Transcript Slide 1
I Introduction to ASA Security Appliances and Basic Configuration Tasks 1 1 ASA Product Famil 3 4 Cisco ASA Configuration T ▼ ▲ HIS CHAPTER INTRODUCES THE FEATURES AND HARDWARE OF CISCO’S ADAPTIVE SECURITY APPLIANCE (ASA) PRODUCT LINE. THE TOPICS INCLUDE FEATURES OF THE ASA, INCLUDING THE OPERATING SYSTEM, SECURITY ALGORITHM, REDUNDANCY, AND OTHERS THE HARDWARE OF THE ASAPRODUCT LINE, INCLUDING THE MODELS, SUPPORTED HARDWARE MODULES (CARDS), AND LICENSING ASAFEATURES CISCO’S ASA IS A SET OF STATEFUL SECURITY APPLIANCES RANGING FROM THE MODEL 5505, WHICH IS DESIGNED FOR SMALL OFFICE, HOME OFFICE (SOHO) ENVIRONMENTS, TO THE 5580, WHICH IS DESIGNED FOR LARGE ENTERPRISE NETWORKS AND ISP SITES. ALL OF THESE PRODUCTS USE THE SAME OPERATING SYSTEM AND MANAGEMENT TOOLS, EASING YOUR IMPLEMENTATION AND MONITORING TASKS. BECAUSE ALL THE SECURITY APPLIANCES USE THE SAME OPERATING SYSTEM, THE MAJOR DIFFERENCES BETWEEN THE MODELS PRIMARILY CONCERN SCALABILITY AND PERFORMANCE. THE ASA FAMILY OF PRODUCTS (AND THEIR OLDER SIBLINGS, THE PIX PRODUCTS) CAN BEST BE DESCRIBED AS HYBRID FIREWALLS. CISCO, HOWEVER, DOES NOT LIKE TO USE THE TERM “FIREWALL” TO DESCRIBE THEASAAND PIX PRODUCT FAMILY. INSTEAD, CISCO PREFERS USING THE TERM “SECURITY APPLIANCE,” MAINLY BECAUSE THE ASA PRODUCTS AND THE PRODUCTS THEY REPLACED, THE PIX PRODUCTS, ARE NOT JUST STATEFUL FIREWALLS; THEY ALSO SUPPORT MANY OTHER SECURITY FEATUR INCLUDING ▼ ■ SECURE, REAL-TIME, PROPRIETARY OPERATING SYSTEM STATEFUL FIREWALL USING THE CISCO SECURITY ALGORITHM (SA) ■ SEQUENCE NUMBER RANDOMIZATION (SNR) TO SECURE TCP CONNECTIONS ■ CUT-THROUGH PROXY (CTP) FOR AUTHENTICATING TELNET, HTTP, AND FTP CONNECTIONS ■ ■ ■ ■ ■ ▲ DEFAULT SECURITY POLICIES TO ENSURE MAXIMUM PROTECTION, AS WELL AS THE ABILITY TO CUSTOMIZE THESE POLICIES AND BUILD YOUR OWN POLICIES VIRTUAL PRIVATE NETWORK (VPN) ABILITIES: IPSEC, SSL, AND L2TP INTRUSION DETECTION AND PREVENTION SYSTEMS (IDS AND IPS) ADDRESS TRANSLATION USING DYNAMIC AND STATIC NETWORK AND PORT ADDRESS TRANSLATION STATEFUL REDUNDANCY OF CONNECTIONS AND VPNS BETWEEN TWO SECURITY APPLIANCES VIRTUALIZATION OF POLICIES USING CONTEXTS THIS IS JUST A SMALL LIST OF SOME MAJOR FEATURES OF THE SECURITY APPLIANCES. THE FOLLOWING SECTIONS PROVIDE AN OVERVIEW OF SOME OF THESE FEATURES. THE FEATURES THAT I DON’ BRIEFLY COVER IN THIS CHAPTER ARE COVERED IN SUBSEQUENT CHAPTERS. Chapter 1: ASA Product Family 5 NOTE THROUGHOUT THE BOOK, WHENEVER THE TERMS “SECURITY APPLIANCE” OR “APP REFER TO BOTH THEASAAND PIX PRODUCTS UNLESS OTHERWISE NOTED. OPERATING SYSTEM THE OPERATING SYSTEM (VERSION 7 AND LATER) YOU CURRENTLY SEE ON THE ASAAPPLIANCES AND ON THE PIX 515 AND HIGHER APPLIANCES IS BASED ON THE PIX FINESSE OPERATING SYSTEM (FOS). THE FOS IS A PROPRIETARY, STAND-ALONE OPERATING SYSTEM. IT IMPLEMENTS THE ACTUAL SECURITY FUNCTIONS THAT THE SECURITY APPLIANCE HARDWARE PERFORMS. IN THIS SENSE, IT IS SOMEWHAT SIMILAR TO THE INTERNETWORK OPERATING SYSTEM (IOS) OF CISCO ROUTERS AND SWITCHES, OR WHAT THE MICROSOFT WINDOWS XP OR LINUX OPERATING SYSTEMS ARE TO PCS. CISCO NO LONGER USES THE TERM FOS TO DESCRIBE THE OPERATING SYSTEM, THOUGH. STARTING IN VERSION 7 AND LATER, CISCO REFERS TO THE SECURITY APPLIANCE OPERATING SYSTEM AS JUST TH “OPERATING SYSTEM.” NOTE EVEN THOUGH CISCO’S PIX APPLIANCES ARE NO LONGER FOR SALE, WHICH CISCO OF-SALE (EOS), THE PIX 515S AND HIGHER SUPPORT THE SAME OPERATING SYSTEM AS THE DIFFERENCEBETWEENTHEPIXSANDASASISTHATTHELOWER-ENDPIX501AND506EDONOTSUP 7 AND LATER OF THE OS, AND NONE OF THE PIXS SUPPORTS SSLVPNS. THIS BOOK FOCUSES ASAS; HOWEVER, THE TOPICS DISCUSSED CAN BE EQUALLY APPLIED TO THE PIXS IN MOST FIREWALLAPPLICATIONS SOME FIREWALL PRODUCTS RUN ON TOP OF AN OPERATING SYSTEM; THESE SOLUTIONS ARE COMMO CALLED FIREWALL APPLICATIONS. ONE DISADVANTAGE THAT FIREWALL APPLICATIONS HAVE COMPAR WITH A PROPRIETARY OPERATING SYSTEM IS THAT THE FIREWALL VENDOR MUST DEAL WITH TWO SOF WARE PRODUCTS IN CREATING A FIREWALL: THE OPERATING SYSTEM AND THE FIREWALL APPLICATION THIS PROCESS CAN OFTEN LEAD TO A LESS SECURE SYSTEM. THIS IS ESPECIALLY TRUE WHEN YOU CON SIDER ALL THE SECURITY THREATS THAT HAVE BEEN DIRECTED SPECIFICALLY AT UNIX AND MICROSOFT OPERATING SYSTEMS. AN EXAMPLE OF A FIREWALL PRODUCT THAT USES FIREWALL APPLICATIONS IS CHECK POINT. THIS NOT TO SAY THAT CHECK POINT’S FIREWALL IS A WORSE SOLUTION THAN A FIREWALL PRODUCT THAT A PROPRIETARY OPERATING SYSTEM. HOWEVER, A FIREWALL VENDOR LIKE CHECK POINT WILL HAVE TO DO MANY MORE THINGS TO ENSURE THAT THE FIREWALL APPLICATION AND OPERATING SYSTEM PRO A SECURE SOLUTION. (NOTE THAT CHECK POINT’S NEXT-GENERATION PRODUCT, SECUREPLATFORM 1, MOVING AWAY FROM THIS APPROACH AND MOVING TOWARD AN INTEGRATED SOLUTION.) THE MAIN PROBLEM WITH A FIREWALL APPLICATION SOLUTION IS THAT THE VENDOR NOT ONLY H TOPROVIDE A SECURE FIREWALL APPLICATION, BUT MUST ALSO SECURE THE OPERATINGSYSTEM ITRUN ON. HOWEVER, FIREWALL APPLICATIONS DO PROVIDE TWO ADVANTAGES: ▼ THEY TEND TO BE EASY TO INSTALL AND MAINTAIN. ▲ THEY RUN ON A WIDE VARIETY OF PC/SERVER PLATFORMS. 6 Cisco ASA Configuration PROPRIETARY OPERATING SYSTEM PROPRIETARYOPERATINGSYSTEMSPROVIDEASECURITYADVANTAGEOVERFIREWALLAPPLICATIONS—A PROPRIETARY OPERATING SYSTEM VENDOR HAS TO BE CONCERNED ABOUT ONLY ONE SYSTEM, INSTE OF TWO, IN PROVIDING A SECURE FIREWALL SOLUTION. ANOTHER HUGE ADVANTAGE OF PROPRIETAR OPERATING SYSTEMS IS SCALABILITY. BECAUSE A PROPRIETARY OPERATING SYSTEM CAN BE CUSTOMIZEDTOASPECIFICHARDWAREPLATFORM,THISFIREWALLSYSTEMCANPROVIDEEXTREMELYFASTPACKET FILTERING ABILITIES AND SECURITY CAPABILITIES. OFF-THE-SHELF OPERATING SYSTEMS LIKE UNIX AND MICROSOFT WINDOWS ARE GENERALPURPOSE OPERATING SYSTEMS THAT WERE DEVELOPED TO PERFORM MANY TASKS, NOT ALL OF WHIC ARE PERFORMED AT AN OPTIMAL LEVEL. USING A GENERAL OPERATING SYSTEM DECREASES THE PERFORMANCE OF THE PACKET FILTERING AND FIREWALL FUNCTIONS OF THE FIREWALL APPLICATION. TO PROVIDE FOR SCALABILITY, YOU MUST LOAD YOUR FIREWALL APPLICATION ON VERY EXPENSIVE SERVE PLATFORMS. USING A PROPRIETARY OPERATING SYSTEM IN A FIREWALL SOLUTION ALSO MAKES IT MUCH MORE DIFFICULT FOR HACKERS TO PENETRATE THE FIREWALL.ATTACKERS ARE FAMILIAR WITH THE FUNCTION COMMON OPERATING SYSTEMS LIKE UNIX AND MICROSOFT PRODUCTS, WHICH MAKES IT A LITTLE BIT EASIER FOR THEM TO ATTACK THE FIREWALL APPLICATION. HOWEVER, WHEN VENDORS USE A PROPRI ETARY OPERATING SYSTEM TO IMPLEMENT THEIR FIREWALL SOLUTION, AN ATTACKER WILL HAVE LITTL OR NO KNOWLEDGE ABOUT THE FUNCTIONS AND PROCESSES OF THE OPERATING SYSTEM, MAKING IT VERY DIFFICULT FOR THE ATTACKER TO COMPROMISE THE FIREWALL SOLUTION. USING A PROPRIETARY OPERATING SYSTEM HAS SOME DISADVANTAGES. FIRST, BECAUSE THE OPERATING SYSTEM IS PROPRIETARY, YOUR SECURITY PERSONNEL WILL HAVE TO LEARN THE NEW SYSTEM MANY OF YOUR PERSONNEL WILL ALREADY HAVE EXPERIENCE WITH UNIX OR MICROSOFT WINDOWS, AND THUS THEIR LEARNING CURVE IN IMPLEMENTING THE SOLUTION WILL BE SHORTENED. NOTE WHEN YOU ARE USING AN UNDERLYING PROPRIETARY OPERATING SYSTEM SUCH APPLIANCES, THE ADMINISTRATOR IS UNABLE TO INTERACT WITH THE UNDERLYING OS. ALSO, BECAUSE FIREWALL APPLICATIONS ARE DEVELOPED FOR A SPECIFIC OPERATING SYSTEM PLATFORM LIKE UNIX OR MICROSOFT WINDOWS, YOUR SECURITY PERSONNEL WILL ALREADY BE FAMILIAR WITH THE INTERFACE THAT IS EMPLOYED BY THE FIREWALL. A GOOD EXAMPLE OF THIS IS CHECK POINT’S FIREWALL SOLUTION—IT HAS A VERY GOOD, INTUITIVE GUI INTERFACE, WHICH MAKES CONFIGURATION EASY AND ALSO REDUCES THE LIKELIHOOD OF MAKING MISTAKES AND OPENING UP UNINTENDED HOLES IN YOUR FIREWALL SYSTEM. HERE ARE SOME OF THE MAIN ADVANTAGES OF USING PROPRIETARY OSS FOR FIREWALLS: ▼ THEY TEND TO BE MORE SECURE THAN FIREWALL APPLICATIONS. ▲ THEY PROVIDE FOR BETTER SCALABILITY AND PACKET FILTERING SPEEDS BECAUSE THE OPERATING SYSTEM IS CUSTOMIZED DIRECTLY TO WORK WITH SPECIFIC HARDWARE. ASAMANAGEMENT BECAUSE THE SECURITY APPLIANCES USE THE SAME OPERATING SYSTEM, THE CONFIGURATION O CISCO’S ASAS AND PIXS IS SIMPLIFIED. YOU HAVE A CHOICE OF THREE METHODS TO CONFIGURE YOUR SECURITY APPLIANCE: Thank you for evaluating Wondershare PDF Editor. You can only convert 5 pages with the trial version. To get all the pages converted, you need to purchase the software from: http://cbs.wondershare.com/go.php?pid=1140&m=db