CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
There are many additional firewall concepts you also should understand beyond configuring zone-based firewalling and network address translation. In this chapter we’ll look at some other firewall services as well as discuss the difference between a routed and a transparent firewall. Moreover, we’ll cover security contexts and configuring ASA management access. Finally, toward the end of this chapter the Modular Policy Framework approach to configuration will be covered.
In this chapter, you will learn the following:
The Cisco ASA 9.x firewall series (which is the firewall tested in the CCNA Security exam) has a rich set of features to offer. While it certainly can perform the firewall duties we have come to expect from any enterprise-level firewall, such as traffic filtering and control, it also offers many other functions. Among these are:
Application Inspection Control (AIC)—Also called application protocol control, this feature verifies the conformance of major application layer protocol operations to RFC standards. It can help prevent many of the tunneling attempts and application layer attacks that violate protocol specifications.
Network Address Translation (NAT)—As you learned in Chapter 14, the ASA supports many implementations of NAT, including policy NAT, inside and outside NAT, one-to-one and one-to-many NAT, and port forwarding (static NAT).
IP Routing—The ASA has routing capabilities including static and dynamic routing with support for all major routing protocols such as EIGRP, RIP, OSPF, and BGP.
IPv6 support—The ASA supports IPv6 networking natively and can control access between IPv6 security domains.
DHCP—The ASA can be integrated as either a DHCP server or a DHCP client.
Multicast support—The ASA natively integrates with multicast networks supporting Internet Group Management Protocol (IGMP) and both Protocol Independent Multicast Sparse Mode (PIM-SM) and bidirectional Protocol Independent Multicast (PIM).
The ASA can be deployed in one of two modes, routed and transparent. The mode you choose will depend on requirements and needs. In this section, we differentiate these two modes of operation.
In routed mode, the ASA acts as a router, so each of its interfaces resides in a separate IP subnet. It can run all major routing protocols, including RIP, EIGRP, OSPF, and BGP. In environments that use static routing, it can use IP SLA to track a static route, detect when that route becomes unavailable, and switch to a second static route.
In transparent mode, the ASA is not acting as a router and assumes a layer 2 identity much as a switch does. This makes the ASA transparent to devices on either side (from a layer 3 perspective); thus the name transparent mode. As with a switch, however, it is possible to configure the ASA with a management IP address for connecting to and managing the ASA.
Regardless of whether the ASA is operating in routed or transparent mode, it is providing valuable services to the network. Therefore, providing high availability for the ASA and thus for the services it provides is highly desirable. The ASA has several redundancy options available to satisfy this need. In this section we’ll cover three ways that multiple ASAs can be deployed to provide this redundancy.
In Active/Standby failover, two security appliances are deployed; only one of them processes traffic while the second serves as a hot standby. This deployment model is shown in Figure 15.1.
FIGURE 15.1 Active/Standby failover
In Active/Active failover, two security appliances are deployed and both process traffic, with the ability to survive a single device failure. This deployment model is shown in Figure 15.2.
FIGURE 15.2 Active/Active failover
In clustering, three or more security appliances are deployed as a single logical device, which allows the ASAs to be managed as one unit and provides increased throughput as well as redundancy. This deployment model is shown in Figure 15.3.
FIGURE 15.3 Clustering
The ASA can be partitioned into multiple virtual firewalls or security contexts. Each context can have its own interfaces, policies, and administrators. This results functionally in multiple virtual firewalls, as shown in Figure 15.4, where multiple contexts are being used to support multiple customers.
FIGURE 15.4 Security contexts
While many administrators choose to manage and configure the ASA using the Adaptive Security Device Manager (ASDM), when you deploy a new ASA you will have to begin by setting up the ASA using the CLI. Only after an interface with an IP configuration is enabled will you be able to connect to the device using the ASDM. We will first cover this initial configuration and will then follow with the commands required to allow connections for the ASDM.
To perform the initial configuration of the ASA, connect to the device from the console port and perform the operations covered in the next procedure.
Before we get into interface configuration we need to discuss a concept that may be new to you if you have only configured routers. On the ASA, interfaces have security levels. These security levels are one of the ways the ASA controls access from one interface to another. A security level defines the trustworthiness of the interface: the higher the level, the more trusted the interface.
The most common configuration is to set the exterior interface (Internet) to a level of zero (or something very low in relation to the other interfaces) and the interior interface (LAN) to a very high security level value. Any other interfaces (such as a DMZ) can be set to a level that properly reflects the trust placed in that interface. With this configuration in place the typical traffic flows in your network will be as follows:
By default, the ASA uses these rules to control traffic between interfaces: traffic flowing from a higher-security interface to a lower-security interface is implicitly permitted, traffic flowing from a lower-security interface to a higher-security interface is implicitly denied, and traffic flowing between two interfaces with the same security level is implicitly denied.
Of course, these defaults can be changed and often are changed. Figure 15.5 shows how this would work using security level values 0, 50, and 100. Green lines represent allowed traffic while the red lines represent denied traffic.
FIGURE 15.5 Security levels in action
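The initial CLI setup described above, written out as an added example that is not the book's own configuration: three interfaces with names and security levels, IP addressing, and management access for the ASDM and SSH. The interface IDs, the outside and dmz addresses, the domain name and the admin account are assumptions; 192.168.5.0/24, the workstation 192.168.5.20 and the asa70 hostname come from this chapter.

```text
! Added example (not the book's configuration). Interface IDs, the outside
! and dmz addresses, the domain name and the admin account are assumptions.
hostname asa70
domain-name example.com
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! ASDM: enable the HTTP server and permit only the admin workstation
! (192.168.5.20) arriving on the inside interface.
http server enable
http 192.168.5.20 255.255.255.255 inside
!
! SSH: local admin account (placeholder password), RSA key pair, and the
! same single-host restriction on the inside interface.
username admin password ChangeMe-Placeholder1 privilege 15
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 2048
ssh 192.168.5.20 255.255.255.255 inside
ssh version 2
!
! Verify names, security levels and addresses before connecting with ASDM.
show interface ip brief
show nameif
```

Keeping the http and ssh statements to a single host (a /32 mask) is what limits management of the ASA to that workstation; widening the mask widens who can reach the management plane.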
In its role as a firewall the ASA uses security access policies to control traffic types allowed to flow from one interface to another. These access policies can be configured as interface access rules (much like the ACLs you may have experience with on a router) or by creating and linking object groups. In this section, we’ll discuss both methods.
If you apply no interface access rules on the ASA, the default rules (as covered earlier) are an implicit permit for traffic from a higher-security interface to a lower-security interface, an implicit deny for traffic from a lower-security interface to a higher-security interface, and an implicit deny for traffic between two interfaces with the same security level.
This means that you will need to create an access rule to allow traffic in each of the following scenarios: traffic from a lower-security interface to a higher-security interface, and traffic between two interfaces with the same security level.
While interface rules operate like ACLs, you may (depending on your CLI experience with the ASA) find it easier to create these rules in the ASDM rather than at the command line. In the next procedure, you will see how this is done in the ASDM.
While the previous procedure used the keyword ANY to select the source and destination and HTTP for the service, few configurations are that simple. In many cases we need to allow only a select group of devices rather than all devices, or we need to allow only devices on a specific network to send traffic on an interface when several networks might traverse that interface. To make the creation and application of rules easier, the ASA can also use an object-based model for certain rules.
Objects can be created to represent any of the following: networks, individual hosts, groups of services, or resources.
Once these objects have been created, you create rules exactly as in the previous procedure and simply use the browse button next to each drop-down box in the Add Access Rule dialog box to select the objects. In the next procedure, you will create objects and then use them in an access rule.
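An object-based access rule in the ASA CLI, as an added example that is not the book's own configuration. It permits web traffic from anywhere on the outside interface to the DMZ web server 201.3.3.3 (the address used in this chapter), which the default rules would deny, and then shows how binding an ACL to the inside interface replaces the implicit permit. The object, object-group and ACL names and the dmz subnet 192.168.10.0/24 are assumptions.

```text
! Added example (not the book's configuration). Object, object-group and
! ACL names and the dmz subnet are assumptions; 201.3.3.3 and
! 192.168.5.0/24 come from the chapter.
object network DMZ-WEB-SERVER
 host 201.3.3.3
!
object network DMZ-NET
 subnet 192.168.10.0 255.255.255.0
!
object network INSIDE-LAN
 subnet 192.168.5.0 255.255.255.0
!
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
!
! outside (level 0) -> dmz (level 50) is denied by default, so an explicit
! rule is required. Editing an object later updates every rule using it.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB-SERVER object-group WEB-PORTS
! Optional: log what the ACL's implicit deny would otherwise drop silently.
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! inside (level 100) -> dmz (level 50) is permitted by default, so no rule
! is needed for INSIDE-LAN to reach the web server. Once an ACL is bound to
! the inside interface that implicit permit no longer applies, so the
! flow must be permitted explicitly; here the LAN may reach only the web
! server (on web ports) in the DMZ, and anything beyond the DMZ.
access-list INSIDE-IN extended permit tcp object INSIDE-LAN object DMZ-WEB-SERVER object-group WEB-PORTS
access-list INSIDE-IN extended deny ip object INSIDE-LAN object DMZ-NET
access-list INSIDE-IN extended permit ip object INSIDE-LAN any
access-group INSIDE-IN in interface inside
!
show access-list OUTSIDE-IN
show access-list INSIDE-IN
```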
In Chapters 4 and 14 you learned about the Cisco Modular Policy Framework (MPF). As a review, there are three components that are used as building blocks to implement policies in this framework: class maps, which categorize traffic types into classes (an ACL typically defines the traffic and the class map references the ACL); policy maps, which define the action to be taken for a particular class (allow, block, or rate-limit); and service policies, which specify where the policy map is applied.
In the next procedure, you will use this framework to create a new policy by creating a class map that identifies Telnet as the traffic and a policy map that identifies an action of deny, and then applying the two to all interfaces with a service policy.
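The three MPF building blocks in the ASA CLI, as an added example that is not the book's ASDM procedure: an ACL and class map that identify Telnet, a policy map that acts on it, and a service policy that applies it. This example uses the rate-limit action (police) rather than the deny action chosen in the procedure, and binds the policy to the outside interface rather than globally, because only one global policy (global_policy) may exist. The ACL, class-map and policy-map names are assumptions.

```text
! Added example (not the book's configuration). Names are assumptions.
!
! 1. Class map: an ACL defines the traffic; the class map references it.
access-list TELNET-TRAFFIC extended permit tcp any any eq telnet
class-map TELNET-CLASS
 match access-list TELNET-TRAFFIC
!
! 2. Policy map: the action for the class. Here Telnet leaving the
!    interface is rate-limited to 8 kbps (1500-byte burst); traffic over
!    the limit is dropped.
policy-map TELNET-POLICY
 class TELNET-CLASS
  police output 8000 1500 conform-action transmit exceed-action drop
!
! 3. Service policy: where the policy map is applied. Each interface can
!    carry one interface policy; to act on every interface instead, add
!    the class to the existing global_policy rather than creating a
!    second global policy.
service-policy TELNET-POLICY interface outside
!
! Verify the class, the action and the packet/drop counters.
show service-policy interface outside
```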
In this chapter, you learned how to set up the ASA so you can remotely administer it using the ASDM. You also learned the default security policies that are in place and how the default global policy interacts with configured policies. You also learned about interface security levels and the effect they have on traffic flows. The chapter reviewed the Cisco Modular Policy Framework and how it is used to create policies. It also discussed the difference between a transparent and a routed firewall. Finally, high-availability solutions were introduced, including the Active/Active failover, Active/Standby failover, and clustering approaches.
Identify firewall services provided by the ASA. These include Application Inspection Control (AIC), Network Address Translation (NAT), IP Routing, IPv6 support, DHCP, and Multicast support.
Describe the two modes of deploying the ASA. The ASA can be deployed in one of two modes, routed and transparent. In routed mode, the ASA acts as a router and thus each of its interfaces resides in a separate IP subnet. In transparent mode, the ASA is not acting as a router and assumes a layer 2 identity much as a switch does.
Identify ASA high-availability methods. These include Active/Standby failover, Active/Active failover, and clustering.
Define security contexts in the ASA. The ASA can be partitioned into multiple virtual firewalls or security contexts. Each context can have its own interfaces, policies, and administrators.
Describe the steps required for initial setup of the ASA. These steps include assigning an IP address and mask to interfaces, enabling interfaces, and enabling the HTTP server. They also include permitting the remote management traffic generated when connecting with the ASDM.
List the default traffic rules in the ASA. By default, the ASA uses these rules to control traffic between interfaces: there is an implicit permit for traffic flowing from a high-security interface to a low-security interface, there is an implicit deny for traffic flowing from a low-security interface to a high-security interface, and there is an implicit deny for traffic flowing between two interfaces with the same security level.
Identify examples of items for which objects can be created in the ASA. Objects can be created to represent any of the following: networks, individual hosts, groups of services, or resources.
Describe the components of the Cisco Modular Policy Framework (MPF). There are three components that are used as building blocks to implement policies in this framework: class maps, used to categorize traffic types into classes (ACLs are typically used to define the traffic and then the ACL is referenced in the class map); policy maps, used to define the action to be taken for a particular class (actions that can be specified are allow, block, and rate-limit); and service policies, used to specify where the policy map should be implemented.
Which firewall feature can help prevent many tunneling attempts and application layer attacks?
In which mode does the ASA assume a layer 2 identity?
In which high-availability approach are three or more security appliances deployed as a single logical device?
What is it called when the ASA is partitioned into multiple virtual firewalls?
Which command is used to apply the name outside to an interface on the ASA?
Which command is required to connect to the device using the ASDM?
Which command defines an IP address on the inside network that will be allowed to connect to the ASA using HTTP to manage the ASA?
What value is used to determine the allowed traffic flows between the interfaces in the ASA?
There is an implicit permit for traffic flowing from a _______ security interface to a ________ security interface.
Which command assigns the security level 100 to an interface?
In which of the following scenarios will you need to create an access rule to allow traffic?
Which of the following is used to represent a select group of devices rather than all devices in a network?
Which of the following is used to categorize traffic types in the MPF?
You would like to apply a service policy to all interfaces of the ASA. What radio button do you choose for this in the ASDM?
You need to allow HTTP traffic from the 192.168.5.0/24 network inside the LAN to a web server with the IP address of 201.3.3.3 in the DMZ. What type of object do you create to represent the HTTP traffic?
Which of the following is used to specify where a policy map should be implemented in the MPF?
The ASA you manage has three interfaces that you have labeled inside (LAN), outside (Internet), and dmz. The security levels you have assigned are 100, 0, and 50 respectively. Currently the only rules in place are the global default rules. Which traffic is allowed?
In the following command, what does inside represent?
asa70(config)#ssh 192.168.5.20 255.255.255.255 inside
Which of the following is used to define the action to be taken for a traffic type in the MPF?
There is an implicit deny for traffic flowing from a ________ security interface to a ________ interface.