CCNA Security Ch 9
Other access lists
- Extended: contains one or more ACEs to specify source and destination addresses and protocols, ports, or ICMP type. - EtherType: configured only if the security appliance is running in transparent mode.
ASA + AAA
ASA can be configured to authenticate using a local user database. Local AAA uses a local database for authentication and is ideal for small networks. Server-based AAA uses RADIUS or TACACS+.
Transparent mode
ASA is not considered a router hop. ASA is assigned an IP address on the local network for management. Simplifies network configuration. No support for dynamic routing protocols, VPNs, QoS or DHCP.
ASA Access lists
ASA supports different access lists: standard, web type, IPv6.
ASA NAT
ASA supports network address translation. Translates private IP network addresses into public IP addresses.
ASA firewall features.
ASA virtualisation. High availability with failover. Identity firewall.
ASA models
All models provide stateful firewall features; the difference between models is the traffic throughput that can be handled.
ASA 5505
An edge security device. Connects businesses to ISP devices for access to the internet. Can interconnect and protect server workstations, network printers, and IP phones.
Inspection engines
Application inspection engines are dependent on security levels. For interfaces with the same security level, the ASA inspects traffic in either direction.
Level 0 - 100
Assigned to a network DMZ.
Level 0
Assigned to an outside interface.
Level 100
Assigned to the most secure network, the inside interface.
Bidirectional NAT
Both inside NAT and outside NAT are used together.
ASA virtualisation
Can be partitioned into multiple virtual devices. Each virtual device is known as a security context. Each context is an independent device with its own security policy, interfaces and administrator.
Object groups
Can be used in an access control entry. Limitations of object groups: objects and object groups share the same namespace, so object groups must have unique names. An object group cannot be removed or emptied while it is used in a command. ASA does not support IPv6 object groups.
Classify traffic
Class maps identify the traffic on which to perform MPF actions. Create a Layer 3/4 class map that can contain multiple match criteria.
Service object
Contains a protocol and optional source and/or destination port. Configured using the object service command. Can group TCP and UDP ports into an object, and can contain a mix of TCP services and UDP services.
ACL
Control access in a network and prevent defined traffic from entering or exiting the network. Made up of access control entries, processed sequentially from the top down, with an implicit deny any at the bottom. Only one ACL can be applied per interface, per protocol, per direction.
DMZ
Demilitarized zone allows both inside and outside users access to protected network resources.
IPv6 Access list
Determines which traffic to block and which traffic to forward.
Application filtering
HTTP and FTP filtering is only applied on outbound connections from a higher to a lower interface security level. If communication is enabled for interfaces with the same security level, the traffic can be filtered in either direction.
ASA
Helps provide high-performance connectivity and protection for critical assets. ASA integrates firewall technology, IPS, high-performance VPNs with always-on remote access, and failover.
Inside NAT
A host on a higher security interface has traffic destined for a lower security interface, and the ASA translates the internal host address into a global address. The ASA then restores the original IP address for return traffic.
High availability with failover.
Identical ASAs can be paired into an active failover configuration for device redundancy.
Public network object
Identifies the public IP addresses to be translated to.
Standard access list
Identifies the destination IP address only; used for OSPF routes.
Network access
Implicit permit from a high security level to a low security level: hosts on a high security level interface can access hosts on a low security level interface. Multiple interfaces can have the same level. If communication is enabled for interfaces with the same security level, there is an implicit permit for traffic between those interfaces.
Interfaces
Interfaces have security levels. These enable the ASA to implement security policies. Resources that may be needed by outside users, such as a web or FTP server, can be located in a DMZ. Firewalls allow limited access to the DMZ while protecting the inside network.
To the box traffic filtering
Known as a management access rule. Applies to traffic terminating on the ASA. Filters traffic on the control plane.
User group
Locally created user groups as well as imported AD user groups.
Dynamic NAT
Many-to-many translation. An inside pool of addresses requiring public addresses from another pool. Identifies the internal addresses to be translated.
Dynamic PAT
Many-to-one translation. Known as NAT overload. An inside pool of private addresses overloading an outside interface or outside addresses.
MPF
Modular Policy Framework. Defines a set of rules for applying firewall features, traffic inspection and QoS to the traffic that traverses the ASA. Allows granular classification of traffic flows, so that advanced policies can be applied to different flows.
NAT and Network objects
A network object is required in the implementation of NAT on the ASA. A network object has only one entry: a host, a subnet, or a range of IP addresses. It can be used in a NAT implementation to indicate the pool of public addresses to be used for translation, or the range of internal hosts allowed to be translated.
Outside network
Network or zone that is outside the protection of the firewall. ASA treats a defined outside network as untrusted.
Inside network
Network or zone that is protected and behind the firewall. Firewalls protect inside networks from unauthorised access. They also protect users from each other and can keep users separate from one another. ASA treats inside interfaces as a trusted network.
NGFW
Next-generation firewalls. Deliver threat defence across the entire attack continuum.
Objects and groups
Objects are used in place of an inline IP address in any given configuration. An object can be defined with an IP address, subnet, range of addresses, protocol, specific port, or range of ports. Objects can be used in several configurations, including NAT and ACLs.
Static NAT
One-to-one translation. An outside address mapping to an internal server.
Outbound and Returning traffic
Outbound traffic is allowed and inspected by default. Returning traffic is allowed because of stateful packet inspection. Internal users on the inside interface can easily access resources in the DMZ and can initiate a connection to the interface with no restrictions.
Policy NAT
Policy-based NAT is based on a set of rules. The rules specify that only certain source addresses intended for specific destination addresses or specific ports will be translated.
Define actions
Policy maps define the actions. Create a policy map that can contain multiple class maps with associated actions.
Network Requirements of dynamic NAT
A pool of public addresses to which internal addresses can be translated, defined using the range or subnet command. Must also identify the internal addresses to be translated. The two network objects are then bound together using the nat dynamic command.
Identity firewall
Provides granular access control based on an association of IP addresses to Active Directory.
ASA Models
SOHO: 5505, 5506, 5512, 5515. Medium business: 5525, 5555. Data center: 5585.
Network object
A single IP address or subnet; can be a host, subnet, or range. Configured using the object network command. Host assigns an IP address to the named object. Subnet assigns a network subnet to the named object. Range assigns a range of IP addresses to the named object.
License
Specifies the options that are enabled on an ASA. Upgrading licenses supports higher connection capacity.
Threat control and containment services
Supports IPS features. Advanced IPS can only be used by integrating special hardware modules into the ASA architecture, using Advanced Inspection and Prevention modules. Antimalware capabilities are integrated using Content Security and Control.
ASA 5505
Supports three security features by default: intrusion prevention, stateful inspection, VPN concentrator.
Outside NAT
Traffic from a lower security interface destined for a host on a higher security interface must be translated. Makes a host located outside the internal network appear as one from a known internal IP address.
Security level rules
Traffic moving from an interface with a higher security level to an interface with a lower security level is outbound traffic. Traffic moving from an interface with a lower security level to an interface with a higher security level is considered inbound traffic.
Through traffic filtering
Traffic passing through the security appliance from one interface to another interface.
Routed mode
Two or more interfaces on separate networks. Routed mode supports multiple interfaces. Each interface is on a different subnet and requires an IP address on that subnet. The ASA is considered a router hop.
Firewall modes
Two types of firewall modes: routed mode, transparent mode.
ASA ACLs
Types of ASA ACL filtering: through traffic, to-the-box traffic.
Difference between IOS and ASA
To use a show command in global configuration mode, the ASA can run the command directly, whereas the router needs the 'do' command first.
ASA ACLs
Use the subnet mask when defining a network, whereas IOS ACLs use the wildcard mask.
Web type access list
Used for configurations that support clientless SSL VPN.
Security group
Used in features that support Cisco TrustSec.
Ether type ACL
Used only if the security appliance is running in transparent mode.
Security Levels
Used to distinguish between inside and outside networks. Security levels define the trustworthiness of an interface. The higher the level, the more trusted the interface. 0 = untrustworthy. 100 = very trustworthy.
Extended ACL
Used to specify the source and destination addresses and protocol ports, or the ICMP type.
Web type ACL
Used to support filtering for clientless SSL VPN.
Standard ACL
Used to identify the destination IP address only.
ICMP-type group
ICMP uses unique types to send control messages. Groups the necessary types required to meet an organisation's security needs.