© 2005 Cisco Systems, Inc. All rights reserved.
Network Security 1
Module 3 – Security Devices
Learning Objectives
3.1 Device Options
3.2 Using Security Device Manager
3.3 Introduction to the Cisco Security Appliance Family
3.4 Getting Started with the PIX Security Appliance
3.5 PIX Security Appliance Translations and Connections
3.6 Manage a PIX Security Appliance with Adaptive Security Device Manager
3.7 PIX Security Appliance Routing Capabilities
3.8 Firewall Services Module Operation
Module 3 – Security Devices
3.1 Device Options
Sample Firewall Topology
IOS Firewall
Security offerings (figure; labels recovered from the diagram):
• Network integrated solutions: VPN, Firewall, Intrusion Protection, V3PN
• VPN and firewall features: IPsec, CBAC stateful inspection, IDS, SSH, SSL, ACL, AAA, NAT, L2TP/EAP, MSCHAPv2, PKI, 802.1X
• IP services: BGP, GRE, multicast, application-aware QoS, DHCP/DNS, MPLS, VoIP, EIGRP, OSPF, multiprotocol, HTTPS, secure ARP, uRPF (Unicast Reverse Path Forwarding)
• Secure operating system foundation: authentication per user via AAA, command authorization via AAA, device access by privilege level, activity logging, NetFlow, IP Comp, SNMPv3
PIX Security Appliance Lineup
Figure: models positioned by connectivity and performance (up to Gigabit Ethernet) across the SOHO, SMB, Enterprise/ROBO and Service Provider segments; in increasing performance: PIX 501, PIX 506E, PIX 515E, PIX 525, PIX 535.
Common features: stateful inspection firewall, appliance with hardened OS, IPsec VPN, integrated intrusion detection, hot standby and stateful failover, Easy VPN client/server, VoIP support.
Adaptive Security Appliance Lineup
Catalyst Switch Integration
Figure: appliance capabilities (firewall, IDS, virtual private network) integrated into the Cisco infrastructure through Security Services Modules (VPN, SSL, NAM, IDS, Firewall).
Module 3 – Security Devices
3.2 Using Security Device Manager
Security Device Manager (SDM)
Obtaining SDM
• SDM is factory loaded on supported routers manufactured as of June 2003.
• Always check www.cisco.com/go/sdm for the latest information regarding SDM support.
• SDM cannot be ordered independent of the router.
Initial Configuration
RouterP(config)# ip http server
RouterP(config)# ip http secure-server
RouterP(config)# ip http authentication local
RouterP(config)# username sdm privilege 15 password sdm
RouterP(config)# line vty 0 4
RouterP(config-line)# privilege level 15
RouterP(config-line)# login local
RouterP(config-line)# transport input telnet ssh
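The initial configuration above enables plain HTTP alongside HTTPS, accepts Telnet on the vty lines, and stores the sdm account with a reversible `password`. As an added example (not part of the course material), a small Python check that reads an IOS running-config and reports those management-plane settings; the sample config is the one shown above, reproduced as a constructed string with the prompts stripped.

```python
import re

# Constructed sample: the SDM initial configuration from the slide above,
# as it would appear in the running-config (prompts stripped).
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
ip http authentication local
username sdm privilege 15 password sdm
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
"""


def lint_management_config(config: str) -> list:
    """Return hardening findings for the settings the slide's config touches:
    the HTTP servers, the local user account, and the vty transport."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    if "ip http server" in lines:
        findings.append("plain HTTP server enabled; keep only 'ip http secure-server'")

    for ln in lines:
        # 'password' is stored reversibly (type 7 at best); 'secret' is hashed
        m = re.match(r"username (\S+) (?:privilege (\d+) )?password ", ln)
        if m:
            user = m.group(1)
            findings.append(f"user '{user}' uses reversible 'password'; use 'secret'")
            if user == "sdm" and ln.endswith(" password sdm"):
                findings.append("user 'sdm' has a well-known default password")
            if m.group(2) == "15":
                findings.append(f"user '{user}' is privilege 15 (full access)")
        # Telnet carries the login in cleartext; SSH should be the only transport
        m = re.match(r"transport input (.+)", ln)
        if m and "telnet" in m.group(1).split():
            findings.append("vty accepts telnet; restrict to 'transport input ssh'")
    return findings
```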
Startup Wizard: Welcome Window
SDM Main Window Layout and Navigation
Figure labels: menu bar, toolbar, Router Information, Configuration Overview.
SDM Wizard Options
• LAN Configuration: Configure LAN interfaces and DHCP.
• WAN Configuration: Configure PPP, Frame Relay, and HDLC WAN interfaces.
• Firewall: Access two types of firewall wizards:
– Simple inside/outside.
– Advanced inside/outside/DMZ with multiple interfaces.
• VPN: Access three types of VPN wizards:
– Secure site-to-site VPN
– Easy VPN
– GRE tunnel with IPSec VPN
• Security Audit: Performs a router security audit and provides a button for router lockdown.
• IPS
• QoS
• Routing
WAN Wizard: Create a New WAN Connection
Reset to Factory Default Wizard
Monitor Mode
Figure labels: Overview, Interface Stats, Firewall Stats, VPN Stats.
Monitor Interface Status
Monitor Firewall Status
Monitor VPN Status
Monitor Logging
Module 3 – Security Devices
3.3 Introduction to the Cisco Security Appliance Family
PIX Security Appliance Family
PIX Security Appliance 501 Front Panel LEDs
VPN tunnel
Power
100 Mbps
Link/Act
PIX Security Appliance 501 Back Panel
Security lock slot
Power connector
10BaseT (RJ-45)
Console port (RJ-45)
4-port 10/100 switch (RJ-45)
PIX Security Appliance 506E Front Panel LEDs
Network LED
Power LED
Active LED
PIX Security Appliance 506E Back Panel
Figure labels: console port (RJ-45), power switch, USB port, two 10BaseT (RJ-45) ports, each with a LINK LED and an ACT(ivity) LED.
PIX Security Appliance 515E Front Panel LEDs
Network LED
Power LED
Active failover firewall
PIX Security Appliance 515E Back Panel
Figure labels: failover connector, console port (RJ-45), power switch, 10/100BaseTX Ethernet 0 (RJ-45) and 10/100BaseTX Ethernet 1 (RJ-45), each with a LINK LED, an FDX LED and a 100 Mbps LED.
PIX Security Appliance 515E Quad Card
Using the quad card requires the PIX Security Appliance 515E-UR license.
PIX Security Appliance 515E Two Single-Port Connectors
Using two single-port connectors requires the PIX Security Appliance 515E-UR license.
PIX Security Appliance 525 Front Panel LEDs
Power LED
Active LED
PIX Security Appliance 525 Back Panel
Figure labels: failover connection, USB port, console port (RJ-45), 10/100BaseTX Ethernet 0 (RJ-45) and 10/100BaseTX Ethernet 1 (RJ-45), each with a 100 Mbps LED, an ACT(ivity) LED and a LINK LED.
PIX Security Appliance 535 Front Panel LEDs
Power LED, ACT LED
PIX Security Appliance 535 Board Install
Figure labels: Bus 0 (64-bit/66 MHz), Bus 1 (64-bit/66 MHz), Bus 2 (32-bit/33 MHz); cards: 1FE, 4FE, VAC, 1GE-66; DB-15 failover, console RJ-45, USB port; slots 0 through 8.
PIX Security Appliance 535 Back Panel
Figure labels: DB-15 failover, console RJ-45, USB port, slots 0 through 8.
ASA5510 Adaptive Security Appliance
• Up to five 10/100 Fast Ethernet interfaces
• Optional Security Services Module (SSM) slot which provides inline IPS.
• Throughput of 100 Mbps with the ability to handle up to 64,000 concurrent connections.
• Supports active/standby failover.
• Can deliver 150 Mbps IPS throughput when an AIP SSM model 10 is added to the appliance.
ASA5520 Adaptive Security Appliance
• Four 10/100/1000 Gigabit Ethernet interfaces
• Supports an SSM slot which provides inline IPS.
• Throughput of 200 Mbps with the ability to handle up to 130,000 concurrent connections.
• Supports active/standby and active/active failover.
• Can deliver 375 Mbps IPS throughput when an AIP SSM model 20 is added to the appliance.
ASA5540 Adaptive Security Appliance
• Four 10/100/1000 Gigabit Ethernet interfaces
• One 10/100 Fast Ethernet management interface
• Optional Security Services Module slot which provides inline IPS.
• Throughput of 400 Mbps with the ability to handle up to 280,000 concurrent connections.
• Can deliver 450 Mbps IPS throughput when an AIP SSM model 20 is added to the appliance.
Module 3 – Security Devices
3.4 Getting Started with the PIX Security Appliance
User Interface
• Unprivileged mode – This mode is available when the PIX is first accessed. The > prompt is displayed. This mode provides a restricted, limited view of PIX settings.
• Privileged mode – This mode displays the # prompt and enables users to change the current settings. Any unprivileged command also works in privileged mode.
• Configuration mode – This mode displays the (config)# prompt and enables users to change system configurations. All privileged, unprivileged, and configuration commands work in this mode.
• Monitor mode – This is a special mode that enables users to update the image over the network or to perform password recovery. While in the monitor mode, users can enter commands specifying the location of the TFTP server and the PIX software image or password recovery binary file to download.
Security Levels
• Higher security level interface to a lower security level interface – For traffic originating from the inside interface of the PIX with a security level of 100 to the outside interface of the PIX with a security level of 0, all IP-based traffic is allowed unless it is restricted by ACLs, authentication, or authorization.
• Lower security level interface to a higher security level interface – For traffic originating from the outside interface of the PIX with a security level of 0 to the inside interface of the PIX with a security level of 100, all packets are dropped unless specifically allowed by an access-list command. The traffic can be restricted further if authentication and authorization is used.
• Same security level interface to a same security level interface – No traffic flows between two interfaces with the same security level.
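The three rules above can be checked for any pair of interfaces. As an added example (not from the course), a Python model of the default policy for one new connection: interface names, security levels, the ACL entry format and the addresses are all constructed here. It also models a fact about Cisco ACLs that the slide only implies: once an ACL is bound to an interface, traffic matching none of its entries is dropped by the implicit deny at the end.

```python
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    security_level: int  # 0 (outside) .. 100 (inside)


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # IP address or "any"
    dst: str     # IP address or "any"


@dataclass
class Flow:
    ingress: Interface  # interface the first packet arrives on
    egress: Interface
    src: str
    dst: str


def acl_match(acl, flow):
    """First-match evaluation; None means no entry matched."""
    for entry in acl:
        if entry.src in ("any", flow.src) and entry.dst in ("any", flow.dst):
            return entry.action
    return None


def default_policy(flow, acl=None):
    """Verdict for a new connection under the slide's security-level rules.

    acl is the access list bound inbound on the ingress interface, or None
    if no ACL is applied there.
    """
    hi, lo = flow.ingress.security_level, flow.egress.security_level
    if hi == lo:
        return "drop"  # same security level: no traffic flows between them
    if hi > lo:
        # higher -> lower: allowed by default, restricted only by a bound ACL
        if acl is None:
            return "allow"
        return "allow" if acl_match(acl, flow) == "permit" else "drop"  # implicit deny
    # lower -> higher: dropped unless an access-list entry specifically permits it
    return "allow" if acl is not None and acl_match(acl, flow) == "permit" else "drop"
```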
Basic Commands
• hostname – assigns a hostname to the PIX.
• interface – Configures the type and capability of each perimeter interface.
• nameif – Assigns a name to each perimeter interface.
• ip address – Assigns an IP address to each interface.
• security level – Assigns the security level for the perimeter interface.
• speed – Assigns the connection speed.
• duplex – Assigns the duplex communications.
Additional Commands
• nat-control – Enables or disables the NAT configuration requirement.
• nat – Shields IP addresses on the inside network from the outside network.
• global – Creates a pool of one or more IP addresses for use in NAT and PAT.
• route – Defines a static or default route for an interface.
Module 3 – Security Devices
3.5 PIX Security Appliance Translations and Connections
UDP
NAT
Access through the PIX Security Appliance
PAT
Static Translation
Identity NAT
Multiple Interfaces
Module 3 – Security Devices
3.6 Manage a PIX Security Appliance with Adaptive Security Device Manager
Adaptive Security Device Manager (ASDM)
ASDM Compatibility
ASDM Home Window
Module 3 – Security Devices
3.7 PIX Security Appliance Routing Capabilities
VLANs
Static Routes
Routing with RIP
Routing with OSPF
Multicast Routing
Module 3 – Security Devices
3.8 Firewall Services Module Operation
Firewall Services Module (FWSM)
Designed for high-end enterprise and service provider networks
Runs in Catalyst 6500 switches and 7600 Series routers
Based on PIX Security Appliance technology
PIX Security Appliance 6.0 feature set (some 6.2)
1 million simultaneous connections
Over 100,000 connections per second
5 Gbps throughput
Up to 4 can be stacked in a chassis, providing 20 Gbps throughput
1 GB DRAM
Supports 100 VLANs
Supports failover
FWSM in the Catalyst 6500 Switch
Figure labels: supervisor engine, redundant supervisor engine, slots 1-9 (top to bottom), 48-port 10/100 Ethernet module, switch fabric module, fan assembly, 16-port GBIC module, FWSM, power supply 1, power supply 2, ESD ground strap connector.
FWSM in the Cisco 7609 Internet Router
Figure labels: supervisor engine, fan assembly, power supply 1, power supply 2, switch fabric module, ESD ground strap connection, FWSM, slots 1-9 (right to left).