Cisco ASA: All-in-one Next-Generation Firewall, IPS, and VPN Services, 3rd Edition

Description

• Copyright 2014
• Dimensions: 7-3/8" x 9-1/8"
• Edition: 3rd

• eBook (Watermarked)
• ISBN-10: 0-13-295440-0
• ISBN-13: 978-0-13-295440-2

Cisco® ASA

All-in-One Next-Generation Firewall, IPS, and VPN Services, Third Edition

Identify, mitigate, and respond to today’s highly-sophisticated network attacks.

Today, network attackers are far more sophisticated, relentless, and dangerous. In response, Cisco ASA: All-in-One Next-Generation Firewall, IPS, and VPN Services has been fully updated to cover the newest techniques and Cisco technologies for maximizing end-to-end security in your environment. Three leading Cisco security experts guide you through every step of creating a complete security plan with Cisco ASA, and then deploying, configuring, operating, and troubleshooting your solution.

Fully updated for today’s newest ASA releases, this edition adds new coverage of ASA 5500-X, ASA 5585-X, ASA Services Module, ASA next-generation firewall services, EtherChannel, Global ACLs, clustering, IPv6 improvements, IKEv2, AnyConnect Secure Mobility VPN clients, and more. The authors explain significant recent licensing changes; introduce enhancements to ASA IPS; and walk you through configuring IPsec, SSL VPN, and NAT/PAT.

You’ll learn how to apply Cisco ASA adaptive identification and mitigation services to systematically strengthen security in network environments of all sizes and types. The authors present up-to-date sample configurations, proven design scenarios, and actual debugs–
all designed to help you make the most of Cisco ASA in your rapidly evolving network.

Jazib Frahim, CCIE® No. 5459 (Routing and Switching; Security), Principal Engineer in the Global Security Solutions team, guides top-tier Cisco customers in security-focused network design and implementation. He architects, develops, and launches new security services concepts. His books include Cisco SSL VPN Solutions and Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting.

Omar Santos, CISSP No. 463598, Cisco Product Security Incident Response Team (PSIRT) technical leader, leads and mentors engineers and incident managers in investigating and resolving vulnerabilities in Cisco products and protecting Cisco customers. Through 18 years in IT and cybersecurity, he has designed, implemented, and supported numerous secure networks for Fortune® 500 companies and the U.S. government. He is also the author of several other books and numerous whitepapers and articles.

Andrew Ossipov, CCIE® No. 18483 and CISSP No. 344324, is a Cisco Technical Marketing Engineer focused on firewalls, intrusion prevention, and data center security. Drawing on more than 16 years in networking, he works to solve complex customer technical problems, architect new features and products, and define future directions for Cisco’s product portfolio. He holds several pending patents.

Understand, install, configure, license, maintain, and troubleshoot the newest ASA devices

Efficiently implement Authentication, Authorization, and Accounting (AAA) services

Control and provision network access with packet filtering, context-aware Cisco ASA next-generation firewall services, and new NAT/PAT concepts

Configure IP routing, application inspection, and QoS

Create firewall contexts with unique configurations, interfaces, policies, routing tables, and administration

Enable integrated protection against many types of malware and advanced persistent threats (APTs) via Cisco Cloud Web Security and Cisco Security Intelligence Operations (SIO)

Implement high availability with failover and elastic scalability with clustering

Deploy, troubleshoot, monitor, tune, and manage Intrusion Prevention System (IPS) features

Implement site-to-site IPsec VPNs and all forms of remote-access VPNs (IPsec, clientless SSL, and client-based SSL)

Configure and troubleshoot Public Key Infrastructure (PKI)

Use IKEv2 to more effectively resist attacks against VPNs

Leverage IPv6 support for IPS, packet inspection, transparent firewalls, and site-to-site IPsec VPNs



Sample Content

Table of Contents

Introduction 

Chapter 1 Introduction to Security Technologies 1

Firewalls 2

    Network Firewalls 2

        Packet-Filtering Techniques 2

        Application Proxies 3

        Network Address Translation 3

        Stateful Inspection Firewalls 6

    Demilitarized Zones (DMZ) 7

    Deep Packet Inspection 8

    Next-Generation Context-Aware Firewalls 8

    Personal Firewalls 9

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) 9

    Pattern Matching and Stateful Pattern-Matching Recognition 11

    Protocol Analysis 12

    Heuristic-Based Analysis 12

    Anomaly-Based Analysis 12

    Global Threat Correlation Capabilities 14

Virtual Private Networks 14

    Technical Overview of IPsec 16

        IKEv1 Phase 1 16

        IKEv1 Phase 2 20

        IKEv2 23

    SSL VPNs 23

Cisco AnyConnect Secure Mobility 25

Cloud and Virtualization Security 26

Chapter 2 Cisco ASA Product and Solution Overview 29

Cisco ASA Model Overview 30

Cisco ASA 5505 Model 31

Cisco ASA 5510 Model 35

Cisco ASA 5512-X Model 38

Cisco ASA 5515-X Model 40

Cisco ASA 5520 Model 41

Cisco ASA 5525-X Model 42

Cisco ASA 5540 Model 43

Cisco ASA 5545-X Model 44

Cisco ASA 5550 Model 45

Cisco ASA 5555-X Model 46

Cisco ASA 5585-X Models 47

Cisco Catalyst 6500 Series ASA Services Module 51

Cisco ASA 1000V Cloud Firewall 52

Cisco ASA Next-Generation Firewall Services (Formerly Cisco ASA CX) 53

Cisco ASA AIP-SSM Module 53

    Cisco ASA AIP-SSM-10 54

    Cisco ASA AIP-SSM-20 54

    Cisco ASA AIP-SSM-40 54

Cisco ASA Gigabit Ethernet Modules 55

    Cisco ASA SSM-4GE 55

    Cisco ASA 5580 Expansion Cards 56

    Cisco ASA 5500-X Series 6-Port GE Interface Cards 57

Chapter 3 Licensing 59

Licensed Features on ASA 59

    Basic Platform Capabilities 61

    Advanced Security Features 63

    Tiered Capacity Features 65

    Displaying License Information 66

Managing Licenses with Activation Keys 68

    Permanent and Time-Based Activation Keys 68

        Combining Keys 69

        Time-Based Key Expiration 70

    Using Activation Keys 71

Combined Licenses in Failover and Clustering 73

    License Aggregation Rules 73

    Aggregated Time-Based License Countdown 75

Shared Premium VPN Licensing 75

    Shared Server and Participants 76

        Shared License 76

        Shared Licensing Operation 76

    Configuring Shared Licensing 78

        Licensing Server 78

        Participants 79

        Backup Licensing Server 79

        Monitoring Shared Licensing Operation 80

Chapter 4 Initial Setup 81

Accessing the Cisco ASA Appliances 81

    Establishing a Console Connection 82

    Command-Line Interface 85

Managing Licenses 87

Initial Setup 90

    Initial Setup via CLI 90

    Initial Setup of ASDM 92

        Uploading ASDM 92

        Setting Up the Appliance 93

        Accessing ASDM 94

        Functional Screens of ASDM 97

Device Setup 100

    Setting Up a Device Name and Passwords 100

    Configuring an Interface 102

        Configuring a Data-Passing Interface 102

        Configuring a Subinterface 106

        Configuring an EtherChannel Interface 109

        Configuring a Management Interface 111

    DHCP Services 112

Setting Up the System Clock 114

    Manual Clock Adjustment 114

        Time Zone 114

        Date 116

        Time 116

    Automatic Clock Adjustment Using the Network Time Protocol 116

Chapter 5 System Maintenance 119

Configuration Management 119

    Running Configuration 119

    Startup Configuration 123

    Removing the Device Configuration 124

Remote System Management 126

    Telnet 126

    Secure Shell (SSH) 129

System Maintenance 132

    Software Installation 132

        Image Upgrade via Cisco ASDM 132

        Image Upgrade via the Cisco ASA CLI 133

        Image Upload Using ROMMON 136

    Password Recovery Process 137

    Disabling the Password Recovery Process 141

System Monitoring 144

    System Logging 144

        Enabling Logging 146

        Defining Event List 147

        Logging Types 149

        Defining a Syslog Server 153

        Defining an Email Server 154

        Storing Logs Internally and Externally 154

        Syslog Message ID Tuning 156

    NetFlow Secure Event Logging (NSEL) 156

        Step 1: Define a NetFlow Collector 157

        Step 2: Define a NetFlow Export Policy 159

    Simple Network Management Protocol (SNMP) 160

        Configuring SNMP 161

        SNMP Monitoring 164

Device Monitoring and Troubleshooting 165

    CPU and Memory Monitoring 165

    Troubleshooting Device Issues 168

        Troubleshooting Packet Issues 168

        Troubleshooting CPU Issues 172

Chapter 6 Cisco ASA Services Module 173

Cisco ASA Services Module Overview 173

    Hardware Architecture 174

    Host Chassis Integration 175

Managing Host Chassis 176

    Assigning VLAN Interfaces 177

    Monitoring Traffic Flow 178

Common Deployment Scenarios 180

    Internal Segment Firewalling 181

    Edge Protection 182

Trusted Flow Bypass with Policy Based Routing 183

    Traffic Flow 185

    Sample PBR Configuration 185

Chapter 7 Authentication, Authorization, and Accounting (AAA) Services 191

AAA Protocols and Services Supported by Cisco ASA 192

    RADIUS 194

    TACACS+ 195

    RSA SecurID 196

    Microsoft Windows NTLM 197

    Active Directory and Kerberos 197

    Lightweight Directory Access Protocol 197

Defining an Authentication Server 198

Configuring Authentication of Administrative Sessions 204

    Authenticating Telnet Connections 204

    Authenticating SSH Connections 206

    Authenticating Serial Console Connections 207

    Authenticating Cisco ASDM Connections 208

Authenticating Firewall Sessions (Cut-Through Proxy Feature) 209

    Authentication Timeouts 214

Customizing Authentication Prompts 214

Configuring Authorization 215

    Command Authorization 217

    Configuring Downloadable ACLs 218

Configuring Accounting 219

    RADIUS Accounting 220

    TACACS+ Accounting 221

Troubleshooting Administrative Connections to Cisco ASA 222

    Troubleshooting Firewall Sessions (Cut-Through Proxy) 225

    ASDM and CLI AAA Test Utility 226

Chapter 8 Controlling Network Access: The Traditional Way 229

Packet Filtering 229

    Types of ACLs 232

        Standard ACLs 233

        Extended ACLs 233

        EtherType ACLs 233

        Webtype ACLs 234

    Comparing ACL Features 234

    Through-the-Box-Traffic Filtering 235

    To-the-Box-Traffic Filtering 240

Advanced ACL Features 243

    Object Grouping 243

        Object Types 243

        Configuration of Object Types 245

        Object Grouping and ACLs 248

    Standard ACLs 250

    Time-Based ACLs 251

    Downloadable ACLs 254

    ICMP Filtering 254

Deployment Scenario for Traffic Filtering 255

    Using ACLs to Filter Inbound Traffic 255

        Configuration Steps with ASDM 257

        Configuration Steps with CLI 259

Monitoring Network Access Control 260

    Monitoring ACLs 260

Chapter 9 Implementing Next-Generation Firewall Services with ASA CX 267

CX Integration Overview 268

    Logical Architecture 269

    Hardware Modules 270

    Software Modules 271

    High Availability 272

ASA CX Architecture 273

    Data Plane 274

    Eventing and Reporting 275

    User Identity 275

    TLS Decryption Proxy 276

    HTTP Inspection Engine 276

    Application Inspection Engine 276

    Management Plane 276

    Control Plane 276

Preparing ASA CX for Configuration 277

Managing ASA CX with PRSM 282

    Using PRSM 283

    Configuring User Accounts 286

    CX Licensing 288

    Component and Software Updates 290

        Signatures and Engines 290

        System Software 291

    Configuration Database Backup 292

Defining CX Policy Elements 293

    Network Groups 295

    Identity Objects 296

    URL Objects 298

    User Agent Objects 299

    Application Objects 299

    Secure Mobility Objects 300

    Interface Roles 301

    Service Objects 302

    Application-Service Objects 303

    Source Object Groups 304

    Destination Object Groups 305

    File Filtering Profiles 306

    Web Reputation Profiles 306

    NG IPS Profiles 307

Enabling User Identity Services 309

    Configuring Directory Servers 310

    Connecting to AD Agent or CDA 312

    Tuning Authentication Settings 313

    Defining User Identity Discovery Policy 314

Enabling TLS Decryption 316

    Configuring Decryption Settings 318

    Defining a Decryption Policy 320

Enabling NG IPS 323

Defining Context-Aware Access Policies 324

Configuring ASA for CX Traffic Redirection 327

Monitoring ASA CX 329

    Dashboard Reports 329

    Connection and System Events 331

    Packet Captures 332

Chapter 10 Network Address Translation 337

Types of Address Translation 338

    Network Address Translation 338

    Port Address Translation 340

Address Translation Methods 341

    Static NAT/PAT 341

    Dynamic NAT/PAT 343

    Policy NAT/PAT 344

    Identity NAT 344

Security Protection Mechanisms Within Address Translation 345

    Randomization of Sequence Numbers 345

    TCP Intercept 346

Understanding Address Translation Behavior 346

    Address Translation Behavior Prior to Version 8.3 346

        Packet Flow Sequence in Pre-8.3 Version 347

        NAT Order of Operation for Pre-8.3 Versions 348

    Redesigning Address Translation (Version 8.3 and Later) 349

        NAT Modes in Version 8.3 and Later 349

        NAT Order of Operation for Version 8.3 and Later 350

Configuring Address Translation 350

    Auto NAT Configuration 351

        Available Auto NAT Settings 351

        Auto NAT Configuration Example 353

    Manual NAT Configuration 356

        Available Manual NAT Settings 356

        Manual NAT Configuration Example 357

    Integrating ACLs and NAT 359

        Pre-8.3 Behavior for NAT and ACL Integration 359

        Behavior of NAT and ACL Integration in Version 8.3 and Later 361

    Configuration Use Cases 362

        Use Case 1: Dynamic PAT for Inside Network with Static NAT for a DMZ Web Server 363

        Use Case 2: Static PAT for a Web Server Located on the DMZ Network 364

        Use Case 3: Static NAT for Overlapping Subnets Using Twice NAT 366

        Use Case 4: Identity NAT for Site-to-Site VPN Tunnel 367

        Use Case 5: Dynamic PAT for Remote-Access VPN Clients 369

DNS Doctoring 372

Monitoring Address Translations 375

Chapter 11 IPv6 Support 379

IP Version 6 Introduction 379

    IPv6 Header 380

    Supported IPv6 Address Types 381

        Global Unicast Address 382

        Site-Local Address 382

        Link-Local Address 382

Configuring IPv6 382

    IP Address Assignment 383

    IPv6 DHCP Relay 384

    Optional IPv6 Parameters 385

        Neighbor Solicitation Messages 385

        Neighbor Reachable Time 385

        Router Advertisement Transmission Interval 385

    Setting Up an IPv6 ACL 386

    IPv6 Address Translation 389

Chapter 12 IP Routing 391

Configuring Static Routes 392

    Static Route Monitoring 395

    Displaying the Routing Table 399

RIP 400

    Configuring RIP 401

    RIP Authentication 403

    RIP Route Filtering 406

    Configuring RIP Redistribution 409

    Troubleshooting RIP 409

        Scenario 1: RIP Version Mismatch 410

        Scenario 2: RIP Authentication Mismatch 411

        Scenario 3: Multicast or Broadcast Packets Blocked 411

OSPF 412

    Configuring OSPF 413

        Enabling OSPF 414

    OSPF Virtual Links 419

    Configuring OSPF Authentication 422

    Configuring OSPF Redistribution 426

    Stub Areas and NSSAs 428

    OSPF Type 3 LSA Filtering 429

    OSPF neighbor Command and Dynamic Routing over a VPN Tunnel 431

    OSPFv3 433

    Troubleshooting OSPF 433

        Useful Troubleshooting Commands 433

        Mismatched Areas 440

        OSPF Authentication Mismatch 440

        Troubleshooting Virtual Link Problems 440

EIGRP 441

    Configuring EIGRP 441

        Enabling EIGRP 441

        Configuring Route Filtering for EIGRP 445

        EIGRP Authentication 447

        Defining Static EIGRP Neighbors 448

        Route Summarization in EIGRP 448

        Split Horizon 450

        Route Redistribution in EIGRP 450

        Controlling Default Information 453

    Troubleshooting EIGRP 454

        Useful Troubleshooting Commands 454

        Scenario 1: Link Failures 458

        Scenario 2: Misconfigured Hello and Hold Intervals 459

        Scenario 3: Misconfigured Authentication Parameters 462

Chapter 13 Application Inspection 465

Enabling Application Inspection 468

Selective Inspection 469

CTIQBE Inspection 473

DCERPC Inspection 476

DNS Inspection 476

ESMTP Inspection 481

File Transfer Protocol 484

General Packet Radio Service Tunneling Protocol 486

    GTPv0 487

    GTPv1 489

    Configuring GTP Inspection 490

H.323 492

    H.323 Protocol Suite 493

    H.323 Version Compatibility 495

    Enabling H.323 Inspection 496

    Direct Call Signaling and Gatekeeper Routed Control Signaling 499

    T.38 499

Cisco Unified Communications Advanced Support 499

    Phone Proxy 500

    TLS Proxy 505

    Mobility Proxy 506

    Presence Federation Proxy 506

HTTP 507

    Enabling HTTP Inspection 507

        strict-http Command 510

        content-length Command 510

        content-type-verification Command 511

        max-header-length Command 511

        max-uri-length Command 512

        port-misuse Command 512

        request-method Command 513

        transfer-encoding type Command 515

ICMP 515

ILS 516

Instant Messenger (IM) 517

IPsec Pass-Through 518

MGCP 519

NetBIOS 521

PPTP 522

Sun RPC 522

RSH 523

RTSP 523

SIP 524

Skinny (SCCP) 525

SNMP 527

SQL*Net 528

TFTP 528

WAAS 528

XDMCP 529

Chapter 14 Virtualization 531

Architectural Overview 533

    System Execution Space 533

    Admin Context 535

    User Context 535

    Packet Classification 538

        Packet Classification Criteria 538

        Destination IP Address 539

        Unique MAC Address 540

    Packet Flow in Multiple Mode 541

        Forwarding Without a Shared Interface 541

        Forwarding with a Shared Interface 542

Configuration of Security Contexts 544

    Step 1: Enable Multiple Security Contexts Globally 544

    Step 2: Set Up the System Execution Space 547

    Step 3: Configure Interfaces 549

    Step 4: Specify a Configuration URL 550

    Step 5: Configure an Admin Context 552

    Step 6: Configure a User Context 553

    Step 7: Manage the Security Contexts (Optional) 554

    Step 8: Resource Management (Optional) 555

        Step 1: Define a Resource Class 556

        Step 2: Map the Resource Class to a Context 558

Deployment Scenarios 559

    Virtual Firewall with Non-Shared Interfaces 559

        Configuration Steps with ASDM 561

        Configuration Steps with CLI 569

    Virtual Firewall with a Shared Interface 572

        Configuration Steps with ASDM 574

        Configuration Steps Using CLI 582

Monitoring and Troubleshooting the Security Contexts 586

    Monitoring 586

    Troubleshooting 588

        Security Contexts Are Not Added 588

        Security Contexts Are Not Saved on the Local Disk 588

        Security Contexts Are Not Saved on the FTP Server 589

        User Having Connectivity Issues When Shared Security Contexts Are Used 590

Chapter 15 Transparent Firewalls 591

Architectural Overview 594

    Single-Mode Transparent Firewalls 594

        Packet Flow in an SMTF 595

    Multimode Transparent Firewalls 597

        Packet Flow in an MMTF 597

Restrictions When Using Transparent Firewalls 599

    Transparent Firewalls and VPNs 599

    Transparent Firewalls and NAT 600

Configuration of Transparent Firewalls 602

    Configuration Guidelines 602

    Configuration Steps 603

        Step 1: Enable Transparent Firewalls 603

        Step 2: Set Up Interfaces 604

        Step 3: Configure an IP Address 605

        Step 4: Set Up Routes 606

        Step 5: Configure Interface ACLs 608

        Step 6: Configure NAT (Optional) 611

        Step 7: Add Static L2F Table Entries (Optional) 612

        Step 8: Enable ARP Inspection (Optional) 613

        Step 9: Modify L2F Table Parameters (Optional) 615

Deployment Scenarios 616

    SMTF Deployment 617

        Configuration Steps Using ASDM 618

        Configuration Steps Using CLI 622

    MMTF Deployment with Security Contexts 623

        Configuration Steps Using ASDM 625

        Configuration Steps Using CLI 632

Monitoring and Troubleshooting Transparent Firewalls 636

    Monitoring 636

    Troubleshooting 637

Hosts Are Not Able to Communicate 637

Moved Host Is Not Able to Communicate 639

General Syslogging 640

Chapter 16 High Availability 641

Redundant Interfaces 642

    Using Redundant Interfaces 642

    Deployment Scenarios 643

    Configuration and Monitoring 644

Static Route Tracking 646

    Configuring Static Routes with an SLA Monitor 647

    Floating Connection Timeout 649

    Sample Backup ISP Deployment 649

Failover 652

    Unit Roles and Functions in Failover 652

    Stateful Failover 653

    Active/Standby and Active/Active Failover 654

    Failover Hardware and Software Requirements 656

        Zero Downtime Upgrade in Failover 657

        Failover Licensing 658

    Failover Interfaces 658

        Stateful Link 659

        Failover Link Security 659

        Data Interface Addressing 660

        Asymmetric Routing Groups 662

    Failover Health Monitoring 664

    State and Role Transition 666

    Configuring Failover 667

        Basic Failover Settings 668

        Data Interface Configuration 671

        Failover Policies and Timers 673

        Active/Active Failover 674

    Monitoring and Troubleshooting Failover 678

    Active/Standby Failover Deployment Scenario 680

Clustering 685

    Unit Roles and Functions in Clustering 685

        Master and Slave Units 685

        Flow Owner 686

        Flow Director 686

        Flow Forwarder 687

    Clustering Hardware and Software Requirements 687

        Zero Downtime Upgrade in Clustering 688

        Unsupported Features 689

        Cluster Licensing 690

    Control and Data Interfaces 690

        Spanned EtherChannel Mode 693

        Individual Mode 695

        Cluster Management 697

    Cluster Health Monitoring 697

    Network Address Translation 698

    Performance 700

        Centralized Features 701

        Scaling Factors 701

    Packet Flow 702

        TCP Connection Processing 702

        UDP Connection Processing 703

        Centralized Connection Processing 705

    State Transition 705

    Configuring Clustering 706

        Setting Interface Mode 707

        Management Access for ASDM Deployment 708

        Building a Cluster 710

        Data Interface Configuration 714

    Monitoring and Troubleshooting Clustering 717

    Spanned EtherChannel Cluster Deployment Scenario 720

Chapter 17 Implementing Cisco ASA Intrusion Prevention System (IPS) 733

IPS Integration Overview 733

    IPS Logical Architecture 735

    IPS Hardware Modules 735

    IPS Software Modules 736

    Inline and Promiscuous Modes 737

    IPS High Availability 739

Cisco IPS Software Architecture 739

    MainApp 741

        AuthenticationApp 741

        Attack Response Controller 742

        cipsWebserver 742

        Logger 742

        CtlTransSource 743

        NotificationApp 743

    SensorApp 743

    CollaborationApp 744

    EventStore 744

Preparing ASA IPS for Configuration 744

    Installing CIPS System Software 744

    Accessing CIPS from the ASA CLI 747

    Configuring Basic Management Settings 748

    Setting Up ASDM for IPS Management 752

    Installing the CIPS License Key 752

<



Updates

Errata

We've made every effort to ensure the accuracy of this book and its companion content. Any errors that have been confirmed since this book was published can be downloaded below.

Download the errata from the main title

Submit Errata

