Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
By Jazib Frahim - CCIE No. 5459, Omar Santos
Publisher: Cisco Press
Pub Date: October 21, 2005
ISBN: 1-58705-209-1
Pages: 840
Table of Contents | Index

The definitive insider's guide to planning, installing, configuring, and maintaining the new Cisco Adaptive Security Appliance

- Delivers expert guidance from Cisco TAC engineers for securing small and medium business networks with the newly released Cisco all-in-one network security solution
- Covers the latest PIX Version 7 OS
- Incorporates detailed configuration examples with screenshots and command line references
- Covers unified firewall, IPS, and VPN management

Achieving maximum network security has been a challenge for many organizations, especially those that cannot afford to purchase, master, and maintain a separate security device such as a PIX or IPS system for each and every security need. To better meet the needs of these customers, Cisco Systems recently launched an all-in-one security solution called ASA that aims to offer a more affordable and simplified security solution. Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance introduces this new suite of converged security appliances and provides a complete configuration and troubleshooting guide from the Technical Assistance Center (TAC) experts at Cisco Systems. This book brings together expert guidance for virtually every challenge the reader will face, from building basic network security policies to advanced VPN and IPS implementations. This book has five parts, which contain three technology-based sections: Firewall, IPS, and VPN. Each section comprises many sample configurations, accompanied by in-depth analysis of design scenarios. Learning is further enhanced by discussing a set of debugs included in each section. Ground-breaking features like WebVPN and virtual and Layer 2 firewalls are discussed extensively.
Table of Contents
Copyright
About the Authors
About the Technical Reviewers
Acknowledgments
Foreword
Icons Used in This Book
Command Syntax Conventions
Introduction
    Who Should Read This Book
    How This Book Is Organized
Part I: Product Overview
    Chapter 1. Introduction to Network Security
        Firewall Technologies
        Intrusion Detection and Prevention Technologies
        Network-Based Attacks
        Virtual Private Networks
        Summary
    Chapter 2. Product History
        Cisco Firewall Products
        Cisco IDS Products
        Cisco VPN Products
        Cisco ASA All-in-One Solution
        Summary
    Chapter 3. Hardware Overview
        Cisco ASA 5510 Model
        Cisco ASA 5520 Model
        Cisco ASA 5540 Model
        AIP-SSM Modules
        Summary
Part II: Firewall Solution
    Chapter 4. Initial Setup and System Maintenance
        Accessing the Cisco ASA Appliances
        Managing Licenses
        Initial Setup
        IP Version 6
        Setting Up the System Clock
        Configuration Management
        Remote System Management
        System Maintenance
        System Monitoring
        Summary
    Chapter 5. Network Access Control
        Packet Filtering
        Advanced ACL Features
        Content and URL Filtering
        Deployment Scenarios Using ACLs
        Monitoring Network Access Control
        Understanding Address Translation
        DNS Doctoring
        Monitoring Address Translations
        Summary
    Chapter 6. IP Routing
        Configuring Static Routes
        RIP
        OSPF
        IP Multicast
        Deployment Scenarios
        Summary
    Chapter 7. Authentication, Authorization, and Accounting (AAA)
        AAA Protocols and Services Supported by Cisco ASA
        Defining an Authentication Server
        Configuring Authentication of Administrative Sessions
        Authenticating Firewall Sessions (Cut-Through Proxy Feature)
        Configuring Authorization
        Configuring Accounting
        Deployment Scenarios
        Troubleshooting AAA
        Summary
    Chapter 8. Application Inspection
        Enabling Application Inspection Using the Modular Policy Framework
        Selective Inspection
        Computer Telephony Interface Quick Buffer Encoding Inspection
        Domain Name System
        Extended Simple Mail Transfer Protocol
        File Transfer Protocol
        General Packet Radio Service Tunneling Protocol
        H.323
        HTTP
        ICMP
        ILS
        MGCP
        NetBIOS
        PPTP
        Sun RPC
        RSH
        RTSP
        SIP
        Skinny
        SNMP
        SQL*Net
        TFTP
        XDMCP
        Deployment Scenarios
        Summary
    Chapter 9. Security Contexts
        Architectural Overview
        Configuration of Security Contexts
        Deployment Scenarios
        Monitoring and Troubleshooting the Security Contexts
        Summary
    Chapter 10. Transparent Firewalls
        Architectural Overview
        Transparent Firewalls and VPNs
        Configuration of Transparent Firewall
        Deployment Scenarios
        Monitoring and Troubleshooting the Transparent Firewall
        Summary
    Chapter 11. Failover and Redundancy
        Architectural Overview
        Failover Configuration
        Deployment Scenarios
        Monitoring and Troubleshooting Failovers
        Summary
    Chapter 12. Quality of Service
        Architectural Overview
        Configuring Quality of Service
        QoS Deployment Scenarios
        Monitoring QoS
        Summary
Part III: Intrusion Prevention System (IPS) Solution
    Chapter 13. Intrusion Prevention System Integration
        Adaptive Inspection and Prevention Security Services Module (AIP-SSM) Overview
        Directing Traffic to the AIP-SSM
        AIP-SSM Module Software Recovery
        Additional IPS Features
        Summary
    Chapter 14. Configuring and Troubleshooting Cisco IPS Software via CLI
        Cisco IPS Software Architecture
        Introduction to the CIPS 5.x Command-Line Interface
        User Administration
        AIP-SSM Maintenance
        Advanced Features and Configuration
        Summary
Part IV: Virtual Private Network (VPN) Solution
    Chapter 15. Site-to-Site IPSec VPNs
        Preconfiguration Checklist
        Configuration Steps
        Advanced Features
        Optional Commands
        Deployment Scenarios
        Monitoring and Troubleshooting Site-to-Site IPSec VPNs
        Summary
    Chapter 16. Remote Access VPN
        Cisco IPSec Remote Access VPN Solution
        Advanced Cisco IPSec VPN Features
        Deployment Scenarios of Cisco IPSec VPN
        Monitoring and Troubleshooting Cisco Remote Access VPN
        Cisco WebVPN Solution
        Advanced WebVPN Features
        Deployment Scenarios of WebVPN
        Monitoring and Troubleshooting WebVPN
        Summary
    Chapter 17. Public Key Infrastructure (PKI)
        Introduction to PKI
        Enrolling the Cisco ASA to a CA Using SCEP
        Manual (Cut-and-Paste) Enrollment
        Configuring CRL Options
        Configuring IPSec Site-to-Site Tunnels Using Certificates
        Configuring the Cisco ASA to Accept Remote-Access VPN Clients Using Certificates
        Troubleshooting PKI
        Summary
Part V: Adaptive Security Device Manager
    Chapter 18. Introduction to ASDM
        Setting Up ASDM
        Initial Setup
        Functional Screens
        Interface Management
        System Clock
        Configuration Management
        Remote System Management
        System Maintenance
        System Monitoring
        Summary
    Chapter 19. Firewall Management Using ASDM
        Access Control Lists
        Address Translation
        Routing Protocols
        AAA
        Application Inspection
        Security Contexts
        Transparent Firewalls
        Failover
        QoS
        Summary
    Chapter 20. IPS Management Using ASDM
        Accessing the IPS Device Management Console from ASDM
        Configuring Basic AIP-SSM Settings
        Advanced IPS Configuration and Monitoring Using ASDM
        Summary
    Chapter 21. VPN Management Using ASDM
        Site-to-Site VPN Setup Using Preshared Keys
        Site-to-Site VPN Setup Using PKI
        Cisco Remote-Access IPSec VPN Setup
        WebVPN
        VPN Monitoring
        Summary
    Chapter 22. Case Studies
        Case Study 1: Deploying the Cisco ASA at Branch Offices and Small Businesses
        Case Study 2: Large Enterprise Firewall, VPN, and IPS Deployment
        Case Study 3: Data Center Security with Cisco ASA
        Summary
Index
Copyright
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
Jazib Frahim, Omar Santos
Copyright © 2006 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing October 2005
Library of Congress Cataloging-in-Publication Number: 2004108505

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
This book is designed to provide information about Cisco ASA. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.

Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales.
For more information please contact: U.S. Corporate and Government Sales 1-800-382-3419
For sales outside the U.S. please contact: International Sales

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at
Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.

Publisher: John Wait
Editor-in-Chief: John Kane
Executive/Acquisitions Editor: Brett Bartow
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Bradley
Production Manager: Patrick Kanouse
Development Editor: Sheri Cain
Project Editor: Marc Fowler
Copy Editor: Bill McManus
Technical Editors: David White, Jr., Andrew Yourtchenko, and Wen Zhang
Team Coordinator: Tammi Barnett
Cover Designer: Louisa Adair
Composition: Interactive Composition Corporation
Indexer: Tim Wright

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
Capital Tower
168 Robinson Road
#22-01 to #29-01
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices.
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)
Printed in the USA
Dedications
I would like to dedicate this book to my parents, Frahim and Perveen, who support and encourage me on all of my endeavors. I would also like to dedicate it to my siblings, including my brother Shazib and my sisters Erum and Sana, my sister-in-law Asiya, and my cute nephew Shayan for their patience and understanding during the development of this book.
Jazib Frahim

I would like to dedicate this book to my lovely wife Jeannette, who has always stood by me and supported me throughout the development of this book. I also dedicate this book to my two beautiful children, Hannah and Derek.
Omar Santos
About the Authors
Jazib Frahim, CCIE No. 5459, has been with Cisco Systems for more than 6 years. With a bachelor's degree in computer engineering from the Illinois Institute of Technology, he started out as a TAC engineer on the LAN Switching team. He then moved to the TAC Security team, where he acted as a technical leader for the security products. He led a team of 20 engineers in resolving complicated security and VPN technology issues. He is currently working as a Senior Network Security Engineer in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus in network security. He holds two CCIEs, one in Routing and Switching and the other in Security. He has written numerous Cisco online technical documents and has been an active member on Cisco's online forum, NetPro. He has presented at Networkers on multiple occasions and has taught many onsite and online courses to Cisco customers, partners, and employees. He is also pursuing a master of business administration (MBA) degree from North Carolina State University.

Omar Santos is a Senior Network Security Engineer in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He has more than 12 years of experience in secure data communications. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and Department of Defense (DoD). He is also the author of many Cisco online technical documents and configuration guidelines. Prior to his current role, he was a technical leader of Cisco's Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within the organization. He is an active member of the InfraGard organization. InfraGard is a cooperative undertaking between the Federal Bureau of Investigation and an association of businesses, academic institutions, state and local law enforcement agencies, and other participants that is dedicated to increasing the security of the critical infrastructures of the United States of America. Omar has also delivered numerous technical presentations to Cisco customers, partners, and other organizations.
About the Technical Reviewers
David White, Jr., CCIE No. 12021, has more than 9 years of networking experience with a focus in network security. He is currently a Technical Leader in the Cisco TAC, where he has been for over 5 years. In his role at Cisco, he is involved in new product design and implementation and is an active participant in producing Cisco documentation, both online and in print. David holds a CCIE in Security, and is also NSA IAM certified. Prior to joining Cisco, David worked for the U.S. government, where he helped secure its worldwide communications network. He was born and raised in St. Petersburg, Florida, and received his bachelor's degree in computer engineering from the Georgia Institute of Technology.

Andrew Yourtchenko, CCIE No. 5423, is a Customer Support Engineer working in the security area in the Cisco Technical Assistance Centre in Brussels, which he joined in 2000. Born in St. Petersburg, Russia, his first experience with computers was in 1989, which sparked his interest in computers and motivated him to start self-study in computer science while still in school. He graduated from St. Petersburg State Technical University in 1997. Andrew's networking experience started around 1992, when he commenced work for a systems integration company in St. Petersburg. In parallel with the job, which varied from fiber cable installations to custom Perl programming, he obtained Novell CNE certification for NetWare 4.1. He became a CCIE in Routing and Switching in 1999 and in Security in 2002.

Wen Zhang, CCIE No. 4302, is a senior engineer in the Cisco TAC Escalation Team, with a focus in network security and VPN technologies. In this role, he is responsible for handling difficult and complex escalation issues, working on critical software defects, and participating in the new product design and implementation process. He earned his B.S. and M.S. degrees in electrical engineering from Clemson University.
Acknowledgments
We would like to thank the technical editors (David White, Andrew Yourtchenko, and Wen Zhang) for their time and technical expertise. They verified our work and corrected us on all the major and minor mistakes that were hard to find.
Special thanks go to Jay Biersbach and James Cline for reviewing the manuscript and making this a better-looking book.
We would like to thank the Cisco Press team, especially Brett Bartow, Sheri Cain, Dayna Isley, Michelle Grandin, and Marc Fowler, for their patience, guidance, and consideration. Their efforts are greatly appreciated.
Many thanks to our managers, William Beach and Joe Dallatore, for their continuous support. They highly encouraged us throughout this project.
Kudos to the Cisco ASA product development team for delivering such a great product. Their support is also greatly appreciated during the development of this book.
Foreword
Network security is at a critical juncture where no single technology can solve the problem in silos. Hundreds of millions of dollars are being spent in reactively solving the virus, worm, and malware problem and the rapid propagation of these vile threats. Recognizing this, Cisco has modeled the Self-Defending Network (SDN) similar to the way our bodies protect us and deal with diseases.
The SDN has several protective and integrated layers: VPNs, firewalls, intrusion prevention, and anomaly mitigation. When combined with advanced virtualization, deeper packet intelligence, and behavioral linkages with end systems, the SDN is able to proactively prevent dangerous elements from causing havoc on networks. But akin to the human body, no network can completely stop all bad things from entering. People need to eat, drink, and breathe, and networks need to process and deliver information from a wide variety of external sources. With this in mind, Cisco is constructing SDN to work at or near capacity even when invaded by detrimental entities, just as the human body can keep on functioning even when it has an infection.
This book offers deep insight into one of Cisco's flagship and recently introduced products, the Adaptive Security Appliance, ASA 5500. ASA exemplifies the importance of integration, collaboration, and adaptation to different threat patterns in security. It is one of the industry's first all-in-one network security platforms, focused on uncompromised performance and security.
The authors of this book, Jazib Frahim and Omar Santos, have intimate knowledge of security as well as internetworking. Together they have about two decades of network security expertise and have been strong advocates of thoughtful security practices and designs for Cisco. I have found this book really highlights the practical aspects needed for building real-world security. It offers the insider's guidance needed to plan, implement, configure, and troubleshoot the Cisco ASA in customer environments and demonstrates the potential and power of SDNs. I hope you enjoy the insights of this book as much as I have and come to appreciate the ground-breaking security pioneered by Cisco over the past few years.
Jayshree Ullal
Senior Vice President, Security Technology Group
October 2005
Icons Used in This Book
Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the Cisco IOS Command Reference, which describes these conventions as follows:
- Boldface indicates commands and keywords that are entered literally as shown.
- Italics indicate arguments for which you supply actual values.
- Vertical bars (|) separate alternative, mutually exclusive elements.
- Square brackets, [ ], indicate optional elements.
- Braces, { }, indicate a required choice.
- Braces within brackets, [{ }], indicate a required choice within an optional element.
Introduction
Network security has always been a challenge for many organizations that cannot deploy separate devices to provide firewall, intrusion prevention, and virtual private network (VPN) services. Cisco ASA is a high-performance, multifunction security appliance that offers firewall, IPS, network anti-virus, and VPN services. Cisco ASA delivers these features through improved network integration, resiliency, and scalability.
This book is an insider's guide to planning, implementing, configuring, and troubleshooting Cisco ASA. It delivers expert guidance from senior Cisco network security consulting engineers. It demonstrates how adaptive identification and mitigation services on Cisco ASA provide a sophisticated network security solution to small, medium, and large organizations. This book brings together expert guidance for virtually every challenge you will face, from building basic network security policies to advanced VPN and IPS implementations.

Who Should Read This Book
This book serves as a guide for any network professional who manages network security or installs and configures firewalls, VPN devices, or intrusion detection/prevention systems. It encompasses topics from an introductory level to advanced topics on security and VPNs. The requirements of the reader include a basic knowledge of TCP/IP and networking.
How This Book Is Organized
This book has five parts, which provide a Cisco ASA product overview and then focus on firewalls, intrusion prevention, VPNs, and Adaptive Security Device Manager (ASDM). Each part comprises many sample configurations, accompanied by in-depth analyses of design scenarios. Your learning is further enhanced by a discussion of a set of debugs included in each technology. Ground-breaking features, such as WebVPN and virtual and Layer 2 firewalls, are discussed extensively.

Part I, "Product Overview," includes the following chapters:
- Chapter 1, "Introduction to Network Security": This chapter provides an overview of the different technologies that are supported by Cisco ASA and widely used by today's network security professionals.
- Chapter 2, "Product History": Historically, Cisco PIX security appliances, the Cisco IOS Advanced Security Feature Set, and the security services modules for Cisco Catalyst 6500 Series Switches have provided integrated security solutions to small and large organizations. As described in this chapter, Cisco ASA incorporates features from each of these products, integrating comprehensive firewall, intrusion detection and prevention, and VPN technologies in a cost-effective, single-box format.
- Chapter 3, "Hardware Overview": This chapter provides a hardware overview of Cisco ASA, including detailed technical specifications and installation guidelines. It also covers an overview of the Adaptive Inspection and Prevention Security Services Module (AIP-SSM).

Part II, "Firewall Solution," includes the following chapters:
- Chapter 4, "Initial Setup and System Maintenance": A comprehensive list of initial setup tasks and system maintenance procedures is included in this chapter. These tasks and procedures are intended to be used by network professionals who will be installing, configuring, and managing Cisco ASA.
- Chapter 5, "Network Access Control": Cisco ASA can protect one or more networks from intruders. Connections between these networks can be carefully controlled by advanced firewall capabilities, enabling you to ensure that all traffic from and to the protected networks passes only through the firewall based on the organization's security policy. This chapter shows you how to implement your organization's security policy using the features that Cisco ASA provides.
- Chapter 6, "IP Routing": This chapter covers the different routing capabilities of Cisco ASA.
- Chapter 7, "Authentication, Authorization, and Accounting (AAA)": Cisco ASA supports a wide range of AAA features. This chapter provides guidelines on how to configure AAA services by defining a list of authentication methods applied to various implementations.
- Chapter 8, "Application Inspection": Cisco ASA stateful application inspection helps to secure the use of applications and services in your network. This chapter describes how to use and configure application inspection.
- Chapter 9, "Security Contexts": The Cisco ASA virtual firewall feature introduces the concept of operating multiple instances of firewalls (contexts) within the same hardware platform. This chapter shows how to configure and troubleshoot each of these security contexts.
- Chapter 10, "Transparent Firewalls": This chapter introduces the transparent (Layer 2) firewall model within Cisco ASA. It explains how users can configure Cisco ASA in transparent single mode and multiple mode while accommodating their security needs.
- Chapter 11, "Failover and Redundancy": This chapter discusses the different redundancy and failover mechanisms that Cisco ASA provides. It includes not only the overview and configuration, but also detailed troubleshooting procedures.
- Chapter 12, "Quality of Service": QoS is a network feature that lets you give priority to certain types of traffic. This chapter covers how to configure and troubleshoot QoS in Cisco ASA.

Part III, "Intrusion Prevention System (IPS) Solution," includes the following chapters:
- Chapter 13, "Intrusion Prevention System Integration": Intrusion detection and prevention systems provide a level of protection beyond the firewall by securing the network against internal and external attacks and threats. This chapter describes the integration of Intrusion Prevention System (IPS) features within Cisco ASA.
- Chapter 14, "Configuring and Troubleshooting Cisco IPS Software via the CLI": This chapter provides expert guidance on how to configure the AIP-SSM IPS software via its command-line interface (CLI). Troubleshooting scenarios are also included to enhance learning.

Part IV, "Virtual Private Network (VPN) Solution," includes the following chapters:
- Chapter 15, "Site-to-Site IPSec VPNs": Cisco ASA supports IPSec VPN features that allow you to connect networks in different geographic locations. This chapter provides configuration and troubleshooting guidelines to successfully deploy site-to-site IPSec VPNs.
- Chapter 16, "Remote Access VPNs": This chapter discusses many different remote-access VPN solutions that are supported on Cisco ASA. A large number of sample configurations and troubleshooting