Lecture CCNA Security - Chapter 10: Implementing the Cisco Adaptive Security Appliance (ASA)
Pages: 50
File type: pdf
Document information:
The ASA is a standalone firewall device that is a primary component of the Cisco SecureX architecture. The chapter discusses the following questions: Which kind of branch is appropriate for the IOS firewall solution? What is the disadvantage of the IOS firewall solution? Please refer to the document for details.
Content extracted from the document:
Implementing the Cisco Adaptive Security Appliance (ASA)
CCNA Security

Objectives

Overview of the ASA

Refer to 10.1.1.1
• Which kind of branch is appropriate for the IOS firewall solution?
• What is the disadvantage of the IOS firewall solution?

• The ASA is a standalone firewall device that is a primary component of the Cisco SecureX architecture.
• All six ASA models provide advanced stateful firewall features and VPN functionality.
• The biggest difference between the models is the maximum traffic throughput handled by each model and the number and type of interfaces.
• The choice of ASA model will depend on an organization's requirements, such as maximum throughput, maximum connections per second, and budget.

• The ASA software combines firewall, VPN concentrator, and intrusion prevention functionality into one software image.
• Previously, these functions were available in three separate devices, each with its own software and hardware.
1. PIX
2. VPN concentrator
3. IDS

Other advanced ASA features include these:
Refer to 10.1.1.1
1. ASA virtualization
2. High availability with failover
3. Identity firewall
4. Threat control and containment services

• All ASA models can be configured and managed using either the command line interface or the Adaptive Security Device Manager (ASDM).

• By default, the ASA treats a defined inside interface as the trusted network, and any defined outside interfaces as untrusted networks.
• Each interface has an associated security level.
• An ASA provides the same features as ZPF/CBAC, but the configuration differs markedly from the IOS router configuration of ZPF.
Refer to 10.1.1.2

• The ASA is a stateful firewall. It tracks the state of the TCP or UDP network connections traversing it.
• All traffic forwarded through an ASA is inspected using the Adaptive Security Algorithm and is either allowed to pass through or is dropped.
Refer to 10.1.1.3

• Session management path?
• Control plane path?
• Layer 7 inspection?
• Fast path?
Refer to 10.1.1.3

Refer to 10.1.1.4

• Most ASA appliances come pre-installed with either a Base license or a Security Plus license.
• To provide additional features to the ASA, additional time-based or optional licenses can be purchased.
• Combining these additional licenses with the pre-installed licenses creates a permanent license. The permanent license is then activated by installing a permanent activation key using the activation-key command.

• Only one permanent license key can be installed and, once it is installed, it is referred to as the running license.
• To verify the license information on an ASA device, use the show version or the show activation-key command.

Refer to 10.1.1.5

The ASA 5505 Features

• The Cisco ASA 5505 is a full-featured security appliance for small businesses, branch offices, and enterprise teleworker environments.
• It delivers a high-performance firewall, SSL VPN, IPsec VPN, and rich networking services in a modular, plug-and-play appliance.
Refer to 10.1.2.1

Security Level

• Security levels define the level of trustworthiness of an interface. The higher the level, the more trusted the interface. The security level numbers range from 0 (untrustworthy) to 100 (very trustworthy).
• Each operational interface must have a name and a security level from 0 (lowest) to 100 (highest) assigned.
Refer to 10.1.2.2

Security levels help control:
1. Network access
2. Inspe ...
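The following is an added example, not part of the lecture: a small Python audit that reads interface names and security levels from an ASA-style configuration and reports how a new connection between two interfaces is handled when no ACL is applied. The sample configuration is constructed, and the function names are hypothetical. The defaults it encodes (level 100 for an interface named inside and 0 for any other name, higher-to-lower permitted, lower-to-higher denied, same-level denied unless same-security-traffic permit inter-interface is set) are standard ASA behaviour assumed here, not taken from the slides.

```python
import re

# Constructed sample in ASA 5505 style (not taken from the lecture).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan2
 nameif outside
!
interface Vlan3
 nameif dmz
 security-level 50
!
interface Vlan4
 shutdown
"""

def parse_interfaces(config):
    """Return {nameif: security_level} for every named interface stanza."""
    stanzas, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {}
            stanzas.append(current)
        elif current is not None:
            if m := re.match(r"\s+nameif (\S+)", line):
                current["name"] = m.group(1)
            elif m := re.match(r"\s+security-level (\d+)", line):
                current["level"] = int(m.group(1))
    levels = {}
    for s in stanzas:
        if "name" not in s:
            continue  # an interface without a name is not operational
        # Assumed ASA default when no level is configured: inside=100, others=0.
        level = s.get("level", 100 if s["name"] == "inside" else 0)
        if not 0 <= level <= 100:
            raise ValueError(f"{s['name']}: security level {level} outside 0-100")
        levels[s["name"]] = level
    return levels

def default_policy(levels, src, dst, same_security_permit=False):
    """Default handling of a new connection from src to dst with no ACL."""
    s, d = levels[src], levels[dst]
    if s > d:
        return "permit"  # higher to lower is allowed by default
    if s == d:
        return "permit" if same_security_permit else "deny"
    return "deny"        # lower to higher needs an explicit ACL
```
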