642-523 - Securing Networks with PIX and Adaptive Security Appliance (SNPA)
Total Page:16
File Type:pdf, Size:1020Kb
642-523 - Securing Networks with PIX and Adaptive Security Appliance (SNPA)
Course Introduction 4m
Chapter 1 - The Cisco Security Appliance 26m The Cisco Security Appliance What is a Firewall? Firewall Technologies Packet Filtering Proxy Server Stateful Packet Filtering Security Appliances: What Are They? Proprietary Operating System Stateful Packet Inspection Cut-Through Proxy Operation Application-Aware Inspection Modular Policy Virtual Private Network Security Context (Virtual Firewall) Failover Capabilities: Active/Standby, Active/Active, and Stateful Failover Transparent Firewall Web-Based Management Solutions Chapter 1 Review
Chapter 2 - Cisco PIX Security Appliance and ASA Adaptive Security Appliance Families 21m Cisco PIX Security Appliance and ASA Adaptive Security Appliance Families PIX Firewall Security Appliance Family ASA Adaptive Security Appliance Family Cisco ASA 5510 Adaptive Security Appliance Cisco ASA 5520 Adaptive Security Appliance Cisco ASA 5540 Adaptive Security Appliance ASA 5500 Series: Front and Back Panels ASA 5500 Series: Connectors Security Services Module PIX Firewall Security Appliance Licensing PIX License Types VPN Encryption License PIX Firewall Security Context Licenses PIX 515E, 525, and 535 Licensing ASA Adaptive Security Appliance Licensing ASA Security Context Licenses ASA 5510, 5520, and 5540 Licensing Cisco Firewall Services Module FWSM FWSM in Catalyst 6500 Switch and Cisco 7600 Internet Router Chapter 2 Review
Chapter 3 - Getting Started with Cisco Security Appliances 2h 3m Getting Started with Cisco Security Appliances User Interface Security Appliance Access Modes Access Privilege Mode Access Configuration Mode: Configure Terminal Command Help Command File Management Viewing and Saving Your Configuration Clearing Running Configuration Clearing Startup Configuration Reload the Configuration: reload Command File System Displaying Stored Files: System and Configuration Selecting Boot System File Verifying the Startup System Image Security Appliance Security Levels Functions of the Security Appliance: Security Algorithm Security Level Example Basic Security Appliance Configuration Hostname and CLI Prompt Configuration Basic CLI Commands interface Configuration Naming the Interface Assign Interface IP Address DHCP-Assigned Address Assign a Security Level Speed and Duplex Commands ASA Management Interface NAT Enable NAT Control nat Command global Command Demo - Basic CLI Commands Configuring a Static Route Static Host Command Configuration Example Examining Security Appliance Status show Commands show memory Command show cpu usage Command show version Command show ip address Command show interface Command show nameif Command show run nat Command show run global Command show xlate Command ping Command show route Command Setting Time and Using NTP Support clock Command Setting DST ntp Command Syslog Configuration Using a Syslog Server Logging Options Logging Levels Configure Message Output to a Syslog Server Syslog Output Example Customize Syslog Output show logging Command Demo - More Commands Chapter 3 Review
Chapter 4 - Translations and Connections 1h 38m Translations and Connections Transport Protocols Sessions in an IP World TCP TCP from Inside to Outside UDP Network Address Translation Addressing Scenarios Access Through the Security Appliance Inside Address Translation Dynamic Inside NAT Two Interfaces with NAT Three Interfaces with NAT Port Address Translation PAT Example PAT Using Egress Address Mapping Subnets to PAT Addresses Backing Up PAT Addresses by Using Multiple PATs Augmenting a Global Pool with PAT Identity NAT Identity NAT: nat 0 Command Demo - Dynamic NAT Static Command Global NAT and Static NAT static Command: Parameters static Command: Web Server static Command: FTP Server Net Static Static PAT: Port Redirection static pat Command TCP Intercept and Connection Limits Connection Limits TCP Three-Way Handshake TCP Intercept SYN Cookies Embryonic Connection Limit UDP Maximum Connection Limit Connections and Translations Connections Versus Translations show conn Command show conn detail Command show local-host Command show xlate Command show xlate detail Command Security Appliance NAT Philosophy Matching Outbound Packet Addresses Configuring Multiple Interfaces Additional Interface Support Configuring Three Interfaces Configuring Four Interfaces Demo - Static NAT Chapter 4 Review
Chapter 5 - ACLs and Content Filtering 1h 7m ACLs and Content Filtering ACLs Security Levels Revisited ACL Configuration ACL Usage Guidelines Inbound Traffic to DMZ Web Server Create a Static Translation for Web Server access-list Command access-group Command show access-list Command clear access-list counters Command Time Range Configuration Time-Range Submode Time-based ACL Time-based ACL Example ACL Logging access-list deny-flow-max & alert-interval Commands ACL Line Number and Comments Inbound HTTP Access Solution Inbound HTTPS Access Solution icmp Command nat 0 Plus acl Command Policy NAT: nat Plus acl Command Other Commands Plus acl Malicious Active Code Filtering Java Applet Filtering ActiveX Blocking ActiveX filter Command URL Filtering HTTP URL Filtering Designate the URL-filtering Server Enable HTTP URL Filtering HTTPS and FTP Filtering URL-filtering Configuration Example Demo - ACL Configuration About the CSC SSM Deploying the Security Appliance with CSC SSM CSC SSM Traffic Flow CSC SSM Deployment Scenario Chapter 5 Review
Chapter 6 - Object Grouping 30m Object Grouping Overview of Object Grouping Using Object Groups in ACLs Grouping Objects Grouping Objects of Similar Types Getting Started with Object Groups Configuring and Using Object Groups Configuring Network Object Groups Configuring Service Object Groups Adding Object Groups to an ACL Configuring ICMP-Type Object Groups Nested Object Groups Configuring Nested Object Groups Nested Object Group Example group-object Command Example Object Group Services Example Apply Nested Object Group to ACL Multiple Object Groups in ACLs Displaying Configured Object Groups Removing Configured Object Groups Demo - Object Groups Chapter 6 Review
Chapter 7 - Authentication, Authorization, and Accounting 1h 17m Authentication, Authorization, and Accounting Introduction Types of Authentication Types of Authorization Types of Accounting Installation of Cisco Secure ACS for Windows 2000 Installation Wizard ACS Network Configuration Security Appliance Access Authentication Configuration Methods of Device Access Configuring Authentication Specify an AAA Server Group AAA Server Group Subcommand Designate an Authentication Server Authentication of Console Access How to Add Users to Cisco Secure ACS How to Add Users to the LOCAL Database Maximum Failed Attempts Show Local Users How to Change the Authentication Prompts How to Change the Authentication Timeouts Cut-Through Proxy Authentication Configuration Cut-Through Proxy Operation Configuring Cut-Through Authentication Enable authentication match aaa authentication match Enable authentication include | exclude Show Authentication show aaa-server Command: TACACS+ Server Authentication of Non-Telnet, -FTP, -HTTP, or -HTTPS Traffic Virtual Telnet Virtual HTTP Configuration of Virtual HTTP Authentication Tunnel Access Authentication Configuration Tunnel User Authentication VPN Tunnel Group Policy Authorization Configuration Security Appliance User Authorization TACACS+ Authorization Configuration Enable authorization match Enable authorization include | exclude Authorization Rules Allowing Specific Services Allowing Specific Services to Specific Hosts Authorization of Non-Telnet, -FTP, -HTTP, or -HTTPS Traffic Downloadable ACLs Downloadable ACL Authorization Downloadable ACLs (Cont.) Configuring Downloadable ACLs Assigning the ACL to the User or Group Show Downloaded ACLs Show Authentication (Cont.) RADIUS Per-User Override Example: Per-User Override Accounting Configuration AAA Enable accounting match Enable accounting include | exclude How to View Accounting Information Accounting of Non-Telnet, -FTP, or -HTTP Traffic Admin Accounting Viewing RADIUS Admin Access Accounting Information Command Accounting Viewing TACACS+ Admin Command Accounting Demo - ACS Server Chapter 7 Review
Chapter 8 - Switching and Routing 47m Switching and Routing VLANs Creating Logical and Physical Interfaces Assigning VLAN Names and Security Levels Assigning VLAN IP Addresses VLAN Configuration Maximum Number of Interfaces Static and Dynamic Routing Static Routes Dynamic RIP Routes OSPF Configuring OSPF Enabling OSPF Routing Defining OSPF Networks Two OSPF Processes Configuring Two OSPF Areas Multicasting IP Multicasting Configuring Outside Interface Configuring Inside Interface Inside Receiving Hosts Configuring Other IGMP Options PIM Sparse Mode Overview Configuring PIM Viewing SMR Configuration Debugging SMR Configuration Demo - SubInt Commands/OSPF Chapter 8 Review
Chapter 9 - Modular Policy Framework 48m Modular Policy Framework Modular Policy Framework Overview Modular Policy Configuring a Class Map Assigning a Class Map Name Defining a Class of Traffic Defining Class Match Criteria show run class-map Command Configuring a Policy Map Policy Map Overview Assigning a Policy Map Name Defining a Policy for the Class Police Policy Overview Example: Police Policy Intrusion Prevention Policy Overview Intrusion Prevention Policy Inspect Policy Overview Priority Policy Overview Example: Priority Policy Set Policy Overview Example: Set Policy show run policy-map Command Configuring a Service Policy Service Policy Overview show run service policy Command Displaying Service Policies Demo - Policy-Based Configurations Chapter 9 Review
Chapter 10 - Advanced Protocol Handling 1h 8m Advanced Protocol Handling Need for Advanced Protocol Handling inspect Command Default Traffic Inspection and Port Numbers Default Protocol Inspection Policy Delete Inspection for a Protocol Add a Protocol Inspection Port Number FTP Application Inspection FTP Inspection Active Mode FTP Inspection Passive Mode FTP Inspection Filtering Commands with FTP Deep Packet Inspection Configuring FTP Deep Packet Inspection request-command deny Command Example: FTP Inspection HTTP Application Inspection HTTP Inspection Enhanced HTTP Inspection HTTP-Map: RFC and Extension Methods HTTP Map Message Content Criteria HTTP Map Application and Encoding Inspection Enhanced HTTP Inspection Configuration Applying HTTP Inspection Protocol Application Inspection Remote Shell SQL*Net ESMTP Inspection DNS Inspection DNS Record Translation ICMP Inspection SNMP Inspection Multimedia Support Why Multimedia Is an Issue Real-Time Streaming Protocol Standard RTP Mode RealNetworks RDP Mode RTSP Inspection H.323 Inspection SIP Inspection SCCP Inspection CTIQBE Inspection MGCP Inspection MGCP Configuration Creating Inspection Policy and Class Maps Creating a Regular Expression MetaCharacters Test and Create a Regular Expression Creating a Regular Expression Class Map Identifying Traffic in an Inspection Class Map Defining Actions in an Inspection Policy Map show run Command show service_policy Command Chapter 10 Review
Chapter 11 - Virtual Private Network Configuration 1h 5m Virtual Private Network Configuration Secure VPNs VPN Overview IPSec Enables Security Appliance VPN Features What Is IPSec? IPSec Standards Supported by Security Appliance How IPSec Works Five Steps of IPSec Step 1: Interesting Traffic Step 2: IKE Phase 1 IKE Phase 1 Policy Sets DH Key Exchange Authenticate Peer Identity Step 3: IKE Phase 2 IPSec Transform Sets Sas SA Lifetime Step 4: IPSec Session Step 5: Tunnel Termination Configure VPN Connection Parameters tunnel-group Command tunnel-group general- attributes Command tunnel-group ipsec-attributes Command IPSec Configuration Tasks Configuring IPSec Encryption Task 1: Prepare to Configure VPN Support Task 1: Prepare for IKE and IPSec Determine IKE Phase 1 Policy Determine IPSec (IKE Phase 2) Policy Task 2: Configure IKE Parameters Task 2: Configure IKE Enable or Disable IKE Configure IKE Phase 1 Policy Configure a Tunnel Group Configure Tunnel Group Attributes Pre-Shared Key Verify IKE Phase 1 Policy Task 3: Configure IPSec Parameters Task 3: Configure IPSec Configure Interesting Traffic Example: Crypto ACLs Configure Interesting Traffic NAT 0 Configure an IPSec Transform Set Available IPSec Transforms Configure the Crypto Map Apply the Crypto Map to an Interface Crypto Map for Security Appliance 1 Crypto Map for Security Appliance 6 Task 4: Test and Verify VPN Configuration Scale Security Appliance VPNs CA Server Fulfilling Requests from IPSec Peers Enroll a Security Appliance with a CA Demo - IPSec Chapter 11 Review
Chapter 12 - Configuring Security Appliance Remote Access Using Cisco Easy VPN 36m Configuring Security Appliance Remote Access Using Cisco Easy VPN Introduction to Cisco Easy VPN Cisco Easy VPN Features of Cisco Easy VPN Server Supported Easy VPN Servers Supported Easy VPN Remote Clients Easy VPN Remote Modes of Operation Easy VPN Remote Client Mode Easy VPN Remote Network Extension Mode Overview of Cisco VPN Client Cisco VPN Software Client for Windows Cisco VPN Client Features and Benefits Cisco VPN Client Specifications How Cisco Easy VPN Works Easy VPN Remote Connection Process Step 1: Cisco VPN Client Initiates IKE Phase 1 Process Step 2: Cisco VPN Client Negotiates an IKE SA Step 3: Easy VPN Server Accepts SA Proposal Step 4: Easy VPN Username/ Password Challenge Step 5: Mode Configuration Process Is Initiated Step 6: IKE Quick Mode Completes Connection Configuring Users and Groups Group Policy Groups and Users group-policy Command group-policy attributes Command Users and User Attributes Configuring the Easy VPN Server for Extended Authentication Easy VPN Server General Configuration Tasks Task 1: Create ISAKMP Policy for Remote VPN Client Access Task 2: Create IP Address Pool Task 3: Define Group Policy for Mode Configuration Push Step 1: Set the Tunnel Group Type Step 2: Configure IKE Pre-Shared Key Step 3: Specify Local IP Address Pool Step 4: Configure the Group Policy Type Step 5: Enter the Group-Policy Attributes Step 6: Specify DNS Servers Step 7: Specify WINS Servers Step 8: Specify DNS Domain Step 9: Specify Idle Timeout Task 4: Create Transform Set Task 5: Create Dynamic Crypto Map Task 6: Assign Dynamic to Static Crypto Map Task 7: Apply Dynamic Crypto Map to Interface Task 8: Configure Xauth Step 1: Enable AAA Login Authentication Step 2: Define AAA Server IP Address and Encryption Key Step 3: Enable IKE Xauth for Tunnel Group Task 9: Configure NAT and NAT 0 Task 10: Enable IKE DPD Easy VPN Server Configuration Summary Configure Security Appliance Hub-and-Spoke VPNs Benefits of Hub-and-Spoke VPNs Limitations of Benefits of Hub-and-Spoke VPNs Configure Hub-and-Spoke VPN Cisco VPN Client Manual Configuration Tasks Task 1: Install Cisco VPN Client Task 2: Create New Connection Entry Task 3: Configure Cisco VPN Client Transport Properties Task 4: Configure Cisco VPN Client Backup Servers Properties Task 5: (Optional) Configure Dialup Properties Working with the Cisco VPN Client Cisco VPN Client Program Menu Virtual Adapter Setting MTU Size Cisco VPN Client Statistics Menu Chapter 12 Review
Chapter 13 - Configuring ASA for WebVPN 42m Configuring ASA for WebVPN WebVPN Feature Overview WebVPN Features WebVPN and IPSec Comparison WebVPN End-User Interface Home Page Website Access and Browsing Files Port Forwarding Configure WebVPN General Parameters Enabling the HTTP Server WebVPN Subcommand Mode Enabling WebVPN Interfaces NBNS Server Configuration Authentication Server Configuration Home Page Look and Feel Configuration Configure WebVPN Servers and URLs Enable WebVPN Protocol for Group Policy Enable URL Entry for WebVPN Users url-list Command Example: Servers and URL Configuration Configure WebVPN Port Forwarding Enable Port Forwarding for WebVPN Users port-forward Command Port Forwarding Configuration Example Configure WebVPN E-Mail Proxy Enable E-mail Proxy for WebVPN Users Defining Proxy Servers Defining E-Mail Server and Authentication Server Defining Authentication Type Example: E-mail Proxy Configuration Configure WebVPN Content Filters and ACLs HTML Content Filtering WebVPN ACLs Demo - Web VPN Chapter 13 Review
Chapter 14 - Configuring Transparent Firewall 26m Configuring Transparent Firewall Transparent Firewall Mode Overview Transparent Versus Routed Firewall Transparent Firewall Benefits Transparent Firewall Guidelines Transparent Firewall Unsupported Features Enabling Transparent Firewall Mode Viewing the Current Firewall Mode Enabling Transparent Firewall Mode Versus Router Mode Assigning the Management IP Address Configure ACLS EtherType ACLS ARP Inspection Monitoring and Maintaining Transparent Firewall Mode MAC Address Table Disabling MAC Address Learning Adding a Static MAC Address Viewing the MAC Address Table Debug Commands Demo - Switch Mode Chapter 14 Review
Chapter 15 - Configuring Security Contexts 20m Configuring Security Contexts Security Context Overview Virtualization Common Uses for Security Contexts Security Appliance with Multiple Contexts Context Configuration Files Packet Classification Enabling Multiple Context Mode Backing Up the Single-Mode Configuration The Admin Context Viewing the Current Context Mode Enabling and Disabling Multiple Context Mode Configuring a Security Context Adding a Context Config Context Submode: Allocating Interfaces Configuration of Contexts Designating the Configuration File Saving Context Configurations Managing Security Contexts Removing a Security Context Changing the Admin Context Changing Between Contexts Viewing Context Information Chapter 15 Review
Chapter 16 – Failover 41m Failover Understanding Failover Hardware and Stateful Failover Hardware Failover: Active/Standby Hardware Failover: Active/Active Failover Requirements Failover Interface Test Types of Failover Links Serial Cable-Based Failover Configuration Serial Cable: Active/Standby Failover Configuring Failover with a Failover Serial Cable Step 1: Cable the Secondary Security Appliance Step 2: Connecting the Failover Cable Step 3: Configuring the Primary Security Appliance show failover Command Configuration Replication Step 4: Powering on the Secondary Firewall show failover Command (Cont.) Force Control Back Active/Standby LAN-Based Failover Configuration LAN-Based Failover Overview LAN-Based Failover Configuration Overview Cabling LAN Failover Configuring Primary and Standby IP Addresses Configuring LAN Failover: Primary Stateful Failover show failover Command with LAN-Based Failover Configuring LAN Failover: Secondary Replication to Secondary show failover Command with LAN-Based Failover (Cont.) failover mac address Command Active/Active Failover Configuration Active/Active Failover Configure Failover Link Failover Group Allocate Interfaces and Assign a Failover Group Context: Configure Interfaces Show Failover: Part 1 Show Failover: Part 2 Show Failover: Part 3 Show Failover Group Switch a Failover State Chapter 16 Review
Chapter 17 - Cisco Security Appliance Device Manager 1h 1m Cisco Security Appliance Device Manager ASDM Overview and Operating Requirements What Is ASDM? ASDM Features ASDM Security Appliance Requirements ASDM Browser Requirements Supported Platforms Running ASDM Preparing for ASDM Configure the Security Appliance to Use ASDM Setup Dialog Navigating ASDM Configuration Windows ASDM Home Window Startup Wizard VPN Wizard Configuration Window Interfaces Security Policy NAT VPN VPN Policy Configuration Routing Building Blocks Device Administration Properties Monitoring Button Interface Graphs Panel Search Options > Preferences Tools Help Online Help Navigating ASDM Multimode Windows Multimode Home Page System Configuration System Monitoring Context Configuration Context Monitoring Demo - ASDM Configuration Requirements Configuring the CSC SSM for Content Security Obtain Software Activation Key from Cisco.com Gather Information Starting ASDM The Main ASDM Window Verify Time Settings Run the CSC Setup Wizard Chapter 17 Review
Chapter 18 - Managing Security Appliance 44m Managing Security Appliance Managing System Access Configuring Telnet Access to the Console Viewing and Disabling Telnet SSH Connections to the Security Appliance Configuring SSH Access to the Console Connecting to the with an SSH Client Viewing, Disabling, and Debugging SSH Managing User Access Levels Command Authorization Overview Enable-Level Command Authorization Create and Password-Protect Your Privilege Levels Enable and Privilege Authorization Command Authorization Using the Local Users Creating User Accounts in the Local Database Configuring Authentication with the Local Database Command Authorization Using ACS aaa authorization Command with ACS Viewing Your Command Authorization Configuration Lockout Password Recovery PIX Password Recovery ASA Managing Software, Licenses, and Configurations Viewing Directory Contents Viewing File Contents Directory Management Copying Files Installing Application or ASDM Software Example Downloading and Backing Up Configuration Files Example Image Upgrade and Activation Keys Viewing Version Information Image Upgrade Entering a New Activation Key Upgrading the Image and the Activation Key Troubleshooting the Activation Key Upgrade Demo - Administrative Access Chapter 18 Review Course Closure
Total Duration: 15 hrs 46 min