Chapter 1 - The Cisco Security Appliance
What is a Firewall?
Firewall Technologies
Packet Filtering
Proxy Server
Stateful Packet Filtering
Security Appliances: What Are They?
Proprietary Operating System
Stateful Packet Inspection
Cut-Through Proxy Operation
Application-Aware Inspection
Modular Policy
Virtual Private Network
Security Context (Virtual Firewall)
Failover Capabilities: Active/Standby, Active/Active, and Stateful Failover
Transparent Firewall
Web-Based Management Solutions
Chapter 1 Review
Chapter 2 - Cisco PIX Security Appliance and ASA Adaptive Security Appliance Families
PIX Firewall Security Appliance Family
ASA Adaptive Security Appliance Family
Cisco ASA 5510 Adaptive Security Appliance
Cisco ASA 5520 Adaptive Security Appliance
Cisco ASA 5540 Adaptive Security Appliance
ASA 5500 Series: Front and Back Panels
ASA 5500 Series: Connectors
Security Services Module
PIX Firewall Security Appliance Licensing
PIX License Types
VPN Encryption License
PIX Firewall Security Context Licenses
PIX 515E, 525, and 535 Licensing
ASA Adaptive Security Appliance Licensing
ASA Security Context Licenses
ASA 5510, 5520, and 5540 Licensing
Cisco Firewall Services Module
FWSM
FWSM in Catalyst 6500
Switch and Cisco 7600 Internet Router
Chapter 2 Review
Chapter 3 - Getting Started with Cisco Security Appliances
User Interface
Security Appliance Access Modes
Access Privilege Mode
Access Configuration Mode: Configure Terminal Command
Help Command
File Management
Viewing and Saving Your Configuration
Clearing Running Configuration
Clearing Startup Configuration
Reload the Configuration: reload Command
File System
Displaying Stored Files: System and Configuration
Selecting Boot System File
Verifying the Startup System Image
Security Appliance Security Levels
Functions of the Security Appliance: Security Algorithm
Security Level Example
Basic Security Appliance Configuration
Hostname and CLI Prompt Configuration
Basic CLI Commands
interface Configuration
Naming the Interface
Assign Interface IP Address
DHCP-Assigned Address
Assign a Security Level
Speed and Duplex Commands
ASA Management Interface
NAT
Enable NAT Control
nat Command
global Command
Demo - Basic CLI Commands
Configuring a Static Route
Static Host Command
Configuration Example
Examining Security Appliance Status
show Commands
show memory Command
show cpu usage Command
show version Command
show ip address Command
show interface Command
show nameif Command
show run nat Command
show run global Command
show xlate Command
ping Command
show route Command
Setting Time and Using NTP Support
clock Command
Setting DST
ntp Command
Syslog Configuration
Using a Syslog Server
Logging Options
Logging Levels
Configure Message Output to a Syslog Server
Syslog Output Example
Customize Syslog Output
show logging Command
Demo - More Commands
Chapter 3 Review
Chapter 4 - Translations and Connections
Transport Protocols
Sessions in an IP World
TCP
TCP from Inside to Outside
UDP
Network Address Translation
Addressing Scenarios
Access Through the Security Appliance
Inside Address Translation
Dynamic Inside NAT
Two Interfaces with NAT
Three Interfaces with NAT
Port Address Translation
PAT Example
PAT Using Egress Address
Mapping Subnets to PAT Addresses
Backing Up PAT Addresses by Using Multiple PATs
Augmenting a Global Pool with PAT
Identity NAT
Identity NAT: nat 0 Command
Demo - Dynamic NAT
Static Command
Global NAT and Static NAT
static Command: Parameters
static Command: Web Server
static Command: FTP Server
Net Static
Static PAT: Port Redirection
static pat Command
TCP Intercept and Connection Limits
Connection Limits
TCP Three-Way Handshake
TCP Intercept
SYN Cookies
Embryonic Connection Limit
UDP Maximum Connection Limit
Connections and Translations
Connections Versus Translations
show conn Command
show conn detail Command
show local-host Command
show xlate Command
show xlate detail Command
Security Appliance NAT Philosophy
Matching Outbound Packet Addresses
Configuring Multiple Interfaces
Additional Interface Support
Configuring Three Interfaces
Configuring Four Interfaces
Demo - Static NAT
Chapter 4 Review
Chapter 5 - ACLs and Content Filtering
ACLs
Security Levels Revisited
ACL Configuration
ACL Usage Guidelines
Inbound Traffic to DMZ Web Server
Create a Static Translation for Web Server
access-list Command
access-group Command
show access-list Command
clear access-list counters Command
Time Range Configuration
Time-Range Submode
Time-based ACL
Time-based ACL Example
ACL Logging
access-list deny-flow-max & alert-interval Commands
ACL Line Number and Comments
Inbound HTTP Access Solution
Inbound HTTPS Access Solution
icmp Command
nat 0 Plus acl Command
Policy NAT: nat Plus acl Command
Other Commands Plus acl
Malicious Active Code Filtering
Java Applet Filtering
ActiveX Blocking
ActiveX filter Command
URL Filtering
HTTP URL Filtering
Designate the URL-filtering Server
Enable HTTP URL Filtering
HTTPS and FTP Filtering
URL-filtering Configuration Example
Demo - ACL Configuration
About the CSC SSM
Deploying the Security Appliance with CSC SSM
CSC SSM Traffic Flow
CSC SSM Deployment Scenario
Chapter 5 Review
Chapter 6 - Object Grouping
Overview of Object Grouping
Using Object Groups in ACLs
Grouping Objects
Grouping Objects of Similar Types
Getting Started with Object Groups
Configuring and Using Object Groups
Configuring Network Object Groups
Configuring Service Object Groups
Adding Object Groups to an ACL
Configuring ICMP-Type Object Groups
Nested Object Groups
Configuring Nested Object Groups
Nested Object Group Example
group-object Command Example
Object Group Services Example
Apply Nested Object Group to ACL
Multiple Object Groups in ACLs
Displaying Configured Object Groups
Removing Configured Object Groups
Demo - Object Groups
Chapter 6 Review
Chapter 7 - Authentication, Authorization, and Accounting
Introduction
Types of Authentication
Types of Authorization
Types of Accounting
Installation of Cisco Secure ACS for Windows 2000
Installation Wizard
ACS Network Configuration
Security Appliance Access Authentication Configuration
Methods of Device Access
Configuring Authentication
Specify an AAA Server Group
AAA Server Group Subcommand
Designate an Authentication Server
Authentication of Console Access
How to Add Users to Cisco Secure ACS
How to Add Users to the LOCAL Database
Maximum Failed Attempts
Show Local Users
How to Change the Authentication Prompts
How to Change the Authentication Timeouts
Cut-Through Proxy Authentication Configuration
Cut-Through Proxy Operation
Configuring Cut-Through Authentication
Enable authentication match
aaa authentication match
Enable authentication include | exclude
Show Authentication
show aaa-server Command: TACACS+ Server
Authentication of Non-Telnet, -FTP, -HTTP, or -HTTPS Traffic
Virtual Telnet
Virtual HTTP
Configuration of Virtual HTTP Authentication
Tunnel Access Authentication Configuration
Tunnel User Authentication
VPN Tunnel Group Policy
Authorization Configuration
Security Appliance User Authorization
TACACS+ Authorization Configuration
Enable authorization match
Enable authorization include | exclude
Authorization Rules Allowing Specific Services
Allowing Specific Services to Specific Hosts
Authorization of Non-Telnet, -FTP, -HTTP, or -HTTPS Traffic
Downloadable ACLs
Downloadable ACL Authorization
Downloadable ACLs (Cont.)
Configuring Downloadable ACLs
Assigning the ACL to the User or Group
Show Downloaded ACLs
Show Authentication (Cont.)
RADIUS
Per-User Override
Example: Per-User Override
Accounting Configuration
AAA
Enable accounting match
Enable accounting include | exclude
How to View Accounting Information
Accounting of Non-Telnet, -FTP, or -HTTP Traffic
Admin Accounting
Viewing RADIUS Admin Access Accounting Information
Command Accounting
Viewing TACACS+ Admin Command Accounting
Demo - ACS Server
Chapter 7 Review
Chapter 8 - Switching and Routing
VLANs
Creating Logical and Physical Interfaces
Assigning VLAN Names and Security Levels
Assigning VLAN IP Addresses
VLAN Configuration
Maximum Number of Interfaces
Static and Dynamic Routing
Static Routes
Dynamic RIP Routes
OSPF
Configuring OSPF
Enabling OSPF Routing
Defining OSPF Networks
Two OSPF Processes
Configuring Two OSPF Areas
Multicasting