Lionel Hunt
Systems Engineer
Global Enterprise Theatre
Cisco Confidential
[Figure: IOS Firewall deployment options. Labels recovered from the slide: IOS FW in ASR; IOS FW in ISR; Most cost-effective; Branch; Private WAN; High Performance; Branch Edge; NetOps and SecOps administrative domain separation; QFP. Which label belongs to which platform is not recoverable.]
[Figure: Cisco security product portfolio across the branch and Public WAN]
- Cisco Integrated Services Routers
- Cisco ASA Adaptive Security Appliance
- Cisco Intrusion Prevention Systems (Targeted Attack Protection)
- Cisco Security Manager and Cisco Security MARS (Centralized Security Management)
Integrated
- Multivector protections at all points in the network and at desktop and server endpoints
- Branch infrastructure security that enables an end-to-end architecture
Adaptive
- Anomaly detection with in-production learning
- Network behavioral analysis
- Visibility and mitigation capabilities for blended content-based threats
- Real-time security posture adjustment
Collaborative
- Cross-solution feedback linkages
- Common policy management
- Endpoint posture and security policy enforcement
- Passive and active fingerprinting
- Cisco Security Agent and IPS collaboration
[Figure: stateful inspection packet path between the Internet and the protected network. Decision points: "Existing connection?" (lookup in the State Table), then "Permit traffic?".]
Properties of stateful inspection:
- Examines multiple levels
- Very secure
- Robust logging
- Transparent
- Maintains state
- High performance
Branch-WAN 1.0 Solution Overview
Example Flow (End User PC to Web Server)
Flow:
- SRC IP: 10.1.1.9
- DST IP: 198.133.219.25
- Protocol: TCP
Interfaces:
- Source: Inside
- Destination: Outside
[Figure: Packet Flow. Inside: Servers, Client: 10.1.1.9, departments Accounting and Eng... (label truncated). Outside: Server: 198.133.219.25. Further labels did not survive extraction. Caption fragment: "... of Configuration Issues Boils Down to Just the Two Interfaces: Inside and Outside".]
[Figure: packet processing steps 1 to 5. Only step 1, "Packet Arrives", survived extraction.]
Stateful Firewall
- Provides stateful connection security
- Tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags
- TCP sequence numbers are randomized
- Tracks UDP and TCP session state
- Connections allowed out also allow the return session flow back in (TCP ACK bit)
- Supports authentication, authorization, and syslog accounting
Interface security levels (PIX-style configuration from the slide):
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
[Figure: Firewall with three interfaces: Public Network (outside, security level 0), DMZ (security level 50), Private Network (inside, security level 100).]
Default Actions:
- Higher to Lower: PERMIT
- Lower to Higher: DENY
- Between Same: DENY
[Figure: three traffic cases between the Public Network (outside) and the Private Network (inside):
1: inside to outside (limit with ACL)
2: Access List (outside to inside)
3: user authentication (AAA)]
NAT
NAT Example
Inside (before translation):
- Source Addr: 10.0.1.3
- Destination Addr: 200.200.200.10
- Destination Port: 23
Outside (after translation, towards the Internet):
- Source Addr: 192.168.1.10
- Destination Addr: 200.200.200.10
- Destination Port: 23
Translation table (as recovered from the figure):
    Inside Local IP Address    Global IP Pool
    10.0.1.3                   192.168.1.10
    10.0.1.4                   192.168.1.254
IOS Firewall
[Figure: zone-based firewall policy matrix for the branch. Zones: VPN Zone, Infrastructure Zone, Client Zone, WAN Zone (Private WAN and Internet VPN). Cells hold Permit or Deny per source/destination zone pair; the cell positions did not survive extraction.]
Note: no CSM support for ZBFW is planned until 3.3.
[Figure: WAN-edge zone policy matrix between the VPN Zone, WAN Edge and Private WAN (SP1, SP2) with QFP. Cells hold Permit or Deny; the cell positions did not survive extraction.]
Cut-through Proxy
[Figure: Cut-through Proxy between an Internal/External user and an IS Resource, with Cisco Secure as the AAA server. Step 1 did not survive extraction.]
2. Firewall intercepts connection
3. Firewall prompts user for username and password, authenticates user and checks security policy on RADIUS or TACACS+ server
   (login dialog shown in the figure: "Username and Password Required", PIX Firewall, User Name: student, Password: 123@456, OK / Cancel)
4. Firewall initiates connection from Firewall to the destination IS resource
100% Transparent
User Authentication: Cut-Through-Proxy