So far in Part II, "Securing Network Infrastructures with ASDM" (the deployment section of this book), the following has been completed:
In this chapter, perimeter protection on your ASA/PIX security appliance has been deployed. Perimeter protection mitigates several different forms of attack. Most of these attacks have been DoS attacks. However, by also using restrictive access rules, you have blocked other, as yet unknown, types of attacks. Specifically, within this chapter, you
Attack mitigation was achieved with each one of the items listed. Enforcing protocol specification stops an attacker from exploiting a protocol to attack your network. This is effectively done with the inspection parameters that are enabled by default in the ASA/PIX. You stepped through an exercise customizing protocol inspections, which enabled you to dynamically create a new filter that discovers and classifies new attacks against your system. You stepped through the creation of new access rules, and you enforced restrictive inbound filtering on your security appliance, which will mitigate more attacks than you can calculate. You then went through an exercise of examining and understanding the importance of ASA/PIX timeouts. The timeout defaults are effective both in reducing the overhead caused by DoS attacks and in returning CPU and memory to the device so that it can better handle the traffic that you do want to allow through your security appliance. The remaining steps to fully deploy defense in depth in your network are covered in the following chapters:
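The three controls recapped above, restrictive inbound filtering, default protocol inspection, and connection timeouts, look like this from the ASA command line. This is an added example, not configuration from the book or from an ASDM export; the interface name `outside`, the server address 203.0.113.10 (documentation range), and the access-list name are assumed placeholders, and the timeout values shown are the appliance defaults, which you should confirm against your own software version.

```cisco
! Added example: ASA CLI equivalent of the perimeter controls summarized above.
! Interface name, ACL name and host address are placeholders chosen for illustration.
!
! 1. Restrictive inbound filtering: permit only the published HTTPS service;
!    the explicit deny drops and logs everything else arriving from outside.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! 2. Protocol inspection: the default global policy enforces protocol
!    conformance for common protocols on their well-known ports.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect esmtp
service-policy global_policy global
!
! 3. Connection timeouts (defaults): idle and half-open sessions are aged out
!    so that DoS traffic does not keep consuming connection table entries.
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout xlate 3:00:00
```

Use `show conn count` and `show service-policy inspect` on the appliance to confirm that connections are being aged out and that the inspections are actually matching traffic.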