CCNA Security Ch 9

Other Access lists

- Extended access list: contains one or more ACEs that specify source and destination addresses and protocols, ports, or ICMP type.
- EtherType access list: configured only if the security appliance is running in transparent mode.

ASA + AAA

The ASA can be configured to authenticate using a local user database. Local AAA uses a local database for authentication and is ideal for small networks. Server-based AAA uses RADIUS or TACACS+.

Transparent mode

The ASA is not considered a router hop. The ASA is assigned an IP address on the local network for management. Simplifies network configuration. No support for dynamic routing protocols, VPNs, QoS or DHCP.

ASA Access lists

The ASA supports several types of access lists: standard, web type and IPv6.

ASA NAT

The ASA supports network address translation, translating private IP network addresses into public IP addresses.

ASA firewall features

ASA virtualisation, high availability with failover, and identity firewall.

ASA models

All models provide stateful firewall features; the difference between models is the traffic throughput each can handle.

ASA 5505

An edge security device that connects businesses to ISP devices for access to the internet. It can interconnect and protect server workstations, network printers and IP phones.

Inspection engines

Application inspection engines depend on security levels. For interfaces with the same security level, the ASA inspects traffic in either direction.

Level 0 - 100

Assigned to a network DMZ.

Level 0

Assigned to an outside interface.

Level 100

Assigned to the most secure network, the inside interface.

Bidirectional NAT

Both inside NAT and outside NAT are used together.

ASA virtualisation

The ASA can be partitioned into multiple virtual devices, each known as a security context. Each context is an independent device with its own security policy, interfaces and administrator.

Object groups

Can be used in an access control entry. Limitations of object groups: objects and groups share the same name space, so object groups must have unique names; an object group cannot be removed or emptied while it is used in a command; the ASA does not support IPv6 object groups.

Classify traffic

Class maps identify the traffic on which to perform MPF. Create a Layer 3/4 class map that can contain multiple match criteria.

Service object

Contains a protocol and an optional source and/or destination port. Configured using the object service command. Can group TCP and UDP ports into an object, and can contain a mix of TCP services and UDP services.

ACL

Control access in a network by preventing defined traffic from entering or exiting the network. Made up of access control entries (ACEs), processed sequentially from the top down, with an implicit deny any at the bottom. Only one ACL can be applied per interface, per protocol, per direction.

DMZ

A demilitarized zone allows both inside and outside users access to protected network resources.

IPv6 Access list

Determines which traffic to block and which traffic to forward.

Application filtering

HTTP and FTP filtering are only applied on outbound connections, from a higher to a lower security level interface. If communication is enabled for interfaces with the same security level, traffic can be filtered in either direction.

ASA

Helps provide high-performance connectivity and protection for critical assets. The ASA integrates firewall technology, IPS, high-performance VPNs with always-on remote access, and failover.

Inside NAT

A host on a higher security interface has traffic destined for a lower security interface; the ASA translates the internal host address into a global address and then restores the original IP address for return traffic.

High availability with failover

Identical ASAs can be paired into an active failover configuration for device redundancy.

Public network object

Identifies the public IP addresses to be translated to.

Standard access list

Identifies the destination IP address; used for OSPF routes.

Network access

Implicit permit from a higher security level to a lower security level: hosts on a higher security interface can access hosts on a lower security interface. Multiple interfaces can have the same level. If communication is enabled for interfaces with the same security level, there is an implicit permit for traffic between those interfaces.

Interfaces

Interfaces have security levels, which enable the ASA to implement security policies. Resources that outside users may need, such as a web or FTP server, can be located in a DMZ. Firewalls allow limited access to the DMZ while protecting the inside network.

To the box traffic filtering

Known as a management access rule. Applies to traffic terminating on the ASA; filters traffic on the control plane.

User group

Locally created user groups as well as imported AD user groups.

Dynamic NAT

Many-to-many translation. An inside pool of addresses requiring public addresses from another pool. Identifies the internal addresses to be translated.

Dynamic PAT

Many-to-one translation, also known as NAT overload. An inside pool of private addresses overloading an outside interface or outside addresses.

MPF

Modular Policy Framework. Defines a set of rules for applying firewall features, traffic inspection and QoS to the traffic that traverses the ASA. Allows granular classification of traffic flows so that advanced policies can be applied to different flows.

NAT and Network objects

A network object is required to implement NAT on the ASA. A network object has only one entry: a host, a subnet, or a range of IP addresses. It can be used in a NAT implementation to indicate the pool of public addresses to use for translation or the range of internal hosts allowed to be translated.

Outside network

The network or zone outside the protection of the firewall. The ASA treats a defined outside network as untrusted.

Inside network

The network or zone that is protected and behind the firewall. Firewalls protect inside networks from unauthorised access and can also protect users from each other, keeping users separate from one another. The ASA treats inside interfaces as a trusted network.

NGFW

Next-generation firewalls deliver threat defence across the entire attack continuum.

Objects and groups

Objects are used in place of an inline IP address in any given configuration. An object can be defined with an IP address, a subnet, a range of addresses, a protocol, a specific port or a range of ports. Objects can be used in several configurations, such as NAT and ACLs.

Static NAT

One-to-one translation; an outside address mapping to an internal server.

Outbound and Returning traffic

Outbound traffic is allowed and inspected by default. Returning traffic is allowed because of stateful packet inspection. Internal users on the inside interface can easily access resources in the DMZ and can initiate a connection to that interface with no restrictions.

Policy NAT

Policy-based NAT is based on a set of rules. The rules specify that only certain source addresses intended for specific destination addresses or specific ports will be translated.

Define actions

Policy maps define the actions. Define a policy map: create a policy map that can contain multiple class maps with associated actions.

Network Requirements of dynamic NAT

A pool of public addresses to which internal addresses can be translated. Must identify the internal addresses to be translated and then bind the two objects together. Each is defined using the range or subnet command; the network objects are then bound together using the nat dynamic command.

Identity firewall

Provides granular access control based on the association of IP addresses to Active Directory users.

ASA Models

SOHO: 5505, 5506, 5512, 5515. Medium business: 5525, 5555. Data center: 5585.

Network object

A single IP address or subnet; can be a host, subnet or range. Configured using the object network command. host assigns an IP address to the named object; subnet assigns a network subnet to the named object; range assigns a range of IP addresses to the named object.

License

Specifies the options that are enabled on an ASA. Upgrading licences supports a higher connection capacity.

Threat control and containment services

Supports IPS features. Advanced IPS can only be used by integrating special hardware modules with the ASA architecture, using advanced inspection and prevention modules. Antimalware capabilities are integrated using the Content Security and Control module.

ASA 5505

Supports three security features by default: intrusion prevention, stateful inspection and VPN concentrator.

Outside NAT

Traffic from a lower security interface destined for a host on a higher security interface must be translated. Makes a host located outside the internal network appear as one from a known internal IP address.

Security level rules

Traffic moving from an interface with a higher security level to an interface with a lower security level is outbound traffic. Traffic moving from an interface with a lower security level to an interface with a higher security level is considered inbound traffic.

Through traffic filtering

Traffic passing through the security appliance from one interface to another interface.

Routed mode

Two or more interfaces on separate networks. Routed mode supports multiple interfaces; each interface is on a different subnet and requires an IP address on that subnet. The ASA is considered a router hop.

Firewall modes

Two types of firewall modes: routed mode and transparent mode.

ASA ACLs

Types of ASA ACL filtering: through traffic and to-the-box traffic.

Difference between IOS & ASA

In global configuration mode, the ASA can run a show command directly, whereas an IOS router needs the 'do' keyword first.

ASA ACLs

Use the subnet mask to define a network, whereas IOS ACLs use the wildcard mask.

Web type access list

Used for configurations that support clientless SSL VPN.

Security group

Used in features that support Cisco TrustSec.

EtherType ACL

Used only if the security appliance is running in transparent mode.

Security Levels

Used to distinguish between inside and outside networks. Security levels define the trustworthiness of an interface: the higher the level, the more trusted the interface. 0 = untrustworthy; 100 = very trustworthy.

Extended ACL

Used to specify the source and destination addresses and protocol ports, or the ICMP type.

Web type ACL

Used to support filtering for clientless SSL VPN.

Standard ACL

Used to identify the destination IP address only.

ICMP-type group

ICMP uses unique types to send control messages. Groups the necessary types required to meet an organisation's security needs.
