FIREWALLS


A firewall is a traffic control point between a private network and one or more public networks. It's a gateway that selectively decides what may enter or leave a protected network. To do this, a firewall must be the sole gateway between the network it protects and the outside. If traffic can go around a firewall, the security it provides is worthless. A basic tenet is that all inbound and outbound traffic must pass through the firewall. A normal router could serve as a rudimentary firewall if it were configured as a choke point. Figure 7-1 shows how a firewall acts as a funnel through which all traffic must pass.

Figure 7-1: A firewall is partly defined by its position as a traffic bottleneck

There is a necessary trade-off between security and network performance. If you substituted cars and trucks for IP packets in Figure 7-1, you'd see traffic from several highways squeezed through a single on-ramp. If security weren't a concern, to boost performance, private internetworks would be surrounded on all sides by routers.

Firewall Basics

In simple terms, a firewall is a traffic filter. Traffic enters through one network interface and leaves through another, and in basic firewalls, messages are handled at the network layer (layer 3) of the seven-layer OSI model. Higher security application-filtering firewalls handle messages and filter at layer 7 as well.

Firewalls operate by intercepting and inspecting each packet that enters any of their network interfaces. The inspections vary according to the firewall's sophistication and how tight the security policy is. But the goal is always to identify a match between each packet's contents and the security rules the firewall has been programmed to enforce. The basic steps of intercepting and inspecting packets are shown in Figure 7-2.

Figure 7-2: Firewalls inspect all packets and apply security rules to them

There's nothing fancy about how a firewall intercepts traffic. It does so by funneling all traffic entering its network interfaces over a single path (called a data bus in computer terminology). By having all traffic pass through the firewall's internal data bus and memory, software running on the central processing unit (CPU) is given the opportunity to check each packet against the security rules it's been programmed to enforce.

The actual inspection on a packet filtering firewall is done by reading the packet's header for conditions that match rules set up in security tables. Security tables usually include dozens of rules, each designed to explicitly accept or reject specific kinds of traffic by applying a pass/fail test to the packet. If the packet passes, it's forwarded to its destination. If it fails, the packet is dropped at the network interface and ceases to exist.

Firewalls Map Out a Defensive Landscape

Routers tend to take a friendly view of the world. They focus on addresses and the best routes to deliver messages to them. By contrast, firewalls take a militaristic view of things where addresses are still important, but for inspection and clearance instead of delivery. Firewalls define the world as either inside networks or outside networks, with the division made according to what lies beyond the security perimeter. The security perimeter itself is established by one or more firewalls placed between the secured network and the outside. The firewall places every network it encounters into one of three classifications:

  • Trusted network Inside the security perimeter and under complete administrative control of the enterprise.

  • Untrusted network Outside the security perimeter and known to the firewall, but beyond the enterprise's administrative control.

  • Unknown network A network that the firewall has received no information or instructions about-this includes almost the entire Internet. Of course, unknown networks are untrusted networks.

The security perimeter is drawn right down the middle of the firewall, with the physical configuration of the device itself defining what's internal and external. The network interfaces on the firewall are designated as internal (inside), external (outside), and DMZ (in some cases) interfaces. The network attached to each interface in turn takes on its interface's designation. In Figure 7-3, for example, network 10.1.13.0 is attached to an inside interface, and thus is defined as being inside the security perimeter, and therefore a trusted network.

Figure 7-3: Firewalls define security perimeters and classify networks accordingly

In terms of network security, administrative control is the ability to do such things as assign IP addresses, issue user accounts and passwords, and maintain network device configuration files. Usually, the network media-LANs and WANs-over which a secured network operates are owned and controlled by the enterprise. The major exception to this is the VPN, which runs mostly over intermediate network segments that are operated by somebody else but that are still regarded as trusted networks.

Security Is a Matter of Policy, Not Technology

Internetwork security isn't just a matter of how much control you can exert, it's also how much you choose to exert. Much like the trade-off between security and performance, a trade-off also exists between security and connectivity. In theory, any LAN could have an externally impenetrable security posture by simply unplugging all routers, switches, and modems leading to the outside.

But enterprises are compelled to connect to the outside because the benefits of connectivity outweigh the risk it brings. In fact, almost all businesses are now connected to the most unknown and dangerous public network of all: the Internet. Every time you hit a company's Web site to look up information, download software, or place an order, that enterprise has taken a calculated risk by letting you access some part of its system. Most enterprises need to open their internal networks to the public to at least some degree. Businesses do it to sell and support, governments to serve, and educational organizations to teach. Firewalls try to help accommodate this intentional security compromise by defining a middle ground called a demilitarized zone, or DMZ for short. Figure 7-4 shows a typical DMZ configuration.

Figure 7-4: Many firewall configurations include a DMZ to run public servers

LAN segments on the firewall's outside are called the external perimeter networks, and ones on the inside are called internal perimeter networks. Usually, each perimeter network has a router attached, and access lists are typically configured to block some "bad" traffic. However, the bulk of the traffic is allowed to go to the firewall, where it can do its job of inspecting the traffic for malicious intent and performing "block or allow" enforcement based upon rules defined on the firewall. The outside router is often referred to as the screening or shield router, and it usually has an Internet service provider (ISP) attached to at least one of its interfaces. In addition to Internet-to-intranet duty, the firewall (or firewalls) is also called upon to protect the servers in the DMZ from attack and to restrict what those servers are allowed to communicate with on the intranet. The key point to understand is that a firewall is a critical part of a secure environment that is purpose-built to protect the intranet and the DMZ from malicious traffic and to enforce specific security rules as defined by its owner (or administrator).

How Firewalls Work

Security rules can be defined globally so that they apply to the entire firewall, and other more specific rules can be defined and applied to a specific network interface. This is true whether the firewall is a router trying to serve as a firewall or a high-tech dedicated device, such as the Cisco PIX Firewall or Cisco ASA. Generally speaking, each packet or flow is inspected and then filtered based on rules applied to the specific network interface card through which it entered the firewall. The act of configuring a firewall, then, is largely a matter of assigning security rules to each firewall interface.

The Access List Is the Most Basic Internetwork Security Tool

The simplest form of network security technology is the access list. It's not much of a firewall anymore, but it is certainly useful in a variety of situations. Also called an access control list (ACL), or filter, the access list is a basic component of any firewall's configuration. As the name implies, the access list restricts certain traffic from gaining access to a network. It provides a basic level of network security by filtering packets according to these criteria:

  • Source and destination IP address The IP address from which the packet originated and is addressed

  • Source and destination port number The port number from which the packet originated and is addressed

  • Source and destination protocol number The protocol number from which the packet originated or is addressed

Cisco calls these extended access lists-the extension being the port number, protocol number (source and/or destination), and/or destination IP address. Early Cisco products used only source addresses, which were referred to as standard access lists. But don't be misled by this terminology; extended access lists are the basic type of access lists being used now.

Note 

Port numbers (also called network ports or just ports) aren't physical interface ports like S0 or E3. Messages sent using the TCP or UDP transport-layer protocols (layer 4) use port numbers to identify which application protocol the transmission will run. For example, the number for HTTP (WWW) is port 80; SMTP's port is 25; and FTP's ports are 20 and 21.

Network administrators create access lists in the router's configuration file. One access list is created for each network interface. If an interface handles traffic in multiple network protocols-for example, IP, IPX, and AppleTalk-each network protocol has its own access list format. Therefore, a separate access list must be created for each protocol to run over that network interface. Regardless of the network protocol used, each criterion (access rule) occupies a line on the list. Figure 7-5 depicts how access lists work. This example uses a router restricting the flow of traffic between departments within an organization.

Figure 7-5: An access list filters packets at each router interface

As each packet attempts to enter an interface, its header is examined to see if anything matches the access list. The router is looking for positive matches. Once it finds a match, no further evaluations are performed. If the rule matched is a permit rule, the packet is forwarded out a network interface on the other side of the router. If the matched rule is a deny, the packet is dropped right there at the interface.

If a packet's evaluation runs all the way to the bottom of the access list without a match, it is dropped by default. This mechanism is called the implicit deny rule, which provides an added measure of security by dealing with conditions not anticipated in the access list.

The router evaluates the packet one rule at a time, working its way from the top line to the bottom. The bottom part of Figure 7-6 is an example taken from a router's access list.

Figure 7-6: Access list statements are security rules

Each line in the list is a rule that either permits or denies a specific type of traffic. The top of Figure 7-6 charts the parts of a rule's statement, starting with the access-list command followed by various modifiers. Keep in mind that this example is for IP; syntax varies slightly for IPX, AppleTalk, and other non-IP network protocols.

A cohesive access list is created by using a common access list name at the beginning of each statement for an IP access list. Each statement must declare a transport protocol, such as the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), or the Internet Control Messaging Protocol (ICMP). If the rule involves a network application, the statement must first declare a transport protocol and end with the application protocol. In the example rule at the top of Figure 7-6, the transport protocol is TCP, and the application protocol is HTTP.

Keep in mind that ACLs can have other protocols as well:

  • ahp Authentication Header Protocol

  • eigrp Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP) routing protocol

  • esp Encapsulation Security Payload

  • gre Cisco's Generic Routing Encapsulation (GRE) tunneling

  • icmp Internet Control Message Protocol

  • igmp Internet Gateway Message Protocol

  • ip Any Internet Protocol

  • ipinip IP in IP tunneling

  • nos KA9Q NOS compatible IP over IP tunneling

  • ospf Open Shortest Path First (OSPF) routing protocol

  • pcp Payload Compression Protocol

  • pim Protocol Independent Multicast

  • tcp Transmission Control Protocol

  • udp User Datagram Protocol

To apply a rule to incoming traffic, you must put the outside host's IP address in the from position, which always precedes the to position. This order is reversed so as to restrict outbound traffic. The modifier any is used to indicate all networks. The statement at the top of Figure 7-6, then, is saying, "Permit host 209.98.208.25 to access any network in order to run the HTTP application over TCP."

The access list is activated on an interface by using the access-group command, as shown in the following code snippet. The first line "points" the IOS to the serial0 interface, and the second line applies access list 100 to all incoming traffic trying to enter through serial0:

    MyRouter(config)# interface serial0
    MyRouter(config-if)# ip access-group 100 in

Routers look for matches between packet header content and the interface's access list. A catch would be a source address, destination address, protocol, or port number. If the matched rule is a permit rule, the packet is forwarded. If, however, a deny rule is matched, the packet is dropped without evaluating against any rules further down the list.

An access list can have as many filtering rules as desired, with the practical limit being the amount of router memory you wish to use for security filtering instead of productive routing. Because access list rules are evaluated from top to bottom, the most frequently encountered matches should be put toward the top of the list so as not to waste router CPU cycles.
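The top-to-bottom, first-match evaluation and the implicit deny described above, as an added simulation (not Cisco IOS code and not from the book); it parses a subset of the extended access-list syntax charted in Figure 7-6, evaluates constructed packets against a constructed list, and adds a shadowing check that flags rules an earlier, broader rule prevents from ever matching. The host addresses 172.16.5.9, 10.1.13.7, 10.1.13.53 and 198.51.100.4 are made up for the sample.

```python
import ipaddress
from collections import namedtuple

# Service keywords IOS accepts in place of a port number (subset).
WELL_KNOWN = {"www": 80, "smtp": 25, "ftp": 21, "telnet": 23, "domain": 53}
ANY = (0, 0xFFFFFFFF)   # address 0 with an all-ones wildcard: matches every address

Packet = namedtuple("Packet", "proto src dst sport dport")       # proto: tcp/udp/icmp
# src/dst are (address, wildcard) integer pairs; sport/dport are None when unrestricted.
Rule = namedtuple("Rule", "action proto src sport dst dport")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(t, i):
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2          # "A.B.C.D WILDCARD"

def _parse_port(t, i):
    if i < len(t) and t[i] == "eq":
        return WELL_KNOWN.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_rule(line):
    """Parse one 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' statement."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported statement: {line!r}")
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Rule(t[2], t[3], src, sport, dst, dport)

def _addr_match(spec, addr):
    base, wild = spec
    return (_ip(addr) | wild) == (base | wild)     # wildcard bits are "don't care"

def _matches(r, p):
    return ((r.proto == "ip" or r.proto == p.proto)
            and _addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)
            and (r.sport is None or r.sport == p.sport)
            and (r.dport is None or r.dport == p.dport))

def evaluate(rules, p):
    """Top to bottom; the first match decides and nothing below it is consulted."""
    for idx, r in enumerate(rules):
        if _matches(r, p):
            return r.action, idx
    return "deny", None          # the implicit deny that ends every IOS access list

def _covers_addr(a, b):
    """True if spec a (an earlier rule's) matches every address that spec b matches."""
    (abase, awild), (bbase, bwild) = a, b
    return (bwild & ~awild) == 0 and ((abase ^ bbase) & ~awild) == 0

def shadowed(rules):
    """Indices of rules that can never be the first match because an earlier rule
    covers all they would match; a permit under a broader deny is the classic case."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if ((earlier.proto == "ip" or earlier.proto == later.proto)
                    and _covers_addr(earlier.src, later.src)
                    and _covers_addr(earlier.dst, later.dst)
                    and (earlier.sport is None or earlier.sport == later.sport)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                dead.append(j)
                break
    return dead

# Constructed list in Figure 7-6's syntax: line one is that figure's example rule,
# the last line is deliberately misplaced under a broader deny to show shadowing.
ACL_100 = [parse_rule(l) for l in """
access-list 100 permit tcp host 209.98.208.25 any eq www
access-list 100 permit udp any host 10.1.13.53 eq domain
access-list 100 deny tcp any any eq telnet
access-list 100 permit icmp any any
access-list 100 permit tcp host 172.16.5.9 any eq telnet
""".splitlines() if l.strip()]

# Constructed packets arriving on the interface the list is bound to with "in".
SAMPLE_PACKETS = [
    Packet("tcp", "209.98.208.25", "10.1.13.7", 40001, 80),   # matches rule 0
    Packet("tcp", "209.98.208.25", "10.1.13.7", 40002, 443),  # no match: implicit deny
    Packet("udp", "198.51.100.4", "10.1.13.53", 5353, 53),    # matches rule 1
    Packet("tcp", "172.16.5.9", "10.1.13.7", 40003, 23),      # the deny in rule 2 wins
]

def run_sample():
    return [evaluate(ACL_100, p) for p in SAMPLE_PACKETS]

if __name__ == "__main__":
    for p, (action, idx) in zip(SAMPLE_PACKETS, run_sample()):
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}: {action}", idx)
    print("shadowed rule indices:", shadowed(ACL_100))
```

The shadowing check is a sufficient condition only: it reports a rule as dead when a single earlier rule covers it, not when several earlier rules cover it between them.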

Keep in mind that an access list alone doesn't turn a router into a firewall. The majority of access lists are used for basic traffic management within internetworks. However, you could physically configure a router as a choke point so that all traffic must pass an access list, thereby making it into a lightweight firewall. This is frequently done to restrict access among networks making up an internetwork. In fact, standard IOS has dozens of security-oriented commands beyond the access-list command that are also used in Cisco's firewall products. However, relying on the access list as the centerpiece of a firewall configuration results in questionable security.

Firewalls Track Internetwork Sessions

Firewall technology builds on access lists by keeping track of sessions. This technology is called stateful or context-based packet filtering, because an individual packet can be handled based on the larger context of its connection. This type of filtering uses what some call reflexive access lists, so named because their contents dynamically change in reflexive response to the state of individual sessions (whether the session was initiated from an inside host, how long it's been running, and so on). Figure 7-7 shows how context-based firewalls track sessions.

Figure 7-7: Context-based firewalls track connection states

Note 

TCP and UDP are protocols running at the transport layer (layer 4) of the seven-layer OSI reference model. TCP stands for Transmission Control Protocol, a connection-oriented protocol designed to deliver full-duplex communications with guaranteed delivery. The bulk of IP traffic goes through TCP connections. UDP stands for User Datagram Protocol-a no-frills, low-overhead, connectionless protocol that has no guaranteed delivery or error correction. UDP is used by relatively simple applications like TFTP (Trivial File Transfer Protocol). A third transport protocol is ICMP (Internet Control Message Protocol), a specialized protocol used by applications such as ping and traceroute. Transport protocols are covered in Chapter 2.

The astute reader might wonder how a firewall can track UDP sessions, given that UDP is a so-called connectionless transport protocol lacking the formal handshakes and acknowledgments of TCP. UDP filtering works by noting the source/destination address and port number of the session, and then guessing that all packets sharing those three characteristics belong to the same session. Because timeout periods are so brief for UDP sessions (usually a fraction of maximum times set for TCP sessions), the firewall almost always guesses right.

Using Global Addresses to Hide Internal Network Topology

Cisco's IOS software has a capability called Network Address Translation (NAT) used by routers and firewalls to mask internal network addresses from the outside world. As discussed in Chapter 2, IP allows the use of private addresses instead of registered IP addresses-for example, 10.1.13.1 instead of 209.78.124.12. This is done for a variety of reasons, but mainly it's done to conserve addresses (sometimes called address space), because there simply aren't enough IP addresses to uniquely number all the hosts, devices, and LANs in most internetworks. It's possible to run an internetwork without private addresses, but it's rarely done.

As packets are forwarded to the outside, NAT overwrites the internal network address in the source address field with a full IP address. This is done from a pool of registered IP addresses made available to NAT, which then assigns them to outbound connections as they're established. NAT maps the inside local address to the pool address, deletes the mapping when the connection is terminated, and reuses the pool address for the next outbound connection that comes along. As you can see at the top of Figure 7-8, NAT translation takes place on a one-to-one basis. Therefore, although NAT hides internal addresses, it does not conserve address space.

Figure 7-8: Internal host addresses can be translated one-to-one or to a global address

The bottom of Figure 7-8 shows that NAT can also be configured to use just one registered address for all internal hosts making outside connections. This function is called Port Address Translation (PAT), which differs from NAT by translating to one global outside address instead of to individual outside addresses. PAT provides additional security by making it impossible for hackers to identify individual hosts inside a private internetwork because everybody appears to be coming from the same host address. Beyond enhancing security, PAT also conserves address space.

Address translation is an example of the value of context-based session tracking. Without the ability to keep track of which session each packet belongs to, it wouldn't be possible to dynamically assign and map internal addresses to the public addresses.
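The two translation modes of Figure 7-8, as an added simulation that is not from the book and not Cisco IOS code: a NAT pool that hands out registered addresses one-to-one and refuses connections once the pool is empty, beside a PAT table that puts every inside host behind one global address and tells the sessions apart by translated port. Inside address 10.1.13.1 and global address 209.78.124.12 are the chapter's own; the other hosts and the pool are constructed.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport")

class NatPool:
    """Dynamic NAT as at the top of Figure 7-8: each inside local address borrows one
    registered address from the pool for as long as its connection is up, so the
    pool size caps how many inside hosts can be outside at once."""

    def __init__(self, pool):
        self.free = list(pool)
        self.inside_to_global = {}
        self.global_to_inside = {}

    def translate_out(self, p):
        """Rewrite the source address of a packet leaving the perimeter; None when the
        pool is exhausted and the connection therefore cannot be built."""
        g = self.inside_to_global.get(p.src)
        if g is None:
            if not self.free:
                return None
            g = self.free.pop(0)
            self.inside_to_global[p.src] = g
            self.global_to_inside[g] = p.src
        return p._replace(src=g)

    def translate_in(self, p):
        """Rewrite the destination of a returning packet back to the inside address."""
        inside = self.global_to_inside.get(p.dst)
        return None if inside is None else p._replace(dst=inside)

    def release(self, inside):
        """Connection ended: drop the mapping and put the pool address back for reuse."""
        g = self.inside_to_global.pop(inside, None)
        if g is not None:
            del self.global_to_inside[g]
            self.free.append(g)

class Pat:
    """Port Address Translation as at the bottom of Figure 7-8: one global address
    for every inside host, with a unique translated source port per session, so the
    outside world sees a single host and the address pool problem disappears."""

    def __init__(self, global_addr, first_port=1024):
        self.global_addr = global_addr
        self.next_port = first_port
        self.out_map = {}   # (inside addr, inside port) -> translated port
        self.in_map = {}    # translated port -> (inside addr, inside port)

    def translate_out(self, p):
        key = (p.src, p.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return p._replace(src=self.global_addr, sport=self.out_map[key])

    def translate_in(self, p):
        """Only a port handed out by translate_out leads anywhere; an inbound packet to
        any other port has no inside host behind it and is dropped (None)."""
        if p.dst != self.global_addr or p.dport not in self.in_map:
            return None
        inside, port = self.in_map[p.dport]
        return p._replace(dst=inside, dport=port)

    def release(self, inside, port):
        translated = self.out_map.pop((inside, port), None)
        if translated is not None:
            del self.in_map[translated]

def nat_scenario():
    """Constructed: two inside hosts from 10.1.13.0 share a two-address pool; a third
    host is refused until an address is released."""
    nat = NatPool(["209.78.124.12", "209.78.124.13"])
    first = nat.translate_out(Packet("10.1.13.1", "198.51.100.4", 40001, 80))
    second = nat.translate_out(Packet("10.1.13.2", "198.51.100.4", 40002, 80))
    refused = nat.translate_out(Packet("10.1.13.3", "198.51.100.4", 40003, 80))
    reply = nat.translate_in(Packet("198.51.100.4", "209.78.124.12", 80, 40001))
    nat.release("10.1.13.1")
    third = nat.translate_out(Packet("10.1.13.3", "198.51.100.4", 40003, 80))
    return first, second, refused, reply, third

def pat_scenario():
    """Constructed: two inside hosts use the same source port behind one global
    address; the translated ports keep their replies apart."""
    pat = Pat("209.78.124.12")
    first = pat.translate_out(Packet("10.1.13.1", "198.51.100.4", 40001, 80))
    second = pat.translate_out(Packet("10.1.13.2", "198.51.100.4", 40001, 80))
    reply_second = pat.translate_in(Packet("198.51.100.4", "209.78.124.12", 80, second.sport))
    stray = pat.translate_in(Packet("198.51.100.4", "209.78.124.12", 80, 9999))
    return first, second, reply_second, stray

if __name__ == "__main__":
    print("NAT:", *nat_scenario(), sep="\n  ")
    print("PAT:", *pat_scenario(), sep="\n  ")
```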

Proxy Servers

A proxy server is an application that acts as an intermediary between two end systems. Proxy servers operate at the application layer (layer 7) of the firewall, where both ends of a connection are forced to conduct the session through the proxy. They do this by creating and running a process on the firewall that mirrors a service as if it were running on the end host. As Figure 7-9 illustrates, a proxy server essentially turns a two-party session into a four-party session, with the middle two processes emulating the two real hosts. Because they operate at layer 7, proxy servers are also referred to as application-layer firewalls.

Figure 7-9: Proxy-server technology is the basis for advanced firewalls

A proxy service must be run for each type of Internet application the firewall will support-a Simple Mail Transport Protocol (SMTP) proxy for e-mail, an HTTP proxy for Web services, and so on. In a sense, proxy servers are one-way arrangements running from one side of the network to the other. In other words, if an internal user wants to access a Web site on the Internet, the packets making up that request are processed through the HTTP server before being forwarded to the Web site. Packets returned from the Web site, in turn, are processed through the HTTP server before being forwarded back to the internal user host. As with NAT, the packets go to the external Web server carrying the IP address of the HTTP server instead of the internal host address. Figure 7-9 depicts a firewall running several proxy servers at once.

Because proxy servers centralize all activity for an application into a single server, they present the ideal opportunity to perform a variety of useful functions. Having the application running right on the firewall presents the opportunity to inspect packets for much more than just source/destination addresses and port numbers. This is why nearly all modern firewalls incorporate some form of proxy-server architecture. For example, inbound packets headed to a server set up strictly to disburse information (say, an FTP server) can be inspected to see if they contain any write commands (such as the PUT command). In this way, the proxy server could allow only connections containing read commands.

The proxy server is another technology that is possible only in context-based firewalls. For example, if a firewall supports thousands of simultaneous Web connections, it must, of course, sort out to which session each of the millions of incoming packets with port number 80 (HTTP) belongs.

Dual-Home Configurations

A dual-homed firewall configuration is typically implemented with the ability to route traffic turned off between the network interface cards, without inspecting it. A dual-homed configuration forces all traffic to go through a proxy service before it can be routed out another interface, which is why proxy-server firewalls use dual-homed configurations, as depicted on the left side of Figure 7-10. Another use of dual homing is when you want users on two networks-say, the R&D and Sales departments-to access a single resource but don't want any traffic routed between them. Then any routing capabilities between the two interfaces would be disabled. The configuration on the right in Figure 7-10 shows this.

Figure 7-10: Dual-homed configurations turn off routing services within the device

Using a dual-homed configuration this way doesn't create a firewall gateway, per se, because inbound traffic isn't headed anywhere beyond the server. It's just an easy way to have one server take care of two departments that shouldn't exchange traffic. It's also a way of making sure traffic isn't exchanged, because routing services are turned off inside the router.

Event Logging and Notification

Record keeping is an important part of a firewall's overall role. When a packet is denied entry by a firewall, the event is duly recorded into a file called syslog (industry shorthand for system log) or to a proprietary logging system based on the firewall manufacturer. Most firewalls can be configured to upload log information to a logging server elsewhere on the network, where it can be analyzed against the enterprise's security policy.

Firewalls can also be configured to generate alert messages if specified thresholds are surpassed. In more sophisticated network operations, these alerts are immediately directed to a manned console so that the network team can respond to the event by any number of measures (usually shutting down the network interface where the apparent security breach is taking place).

The IOS Firewall Feature Set

The IOS Firewall is a value-added option to the Cisco IOS software. It is purchased as a so-called IOS feature set (feature sets are covered in Chapter 4). IOS Firewall is used to turn a standard Cisco router into a fairly robust firewall by adding several security functions over and above the basic traffic filtering of standard IOS software:

  • Context-Based Access Control (CBAC) An advanced form of traffic filtering that examines application-layer (layer 7) information, such as HTTP, to learn about the state of TCP or UDP connections.

  • Address Translation (PAT and NAT) Disguises internal IP addresses by inserting disguised source addresses on packets sent outside the firewall. PAT and NAT hide internal network topology from hackers.

  • Security server support The router can be configured as a client to TACACS+, RADIUS, or Kerberos security servers, where user names and passwords can be stored in such a server's user authentication database.

  • Denial-of-Service attack detection Detects the traffic patterns characteristic of so-called Denial-of-Service (DoS) attacks and sends alert messages. (Denial-of-Service attacks attempt to deny service by overwhelming a network with service requests, such as illegal e-mail commands or infinite e-mails.)

  • Network-Based Application Recognition (NBAR) Recognizes many different applications and can use special services based on them.

  • Java blocking The ability to selectively block Java messages from a network. (Java applets are downloadable self-operating programs, and applets can be programmed to harm any host system unfortunate enough to execute them.)

  • Encryption The ability to make a packet's contents incomprehensible to all systems except those provided with a cipher (key) to decrypt it.

  • Neighbor router authentication A command by which a router can force a neighboring router to authenticate its identity or to block all packets routed from it.

  • Security alerts and event logging Messages alerting network administration of a security problem, and the logging of all security events for later collation and analysis.

  • VPN and QoS support Provides tunneling and QoS (Quality of Service) features to secure VPNs. This feature provides encrypted tunnels on the router while ensuring strong security, service-level validation, intrusion detection, and advanced bandwidth management.

  • Audit trail Allows you a number of features for detailed tracking. It records the time stamp, source host, destination host, ports, duration, and total number of bytes transmitted for detailed reporting. It is configurable based on applications and features.

  • Dynamic port mapping Permits CBAC-based applications to be run on nonstandard ports. This allows network administrators to customize access control for selected applications and services.

  • Firewall management Firewalls are configured with a user-friendly interface that provides step-by-step help through network design, addressing, and IOS Firewall security policy configuration.

  • Integration with Cisco IOS software This feature set seamlessly interacts with Cisco IOS features, integrating security policy features.

  • Policy-based multi-interface support User access can be controlled based on IP address and interface. Access is determined by the security policy.

  • Redundancy/failover Automatically routes traffic to a secondary router in the event of failure.

  • Time-based access lists Security policy can be established based on time of day and day of the week.

  • Intrusion Prevention System An inline detection system that responds to suspicious activity. The router can be configured to log the event, send a message to the system administrator, or deny access to the IP address of the attacker.

  • Authentication Proxy Security policies can be established on a per-user basis.

How Context-Based Access Control Works

Context-Based Access Control is a set of IOS commands that can be used to inspect packets much more closely than normal access lists. CBAC works by tracking outside connections initiated from inside the firewall. CBAC identifies sessions by tracking source/destination IP addresses and source/destination port numbers gleaned from the packets. When a response returns from the session's remote host in the form of inbound traffic, CBAC determines the session to which the inbound packets belong. CBAC, in this way, maintains a dynamic list of ongoing sessions and is able to juggle security exceptions on a moment-by-moment basis. This dynamic list, called the state table, tracks the state of valid sessions through to termination. The CBAC state table maintains itself by deleting sessions when concluded by users or dropping them after a maximum allowable period of inactivity called a timeout. Timeout values are specified by the network administrator for each transport protocol. Figure 7-11 depicts the CBAC process.

Figure 7-11: CBAC creates temporary openings based on connection status

CBAC uses the state table to make dynamic entries and deletions to the access list of the interface. Source/destination address or port numbers normally blocked by the access list are momentarily allowed, but only for a session CBAC knows to be a valid session initiated from inside the firewall security perimeter. CBAC creates openings in the firewall as necessary to permit returning traffic. Once the session shuts down, the access list's prohibition is put back in effect until another session calls from the CBAC state table, asking for a temporary exception of its own.

If it seems as if the router would be overwhelmed by the sheer complexity of it all-remember that state tables and access lists are managed on a per-interface basis. Each interface on a Cisco router running IOS Firewall has its own access list, inspection rules, and valid sessions. Good firewall configuration design can cut down a big part of the complexity you must deal with by grouping similar traffic types or sources onto specific network interfaces.
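The session tracking described for reflexive access lists and UDP "guessing" earlier in the chapter, and the CBAC state table with its per-protocol timeouts just above, as one added simulation (not the book's code and not Cisco IOS): an outbound packet from inside opens a table entry, inbound traffic is admitted only as the mirror of an open entry, and entries disappear on teardown or after the idle timeout. The timeout values, the host 10.1.13.7 and the outside hosts are constructed for the example.

```python
import time
from collections import namedtuple

# Idle timeouts in seconds, constructed for the example; as the chapter notes, the
# UDP value is kept a small fraction of the TCP value because UDP has no teardown.
IDLE_TIMEOUT = {"tcp": 3600, "udp": 30}

# fin marks the last packet of a TCP session (simplified: one flag instead of a
# full FIN/ACK exchange). Always False for UDP.
Packet = namedtuple("Packet", "proto src dst sport dport fin", defaults=(False,))

class StatefulFilter:
    """State table for one inside/outside interface pair, the way the chapter
    describes reflexive access lists and the CBAC state table: an outbound packet
    from inside opens an entry, return traffic is admitted only while that entry
    exists, and entries are dropped on teardown or after the idle timeout."""

    def __init__(self):
        self.table = {}     # (proto, inside addr, outside addr, inside port, outside port) -> last seen
        self.denied = []    # what syslog would record for dropped inbound packets

    def _expire(self, now):
        for key in [k for k, seen in self.table.items()
                    if now - seen > IDLE_TIMEOUT[k[0]]]:
            del self.table[key]

    def outbound(self, p, now=None):
        """Packet leaving the perimeter: record (or close) the session it belongs to."""
        now = time.time() if now is None else now
        self._expire(now)
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        if p.proto == "tcp" and p.fin:
            self.table.pop(key, None)       # inside host closed it: the opening is gone
        else:
            self.table[key] = now           # new session, or refresh of an existing one
        return True                         # the outbound access list is assumed to permit it

    def inbound(self, p, now=None):
        """Packet arriving from outside: admitted only as the reverse half of a
        tracked session. Everything else is dropped, whatever port it is aimed at."""
        now = time.time() if now is None else now
        self._expire(now)
        key = (p.proto, p.dst, p.src, p.dport, p.sport)   # mirrored: inside host is dst
        if key not in self.table:
            self.denied.append(f"t={now:.0f} denied {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return False
        if p.proto == "tcp" and p.fin:
            del self.table[key]             # remote side closed it
        else:
            self.table[key] = now           # refresh the idle timer
        return True

def run_scenario():
    """Constructed traffic (inside net 10.1.13.0, outside hosts 209.98.208.25 and
    198.51.100.4); returns which inbound packets were admitted and the filter."""
    fw = StatefulFilter()
    r = {}
    # Inside host opens a Web session; the server's reply is the mirror of that flow.
    fw.outbound(Packet("tcp", "10.1.13.7", "209.98.208.25", 40001, 80), now=0)
    r["tcp_reply"] = fw.inbound(Packet("tcp", "209.98.208.25", "10.1.13.7", 80, 40001), now=1)
    # Nobody inside asked for this connection: no entry, so it is dropped.
    r["unsolicited"] = fw.inbound(Packet("tcp", "203.0.113.9", "10.1.13.7", 5555, 80), now=2)
    # Same server, same inside host, but a port the inside host never used.
    r["wrong_port"] = fw.inbound(Packet("tcp", "209.98.208.25", "10.1.13.7", 80, 40009), now=3)
    # UDP: a DNS reply within the short timeout passes, a late duplicate does not.
    fw.outbound(Packet("udp", "10.1.13.7", "198.51.100.4", 5353, 53), now=10)
    r["udp_reply"] = fw.inbound(Packet("udp", "198.51.100.4", "10.1.13.7", 53, 5353), now=20)
    r["udp_late"] = fw.inbound(Packet("udp", "198.51.100.4", "10.1.13.7", 53, 5353), now=100)
    # Once the inside host tears the TCP session down, the prohibition is back in force.
    fw.outbound(Packet("tcp", "10.1.13.7", "209.98.208.25", 40001, 80, fin=True), now=101)
    r["after_close"] = fw.inbound(Packet("tcp", "209.98.208.25", "10.1.13.7", 80, 40001), now=102)
    return r, fw

if __name__ == "__main__":
    results, fw = run_scenario()
    for name, admitted in results.items():
        print(f"{name:12s} {'admitted' if admitted else 'dropped'}")
    print("\n".join(fw.denied))
```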

Major IOS Firewall Functions

IOS Firewall selectively enforces security rules based on the context of each session. To pull this off, IOS Firewall must inspect packets much more closely than simple access lists do. For this reason, the IOS Firewall software is granular in its application of inspection rules. Granular here means inspection rules are applied much more selectively than the "all-or-nothing" permit/deny scheme used in access lists. This makes the firewall more flexible and a tougher security barrier to crack. We won't delve into IOS Firewall inspection features too deeply since this is a beginner's book, but a quick review will illustrate how firewall technology works at the packet inspection level:

  • SMTP inspection Many of the worst virus attacks inject themselves into secured internetworks through e-mail. Beyond just inspecting each packet for the SMTP port number, IOS Firewall inspects SMTP packets for illegal commands. Any SMTP packet containing a command other than the 12 legal SMTP commands will be discarded as subversive.

  • Java inspection Some network security policies prohibit downloading Java applets from outside networks because of their potential destructive power. A security policy mandating that all internal users disable Java in their Web browsers is unenforceable. IOS Firewall allows you to block incoming Java applets at the firewall and also to designate a list of trusted (friendly) external sites from which downloaded Java applets will not be blocked (or you could permit applets from all sites except sites explicitly defined as hostile).

  • H.323 inspection NetMeeting is a premier H.323 protocol application that requires use of a second channel (session) in addition to the H.323 channel maintained in the CBAC state table. IOS Firewall can be configured to inspect for a generic TCP channel in addition to the H.323 channel to allow NetMeeting connections to operate through the firewall.

  • RPC inspection The IOS Firewall RPC (Remote Procedure Call) inspection command accepts the entry of program numbers. For example, if the program number for NFS (Network File System Protocol) is specified in an RPC command, then NFS traffic may operate through that firewall interface.

Configuring IOS Firewall

Address translation is configured in IOS Firewall using the nat and pat commands. Typically, the first step of configuring IOS Firewall is to set up translations so as to mask internal IP addresses from the outside world. Example configurations for NAT and PAT (Port Address Translation) are given in the next part of this chapter, which covers the PIX Firewall.

Context-based security is configured in the IOS Firewall by creating inspection rules. Inspection rules (also called rule sets) are applied to access lists governing specific firewall network interfaces. Configuring IOS Firewall, then, is done mostly using two variations of two commands:

  • access-list A command used to define the basic access rules for the interface

  • ip inspect A command used to define what CBAC will look for at the interface

The access list specifies which normal rules apply to traffic entering the interface, and is used to tell the interface which network applications (port numbers) are prohibited, which destination addresses are blocked, and so on. CBAC inspection rules dynamically modify the access list as necessary to create temporary openings in the IOS firewall for valid sessions. CBAC defines a valid session as any TCP or UDP connection that matches its access-list criteria.

In addition to creating temporary openings in the firewall, CBAC applies inspection rules to detect various kinds of network attacks and generate alert messages, which are usually sent to the network management console.

Note 

One of the best-known Denial-of-Service attacks is SYNflood, so named for the SYN bit used to initiate the three-way handshake that sets up TCP connections. SYNflood attacks try to drown the target network in a flood of connection attempts, thereby denying legitimate hosts network service. A command called ip inspect tcp synwait-time is used by the network administrator to tell IOS Firewall how long an unanswered SYN (a half-open connection) is retained before being discarded. By not letting half-open connections pile up, the ip inspect tcp synwait-time command can be used to thwart this type of Denial-of-Service attack.

IOS Firewall can be configured in one of two ways, depending on whether the firewall configuration includes a DMZ. Figure 7-12 depicts this. The configuration on the right of Figure 7-12 shows the access list pulled back to the inside of the firewall.

Figure 7-12: CBAC can be configured on either internal or external interfaces

Configuring CBAC on the internal interface relieves the firewall from having to create and delete context-based rule exceptions for traffic hitting the DMZ's Web (HTTP) server and DNS (Domain Name System) server. With this arrangement, CBAC can still selectively control access to HTTP and DNS services by internal users, but it doesn't have to worry about connections hitting the DMZ servers.

Note 

IOS Firewall is a version of Cisco IOS software, so normal IOS conventions apply. To configure IOS Firewall, you must first gain access to the router through Telnet, SSH, or the Web browser interface; enter Privileged Exec command mode; and then enter configuration mode, with the firewall(config-if)# prompt pointing to the interface to which the CBAC configuration will apply.

The first step in configuring the IOS Firewall interface is to create an access list. To define an access list, use the following command syntax:

 Firewall(config)# ip access-list standard access-list-name-or-number
 Firewall(config-std-nacl)# permit ....

If a permit rule is matched, the packet is forwarded through the firewall. Deny rules are defined using the same syntax:

 Firewall(config)# ip access-list standard access-list-name-or-number
 Firewall(config-std-nacl)# deny ....

If a deny rule is matched, the packet is dropped. Figure 7-13 shows an example access list 100. This access list will be applied to the Ethernet0 firewall interface. Access list 100 permits all traffic that should be CBAC-inspected. The last line of the access list is set up to deny unknown IP protocols that a hacker might attempt to use.

Figure 7-13: This access list sets up traffic on Ethernet0 for CBAC inspection

The second step in configuring CBAC is to define a set of inspection rules with the ip inspect name command, using the following syntax:

 Firewall(config)# ip inspect name inspection-name protocol [timeout seconds] 

This command syntax tells IOS Firewall what to inspect packets for and the maximum period of inactivity allowed before closing any session that was created using the inspection rule. Timeout periods are important in CBAC configurations. If timeout limits are set too high, the state table could become bloated, which could hurt router performance and even security. On the other hand, if timeouts are set too low, users could become frustrated at having to frequently reset connections made to Internet hosts.

A set of inspection rules is created by using the same inspection-name in all the commands to be included in the set. The following code snippet shows an inspection rule set being built under the name Rulz. By sharing the name Rulz, the eight ip inspect name commands included in this set can be invoked in a single statement. Table 7-1 gives the keywords used for protocol inspection commands.

Table 7-1: Keywords in IOS Firewall's ip inspect and Access-List Commands

Transport-layer protocols:

  Protocol                                    Keyword
  Transmission Control Protocol (TCP)         tcp
  User Datagram Protocol (UDP)                udp
  Internet Control Message Protocol (ICMP)    icmp

Application-layer protocols:

  Protocol                                    Keyword
  Application Firewall                        appfw
  CU-SeeMe                                    cuseeme
  ESMTP                                       smtp
  FTP                                         ftp
  IMAP                                        imap
  Java                                        http
  H.323                                       h323
  Microsoft NetShow                           netshow
  POP3                                        pop3
  RealAudio                                   realaudio
  RPC                                         rpc
  SIP                                         sip
  Simple Mail Transfer Protocol (SMTP)        smtp
  Skinny Client Control Protocol (SCCP)       skinny
  StreamWorks                                 streamworks
  Structured Query Language*Net (SQL*Net)     sqlnet
  TFTP                                        tftp
  UNIX R commands (rlogin, rexec, rsh)        rcmd
  VDOLive                                     vdolive
  WORD                                        User-defined application name; use the prefix user-

 Firewall(config)# ip inspect name Rulz ftp timeout 2000
 Firewall(config)# ip inspect name Rulz smtp timeout 3000
 Firewall(config)# ip inspect name Rulz tftp timeout 60
 Firewall(config)# ip inspect name Rulz http java-list 99 timeout 3000
 Firewall(config)# ip inspect name Rulz udp timeout 15
 Firewall(config)# ip inspect name Rulz tcp timeout 2000

The timeout limits in the preceding example allow TCP applications about three to five minutes to respond, and UDP applications a minute or less. This reflects the fact that UDP applications are more concerned with causing minimal network overhead than with session integrity. The timeouts set for TCP and UDP are overridden in sessions running an application protocol. For example, any TFTP backup session running through this firewall would have the 60-second timeout limit set for TFTP in force (preempting the 15-second limit set for UDP-only sessions).

While it's true that timeouts help conserve system resources, the primary reason for configuring them in a firewall is security. The less time you give a hacker's attack program to try to worm through the firewall's interface, the better your internetwork security is. However, timeouts can't be set too tightly, or legitimate users will have to make several attempts to connect. Like everything else in internetworking, timeout strategy is a balancing act.

Although the inspection set and the ACL don't have anything directly to do with each other, both are applied to the interface. So the last step in configuring an IOS Firewall interface is applying an inspection rule set to the access list. The ACL will then be modified by CBAC in accordance with the inspection set. The following snippet taken from the config file for firewall interface Ethernet0 shows the inspection set Rulz and access list 89. The rules have been applied to inspect and filter inbound traffic.

 interface Ethernet0
  description Velte Extranet Gateway
  ip address 209.78.124.12 255.255.255.248
  ip broadcast-address 209.78.124.1
  ip inspect Rulz in
  ip access-group 89 in

Without inspection rules to modify access lists, IOS Firewall behavior would revert to that of a normal router running normal access lists.

IOS Firewall Session Management Features

By now, you've seen how important time is to firewalls. This is not unlike the head of security in a bank maintaining strict control over how long the safe door may stay open as people enter and leave it. For obvious reasons, the security chief would frown on employees loitering about the safe door.

The max-incomplete Session Commands Like the bank's security chief, network administrators fret over connections pending at the firewall's interfaces, especially the outside interfaces. These incomplete connections are called half-open sessions. A rising number of half-open sessions at the firewall may indicate that a Denial-of-Service (DoS) attack is under way. IOS Firewall has several commands, called TCP intercept commands, that intercept DoS attacks before they can overwhelm a firewall's network interface.

IOS Firewall uses the ip inspect max-incomplete command to track and control half-open sessions. For TCP, half-open means that a session has not yet reached the established state. (In fact, it's entered into the CBAC state table as a pending request to start a session.) A UDP session is deemed half-open when traffic is detected from one direction only. (Remember, UDP is a connectionless protocol.)

CBAC monitors half-open sessions both in absolute numbers and in relative trends. Once every minute, CBAC totals all types of half-open sessions and weighs the total against an allowable threshold specified in the config file (500 half-open requests is the default limit). Once the threshold is exceeded, CBAC begins deleting half-open requests from its state table. It will continue deleting them until it reaches a minimum threshold, whereupon operations are returned to normal. The following code snippet shows a typical configuration of the max-incomplete high command. It's a good practice to keep the high-low spread narrow so CBAC can make frequent use of this control feature.

 Firewall(config)# ip inspect max-incomplete high 1000
 Firewall(config)# ip inspect max-incomplete low 900

The inspect one-minute Commands The other command to control half-open sessions is the inspect one-minute command. Instead of acting on the number of existing half-open connections, it measures the number of new half-open sessions started in the last minute. It works much like the max-incomplete command. Here's an example configuration (using the default values):

 Firewall(config)# ip inspect one-minute high 900
 Firewall(config)# ip inspect one-minute low 400

Other TCP Intercept Commands CBAC has other commands to thwart DoS attacks. As mentioned earlier, the ip inspect tcp synwait-time command controls SYNflood attacks by deleting connection requests with SYN bits that have been pending longer than a specified time limit. (The default is 30 seconds.) The ip inspect tcp finwait-time command similarly controls FINflood attacks. (FIN bits are exchanged when a TCP connection is ready to close; its default is five seconds.) The ip inspect tcp max-incomplete host command is used to specify threshold and timeout values for TCP host-specific DoS detection. It limits how many half-open sessions with the same host destination address are allowed and how long CBAC will continue deleting new connection requests from the host. (The defaults are 50 half-open sessions and 0 seconds.) Finally, generic protection is given by configuring the maximum idle times for connections with the ip inspect tcp idle-time and ip inspect udp idle-time commands (with default limits of 1 hour and 30 seconds, respectively).
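The following is an added worked example, not a configuration from the book: it ties the three CBAC configuration steps above (access list, inspection rule set, interface binding) together with the session-management commands from this section in one two-interface deployment. The interface names, the 10.1.10.0/24 inside network, the 209.78.124.8/29 outside link, the ACL numbers, and the 192.0.2.0/24 "trusted Java site" network are all assumptions.

```cisco
! Added example (not from the book). Assumed topology: Ethernet0 faces the
! inside LAN 10.1.10.0/24, Ethernet1 faces the outside link 209.78.124.8/29
! with the router at .12. All addresses and ACL numbers are assumptions.
!
! Step 1: access lists.
! ACL 100 goes inbound on the inside interface. It selects the LAN traffic
! that CBAC will inspect; its last line drops anything else (unknown IP
! protocols, packets with sources that are not on the LAN).
access-list 100 remark Inside-to-outside traffic eligible for CBAC inspection
access-list 100 permit tcp 10.1.10.0 0.0.0.255 any
access-list 100 permit udp 10.1.10.0 0.0.0.255 any
access-list 100 permit icmp 10.1.10.0 0.0.0.255 any
access-list 100 deny ip any any log
!
! ACL 101 goes inbound on the outside interface. It blocks everything by
! default; CBAC inserts temporary entries ahead of it for sessions that were
! opened from inside, so only return traffic for valid sessions gets through.
access-list 101 remark Anti-spoofing: our private range must never arrive from outside
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 permit icmp any host 209.78.124.12 unreachable
access-list 101 permit icmp any host 209.78.124.12 time-exceeded
access-list 101 permit icmp any host 209.78.124.12 echo-reply
access-list 101 deny ip any any log
!
! Standard ACL 99 lists the external sites whose Java applets are allowed;
! the http java-list rule below blocks applets from every other site.
access-list 99 permit 192.0.2.0 0.0.0.255
access-list 99 deny any
!
! Step 2: the inspection rule set "Rulz". Application-layer entries override
! the generic tcp/udp timeouts for sessions of that application (the TFTP
! entry, for instance, preempts the 15-second UDP limit).
ip inspect name Rulz tcp timeout 2000
ip inspect name Rulz udp timeout 15
ip inspect name Rulz ftp timeout 2000
ip inspect name Rulz smtp timeout 3000
ip inspect name Rulz tftp timeout 60
ip inspect name Rulz http java-list 99 timeout 3000
!
! Session-management (TCP intercept) settings discussed in this section.
! The high/low spread is kept narrow so the control kicks in often.
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect max-incomplete high 1000
ip inspect max-incomplete low 900
ip inspect one-minute high 900
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
! Log session creation and deletion so the management console sees them.
ip inspect audit-trail
!
! Step 3: bind the access lists and the inspection set to the interfaces.
interface Ethernet0
 description Inside LAN
 ip address 10.1.10.1 255.255.255.0
 ip access-group 100 in
 ip inspect Rulz in
!
interface Ethernet1
 description Extranet gateway (outside)
 ip address 209.78.124.12 255.255.255.248
 ip access-group 101 in
```

After a host on the LAN opens a connection, show ip inspect sessions lists the tracked session and show ip access-lists 101 shows the temporary permit entry CBAC placed in front of the outside ACL; both disappear when the session closes or its timeout expires.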

Cisco Secure PIX Firewall

For a long time, Cisco Secure PIX Firewall was Cisco's premier product for firewall duties. As you'll see a little later, it's being displaced by Cisco's Adaptive Security Appliance (ASA), but it looks like it might be quite a while before the PIX disappears. The IOS Firewall feature set is targeted at more price-sensitive customers or for duty in cordoning off access within enterprise networks. PIX was positioned by Cisco to compete head-to-head with the major firewall products on the market. PIX Firewall differs from IOS Firewall in these ways:

  • Integrated hardware/software PIX Firewall is an integrated package on a hardware platform purposely built for heavy-duty firewall service. It doesn't come as a separate software package.

  • Adaptive security algorithm Neither a packet filter nor an application proxy firewall, PIX implements a stateful inspection and cut-through architecture that delivers higher performance.

Note 

Cut-through processing is a technique allowing a connection (HTTP, FTP, or Telnet) to be authorized and permitted once at the application layer. Then all packets that follow it, for that session, are filtered at the network layer.

  • Integrated VPN option Virtual private networks are natively supported; however, a plug-in processor card optimally configures VPNs supporting the advanced Internet Protocol Security (IPSec) encryption and Internet Key Exchange (IKE) standards.

Network administrators are increasingly turning to purpose-built devices, such as Cisco Secure PIX Firewall, to meet their network security needs. The electronics and software in the PIX firewall are tuned specifically to balance advanced security functionality with the need for high-throughput performance. PIX Firewall and dedicated products like it are called network appliances, the hip new term for devices built to serve a narrowly defined networking function. The most obvious advantage of using a firewall appliance is that the IOS software doesn't have to split its time between filtering and routing.

Beyond the appliance versus firewall-enabled router debate, Cisco is positioning PIX as a real-time embedded system against competitors' firewall appliances based on UNIX platforms. The argument is that UNIX-based firewall appliances must pay a price in performance and in security. The reasoning is that a general-purpose operating system kernel like UNIX not only has latencies and overheads inappropriate for firewall duty, but also has inherent security holes that hackers could use to break into the firewall itself.

PIX Firewall's Adaptive Security Algorithm

The Adaptive Security Algorithm is roughly equivalent to IOS Firewall's Context-Based Access Control. Both serve as the central engine for their respective firewall products. This is beneficial, because network administrators are familiar with the environment and its basic commands ( configure, debug, write, and so on). But ASA has a very different set of firewall-specific commands, and its architecture is radically different from that of IOS Firewall. ASA enables PIX Firewall to implement tighter security measures and to scale to higher-capacity gateway sizes.

Note 

What's an algorithm? The term makes it sound as if writing one would involve quantum physics with a dash of quadratic equations thrown in. But algorithms aren't anything mysterious. An algorithm is nothing more than a carefully crafted set of rules rigorously applied to a repetitive process that is logically able to handle variable conditions. Yes, some algorithms contain mathematical equations, but most don't. Computers make heavy use of algorithms because nearly everything in computing is repetitive and driven by variables.

The security-level Command The cliché is that the world is painted not in black and white, but in shades of gray. So, too, for the world of internetwork security, where the "good guys versus bad guys" model falls short, because almost everybody is regarded as suspect. The trend in truly powerful network security, then, is the capability to designate networks and hosts as a spectrum of security levels instead of merely as "inside" or "outside."

PIX Firewall's security-level command lets you specify relative security levels for interfaces both inside and outside of the firewall. Applying relative security levels on an interface-by-interface basis lets you draw a far more descriptive security map than you would be able to by defining all networks as either inside or outside.

To configure a firewall's interfaces with relative security levels, you enter a security-level command for each interface. Additionally, you must use the nameif command to identify the interface you wish to manage.

You can choose any value for a security level between 0 and 100, and no two interfaces on a PIX firewall may have the same level.

The common practice is to assign levels in tens, as shown in the following code snippet, which identifies eight interfaces in three security zones:

 firewall(config)# interface gigabitethernet0/0
 firewall(config-if)# nameif inside
 firewall(config-if)# security-level 100
 firewall(config-if)# ip address 10.1.10.10 255.255.255.0
 firewall(config-if)# no shutdown
 firewall(config-if)# interface gigabitethernet0/1
 firewall(config-if)# nameif outside
 firewall(config-if)# security-level 0
 firewall(config-if)# ip address 10.1.20.10 255.255.255.0
 firewall(config-if)# no shutdown

Security levels work like this: by default, all traffic from an interface with a higher security level is permitted to any interface with a lower security level. This simplifies rule writing; a given host, for example, can reach any network whose security level is lower than the one assigned to its own interface. A connection being made from a higher level to a lower network is treated by the software as outbound; one headed from a lower-level interface to a higher level is treated as inbound. This scheme enables the network administrator to apply rules on a much more granular basis.

Because each zone has its own security scale, the option exists to implement intrazone security checks. For example, access lists could apply restrictions on traffic flowing between hosts attached to the two DMZ networks. Some possible uses of security levels are depicted in Figure 7-14.

Figure 7-14: The security-level command draws a more detailed and powerful security map

As with the IOS firewall and other firewalls, packets may not traverse the PIX firewall without a connection and a state. The Adaptive Security Algorithm checks inbound packets using the following rules:

  • When moving between a higher security level and a lower security level, all outbound connections are permitted except those configured as denied in outbound access lists.

  • Static outbound connections can be configured using the static command, bypassing the dynamic translation pools created using the global and nat or pat commands.

PIX Firewall Translation Slots As with the IOS Firewall, address translation and session tracking are at the center of the architecture. But the PIX Firewall uses a more formal system to implement IP address translation. Instead of simply creating a new translation and dynamically entering it into a reflexive access list, like IOS Firewall, ASA assigns a slot to the new connection.

To help manage slot consumption, you can specify a slot limit when configuring interfaces with the nat command. In this way, network administrators can prevent individual network users from consuming too many translation slots.

Note 

Did you know that some applications use more than one connection at a time? For example, FTP takes two connections. A Web browser (which runs the HTTP application protocol) can take up to four or more connections, depending on whether it's in the process of loading a page or other objects, such as Java applets. So don't think of Internet connections in terms of something the user consciously decides to start and stop. Sessions are launching and quitting without our even knowing it. Microsoft Internet Explorer is said to consume up to 20 TCP connections per user!

We'll run through a simple PIX firewall configuration to showcase some of the commands. Whole books have been written about firewalls, so we'll only cover those commands that will help you understand basic PIX firewall operations. The PIX firewall runs a special version of IOS, so the usual IOS command conventions apply. Figure 7-15 shows a three-interface PIX configuration with one shield router, one inside shield router, and one DMZ server attached. The configuration incorporates global address translation, restrictions on outbound traffic, and an outbound static route with an inbound conduit.

Figure 7-15: This three-interface PIX firewall supports a static route with conduit

Note 

There are a lot of PIX firewalls out there that are configured in a manner similar to this, so what we have here will give you a good idea of what's in use. Keep in mind that commands are updated, old ones removed, and new ones added as new software is introduced. Security software, in general, is updated frequently. Always refer to the documentation specific to your actual hardware and software setup.

The first step is to go into configure interface mode, pointing at each interface as it's being configured:

 Firewall> enable
 Password: ******
 Firewall# config t
 Firewall(config)#

Then, interface commands are used to give the interfaces security zones and levels:

 Firewall(config)# nameif ethernet0 outside security0
 Firewall(config)# nameif ethernet1 Extranet security50
 Firewall(config)# nameif ethernet2 inside security100

Next, interface commands set the Ethernet specification at which the interfaces will operate (here, autosensing 10/100 Mbps):

 Firewall(config)# interface ethernet0 auto
 Firewall(config)# interface ethernet1 auto
 Firewall(config)# interface ethernet2 auto

The interfaces must be identified with IP addresses and masks, which is done using ip address commands. Notice that the names you just gave to the interfaces (outside, Extranet, and inside) are put to use, and that private internal IP addresses are used for the Extranet and inside interfaces (10.1.5.1 and 10.1.10.57):

 Firewall(config)# ip address outside 209.98.208.45 255.255.255.240
 Firewall(config)# ip address Extranet 10.1.5.1 255.255.255.0
 Firewall(config)# ip address inside 10.1.10.57 255.255.255.0

The nat command is used to let all users in two inside user groups make outbound connections using translated IP addresses. The number following the (inside) arguments of the two statements is a NAT ID number or NAT reference number (1 and 2), used to link groups to global address pools:

 Firewall(config)# nat (inside) 1 10.0.0.0 255.0.0.0
 Firewall(config)# nat (inside) 2 10.0.0.0 255.0.0.0

Statements using the global command create two global address pools. They're assigned to users by way of the NAT ID numbers (1 and 2 here). The middle statement is the PAT address pool. What's happening here is that the system is being told to assign NAT addresses and, when they're all in use, to begin applying the PAT global address to sessions. All connections assigned a PAT address will show a source address of 209.98.208.50:

 Firewall(config)# global (outside) 1 209.98.208.46-209.98.208.49 netmask 255.255.255.240
 Firewall(config)# global (outside) 1 209.98.208.50 netmask 255.255.255.240
 Firewall(config)# global (outside) 2 209.98.210.1-209.98.210.254 netmask 255.255.255.240

A static statement is used to create an externally visible IP address. An accompanying conduit statement permits a specified host or network (a business partner, for example) through the PIX firewall. The following example statement permits users on an outside host access through the firewall to server 10.1.60.1 through TCP connections for Web access. The eq 80 clause specifies that the TCP connection must be running on (equal to) port 80, the port number for the HTTP application protocol. The any modifier lets any external host attach to 10.1.60.1:

 Firewall(config)# static (inside, outside) 209.98.208.51 10.1.60.1 netmask 255.255.255.0
 Firewall(config)# conduit permit tcp host 10.1.60.1 eq 80 any

This statement using the outbound command creates an access list that permits an inside host Web access (port 80), but forbids it from downloading Java applets. PIX uses the outbound command to create access lists and the apply command to apply them. Notice that the port number for Java is represented by the text string java instead of a port number. Using names instead of numbers is possible for some newer application-layer protocols like Java. It's obviously a lot easier to remember names instead of a cryptic number. The outgoing_src option denies or permits an internal address the ability to start outbound connections using the services specified in the outbound command:

 Firewall(config)# outbound 10 permit 209.98.208.22 255.255.255.255 80
 Firewall(config)# outbound 10 deny 209.98.208.22 255.255.255.255 java
 Firewall(config)# apply (Extranet) 10 outgoing_src

There are many other commands to use when configuring a PIX firewall. Indeed, in most internetworking environments, there are several more that must be configured to get the firewall working properly. Properly configuring a PIX firewall with multiple servers, protocols, access lists, and shield routers would take days. The possible configurations are endless. But the simple statements we just went through demonstrate that configuring even a firewall, one of internetworking's most complex devices, isn't rocket science. It can get pretty deep, but doing it is just a matter of taking things one interface at a time, one command at a time.

PIX OS 7.2 The latest version of the PIX Firewall OS software is version 7.2, and it offers a variety of improvements and upgrades over previous versions of the software. Some of its features include:

  • Application inspection and control Allows you more control and power over your inspection of packets, lessening the chance of attacks and affording you the ability to inspect packets for a number of services.

  • Remote access and site-to-site VPN VPN capabilities are enhanced in version 7.2 to include peer validation and improved security functions.

  • Network integration Networks are more easily connected, thanks to new integration capabilities. For example, PIX OS 7.2 introduces Point-to-Point Protocol over Ethernet (PPPoE) support, which makes it easier to connect computers through an ISP over broadband connections. It also includes Dynamic DNS support and multicast routing enhancements.

  • Resiliency and scalability Reliability is bolstered with improvements to resiliency and scalability. Sub-second failover allows the detection and failover of a system in less than a second, while Standby ISP Support allows your network to failover to a backup ISP in the event the first ISP fails.

  • Management and serviceability Management is enhanced with such features as the traceroute command, which allows you to trace a packet's route to its destination, and the packet-tracer command, which allows you to examine the packet as it moves through the appliance. PIX OS 7.2 also includes improvements to its handling of IPv6 addressing.

There are many other major elements of firewall configuration. One example is configuring two firewalls, one as the primary gateway server and the other as a hot backup box to which traffic will go if the primary server fails (configured using the failover command). Another is configuring the firewall to integrate with a security server, such as TACACS+.

Makes and Models

Whatever the firewall need, Cisco offers its PIX line in five distinct flavors. At the low end of the scale is the Cisco Secure PIX Firewall 501. This model is aimed at the small office/home office market, and is equipped with a 133-MHz processor, Ethernet connections, and a scant 16 MB of RAM. On the other end of the spectrum is the big boy in firewalls. They should have named the Cisco Secure PIX Firewall 535 the Gigawall, because everything about this firewall screams "giga." Aimed at the enterprise and service-provider market, it boasts a 1-GHz processor, 1 GB RAM, and Gigabit Ethernet connections.

As much as these firewalls seem to differ, they share the core functionality of the PIX Firewall, namely, its hardware and software integration, VPN functionality, and extensibility. Table 7-2 compares Cisco's line of Cisco Secure PIX Firewalls.

Table 7-2: Cisco's Line of Cisco Secure PIX Firewalls

Model (Cisco Secure PIX Firewall) | Market | Processor | RAM | Interfaces | Throughput | Concurrent connections | Simultaneous VPN tunnels | NIC support
--- | --- | --- | --- | --- | --- | --- | --- | ---
PIX 501 | Small office/home office | 133-MHz Intel Pentium | 16 MB | Five-port Fast Ethernet | 60 Mbps | 7,500 | 10 | Fast Ethernet
PIX 506E | Remote office/branch office | 300-MHz Intel Pentium | 32 MB | Dual integrated 10/100BaseT Fast Ethernet | 100 Mbps | 25,000 | 25 | Fast Ethernet
PIX 515E | Small to medium-sized businesses and enterprises | 433-MHz Intel Pentium | 64 MB | Supports up to six 10/100BaseT Fast Ethernet interfaces | 190 Mbps | 130,000 | 2,000 | Fast Ethernet
PIX 525 | Enterprise and service providers | 600-MHz Intel Pentium III | Up to 256 MB | Supports up to eight 10/100BaseT Fast Ethernet or three Gigabit Ethernet interfaces | 330 Mbps | 280,000 | 2,000 | Fast Ethernet, Gigabit Ethernet
PIX 535 | Enterprise and service providers | 1-GHz Intel Pentium III | 1 GB | Supports up to 14 10/100BaseT Fast Ethernet or nine Gigabit Ethernet interfaces | 1.7 Gbps | 500,000 | 2,000 | Gigabit Ethernet, Fast Ethernet

Adaptive Security Appliances

While the PIX firewalls have been the core of Cisco's security tools, the new kid on the block is its Adaptive Security Appliance (ASA). The ASA is the main component in Cisco's Self-Defending Network.

The ASA is designed to secure an entire organization, no matter what its size. Additionally, it can secure a segment of a business, while still consolidating security mechanisms and reducing operating costs.

The Cisco ASA 5500 series provides network-based:

  • Worm and virus prevention

  • Spyware and adware prevention

  • Network-traffic inspection

  • Hacker prevention

  • Denial-of-service prevention

These features all come together with on-device security event correlation. Application security provides inspection and control for dynamically protected networked business applications. These services include the control of bandwidth-intensive peer-to-peer services and instant messaging, URL access control, protection of core business applications, and a number of application-specific protections for VoIP and multimedia. The Cisco ASA appliances can act as hardware VPN clients, simplifying management, along with hardware-accelerated SSL and VPN services.

The ASAs are managed using the Cisco ASA Software 7.2 services. The latest release of the software includes 50 new security enhancements. Some of the most significant bolster application-layer firewall services and the integration of Cisco Network Admission Control (NAC) services.

Application-layer firewall services help protect applications, including Web, e-mail, VoIP, instant messaging, and Microsoft networking protocols. NAC includes assessing users and devices, verifying updates to security software and operating systems before they are granted network access.

There are five models in the ASA line, which are compared in Table 7-3.

Table 7-3: Cisco's Line of Cisco Adaptive Security Appliances

Model | Market | Throughput | Site-to-site and remote access connections | SSL VPN connections | RAM | Ports | Security features | Anti-X (antivirus, antispyware, file blocking, antispam, antiphishing, and URL filtering) capable
--- | --- | --- | --- | --- | --- | --- | --- | ---
ASA 5505 Base/Security Plus | Small business, branch office, SOHO | 150 Mbps | 10/25 | 25 | 256 MB | Eight-port Fast Ethernet switch with two Power over Ethernet ports | Application layer security, layer 2 transparent firewalling, and IPSec | No
ASA 5510 Base/Security Plus | Small business and small enterprise | 300 Mbps | 250 | 250 | 256 MB | Eight Fast Ethernet with one management port | Application layer security, layer 2 transparent firewalling, and IPSec | Yes
ASA 5520 | Small enterprise | 450 Mbps | 750 | 750 | 512 MB | Four Gigabit Ethernet ports, one management port | Application layer security, layer 2 transparent firewalling, IPSec, VPN clustering, and load balancing | Yes
ASA 5540 | Medium enterprise | 650 Mbps | 5,000 | 2,500 | 1,024 MB | Four Gigabit Ethernet ports, one management port | Application layer security, layer 2 transparent firewalling, IPSec, VPN clustering, and load balancing | Yes
ASA 5550 | Large enterprise | 1.2 Gbps | 5,000 | 5,000 | 4,096 MB | Eight Gigabit Ethernet ports, one management port | Application layer security, layer 2 transparent firewalling, IPSec, VPN clustering, and load balancing | No




Source: Cisco: A Beginner's Guide, Fourth Edition (ISBN 0072263830), 2006. Pages: 102.

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net