
© 2004, 2005 Cisco Systems, Inc. All rights reserved.
Network Security 1

Module 3 – Security Devices



Learning Objectives

3.1 Device Options
3.2 Using Security Device Manager
3.3 Introduction to the Cisco Security Appliance Family
3.4 Getting Started with the PIX Security Appliance
3.5 PIX Security Appliance Translations and Connections
3.6 Manage a PIX Security Appliance with Adaptive Security Device Manager
3.7 PIX Security Appliance Routing Capabilities
3.8 Firewall Services Module Operation



Module 3 – Security Devices

3.1 Device Options



Sample Firewall Topology



IOS Firewall: Network Integrated Solutions (figure)

• Security Offerings (VPN, Firewall, Intrusion Protection, V3PN): IPsec, PKI, CBAC Stateful Inspection, IDS, SSH, SSL, ACL, AAA, NAT, MSCHAPv2, L2TP/EAP, 802.1X
• IP Services: VoIP, MPLS, Multicast, Application Aware QoS, NetFlow, IP Comp, Multiprotocol, BGP, EIGRP, OSPF, DHCP/DNS, GRE
• Operating System Foundation: Secure Device Access by Authentication, Command Privilege Level per user via AAA, Authorization via AAA, uRPF (Unicast Reverse Path Forwarding), Activity Logging, SNMPv3, HTTPS, Secure ARP


PIX Security Appliance Lineup

(figure: PIX 501, 506E, 515E, 525 and 535 placed by performance and connectivity against the SOHO, ROBO, SMB, Enterprise and Service Provider segments; features listed: Stateful Inspection Firewall, Appliance is Hardened OS, IPSec VPN, Integrated Intrusion Detection, Hot Standby/Stateful Failover, Easy VPN Client/Server, VoIP Support, Gigabit Ethernet)

Adaptive Security Appliance Lineup



Catalyst Switch Integration

(figure: appliance capabilities (Virtual Private Network, Firewall, IDS) alongside Cisco infrastructure Security Services Modules (VPN, Firewall, SSL, NAM, IDS))

Module 3 – Security Devices

3.2 Using Security Device Manager



Security Device Manager (SDM)



Obtaining SDM

• SDM is factory loaded on supported routers manufactured as of June 2003.
• Always check www.cisco.com/go/sdm for the latest information regarding SDM support.
• SDM cannot be ordered independently of the router.



Startup Wizard: Welcome Window



SDM Main Window Layout and Navigation

(figure: menu bar, toolbar, router information pane, configuration overview pane)


SDM Wizard Options

• LAN Configuration: Configure LAN interfaces and DHCP.
• WAN Configuration: Configure PPP, Frame Relay, and HDLC WAN interfaces.
• Firewall: Access two types of firewall wizards:
– Simple inside/outside.
– Advanced inside/outside/DMZ with multiple interfaces.
• VPN: Access three types of VPN wizards:
– Secure site-to-site VPN
– Easy VPN
– GRE tunnel with IPSec VPN
• Security Audit: Performs a router security audit and offers a button for router lockdown.
• IPS:
• QOS:
• Routing:

WAN Wizard: Create a New WAN Connection



Reset to Factory Default Wizard



Monitor Mode

(figure: Overview, Interface Stats, Firewall Stats, VPN Stats)


Monitor Interface Status



Monitor Firewall Status



Monitor VPN Status



Monitor Logging



Module 3 – Security Devices

3.3 Introduction to the Cisco Security Appliance Family



PIX Security Appliance Family



PIX Security Appliance 501 Front Panel LEDs

(figure: Power, Link/Act, VPN tunnel, 100 MBPS)


PIX Security Appliance 501 Back Panel

(figure: 4-port 10/100 switch (RJ-45), Console port (RJ-45), Security lock slot, 10BaseT port (RJ-45), Power connector)


PIX Security Appliance 506E Front Panel LEDs

(figure: Network LED, Power LED, Active LED)


PIX Security Appliance 506E Back Panel

(figure: two 10BaseT ports (RJ-45), each with ACT(ivity) and LINK LEDs; USB port; Console port (RJ-45); Power switch)


PIX Security Appliance 515E Front Panel LEDs

(figure: Network LED, Power LED, Active LED indicating the active failover firewall)


PIX Security Appliance 515E Back Panel

(figure: Ethernet 1 and Ethernet 0 10/100BaseTX ports (RJ-45), each with 100 Mbps, LINK and FDX LEDs; Failover connector with LINK LED; Console port (RJ-45); Power switch)


PIX Security Appliance 515E Quad Card

Using the quad card requires the PIX Security Appliance 515E-UR license.



PIX Security Appliance 515E Two Single-Port Connectors

Using two single-port connectors requires the PIX Security Appliance 515E-UR license.


PIX Security Appliance 525 Front Panel LEDs

(figure: Power LED, Active LED)


PIX Security Appliance 525 Back Panel

(figure: Ethernet 1 and Ethernet 0 10/100BaseTX ports (RJ-45), each with ACT(ivity) and LINK LEDs; 100Mbps LED; Failover connection; USB port; Console port (RJ-45))


PIX Security Appliance 535 Front Panel LEDs

(figure: Power, ACT)


PIX Security Appliance 535 Board Install

(figure: DB-15 failover port, USB port, Console RJ-45; card slots 0-8 on three buses: Bus 0 (64-bit/66 MHz, slots 0-1), Bus 1 (64-bit/66 MHz, slots 2-3), Bus 2 (32-bit/33 MHz, slots 4-8); card types 1FE, 4FE, 1GE-66, VAC)


PIX Security Appliance 535 Back Panel

(figure: DB-15 failover port, USB port, Console RJ-45, card slots 0-8)


ASA5510 Adaptive Security Appliance

• Up to five 10/100 Fast Ethernet interfaces
• Optional Security Services Module (SSM) slot which provides inline IPS.
• Throughput of 100 Mbps with the ability to handle up to 64,000 concurrent connections.
• Supports active/standby failover.
• Can deliver 150 Mbps IPS throughput when an AIP SSM model 10 is added to the appliance.


ASA5520 Adaptive Security Appliance

• Four 10/100/1000 Gigabit Ethernet interfaces
• Supports an SSM slot which provides inline IPS.
• Throughput of 200 Mbps with the ability to handle up to 130,000 concurrent connections.
• Supports active/standby and active/active failover.
• Can deliver 375 Mbps IPS throughput when an AIP SSM model 20 is added to the appliance.


ASA5540 Adaptive Security Appliance

• Four 10/100/1000 Gigabit Ethernet interfaces
• One 10/100 Fast Ethernet management interface
• Optional Security Services Module slot which provides inline IPS.
• Throughput of 400 Mbps with the ability to handle up to 280,000 concurrent connections.
• Can deliver 450 Mbps IPS throughput when an AIP SSM model 20 is added to the appliance.


Module 3 – Security Devices

3.4 Getting Started with the PIX Security Appliance


User Interface

• Unprivileged mode – This mode is available when the PIX is first accessed. The > prompt is displayed. This mode provides a restricted, limited view of PIX settings.
• Privileged mode – This mode displays the # prompt and enables users to change the current settings. Any unprivileged command also works in privileged mode.
• Configuration mode – This mode displays the (config)# prompt and enables users to change system configurations. All privileged, unprivileged, and configuration commands work in this mode.
• Monitor mode – This is a special mode that enables users to update the image over the network or to perform password recovery. While in monitor mode, users can enter commands specifying the location of the TFTP server and the PIX software image or password recovery binary file to download.


Security Levels

• Higher security level interface to a lower security level interface – For traffic originating from the inside interface of the PIX with a security level of 100 to the outside interface of the PIX with a security level of 0, all IP-based traffic is allowed unless it is restricted by ACLs, authentication, or authorization.
• Lower security level interface to a higher security level interface – For traffic originating from the outside interface of the PIX with a security level of 0 to the inside interface of the PIX with a security level of 100, all packets are dropped unless specifically allowed by an access-list command. The traffic can be restricted further if authentication and authorization are used.
• Same security level interface to a same security level interface – No traffic flows between two interfaces with the same security level.


Basic Commands

• hostname – Assigns a hostname to the PIX.
• interface – Configures the type and capability of each perimeter interface.
• nameif – Assigns a name to each perimeter interface.
• ip address – Assigns an IP address to each interface.
• security-level – Assigns the security level for the perimeter interface.
• speed – Assigns the connection speed.
• duplex – Assigns the duplex communications.
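The security-level rules above, together with the nameif, security-level and access-list commands, as an added Python model (not Cisco's code and not from the slides): it parses a constructed PIX 7.x style configuration fragment and decides whether a flow between two named interfaces is permitted. The access-list grammar is reduced to a single "permit PROTO any host IP eq PORT" form, an assumption made for the example.

```python
import re

# Constructed PIX 7.x style configuration fragment (not from the slides); the
# access-list syntax is reduced to the "permit PROTO any host IP eq PORT" form.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif inside
 security-level 100
interface Ethernet2
 nameif dmz
 security-level 50
interface Ethernet3
 nameif partner
 security-level 50
access-list OUTSIDE_IN extended permit tcp any host 172.16.0.10 eq 80
access-group OUTSIDE_IN in interface outside
"""

ACE = re.compile(r"access-list (\S+) extended permit (\S+) any host (\S+) eq (\d+)")


def parse_config(text):
    """Collect nameif -> security-level, ACL entries, and ACL-to-interface bindings."""
    levels, acls, bound, name = {}, {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "nameif":
            name = tok[1]                      # name of the interface block being read
        elif tok[0] == "security-level":
            levels[name] = int(tok[1])
        elif tok[0] == "access-list":
            m = ACE.match(line)
            if m:
                acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), int(m.group(4))))
        elif tok[0] == "access-group":         # access-group NAME in interface IFNAME
            bound[tok[4]] = tok[1]
    return levels, acls, bound


def allowed(cfg, src_if, dst_if, proto, dst_host, port):
    """Same level blocks; an applied ACL governs (implicit deny); else higher-to-lower passes."""
    levels, acls, bound = cfg
    if levels[src_if] == levels[dst_if]:
        return False
    if src_if in bound:
        return (proto, dst_host, port) in acls.get(bound[src_if], [])
    return levels[src_if] > levels[dst_if]
```

Binding an ACL to the outside interface is what lets the single web server in the DMZ be reached from outside while every other lower-to-higher flow still hits the implicit deny.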


Additional Commands

• nat-control – Enables or disables the NAT configuration requirement.
• nat – Shields IP addresses on the inside network from the outside network.
• global – Creates a pool of one or more IP addresses for use in NAT and PAT.
• route – Defines a static or default route for an interface.


Module 3 – Security Devices

3.5 PIX Security Appliance Translations and Connections


UDP



NAT



Access through the PIX Security Appliance


PAT



Static Translation



Identity NAT



Multiple Interfaces



Module 3 – Security Devices

3.6 Manage a PIX Security Appliance with Adaptive Security Device Manager


Adaptive Security Device Manager (ASDM)



ASDM Compatibility



ASDM Home Window



Module 3 – Security Devices

3.7 PIX Security Appliance Routing Capabilities


VLANs



Static Routes



Routing with RIP



Routing with OSPF



Module 3 – Security Devices

3.8 Firewall Services Module Operation



Firewall Services Module (FWSM)

• Designed for high-end enterprise and service providers
• Runs in Catalyst 6500 switches and 7600 Series routers
• Based on PIX Security Appliance technology
• PIX Security Appliance 6.0 feature set (some 6.2)
• 1 million simultaneous connections
• Over 100,000 connections per second
• 5 Gbps throughput
• Up to 4 can be stacked in a chassis, providing 20 Gbps throughput
• 1 GB DRAM
• Supports 100 VLANs
• Supports failover


FWSM in the Catalyst 6500 Switch

(figure: chassis with slots 1-9 numbered top to bottom; labelled parts: supervisor engine, redundant supervisor engine, 48 port 10/100 Ethernet module, switch fabric module, 16 port GBIC module, FWSM, fan assembly, power supply 1, power supply 2, ESD ground strap connector)

FWSM in the Cisco 7609 Internet Router

(figure: chassis with slots 1-9 numbered right to left; labelled parts: supervisor engine, fan assembly, FWSM, switch fabric module, power supply 1, power supply 2, ESD ground strap connection)

