CNIT 221 Security 1 ver.2
Module 3
City College of San Francisco
Spring 2007
© 2004, 2005 Cisco Systems, Inc. All rights reserved.
Network Security 1
Module 3 – Security Devices
Learning Objectives
–3.1 Device Options
–3.2 Using Security Device Manager
–3.3 Introduction to the Cisco Security Appliance Family
–3.4 Getting Started with the PIX Security Appliance
–3.5 PIX Security Appliance Translations and Connections
–3.6 Manage a PIX Security Appliance with Adaptive Security Device Manager
–3.7 PIX Security Appliance Routing Capabilities
–3.8 Firewall Services Module Operation
Module 3 – Security Devices
3.1 Device Options
Sample Firewall Topology
[Diagram: firewall placed between the Outside and Inside networks]
IOS Firewall – Router as Firewall
[Diagram: Network Integrated Solutions. Security offerings: VPN, IPsec, PKI, ACL, IP Services, VoIP, Intrusion Protection, Firewall, CBAC Stateful Inspection, AAA, MPLS, NAT, Multicast, MSCHAPv2, V3PN, IDS, SSH, SSL, L2TP/EAP, 802.1X, Application Aware QoS, Netflow, IP Comp, Multiprotocol BGP, EIGRP, OSPF, DHCP/DNS, GRE. Secure Operating System Foundation: Device Access by Privilege Level, uRPF (Unicast Reverse Path Forward), Authentication per user via AAA, Activity Logging, SNMPv3, Command Authorization via AAA, HTTPS, Secure ARP.]
PIX Security Appliance Lineup
[Diagram: PIX 501, 506E, 515E, 525 and 535 plotted by Connectivity against Performance, spanning the SOHO, ROBO, SMB, Enterprise and Service Provider markets, with Gigabit Ethernet on the upper models. Common features: Stateful Inspection Firewall, Appliance is Hardened OS, IPSec VPN, Integrated Intrusion Detection, Hot Standby / Stateful Failover, Easy VPN Client/Server, VoIP Support.]
Adaptive Security Appliance Lineup
Catalyst Switch Integration
[Diagram: Security Services Modules bring appliance capabilities (Firewall, VPN, SSL, IDS, NAM) into the Cisco infrastructure.]
Module 3 – Security Devices
3.2 Using Security Device Manager
Security Device Manager (SDM)
Obtaining SDM
• SDM is factory loaded on supported routers manufactured as of June 2003.
• Always check www.cisco.com/go/sdm for the latest information regarding SDM support.
• SDM cannot be ordered independent of the router.
Startup Wizard: Welcome Window
SDM Main Window Layout and Navigation
[Screenshot: menu bar, toolbar, Router Information pane and Configuration Overview pane]
SDM Wizard Options
• LAN Configuration: Configure LAN interfaces and DHCP.
• WAN Configuration: Configure PPP, Frame Relay, and HDLC WAN interfaces.
• Firewall: Access two types of firewall wizards:
– Simple inside/outside.
– Advanced inside/outside/DMZ with multiple interfaces.
• VPN: Access three types of VPN wizards:
– Secure site-to-site VPN
– Easy VPN
– GRE tunnel with IPSec VPN
• Security Audit: Performs a router security audit and offers a button for router lockdown.
• IPS:
• QOS:
• Routing:
WAN Wizard: Create a New WAN Connection
Reset to Factory Default Wizard
Monitor Mode
[Screenshot: Overview, Interface Stats, Firewall Stats and VPN Stats views]
Monitor Interface Status
Monitor Firewall Status
Monitor VPN Status
Monitor Logging
Module 3 – Security Devices
3.3 Introduction to the Cisco Security Appliance Family
PIX Security Appliance Family
PIX Security Appliance 501 Front Panel LEDs
[Diagram: Power, VPN tunnel, Link/Act and 100 Mbps LEDs]
PIX Security Appliance 501 Back Panel
[Diagram: 4-port 10/100 switch (RJ-45), console port (RJ-45), 10BaseT port (RJ-45), security lock slot, power connector]
PIX Security Appliance 506E Front Panel LEDs
[Diagram: Network LED, Power LED, Active LED]
PIX Security Appliance 506E Back Panel
[Diagram: two 10BaseT ports (RJ-45), each with ACT(ivity) and LINK LEDs; power switch; USB port; console port (RJ-45)]
PIX Security Appliance 515E Front Panel LEDs
[Diagram: Network LED, Power LED, Active (failover firewall) LED]
PIX Security Appliance 515E Back Panel
[Diagram: 10/100BaseTX Ethernet 0 and Ethernet 1 ports (RJ-45), each with 100 Mbps, LINK and FDX LEDs; failover connector; console port (RJ-45); power switch]
PIX Security Appliance 515E Quad Card
Using the quad card requires the PIX Security Appliance 515E-UR license.
PIX Security Appliance 515E
Two Single-Port Connectors
Using two single-port connectors requires the PIX Security Appliance 515E-UR license.
PIX Security Appliance 525 Front Panel LEDs
[Diagram: Power LED, Active LED]
PIX Security Appliance 525 Back Panel
[Diagram: 10/100BaseTX Ethernet 0 and Ethernet 1 ports (RJ-45), each with 100Mbps, ACT(ivity) and LINK LEDs; USB port; failover connection; console port (RJ-45)]
PIX Security Appliance 535 Front Panel LEDs
[Diagram: Power and ACT LEDs]
PIX Security Appliance 535 Back Panel
[Diagram: DB-15 failover connector, USB port, RJ-45 console port, expansion slots 0 through 8]
ASA5510 Adaptive Security Appliance
• Up to five 10/100 Fast Ethernet interfaces
• Optional Security Services Module (SSM) slot which provides inline IPS.
• Throughput of 100 Mbps with the ability to handle up to 64,000 concurrent connections.
• Supports active/standby failover.
• Can deliver 150 Mbps IPS throughput when an AIP SSM model 10 is added to the appliance.
ASA5520 Adaptive Security Appliance
• Four 10/100/1000 Gigabit Ethernet interfaces
• Supports an SSM slot which provides inline IPS.
• Throughput of 200 Mbps with the ability to handle up to 130,000 concurrent connections.
• Supports active/standby and active/active failover.
• Can deliver 375 Mbps IPS throughput when an AIP SSM model 20 is added to the appliance.
ASA5540 Adaptive Security Appliance
• Four 10/100/1000 Gigabit Ethernet interfaces
• One 10/100 Fast Ethernet management interface
• Optional Security Services Module slot which provides inline IPS.
• Throughput of 400 Mbps with the ability to handle up to 280,000 concurrent connections.
• Can deliver 450 Mbps IPS throughput when an AIP SSM model 20 is added to the appliance.
Module 3 – Security Devices
3.4 Getting Started with the PIX Security Appliance
User Interface
• Unprivileged mode – This mode is available when the PIX is first accessed. The > prompt is displayed. This mode provides a restricted, limited view of PIX settings.
• Privileged mode – This mode displays the # prompt and enables users to change the current settings. Any unprivileged command also works in privileged mode.
• Configuration mode – This mode displays the (config)# prompt and enables users to change system configurations. All privileged, unprivileged, and configuration commands work in this mode.
• Monitor mode – This is a special mode that enables users to update the image over the network or to perform password recovery. While in monitor mode, users can enter commands specifying the location of the TFTP server and the PIX software image or password recovery binary file to download.
Security Levels
• Higher security level interface to a lower security level interface – For traffic originating from the inside interface of the PIX with a security level of 100 to the outside interface of the PIX with a security level of 0, all IP-based traffic is allowed unless it is restricted by ACLs, authentication, or authorization. ICMP does not follow this rule.
• Lower security level interface to a higher security level interface – For traffic originating from the outside interface of the PIX with a security level of 0 to the inside interface of the PIX with a security level of 100, all packets are dropped unless specifically allowed by an access-list command. The traffic can be restricted further if authentication and authorization are used.
• Same secure interface to a same secure interface – No traffic flows between two interfaces with the same security level unless specifically allowed by an access-list command or with the command:
Basic Commands
• hostname – Assigns a hostname to the PIX.
• interface – Configures the type and capability of each perimeter interface.
• nameif – Assigns a name to each perimeter interface.
• ip address – Assigns an IP address to each interface.
• security level – Assigns the security level for the perimeter interface.
• speed – Assigns the connection speed.
• duplex – Assigns the duplex mode.
Additional Commands
• nat-control – Enables or disables the NAT configuration requirement.
– If nat-control is enabled, you must configure a NAT rule before an inside host can communicate with any outside network.
• nat – Shields IP addresses on the inside network from the outside network.
• global – Creates a pool of one or more IP addresses for use in NAT and PAT.
• route – Defines a static or default route for an interface.
Module 3 – Security Devices
3.5 PIX Security Appliance Translations and Connections
UDP
NAT
NAT substitutes the local address on a packet with a global address that is routable on the destination network.
If you want to enforce a NAT policy that requires hosts on a higher security interface (inside) to use NAT when communicating with a lower security interface (outside), you can enable NAT control.
Access through the PIX Security
Appliance
PAT - Many-to-one NAT
Static Translation
Identity NAT – nat 0
The nat 0 command lets administrators disable address translation so that inside IP addresses are visible on the outside without address translation.
nat 0 (identity NAT) command is that identity NAT requires that traffic be initiated from the local host.
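The commands from the Basic Commands, Additional Commands, Security Levels and NAT slides above, combined into one minimal configuration as an added example (it is not from the course slides or from Cisco; the hostname, interface names, addresses and the OUTSIDE_IN list name are made up, and the syntax is the PIX 7.x style in which security-level and nat-control are separate commands):

```cisco
hostname pix-lab
!
! Perimeter interfaces: name, security level, address, speed and duplex.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
 speed 100
 duplex full
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 speed 100
 duplex full
!
! With nat-control, an inside host needs a matching nat, static or
! identity-NAT rule before it can reach the outside at all.
nat-control
!
! Identity NAT (nat 0): 10.0.1.0/24 keeps its real addresses on the outside.
! Only connections initiated from these inside hosts are possible.
nat (inside) 0 10.0.1.0 255.255.255.0
!
! Dynamic PAT: every other inside host shares the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Static one-to-one translation for a web server that must accept
! outside-initiated connections. The security-level rule still drops
! outside-to-inside traffic, so an inbound ACL has to permit it explicitly.
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq www
access-group OUTSIDE_IN in interface outside
!
! Default route to the upstream gateway, and a static route to the
! 10.0.1.0/24 segment behind an inside router (made-up next hop).
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 10.0.1.0 255.255.255.0 10.0.0.254 1
```

Everything not matched by the static or the identity-NAT rule falls through to PAT, and any outside-initiated flow to a PAT or nat 0 address has no translation slot to match, which is the limitation the slide describes.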
Multiple Interfaces
Module 3 – Security Devices
3.6 Manage a PIX Security Appliance with Adaptive Security Device Manager
Adaptive Security Device Manager (ASDM)
ASDM Compatibility
ASDM Home Window
Module 3 – Security Devices
3.7 PIX Security Appliance Routing Capabilities
VLANs
With PIX Security Appliance Software Version 6.3 and higher, the administrator can assign VLANs to physical interfaces on the PIX or configure multiple logical interfaces on a single physical interface and assign each logical interface to a specific VLAN.
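One way to carry two VLAN-tagged DMZ segments on a single physical interface, as an added example that is not from the course slides: it uses the PIX/ASA 7.x subinterface syntax rather than the 6.3 logical-interface syntax the slide refers to, and the interface, VLAN IDs, names, addresses and security levels are made up. Giving the two segments different security levels means the same-security-level rule does not apply between them: traffic from webdmz (50) to maildmz (40) is allowed by default, while the reverse direction needs an access-list.

```cisco
! Physical port acting as an 802.1Q trunk; it carries no name, level or
! address of its own, only the tagged subinterfaces below.
interface Ethernet2
 no nameif
 no security-level
 no ip address
!
! Logical interface for VLAN 10: web DMZ, security level 50.
interface Ethernet2.10
 vlan 10
 nameif webdmz
 security-level 50
 ip address 10.0.10.1 255.255.255.0
!
! Logical interface for VLAN 20: mail DMZ, security level 40.
interface Ethernet2.20
 vlan 20
 nameif maildmz
 security-level 40
 ip address 10.0.20.1 255.255.255.0
```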
Static Routes
Routing with RIP
The clear rip command removes all the rip commands from the configuration.
Routing with OSPF
Multicast Routing
Module 3 – Security Devices
3.8 Firewall Services Module Operation
Firewall Services Module (FWSM)
–Designed for high-end enterprise and service providers
–Runs in Catalyst 6500 switches and 7600 Series routers
–Based on PIX Security Appliance technology
–PIX Security Appliance 6.0 feature set (some 6.2)
–1 million simultaneous connections
–Over 100,000 connections per second
–5 Gbps throughput
–Up to 4 can be stacked in a chassis, providing 20 Gbps throughput
–1 GB DRAM
–Supports 100 VLANs
–Supports failover
FWSM in the Catalyst 6500 Switch
[Diagram: chassis with slots 1-9 (top to bottom) holding the supervisor engine, redundant supervisor engine, 48-port 10/100 Ethernet module, switch fabric module, 16-port GBIC module and FWSM; fan assembly, power supplies 1 and 2, ESD ground strap connector]
FWSM in the Cisco 7609 Internet Router
[Diagram: chassis with slots 1-9 (right to left) holding the supervisor engine, switch fabric module and FWSM; fan assembly, power supplies 1 and 2, ESD ground strap connection]