Cisco ASA Configuration

Part I: Introduction to ASA Security Appliances and Basic Configuration Tasks

Chapter 1: ASA Product Family

This chapter introduces the features and hardware of Cisco's Adaptive Security Appliance (ASA) product line. The topics include

▼ Features of the ASA, including the operating system, security algorithm, redundancy, and others
▲ The hardware of the ASA product line, including the models, supported hardware modules (cards), and licensing
ASA Features

Cisco's ASA is a set of stateful security appliances ranging from the model 5505, which is designed for small office, home office (SOHO) environments, to the 5580, which is designed for large enterprise networks and ISP sites. All of these products use the same operating system and management tools, easing your implementation and monitoring tasks. Because all the security appliances use the same operating system, the major differences between the models primarily concern scalability and performance.

The ASA family of products (and their older siblings, the PIX products) can best be described as hybrid firewalls. Cisco, however, does not like to use the term "firewall" to describe the ASA and PIX product family. Instead, Cisco prefers the term "security appliance," mainly because the ASA products and the products they replaced, the PIX products, are not just stateful firewalls; they also support many other security features, including

▼ Secure, real-time, proprietary operating system
■ Stateful firewall using the Cisco Security Algorithm (SA)
■ Sequence Number Randomization (SNR) to secure TCP connections
■ Cut-through Proxy (CTP) for authenticating Telnet, HTTP, and FTP connections
■ Default security policies to ensure maximum protection, as well as the ability to customize these policies and build your own policies
■ Virtual private network (VPN) abilities: IPSec, SSL, and L2TP
■ Intrusion detection and prevention systems (IDS and IPS)
■ Address translation using dynamic and static network and port address translation
■ Stateful redundancy of connections and VPNs between two security appliances
▲ Virtualization of policies using contexts

This is just a small list of some major features of the security appliances. The following sections provide an overview of some of these features. The features that I don't briefly cover in this chapter are covered in subsequent chapters.
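As an added illustration that is not taken from the book, the following configuration fragment ties together several of the features just listed on a single appliance: security levels that define the default policy, dynamic and static address translation, an interface ACL that opens exactly one service from the less-trusted side, and cut-through proxy authentication for outbound HTTP. It assumes the pre-8.3 NAT syntax (static/global/nat) of the OS versions this book covers; the hostname, interface names, addresses, ACL names and the RADIUS server are all constructed for the example.

```cisco
! Added example, not from the book. Pre-8.3 ASA syntax; every name and
! address below is constructed for illustration.
hostname asa-example
!
! Security levels define the default policy: connections may be initiated
! from a higher-level interface to a lower-level one without an ACL, while
! the reverse direction is denied unless an ACL permits it.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
! Dynamic PAT: inside hosts share the outside interface address when they
! initiate connections outbound.
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
!
! Static one-to-one translation for an inside web server that must be
! reachable from the outside.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
!
! Open only TCP/80 to the translated web server from the outside. Everything
! else inbound is still dropped by the default policy.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE_IN in interface outside
!
! Cut-through proxy: inside users must authenticate against RADIUS before the
! appliance passes their HTTP connections; authenticated sessions are then
! handled as ordinary stateful connections.
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 10.0.0.5
 key ExampleSharedSecret
access-list AUTH_HTTP extended permit tcp 10.0.0.0 255.255.255.0 any eq www
aaa authentication match AUTH_HTTP inside RADIUS_SRV
!
! Commands to verify the result once the configuration is applied:
!   show nameif        (interfaces and their security levels)
!   show xlate         (active static and dynamic translations)
!   show conn          (stateful connection table)
!   show uauth         (users authenticated through the cut-through proxy)
```

TCP sequence number randomization from the feature list needs no configuration here: it is applied to every TCP connection by default, and the example deliberately leaves it that way.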
NOTE Throughout the book, whenever the terms "security appliance" or "appliance" are used, they refer to both the ASA and PIX products unless otherwise noted.
Operating System

The operating system (version 7 and later) you currently see on the ASA appliances and on the PIX 515 and higher appliances is based on the PIX Finesse Operating System (FOS). The FOS is a proprietary, stand-alone operating system. It implements the actual security functions that the security appliance hardware performs. In this sense, it is somewhat similar to the Internetwork Operating System (IOS) of Cisco routers and switches, or what the Microsoft Windows XP or Linux operating systems are to PCs. Cisco no longer uses the term FOS to describe the operating system, though. Starting in version 7 and later, Cisco refers to the security appliance operating system as just the "operating system."
NOTE Even though Cisco's PIX appliances are no longer for sale, which Cisco calls end-of-sale (EOS), the PIX 515s and higher support the same operating system as the ASAs. The main difference between the PIXs and ASAs is that the lower-end PIX 501 and 506E do not support version 7 and later of the OS, and none of the PIXs supports SSL VPNs. This book focuses on the ASAs; however, the topics discussed can be equally applied to the PIXs in most cases.

Firewall Applications
Some firewall products run on top of an operating system; these solutions are commonly called firewall applications. One disadvantage that firewall applications have compared with a proprietary operating system is that the firewall vendor must deal with two software products in creating a firewall: the operating system and the firewall application. This process can often lead to a less secure system. This is especially true when you consider all the security threats that have been directed specifically at Unix and Microsoft operating systems.

An example of a firewall product that uses firewall applications is Check Point. This is not to say that Check Point's firewall is a worse solution than a firewall product that uses a proprietary operating system. However, a firewall vendor like Check Point will have to do many more things to ensure that the firewall application and operating system provide a secure solution. (Note that Check Point's next-generation product, SecurePlatform 1, is moving away from this approach and moving toward an integrated solution.)

The main problem with a firewall application solution is that the vendor not only has to provide a secure firewall application, but must also secure the operating system it runs on. However, firewall applications do provide two advantages:

▼ They tend to be easy to install and maintain.
▲ They run on a wide variety of PC/server platforms.
Proprietary Operating System

Proprietary operating systems provide a security advantage over firewall applications: a proprietary operating system vendor has to be concerned about only one system, instead of two, in providing a secure firewall solution. Another huge advantage of proprietary operating systems is scalability. Because a proprietary operating system can be customized to a specific hardware platform, this firewall system can provide extremely fast packet filtering abilities and security capabilities.

Off-the-shelf operating systems like Unix and Microsoft Windows are general-purpose operating systems that were developed to perform many tasks, not all of which are performed at an optimal level. Using a general operating system decreases the performance of the packet filtering and firewall functions of the firewall application. To provide for scalability, you must load your firewall application on very expensive server platforms.

Using a proprietary operating system in a firewall solution also makes it much more difficult for hackers to penetrate the firewall. Attackers are familiar with the functions of common operating systems like Unix and Microsoft products, which makes it a little bit easier for them to attack the firewall application. However, when vendors use a proprietary operating system to implement their firewall solution, an attacker will have little or no knowledge about the functions and processes of the operating system, making it very difficult for the attacker to compromise the firewall solution. Keep in mind that this is an argument from obscurity rather than a guarantee: a proprietary operating system has its own vulnerabilities and its own vendor security advisories, so the appliance still has to be patched like any other platform.

Using a proprietary operating system has some disadvantages. First, because the operating system is proprietary, your security personnel will have to learn the new system. With a firewall application, by contrast, many of your personnel will already have experience with Unix or Microsoft Windows, and thus their learning curve in implementing the solution will be shortened.

NOTE When you are using an underlying proprietary operating system, such as the one on Cisco's security appliances, the administrator is unable to interact with the underlying OS.

Also, because firewall applications are developed for a specific operating system platform like Unix or Microsoft Windows, your security personnel will already be familiar with the interface that is employed by the firewall. A good example of this is Check Point's firewall solution: it has a very good, intuitive GUI interface, which makes configuration easy and also reduces the likelihood of making mistakes and opening up unintended holes in your firewall system.

Here are some of the main advantages of using proprietary OSs for firewalls:

▼ They tend to be more secure than firewall applications.
▲ They provide for better scalability and packet filtering speeds because the operating system is customized directly to work with specific hardware.
ASA Management

Because the security appliances use the same operating system, the configuration of Cisco's ASAs and PIXs is simplified. You have a choice of three methods to configure your security appliance: