
ECE495 Chapter Notes - Chapter 3: IPsec, Hot Standby Router Protocol, Failover


Department: Electrical and Computer Engineering
Course Code: ECE495
Professor: mint
Chapter: 3

Introduction to PIX/ASA Firewalls v1.10 – Aaron Balchunas
* * *
All original material copyright © 2007 by Aaron Balchunas (aaron@routeralley.com),
unless otherwise noted. All other material copyright © of their respective owners.
This material may be copied and used freely, but may not be altered or sold without the expressed written
consent of the owner of the above copyright. Updated material may be found at http://www.routeralley.com.
- Introduction to PIX/ASA Firewalls -
Cisco Security Appliances
Both Cisco routers and multilayer switches support the Cisco IOS Firewall
feature set, which provides firewall functionality within IOS itself.
Additionally, Cisco offers dedicated security appliances:
PIX (Private Internet eXchange)
ASA (Adaptive Security Appliance)
PIX firewalls, though still in prevalent use, are being replaced with their
ASA equivalents.
Cisco security appliances help protect against three categories of attacks:
Reconnaissance Attacks – used to document and map a network’s
infrastructure, including its vulnerabilities.
Access Attacks – used to gain unauthorized access to data or systems.
Denial of Service (DoS) Attacks – used to disrupt access to services,
often by crashing or overloading a system.
Cisco security appliances offer features to safeguard against these attacks:
Packet Filtering – permits or denies traffic based on source/destination
IP addresses, IP protocol, or TCP/UDP port numbers, using Access
Control Lists (ACLs).
Stateful Packet Inspection – tracks TCP and UDP sessions in a
connection (flow) table using the Adaptive Security Algorithm, so that
return traffic for an established session is permitted without a separate
rule, while packets that match no known session are dropped.
Proxy – serves as the “middle-man” for communication: the appliance
authenticates the user (Cisco calls this cut-through proxy) before the
connection is allowed to pass through.
Cisco security appliances employ a proprietary operating system called
Finesse (Fast InterNEt Server Executive). Cisco did not originally
develop this operating system: the PIX product line was acquired when
Cisco bought out Network Translation, Inc.
The Finesse operating system is now referred to as the PIX OS, and
employs a command-line interface that is similar to, but not quite, entirely
unlike the Cisco IOS. Various GUI interfaces are available as well,
depending on the PIX OS version, such as the PIX Device Manager (PDM)
or the Adaptive Security Device Manager (ASDM).
(Reference: http://en.wikipedia.org/wiki/Cisco_PIX)

PIX/ASA Security-Levels
Cisco security appliances protect trusted zones from untrusted zones.
Like most firewalls, a Cisco PIX/ASA will permit traffic from the trusted
interface to the untrusted interface without any explicit configuration.
However, traffic from the untrusted interface to the trusted interface must be
explicitly permitted.
Thus, any traffic from the untrusted to the trusted interface that is not
explicitly permitted is implicitly denied.
A firewall is not limited to only two interfaces, but can contain multiple ‘less
trusted’ interfaces, often referred to as Demilitarized Zones (DMZs).
To control the trust value of each interface, each firewall interface is
assigned a security level, represented as a numerical value between 0 and
100 on the Cisco PIX/ASA, where 100 is the most trusted and 0 the least.
For example, in a three-zone design the Trusted Zone (inside) could be
assigned a security level of 100, the Less Trusted Zone (DMZ) a level of 75,
and the Untrusted Zone (outside) a level of 0.
As stated previously, traffic from a higher-security to a lower-security
interface is (generally) allowed by default, while traffic from a lower-security
to a higher-security interface requires explicit permission. Two caveats lie
behind “generally”: once an access list is applied inbound on an interface,
that list and its implicit deny govern all traffic entering the interface, even
traffic bound for a lower-security interface; and traffic between two
interfaces that share the same security level is denied unless
same-security-traffic permit inter-interface is configured.
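The three-zone design above, written out in PIX 7.x / ASA configuration syntax. This is an added example, not part of the original notes; the interface names, the addresses, the DMZ web server host 192.168.50.10 and the name OUTSIDE_IN are assumptions chosen for illustration, and NAT is deliberately left out.

```cisco
! Added example (not from the original notes). Interface names, addresses
! and the DMZ web server 192.168.50.10 are assumptions for illustration.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
! inside (100) -> dmz (50) and inside -> outside (0) are higher-to-lower,
! so the security levels alone permit them; no access-list is needed.
!
! outside (0) -> dmz (50) is lower-to-higher and therefore implicitly denied.
! Permit only HTTPS to the DMZ web server. The explicit deny at the end
! matches what the implicit deny would drop anyway, but logs it.
access-list OUTSIDE_IN extended permit tcp any host 192.168.50.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

To check the result, show nameif lists each interface with its name and security level, and on ASA 7.2 and later packet-tracer input outside tcp 198.51.100.7 40000 192.168.50.10 443 walks a simulated packet through the interface, ACL and connection-table lookups and reports whether it would be allowed (the source address is a documentation-range assumption). A real deployment also needs a static translation for the web server, and on software before 8.3 the access list must reference the translated (public) address rather than 192.168.50.10. Note that nothing is applied inbound on inside here on purpose: the moment an access-group is bound to that interface, inside-to-dmz and inside-to-outside traffic is governed by that list's implicit deny rather than by the security levels.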