Description
This CCNP Security Firewall 642-617 Quick Reference study pack helps you prepare for CCNP Security Firewall certification. Format: PDF
Sample of CCNP Security Firewall 642-617 Quick Reference
Cisco ASA features include the following:
■ State-of-the-art stateful packet inspection firewall
■ User-based authentication of inbound and outbound connections
■ Integrated protocol and application inspection engines that examine packet streams at Layers 4 through 7
■ Highly flexible and extensible modular security policy framework
■ Robust virtual private network (VPN) services for secure site-to-site and remote-access connections
■ Clientless and client-based Secure Sockets Layer (SSL) VPN
■ Full-featured intrusion prevention system (IPS) services for day-zero protection against threats, including application
and operating system vulnerabilities, directed attacks, worms, and other forms of malware
■ Denial-of-service (DoS) prevention through mechanisms such as protocol verification to rate limiting connections
and traffic flow
■ Content security services, including URL filtering, antiphishing, antispam, antivirus, antispyware, and content filtering using Trend Micro technologies
■ Multiple security contexts (virtual firewalls) within a single appliance
■ Stateful active/active or active/standby failover capabilities that ensure resilient network protection
■ Transparent deployment of security appliances into existing network environments without requiring re-addressing
of the network
■ Intuitive single-device management and monitoring services with the Cisco Adaptive Security Device Manager
(ASDM) and enterprise-class multidevice management services through Cisco Security Manage
■ port: Traffic using the TCP or UDP destination port or a contiguous range of ports.
■ precedence: The precedence value represented by the Type of Service (ToS) byte in the IP header.
■ rtp: Real-Time Transport Protocol (RTP) destination port.
■ tunnel-group: VPN tunnel traffic. If you use this criterion, you can also configure the class to match a specific destination IP
address within the tunnel group.
Class maps are assigned to policy maps.
Policy Maps
The class map determines what is matched, and the policy map associates one or more actions with a class of traffic.
The policy actions that can be configured are as follows:
■ Forward the traffic flow to the Security Services Module (when present) for intrusion protection or content security and control
services by creating an intrusion prevention system (IPS) or a content security and control (CSC) policy.
■ Perform a specified protocol inspection or inspections by creating an inspection policy.
■ Police the bandwidth used by the specified flow by creating a quality of service (QoS) police policy.
■ Direct the flow to the low-latency queue by creating a QoS priority policy.
■ Set connection parameters on the flows by creating a set connection policy.
Service Policies
The service policy activates a policy map on a targeted interface or globally on all interfaces. Service policies are represented
as service policy rules in the ASDM.
Application Layer Policies
The Cisco ASA Application Inspection and Control (AIC) features provide advanced application layer (OSI Layers 5 to 7)
filtering that provides a more granular level of control for modern day applications.
This advanced inspection helps to prevent malicious content from being delivered to endpoints protected by the ASA that
would normally bypass traditional Layers 3 and 4 Access Control Lists. AIC inspection can be performed against protocols
such as HTTP, FTP, DNS, ESMTP, and other common application protocols.
The following features are provided by Application Inspection and Control (AIC) on the Cisco ASA:
■ Protocol Minimization: Enables a minimal required set of protocol features through the ASA
■ Payload Minimization: Enables transport of minimally required payloads over the application session
■ Application Layer Signatures: Enables and drops known malicious payloads in application layer sessions
■ Protocol Verification: Detects and drops anomalous application layer protocol units
Configuring HTTP Inspection
Now take a look at configuring AIC for HTTP inspection. The ASA HTTP AIC inspection can granularly parse HTTP request
and responses and enable specific value and regular expression matching against this traffic. The HTTP inspector also verifies
adherence to the HTTP protocol and performs URL filtering and checking against several built in HTTP signatures.
For this example configure a HTTP protection policy that filters application layer traffic from the outside to the web server
previously configured that needs protecting. Create a protection policy that verifies adherence to the HTTP protocol and
enables only the HTTP GET method.
■ Detection of DoS attacks
■ Failed basic firewall checks
■ Detection of suspicious Internet Control Message Protocol (ICMP) packets
■ Packets failing application inspection
■ Interface overload
■ Detection of scanning attacks
■ Detection of incomplete sessions, such as TCP SYN attacks or no data UDP session attacks
The ASA tracks two types of rates for each monitored events: the average rate and burst rate. The average rate is the average
rate over a time interval, and the burst rate is the one-tenth of the average rate or 10 seconds, whichever is the highest.
Syslog messages are generated when either of the rates for the monitored events is exceeded.
The following table shows the default threshold rates for basic threat detection.
Default Threshold Rates for Basic Threat Detection
Packet Drop Reason Average Rate Burst Rate
DoS attack detected 100 drops per second over the last 600 seconds 400 drops per second over the last 10-second period
Bad packet format
Connection limits exceeded
Suspicious ICMP packets
Scanning attack detected 5 drops per second over the last 600 seconds 10 drops per second over the last 10-second period
Incomplete session 100 drops per second over the last 600 seconds 200 drops per second over the last 10-second period
Denial by access list 400 drops per second over the last 600 seconds 800 drops per second over the last 10-second period
Basic firewall checks failed 400 drops per second over the last 600 seconds 1600 drops per second over the last 10-second period
Packet failed application
inspection
Interface overload 2000 drops per second over the last 600 seconds 8000 drops per second over the last 10-second period
Reviews
There are no reviews yet.