• Publisher: Cisco Press
• Year published: 2014
• ISBN: 9781587143076
• Number of pages: 1248
• Binding: Paperback
Shipping: Unavailable
List price: 277.00 PLN (gross)

Description: Cisco ASA - Omar Santos, Jazib Frahim, Andrew Ossipov

Cisco® ASA All-in-One Next-Generation Firewall, IPS, and VPN Services, Third Edition

Identify, mitigate, and respond to today's highly sophisticated network attacks.

Today, network attackers are far more sophisticated, relentless, and dangerous. In response, Cisco ASA: All-in-One Next-Generation Firewall, IPS, and VPN Services has been fully updated to cover the newest techniques and Cisco technologies for maximizing end-to-end security in your environment. Three leading Cisco security experts guide you through every step of creating a complete security plan with Cisco ASA, and then deploying, configuring, operating, and troubleshooting your solution.

Fully updated for today's newest ASA releases, this edition adds new coverage of ASA 5500-X, ASA 5585-X, ASA Services Module, ASA next-generation firewall services, EtherChannel, Global ACLs, clustering, IPv6 improvements, IKEv2, AnyConnect Secure Mobility VPN clients, and more. The authors explain significant recent licensing changes, introduce enhancements to ASA IPS, and walk you through configuring IPsec, SSL VPN, and NAT/PAT. You'll learn how to apply Cisco ASA adaptive identification and mitigation services to systematically strengthen security in network environments of all sizes and types. The authors present up-to-date sample configurations, proven design scenarios, and actual debugs, all designed to help you make the most of Cisco ASA in your rapidly evolving network.

About the authors:

Jazib Frahim, CCIE® No. 5459 (Routing and Switching; Security), Principal Engineer in the Global Security Solutions team, guides top-tier Cisco customers in security-focused network design and implementation. He architects, develops, and launches new security services concepts. His books include Cisco SSL VPN Solutions and Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting.

Omar Santos, CISSP No. 463598, Cisco Product Security Incident Response Team (PSIRT) technical leader, leads and mentors engineers and incident managers in investigating and resolving vulnerabilities in Cisco products and protecting Cisco customers. Through 18 years in IT and cybersecurity, he has designed, implemented, and supported numerous secure networks for Fortune® 500 companies and the U.S. government. He is also the author of several other books and numerous whitepapers and articles.

Andrew Ossipov, CCIE® No. 18483 and CISSP No. 344324, is a Cisco Technical Marketing Engineer focused on firewalls, intrusion prevention, and data center security. Drawing on more than 16 years in networking, he works to solve complex customer technical problems, architect new features and products, and define future directions for Cisco's product portfolio. He holds several pending patents.

What you will learn:

• Understand, install, configure, license, maintain, and troubleshoot the newest ASA devices
• Efficiently implement Authentication, Authorization, and Accounting (AAA) services
• Control and provision network access with packet filtering, context-aware Cisco ASA next-generation firewall services, and new NAT/PAT concepts
• Configure IP routing, application inspection, and QoS
• Create firewall contexts with unique configurations, interfaces, policies, routing tables, and administration
• Enable integrated protection against many types of malware and advanced persistent threats (APTs) via Cisco Cloud Web Security and Cisco Security Intelligence Operations (SIO)
• Implement high availability with failover and elastic scalability with clustering
• Deploy, troubleshoot, monitor, tune, and manage Intrusion Prevention System (IPS) features
• Implement site-to-site IPsec VPNs and all forms of remote-access VPNs (IPsec, clientless SSL, and client-based SSL)
• Configure and troubleshoot Public Key Infrastructure (PKI)
• Use IKEv2 to more effectively resist attacks against VPNs
• Leverage IPv6 support for IPS, packet inspection, transparent firewalls, and site-to-site IPsec VPNs

Table of contents (page numbers refer to the book):

Introduction

• Chapter 1 Introduction to Security Technologies 1: Firewalls 2; Network Firewalls 2; Packet-Filtering Techniques 2; Application Proxies 3; Network Address Translation 3; Stateful Inspection Firewalls 6; Demilitarized Zones (DMZ) 7; Deep Packet Inspection 8; Next-Generation Context-Aware Firewalls 8; Personal Firewalls 9; Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) 9; Pattern Matching and Stateful Pattern-Matching Recognition 11; Protocol Analysis 12; Heuristic-Based Analysis 12; Anomaly-Based Analysis 12; Global Threat Correlation Capabilities 14; Virtual Private Networks 14; Technical Overview of IPsec 16; IKEv1 Phase 1 16; IKEv1 Phase 2 20; IKEv2 23; SSL VPNs 23; Cisco AnyConnect Secure Mobility 25; Cloud and Virtualization Security 26
• Chapter 2 Cisco ASA Product and Solution Overview 29: Cisco ASA Model Overview 30; Cisco ASA 5505 Model 31; Cisco ASA 5510 Model 35; Cisco ASA 5512-X Model 38; Cisco ASA 5515-X Model 40; Cisco ASA 5520 Model 41; Cisco ASA 5525-X Model 42; Cisco ASA 5540 Model 43; Cisco ASA 5545-X Model 44; Cisco ASA 5550 Model 45; Cisco ASA 5555-X Model 46; Cisco ASA 5585-X Models 47; Cisco Catalyst 6500 Series ASA Services Module 51; Cisco ASA 1000V Cloud Firewall 52; Cisco ASA Next-Generation Firewall Services (Formerly Cisco ASA CX) 53; Cisco ASA AIP-SSM Module 53; Cisco ASA AIP-SSM-10 54; Cisco ASA AIP-SSM-20 54; Cisco ASA AIP-SSM-40 54; Cisco ASA Gigabit Ethernet Modules 55; Cisco ASA SSM-4GE 55; Cisco ASA 5580 Expansion Cards 56; Cisco ASA 5500-X Series 6-Port GE Interface Cards 57
• Chapter 3 Licensing 59: Licensed Features on ASA 59; Basic Platform Capabilities 61; Advanced Security Features 63; Tiered Capacity Features 65; Displaying License Information 66; Managing Licenses with Activation Keys 68; Permanent and Time-Based Activation Keys 68; Combining Keys 69; Time-Based Key Expiration 70; Using Activation Keys 71; Combined Licenses in Failover and Clustering 73; License Aggregation Rules 73; Aggregated Time-Based License Countdown 75; Shared Premium VPN Licensing 75; Shared Server and Participants 76; Shared License 76; Shared Licensing Operation 76; Configuring Shared Licensing 78; Licensing Server 78; Participants 79; Backup Licensing Server 79; Monitoring Shared Licensing Operation 80
• Chapter 4 Initial Setup 81: Accessing the Cisco ASA Appliances 81; Establishing a Console Connection 82; Command-Line Interface 85; Managing Licenses 87; Initial Setup 90; Initial Setup via CLI 90; Initial Setup of ASDM 92; Uploading ASDM 92; Setting Up the Appliance 93; Accessing ASDM 94; Functional Screens of ASDM 97; Device Setup 100; Setting Up a Device Name and Passwords 100; Configuring an Interface 102; Configuring a Data-Passing Interface 102; Configuring a Subinterface 106; Configuring an EtherChannel Interface 109; Configuring a Management Interface 111; DHCP Services 112; Setting Up the System Clock 114; Manual Clock Adjustment 114; Time Zone 114; Date 116; Time 116; Automatic Clock Adjustment Using the Network Time Protocol 116
• Chapter 5 System Maintenance 119: Configuration Management 119; Running Configuration 119; Startup Configuration 123; Removing the Device Configuration 124; Remote System Management 126; Telnet 126; Secure Shell (SSH) 129; System Maintenance 132; Software Installation 132; Image Upgrade via Cisco ASDM 132; Image Upgrade via the Cisco ASA CLI 133; Image Upload Using ROMMON 136; Password Recovery Process 137; Disabling the Password Recovery Process 141; System Monitoring 144; System Logging 144; Enabling Logging 146; Defining Event List 147; Logging Types 149; Defining a Syslog Server 153; Defining an Email Server 154; Storing Logs Internally and Externally 154; Syslog Message ID Tuning 156; NetFlow Secure Event Logging (NSEL) 156; Step 1: Define a NetFlow Collector 157; Step 2: Define a NetFlow Export Policy 159; Simple Network Management Protocol (SNMP) 160; Configuring SNMP 161; SNMP Monitoring 164; Device Monitoring and Troubleshooting 165; CPU and Memory Monitoring 165; Troubleshooting Device Issues 168; Troubleshooting Packet Issues 168; Troubleshooting CPU Issues 172
• Chapter 6 Cisco ASA Services Module 173: Cisco ASA Services Module Overview 173; Hardware Architecture 174; Host Chassis Integration 175; Managing Host Chassis 176; Assigning VLAN Interfaces 177; Monitoring Traffic Flow 178; Common Deployment Scenarios 180; Internal Segment Firewalling 181; Edge Protection 182; Trusted Flow Bypass with Policy Based Routing 183; Traffic Flow 185; Sample PBR Configuration 185
• Chapter 7 Authentication, Authorization, and Accounting (AAA) Services 191: AAA Protocols and Services Supported by Cisco ASA 192; RADIUS 194; TACACS+ 195; RSA SecurID 196; Microsoft Windows NTLM 197; Active Directory and Kerberos 197; Lightweight Directory Access Protocol 197; Defining an Authentication Server 198; Configuring Authentication of Administrative Sessions 204; Authenticating Telnet Connections 204; Authenticating SSH Connections 206; Authenticating Serial Console Connections 207; Authenticating Cisco ASDM Connections 208; Authenticating Firewall Sessions (Cut-Through Proxy Feature) 209; Authentication Timeouts 214; Customizing Authentication Prompts 214; Configuring Authorization 215; Command Authorization 217; Configuring Downloadable ACLs 218; Configuring Accounting 219; RADIUS Accounting 220; TACACS+ Accounting 221; Troubleshooting Administrative Connections to Cisco ASA 222; Troubleshooting Firewall Sessions (Cut-Through Proxy) 225; ASDM and CLI AAA Test Utility 226
• Chapter 8 Controlling Network Access: The Traditional Way 229: Packet Filtering 229; Types of ACLs 232; Standard ACLs 233; Extended ACLs 233; EtherType ACLs 233; Webtype ACLs 234; Comparing ACL Features 234; Through-the-Box-Traffic Filtering 235; To-the-Box-Traffic Filtering 240; Advanced ACL Features 243; Object Grouping 243; Object Types 243; Configuration of Object Types 245; Object Grouping and ACLs 248; Standard ACLs 250; Time-Based ACLs 251; Downloadable ACLs 254; ICMP Filtering 254; Deployment Scenario for Traffic Filtering 255; Using ACLs to Filter Inbound Traffic 255; Configuration Steps with ASDM 257; Configuration Steps with CLI 259; Monitoring Network Access Control 260; Monitoring ACLs 260
• Chapter 9 Implementing Next-Generation Firewall Services with ASA CX 267: CX Integration Overview 268; Logical Architecture 269; Hardware Modules 270; Software Modules 271; High Availability 272; ASA CX Architecture 273; Data Plane 274; Eventing and Reporting 275; User Identity 275; TLS Decryption Proxy 276; HTTP Inspection Engine 276; Application Inspection Engine 276; Management Plane 276; Control Plane 276; Preparing ASA CX for Configuration 277; Managing ASA CX with PRSM 282; Using PRSM 283; Configuring User Accounts 286; CX Licensing 288; Component and Software Updates 290; Signatures and Engines 290; System Software 291; Configuration Database Backup 292; Defining CX Policy Elements 293; Network Groups 295; Identity Objects 296; URL Objects 298; User Agent Objects 299; Application Objects 299; Secure Mobility Objects 300; Interface Roles 301; Service Objects 302; Application-Service Objects 303; Source Object Groups 304; Destination Object Groups 305; File Filtering Profiles 306; Web Reputation Profiles 306; NG IPS Profiles 307; Enabling User Identity Services 309; Configuring Directory Servers 310; Connecting to AD Agent or CDA 312; Tuning Authentication Settings 313; Defining User Identity Discovery Policy 314; Enabling TLS Decryption 316; Configuring Decryption Settings 318; Defining a Decryption Policy 320; Enabling NG IPS 323; Defining Context-Aware Access Policies 324; Configuring ASA for CX Traffic Redirection 327; Monitoring ASA CX 329; Dashboard Reports 329; Connection and System Events 331; Packet Captures 332
• Chapter 10 Network Address Translation 337: Types of Address Translation 338; Network Address Translation 338; Port Address Translation 340; Address Translation Methods 341; Static NAT/PAT 341; Dynamic NAT/PAT 343; Policy NAT/PAT 344; Identity NAT 344; Security Protection Mechanisms Within Address Translation 345; Randomization of Sequence Numbers 345; TCP Intercept 346; Understanding Address Translation Behavior 346; Address Translation Behavior Prior to Version 8.3 346; Packet Flow Sequence in Pre-8.3 Version 347; NAT Order of Operation for Pre-8.3 Versions 348; Redesigning Address Translation (Version 8.3 and Later) 349; NAT Modes in Version 8.3 and Later 349; NAT Order of Operation for Version 8.3 and Later 350; Configuring Address Translation 350; Auto NAT Configuration 351; Available Auto NAT Settings 351; Auto NAT Configuration Example 353; Manual NAT Configuration 356; Available Manual NAT Settings 356; Manual NAT Configuration Example 357; Integrating ACLs and NAT 359; Pre-8.3 Behavior for NAT and ACL Integration 359; Behavior of NAT and ACL Integration in Version 8.3 and Later 361; Configuration Use Cases 362; Use Case 1: Dynamic PAT for Inside Network with Static NAT for a DMZ Web Server 363; Use Case 2: Static PAT for a Web Server Located on the DMZ Network 364; Use Case 3: Static NAT for Overlapping Subnets Using Twice NAT 366; Use Case 4: Identity NAT for Site-to-Site VPN Tunnel 367; Use Case 5: Dynamic PAT for Remote-Access VPN Clients 369; DNS Doctoring 372; Monitoring Address Translations 375
• Chapter 11 IPv6 Support 379: IP Version 6 Introduction 379; IPv6 Header 380; Supported IPv6 Address Types 381; Global Unicast Address 382; Site-Local Address 382; Link-Local Address 382; Configuring IPv6 382; IP Address Assignment 383; IPv6 DHCP Relay 384; Optional IPv6 Parameters 385; Neighbor Solicitation Messages 385; Neighbor Reachable Time 385; Router Advertisement Transmission Interval 385; Setting Up an IPv6 ACL 386; IPv6 Address Translation 389
• Chapter 12 IP Routing 391: Configuring Static Routes 392; Static Route Monitoring 395; Displaying the Routing Table 399; RIP 400; Configuring RIP 401; RIP Authentication 403; RIP Route Filtering 406; Configuring RIP Redistribution 409; Troubleshooting RIP 409; Scenario 1: RIP Version Mismatch 410; Scenario 2: RIP Authentication Mismatch 411; Scenario 3: Multicast or Broadcast Packets Blocked 411; OSPF 412; Configuring OSPF 413; Enabling OSPF 414; OSPF Virtual Links 419; Configuring OSPF Authentication 422; Configuring OSPF Redistribution 426; Stub Areas and NSSAs 428; OSPF Type 3 LSA Filtering 429; OSPF neighbor Command and Dynamic Routing over a VPN Tunnel 431; OSPFv3 433; Troubleshooting OSPF 433; Useful Troubleshooting Commands 433; Mismatched Areas 440; OSPF Authentication Mismatch 440; Troubleshooting Virtual Link Problems 440; EIGRP 441; Configuring EIGRP 441; Enabling EIGRP 441; Configuring Route Filtering for EIGRP 445; EIGRP Authentication 447; Defining Static EIGRP Neighbors 448; Route Summarization in EIGRP 448; Split Horizon 450; Route Redistribution in EIGRP 450; Controlling Default Information 453; Troubleshooting EIGRP 454; Useful Troubleshooting Commands 454; Scenario 1: Link Failures 458; Scenario 2: Misconfigured Hello and Hold Intervals 459; Scenario 3: Misconfigured Authentication Parameters 462
• Chapter 13 Application Inspection 465: Enabling Application Inspection 468; Selective Inspection 469; CTIQBE Inspection 473; DCERPC Inspection 476; DNS Inspection 476; ESMTP Inspection 481; File Transfer Protocol 484; General Packet Radio Service Tunneling Protocol 486; GTPv0 487; GTPv1 489; Configuring GTP Inspection 490; H.323 492; H.323 Protocol Suite 493; H.323 Version Compatibility 495; Enabling H.323 Inspection 496; Direct Call Signaling and Gatekeeper Routed Control Signaling 499; T.38 499; Cisco Unified Communications Advanced Support 499; Phone Proxy 500; TLS Proxy 505; Mobility Proxy 506; Presence Federation Proxy 506; HTTP 507; Enabling HTTP Inspection 507; strict-http Command 510; content-length Command 510; content-type-verification Command 511; max-header-length Command 511; max-uri-length Command 512; port-misuse Command 512; request-method Command 513; transfer-encoding type Command 515; ICMP 515; ILS 516; Instant Messenger (IM) 517; IPsec Pass-Through 518; MGCP 519; NetBIOS 521; PPTP 522; Sun RPC 522; RSH 523; RTSP 523; SIP 524; Skinny (SCCP) 525; SNMP 527; SQL*Net 528; TFTP 528; WAAS 528; XDMCP 529
• Chapter 14 Virtualization 531: Architectural Overview 533; System Execution Space 533; Admin Context 535; User Context 535; Packet Classification 538; Packet Classification Criteria 538; Destination IP Address 539; Unique MAC Address 540; Packet Flow in Multiple Mode 541; Forwarding Without a Shared Interface 541; Forwarding with a Shared Interface 542; Configuration of Security Contexts 544; Step 1: Enable Multiple Security Contexts Globally 544; Step 2: Set Up the System Execution Space 547; Step 3: Configure Interfaces 549; Step 4: Specify a Configuration URL 550; Step 5: Configure an Admin Context 552; Step 6: Configure a User Context 553; Step 7: Manage the Security Contexts (Optional) 554; Step 8: Resource Management (Optional) 555; Step 1: Define a Resource Class 556; Step 2: Map the Resource Class to a Context 558; Deployment Scenarios 559; Virtual Firewall with Non-Shared Interfaces 559; Configuration Steps with ASDM 561; Configuration Steps with CLI 569; Virtual Firewall with a Shared Interface 572; Configuration Steps with ASDM 574; Configuration Steps Using CLI 582; Monitoring and Troubleshooting the Security Contexts 586; Monitoring 586; Troubleshooting 588; Security Contexts Are Not Added 588; Security Contexts Are Not Saved on the Local Disk 588; Security Contexts Are Not Saved on the FTP Server 589; User Having Connectivity Issues When Shared Security Contexts Are Used 590
• Chapter 15 Transparent Firewalls 591: Architectural Overview 594; Single-Mode Transparent Firewalls 594; Packet Flow in an SMTF 595; Multimode Transparent Firewalls 597; Packet Flow in an MMTF 597; Restrictions When Using Transparent Firewalls 599; Transparent Firewalls and VPNs 599; Transparent Firewalls and NAT 600; Configuration of Transparent Firewalls 602; Configuration Guidelines 602; Configuration Steps 603; Step 1: Enable Transparent Firewalls 603; Step 2: Set Up Interfaces 604; Step 3: Configure an IP Address 605; Step 4: Set Up Routes 606; Step 5: Configure Interface ACLs 608; Step 6: Configure NAT (Optional) 611; Step 7: Add Static L2F Table Entries (Optional) 612; Step 8: Enable ARP Inspection (Optional) 613; Step 9: Modify L2F Table Parameters (Optional) 615; Deployment Scenarios 616; SMTF Deployment 617; Configuration Steps Using ASDM 618; Configuration Steps Using CLI 622; MMTF Deployment with Security Contexts 623; Configuration Steps Using ASDM 625; Configuration Steps Using CLI 632; Monitoring and Troubleshooting Transparent Firewalls 636; Monitoring 636; Troubleshooting 637; Hosts Are Not Able to Communicate 637; Moved Host Is Not Able to Communicate 639; General Syslogging 640
• Chapter 16 High Availability 641: Redundant Interfaces 642; Using Redundant Interfaces 642; Deployment Scenarios 643; Configuration and Monitoring 644; Static Route Tracking 646; Configuring Static Routes with an SLA Monitor 647; Floating Connection Timeout 649; Sample Backup ISP Deployment 649; Failover 652; Unit Roles and Functions in Failover 652; Stateful Failover 653; Active/Standby and Active/Active Failover 654; Failover Hardware and Software Requirements 656; Zero Downtime Upgrade in Failover 657; Failover Licensing 658; Failover Interfaces 658; Stateful Link 659; Failover Link Security 659; Data Interface Addressing 660; Asymmetric Routing Groups 662; Failover Health Monitoring 664; State and Role Transition 666; Configuring Failover 667; Basic Failover Settings 668; Data Interface Configuration 671; Failover Policies and Timers 673; Active/Active Failover 674; Monitoring and Troubleshooting Failover 678; Active/Standby Failover Deployment Scenario 680; Clustering 685; Unit Roles and Functions in Clustering 685; Master and Slave Units 685; Flow Owner 686; Flow Director 686; Flow Forwarder 687; Clustering Hardware and Software Requirements 687; Zero Downtime Upgrade in Clustering 688; Unsupported Features 689; Cluster Licensing 690; Control and Data Interfaces 690; Spanned EtherChannel Mode 693; Individual Mode 695; Cluster Management 697; Cluster Health Monitoring 697; Network Address Translation 698; Performance 700; Centralized Features 701; Scaling Factors 701; Packet Flow 702; TCP Connection Processing 702; UDP Connection Processing 703; Centralized Connection Processing 705; State Transition 705; Configuring Clustering 706; Setting Interface Mode 707; Management Access for ASDM Deployment 708; Building a Cluster 710; Data Interface Configuration 714; Monitoring and Troubleshooting Clustering 717; Spanned EtherChannel Cluster Deployment Scenario 720
• Chapter 17 Implementing Cisco ASA Intrusion Prevention System (IPS) 733: IPS Integration Overview 733; IPS Logical Architecture 735; IPS Hardware Modules 735; IPS Software Modules 736; Inline and Promiscuous Modes 737; IPS High Availability 739; Cisco IPS Software Architecture 739; MainApp 741; AuthenticationApp 741; Attack Response Controller 742; cipsWebserver 742; Logger 742; CtlTransSource 743; NotificationApp 743; SensorApp 743; CollaborationApp 744; EventStore 744; Preparing ASA IPS for Configuration 744; Installing CIPS System Software 744; Accessing CIPS from the ASA CLI 747; Configuring Basic Management Settings 748; Setting Up ASDM for IPS Management 752; Installing the CIPS License Key 752


Details: Cisco ASA - Omar Santos, Jazib Frahim, Andrew Ossipov

Title: Cisco ASA
Author: Omar Santos, Jazib Frahim, Andrew Ossipov
Publisher: Cisco Press
ISBN: 9781587143076
Year published: 2014
Number of pages: 1248
Binding: Paperback
Weight: 2 kg


Reviews: Cisco ASA - Omar Santos, Jazib Frahim, Andrew Ossipov
