asa防火墙课件snpa40sl01安全平台概述

1、Lesson 1 2005 Cisco Systems, Inc. All rights reserved.SNPA v4.02-1Cisco Security Appliance Technology and FeaturesFirewall 2005 Cisco Systems, Inc. All rights reserved.SNPA v4.02-2What Is a Firewall?A firewall is a system or group of systems that manages access between two or more networks.Outside N

2、etworkDMZ NetworkInside NetworkInternetFirewall TechnologiesFirewall operations are based on one of three technologies:Packet filteringProxy serverStateful packet filteringPacket FilteringLimits information that is allowed into a network based on the destination and source addressData A BData A CInt

3、ernetDMZ:Server BInside:Server CHost AAB-YesAC-NoProxy ServerRequests connections on behalf of a client that is inside the firewall and the InternetOutside NetworkProxyServerInside NetworkInternetStateful Packet FilteringData HTTP A BInternetDMZ:Server BInside:Server CHost A0110268049091Syn0049769Sy

4、n102680Source portDestination addressSource addressInitial sequence #Destination portFlagAckState TableLimits information that is allowed into a network based not only on the destination and source addresses, but also on the packets state table contentSecurity Appliance Overview 2005 Cisco Systems,

5、Inc. All rights reserved.SNPA v4.02-8Security Appliances: What Are They?Cisco security appliances deliver enterprise-class security for small-to-medium-sized business and enterprise networks in a modular, purpose-built appliance. Some features of Cisco security appliances are:Proprietary operating s

6、ystemStateful packet inspectionUser-based authenticationProtocol and application inspectionModular policyVirtual private networkingSecurity contexts (virtual firewalls)Stateful failover capabilitiesTransparent firewallsWeb-based management solutionsProprietary Operating SystemEliminates the risks as

7、sociated with general-purpose operating systemsStateful Packet InspectionThe stateful packet inspection algorithm provides stateful connection security:It tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags.It randomizes the initial TCP sequence number o

8、f each new connection.By default, the stateful packet inspection algorithm allows connections originating from hosts on inside (higher security level) interfaces. By default, the stateful packet inspection algorithm drops connection attempts originating from hosts on outside (lower security level) i

9、nterfaces.The stateful packet inspection algorithm supports authentication, authorization, and accounting.Cut-Through Proxy OperationInternal orExternal UserISP1.The user makes a request to an ISP.2.The security appliance intercepts the connection.3.At the application layer, the security appliance p

10、rompts the user for a username and password. It then authenticates the user against a RADIUS or TACACS+ server and checks the security policy.5.The security appliance directly connects theinternal or external user to the ISP via the security appliance. Communication then takes place at a lower level

11、 of the OSI model.4.The security appliance initiates a connection from the security appliance to the destination ISP.CiscoSecureSecurity ApplianceUsername and Password RequiredEnter username for CCO at User Name:Password:OKCancelstudent1234563.Application-Aware InspectionProtocols such as FTP, HTTP,

12、 H.323, and SQL*Net need to negotiate connections to dynamically assigned source or destination ports through the firewall. The security appliance inspects packets above the network layer.The security appliance securely opens and closes negotiated ports for legitimate client-server connections throu

13、gh the firewall.FTPServerClientControlPort2008DataPort2010DataPort20ControlPort21Data - Port 2010 Port 2010 OKDataModular PolicyHeadquartersSystem EngineerInternetSite BExecutivesSite CT1InternetSEexecS2SS2S Construction of flow-based policies:Identify specific flows.Apply services to that flow.Clas

14、s MapTraffic flowDefaultInternetSystem EngineerExecutivesSite to SitePolicy MapServicesInspectIPSPolicePriorityService PolicyInterface/GlobalGlobalOutsideVirtual Private NetworkB A N KB A N KSite to SiteRemote AccessIPSec VPNSSL VPNInternetSecurity Context (Virtual Firewall)InternetInternetFour Phys

15、ical FirewallsOne Physical FirewallFour Virtual FirewallsAbility to create multiple security contexts (virtual firewalls) within a single security applianceFailover Capabilities: Active/Standby, Active/Active, and Stateful Failover Failover protects the network should the primary go offline.Active/s

16、tandbyOnly one unit can be actively processing traffic; the other is hot standby.Active/ActiveBoth units can process traffic and serve as backup units. Stateful failover maintains operating state during failover.Primary: Failed FirewallInternetSecondary: Active FirewallSecondary: Active/ActivePrimar

17、y: Failed/StandbyFailover:Active/StandbyInternetFailover:Active/Active212Contexts1Transparent FirewallHas the ability to deploy a security appliance in a secure bridging modeProvides rich Layers 2 through 7 security services as a Layer 2 deviceInternetWeb-Based Management SolutionsAdaptive Security Device ManagerSummaryThere are three firewall technologies: packet filtering, proxy server, and stateful packet filtering.Features of the Cisco PIX Firewall Security Appli