Cisco ASA

Cisco ASA : All-in-One Firewall, IPS, and VPN Adaptive Security Appliance

3.55 (9 ratings by Goodreads)

List price: US$79.99



Identify, mitigate, and respond to network attacks:

  • Understand the evolution of security technologies that make up the unified ASA device and how to install the ASA hardware
  • Examine firewall solutions including network access control, IP routing, AAA, application inspection, virtual firewalls, transparent (Layer 2) firewalls, failover and redundancy, and QoS
  • Evaluate Intrusion Prevention System (IPS) solutions including IPS integration and Adaptive Inspection and Prevention Security Services Module (AIP-SSM) configuration
  • Deploy VPN solutions including site-to-site IPsec VPNs, remote-access VPNs, and Public Key Infrastructure (PKI)
  • Learn to manage firewall, IPS, and VPN solutions with Adaptive Security Device Manager (ASDM)

Achieving maximum network security is a challenge for most organizations. Cisco® ASA, a new unified security device that combines firewall, network antivirus, intrusion prevention, and virtual private network (VPN) capabilities, provides proactive threat defense that stops attacks before they spread through the network. This new family of adaptive security appliances also controls network activity and application traffic and delivers flexible VPN connectivity. The result is a powerful multifunction network security device that provides the security breadth and depth for protecting your entire network, while reducing the high deployment and operations costs and complexities associated with managing multiple point products.

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance is a practitioner's guide to planning, deploying, and troubleshooting a comprehensive security plan with Cisco ASA. The book provides valuable insight and deployment examples and demonstrates how adaptive identification and mitigation services on Cisco ASA provide a sophisticated security solution for both large and small network environments. The book contains many useful sample configurations, proven design scenarios, and discussions of debugs that help you understand how to get the most out of Cisco ASA in your own network.

"I have found this book really highlights the practical aspects needed for building real-world security. It offers the insider's guidance needed to plan, implement, configure, and troubleshoot the Cisco ASA in customer environments and demonstrates the potential and power of Self-Defending Networks." - Jayshree Ullal, Sr. Vice President, Security Technologies Group, Cisco Systems®

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Product details

  • Format: Paperback | 840 pages
  • Dimensions: 182.88 x 226.06 x 43.18 mm | 1,338.09 g
  • Publisher: Cisco Press
  • Publication city/country: Indianapolis, United States
  • Language: English
  • ISBN-10: 1587052091
  • ISBN-13: 9781587052095
  • Bestsellers rank: 1,668,046

Table of contents

Foreword
Introduction

Part I Product Overview

Chapter 1 Introduction to Network Security
  • Firewall Technologies
  • Network Firewalls
  • Packet-Filtering Techniques
  • Application Proxies
  • Network Address Translation
  • Port Address Translation
  • Static Translation
  • Stateful Inspection Firewalls
  • Personal Firewalls
  • Intrusion Detection and Prevention Technologies
  • Network-Based Intrusion Detection and Prevention Systems
  • Pattern Matching and Stateful Pattern-Matching Recognition
  • Protocol Analysis
  • Heuristic-Based Analysis
  • Anomaly-Based Analysis
  • Host-Based Intrusion Detection Systems
  • Network-Based Attacks
  • DoS Attacks
  • TCP SYN Flood Attacks
  • land.c Attacks
  • Smurf Attacks
  • DDoS Attacks
  • Session Hijacking
  • Virtual Private Networks
  • Understanding IPSec
  • Internet Key Exchange
  • IKE Phase 1
  • IKE Phase 2
  • IPSec Protocols
  • Authentication Header
  • Encapsulation Security Payload
  • IPSec Modes
  • Transport Mode
  • Tunnel Mode
  • Summary

Chapter 2 Product History
  • Cisco Firewall Products
  • Cisco PIX Firewalls
  • Cisco FWSM
  • Cisco IOS Firewall
  • Cisco IDS Products
  • Cisco VPN Products
  • Cisco ASA All-in-One Solution
  • Firewall Services
  • IPS Services
  • VPN Services
  • Summary

Chapter 3 Hardware Overview
  • Cisco ASA 5510 Model
  • Cisco ASA 5520 Model
  • Cisco ASA 5540 Model
  • AIP-SSM Modules
  • Summary

Part II Firewall Solution

Chapter 4 Initial Setup and System Maintenance
  • Accessing the Cisco ASA Appliances
  • Establishing a Console Connection
  • Command-Line Interface
  • Managing Licenses
  • Initial Setup
  • Setting Up the Device Name
  • Configuring an Interface
  • Configuring a Subinterface
  • Configuring a Management Interface
  • DHCP Services
  • IP Version 6
  • IPv6 Header
  • Configuring IPv6
  • IP Address Assignment
  • Setting Up the System Clock
  • Manual Clock Adjustment Using clock set
  • Automatic Clock Adjustment Using the Network Time Protocol
  • Time Zones and Daylight Savings Time
  • Configuration Management
  • Running Configuration
  • Startup Configuration
  • Removing the Device Configuration
  • Remote System Management
  • Telnet
  • Secure Shell
  • System Maintenance
  • Software Installation
  • Image Upgrade via the Cisco ASA CLI
  • Image Recovery Using ROMMON
  • Password Recovery Process
  • Disabling the Password Recovery Process
  • System Monitoring
  • System Logging
  • Enabling Logging
  • Logging Types
  • Additional Syslog Parameters
  • Simple Network Management Protocol
  • Configuring SNMP
  • SNMP Monitoring
  • CPU and Memory Monitoring
  • Summary

Chapter 5 Network Access Control
  • Packet Filtering
  • Types of ACLs
  • Standard ACLs
  • Extended ACLs
  • IPv6 ACLs
  • EtherType ACLs
  • WebVPN ACLs
  • Comparing ACL Features
  • Configuring Packet Filtering
  • Step 1: Set Up an ACL
  • Step 2: Apply an ACL to an Interface
  • Step 3: Set Up an IPv6 ACL (Optional)
  • Advanced ACL Features
  • Object Grouping
  • Object Types
  • Object Grouping and ACLs
  • Standard ACLs
  • Time-Based ACLs
  • Absolute
  • Periodic
  • Downloadable ACLs
  • ICMP Filtering
  • Content and URL Filtering
  • Content Filtering
  • ActiveX Filtering
  • Java Filtering
  • Configuring Content Filtering
  • URL Filtering
  • Configuring URL Filtering
  • Deployment Scenarios Using ACLs
  • Using ACLs to Filter Inbound and Outbound Traffic
  • Enabling Content Filtering Using Websense
  • Monitoring Network Access Control
  • Monitoring ACLs
  • Monitoring Content Filtering
  • Understanding Address Translation
  • Network Address Translation
  • Port Address Translation
  • Packet Flow Sequence
  • Configuring Address Translation
  • Static NAT
  • Dynamic Network Address Translation
  • Static Port Address Translation
  • Dynamic Port Address Translation
  • Policy NAT/PAT
  • Bypassing Address Translation
  • Identity NAT
  • NAT Exemption
  • NAT Order of Operation
  • Integrating ACLs and NAT
  • DNS Doctoring
  • Monitoring Address Translations
  • Summary

Chapter 6 IP Routing
  • Configuring Static Routes
  • RIP
  • Configuring RIP
  • Verifying the Configuration
  • Troubleshooting RIP
  • Scenario 1: RIP Version Mismatch
  • Scenario 2: RIP Authentication Mismatch
  • Scenario 3: Multicast or Broadcast Packets Blocked
  • Scenario 4: Correct Configuration and Behavior
  • OSPF
  • Configuring OSPF
  • Enabling OSPF
  • Virtual Links
  • Configuring OSPF Authentication
  • Configuring the Cisco ASA as an ASBR
  • Stub Areas and NSSAs
  • ABR Type 3 LSA Filtering
  • OSPF neighbor Command and Dynamic Routing over VPN
  • Troubleshooting OSPF
  • Useful Troubleshooting Commands
  • Mismatched Areas
  • OSPF Authentication Mismatch
  • Troubleshooting Virtual Link Problems
  • IP Multicast
  • IGMP
  • IP Multicast Routing
  • Configuring Multicast Routing
  • Enabling Multicast Routing
  • Statically Assigning an IGMP Group
  • Limiting IGMP States
  • IGMP Query Timeout
  • Defining the IGMP Version
  • Configuring Rendezvous Points
  • Configuring Threshold for SPT Switchover
  • Filtering RP Register Messages
  • PIM Designated Router Priority
  • PIM Hello Message Interval
  • Configuring a Static Multicast Route
  • Troubleshooting IP Multicast Routing
  • show Commands
  • debug Commands
  • Deployment Scenarios
  • Deploying OSPF
  • Deploying IP Multicast
  • Summary

Chapter 7 Authentication, Authorization, and Accounting (AAA)
  • AAA Protocols and Services Supported by Cisco ASA
  • RADIUS
  • TACACS+
  • RSA SecurID
  • Microsoft Windows NT
  • Active Directory and Kerberos
  • Lightweight Directory Access Protocol
  • Defining an Authentication Server
  • Configuring Authentication of Administrative Sessions
  • Authenticating Telnet Connections
  • Authenticating SSH Connections
  • Authenticating Serial Console Connections
  • Authenticating Cisco ASDM Connections
  • Authenticating Firewall Sessions (Cut-Through Proxy Feature)
  • Authentication Timeouts
  • Customizing Authentication Prompts
  • Configuring Authorization
  • Command Authorization
  • Configuring Downloadable ACLs
  • Configuring Accounting
  • RADIUS Accounting
  • TACACS+ Accounting
  • Deployment Scenarios
  • Deploying Authentication, Command Authorization, and Accounting for Administrative Sessions
  • Deploying Cut-Through Proxy Authentication
  • Troubleshooting AAA
  • Troubleshooting Administrative Connections to Cisco ASA
  • Troubleshooting Firewall Sessions (Cut-Through Proxy)
  • Summary

Chapter 8 Application Inspection
  • Enabling Application Inspection Using the Modular Policy Framework
  • Selective Inspection
  • Computer Telephony Interface Quick Buffer Encoding Inspection
  • Domain Name System
  • Extended Simple Mail Transfer Protocol
  • File Transfer Protocol
  • General Packet Radio Service Tunneling Protocol
  • GTPv0
  • GTPv1
  • Configuring GTP Inspection
  • H.323
  • H.323 Protocol Suite
  • H.323 Version Compatibility
  • Enabling H.323 Inspection
  • Direct Call Signaling and Gatekeeper Routed Control Signaling
  • T.38
  • HTTP
  • Enabling HTTP Inspection
  • strict-http
  • content-length
  • content-type-verification
  • max-header-length
  • max-uri-length
  • port-misuse
  • request-method
  • transfer-encoding type
  • ICMP
  • ILS
  • MGCP
  • NetBIOS
  • PPTP
  • Sun RPC
  • RSH
  • RTSP
  • SIP
  • Skinny
  • SNMP
  • SQL*Net
  • TFTP
  • XDMCP
  • Deployment Scenarios
  • ESMTP
  • HTTP
  • FTP
  • Summary

Chapter 9 Security Contexts
  • Architectural Overview
  • System Execution Space
  • Admin Context
  • Customer Context
  • Packet Flow in Multiple Mode
  • Packet Classification
  • Packet Forwarding Between Contexts
  • Configuration of Security Contexts
  • Step 1: Enabling Multiple Security Contexts Globally
  • Step 2: Setting Up the System Execution Space
  • Step 3: Specifying a Configuration URL
  • Step 4: Allocating the Interfaces
  • Step 5: Configuring an Admin Context
  • Step 6: Configuring a Customer Context
  • Step 7: Managing the Security Contexts (Optional)
  • Deployment Scenarios
  • Virtual Firewall Using Two Customer Contexts
  • Virtual Firewall Using a Shared Interface
  • Monitoring and Troubleshooting the Security Contexts
  • Monitoring
  • Troubleshooting
  • Summary

Chapter 10 Transparent Firewalls
  • Architectural Overview
  • Single-Mode Transparent Firewall
  • Packet Flow in an SMTF
  • Multimode Transparent Firewall
  • Packet Flow in an MMTF
  • Transparent Firewalls and VPNs
  • Configuration of Transparent Firewall
  • Configuration Guidelines
  • Configuration Steps
  • Step 1: Enabling Transparent Firewalls
  • Step 2: Setting Up Interfaces
  • Step 3: Configuring an IP Address
  • Step 4: Configuring Interface ACLs
  • Step 5: Adding Static L2F Table Entries (Optional)
  • Step 6: Enabling ARP Inspection (Optional)
  • Step 7: Modifying L2F Table Parameters (Optional)
  • Deployment Scenarios
  • SMTF Deployment
  • MMTF Deployment with Security Contexts
  • Monitoring and Troubleshooting the Transparent Firewall
  • Monitoring
  • Troubleshooting
  • Summary

Chapter 11 Failover and Redundancy
  • Architectural Overview
  • Conditions that Trigger Failover
  • Failover Interface Tests
  • Stateful Failover
  • Hardware and Software Requirements
  • Types of Failover
  • Active/Standby Failover
  • Active/Active Failover
  • Asymmetric Routing
  • Failover Configuration
  • Active/Standby Failover Configuration
  • Step 1: Select the Failover Link
  • Step 2: Assign Failover IP Addresses
  • Step 3: Set the Failover Key (Optional)
  • Step 4: Designating the Primary Cisco ASA
  • Step 5: Enable Stateful Failover (Optional)
  • Step 6: Enable Failover Globally
  • Step 7: Configure Failover on the Secondary Cisco ASA
  • Active/Active Failover Configuration
  • Step 1: Select the Failover Link
  • Step 2: Assign Failover Interface IP Addresses
  • Step 3: Set Failover Key
  • Step 4: Designate the Primary Cisco ASA
  • Step 5: Enable Stateful Failover
  • Step 6: Set Up Failover Groups
  • Step 7: Assign Failover Group Membership
  • Step 8: Assign Interface IP Addresses
  • Step 9: Set Up Asymmetric Routing (Optional)
  • Step 10: Enable Failover Globally
  • Step 11: Configure Failover on the Secondary Cisco ASA
  • Optional Failover Commands
  • Specifying Failover MAC Addresses
  • Configuring Interface Policy
  • Managing Failover Timers
  • Monitoring Failover Interfaces
  • Zero-Downtime Software Upgrade
  • Deployment Scenarios
  • Active/Standby Failover in Single Mode
  • Active/Active Failover in Multiple Security Contexts
  • Monitoring and Troubleshooting Failovers
  • Monitoring
  • Troubleshooting
  • Summary

Chapter 12 Quality of Service
  • Architectural Overview
  • Traffic Policing
  • Traffic Prioritization
  • Packet Flow Sequence
  • Packet Classification
  • IP Precedence Field
  • IP DSCP Field
  • IP Access Control List
  • IP Flow
  • VPN Tunnel Group
  • QoS and VPN Tunnels
  • Configuring Quality of Service
  • Step 1: Set Up a Class Map
  • Step 2: Configure a Policy Map
  • Step 3: Apply the Policy Map on the Interface
  • Step 4: Tune the Priority Queue (Optional)
  • QoS Deployment Scenarios
  • QoS for VoIP Traffic
  • QoS for the Remote-Access VPN Tunnels
  • Monitoring QoS
  • Summary

Part III Intrusion Prevention System (IPS) Solution

Chapter 13 Intrusion Prevention System Integration
  • Adaptive Inspection Prevention Security Services Module (AIP-SSM) Overview
  • AIP-SSM Management
  • Inline Versus Promiscuous Mode
  • Directing Traffic to the AIP-SSM
  • AIP-SSM Module Software Recovery
  • Additional IPS Features
  • IP Audit
  • Shunning
  • Summary

Chapter 14 Configuring and Troubleshooting Cisco IPS Software via CLI
  • Cisco IPS Software Architecture
  • MainApp
  • SensorApp
  • Network Access Controller
  • AuthenticationApp
  • cipsWebserver
  • LogApp
  • EventStore
  • TransactionSource
  • Introduction to the CIPS 5.x Command-Line Interface
  • Logging In to the AIP-SSM via the CLI
  • CLI Command Modes
  • Initializing the AIP-SSM
  • User Administration
  • User Account Roles and Levels
  • Administrator Account
  • Operator Account
  • Viewer Account
  • Service Account
  • Adding and Deleting Users by Using the CLI
  • Creating Users
  • Deleting Users
  • Changing Passwords
  • AIP-SSM Maintenance
  • Adding Trusted Hosts
  • SSH Known Host List
  • TLS Known Host List
  • Upgrading the CIPS Software and Signatures via the CLI
  • One-Time Upgrades
  • Scheduled Upgrades
  • Displaying Software Version and Configuration Information
  • Backing Up Your Configuration
  • Displaying and Clearing Events
  • Displaying and Clearing Statistics
  • Advanced Features and Configuration
  • IPS Tuning
  • Disabling and Retiring IPS Signatures
  • Custom Signatures
  • IP Logging
  • Automatic Logging
  • Manual Logging of Specific Host Traffic
  • Configuring Blocking (Shunning)
  • Summary

Part IV Virtual Private Network (VPN) Solution

Chapter 15 Site-to-Site IPSec VPNs
  • Preconfiguration Checklist
  • Configuration Steps
  • Step 1: Enable ISAKMP
  • Step 2: Create the ISAKMP Policy
  • Step 3: Set the Tunnel Type
  • Step 4: Configure ISAKMP Preshared Keys
  • Step 5: Define the IPSec Policy
  • Step 6: Specify Interesting Traffic
  • Step 7: Configure a Crypto Map
  • Step 8: Apply the Crypto Map to an Interface
  • Step 9: Configuring Traffic Filtering
  • Step 10: Bypassing NAT (Optional)
  • Advanced Features
  • OSPF Updates over IPSec
  • Reverse Route Injection
  • NAT Traversal
  • Tunnel Default Gateway
  • Optional Commands
  • Perfect Forward Secrecy
  • Security Association Lifetimes
  • Phase 1 Mode
  • Connection Type
  • Inheritance
  • ISAKMP Keepalives
  • Deployment Scenarios
  • Single Site-to-Site Tunnel Configuration Using NAT-T
  • Fully Meshed Topology with RRI
  • Monitoring and Troubleshooting Site-to-Site IPSec VPNs
  • Monitoring Site-to-Site VPNs
  • Troubleshooting Site-to-Site VPNs
  • ISAKMP Proposal Unacceptable
  • Mismatched Preshared Keys
  • Incompatible IPSec Transform Set
  • Mismatched Proxy Identities
  • Summary

Chapter 16 Remote Access VPN
  • Cisco IPSec Remote Access VPN Solution
  • Configuration Steps
  • Step 1: Enable ISAKMP
  • Step 2: Create the ISAKMP Policy
  • Step 3: Configure Remote-Access Attributes
  • Step 4: Define the Tunnel Type
  • Step 5: Configure ISAKMP Preshared Keys
  • Step 6: Configure User Authentication
  • Step 7: Assign an IP Address
  • Step 8: Define the IPSec Policy
  • Step 9: Set Up a Dynamic Crypto Map
  • Step 10: Configure the Crypto Map
  • Step 11: Apply the Crypto Map to an Interface
  • Step 12: Configure Traffic Filtering
  • Step 13: Set Up a Tunnel Default Gateway (Optional)
  • Step 14: Bypass NAT (Optional)
  • Step 15: Set Up Split Tunneling (Optional)
  • Cisco VPN Client Configuration
  • Software-Based VPN Clients
  • Hardware-Based VPN Clients
  • Advanced Cisco IPSec VPN Features
  • Transparent Tunneling
  • NAT Traversal
  • IPSec over TCP
  • IPSec over UDP
  • IPSec Hairpinning
  • VPN Load-Balancing
  • Client Auto-Update
  • Client Firewalling
  • Personal Firewall Check
  • Central Protection Policy
  • Hardware-Based Easy VPN Client Features
  • Interactive Hardware Client Authentication
  • Individual User Authentication
  • Cisco IP Phone Bypass
  • Leap Bypass
  • Hardware Client Network Extension Mode
  • Deployment Scenarios of Cisco IPSec VPN
  • IPSec Hairpinning with Easy VPN and Firewalling
  • Load-Balancing and Site-to-Site Integration
  • Monitoring and Troubleshooting Cisco Remote Access VPN
  • Monitoring Cisco Remote Access IPSec VPNs
  • Troubleshooting Cisco IPSec VPN Clients
  • Cisco WebVPN Solution
  • Configuration Steps
  • Step 1: Enable the HTTP Service
  • Step 2: Enable WebVPN on the Interface
  • Step 3: Configure WebVPN Look and Feel
  • Step 4: Configure WebVPN Group Attributes
  • Step 5: Configure User Authentication
  • Advanced WebVPN Features
  • Port Forwarding
  • Configuring URL Mangling
  • E-Mail Proxy
  • Authentication Methods for E-Mail Proxy
  • Identifying E-Mail Servers for E-Mail Proxies
  • Delimiters
  • Windows File Sharing
  • WebVPN Access Lists
  • Deployment Scenarios of WebVPN
  • WebVPN with External Authentication
  • WebVPN with E-Mail Proxies
  • Monitoring and Troubleshooting WebVPN
  • Monitoring WebVPN
  • Troubleshooting WebVPN
  • SSL Negotiations
  • WebVPN Data Capture
  • E-Mail Proxy Issues
  • Summary

Chapter 17 Public Key Infrastructure (PKI)
  • Introduction to PKI
  • Certificates
  • Certificate Authority
  • Certificate Revocation List
  • Simple Certificate Enrollment Protocol
  • Enrolling the Cisco ASA to a CA Using SCEP
  • Generating the RSA Key Pair
  • Configuring a Trustpoint
  • Manual (Cut-and-Paste) Enrollment
  • Configuration for Manual Enrollment
  • Obtaining the CA Certificate
  • Generating the ID Certificate Request and Importing the ID Certificate
  • Configuring CRL Options
  • Configuring IPSec Site-to-Site Tunnels Using Certificates
  • Configuring the Cisco ASA to Accept Remote-Access VPN Clients Using Certificates
  • Enrolling the Cisco VPN Client
  • Configuring the Cisco ASA
  • Troubleshooting PKI
  • Time and Date Mismatch
  • SCEP Enrollment Problems
  • CRL Retrieval Problems
  • Summary

Part V Adaptive Security Device Manager

Chapter 18 Introduction to ASDM
  • Setting Up ASDM
  • Uploading ASDM
  • Setting Up Cisco ASA
  • Accessing ASDM
  • Initial Setup
  • Startup Wizard
  • Functional Screens
  • Configuration Screen
  • Monitoring Screen
  • Interface Management
  • System Clock
  • Configuration Management
  • Remote System Management
  • Telnet
  • SSH
  • SSL (ASDM)
  • System Maintenance
  • Software Installation
  • File Management
  • System Monitoring
  • System Logging
  • SNMP
  • Summary

Chapter 19 Firewall Management Using ASDM
  • Access Control Lists
  • Address Translation
  • Routing Protocols
  • RIP
  • OSPF
  • Multicast
  • AAA
  • Application Inspection
  • Security Contexts
  • Transparent Firewalls
  • Failover
  • QoS
  • Summary

Chapter 20 IPS Management Using ASDM
  • Accessing the IPS Device Management Console from ASDM
  • Configuring Basic AIP-SSM Settings
  • Licensing
  • Verifying Network Settings
  • Adding Allowed Hosts
  • Configuring NTP
  • Adding Users
  • Advanced IPS Configuration and Monitoring Using ASDM
  • Disabling and Enabling Signatures
  • Configuring Blocking
  • Creating Custom Signatures
  • Creating Event Action Filters
  • Installing Signature Updates and Software Service Packs
  • Configuring Auto-Update
  • Summary

Chapter 21 VPN Management Using ASDM
  • Site-to-Site VPN Setup Using Preshared Keys
  • Site-to-Site VPN Setup Using PKI
  • Cisco Remote-Access IPSec VPN Setup
  • WebVPN
  • VPN Monitoring
  • Summary

Chapter 22 Case Studies
  • Case Study 1: Deploying the Cisco ASA at Branch Offices and Small Businesses
  • Branch Offices
  • Small Business Partners
  • Case Study 2: Large Enterprise Firewall, VPN, and IPS Deployment
  • Internet Edge and DMZ
  • Filtering Websites
  • Remote Access VPN Cluster
  • Application Inspection
  • IPS
  • Case Study 3: Data Center Security with Cisco ASA
  • Summary

Index

About Jazib Frahim and Omar Santos

Jazib Frahim, CCIE® No. 5459, is a senior network security engineer in the Worldwide Security Services Practice of Advanced Services for Network Security at Cisco. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. Omar Santos is a senior network security engineer in the Worldwide Security Services Practice of Advanced Services for Network Security at Cisco. He has more than 12 years of experience in secure data communications.

Rating details

9 ratings, 3.55 out of 5 stars

  • 5 stars: 22% (2)
  • 4 stars: 22% (2)
  • 3 stars: 44% (4)
  • 2 stars: 11% (1)
  • 1 star: 0% (0)

Book ratings by Goodreads