Lesson 1
SNPA v5.01-1
Firewalls
What Is a Firewall?
[Figure: a firewall placed between the Internet (outside network), a DMZ network, and the inside network]
A firewall is a system or group of systems that manages access between two or more networks.
Firewall Technologies
Firewall operations are based on one of three technologies:
- Packet filtering
- Proxy server
- Stateful packet filtering
Packet Filtering
[Figure: Host A on the Internet sends data to Server B in the DMZ and to Server C on the inside network; the filter rule reads A to B: Yes, A to C: No]
Limits the traffic allowed into a network based on the source and destination address of each packet. Every packet is judged on its own: a packet filter keeps no memory of earlier packets, so return traffic for a connection opened from the inside must be permitted by a rule of its own, and that rule also admits unsolicited packets from the same source.
2007 Cisco Systems, Inc. All rights reserved. SNPA v5.01-5
Proxy Server
[Figure: a proxy server placed between the Internet (outside network) and the inside network]
A proxy server terminates the client's connection itself and opens a separate connection to the destination on the client's behalf, so traffic is examined at the application layer rather than passed through.
Stateful Packet Filtering
[Figure: Server C on the inside network opens an HTTP connection through the security appliance to Host A on the Internet; the appliance records the connection in its state table]
Limits the traffic allowed into a network based not only on the source and destination addresses, but also on the contents of the state table: an entry is created when a connection is opened (the initial SYN), and later packets, including the return traffic from the Internet, are permitted only if they match an existing entry.
State table entry fields:
- Source address
- Destination address
- Source port
- Destination port
- Initial sequence number
- ACK flag
- SYN flag
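The two slides above contrast a packet filter that judges each packet alone with a stateful filter that consults a table of open connections. The following is an added example, not part of the SNPA course material: it models both filters over the same constructed packet trace (Host A on the Internet, Server B in the DMZ, Server C inside, as in the figures; the addresses, ports, sequence numbers and the rule set are assumptions made for the demo) and shows where the stateless rule "A to C: No" breaks the return traffic of a connection Server C opened, while the stateful filter admits that reply only if it acknowledges the recorded initial sequence number and still drops an unsolicited SYN from Host A.

```python
"""Stateless vs. stateful packet filtering, modelled on the two slides above.

Added example, not part of the SNPA course material. Topology follows the
slides (Host A on the Internet, Server B in the DMZ, Server C inside);
addresses, ports, sequence numbers and rules are constructed for the demo.
"""
from dataclasses import dataclass

HOST_A = "203.0.113.10"   # Internet host (constructed, documentation range)
SERVER_B = "192.0.2.80"   # DMZ web server (constructed)
SERVER_C = "10.0.0.5"     # inside server (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack_num: int = 0
    syn: bool = False
    ack: bool = False


# --- Packet filtering: one decision per packet, based on addresses only ---
# First matching rule wins; default deny. "A to B: Yes, A to C: No" from the
# figure, plus an outbound permit so that Server C may open connections at all.
STATELESS_RULES = [
    (HOST_A, SERVER_B, True),
    (HOST_A, SERVER_C, False),
    (SERVER_C, HOST_A, True),
]


def stateless_filter(pkt: Packet) -> bool:
    """Permit or deny on (source, destination) with no memory of earlier packets."""
    for src, dst, permit in STATELESS_RULES:
        if pkt.src == src and pkt.dst == dst:
            return permit
    return False


# --- Stateful packet filtering: decisions consult a state table ---
class StatefulFilter:
    """Records connections in a table keyed on addresses and ports, with the
    initial sequence number and the handshake state, as on the slide."""

    def __init__(self, inside_hosts, inbound_services):
        self.inside = frozenset(inside_hosts)
        self.services = frozenset(inbound_services)   # (addr, port) reachable from outside
        # key: (initiator addr, initiator port, responder addr, responder port)
        self.table: dict = {}

    def _may_open(self, pkt: Packet) -> bool:
        return pkt.src in self.inside or (pkt.dst, pkt.dport) in self.services

    def filter(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn and not pkt.ack:
            # New connection: the policy decides, and the ISN is recorded.
            if not self._may_open(pkt):
                return False
            self.table[fwd] = {"isn": pkt.seq, "established": False}
            return True
        if fwd in self.table:
            # Initiator -> responder after the SYN: only once the handshake completed.
            return self.table[fwd]["established"] and pkt.ack
        entry = self.table.get(rev)
        if entry is None:
            return False                     # no state: unsolicited traffic is dropped
        if pkt.syn and pkt.ack:
            # The SYN-ACK must acknowledge the ISN recorded from the initiator's SYN.
            if pkt.ack_num != entry["isn"] + 1:
                return False
            entry["established"] = True
            return True
        return entry["established"] and pkt.ack


# Constructed trace: Server C opens HTTP to Host A; Host A probes the inside and the DMZ.
TRACE = [
    ("C -> A SYN (opens HTTP)",        Packet(SERVER_C, HOST_A, 40000, 80, seq=1000, syn=True)),
    ("A -> C forged SYN-ACK, bad ack", Packet(HOST_A, SERVER_C, 80, 40000, seq=9, ack_num=4242, syn=True, ack=True)),
    ("A -> C SYN-ACK (real reply)",    Packet(HOST_A, SERVER_C, 80, 40000, seq=5000, ack_num=1001, syn=True, ack=True)),
    ("C -> A ACK (handshake done)",    Packet(SERVER_C, HOST_A, 40000, 80, seq=1001, ack_num=5001, ack=True)),
    ("A -> C HTTP response data",      Packet(HOST_A, SERVER_C, 80, 40000, seq=5001, ack_num=1001, ack=True)),
    ("A -> C unsolicited SYN to :22",  Packet(HOST_A, SERVER_C, 50000, 22, seq=7000, syn=True)),
    ("A -> B SYN to DMZ web server",   Packet(HOST_A, SERVER_B, 50001, 80, seq=8000, syn=True)),
]


def run_trace(trace=TRACE):
    """Return (label, stateless decision, stateful decision) for each packet, in order."""
    stateful = StatefulFilter(inside_hosts={SERVER_C}, inbound_services={(SERVER_B, 80)})
    return [(label, stateless_filter(p), stateful.filter(p)) for label, p in trace]


if __name__ == "__main__":
    print(f"{'packet':34} stateless  stateful")
    for label, a, b in run_trace():
        print(f"{label:34} {'permit' if a else 'deny':10} {'permit' if b else 'deny'}")
```

Running the block prints one line per packet. The stateless filter denies both the real SYN-ACK and the HTTP response that Server C asked for, because the only rule it can consult says A to C: No; loosening that rule would also admit the probe to port 22. The stateful filter admits the reply and the data because they match the entry created by Server C's SYN, rejects the forged SYN-ACK because its acknowledgement number does not equal the recorded initial sequence number plus one, and drops the unsolicited SYN because no entry and no inbound service permits it.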
The stateful packet inspection algorithm supports authentication, authorization, and accounting.
Cut-Through Proxy
[Figure: the security appliance prompts the user for credentials ("Enter username for CCO at www.com", username student) before the connection to the ISP is allowed]
4. The security appliance initiates a connection from itself to the destination ISP.
5. The security appliance then connects the internal or external user directly to the ISP. Once the user is authenticated, the rest of the session is handled by the stateful packet inspection engine at a lower layer of the OSI model rather than by the application-layer proxy.
Modular Policy
[Figure: headquarters security appliance with an Internet T1 link; flows from a system engineer (SE), executives (exec), the Internet, and site-to-site (S2S) tunnels to Site B and Site C]
Class Map: identifies traffic flows, for example Default Internet, Systems Engineer, Executives, Site to Site
Policy Map: the services applied to each class, for example Inspect, IPS, Police, Priority
Service Policy: where the policy map is activated, on an interface (for example Outside) or globally
Construction of flow-based policies:
1. Identify specific flows (class map).
2. Apply services to that flow (policy map), and activate the policy on an interface or globally (service policy).
Security Contexts
[Figure: one security appliance partitioned into several virtual firewalls, each with its own Internet connection]
Ability to create multiple security contexts (virtual firewalls) within a single security appliance.
Failover
[Figure: two security appliances in Active/Active failover; each unit is active for one of the contexts and secondary for the other]
Failover protects the network if the primary security appliance goes offline.
- Active/Standby: only one unit actively processes traffic; the other is a hot standby.
- Active/Active: both units process traffic and each serves as backup for the other (in the figure, each unit is active for a different security context).
- Stateful failover replicates connection state to the other unit, so established sessions survive the switchover.
Transparent Firewall
[Figure: hosts 192.168.1.5 and 192.168.1.2 on either side of the security appliance, in the same IP subnet, with the Internet beyond]
In transparent mode the security appliance forwards frames between two interfaces that sit in the same IP subnet, as the addresses 192.168.1.5 and 192.168.1.2 in the figure show, so it can be inserted into an existing network without readdressing or rerouting; it is not a routed hop.
Summary
There are three firewall technologies: packet filtering, proxy server, and stateful packet filtering.
Features of the Cisco PIX security appliances and Cisco ASA security appliances include the following:
- proprietary operating system
- stateful packet inspection
- cut-through proxy
- stateful failover
- modular policy
- VPNs
- transparent firewall
- security contexts
- web-based management