Use the show vlan command on an ASASM to display the current list of assigned VLANs.
Common deployment scenarios for the SM:
Protecting the internal segment from the external network.
Protecting a fragile network from other internal networks.
Web-type ACL
Mainly for restricting traffic coming through SSL VPN tunnels.
Object groups
Object grouping heavily reduces the number of ACEs you have to write. It can be done both in ASDM and in the CLI. A single ACE can use an object group in every field, so one ACE stands for many regular ACEs. The reduction is only visual: the ASA still expands the ACE into its individual entries, so using too large object groups can unexpectedly affect many ACEs at once.
Different group types:
Protocol: groups different protocol types together. Useful when more than one protocol is involved for the same source/destination.
Network: for source and destination purposes; two hosts/networks can be grouped together.
Service: e.g. HTTP, DNS. A DMZ might have several services available; bundle them together for one ACE.
Local user group: used when the identity-based firewall is deployed.
Security group: used within Cisco TrustSec. Filters traffic based on information downloaded from an external identity repository.
ICMP type: binds the various types of control messages together.
Time-based ACL:
Implemented when traffic needs to be filtered at certain times.
Two parameters are used: absolute, for a one-time happening only, and periodic, for recurring events (e.g. every day).
These can be combined; the absolute range takes priority.
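The object-group and time-range notes above, as one constructed ASA configuration (added example, not from the notes). The object names, the 192.0.2.x addresses and the business-hours window are assumptions; the point is that a single ACE built from two object groups and one time range stands in for six expanded entries.

```cisco
! Constructed example: one ACE built from object groups and restricted by a time range.
! All names and addresses are assumptions.
object-group network DMZ-SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group service DMZ-WEB-SERVICES tcp
 port-object eq www
 port-object eq https
 port-object eq domain
! Periodic entry (recurring, weekday business hours) bounded by an absolute window.
! The absolute range takes priority: outside it the periodic entry never matches.
time-range BUSINESS-HOURS
 absolute start 00:00 1 January 2025 end 23:59 31 December 2025
 periodic weekdays 8:00 to 17:00
! One ACE that the ASA expands internally to 2 hosts x 3 ports = 6 ACEs.
access-list OUTSIDE-IN extended permit tcp any object-group DMZ-SERVERS object-group DMZ-WEB-SERVICES time-range BUSINESS-HOURS
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
! Verify: the expanded entries and the per-ACE hit counts
show access-list OUTSIDE-IN
```

The show access-list output is the check worth knowing: it prints the expanded ACEs, which is why a very large group quietly multiplies the rule count even though the configuration shows one line.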
Downloadable ACL: compatible with RADIUS or TACACS+. The AAA server maintains the ACL; when a user authenticates and connects, the ASA downloads the ACL, applies it, and handles the host's traffic according to the downloaded ACL.
Routed firewalls separate two IP subnets and can filter L3 and higher. They cannot filter on L2.
Transparent firewalls can filter L2 and higher. A transparent firewall sits within one IP subnet and uses bridge virtual interfaces (BVIs) for self-generated packets. Do the switchover from the console with the firewall transparent command, because you will lose Telnet and SSH. The ASA then works as a switch: L2 forwarding (MAC address table) entries are learned dynamically as packets traverse it.
ARP inspection: ARP packets are generally not filtered, but an EtherType ACL can block them. ARP spoofing = an attacker sends fake ARP messages to associate his MAC address with the IP address of a host on the LAN. Transparent mode provides a way to prevent attacks related to ARP spoofing. It is enabled per interface and relies heavily on static ARP entries.
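The transparent-mode and ARP-inspection notes above as a constructed configuration (added example, not from the notes). The interface names, bridge-group number, 10.1.1.x addresses and MAC addresses are assumptions; the no-flood option is what turns the static entries into an allow-list rather than a hint.

```cisco
! Constructed example: transparent mode with a bridge group and ARP inspection.
! Run the mode switch from the console: Telnet/SSH sessions are dropped.
firewall transparent
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
! The BVI carries the management address used for self-generated packets (syslog, AAA, ...)
interface BVI1
 ip address 10.1.1.2 255.255.255.0
! Static ARP entries are the ground truth that inspection compares against (assumed values)
arp inside 10.1.1.10 0011.2233.4455
arp inside 10.1.1.11 0011.2233.4466
! ARP packets that contradict a static entry are dropped on both interfaces.
! no-flood: ARP for hosts without a static entry is dropped too (strict allow-list).
! flood: unknown hosts are still forwarded, so only spoofing of the listed hosts is stopped.
arp-inspection inside enable no-flood
arp-inspection outside enable flood
! Verify inspection state, the static/dynamic ARP table and the learned MAC table
show arp-inspection
show arp
show mac-address-table
```

The trade-off the notes hint at ("relies heavily on static ARP entries") is visible here: with no-flood every host on the inside segment needs a static entry or its ARP is silently dropped, so the inspection mode should match how completely the segment is inventoried.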
Virtualization partitions a physical firewall into multiple standalone firewalls (security contexts). Good for cost, segregation, different security policies and integration.
The system execution space, also known as the system context, has no network settings or connectivity of its own. It is mainly used to define the settings of the other contexts.
CIPS components:
Interprocess communication API
MainApp
SensorApp
CollaborationApp
EventStore
CLI
Site-to-Site VPN
1. Enable IKEv1/v2
2. Create ISAKMP policy
3. Set up tunnel groups
4. Define interesting traffic
5. Define IPsec policy
6. Create crypto map.
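The six steps above carried through as one constructed IKEv2 site-to-site configuration (added example, not from the notes). The peer address 203.0.113.2 and the two LANs are RFC 5737 / RFC 1918 documentation ranges, the policy numbers, names and the pre-shared key are placeholders, and the example assumes a 9.x ASA and that traffic between the two LANs is exempted from NAT elsewhere.

```cisco
! Constructed example: IKEv2 site-to-site tunnel following the six steps.
! Peer 203.0.113.2, local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24; PSK is a placeholder.
! 1. Enable IKEv2 on the interface that faces the peer
crypto ikev2 enable outside
! 2. IKE (phase 1) policy: must match the peer's proposal
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
! 3. Tunnel group keyed on the peer address; both directions authenticate with the PSK
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key PLACEHOLDER-PSK
 ikev2 local-authentication pre-shared-key PLACEHOLDER-PSK
! 4. Interesting traffic: what gets encrypted (configure the mirror image on the peer)
access-list VPN-TO-SITEB extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! 5. IPsec (phase 2) proposal
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
! 6. Crypto map: match address + set peer + set proposal, then bind it to the interface
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITEB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside
! Verify phase 1 and phase 2 once interesting traffic has been sent
show crypto ikev2 sa
show crypto ipsec sa
```

A mismatch in step 2 or 5 shows up as no IKEv2 SA at all, while a one-sided step 4 ACL shows up as a phase 1 SA with no IPsec SA, so the two show commands at the end separate the two failure classes.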
Different uses of NAT
One-to-one mapping, assigned statically or from a pool of addresses. Inside to outside, i.e. from a higher security zone to a lower one.
Methods of NAT/PAT
Static NAT: DNS, email.
Dynamic NAT: protocols without L4 info (GRE, DDP).
Dynamic PAT: translates source IP and source ports; TCP/UDP.
Policy NAT: ACLs define whether the traffic should be translated or not.
Identity NAT: mainly for NAT exemption; you NAT a network to itself to exclude it from another NAT rule.
NAT hides the original IP address and limits the number of public IP addresses a company must use, for both economic and security reasons.
TCP intercept: prevents DoS traffic by setting a maximum number of TCP/UDP connections.
Auto NAT: configured inside a network object; does not take the destination into consideration.
Manual NAT: configured in global configuration mode; makes it possible to translate an address differently depending on the destination.
NAT order of operations: to prevent conflicts between different NAT policies, the security appliance prioritizes NAT rules in this order:
NAT exemptions, static NAT, static PAT, policy NAT/PAT, identity NAT, dynamic NAT, dynamic PAT.
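The NAT methods listed above, written out as constructed ASA 8.3+ object NAT (added example, not from the notes). Object names are assumptions and the public addresses come from the RFC 5737 documentation ranges; the example contrasts Auto NAT (inside the object, destination ignored) with Manual NAT (global mode, destination-aware), including the identity-NAT exemption and a policy rule.

```cisco
! Constructed example: Auto NAT vs Manual NAT. Names and addresses are assumptions.
! --- Auto NAT: lives inside the object, ignores the destination ---
! Dynamic PAT: the whole inside LAN shares the outside interface address (source IP + port)
object network INSIDE-LAN
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Static NAT: one-to-one for a DMZ mail server published on a public address
object network DMZ-MAIL
 host 192.168.2.25
 nat (dmz,outside) static 203.0.113.25
! --- Manual NAT: global config, so the destination can be part of the rule ---
! Identity NAT (NAT exemption): traffic to the partner LAN is translated to itself, i.e. not at all
object network PARTNER-LAN
 subnet 10.2.2.0 255.255.255.0
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static PARTNER-LAN PARTNER-LAN no-proxy-arp route-lookup
! Policy NAT/PAT: the same inside hosts use a different public address only when
! the destination is 198.51.100.0/24 (a host object as mapped address gives PAT)
object network PUBLIC-B
 host 203.0.113.77
object network SERVICE-NET
 subnet 198.51.100.0 255.255.255.0
nat (inside,outside) source dynamic INSIDE-LAN PUBLIC-B destination static SERVICE-NET SERVICE-NET
! Verify: rules are listed in the order the ASA evaluates them, with hit counts; xlate shows live translations
show nat detail
show xlate
```

The exemption rule is the one most often missing in practice: without it the Auto NAT dynamic PAT rule above would translate the partner-bound traffic as well, which is exactly the "exclude it from another NAT function" case the notes describe.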
AAA - RADIUS is a widely implemented protocol with a client/server model; the client is the network access server (NAS). The ASA acts as NAS and authenticates users based on the RADIUS response.
RADIUS authentication process:
The user attempts to connect to the ASA. The ASA prompts the user for username and password. The credentials are sent from the user to the ASA. The ASA sends an authentication request to the RADIUS server. An Access-Accept or Access-Reject is sent back from the RADIUS server. The ASA responds to the user.
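The NAS role described above as a constructed configuration (added example, not from the notes): the ASA authenticates SSH and enable logins against a RADIUS server and falls back to the local database. The server group name, the 10.1.1.5 server address, the shared secret and the test username are assumptions.

```cisco
! Constructed example: ASA as RADIUS NAS for management authentication.
! Server group name, address, shared secret and username are assumptions.
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.1.1.5
 key PLACEHOLDER-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813
! LOCAL as the last method keeps a way in if the RADIUS server is unreachable
aaa authentication ssh console RADIUS-SRV LOCAL
aaa authentication enable console RADIUS-SRV LOCAL
! Drive the exchange from the CLI: the reply is the Access-Accept / Access-Reject from the server
test aaa-server authentication RADIUS-SRV host 10.1.1.5 username alice password PLACEHOLDER
! Reachability and per-server status
show aaa-server RADIUS-SRV
```

The test command is the practitioner's check for the process described in the notes: it exercises the full request/response round trip with the configured key, so a wrong shared secret or a server that is up but rejecting shows up before anyone is locked out of SSH.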
TACACS+
Kerberos
Windows NT
RSA SecurID
LDAP
The Cisco ASA protects the networks inside and in the DMZ by inspecting traffic that passes through it. An ACL is a collection of security rules and policies that allows or denies packets after looking at packet headers and attributes.
ACLs are used for: packet identification for NAT and VPN encryption, route redistribution, QoS packet classification, and access control.
One entry in an ACL is called an ACE. It classifies packets by inspecting headers for a number of parameters: L2/L3 protocol info, L3/L4 header info, L7 info.
An interface ACL overrides a global ACL. A global ACL looks at all traffic passing through the ASA.
Through-the-box traffic filtering: traffic sourced from the outside going to the inside network, i.e. traffic passing through the ASA. The ASA checks NAT before the ACL.
To-the-box traffic filtering: traffic destined to the ASA itself. Applied using the control-plane keyword.
Traffic from a higher security zone going to a lower security zone is allowed. However, the ASA considers DHCP, EIGRP, OSPF, multicast and RIP special types of traffic: they are treated as connectionless, so an extended ACL must be applied on both interfaces for communication to work.
Four types of ACL: standard, extended, EtherType, web-type.
EtherType ACLs work only in transparent mode.
Object groups. Using object grouping you can heavily decrease the number of ACEs. It is possible using both ASDM and the CLI. One ACE can contain an object group in every field, so that ACE represents many more than a regular one. The decreased number of ACEs is only visual. Using too large object groups could unexpectedly affect multiple ACEs.
Different group types: protocol, network, service, ICMP type, local user group, security group.
Time-based ACL: implemented when traffic needs to be filtered at certain times. Absolute or periodic.
Routed firewalls: separate two IP subnets, can filter L3 and higher. Cannot filter on L2.
Transparent firewalls: can filter L2 and higher. Operate within one IP subnet. Use BVIs for self-generated packets. Do the switchover from the console with the firewall transparent command, because you will lose Telnet and SSH.
ARP packets are generally not filtered, but EtherType ACLs can block them. Transparent mode provides a way to prevent attacks related to ARP spoofing.
Virtualization: partitions a physical firewall into multiple standalone firewalls. Cost, segregation, different security policies, integration.
3. IDS with feedback to the ACL. The IDS tells the ACL to block future connections of this type. It tells the ASA not to let in any more of a certain kind of traffic if it detects that it is bogus.
4. HIDS = on a host. NIDS = takes care of the whole network.
1. Pattern matching, signature-based. Looks for patterns in the files that pass through.
2. Protocol analysis: establishes a baseline and picks out abnormal conditions.
3. Heuristic analysis: based on experience and judgments. Check all Russian packets.
4. Anomaly detection: filters all new and unusual traffic.
Reasons for NAT: security, shortage of addresses; without NAT you get nowhere.
b. PAT divides an address further by adding a randomly generated port at the end.
System: creates the contexts. Assigns interfaces and the path to each context's configuration file (config-url disk0: .cfg).
Admin: can access everything.
User: the user's own context. They can configure the things that have been assigned to them.
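The three-level context model (system, admin, user) from the notes above and from the virtualization section earlier, as a constructed multiple-context configuration (added example, not from the notes). Interface names, context names and file names are assumptions.

```cisco
! Constructed example: multiple-context mode. Names and interfaces are assumptions.
! Everything below is entered in the system execution space, which has no
! network connectivity of its own and only defines the other contexts.
mode multiple
! The admin context is the one the whole appliance is managed from
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
! A user context: its own interfaces (with mapped names so the tenant never sees
! the physical names) and its own configuration file
context CUST-A
 allocate-interface GigabitEthernet0/0.10 cust-a-outside
 allocate-interface GigabitEthernet0/1.10 cust-a-inside
 config-url disk0:/cust-a.cfg
! Switch into the context to configure what has been assigned to it (nameif, ACLs, NAT ...)
changeto context CUST-A
! and back to the system space
changeto system
! Verify which contexts exist and which interfaces each one owns
show context
```

The mapped interface names are the security-relevant detail: the tenant administering CUST-A configures policy only on interfaces the system space allocated to it, which is the segregation the notes list as a reason for virtualization.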
Advantages: it filters at layer 2, extra security on the inside, it is invisible to the attacker. ARP inspection.
No VPNs, no routing, cannot receive multicast, hard to troubleshoot.
Crypto map: set peer, set transform set. Match address ACL.