chapter covers how to configure and troubleshoot QoS in the Cisco ASA.
Part III, Intrusion Prevention System (IPS) Solutions, includes the following chapters:
Chapter 12, Configuring and Troubleshooting Intrusion Prevention System (IPS): Intrusion detection and prevention systems provide a level of protection beyond the firewall by securing the network against internal and external attacks and threats. This chapter describes the integration of Intrusion Prevention System (IPS) features within the Cisco ASA and provides expert guidance on how to configure the AIP-SSM IPS software. Troubleshooting scenarios are also included to enhance learning.

Chapter 13, Tuning and Monitoring IPS: This chapter covers the IPS tuning process, as well as best practices on how to monitor IPS events.
Part IV, Content Security, includes the following chapters:
Chapter 14, Configuring Cisco Content Security and Control Security Services Module: The Content Security and Control Security Services Module (CSC-SSM) is used to detect and take action on viruses, worms, Trojans, and other security threats. It supports the inspection of SMTP, POP3, HTTP, and FTP network traffic. This chapter provides configuration and troubleshooting guidelines to successfully deploy the CSC-SSM within your organization.

Chapter 15, Monitoring and Troubleshooting the Cisco Content Security and Control Security Services Module: This chapter provides best practices and methodologies used while monitoring the CSC-SSM and troubleshooting any problems you may encounter.
Part V, Virtual Private Network (VPN) Solutions, includes the following chapters:
Chapter 16, Site-to-Site IPsec VPNs: The Cisco ASA supports IPsec VPN features that enable you to connect networks in different geographic locations. This chapter provides configuration and troubleshooting guidelines to successfully deploy site-to-site IPsec VPNs.

Chapter 17, IPsec Remote-Access VPNs: This chapter discusses two IPsec remote-access VPN solutions (Cisco IPsec and L2TP over IPsec) that are supported on the Cisco ASA. A large number of sample configurations and troubleshooting scenarios are provided.

Chapter 18, Public Key Infrastructure (PKI): This chapter starts by introducing PKI concepts. It then covers the configuration and troubleshooting of PKI in the Cisco ASA.

Chapter 19, Clientless Remote-Access SSL VPNs: This chapter provides details about the Clientless SSL VPN functionality in the Cisco ASA. This chapter covers the Cisco Secure Desktop (CSD) solution in detail and also discusses the Host Scan feature that is used to collect posture information about end workstations. The dynamic access policy (DAP) feature, its usage, and detailed configuration examples are also provided. To reinforce learning, many different deployment scenarios are presented along with their configurations.

Chapter 20, Client-Based Remote-Access SSL VPNs: This chapter provides details about the AnyConnect SSL VPN functionality in the Cisco ASA.
Chapter 1
Introduction to Security Technologies
This chapter covers the following topics:
Firewalls
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
Monitoring and troubleshooting
The cost of reported computer and network security breaches at enterprises, schools, and government organizations has risen dramatically during the last several years. Both hints and detailed instructions for creating exploits to break into networks and computer systems are becoming more easily available on the Internet, consequently requiring network security professionals to carefully analyze which techniques they deploy to mitigate these risks.

Security threats vary from distributed denial-of-service (DDoS) attacks to viruses, worms, Trojan horses, and theft of information. These threats can easily destroy or corrupt vital data, requiring difficult and expensive remediation tasks to restore business continuity.

This chapter introduces the essentials of network security technologies and provides the necessary foundation for the technologies involved in the Cisco Adaptive Security Appliance (ASA) security features and solutions.
Firewalls

A detailed understanding of how firewalls and their related technologies work is extremely important for all network security professionals. This knowledge helps you to configure and manage the security of your networks accurately and effectively. The word firewall commonly describes systems or devices that are placed between a trusted and an untrusted network.
Several network firewall solutions offer user and application policy enforcement that provides protection against different types of security threats. They often provide logging capabilities that enable security administrators to identify, investigate, validate, and mitigate such threats.

Additionally, several software applications can run on a system to protect only that host. These types of applications are known as personal firewalls. This section includes an overview of network and personal firewalls and their related technologies.
Network Firewalls
Network-based firewalls provide key features used for perimeter security. The primary task of a network firewall is to deny or permit traffic that attempts to enter the network based on explicit preconfigured policies and rules. The processes used to allow or block traffic may include the following:
Simple packet-filtering techniques
Multifaceted application proxies
Stateful inspection systems
Network address translation
Packet-Filtering Techniques
The purpose of packet filters is simply to control access to specific network segments by defining which traffic can pass through them. They usually inspect incoming traffic at the network and transport layers (Layers 3 and 4) of the Open Systems Interconnection (OSI) model. For example, packet filters can analyze Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets and judge them against a set of predetermined rules called access control lists (ACLs). They inspect the following elements within a packet:
Source address
Destination address
Source port
Destination port
Protocol
Note Packet filters do not commonly inspect additional Layer 3 and Layer 4 fields such as sequence numbers, TCP control flags, and TCP acknowledgement (ACK) numbers.
Various packet-filtering firewalls can also inspect packet header information to find out whether the packet belongs to a new or an existing connection. Simple packet-filtering firewalls have several limitations and weaknesses:

Their ACLs or rules can be relatively large and difficult to manage.

They can be deceived into permitting unauthorized access by spoofed packets. Because the filter trusts the header alone, an attacker can craft a packet whose source IP address is one the ACL authorizes.

Numerous applications build multiple connections on arbitrarily negotiated ports. This makes it difficult to determine which ports will be selected and used until after the connection is established. Examples of this type of application are multimedia applications such as RealAudio, QuickTime, and other streaming audio and video applications. Packet filters do not understand the upper-layer protocols used by these applications, and supporting them is difficult because the ACLs must be manually configured, often with broad port ranges, in packet-filtering firewalls.
Application Proxies
Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients that are on a private or protected network. Clients on the protected network send connection requests to the application proxy to transfer data to the unprotected network or the Internet. The application proxy then sends the request on behalf of the internal client. The majority of proxy firewalls work at the application layer of the OSI model. Most proxy firewalls can cache information to accelerate their transactions, which is a great benefit for networks with numerous servers that experience high usage. Additionally, proxy firewalls can protect against some web server specific attacks; however, in most cases they do not provide any protection against flaws in the web application itself. Another disadvantage of application proxies is that they scale poorly, because every connection must be terminated and re-originated by the proxy, which makes them difficult to deploy in large environments.
Network Address Translation
Several Layer 3 devices can provide Network Address Translation (NAT) services. The Layer 3 device translates the internal hosts' private (or local) IP addresses to a publicly routable (or global) address. NAT is often used by firewalls; however, other devices such as routers and wireless access points also support NAT. By using NAT, the firewall hides the internal private addresses from the unprotected network and exposes only its own address or public range. This enables a network professional to use any IP address space as the internal network. A best practice is to use the address spaces that are reserved for private use (see RFC 1918, Address Allocation for Private Internets). Table 1-1 lists the private address ranges specified in RFC 1918.

Table 1-1 RFC 1918 Private Address Ranges

Network Address Range              Network/Mask
10.0.0.0 to 10.255.255.255         10.0.0.0/8
172.16.0.0 to 172.31.255.255       172.16.0.0/12
192.168.0.0 to 192.168.255.255     192.168.0.0/16
Figure 1-1 PAT Example (figure; text recovered from the diagram): Host A (10.10.10.8) on the inside network 10.10.10.0/24 sends a packet to the web server 209.165.200.232 on the outside. Before translation: source address 10.10.10.8, source port 1024, destination address 209.165.200.232, destination port 80. After the ASA performs Port Address Translation (PAT): source address 209.165.200.228, source port 1188, destination address 209.165.200.232, destination port 80.
It is important to think about the different private address spaces when you plan your network (for example, the number of hosts and subnets that can be configured). Careful planning and preparation leads to substantial time savings if changes are encountered down the road.

Tip The whitepaper titled A Security-Oriented Approach to IP Addressing provides numerous tips on planning and preparing your network IP address scheme. This whitepaper is posted at the following link:
http://www.cisco.com/web/about/security/intelligence/security-for-ip-addr.html
Port Address Translation
Firewalls commonly perform a technique called Port Address Translation (PAT). This feature is a subset of the NAT feature that allows many devices on the internal protected network to share one IP address by rewriting the Layer 4 information in the packet. This address is usually the firewall's public address; however, it can be configured to any other available public IP address. Figure 1-1 shows how PAT works.

As illustrated in Figure 1-1, several hosts on a protected network labeled inside are configured with an address from the network 10.10.10.0 with a 24-bit subnet mask. The ASA is performing PAT for the internal hosts and translating the 10.10.10.x addresses into its own address (209.165.200.228). In this example, Host A sends a TCP port 80 packet to the web server located in the outside unprotected network. The ASA translates the request from the original 10.10.10.8 IP address of Host A to its own address. Because many inside hosts share that one address, the ASA also assigns a unique Layer 4 source port to each connection when forwarding the request to the web server, and uses that port to map the reply back to the right inside host. The TCP source port is modified from 1024 to 1188 in this example.
Static Translation
A different methodology is used when hosts in the unprotected network need to initiate a new connection to specific hosts behind the NAT device. You do so by creating a static one-to-one mapping of a public (global) IP address to the address of the internal (local) protected device. For example, static NAT can be configured when a web server resides on the internal network and has a private IP address but needs to be contacted by hosts located in the unprotected network or the Internet. Figure 1-2 demonstrates how static translation works.

In Figure 1-2, the web server address (10.10.10.230) is statically translated to an address in the outside network (209.165.200.230, in this case). This allows the outside host to initiate a connection to the web server by directing the traffic to 209.165.200.230. The device performing NAT then translates and sends the request to the web server on the inside network.
Figure 1-2 Example of Static Translation (figure; text recovered from the diagram): the inside web server 10.10.10.230 is statically translated to 209.165.200.230; the ASA's outside address is 209.165.200.228. An outside host (209.165.200.240) sends a packet with source address 209.165.200.240 and destination address 209.165.200.230; after translation, the packet delivered on the inside carries source address 209.165.200.240 and destination address 10.10.10.230.

Figure 1-3 Firewall DMZ Configurations (figure; text recovered from the diagram): a Cisco ASA with interfaces to the Internet, the internal network, DMZ 1, and DMZ 2, with a business partner connected through DMZ 2.
Address translation is not limited to firewalls. Nowadays, all sorts of lower-end network devices, such as simple small office/home office (SOHO) routers and wireless access points, can perform different NAT techniques.
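The PAT and static-translation behaviour from Figures 1-1 and 1-2, as an added example that is not part of the book and not Cisco's implementation: a small translator that keeps the two tables an ASA needs (a dynamic xlate table for PAT and a static one-to-one map) and replays the book's addresses through it. The Translator class, the port-pool rule and the demo() function are constructed for this example; the ASA chooses global ports by its own rules.

```python
from collections import namedtuple

# Five-tuple as seen on the wire. All values below are constructed for this example.
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")


class Translator:
    """Models one ASA interface pair: PAT for ordinary inside hosts plus
    static one-to-one NAT for servers that outside hosts must reach."""

    def __init__(self, outside_ip, static_map=None, pat_port_range=(1024, 65535)):
        self.outside_ip = outside_ip
        self.static = dict(static_map or {})            # inside address -> global address
        self.static_rev = {g: l for l, g in self.static.items()}
        self.xlate = {}                                  # (proto, inside ip, port) -> global port
        self.xlate_rev = {}                              # (proto, global port) -> (inside ip, port)
        self.next_port, self.last_port = pat_port_range  # assumed pool; the ASA picks its own

    def outbound(self, pkt):
        """Inside -> outside: return the packet as the outside network sees it."""
        if pkt.src_ip in self.static:                    # static mapping keeps the source port
            return pkt._replace(src_ip=self.static[pkt.src_ip])
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.xlate:                        # new flow: allocate an unused global port
            while (pkt.proto, self.next_port) in self.xlate_rev:
                self.next_port += 1
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            self.xlate[key] = self.next_port
            self.xlate_rev[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return pkt._replace(src_ip=self.outside_ip, src_port=self.xlate[key])

    def inbound(self, pkt):
        """Outside -> inside: return the translated packet, or None if there is
        nothing to map it to (an unsolicited packet to the PAT address is dropped)."""
        if pkt.dst_ip in self.static_rev:                # outside may initiate to a static host
            return pkt._replace(dst_ip=self.static_rev[pkt.dst_ip])
        if pkt.dst_ip == self.outside_ip:
            inside = self.xlate_rev.get((pkt.proto, pkt.dst_port))
            if inside is not None:                       # reply to a flow an inside host opened
                return pkt._replace(dst_ip=inside[0], dst_port=inside[1])
        return None


def demo():
    """Walk through Figures 1-1 and 1-2 with the book's addresses."""
    # Pool starts at 1188 only so the first translation matches Figure 1-1.
    asa = Translator("209.165.200.228",
                     static_map={"10.10.10.230": "209.165.200.230"},
                     pat_port_range=(1188, 65535))
    web = "209.165.200.232"
    # Figure 1-1: Host A and a second inside host both use source port 1024;
    # PAT keeps them apart by giving each flow its own global port.
    host_a = asa.outbound(Packet("tcp", "10.10.10.8", 1024, web, 80))
    host_b = asa.outbound(Packet("tcp", "10.10.10.9", 1024, web, 80))
    reply_a = asa.inbound(Packet("tcp", web, 80, host_a.src_ip, host_a.src_port))
    # Figure 1-2: an outside host initiates to the statically translated web server.
    to_server = asa.inbound(Packet("tcp", "209.165.200.240", 40000, "209.165.200.230", 80))
    # No xlate entry exists for this destination port, so the ASA has nowhere to send it.
    stray = asa.inbound(Packet("tcp", "209.165.200.240", 40001, "209.165.200.228", 3389))
    return {"host_a": host_a, "host_b": host_b, "reply_a": reply_a,
            "to_server": to_server, "stray": stray}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

The second inside host shows why PAT has to look at Layer 4: both hosts happen to use source port 1024, and only the distinct global ports (1188 and 1189) let the reply be routed back to the right one. The stray packet to the PAT address on port 3389 is the practical security benefit of PAT: with no xlate entry it cannot be delivered to any inside host.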
Stateful Inspection Firewalls
Stateful inspection firewalls provide enhanced benefits when compared to simple packet-filtering firewalls. They track every connection passing through their interfaces and make sure each packet belongs to a valid, established connection. They examine not only the packet header contents but also the application layer information within the payload. Because the payload is examined, rules can be created on the firewall to permit or deny traffic based on specific payload patterns. A stateful firewall monitors the state of each connection and maintains a database with this information, usually called the state table. The state of a connection records whether the connection is being negotiated, has been established, or has been closed or reset; a packet that does not fit the recorded state (for example, an acknowledgement for a connection that was never opened) is dropped. These mechanisms offer protection against different types of network attacks, including the spoofing attacks that fool simple packet filters.
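The difference between the packet filter described earlier and a stateful firewall, as an added example that is not from the book: a stateless ACL check next to a connection table driven by a simplified TCP state machine, both fed the same constructed packets. The spoofed "reply" that the ACL has to admit (it needs an established-traffic hole for return packets) is dropped by the state table because no inside host ever sent a SYN. The state machine, flag handling and addresses are assumptions for the example; the ASA's connection tracking is richer.

```python
from collections import namedtuple

# Constructed packet: interface it arrived on, 4-tuple, and a set of TCP flags.
Packet = namedtuple("Packet", "iface src_ip src_port dst_ip dst_port flags")

INSIDE_NET = "10.10.10."   # crude prefix test standing in for 10.10.10.0/24


def packet_filter(pkt):
    """Stateless ACL. Inside hosts may reach any web server; from the outside
    only packets that look like web replies (source port 80, ACK set) are
    permitted, the 'established' hole a packet filter needs for return traffic."""
    if pkt.iface == "inside" and pkt.src_ip.startswith(INSIDE_NET) and pkt.dst_port == 80:
        return "permit"
    if (pkt.iface == "outside" and pkt.src_port == 80 and "ACK" in pkt.flags
            and pkt.dst_ip.startswith(INSIDE_NET)):
        return "permit"
    return "deny"


class StatefulFirewall:
    """Connection table keyed by the inside host's 4-tuple, driven by a
    simplified TCP state machine (an assumption; the ASA's is richer)."""

    def __init__(self):
        self.conns = {}

    @staticmethod
    def _key(pkt):
        # Both directions of one connection must share a key.
        if pkt.iface == "inside":
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def check(self, pkt):
        key = self._key(pkt)
        state = self.conns.get(key)
        if state is None:
            # Only an inside SYN that the policy permits may create a connection.
            if pkt.iface == "inside" and pkt.flags == {"SYN"} and packet_filter(pkt) == "permit":
                self.conns[key] = "SYN_SENT"
                return "permit"
            return "deny"              # anything else without a connection is dropped
        if state == "SYN_SENT" and pkt.iface == "outside" and pkt.flags == {"SYN", "ACK"}:
            self.conns[key] = "SYN_RCVD"
            return "permit"
        if state == "SYN_RCVD" and pkt.iface == "inside" and pkt.flags == {"ACK"}:
            self.conns[key] = "ESTABLISHED"
            return "permit"
        if state in ("ESTABLISHED", "CLOSING"):
            if "RST" in pkt.flags:
                del self.conns[key]    # reset: entry removed immediately
            elif "FIN" in pkt.flags:
                if state == "ESTABLISHED":
                    self.conns[key] = "CLOSING"   # half closed, other side may still send
                else:
                    del self.conns[key]           # second FIN: connection gone
            return "permit"
        return "deny"                  # packet does not fit the recorded state


def demo():
    fw = StatefulFirewall()
    web, host_a, attacker = "209.165.200.232", "10.10.10.8", "209.165.200.240"
    # Spoofed "reply": ACK set and source port 80, but no inside host ever sent a SYN.
    spoof = Packet("outside", attacker, 80, host_a, 1024, {"ACK"})
    results = {"acl_spoof": packet_filter(spoof), "state_spoof": fw.check(spoof)}
    # Legitimate three-way handshake from Host A to the web server.
    handshake = [
        Packet("inside", host_a, 1024, web, 80, {"SYN"}),
        Packet("outside", web, 80, host_a, 1024, {"SYN", "ACK"}),
        Packet("inside", host_a, 1024, web, 80, {"ACK"}),
    ]
    results["handshake"] = [fw.check(p) for p in handshake]
    results["state"] = fw.conns.get((host_a, 1024, web, 80))
    # After the server resets the connection, a late data packet is no longer accepted.
    fw.check(Packet("outside", web, 80, host_a, 1024, {"RST", "ACK"}))
    results["after_reset"] = fw.check(Packet("outside", web, 80, host_a, 1024, {"ACK"}))
    return results


if __name__ == "__main__":
    print(demo())
```

The ACL still decides who may open a connection (the state table consults it on the first SYN), but after that the state table, not the ACL, decides whether each packet is consistent with a connection that actually exists.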
Firewalls can be configured to separate multiple network segments (or zones), usually called demilitarized zones (DMZ). These zones provide security to the systems that reside within them, with different security levels and policies between them. DMZs can have several purposes; for example, they can serve as segments on which a web server farm resides or as extranet connections to a business partner. Figure 1-3 shows a firewall (a Cisco ASA in this case) with two DMZs.
DMZs minimize the exposure of devices and clients on your internal network by allowing only recognized and managed services on those hosts to be accessible from the Internet.

In Figure 1-3, DMZ 1 hosts web servers that are accessible by internal and Internet hosts. The Cisco ASA controls access from an extranet business partner connection on DMZ 2.

Note In large organizations, you can deploy multiple firewalls in different segments and DMZs.
Deep Packet Inspection
Several applications require special handling of data packets when they pass through firewalls. These include applications and protocols that embed IP addressing information in the data payload of the packet or open secondary channels on dynamically assigned ports. Sophisticated firewalls and security appliances such as the Cisco ASA, Cisco PIX firewall, and Cisco IOS firewall offer application inspection mechanisms to handle the embedded addressing information and allow the previously mentioned applications and protocols to work. Using application inspection, these security appliances can identify the dynamic port assignments and allow data exchange on these ports during a specific connection.

With deep packet inspection, firewalls can look at specific Layer 7 payloads to protect against security threats. For example, you can configure a Cisco ASA or a Cisco PIX firewall running version 7.0 or later to not allow peer-to-peer (P2P) applications to be tunneled over HTTP. You can also configure these devices to deny specific FTP commands, HTTP content types, and other application protocol elements.

Note The Cisco ASA and Cisco PIX firewall running version 7.0 or later provide a Modular Policy Framework (MPF) that offers a consistent and flexible way to apply application inspection and other features to specific traffic flows, in a manner similar to the Cisco IOS Software Modular quality of service (QoS) command-line interface (CLI).
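What the deep packet inspection described above actually does with the bytes, as an added example that is not from the book and not the ASA's inspection engine: a small Layer 7 inspector for traffic to TCP ports 80 and 21 that parses the HTTP request, refuses P2P tracker calls and unwanted upload content types, refuses non-HTTP bytes on port 80 (a protocol violation), and denies selected FTP commands. The policy regexes, content-type list, FTP command set and sample payloads are all constructed for this example; on an ASA the same intent is expressed with MPF inspection policy maps.

```python
import re

# Policy, constructed for this example. On an ASA the same intent is expressed
# with MPF inspection policy maps; the regexes and lists here are assumptions.
HTTP_DENY_URI = re.compile(r"^/announce\?.*info_hash=|^/scrape\?")        # BitTorrent tracker calls
HTTP_DENY_AGENT = re.compile(r"bittorrent|utorrent|azureus|kazaa|limewire", re.I)
HTTP_UPLOAD_CONTENT_TYPES = {"text/plain", "application/json",
                             "application/x-www-form-urlencoded", "multipart/form-data"}
FTP_DENY_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "SITE"}   # no uploads or deletes


def parse_http_request(payload):
    """Return (method, uri, headers) or None when the bytes are not an HTTP request."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), parts[1], headers


def inspect_http(payload):
    """Layer 7 checks on a request headed for TCP port 80."""
    req = parse_http_request(payload)
    if req is None:
        return "drop-connection: protocol violation"       # not HTTP at all, e.g. TLS or a tunnel
    method, uri, headers = req
    if HTTP_DENY_URI.search(uri) or HTTP_DENY_AGENT.search(headers.get("user-agent", "")):
        return "drop-connection: p2p over http"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method in ("POST", "PUT") and ctype not in HTTP_UPLOAD_CONTENT_TYPES:
        return "drop-connection: content-type %s not allowed" % (ctype or "<missing>")
    return "permit"


def inspect_ftp(payload):
    """Control-channel command on TCP port 21: a verb, optional argument, CRLF (RFC 959)."""
    verb = payload.split(b"\r\n", 1)[0].split(b" ", 1)[0].decode("ascii", "replace").upper()
    if verb in FTP_DENY_COMMANDS:
        return "reset: ftp command %s denied" % verb
    return "permit"


def inspect(dst_port, payload):
    """Dispatch on destination port; ports with no inspector are passed through."""
    return {80: inspect_http, 21: inspect_ftp}.get(dst_port, lambda _p: "permit")(payload)


# Constructed sample traffic.
SAMPLES = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"GET /announce?info_hash=%12%34&peer_id=abc HTTP/1.1\r\nHost: tracker.example\r\n\r\n"),
    (80, b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
         b"Content-Type: application/x-msdownload\r\nContent-Length: 3\r\n\r\nMZ\x90"),
    (80, b"\x16\x03\x01\x00\x05hello"),
    (21, b"STOR payload.exe\r\n"),
    (21, b"RETR readme.txt\r\n"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, inspect(port, data))
```

The protocol-violation branch is the one a packet filter can never have: a port-80 connection that does not carry HTTP is exactly how a tunnel or an encrypted P2P client hides behind an "allow web" rule, and only an inspector that parses the payload notices.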
Personal Firewalls
Personal firewalls are popular software applications that you can install on end-user machines or servers to protect them from external security threats and intrusions. The term personal firewall typically applies to basic software that can control Layer 3 and Layer 4 access to client machines. Today, sophisticated software is available that not only provides basic personal firewall features but also protects the system based on the behavior of the applications installed on it. An example of this type of software is the Cisco Security Agent (CSA), which provides several features that offer more robust security than a traditional personal firewall, such as host intrusion prevention and protection against spyware, viruses, worms, Trojans, and other types of malware.
Figure 1-4 IDS Example (figure; text recovered from the diagram): an attacker sends traffic toward the web servers; an IDS sensor monitoring the segment raises an alert to CS-MARS.
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
Intrusion detection systems (IDS) are devices that detect (in promiscuous mode) attempts from an attacker to gain unauthorized access to a network or a host, to cause performance degradation, or to steal information. They also detect distributed denial-of-service (DDoS) attacks, worms, and virus outbreaks. Figure 1-4 shows how an IDS device is configured to promiscuously detect security threats.

In Figure 1-4, an attacker sends a malicious packet to a web server. The IDS device analyzes a copy of the packet and sends an alert to a monitoring system (CS-MARS in this example). Because the sensor is not in the traffic path, the malicious packet still successfully arrives at the web server.

Intrusion prevention system (IPS) devices, on the other hand, are capable of detecting all these security threats, but because they sit inline they are also able to drop the malicious packets.

Figure 1-5 shows how an IPS device is placed inline and drops the noncompliant packet while sending an alert to the monitoring system.

Two different types of IPS exist:

Network-based (NIPS)

Host-based (HIPS)

Note Examples of NIPSs are the Cisco IPS 4200 sensors, the Catalyst 6500 IPS Module, and the Cisco ASA with the Advanced Inspection and Prevention Security Services Module (AIP-SSM). An example of a host-based IPS is the Cisco Security Agent (CSA).

The Cisco ASA 5500 Series IPS Solution provides intrusion prevention, firewall, and VPN in a single, easy-to-deploy platform. Intrusion prevention services enhance firewall protection by looking deeper into the flows to provide protection against threats and vulnerabilities. Detailed IPS configuration and troubleshooting methodologies are included in Chapter 12. Additionally, Chapter 13 includes information on tuning and monitoring IPS.
Figure 1-5 IPS Example (figure; text recovered from the diagram): the attacker's traffic toward the web servers passes through an inline IPS, which drops it and sends an alert to CS-MARS.
Network-based IDS and IPS use several detection methodologies, such as the following:
Pattern matching and stateful pattern-matching recognition
Protocol analysis
Heuristic-based analysis
Anomaly-based analysis
Pattern Matching and Stateful Pattern-Matching Recognition
Pattern matching is a methodology in which the intrusion detection device searches for a fixed sequence of bytes within the packets traversing the network. Generally, the pattern is tied to packets related to a specific service or, in particular, associated with a source and destination port. This approach reduces the amount of inspection made on every packet. However, it is limited to services and protocols that are associated with well-defined ports. Protocols that do not use any Layer 4 port information are not categorized. Examples of these protocols are Encapsulating Security Payload (ESP), Authentication Header (AH), and Generic Routing Encapsulation (GRE).

This tactic uses the concept of signatures. A signature is a set of conditions that point out some type of intrusion occurrence. For example, if a specific TCP packet has a destination port of 1234 and its payload contains the string ff11ff22, an alert is triggered when that string is detected. Alternatively, the signature could include an explicit starting point and endpoint for inspection within the specific packet.
The benefits of the plain pattern-matching technique include the following:

Direct correlation of an exploit to its pattern

Alerts trigger on the exact pattern specified

Can be applied across different services and protocols

One of the main disadvantages is that pattern matching can lead to a considerably high rate of false positives. False positives are alerts that do not represent genuine malicious activity. Conversely, any alteration to the attack (for example, splitting the pattern across packet boundaries) can cause real attacks to be overlooked; such missed events are referred to as false negatives.

To address some of these limitations, a more refined method was created. This methodology is called stateful pattern-matching recognition. It dictates that systems performing this type of signature analysis must consider the chronological order of packets in a TCP stream. In particular, they must reassemble and maintain a stateful inspection of such packets and flows.

The advantages of stateful pattern-matching recognition include the following:

It has the capability to directly correlate a specific exploit with a given pattern.

It supports all non-encrypted IP protocols.

Systems that perform stateful pattern matching keep track of the arrival order of non-encrypted packets and handle matching patterns across packet boundaries.

However, stateful pattern-matching recognition shares some of the same restrictions as the simple pattern-matching methodology discussed previously, including an uncertain rate of false positives and the possibility of some false negatives. Additionally, stateful pattern matching consumes more resources in the IPS device because it requires more memory and CPU processing.
Protocol Analysis
Protocol analysis (or protocol decode-based signatures) is often referred to as an extension of stateful pattern recognition. A network intrusion detection system (NIDS) accomplishes protocol analysis by decoding all protocol or client-server conversations. The NIDS identifies the elements of the protocol and analyzes them while looking for an infringement. Some intrusion detection systems look at explicit protocol fields within the inspected packets. Others require more sophisticated techniques, such as examination of the length of a field within the protocol or the number of arguments. For example, in SMTP, the device may look at specific commands and fields such as HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. This technique diminishes the possibility of encountering false positives if the protocol being analyzed is properly defined and enforced. On the other hand, the system can generate numerous false positives if the protocol definition is ambiguous or tolerates flexibility in its implementation.
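The SMTP example above carried through, as an added example that is not from the book: a decoder that walks the client side of a session, checks each command against the verbs it knows, the argument length the specification allows, and the expected command sequence, and reports every infringement with its line number. The verb table, the simplified state machine and the sample session are constructed for this example; the length limits follow RFC 5321 section 4.5.3.1.

```python
# Commands the decoder understands, with the longest argument the protocol allows.
# Limits follow RFC 5321 section 4.5.3.1 (domain 255 octets, path 256 octets);
# the set of verbs and the state machine are simplified assumptions.
SMTP_COMMANDS = {"HELO": 255, "EHLO": 255, "MAIL": 256, "RCPT": 256, "VRFY": 255,
                 "DATA": 0, "RSET": 0, "NOOP": 0, "QUIT": 0}
MAX_LINE = 512   # RFC 5321: command line limit, including CRLF


def analyze_smtp(client_lines):
    """Decode the client side of an SMTP session and return (line_no, finding)
    for every command that breaks the protocol definition."""
    findings = []
    state = "connected"
    for n, line in enumerate(client_lines, 1):
        if len(line) + 2 > MAX_LINE:               # +2 for the CRLF stripped by the caller
            findings.append((n, "command line exceeds %d bytes" % MAX_LINE))
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb not in SMTP_COMMANDS:
            findings.append((n, "unknown command %r" % verb))
            continue
        if len(arg) > SMTP_COMMANDS[verb]:
            findings.append((n, "%s argument of %d bytes exceeds protocol limit %d"
                             % (verb, len(arg), SMTP_COMMANDS[verb])))
        # Sequencing rules: HELO/EHLO, then MAIL, then one or more RCPT, then DATA.
        if verb in ("HELO", "EHLO"):
            state = "greeted"
        elif verb == "RSET" and state != "connected":
            state = "greeted"
        elif verb == "MAIL":
            if state != "greeted":
                findings.append((n, "MAIL before HELO/EHLO or inside a transaction"))
            state = "mail"
        elif verb == "RCPT":
            if state not in ("mail", "rcpt"):
                findings.append((n, "RCPT without MAIL"))
            state = "rcpt"
        elif verb == "DATA":
            if state != "rcpt":
                findings.append((n, "DATA without RCPT"))
            state = "greeted"
    return findings


# Constructed client session, lines without their trailing CRLF.
SAMPLE_SESSION = [
    "EHLO mail.example.com",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<" + "A" * 300 + "@victim.example>",   # overlong path: a classic overflow probe
    "DATA",
    "XEXCH50 2 2",                                  # verb the decoder does not know
    "QUIT",
]

if __name__ == "__main__":
    for line_no, finding in analyze_smtp(SAMPLE_SESSION):
        print(line_no, finding)
```

The unknown-verb finding illustrates the false-positive risk the text describes: XEXCH50 is not an infringement of SMTP, just an extension the decoder was never taught, so whether that finding is noise depends entirely on how completely the protocol is defined to the sensor.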
Heuristic-Based Analysis
A different approach to network intrusion detection is to perform heuristic-based analysis. Heuristic scanning uses algorithmic logic derived from statistical analysis of the traffic passing through the network. Its tasks are CPU and resource intensive, so this is an important consideration when planning your deployment. Heuristic-based algorithms may require fine tuning to adapt to network traffic and minimize the possibility of false positives. For example, a system signature can generate an alarm if a range of ports is scanned on a particular host or network. The signature can also be restricted to specific types of packets (for example, TCP SYN packets) so that ordinary traffic does not trigger it. Heuristic-based signatures call for more tuning and modification to respond well to their particular network environment.
Anomaly-Based Analysis
A different practice keeps track of network traffic that diverges from normal behavioral patterns. This practice is called anomaly-based analysis. The limitation is that what is considered to be normal must be defined. Systems and applications whose behavior can be easily classified as normal could be handled by heuristic-based systems.

However, it is sometimes challenging to classify a specific behavior as normal or abnormal, because of factors such as negotiated protocols and ports, specific application changes, and changes in the architecture of the network.

A variation of this type of analysis is profile-based detection. This allows systems to raise their alarms on alterations in the way that other systems or end users interact on the network.

Another kind of anomaly-based detection is protocol-based detection. This scheme is related to, but not to be confused with, the protocol-decode method. Protocol-based detection depends on a well-defined protocol specification and classifies as an anomaly any unexpected value or configuration within a field of that protocol, whereas the protocol-decode method looks for specific known infringements. For example, a buffer overflow attempt can be detected when a field in the inspected IP packets carries a value far longer than the protocol allows, or when specific strings characteristic of such attacks are detected within the payload.

Note A buffer overflow occurs when a program attempts to store more data in a temporary storage area within memory (a buffer) than it was designed to hold. This causes the excess data to overflow into an adjacent area of memory. An attacker can craft the data so that what lands in the adjacent memory is under the attacker's control; subsequently, when the corrupted data is used, the target computer executes the attacker's instructions and malicious commands.

Traditional IDS and IPS provide excellent application layer attack-detection capabilities. However, they do have a weakness: they cannot detect DDoS attacks in which the attacker uses valid packets. IDS and IPS devices are optimized for signature-based application layer attack detection. Another weakness is that these systems utilize specific signatures to identify malicious patterns, yet if a new threat appears on the network before a signature is created to identify the traffic, this leads to false negatives. An attack for which there is no signature is called a zero-day attack.
Although some IPS devices do offer anomaly-based capabilities, which are required to detect such attacks, they require extensive manual tuning and carry a major risk of generating false positives.

Tip Cisco IPS Software Version 6.x and later support more sophisticated anomaly detection techniques. More information can be obtained at http://www.cisco.com/go/ips.

You can use more elaborate anomaly-based detection systems to mitigate DDoS attacks and zero-day outbreaks. Typically, an anomaly detection system monitors network traffic and alerts or reacts to any sudden increase in traffic and any other anomalies. Cisco delivers a complete DDoS protection solution based on the principles of detection, diversion, verification, and forwarding to help ensure total protection. Examples of sophisticated anomaly detection systems are the Cisco Traffic Anomaly Detectors and the Cisco Guard DDoS Mitigation Appliances.

You can also use NetFlow as an anomaly detection tool. NetFlow is a Cisco proprietary protocol that provides detailed reporting and monitoring of IP traffic flows through a network device, such as a router, switch, or the Cisco ASA.

Note Refer to the Cisco Feature Navigator to find out in which Cisco IOS images NetFlow is supported. You can access this tool at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp.

NetFlow support was introduced in the Cisco ASA in software version 8.2.

NetFlow uses a UDP-based protocol to periodically report on flows seen by the Cisco IOS device. A flow consists of session setup, data transfer, and session teardown. You can also integrate NetFlow with the Cisco Security Monitoring, Analysis, and Response System (CS-MARS). When NetFlow is integrated with CS-MARS, you can use statistical profiling to take advantage of anomaly detection, which can pinpoint zero-day attacks such as worm outbreaks.
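Two of the detections described in this section run over flow records, as an added example that is not from the book and not CS-MARS code: the heuristic port-scan signature from the heuristic-based analysis section (alarm when one source probes many ports on one host, counting only TCP SYN flows), and a statistical profile of the kind just described for NetFlow with CS-MARS (alarm when a host's flows per minute jump far above its own learned baseline). The record format, thresholds and the constructed flows are assumptions; the worm burst at the end is invisible to the vertical-scan heuristic but caught by the profile, which is why the two methods complement each other.

```python
from collections import defaultdict
from statistics import mean, pstdev


def flow(t, src, dst, dport, proto="tcp", flags="S"):
    """One constructed flow record: start time (seconds), endpoints, server
    port, protocol and the TCP flags seen (NetFlow exports a similar tuple)."""
    return {"t": t, "src": src, "dst": dst, "dport": dport, "proto": proto, "flags": flags}


def detect_port_scan(flows, window=60, min_ports=20):
    """Heuristic: one source touching >= min_ports distinct ports on one host
    within a window. Only SYN-only TCP flows count, the restriction to
    specific packet types the text mentions, so normal traffic cannot trip it."""
    ports = defaultdict(set)                       # (src, dst, window) -> ports seen
    for f in flows:
        if f["proto"] == "tcp" and f["flags"] == "S":
            ports[(f["src"], f["dst"], f["t"] // window)].add(f["dport"])
    return sorted({(src, dst) for (src, dst, _), seen in ports.items() if len(seen) >= min_ports})


def detect_volume_anomaly(flows, interval=60, sigma=3.0, min_history=5):
    """Statistical profile: flows per interval per source host; an interval
    more than `sigma` standard deviations above that host's earlier intervals
    is an anomaly. Needs min_history intervals before it will alert."""
    per_src = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_src[f["src"]][f["t"] // interval] += 1
    alerts = []
    for src, buckets in per_src.items():
        history = []
        for bucket in sorted(buckets):
            count = buckets[bucket]
            if len(history) >= min_history:
                threshold = mean(history) + sigma * max(pstdev(history), 1.0)  # floor for flat baselines
                if count > threshold:
                    alerts.append((src, bucket, count))
            history.append(count)
    return alerts


def constructed_flows():
    """Constructed records: a vertical scan, a quiet client, then a worm burst."""
    flows = []
    for i in range(25):                            # scanner walks 25 ports on one server
        flows.append(flow(10 + i, "209.165.200.240", "10.10.10.8", 1 + i))
    for m in range(10):                            # normal client: three DNS lookups a minute
        for k in range(3):
            flows.append(flow(60 * m + k, "10.10.10.50", "10.10.10.1", 53, "udp", ""))
    for k in range(200):                           # minute 11: 200 SYNs to 200 neighbours on 445
        flows.append(flow(600 + k % 60, "10.10.10.50", "10.10.11.%d" % (1 + k), 445))
    return flows


if __name__ == "__main__":
    data = constructed_flows()
    print("port scans:", detect_port_scan(data))
    print("volume anomalies:", detect_volume_anomaly(data))
```

The tuning burden the text warns about shows up as the three knobs on each detector: lower min_ports or sigma and the quiet DNS client starts generating alerts; raise them and a slow scanner spread over several windows is missed.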
Virtual Private Networks

Organizations deploy VPNs to provide data integrity, authentication, and data encryption to assure confidentiality of the packets sent over an unprotected network or the Internet. VPNs are designed to avoid the cost of unnecessary leased lines.
Many different protocols are used for VPN implementations, including
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Forwarding (L2F) Protocol
Layer 2 Tunneling Protocol (L2TP)
Generic Routing Encapsulation (GRE) Protocol
Multiprotocol Label Switching (MPLS) VPN
Internet Protocol Security (IPsec)
Secure Sockets Layer (SSL)
Note L2F, L2TP, GRE, and MPLS VPNs do not by themselves provide data integrity, authentication, or data encryption. On the other hand, you can combine L2TP, GRE, and MPLS with IPsec to provide these benefits. Many organizations use IPsec as their preferred protocol because it supports all three of these features.
VPN implementations can be categorized into two distinct groups:
Site-to-site VPNs: Enable organizations to establish VPN tunnels between two or more network infrastructure devices in different sites so that they can communicate over a shared medium such as the Internet. Many organizations use IPsec, GRE, and MPLS VPN as site-to-site VPN protocols.

Remote-access VPNs: Enable users to work from remote locations such as their homes, hotels, and other premises as if they were directly connected to their corporate network.

Note Typically, site-to-site VPN tunnels are terminated between two or more network infrastructure devices, whereas remote-access VPN tunnels are formed between a VPN head-end device and an end-user workstation or hardware VPN client.

Figure 1-6 illustrates a site-to-site IPsec tunnel between two sites (corporate headquarters and a branch office).
-
14 Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance
[Figure 1-6 shows Corporate Headquarters and a Branch Office connected by an IPsec tunnel across the Internet.]
Figure 1-6 Site-to-Site VPN Example
Figure 1-7 shows an example of remote access VPN. In this example, a telecommuter uses IPsec VPN while a remote user from a hotel uses SSL VPN to connect to the corporate headquarters.
Technical Overview of IPSec
IPsec uses the Internet Key Exchange (IKE) Protocol to negotiate and establish secured site-to-site or remote access VPN tunnels. IKE is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP) and parts of two other key management protocols, namely Oakley and Secure Key Exchange Mechanism (SKEME).
Note IKE is defined in RFC 2409, The Internet Key Exchange.
ISAKMP has two phases. Phase 1 is used to create a secure bidirectional communication channel between the IPsec peers. This channel is known as the ISAKMP Security Association (SA). Phase 2 is used to negotiate the IPsec SAs.
[Figure 1-7 shows a Telecommuter reaching Corporate Headquarters over an IPsec tunnel and a Remote User at a Hotel reaching it over an SSL VPN tunnel, both across the Internet.]
Figure 1-7 Remote Access VPN Example
Phase 1
Within Phase 1 negotiation, several attributes are exchanged, including the following:
Encryption algorithms
Hashing algorithms
Diffie-Hellman groups
Authentication method
Vendor-specific attributes
The following are the typical encryption algorithms:
Data Encryption Standard (DES): 64 bits long
Triple DES (3DES): 168 bits long
Advanced Encryption Standard (AES): 128 bits long
AES 192: 192 bits long
AES 256: 256 bits long
Hashing algorithms include these:
Secure Hash Algorithm (SHA)
Message digest algorithm 5 (MD5)
The common authentication methods are preshared keys (where peers use a shared secret to authenticate each other) and digital certificates with the use of Public Key Infrastructure (PKI).
Note Typically, small and medium-sized organizations use preshared keys as their authentication mechanism. Several large organizations use digital certificates for scalability, for centralized management, and for the use of additional security mechanisms.
You can establish a Phase 1 SA in main mode or aggressive mode.
In main mode, the IPsec peers complete a six-packet exchange in three round trips to negotiate the ISAKMP SA, whereas aggressive mode completes the SA negotiation in three packet exchanges. Main mode provides identity protection if preshared keys are used. Aggressive mode provides identity protection only if digital certificates are used.
Note Cisco products that support IPsec typically use main mode for site-to-site tunnels and aggressive mode for remote-access VPN tunnels. This is the default behavior when preshared keys are used as the authentication method.
Figure 1-8 illustrates the six-packet exchange in main mode negotiation.
In Figure 1-8, two Cisco ASAs are configured to terminate a site-to-site VPN tunnel between them. The Cisco ASA labeled as ASA-1 is the initiator, and ASA-2 is the responder. The following are the steps illustrated in Figure 1-8.
Step 1. ASA-1 (the initiator) has two ISAKMP proposals configured. In the first packet, ASA-1 sends its configured proposals to ASA-2.
[Figure 1-8 shows ASA-1 (initiator) and ASA-2 (responder) running IKE. The proposal boxes in the figure read DES/MD5/DH1/preshared, DES/MD5/DH1/preshared, and 3DES/SHA/DH2/preshared. Packet 1: HDR, SA proposal. Packet 2: HDR, SA choice (Phase 1 SA parameter negotiation complete). Packet 3: HDR, KEi, Noncei. Packet 4: HDR, KEr, Noncer (Diffie-Hellman key exchange; SKEYID derived). Packet 5: HDR*, IDi, HASHi. Packet 6: HDR*, IDr, HASHr (IDs are exchanged and HASH is verified). *These two packets are encrypted.]
Figure 1-8 IKE Negotiation
Step 2. ASA-2 evaluates the received proposal. Because it has a proposal that matches the offer of the initiator, ASA-2 sends the accepted proposal back to ASA-1 in the second packet.
Step 3. Diffie-Hellman exchange and calculation is started. Diffie-Hellman is a key agreement protocol that enables two users or devices to authenticate each other's pre-shared keys without actually sending the keys over the unsecured medium. ASA-1 sends the Key Exchange (KE) payload and a randomly generated value called a nonce.
Step 4. ASA-2 receives the information and reverses the equation, using the proposed Diffie-Hellman group/exchange to generate the SKEYID. The SKEYID is a string derived from secret material that is known only to the active participants in the exchange.
Step 5. ASA-1 sends its identity information. The fifth packet is encrypted with the keying material derived from the SKEYID. The asterisk in Figure 1-8 is used to illustrate that this packet is encrypted.
Step 6. ASA-2 validates the identity of ASA-1, and ASA-2 sends its own identity information to ASA-1. This packet is also encrypted.
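The key-exchange and identity steps above (packets 3 through 6), as an added Python example that is not from the book. It uses the 1024-bit Diffie-Hellman group 2 prime from RFC 2409 and the RFC 2409 pre-shared-key formulas for SKEYID, SKEYID_d/_a/_e and HASH_I; the SA payload body and the ID payload are constructed placeholders, not real ISAKMP encodings. It shows that both peers compute the same g^xy regardless of their keys, and that a mismatched pre-shared key is only noticed when the responder fails to verify HASH_I in packet 5.

```python
import hashlib
import hmac
import secrets

# Diffie-Hellman group 2: the 1024-bit MODP prime listed in RFC 2409, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
# Constructed stand-ins for the SA payload body and the initiator ID payload (not real encodings).
SA_I_BODY = b"proposal:3DES-SHA-DH2-preshared"
ID_I = b"ipv4:192.0.2.1"


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for the SHA hash attribute: HMAC-SHA1 (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_keys(psk, gxy, ni, nr, cky_i, cky_r):
    """SKEYID for pre-shared-key authentication, then SKEYID_d/_a/_e (RFC 2409 section 5)."""
    skeyid = prf(psk, ni + nr)                       # PSK and nonces only; g^xy enters below
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")              # seeds IPsec keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # ISAKMP auth key
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # ISAKMP cipher key
    return skeyid, skeyid_d, skeyid_a, skeyid_e


class Peer:
    """One IKE peer: ISAKMP cookie, pre-shared key, DH private value and nonce."""

    def __init__(self, psk: bytes):
        self.cookie, self.psk = secrets.token_bytes(8), psk
        self.x = secrets.randbelow(P - 2) + 1
        self.nonce = secrets.token_bytes(20)
        self.gx = pow(G, self.x, P).to_bytes(128, "big")   # KE payload, packets 3 and 4

    def shared_secret(self, peer_gx: bytes) -> bytes:
        return pow(int.from_bytes(peer_gx, "big"), self.x, P).to_bytes(128, "big")


def main_mode_packets_3_to_6(initiator_psk: bytes, responder_psk: bytes) -> bool:
    """Packets 3 and 4 (KE, nonce) and packet 5 (ID_i, HASH_I). Returns True when the
    responder's recomputed HASH_I matches, which is what allows packet 6 to be sent."""
    asa1, asa2 = Peer(initiator_psk), Peer(responder_psk)
    gxy = asa1.shared_secret(asa2.gx)           # both sides obtain the same g^xy ...
    assert gxy == asa2.shared_secret(asa1.gx)
    # ... but each derives SKEYID from its own copy of the pre-shared key.
    skeyid_1 = derive_keys(asa1.psk, gxy, asa1.nonce, asa2.nonce, asa1.cookie, asa2.cookie)[0]
    skeyid_2 = derive_keys(asa2.psk, gxy, asa1.nonce, asa2.nonce, asa1.cookie, asa2.cookie)[0]
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b), carried in packet 5.
    hash_input = asa1.gx + asa2.gx + asa1.cookie + asa2.cookie + SA_I_BODY + ID_I
    hash_i = prf(skeyid_1, hash_input)
    return hmac.compare_digest(prf(skeyid_2, hash_input), hash_i)
```

In a real exchange packets 5 and 6 are encrypted under a key taken from SKEYID_e, so a key mismatch typically shows up on the responder as a failed decryption or hash check rather than a clean error message.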
Note IKE uses UDP port 500 for communication. UDP port 500 is used to send all the packets described in the previous steps.
Phase 2
Phase 2 is used to negotiate the IPsec SAs. This phase is also known as quick mode. The ISAKMP SA protects the IPsec SAs because all payloads are encrypted except the ISAKMP header.
A single IPsec SA negotiation always creates two security associations: one inbound and one outbound. Each SA is assigned a unique security parameter index (SPI) value, one by the initiator and the other by the responder.
Tip The security protocols (AH or ESP) are Layer 3 protocols and do not have Layer 4 port information. If an IPsec peer is behind a PAT device, the ESP or AH packets are typically dropped. To work around this, many vendors, including Cisco Systems, use a feature called IPsec pass-thru. The PAT device that is IPsec pass-thru capable builds the Layer 4 translation table by looking at the SPI values on the packets.
Many industry vendors, including Cisco Systems, implement another new feature called NAT Traversal (NAT-T). With NAT-T, the VPN peers dynamically discover whether an address translation device exists between them. If they detect a NAT/PAT device, they use UDP port 4500 to encapsulate the data packets, subsequently allowing the NAT device to successfully translate and forward the packets.
Another interesting point is that if the VPN router needs to connect multiple networks over the tunnel, it needs to negotiate twice as many IPsec SAs. Remember, each IPsec SA is unidirectional, so if three local subnets need to go over the VPN tunnel to talk to the remote network, then six IPsec SAs are negotiated. IPsec can use quick mode to negotiate these multiple Phase 2 SAs, using the single pre-established ISAKMP SA. The number of IPsec SAs can be reduced, however, if source and/or destination networks are summarized.
Many different IPsec attributes are negotiated in quick mode, as shown in Table 1-3.
In addition to generating the keying material, quick mode also negotiates identity information. The Phase 2 identity information specifies what network, protocol, and/or port number to encrypt. Hence, the identities can vary anywhere from an entire network to a single host address, allowing a specific protocol and port.
Figure 1-9 illustrates the Phase 2 negotiation between the two routers that just completed Phase 1.
[Figure 1-9 shows ASA-1 (initiator) and ASA-2 (responder), each configured with ESP/3DES/SHA, in Phase 2 Quick Mode. Packet 1: HDR*, HASH1, SA proposal, Nonce i, [KEi], [IDci, IDcr]. Packet 2: HDR*, HASH2, SA proposal, Nonce r, [KEr], [IDci, IDcr]. Packet 3: HDR*, HASH.]
Figure 1-9 IPsec Phase 2 Negotiation
The following are the steps illustrated in Figure 1-9.
Step 1. ASA-1 sends the identity information, IPsec SA proposal, nonce payload, and (optional) Key Exchange (KE) payload if Perfect Forward Secrecy (PFS) is used. PFS is used to provide additional Diffie-Hellman calculations.
Step 2. ASA-2 evaluates the received proposal against its configured proposal and sends the accepted proposal back to ASA-1, along with its identity information, nonce payload, and the optional KE payload.
Step 3. ASA-1 evaluates the ASA-2 proposal and sends a confirmation that the IPsec SAs have been successfully negotiated. This starts the data encryption process.
Table 1-3 IPsec Attributes
Attribute                            Possible Values
Encryption                           None, DES, 3DES, AES128, AES192, AES256
Hashing                              MD5, SHA, or null
Identity information                 Network, protocol, port number
Lifetime                             120 to 2,147,483,647 seconds; 10 to 2,147,483,647 kilobytes
Mode                                 Tunnel or transport
Perfect Forward Secrecy (PFS) group  None, 1, 2, or 5
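How quick mode turns the Phase 1 result into per-SA keys, as an added Python example that is not from the book. It implements the RFC 2409 KEYMAT expansion for the ESP/3DES/SHA proposal of Figure 1-9 and Table 1-3: each of the two SAs is keyed with its own SPI, so inbound and outbound keys differ, and the optional PFS Diffie-Hellman secret, when negotiated, is mixed into the derivation. SKEYID_d, the nonces, the SPIs and the PFS secret are constructed sample values.

```python
import hashlib
import hmac

# ISAKMP DOI protocol identifier mixed into KEYMAT (RFC 2407): ESP is 3, AH is 2.
PROTO_IPSEC_ESP = b"\x03"
# Key lengths for the proposal in Figure 1-9: 3DES cipher key and HMAC-SHA1 key, in bytes.
CIPHER_KEY_LEN, AUTH_KEY_LEN = 24, 20


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for the SHA hash attribute: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
           length: int, gqm_xy: bytes = b"") -> bytes:
    """Expand quick mode keying material for one IPsec SA (RFC 2409 section 5.5).

    gqm_xy is the fresh Diffie-Hellman secret from the optional KE payload and is
    empty when PFS was not negotiated. KEYMAT = K1 | K2 | ... where
    K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b) and
    Kn = prf(SKEYID_d, K(n-1) | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    """
    seed = gqm_xy + PROTO_IPSEC_ESP + spi + ni + nr
    blocks = [prf(skeyid_d, seed)]
    while sum(len(b) for b in blocks) < length:
        blocks.append(prf(skeyid_d, blocks[-1] + seed))
    return b"".join(blocks)[:length]


def esp_sa_keys(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
                gqm_xy: bytes = b"") -> dict:
    """Split KEYMAT into the cipher key and the authentication key of one ESP SA."""
    km = keymat(skeyid_d, spi, ni, nr, CIPHER_KEY_LEN + AUTH_KEY_LEN, gqm_xy)
    return {"cipher": km[:CIPHER_KEY_LEN], "auth": km[CIPHER_KEY_LEN:]}


def quick_mode_sa_pair(skeyid_d: bytes, spi_i: bytes, spi_r: bytes,
                       ni: bytes, nr: bytes, gqm_xy: bytes = b"") -> dict:
    """One quick mode exchange yields two SAs. Each is keyed with the SPI its receiver
    chose: spi_i protects traffic toward ASA-1, spi_r traffic toward ASA-2."""
    return {
        "toward_initiator": esp_sa_keys(skeyid_d, spi_i, ni, nr, gqm_xy),
        "toward_responder": esp_sa_keys(skeyid_d, spi_r, ni, nr, gqm_xy),
    }


# Constructed sample values; real peers take SKEYID_d from Phase 1 and pick random SPIs.
SKEYID_D = hashlib.sha1(b"constructed skeyid_d").digest()
SPI_I, SPI_R = bytes.fromhex("0a1b2c3d"), bytes.fromhex("4e5f6071")
NI, NR = b"\x11" * 20, b"\x22" * 20
PFS_SECRET = hashlib.sha256(b"constructed g(qm)^xy").digest()
```

Without PFS every Phase 2 key is a function of SKEYID_d and the exchanged nonces and SPIs alone, which is why a compromised Phase 1 SA exposes all IPsec SAs negotiated under it; with PFS each quick mode adds a secret that Phase 1 never held.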
IPsec uses two different protocols to encapsulate the data over a VPN tunnel:
Encapsulation Security Payload (ESP): IP Protocol 50
Authentication Header (AH): IP Protocol 51
Note ESP is defined in RFC 4303, IP Encapsulating Security Payload (ESP), and AH is defined in RFC 4305, IP Authentication Header.
IPsec can use two modes with either AH or ESP:
Transport mode: Protects upper-layer protocols, such as User Datagram Protocol (UDP) and TCP
Tunnel mode: Protects the entire IP packet
Transport mode is used to encrypt and authenticate the data packets between the peers. A typical example of this is the use of GRE over an IPsec tunnel. Tunnel mode is used to encrypt and authenticate the IP packets when they are originated by the hosts connected behind the Virtual Private Network (VPN) device. Tunnel mode adds an additional IP header to the packet, as illustrated in Figure 1-10.
Figure 1-10 demonstrates the major difference between transport and tunnel mode. It includes an example of an IP packet encapsulated in GRE and the difference when it is encrypted in transport mode and tunnel mode. As demonstrated in Figure 1-10, tunnel mode increases the overall size of the packet in comparison to transport mode.
[Figure 1-10 shows four packet layouts.
Original Packet: IP Hdr 1 | TCP Hdr | Data
GRE Encapsulation: IP Hdr 2 | GRE Hdr | IP Hdr 1 | TCP Hdr | Data
GRE Over IPsec, Transport Mode: IP Hdr 2 | ESP Hdr | GRE Hdr | IP Hdr 1 | TCP Hdr | Data (GRE Hdr through Data encrypted)
GRE Over IPsec, Tunnel Mode: IP Hdr 3 | ESP Hdr | IP Hdr 2 | GRE Hdr | IP Hdr 1 | TCP Hdr | Data (IP Hdr 2 through Data encrypted)]
Figure 1-10 Transport vs. Tunnel Mode
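The four layouts of Figure 1-10 as an added Python example that is not from the book. It builds each layout field by field and also accounts for the ESP fields the figure leaves out (IV, padding to the cipher block, the pad-length/next-header trailer and the ICV), so the size difference between the two modes can be computed for a given payload. Header sizes are assumptions: 20-byte IP and TCP headers without options, a 4-byte GRE header, 3DES-CBC (8-byte IV and block size) and HMAC-SHA1-96 (12-byte ICV).

```python
IP_HDR, TCP_HDR, GRE_HDR = 20, 20, 4           # header sizes without options (assumed)
ESP_HDR, ESP_IV, ESP_ICV = 8, 8, 12            # SPI+sequence, 3DES-CBC IV, HMAC-SHA1-96 ICV
CIPHER_BLOCK = 8                               # 3DES block size; padding fills whole blocks


def esp_encapsulate(protected: list) -> list:
    """Wrap a list of (name, size) fields in ESP. The padding is chosen so that the
    protected data plus the 2-byte trailer (pad length, next header) is a whole
    number of cipher blocks; the ICV covers everything from the ESP header on."""
    body = sum(size for _, size in protected)
    pad = (-(body + 2)) % CIPHER_BLOCK
    return ([("ESP Hdr", ESP_HDR), ("ESP IV", ESP_IV)] + protected
            + [("ESP Pad", pad), ("ESP Trailer", 2), ("ESP ICV", ESP_ICV)])


def gre_over_ipsec(data_len: int, mode: str) -> list:
    """Return the on-the-wire layout of a GRE-encapsulated TCP segment protected by
    ESP in the requested mode, as the rows of Figure 1-10 show it."""
    original = [("IP Hdr 1", IP_HDR), ("TCP Hdr", TCP_HDR), ("Data", data_len)]
    gre = [("IP Hdr 2", IP_HDR), ("GRE Hdr", GRE_HDR)] + original
    if mode == "transport":
        # IP Hdr 2 stays in front; ESP protects only what follows it.
        return gre[:1] + esp_encapsulate(gre[1:])
    if mode == "tunnel":
        # The whole GRE packet is protected and a new outer header (IP Hdr 3) is added.
        return [("IP Hdr 3", IP_HDR)] + esp_encapsulate(gre)
    raise ValueError(f"unknown mode {mode!r}")


def total_len(fields: list) -> int:
    return sum(size for _, size in fields)


def encrypted_len(fields: list) -> int:
    """Bytes under the cipher: from the first field after the IV up to the trailer."""
    names = [n for n, _ in fields]
    start, end = names.index("ESP IV") + 1, names.index("ESP Trailer") + 1
    return sum(size for _, size in fields[start:end])
```

Because of block padding the extra cost of tunnel mode is not always exactly one 20-byte IP header; for a 100-byte payload the layouts below differ by 16 bytes, for an empty payload by 24, which matters when choosing a tunnel MTU.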
Note Tunnel mode is the default mode in Cisco IPsec devices.
SSL VPNs
SSL-based VPNs leverage the SSL protocol. SSL, also referred to as Transport Layer Security (TLS), is a matured protocol that has been in existence since the early 1990s. The Internet Engineering Task Force (IETF) created TLS to consolidate the different SSL vendor versions into a common and open standard.
One of the most popular features of SSL VPN is the capability to launch a browser such as Microsoft Internet Explorer and Firefox and simply connect to the address of the VPN device, as opposed to running a separate VPN client program to establish an IPsec VPN connection. In most implementations, a clientless solution is possible. Users can access corporate intranet sites, portals, and email from almost anywhere (even from an airport kiosk). Because most people allow SSL (TCP port 443) over their firewalls, it is unnecessary to open additional ports.
The most successful application running on top of SSL is HTTP because of the huge popularity of the World Wide Web. All the most popular web browsers in use today support HTTPS (HTTP over SSL/TLS). This ubiquity, if used in remote access VPNs, provides some appealing properties:
Secure communication using cryptographic algorithms: It offers confidentiality, integrity, and authentication.
Ubiquity: The ubiquity of SSL/TLS makes it possible for VPN users to remotely access corporate resources from anywhere, using any PC, without having to preinstall a remote access VPN client.
Low management cost: The clientless access makes this type of remote access VPN free of deployment costs and free of maintenance problems at the end-user side. This is a huge benefit for the IT management personnel, who would otherwise spend considerable resources to deploy and maintain their remote access VPN solutions.
Effective operation with a firewall and NAT: SSL VPN operates on the same port as HTTPS (TCP/443). Most Internet firewalls, proxy servers, and NAT devices have been configured to correctly handle TCP/443 traffic. Subsequently, there is no need for any special consideration to transport SSL VPN traffic over the networks. This has been viewed as a significant advantage over native IPsec VPN, which operates over IP protocol 50 (ESP) or 51 (AH), which in many cases needs special configuration on the firewall or NAT devices to let them pass through.
As SSL VPN evolves to fulfill another important requirement of remote access VPN, namely the requirement of supporting any application, some of these properties are no longer true, depending on which SSL VPN technology the VPN users choose. But overall, these properties are the main drivers for the popularity of SSL VPN in recent years and are heavily marketed by SSL VPN vendors as the main reasons for IPsec replacement.
Today's SSL VPN technology uses SSL/TLS as secure transport and employs a heterogeneous collection of remote access technologies such as reverse proxy, tunneling, and terminal services to provide users with different types of access methods that fit different environments. Subsequent chapters examine some commonly used SSL VPN technologies, such as
Reverse proxy technology
Port-forwarding technology
SSL VPN tunnel client
Integrated terminal services
HTTPS provides secure web communication between a browser and a web server that supports the HTTPS protocol. SSL VPN extends this model to allow VPN users to access corporate internal web applications and other corporate application servers that might or might not support HTTPS, or even HTTP. SSL VPN does this by using several techniques that are collectively called reverse proxy technology.
A reverse proxy is a proxy server that resides in front of the application servers, normally web servers, and functions as an entry point for Internet users who want to access the corporate internal web application resources. To the external clients, a reverse proxy server appears to be the true web server. Upon receiving the user's web request, a reverse proxy relays the user request to the internal web server to fetch the content on behalf of the users and relays the web content to the user with or without additional modifications to the data being presented to the user.
Many web server implementations support reverse proxy. One example is the mod_proxy module in Apache. With so many implementations, you might wonder why you need an SSL VPN solution to have this functionality. The answer is that SSL VPN offers much more functionality than traditional reverse proxy technologies:
SSL VPN can transform complicated web and some non-web applications that simple reverse proxy servers cannot handle. The content transformation process is sometimes called webification. For example, SSL VPN solutions enable users to access Windows or UNIX file systems. The SSL VPN gateway needs to be able to communicate with internal Windows or UNIX servers and webify the file access in a web-browser-presentable format for the VPN users.
SSL VPN supports a wide range of business applications. For applications that cannot be webified, SSL VPN can use other resource access methods to support them. For users who demand ultimate access, SSL VPN can provide network-layer access to directly connect a remote system to the corporate network, in the same manner as an IPsec VPN.
SSL VPN provides a true remote access VPN package, including user authentication, resource access privilege management, logging and accounting, endpoint security, and user experience.
The reverse proxy mode in SSL VPN is also known as clientless web access or clientless access because it does not require any client-side applications to be installed on the client machine.
Note Configuration and troubleshooting of clientless remote access SSL VPN is covered in Chapter 19. Configuration and troubleshooting of client-based remote access SSL VPN is covered in Chapter 20.
Summary
Network security is a science that needs to be put into practice carefully. There are many different techniques at the disposal of a network administrator to prevent attackers from gaining access to private networks and computer systems. This chapter provides an overview of the different technologies, principles, and protocols related to the integrated features of Cisco ASA. An overview of different firewall technologies and implementations was covered in the beginning of the chapter, followed by the introduction of IDS and IPS solutions. At the end, a technical overview of site-to-site and remote access VPN technologies was discussed in detail.
Chapter 2
Cisco ASA Product and Solution Overview
This chapter covers the following topics:
Cisco ASA 5505 hardware overview
Cisco ASA 5510 hardware overview
Cisco ASA 5520 hardware overview
Cisco ASA 5540 hardware overview
Cisco ASA 5550 hardware overview
Cisco ASA 5580-20 hardware overview
Cisco ASA 5580-40 hardware overview
Cisco ASA AIP-SSM module overview
Cisco ASA CSC-SSM module overview
Deployment examples
The Cisco ASA 5500 Series Adaptive Security Appliances integrate firewall, IPS, and VPN capabilities, providing an all-in-one solution for your network. Incorporating all these solutions into Cisco ASA secures the network without the need for extra overlay equipment or network alterations. This is something that many Cisco customers and network professionals have requested in a security product.
There are several Cisco ASA 5500 Series models. These include
Cisco ASA 5505
Cisco ASA 5510
Cisco ASA 5520
Cisco ASA 5540
Cisco ASA 5550
Cisco ASA 5580-20
Cisco ASA 5580-40
This chapter provides an overview of the Cisco ASA 5500 Series Adaptive Security Appliance hardware, including performance and technical specifications. It also provides an overview of the Adaptive Inspection and Prevention Security Services Module (AIP-SSM), which is required for IPS features. Additionally, it introduces the Content Security and Control Security Services Module (CSC-SSM), designed to provide antivirus, anti-spyware, file blocking, anti-spam, anti-phishing, URL blocking/filtering, and content filtering. This chapter also discusses the Cisco ASA 4-Port Gigabit Ethernet Security Services Module (4GE SSM) that extends the number of physical interfaces in an appliance.
Cisco ASA 5505 Model
The Cisco ASA 5505 Adaptive Security Appliance is designed for small business, branch office, and telecommuting environments. Despite its small size, it provides firewall, SSL and IPsec VPN, and numerous networking services expected on a bigger appliance. Figure 2-1 shows the front view of the Cisco ASA 5505.
The front panel has the following components:
Step 1. USB Port: Reserved for future use.
Step 2. Speed and Link Activity LEDs: The Cisco ASA 5505 has a speed indicator LED and a separate link activity indicator LED for each of its eight ports. When the speed ind