Cisco ASA: All-in-One Next-Generation Firewall, IPS, and VPN Services, Third Edition

Book Description

Cisco® ASA: All-in-One Next-Generation Firewall, IPS, and VPN Services, Third Edition

Identify, mitigate, and respond to today’s highly sophisticated network attacks.

Today, network attackers are far more sophisticated, relentless, and dangerous. In response, Cisco ASA: All-in-One Next-Generation Firewall, IPS, and VPN Services has been fully updated to cover the newest techniques and Cisco technologies for maximizing end-to-end security in your environment. Three leading Cisco security experts guide you through every step of creating a complete security plan with Cisco ASA, and then deploying, configuring, operating, and troubleshooting your solution.

Fully updated for today’s newest ASA releases, this edition adds new coverage of ASA 5500-X, ASA 5585-X, ASA Services Module, ASA next-generation firewall services, EtherChannel, Global ACLs, clustering, IPv6 improvements, IKEv2, AnyConnect Secure Mobility VPN clients, and more. The authors explain significant recent licensing changes; introduce enhancements to ASA IPS; and walk you through configuring IPsec, SSL VPN, and NAT/PAT.

You’ll learn how to apply Cisco ASA adaptive identification and mitigation services to systematically strengthen security in network environments of all sizes and types. The authors present up-to-date sample configurations, proven design scenarios, and actual debugs, all designed to help you make the most of Cisco ASA in your rapidly evolving network.

Jazib Frahim, CCIE® No. 5459 (Routing and Switching; Security), Principal Engineer in the Global Security Solutions team, guides top-tier Cisco customers in security-focused network design and implementation. He architects, develops, and launches new security services concepts. His books include Cisco SSL VPN Solutions and Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting.

Omar Santos, CISSP No. 463598, Cisco Product Security Incident Response Team (PSIRT) technical leader, leads and mentors engineers and incident managers in investigating and resolving vulnerabilities in Cisco products and protecting Cisco customers. Through 18 years in IT and cybersecurity, he has designed, implemented, and supported numerous secure networks for Fortune® 500 companies and the U.S. government. He is also the author of several other books and numerous whitepapers and articles.

Andrew Ossipov, CCIE® No. 18483 and CISSP No. 344324, is a Cisco Technical Marketing Engineer focused on firewalls, intrusion prevention, and data center security. Drawing on more than 16 years in networking, he works to solve complex customer technical problems, architect new features and products, and define future directions for Cisco’s product portfolio. He holds several pending patents.

Understand, install, configure, license, maintain, and troubleshoot the newest ASA devices

Efficiently implement Authentication, Authorization, and Accounting (AAA) services

Control and provision network access with packet filtering, context-aware Cisco ASA next-generation firewall services, and new NAT/PAT concepts

Configure IP routing, application inspection, and QoS

Create firewall contexts with unique configurations, interfaces, policies, routing tables, and administration

Enable integrated protection against many types of malware and advanced persistent threats (APTs) via Cisco Cloud Web Security and Cisco Security Intelligence Operations (SIO)

Implement high availability with failover and elastic scalability with clustering

Deploy, troubleshoot, monitor, tune, and manage Intrusion Prevention System (IPS) features

Implement site-to-site IPsec VPNs and all forms of remote-access VPNs (IPsec, clientless SSL, and client-based SSL)

Configure and troubleshoot Public Key Infrastructure (PKI)

Use IKEv2 to more effectively resist attacks against VPNs

Leverage IPv6 support for IPS, packet inspection, transparent firewalls, and site-to-site IPsec VPNs

Table of Contents

  1. About This eBook
  2. Title Page
  3. Copyright Page
  4. About the Authors
  5. About the Technical Reviewers
  6. Dedications
  7. Acknowledgments
  8. Contents at a Glance
  9. Contents
  10. Icons Used in This Book
  11. Command Syntax Conventions
  12. Foreword
  13. Introduction
    1. Who Should Read This Book?
    2. How This Book Is Organized
  14. Chapter 1. Introduction to Security Technologies
    1. Firewalls
    2. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
    3. Virtual Private Networks
    4. Cisco AnyConnect Secure Mobility
    5. Cloud and Virtualization Security
    6. Summary
  15. Chapter 2. Cisco ASA Product and Solution Overview
    1. Cisco ASA Model Overview
    2. Cisco ASA 5505 Model
    3. Cisco ASA 5510 Model
    4. Cisco ASA 5512-X Model
    5. Cisco ASA 5515-X Model
    6. Cisco ASA 5520 Model
    7. Cisco ASA 5525-X Model
    8. Cisco ASA 5540 Model
    9. Cisco ASA 5545-X Model
    10. Cisco ASA 5550 Model
    11. Cisco ASA 5555-X Model
    12. Cisco ASA 5585-X Models
    13. Cisco Catalyst 6500 Series ASA Services Module
    14. Cisco ASA 1000V Cloud Firewall
    15. Cisco ASA Next-Generation Firewall Services (Formerly Cisco ASA CX)
    16. Cisco ASA AIP-SSM Module
    17. Cisco ASA Gigabit Ethernet Modules
    18. Summary
  16. Chapter 3. Licensing
    1. Licensed Features on ASA
    2. Managing Licenses with Activation Keys
    3. Combined Licenses in Failover and Clustering
    4. Shared Premium VPN Licensing
    5. Summary
  17. Chapter 4. Initial Setup
    1. Accessing the Cisco ASA Appliances
    2. Managing Licenses
    3. Initial Setup
    4. Device Setup
    5. Setting Up the System Clock
    6. Summary
  18. Chapter 5. System Maintenance
    1. Configuration Management
    2. Remote System Management
    3. System Maintenance
    4. System Monitoring
    5. Device Monitoring and Troubleshooting
    6. Summary
  19. Chapter 6. Cisco ASA Services Module
    1. Cisco ASA Services Module Overview
    2. Managing Host Chassis
    3. Common Deployment Scenarios
    4. Trusted Flow Bypass with Policy Based Routing
    5. Summary
  20. Chapter 7. Authentication, Authorization, and Accounting (AAA) Services
    1. AAA Protocols and Services Supported by Cisco ASA
    2. Defining an Authentication Server
    3. Configuring Authentication of Administrative Sessions
    4. Authenticating Firewall Sessions (Cut-Through Proxy Feature)
    5. Customizing Authentication Prompts
    6. Configuring Authorization
    7. Configuring Accounting
    8. Troubleshooting Administrative Connections to Cisco ASA
    9. Summary
  21. Chapter 8. Controlling Network Access: The Traditional Way
    1. Packet Filtering
    2. Configuring Traffic Filtering
    3. Advanced ACL Features
    4. Deployment Scenario for Traffic Filtering
    5. Monitoring Network Access Control
    6. Summary
  22. Chapter 9. Implementing Next-Generation Firewall Services with ASA CX
    1. CX Integration Overview
    2. ASA CX Architecture
    3. Preparing ASA CX for Configuration
    4. Managing ASA CX with PRSM
    5. Defining CX Policy Elements
    6. Enabling User Identity Services
    7. Enabling TLS Decryption
    8. Enabling NG IPS
    9. Defining Context-Aware Access Policies
    10. Configuring ASA for CX Traffic Redirection
    11. Monitoring ASA CX
    12. Summary
  23. Chapter 10. Network Address Translation
    1. Types of Address Translation
    2. Address Translation Methods
    3. Security Protection Mechanisms Within Address Translation
    4. Understanding Address Translation Behavior
    5. Configuring Address Translation
    6. DNS Doctoring
    7. Monitoring Address Translations
    8. Summary
  24. Chapter 11. IPv6 Support
    1. IP Version 6 Introduction
    2. Configuring IPv6
    3. Summary
  25. Chapter 12. IP Routing
    1. Configuring Static Routes
    2. RIP
    3. OSPF
    4. EIGRP
    5. Summary
  26. Chapter 13. Application Inspection
    1. Enabling Application Inspection
    2. Selective Inspection
    3. CTIQBE Inspection
    4. DCERPC Inspection
    5. DNS Inspection
    6. ESMTP Inspection
    7. File Transfer Protocol
    8. General Packet Radio Service Tunneling Protocol
    9. H.323
    10. Cisco Unified Communications Advanced Support
    11. HTTP
    12. ICMP
    13. ILS
    14. Instant Messenger (IM)
    15. IPsec Pass-Through
    16. MGCP
    17. NetBIOS
    18. PPTP
    19. Sun RPC
    20. RSH
    21. RTSP
    22. SIP
    23. Skinny (SCCP)
    24. SNMP
    25. SQL*Net
    26. TFTP
    27. WAAS
    28. XDMCP
    29. Summary
  27. Chapter 14. Virtualization
    1. Architectural Overview
    2. Configuration of Security Contexts
    3. Deployment Scenarios
    4. Monitoring and Troubleshooting the Security Contexts
    5. Summary
  28. Chapter 15. Transparent Firewalls
    1. Architectural Overview
    2. Restrictions When Using Transparent Firewalls
    3. Configuration of Transparent Firewalls
    4. Deployment Scenarios
    5. Monitoring and Troubleshooting Transparent Firewalls
    6. Hosts Are Not Able to Communicate
    7. Moved Host Is Not Able to Communicate
    8. General Syslogging
    9. Summary
  29. Chapter 16. High Availability
    1. Redundant Interfaces
    2. Static Route Tracking
    3. Failover
    4. Clustering
    5. Summary
  30. Chapter 17. Implementing Cisco ASA Intrusion Prevention System (IPS)
    1. IPS Integration Overview
    2. Cisco IPS Software Architecture
    3. Preparing ASA IPS for Configuration
    4. Configuring CIPS Software on ASA IPS
    5. Maintaining ASA IPS
    6. Configuring ASA for IPS Traffic Redirection
    7. Botnet Traffic Filter
    8. Summary
  31. Chapter 18. Tuning and Monitoring IPS
    1. IPS Tuning Process
    2. Risk Ratings
    3. Disabling IPS Signatures
    4. Retiring IPS Signatures
    5. Tools to Help with Monitoring and Tuning
    6. Displaying and Clearing Statistics in the Cisco ASA IPS
    7. Summary
  32. Chapter 19. Site-to-Site IPsec VPNs
    1. Preconfiguration Checklist
    2. Configuration Steps
    3. Optional Attributes and Features
    4. Deployment Scenarios
    5. Monitoring and Troubleshooting Site-to-Site IPsec VPNs
    6. Summary
  33. Chapter 20. IPsec Remote-Access VPNs
    1. Cisco IPsec Remote Access VPN Solution
    2. Advanced Cisco IPsec VPN Features
    3. L2TP over IPsec Remote-Access VPN (IKEv1)
    4. Deployment Scenarios
    5. Monitoring and Troubleshooting Cisco Remote-Access VPNs
    6. Summary
  34. Chapter 21. Configuring and Troubleshooting PKI
    1. Introduction to PKI
    2. Installing Certificates
    3. The Local Certificate Authority
    4. Configuring IPsec Site-to-Site Tunnels Using Certificates
    5. Configuring the Cisco ASA to Accept Remote-Access IPsec VPN Clients Using Certificates
    6. Troubleshooting PKI
    7. Summary
  35. Chapter 22. Clientless Remote-Access SSL VPNs
    1. SSL VPN Design Considerations
    2. SSL VPN Prerequisites
    3. Pre-SSL VPN Configuration Guide
    4. Clientless SSL VPN Configuration Guide
    5. Cisco Secure Desktop
    6. Host Scan
    7. Dynamic Access Policies
    8. Deployment Scenario
    9. Monitoring and Troubleshooting SSL VPN
    10. Summary
  36. Chapter 23. Client-Based Remote-Access SSL VPNs
    1. SSL VPN Deployment Considerations
    2. SSL VPN Prerequisites
    3. Pre-SSL VPN Configuration Guide
    4. Cisco AnyConnect Secure Mobility Client Configuration Guide
    5. Deployment Scenario of AnyConnect Client
    6. Monitoring and Troubleshooting AnyConnect SSL VPNs
    7. Summary
  37. Chapter 24. IP Multicast Routing
    1. IGMP Support
    2. PIM Sparse Mode
    3. Configuring IP Multicast Routing
    4. Troubleshooting IP Multicast Routing
    5. Summary
  38. Chapter 25. Quality of Service
    1. QoS Types
    2. QoS Architecture
    3. Configuring Quality of Service
    4. QoS Deployment Scenario
    5. Monitoring QoS
    6. Summary
  39. Index