Firewall Techniques
network layer access control
decisions based on Layers 2 through 4, or the data link, network, and transport layers.
application layer access control
Layers 5 through 7, or the session, presentation, and application layers.
- Permissive access control. Reactive. All traffic is allowed to pass through unless it is explicitly blocked.
- Restrictive access control. Proactive. No traffic is allowed to pass through unless it is explicitly allowed.
Stateless Packet Filtering
Decisions to forward or block a packet are made on each packet
Stateful Packet Filtering (SPF)
Keep track of individual connections or sessions as packets are encountered. The firewall must maintain a state table for each active connection that is permitted, to verify that the pair of hosts is following an expected behavior as they communicate.
Stateful Packet Filtering with Application Inspection and Control (SPF with AIC)
To move beyond stateful packet filtering, firewalls must add additional analysis at the application layer. Inspection engines in the firewall reassemble UDP and TCP sessions and look inside the application layer protocols that are passing through. Application inspection and control (AIC) filtering, also known as deep packet inspection (DPI), can be
Network Intrusion Prevention System of course :)
Network Behavior Analysis (NBA)
Network behavior analysis systems examine network traffic over time to build statistical models of normal, baseline activity. Once the models are built, an NBA system can trigger on any activity that it considers to be an anomaly or that falls outside the normal conditions. In fact, NBA systems are often
called anomaly-based network IPSs.
Application Layer Gateway (Proxy) (ALG)
An application layer gateway or proxy is a device that acts as a gateway or intermediary between clients and servers.
NOTE COMMAND
ciscoasa# show <command> ... | {begin | include | exclude | grep [-v]}
ciscoasa(config)# boot config url
ciscoasa# show bootvar
ciscoasa(config)# wr
■ clear configure all: Clears the entire running configuration
■ clear configure primary: Clears all commands related to connectivity, including the ip address, mtu, monitor-interface, boot, route, failover, tftp-server, and shun commands
■ clear configure secondary: Clears all commands not related to ASA connectivity
■ clear configure command: Clears all commands that use the command keyword
ciscoasa# show running-config access-list test
access-list test extended permit ip any any
ciscoasa(config)# no access-list test
ERROR: % Incomplete command
ciscoasa(config)# clear configure access-list test
ciscoasa# rename backup-config config-old
ciscoasa# delete [/noconfirm] [/recursive] [device:]path
ciscoasa# reload at hh:mm [day month | month day]
ciscoasa# reload in {mm | hhh:mm}
ciscoasa# reload cancel
and ? of cource
ciscoasa# show nameif
Configuring Interface Redundancy
To keep an ASA interface up and active all the time, you can configure physical interfacesas redundant pairs. As a redundant pair, two interfaces are set aside for the same ASA function (inside, outside, and so on), and connect to the same network. Only one of the interfaces is active at any given time; the other interface stays in a standby state. As soon as the active interface loses its link status and goes down, the standby interface becomes active and takes over passing traffic.
ciscoasa(config)# interface redundant 1 ciscoasa(config-if)# member-interface ethernet0/0 INFO: security-level and IP address are cleared on Ethernet0/0. ciscoasa(config-if)# member-interface ethernet0/1 INFO: security-level and IP address are cleared on Ethernet0/1. ciscoasa(config-if)# no shutdown
Configuring VLAN Interfaces
ciscoasa(config)# interface ethernet0/3 ciscoasa(config-if)# no shutdown ciscoasa(config-if)# interface ethernet0/3.1 ciscoasa(config-subif)# vlan 10 ciscoasa(config-subif)# no shutdown ciscoasa(config-subif)# interface ethernet0/3.2 ciscoasa(config-subif)# vlan 20 ciscoasa(config-subif)# no shutdown
Комментариев нет:
Отправить комментарий