
Cisco Security Appliance Technology and Features

Lesson 1

2007 Cisco Systems, Inc. All rights reserved.

SNPA v5.01-1

Firewalls


What Is a Firewall?

[Figure: the Internet and outside network, a DMZ network, and the inside network, each attached to a separate interface of the firewall]

A firewall is a system or group of systems that manages access between two or more networks.

Firewall Technologies
Firewall operations are based on one of three technologies:
- Packet filtering
- Proxy server
- Stateful packet filtering

Packet Filtering

[Figure: Host A on the Internet sends data toward Server B in the DMZ and Server C on the inside network; the filter table on the firewall reads A to B: Yes, A to C: No, so only the traffic to Server B is passed]

A packet filter limits the information that is allowed into a network based on the destination and source addresses (and usually the ports) carried in each packet's header. Every packet is judged on its own against a static rule set; the filter keeps no record of the packets that came before it, so it cannot tell a genuine reply from a forged packet that merely carries permitted addresses.

Proxy Server

[Figure: a proxy server sits between the outside network (Internet) and the inside network; inside clients connect to the proxy, and the proxy connects out to the Internet on their behalf]

A proxy server requests connections on behalf of a client: it terminates the client's connection, opens its own connection to the destination, and relays data between the two. Because it operates at the application layer, it sees the whole exchange, at the cost of one full connection per client session.

Stateful Packet Filtering

[Figure: Host A on the Internet opens an HTTP connection to Server B in the DMZ; the firewall records the connection in its state table before forwarding the data toward the server]

Limits the information that is allowed into a network based not only on the destination and source addresses, but also on the contents of the firewall's state table. An entry is written when a connection is initiated from a permitted direction; later packets are matched against that entry, and packets that belong to no recorded connection are dropped.

State Table

Source address   Destination address   Source port   Destination port   Initial sequence no.   Ack   Flag
192.168.0.20     172.16.0.50           1026          80                 49769                  -     Syn
10.0.0.11        172.16.0.50           1026          80                 49091                  -     Syn

(The Ack column is still empty because both connections are at the SYN stage of the handshake.)

Security Appliance Overview


Security Appliances: What Are They?

Cisco security appliances deliver enterprise-class security for small-to-medium-sized business and enterprise networks in a modular, purpose-built appliance. Some features of Cisco security appliances are:
- Proprietary operating system
- Stateful packet inspection
- User-based authentication
- Protocol and application inspection
- Modular policy framework
- Virtual private networking
- Security contexts (virtual firewalls)
- Stateful failover capabilities
- Transparent firewalls
- Web-based management solutions

Proprietary Operating System

Reduces the risks associated with running a firewall on a general-purpose operating system: the appliance carries no unrelated services, packages, or user accounts that an attacker could target, and the operating system exposes only what the security functions need.

Stateful Packet Inspection

The stateful packet inspection algorithm provides stateful connection security:
- It tracks source and destination addresses and ports, TCP sequence numbers, and additional TCP flags for every connection.
- It randomizes the initial TCP sequence number of each new connection, so a host with a predictable sequence-number generator is not exposed to sequence-number guessing by an attacker who cannot see the traffic.
- By default, it allows connections that originate from hosts on an inside (higher security level) interface toward a lower security level interface, and it records each one in the state table so that the return traffic is admitted.
- By default, it drops connection attempts that originate from hosts on an outside (lower security level) interface toward a higher security level interface; such traffic must be explicitly permitted.
- It supports authentication, authorization, and accounting (AAA).
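The following model ties together the Stateful Packet Filtering slide (the state table) and the Stateful Packet Inspection slide (the higher-to-lower default rule and the randomized initial sequence number). It is an added example written for this page, not Cisco code or the appliance's real algorithm: the interface names and security levels, the routing table, the packet fields and every sample packet are constructed here, and the model keeps only the pieces the slides name.

```python
"""Model of the stateful inspection behaviour on the slides above.
Added example, not Cisco code: interfaces, security levels, routes,
the packet layout and the sample packets are all constructed."""
from dataclasses import dataclass
import secrets

MASK = 0xFFFFFFFF  # TCP sequence numbers wrap at 32 bits

# Constructed interface table: a higher security level means more trusted.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

# Constructed routing table, most specific prefix first; "" is the default route.
ROUTES = [("10.0.0.", "inside"), ("172.16.0.", "dmz"), ("", "outside")]


def interface_for(ip):
    """Interface a packet addressed to ip leaves through."""
    for prefix, ifname in ROUTES:
        if ip.startswith(prefix):
            return ifname


@dataclass(frozen=True)
class Packet:
    ingress: str        # interface the packet arrived on
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: frozenset    # subset of {"SYN", "ACK"}


@dataclass
class Conn:
    isn: int            # ISN the initiator really sent
    new_isn: int        # randomized ISN the responder sees instead
    state: str          # "SYN_SENT" or "ESTABLISHED"


def _offset(c):
    return (c.new_isn - c.isn) & MASK


class StatefulInspector:
    def __init__(self, rand=secrets.randbits):
        self.rand = rand   # injectable so the model can be tested deterministically
        self.table = {}    # (src, dst, sport, dport) -> Conn

    def process(self, p):
        """Return (action, reason, seq as forwarded, ack as forwarded)."""
        fwd = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)

        if fwd in self.table:                          # initiator -> responder
            c = self.table[fwd]
            if "ACK" in p.flags and c.state == "SYN_SENT":
                c.state = "ESTABLISHED"
            return ("PERMIT", "matches state table (initiator side)",
                    (p.seq + _offset(c)) & MASK, p.ack)

        if rev in self.table:                          # responder -> initiator
            c = self.table[rev]
            # During the handshake the responder must acknowledge the randomized
            # ISN; a SYN/ACK built from a guess of the real ISN is rejected.
            if c.state == "SYN_SENT" and "ACK" in p.flags and p.ack != (c.new_isn + 1) & MASK:
                return ("DROP", "ack does not match randomized ISN", None, None)
            return ("PERMIT", "matches state table (responder side)",
                    p.seq, (p.ack - _offset(c)) & MASK)

        if p.flags != frozenset({"SYN"}):
            return ("DROP", "no matching state table entry", None, None)

        # A fresh SYN is permitted by default only from higher to lower security level.
        egress = interface_for(p.dst)
        if SECURITY_LEVEL[p.ingress] <= SECURITY_LEVEL[egress]:
            return ("DROP", f"new connection from {p.ingress} to {egress} "
                            "not permitted by default", None, None)
        new_isn = (p.seq + self.rand(32)) & MASK
        self.table[fwd] = Conn(p.seq, new_isn, "SYN_SENT")
        return ("PERMIT", f"new connection {p.ingress} -> {egress}, entry created", new_isn, p.ack)


def demo(rand=secrets.randbits):
    """Replay constructed packets through the model; returns the verdicts in order."""
    fw = StatefulInspector(rand)
    S, SA, A = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    out = []
    # 1. inside host -> DMZ web server (second row of the slide's state table)
    out.append(fw.process(Packet("inside", "10.0.0.11", "172.16.0.50", 1026, 80, 49091, 0, S)))
    new_isn = out[-1][2]
    # 2. outside host -> DMZ server (first row): the slide's table shows it admitted,
    #    which needs an explicit access rule; this model has none, so it is dropped.
    out.append(fw.process(Packet("outside", "192.168.0.20", "172.16.0.50", 1026, 80, 49769, 0, S)))
    # 3. stray ACK from the Internet with no state table entry
    out.append(fw.process(Packet("outside", "203.0.113.7", "10.0.0.11", 4444, 1026, 77, 0, A)))
    # 4. forged SYN/ACK that acknowledges the host's real ISN + 1
    out.append(fw.process(Packet("dmz", "172.16.0.50", "10.0.0.11", 80, 1026, 5000, 49092, SA)))
    # 5. genuine SYN/ACK acknowledging the randomized ISN + 1
    out.append(fw.process(Packet("dmz", "172.16.0.50", "10.0.0.11", 80, 1026, 5000, (new_isn + 1) & MASK, SA)))
    # 6. inside host completes the handshake
    out.append(fw.process(Packet("inside", "10.0.0.11", "172.16.0.50", 1026, 80, 49092, 5001, A)))
    return out


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Packet 5 shows the translation the appliance must do once it randomizes the ISN: the server acknowledges the randomized number, and the firewall rewrites the acknowledgement back to 49092 before the inside host sees it.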

Cut-Through Proxy Operation

[Figure: an internal or external user, the security appliance, and an ISP; the user's browser shows the appliance's authentication dialog ("Username and Password Required", user name: student, password: 123@456)]

1. The user makes a request to an ISP.
2. The security appliance intercepts the connection.
3. At the application layer, the security appliance prompts the user for a username and password. It then authenticates the user against a RADIUS or TACACS+ server and checks the security policy.
4. The security appliance initiates a connection from itself to the destination ISP.
5. The security appliance directly connects the internal or external user to the ISP. From this point the appliance no longer proxies the session at the application layer: the remaining packets are handled by the stateful inspection engine at the lower (network and transport) layers of the OSI model, which is what makes the proxy "cut-through" rather than a full proxy for the life of the session.
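The five steps above, as an added example written for this page rather than Cisco code: a small class that intercepts the first request from an unauthenticated source, prompts, authenticates against a stand-in for the RADIUS/TACACS+ server, checks a per-user policy, and then hands the session to stateful inspection. The user table, the set of services that require authentication, the per-user destination policy, and the cache of authenticated source addresses (so a user is prompted once rather than on every connection) are all assumptions of this model.

```python
"""Model of the cut-through proxy sequence on the slide above.
Added example, not Cisco code: AAA_USERS stands in for the RADIUS/TACACS+
server; the policy, gated services and the source-address cache are assumed."""
from dataclasses import dataclass
import hashlib
import hmac

# Constructed AAA store: username -> (sha256 of password, ports the user may reach).
# In a real deployment this lives on the RADIUS/TACACS+ server, not on the firewall.
AAA_USERS = {
    "student": (hashlib.sha256(b"123@456").hexdigest(), {80, 443}),   # the slide's sample login
}
AUTH_REQUIRED_PORTS = {23, 80, 443}   # services the policy gates behind authentication


def aaa_server(username, password):
    """Stand-in for the step 3 exchange with the AAA server: returns the
    user's permitted ports on success, None on failure."""
    entry = AAA_USERS.get(username)
    if entry is None:
        return None
    digest = hashlib.sha256(password.encode()).hexdigest()
    return entry[1] if hmac.compare_digest(digest, entry[0]) else None


@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_ip: str
    dport: int
    credentials: tuple = None   # (username, password) typed into the prompt, if any


class CutThroughProxy:
    def __init__(self, aaa=aaa_server):
        self.aaa = aaa
        self.uauth = {}   # src_ip -> (username, permitted ports); a real device also times these out

    def handle(self, req):
        """Return (action, explanation) for one connection request."""
        if req.dport not in AUTH_REQUIRED_PORTS:
            return ("PASS", "service not subject to authentication; stateful inspection only")
        auth = self.uauth.get(req.src_ip)
        if auth is None:
            if req.credentials is None:
                # Steps 2 and 3: intercept and prompt at the application layer.
                return ("PROMPT", "connection intercepted; username and password required")
            username, password = req.credentials
            permitted = self.aaa(username, password)
            if permitted is None:
                return ("DENY", "authentication failed")
            auth = self.uauth[req.src_ip] = (username, permitted)
        username, permitted = auth
        # Step 3, second half: check the security policy for this user.
        if req.dport not in permitted:
            return ("DENY", f"policy does not permit {username} to reach port {req.dport}")
        # Steps 4 and 5: the appliance connects to the destination and the rest
        # of the session is handled by stateful inspection, not by the proxy.
        return ("CUT_THROUGH", f"{username} authenticated; session handed to stateful inspection")


def demo():
    """Replay the slide's sequence with constructed requests; returns the actions."""
    proxy = CutThroughProxy()
    host, server = "10.0.0.11", "198.51.100.10"
    steps = [
        Request(host, server, 80),                            # step 1: user requests a web page
        Request(host, server, 80, ("student", "wrong")),      # bad password at the prompt
        Request(host, server, 80, ("student", "123@456")),    # correct credentials
        Request(host, server, 443),                           # later connection: no new prompt
        Request(host, server, 23),                            # authenticated but not authorized
        Request(host, server, 53),                            # service outside the auth policy
    ]
    return [proxy.handle(r) for r in steps]


if __name__ == "__main__":
    for action, why in demo():
        print(f"{action:12} {why}")
```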

Modular Policy

[Figure: headquarters with a T1 link to the Internet; systems engineer (SE) and executive (exec) user groups inside; site-to-site (S2S) tunnels to Site B and Site C]

Construction of flow-based policies:
- Identify specific flows (class map)
- Apply services to that flow (policy map)
- Activate the policy on an interface or globally (service policy)

Class Map (traffic flow): Default, Internet, Systems Engineer, Executives, Site to Site
Policy Map (services applied to each class): Inspect, IPS, Police, Priority
Service Policy (where the policy map is activated): Global, or a specific interface such as Outside
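To make the three levels concrete, here is an added example written for this page, not Cisco code and not the appliance's configuration syntax: class maps are match functions, a policy map is an ordered list of (class, services) pairs, and a service policy binds a policy map globally or to one interface. The class names, match criteria, address ranges and flows are constructed, as are the two precedence rules in services_for(); those rules follow how Cisco documents the Modular Policy Framework (a flow takes each service from the first matching class, and an interface policy overrides the global policy for the same service), but they are this model's assumption rather than something the slide states.

```python
"""Toy model of class map -> policy map -> service policy on the slide above.
Added example, not Cisco code; names, match rules, flows and the precedence
rules are constructed for illustration."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ingress: str     # interface the first packet arrives on
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class ClassMap:
    name: str
    match: object    # callable Flow -> bool


@dataclass
class PolicyMap:
    name: str
    classes: list    # ordered list of (ClassMap, [service, ...])


@dataclass
class ServicePolicy:
    policy: PolicyMap
    interface: str = None   # None means the global service policy


def src_in(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda f: ipaddress.ip_address(f.src) in net


def to_service(proto, *ports):
    return lambda f: f.proto == proto and f.dport in ports


def services_for(flow, service_policies):
    """Map each service applied to the flow to the (scope, class) that applies it.

    Rule 1 (assumed): within one policy map a flow takes each service from the
    first class, in order, whose criteria it meets.
    Rule 2 (assumed): a service in the interface policy takes precedence over
    the same service in the global policy."""
    applied = {}
    ordered = sorted(service_policies, key=lambda sp: sp.interface is None)  # interface first
    for sp in ordered:
        if sp.interface is not None and sp.interface != flow.ingress:
            continue
        scope = sp.interface or "global"
        for cmap, services in sp.policy.classes:
            if cmap.match(flow):
                for svc in services:
                    applied.setdefault(svc, (scope, cmap.name))
    return applied


# Constructed policy mirroring the classes and services named on the slide.
class_default = ClassMap("class-default", lambda f: True)
sys_eng       = ClassMap("systems-engineer", src_in("10.0.1.0/24"))
executives    = ClassMap("executives", src_in("10.0.2.0/24"))
internet_web  = ClassMap("internet", to_service("tcp", 80, 443))
site_to_site  = ClassMap("site-to-site", src_in("192.0.2.0/24"))    # remote-site peers

global_policy = PolicyMap("global_policy", [
    (executives,    ["priority"]),
    (sys_eng,       ["police"]),
    (class_default, ["inspect"]),
])
outside_policy = PolicyMap("outside_policy", [
    (site_to_site, ["priority"]),
    (internet_web, ["inspect", "ips"]),
])
SERVICE_POLICIES = [
    ServicePolicy(global_policy),                # applied globally
    ServicePolicy(outside_policy, "outside"),    # applied on the outside interface
]


def demo():
    """Classify constructed flows; returns {label: {service: (scope, class)}}."""
    flows = {
        "exec web":    Flow("inside",  "10.0.2.5",     "198.51.100.9", "tcp", 443),
        "se ssh":      Flow("inside",  "10.0.1.9",     "198.51.100.9", "tcp", 22),
        "inbound web": Flow("outside", "198.51.100.4", "172.16.0.50",  "tcp", 80),
        "vpn peer":    Flow("outside", "192.0.2.1",    "203.0.113.1",  "udp", 500),
    }
    return {label: services_for(f, SERVICE_POLICIES) for label, f in flows.items()}


if __name__ == "__main__":
    for label, svcs in demo().items():
        print(label, svcs)
```

The "inbound web" flow is the one to look at: the outside policy's internet class supplies inspect, so the global policy's class-default inspect is not applied a second time, while the "vpn peer" flow still picks up inspect from the global policy because no class on the outside interface provides it.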

Virtual Private Network

[Figure: headquarters connected over the Internet to a remote site by a site-to-site IPsec VPN, and to individual remote-access users by IPsec VPN or SSL VPN]

The security appliance terminates both site-to-site tunnels (IPsec) and remote-access sessions (IPsec or SSL VPN).

Security Context (Virtual Firewall)

[Figure: four physical firewalls, each with its own Internet connection, compared with one physical firewall partitioned into four virtual firewalls sharing one Internet connection]

Ability to create multiple security contexts (virtual firewalls) within a single security appliance. Each context is configured and operates as an independent firewall with its own interfaces and security policy.

Failover Capabilities: Active/Standby, Active/Active, and Stateful Failover

[Figure: an active/standby pair, in which the secondary unit becomes active when the primary fails; an active/active pair, in which contexts 1 and 2 are split across the two units and a failed unit's contexts move to the surviving unit]

Failover protects the network if the primary security appliance goes offline.
- Active/standby: only one unit actively processes traffic; the other is a hot standby.
- Active/active: both units process traffic (each active for different security contexts) and each serves as the backup for the other.
- Stateful failover maintains the operating state, including the connection table, during failover, so established sessions survive the switch to the other unit.

Transparent Firewall

[Figure: hosts 192.168.1.5 and 192.168.1.2 on the same IP subnet, with the security appliance bridging between them on the path to the Internet]

Has the ability to deploy a security appliance in a secure bridging mode: the appliance is inserted into an existing subnet without readdressing the hosts, because it forwards frames at Layer 2 rather than acting as a routed hop. Provides rich Layers 2 through 7 security services as a Layer 2 device.

Web-Based Management Solutions

Adaptive Security Device Manager



Summary
There are three firewall technologies: packet filtering, proxy server, and stateful packet filtering. Features of the Cisco PIX security appliances and Cisco ASA security appliances include the following: proprietary operating system, stateful packet inspection, cut-through proxy, stateful failover, modular policy, VPNs, transparent firewall, security contexts, and web-based management.