Perimeter Protection Enhancements


ASA/PIX version 7 offers six new features related to perimeter protection. All of the features are enhancements to access control lists (called access rules in ASDM):

  • Time-based access rules

  • Granular outbound access rules

  • Transparent firewall

  • Access rules for Ethernet types (used for Layer 2 transparent firewall support)

  • Selectively enable and disable control of access rules

  • IP fragment re-assembly

Time-Based Enabled Access Control Lists

ASA/PIX version 7 gives you the flexibility to control the time, day, and month during which access rules are enforced. You can use this feature to enforce policies such as allowing access to your network only during business hours, not after hours or on weekends. This enforcement helps to mitigate some attacks, because many hackers attempt to break into systems only during hours when they think administrators are not viewing logs.

You configure this feature through various ASDM panels.

You can first create the time range using the following panel:

Configuration > Features > Security Policy > Building Blocks > Time Ranges

Then apply them to security policies and access rules using the following panels:

Configuration > Features > Security Policy > Access Rules > Edit > Time Range

Configuration > Features > Security Policy > Access Rules > Add > Time Range

Granular Outbound Access Rules

ASA/PIX version 7 gives you more control over access rules by letting you choose whether an ACL is applied in the inbound or outbound direction on a selected interface.

This feature allows you to contain possible malicious traffic that might be sourced from the inside of your network by unsuspecting users who might have been infected by an e-mail virus or an attack against a vulnerable user application such as a web browser or desktop service.

This feature can be configured through the ASDM panel using either of the following operations:

Configuration > Features > Security Policy > Access Rules > Add

Configuration > Features > Security Policy > Access Rules > Edit

Transparent Firewalls

This new ASA/PIX version 7 feature enables you to create a security appliance that acts like a network bridge and is transparent to the rest of the network. With this feature enabled, the ASA/PIX Security Appliance operates as a Layer 2 device and makes the appliance invisible to hackers who might be running tools to "discover" all your network devices before they begin an attack. This feature is not configurable from ASDM and, therefore, is not covered in this book. Refer to your ASA/PIX version 7 operating system documentation or go to http://www.cisco.com/go/pix for more information.

Access Control Lists Enforcing Ethernet Types

ASA/PIX version 7 now enables you to filter ethertypes that traverse the security appliance. This functionality ensures that only IP traffic framed in the correct ethertype format traverses the security appliance. This function is used to support the new transparent firewall feature (see the previous section) and can be configured using the following ASDM panel:

Configuration > Features > Security Policy > Ethertype Rules

Enabling and Disabling of Access Control Lists

ASA/PIX version 7 now gives you the flexibility to enable or disable access rules with a single click. This flexibility can save you substantial time (for example, when you need to add a rule only for troubleshooting). Allowing ICMP through the security appliance is not something you want to do as a best practice. However, you could configure the rule, leave it disabled, and then, if you need the rule for a few minutes of troubleshooting, go into ASDM and click Enable, run your test, and disable the rule again immediately.

You configure this feature through the Access Rules panel by clicking the Enable check box.
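The ASDM panels named in the three preceding sections write ordinary ASA/PIX 7 configuration. As an added example that is not from the book, this constructed configuration fragment shows the CLI equivalent of those features: a time range referenced by a rule, rule sets applied in both the in and out direction of an interface, and a troubleshooting rule held disabled with the inactive keyword. The interface name, ACL names and addresses are assumptions.

```cisco
! Constructed ASA/PIX 7.x configuration fragment (not from the book)
!
! Time-based rule: define the range first, then reference it on the rule
time-range BUSINESS_HOURS
 periodic weekdays 8:00 to 18:00
!
! Inbound rule set on the outside interface (direction "in")
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq www time-range BUSINESS_HOURS
! ICMP rule for troubleshooting, kept disabled; ASDM's Enable check box toggles "inactive"
access-list OUTSIDE_IN extended permit icmp any host 192.0.2.10 inactive
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Granular outbound rule set on the same interface (direction "out"):
! only the mail relay may send SMTP out, so an infected inside host cannot.
! 192.0.2.25 is the relay's address as seen on the outside interface, because
! NAT runs before an outbound rule set is evaluated.
access-list OUTSIDE_OUT extended permit tcp host 192.0.2.25 any eq smtp
access-list OUTSIDE_OUT extended deny tcp any any eq smtp log
access-list OUTSIDE_OUT extended permit ip any any
access-group OUTSIDE_OUT out interface outside
```

The log keyword on the deny lines gives you a syslog record of blocked attempts, which is what you would review when checking whether an inside host is trying to relay mail.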

IP Fragment Re-Assembly

ASA/PIX version 7 has new capabilities to recognize and respond to IPv4 and IPv6 fragmented packets. These packets are subject to the same filtering as all other security appliance traffic and are then placed in a queue for reassembly. If the fragments reassemble into a valid packet, they are forwarded to their destination. If the chain never completes or the reassembled packet does not match the protocol specification, the fragments are assumed to be either erroneous or part of an attack and are dropped.

This is a significant security feature because attackers use fragmentation in many different ways to try to subvert the security appliance. You will also see this technology referred to as traffic normalization.

This feature is turned on by default and can be controlled through the ASDM panel:

Configuration > Features > Properties > Advanced > Fragment
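As an added example that is not from the book, this constructed configuration fragment shows the CLI behind the Ethertype Rules panel (previous section) and the Fragment panel (this section). The interface name and ACL name are assumptions; the fragment values shown are the appliance defaults, so pasting them changes nothing until you tighten them.

```cisco
! Constructed ASA/PIX 7.x configuration fragment (not from the book)
!
! Ethertype rules apply only in transparent (Layer 2) mode.
! Caution: changing the firewall mode clears the running configuration.
firewall transparent
!
! IP and ARP pass by default; here spanning-tree BPDUs are allowed and
! every other non-IP ethertype is explicitly denied.
access-list ETH_OUTSIDE ethertype permit bpdu
access-list ETH_OUTSIDE ethertype deny any
access-group ETH_OUTSIDE in interface outside
!
! Fragment reassembly settings edited by the Fragment panel (defaults shown).
! chain   = maximum fragments per packet; "fragment chain 1 outside" refuses
!           fragmented packets on that interface entirely
! size    = maximum fragments held in the reassembly queue
! timeout = seconds to wait for a complete chain before the fragments are dropped
fragment chain 24 outside
fragment size 200 outside
fragment timeout 5 outside
```

Lowering chain to 1 on an untrusted interface is the usual hardening step when nothing legitimate there needs fragmentation; check the interface's traffic first, because large UDP datagrams (some VPN and DNS traffic) fragment legitimately.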



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar
