Cisco ASA

Cisco ASA : All-in-One Firewall, IPS, and VPN Adaptive Security Appliance

3.62 (8 ratings by Goodreads)
By (author) Jazib Frahim, By (author) Omar Santos

List price: US$80.01



Identify, mitigate, and respond to network attacks

  • Understand the evolution of security technologies that make up the unified ASA device and how to install the ASA hardware
  • Examine firewall solutions including network access control, IP routing, AAA, application inspection, virtual firewalls, transparent (Layer 2) firewalls, failover and redundancy, and QoS
  • Evaluate Intrusion Prevention System (IPS) solutions including IPS integration and Adaptive Inspection and Prevention Security Services Module (AIP-SSM) configuration
  • Deploy VPN solutions including site-to-site IPsec VPNs, remote-access VPNs, and Public Key Infrastructure (PKI)
  • Learn to manage firewall, IPS, and VPN solutions with Adaptive Security Device Manager (ASDM)

Achieving maximum network security is a challenge for most organizations. Cisco® ASA, a new unified security device that combines firewall, network antivirus, intrusion prevention, and virtual private network (VPN) capabilities, provides proactive threat defense that stops attacks before they spread through the network. This new family of adaptive security appliances also controls network activity and application traffic and delivers flexible VPN connectivity. The result is a powerful multifunction network security device that provides the security breadth and depth for protecting your entire network, while reducing the high deployment and operations costs and complexities associated with managing multiple point products.

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance is a practitioner's guide to planning, deploying, and troubleshooting a comprehensive security plan with Cisco ASA. The book provides valuable insight and deployment examples and demonstrates how adaptive identification and mitigation services on Cisco ASA provide a sophisticated security solution for both large and small network environments. The book contains many useful sample configurations, proven design scenarios, and discussions of debugs that help you understand how to get the most out of Cisco ASA in your own network.

"I have found this book really highlights the practical aspects needed for building real-world security. It offers the insider's guidance needed to plan, implement, configure, and troubleshoot the Cisco ASA in customer environments and demonstrates the potential and power of Self-Defending Networks." --Jayshree Ullal, Sr. Vice President, Security Technologies Group, Cisco Systems®

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending

Product details

  • Paperback | 840 pages
  • 182.88 x 226.06 x 43.18mm | 1,338.09g
  • Publisher: Pearson Education (US)
  • Imprint: Cisco Press
  • Publication City/Country: Indianapolis, United States
  • Language: English
  • ISBN10: 1587052091
  • ISBN13: 9781587052095
  • Bestsellers rank: 1,555,027

About Jazib Frahim

Jazib Frahim, CCIE No. 5459 (Routing and Switching, Security), is a technical leader in the Security and VPN Solutions Group of the Technical Assistance Center at Cisco Systems. He has written numerous Cisco online technical documents and participated as an active member of Cisco's online forum (NetPro). Omar Santos is a senior engineer in the Security and VPN Solutions TAC Group at Cisco. He has more than 10 years of experience in secure data communications and has worked on complex implementations with the US Marine Corps and DoD. He has written many Cisco online technical documents and configuration guidelines and delivered numerous technical

Table of contents

Foreword
Introduction

Part I Product Overview
  • Chapter 1 Introduction to Network Security: Firewall Technologies Network Firewalls Packet-Filtering Techniques Application Proxies Network Address Translation Port Address Translation Static Translation Stateful Inspection Firewalls Personal Firewalls Intrusion Detection and Prevention Technologies Network-Based Intrusion Detection and Prevention Systems Pattern Matching and Stateful Pattern-Matching Recognition Protocol Analysis Heuristic-Based Analysis Anomaly-Based Analysis Host-Based Intrusion Detection Systems Network-Based Attacks DoS Attacks TCP SYN Flood Attacks land.c Attacks Smurf Attacks DDoS Attacks Session Hijacking Virtual Private Networks Understanding IPSec Internet Key Exchange IKE Phase 1 IKE Phase 2 IPSec Protocols Authentication Header Encapsulation Security Payload IPSec Modes Transport Mode Tunnel Mode Summary
  • Chapter 2 Product History: Cisco Firewall Products Cisco PIX Firewalls Cisco FWSM Cisco IOS Firewall Cisco IDS Products Cisco VPN Products Cisco ASA All-in-One Solution Firewall Services IPS Services VPN Services Summary
  • Chapter 3 Hardware Overview: Cisco ASA 5510 Model Cisco ASA 5520 Model Cisco ASA 5540 Model AIP-SSM Modules Summary

Part II Firewall Solution
  • Chapter 4 Initial Setup and System Maintenance: Accessing the Cisco ASA Appliances Establishing a Console Connection Command-Line Interface Managing Licenses Initial Setup Setting Up the Device Name Configuring an Interface Configuring a Subinterface Configuring a Management Interface DHCP Services IP Version 6 IPv6 Header Configuring IPv6 IP Address Assignment Setting Up the System Clock Manual Clock Adjustment Using clock set Automatic Clock Adjustment Using the Network Time Protocol Time Zones and Daylight Savings Time Configuration Management Running Configuration Startup Configuration Removing the Device Configuration Remote System Management Telnet Secure Shell System Maintenance Software Installation Image Upgrade via the Cisco ASA CLI Image Recovery Using ROMMON Password Recovery Process Disabling the Password Recovery Process System Monitoring System Logging Enabling Logging Logging Types Additional Syslog Parameters Simple Network Management Protocol Configuring SNMP SNMP Monitoring CPU and Memory Monitoring Summary
  • Chapter 5 Network Access Control: Packet Filtering Types of ACLs Standard ACLs Extended ACLs IPv6 ACLs EtherType ACLs WebVPN ACLs Comparing ACL Features Configuring Packet Filtering Step 1: Set Up an ACL Step 2: Apply an ACL to an Interface Step 3: Set Up an IPv6 ACL (Optional) Advanced ACL Features Object Grouping Object Types Object Grouping and ACLs Standard ACLs Time-Based ACLs Absolute Periodic Downloadable ACLs ICMP Filtering Content and URL Filtering Content Filtering ActiveX Filtering Java Filtering Configuring Content Filtering URL Filtering Configuring URL Filtering Deployment Scenarios Using ACLs Using ACLs to Filter Inbound and Outbound Traffic Enabling Content Filtering Using Websense Monitoring Network Access Control Monitoring ACLs Monitoring Content Filtering Understanding Address Translation Network Address Translation Port Address Translation Packet Flow Sequence Configuring Address Translation Static NAT Dynamic Network Address Translation Static Port Address Translation Dynamic Port Address Translation Policy NAT/PAT Bypassing Address Translation Identity NAT NAT Exemption NAT Order of Operation Integrating ACLs and NAT DNS Doctoring Monitoring Address Translations Summary
  • Chapter 6 IP Routing: Configuring Static Routes RIP Configuring RIP Verifying the Configuration Troubleshooting RIP Scenario 1: RIP Version Mismatch Scenario 2: RIP Authentication Mismatch Scenario 3: Multicast or Broadcast Packets Blocked Scenario 4: Correct Configuration and Behavior OSPF Configuring OSPF Enabling OSPF Virtual Links Configuring OSPF Authentication Configuring the Cisco ASA as an ASBR Stub Areas and NSSAs ABR Type 3 LSA Filtering OSPF neighbor Command and Dynamic Routing over VPN Troubleshooting OSPF Useful Troubleshooting Commands Mismatched Areas OSPF Authentication Mismatch Troubleshooting Virtual Link Problems IP Multicast IGMP IP Multicast Routing Configuring Multicast Routing Enabling Multicast Routing Statically Assigning an IGMP Group Limiting IGMP States IGMP Query Timeout Defining the IGMP Version Configuring Rendezvous Points Configuring Threshold for SPT Switchover Filtering RP Register Messages PIM Designated Router Priority PIM Hello Message Interval Configuring a Static Multicast Route Troubleshooting IP Multicast Routing show Commands debug Commands Deployment Scenarios Deploying OSPF Deploying IP Multicast Summary
  • Chapter 7 Authentication, Authorization, and Accounting (AAA): AAA Protocols and Services Supported by Cisco ASA RADIUS TACACS+ RSA SecurID Microsoft Windows NT Active Directory and Kerberos Lightweight Directory Access Protocol Defining an Authentication Server Configuring Authentication of Administrative Sessions Authenticating Telnet Connections Authenticating SSH Connections Authenticating Serial Console Connections Authenticating Cisco ASDM Connections Authenticating Firewall Sessions (Cut-Through Proxy Feature) Authentication Timeouts Customizing Authentication Prompts Configuring Authorization Command Authorization Configuring Downloadable ACLs Configuring Accounting RADIUS Accounting TACACS+ Accounting Deployment Scenarios Deploying Authentication, Command Authorization, and Accounting for Administrative Sessions Deploying Cut-Through Proxy Authentication Troubleshooting AAA Troubleshooting Administrative Connections to Cisco ASA Troubleshooting Firewall Sessions (Cut-Through Proxy) Summary
  • Chapter 8 Application Inspection: Enabling Application Inspection Using the Modular Policy Framework Selective Inspection Computer Telephony Interface Quick Buffer Encoding Inspection Domain Name System Extended Simple Mail Transfer Protocol File Transfer Protocol General Packet Radio Service Tunneling Protocol GTPv0 GTPv1 Configuring GTP Inspection H.323 H.323 Protocol Suite H.323 Version Compatibility Enabling H.323 Inspection Direct Call Signaling and Gatekeeper Routed Control Signaling T.38 HTTP Enabling HTTP Inspection strict-http content-length content-type-verification max-header-length max-uri-length port-misuse request-method transfer-encoding type ICMP ILS MGCP NetBIOS PPTP Sun RPC RSH RTSP SIP Skinny SNMP SQL*Net TFTP XDMCP Deployment Scenarios ESMTP HTTP FTP Summary
  • Chapter 9 Security Contexts: Architectural Overview System Execution Space Admin Context Customer Context Packet Flow in Multiple Mode Packet Classification Packet Forwarding Between Contexts Configuration of Security Contexts Step 1: Enabling Multiple Security Contexts Globally Step 2: Setting Up the System Execution Space Step 3: Specifying a Configuration URL Step 4: Allocating the Interfaces Step 5: Configuring an Admin Context Step 6: Configuring a Customer Context Step 7: Managing the Security Contexts (Optional) Deployment Scenarios Virtual Firewall Using Two Customer Contexts Virtual Firewall Using a Shared Interface Monitoring and Troubleshooting the Security Contexts Monitoring Troubleshooting Summary
  • Chapter 10 Transparent Firewalls: Architectural Overview Single-Mode Transparent Firewall Packet Flow in an SMTF Multimode Transparent Firewall Packet Flow in an MMTF Transparent Firewalls and VPNs Configuration of Transparent Firewall Configuration Guidelines Configuration Steps Step 1: Enabling Transparent Firewalls Step 2: Setting Up Interfaces Step 3: Configuring an IP Address Step 4: Configuring Interface ACLs Step 5: Adding Static L2F Table Entries (Optional) Step 6: Enabling ARP Inspection (Optional) Step 7: Modifying L2F Table Parameters (Optional) Deployment Scenarios SMTF Deployment MMTF Deployment with Security Contexts Monitoring and Troubleshooting the Transparent Firewall Monitoring Troubleshooting Summary
  • Chapter 11 Failover and Redundancy: Architectural Overview Conditions that Trigger Failover Failover Interface Tests Stateful Failover Hardware and Software Requirements Types of Failover Active/Standby Failover Active/Active Failover Asymmetric Routing Failover Configuration Active/Standby Failover Configuration Step 1: Select the Failover Link Step 2: Assign Failover IP Addresses Step 3: Set the Failover Key (Optional) Step 4: Designating the Primary Cisco ASA Step 5: Enable Stateful Failover (Optional) Step 6: Enable Failover Globally Step 7: Configure Failover on the Secondary Cisco ASA Active/Active Failover Configuration Step 1: Select the Failover Link Step 2: Assign Failover Interface IP Addresses Step 3: Set Failover Key Step 4: Designate the Primary Cisco ASA Step 5: Enable Stateful Failover Step 6: Set Up Failover Groups Step 7: Assign Failover Group Membership Step 8: Assign Interface IP Addresses Step 9: Set Up Asymmetric Routing (Optional) Step 10: Enable Failover Globally Step 11: Configure Failover on the Secondary Cisco ASA Optional Failover Commands Specifying Failover MAC Addresses Configuring Interface Policy Managing Failover Timers Monitoring Failover Interfaces Zero-Downtime Software Upgrade Deployment Scenarios Active/Standby Failover in Single Mode Active/Active Failover in Multiple Security Contexts Monitoring and Troubleshooting Failovers Monitoring Troubleshooting Summary
  • Chapter 12 Quality of Service: Architectural Overview Traffic Policing Traffic Prioritization Packet Flow Sequence Packet Classification IP Precedence Field IP DSCP Field IP Access Control List IP Flow VPN Tunnel Group QoS and VPN Tunnels Configuring Quality of Service Step 1: Set Up a Class Map Step 2: Configure a Policy Map Step 3: Apply the Policy Map on the Interface Step 4: Tune the Priority Queue (Optional) QoS Deployment Scenarios QoS for VoIP Traffic QoS for the Remote-Access VPN Tunnels Monitoring QoS Summary

Part III Intrusion Prevention System (IPS) Solution
  • Chapter 13 Intrusion Prevention System Integration: Adaptive Inspection Prevention Security Services Module Overview (AIP-SSM) AIP-SSM Management Inline Versus Promiscuous Mode Directing Traffic to the AIP-SSM AIP-SSM Module Software Recovery Additional IPS Features IP Audit Shunning Summary
  • Chapter 14 Configuring and Troubleshooting Cisco IPS Software via CLI: Cisco IPS Software Architecture MainApp SensorApp Network Access Controller AuthenticationApp cipsWebserver LogApp EventStore TransactionSource Introduction to the CIPS 5.x Command-Line Interface Logging In to the AIP-SSM via the CLI CLI Command Modes Initializing the AIP-SSM User Administration User Account Roles and Levels Administrator Account Operator Account Viewer Account Service Account Adding and Deleting Users by Using the CLI Creating Users Deleting Users Changing Passwords AIP-SSM Maintenance Adding Trusted Hosts SSH Known Host List TLS Known Host List Upgrading the CIPS Software and Signatures via the CLI One-Time Upgrades Scheduled Upgrades Displaying Software Version and Configuration Information Backing Up Your Configuration Displaying and Clearing Events Displaying and Clearing Statistics Advanced Features and Configuration IPS Tuning Disabling and Retiring IPS Signatures Custom Signatures IP Logging Automatic Logging Manual Logging of Specific Host Traffic Configuring Blocking (Shunning) Summary

Part IV Virtual Private Network (VPN) Solution
  • Chapter 15 Site-to-Site IPSec VPNs: Preconfiguration Checklist Configuration Steps Step 1: Enable ISAKMP Step 2: Create the ISAKMP Policy Step 3: Set the Tunnel Type Step 4: Configure ISAKMP Preshared Keys Step 5: Define the IPSec Policy Step 6: Specify Interesting Traffic Step 7: Configure a Crypto Map Step 8: Apply the Crypto Map to an Interface Step 9: Configuring Traffic Filtering Step 10: Bypassing NAT (Optional) Advanced Features OSPF Updates over IPSec Reverse Route Injection NAT Traversal Tunnel Default Gateway Optional Commands Perfect Forward Secrecy Security Association Lifetimes Phase 1 Mode Connection Type Inheritance ISAKMP Keepalives Deployment Scenarios Single Site-to-Site Tunnel Configuration Using NAT-T Fully Meshed Topology with RRI Monitoring and Troubleshooting Site-to-Site IPSec VPNs Monitoring Site-to-Site VPNs Troubleshooting Site-to-Site VPNs ISAKMP Proposal Unacceptable Mismatched Preshared Keys Incompatible IPSec Transform Set Mismatched Proxy Identities Summary
  • Chapter 16 Remote Access VPN: Cisco IPSec Remote Access VPN Solution Configuration Steps Step 1: Enable ISAKMP Step 2: Create the ISAKMP Policy Step 3: Configure Remote-Access Attributes Step 4: Define the Tunnel Type Step 5: Configure ISAKMP Preshared Keys Step 6: Configure User Authentication Step 7: Assign an IP Address Step 8: Define the IPSec Policy Step 9: Set Up a Dynamic Crypto Map Step 10: Configure the Crypto Map Step 11: Apply the Crypto Map to an Interface Step 12: Configure Traffic Filtering Step 13: Set Up a Tunnel Default Gateway (Optional) Step 14: Bypass NAT (Optional) Step 15: Set Up Split Tunneling (Optional) Cisco VPN Client Configuration Software-Based VPN Clients Hardware-Based VPN Clients Advanced Cisco IPSec VPN Features Transparent Tunneling NAT Traversal IPSec over TCP IPSec over UDP IPSec Hairpinning VPN Load-Balancing Client Auto-Update Client Firewalling Personal Firewall Check Central Protection Policy Hardware-Based Easy VPN Client Features Interactive Hardware Client Authentication Individual User Authentication Cisco IP Phone Bypass Leap Bypass Hardware Client Network Extension Mode Deployment Scenarios of Cisco IPSec VPN IPSec Hairpinning with Easy VPN and Firewalling Load-Balancing and Site-to-Site Integration Monitoring and Troubleshooting Cisco Remote Access VPN Monitoring Cisco Remote Access IPSec VPNs Troubleshooting Cisco IPSec VPN Clients Cisco WebVPN Solution Configuration Steps Step 1: Enable the HTTP Service Step 2: Enable WebVPN on the Interface Step 3: Configure WebVPN Look and Feel Step 4: Configure WebVPN Group Attributes Step 5: Configure User Authentication Advanced WebVPN Features Port Forwarding Configuring URL Mangling E-Mail Proxy Authentication Methods for E-Mail Proxy Identifying E-Mail Servers for E-Mail Proxies Delimiters Windows File Sharing WebVPN Access Lists Deployment Scenarios of WebVPN WebVPN with External Authentication WebVPN with E-Mail Proxies Monitoring and Troubleshooting WebVPN Monitoring WebVPN Troubleshooting WebVPN SSL Negotiations WebVPN Data Capture E-Mail Proxy Issues Summary
  • Chapter 17 Public Key Infrastructure (PKI): Introduction to PKI Certificates Certificate Authority Certificate Revocation List Simple Certificate Enrollment Protocol Enrolling the Cisco ASA to a CA Using SCEP Generating the RSA Key Pair Configuring a Trustpoint Manual (Cut-and-Paste) Enrollment Configuration for Manual Enrollment Obtaining the CA Certificate Generating the ID Certificate Request and Importing the ID Certificate Configuring CRL Options Configuring IPSec Site-to-Site Tunnels Using Certificates Configuring the Cisco ASA to Accept Remote-Access VPN Clients Using Certificates Enrolling the Cisco VPN Client Configuring the Cisco ASA Troubleshooting PKI Time and Date Mismatch SCEP Enrollment Problems CRL Retrieval Problems Summary

Part V Adaptive Security Device Manager
  • Chapter 18 Introduction to ASDM: Setting Up ASDM Uploading ASDM Setting Up Cisco ASA Accessing ASDM Initial Setup Startup Wizard Functional Screens Configuration Screen Monitoring Screen Interface Management System Clock Configuration Management Remote System Management Telnet SSH SSL (ASDM) System Maintenance Software Installation File Management System Monitoring System Logging SNMP Summary
  • Chapter 19 Firewall Management Using ASDM: Access Control Lists Address Translation Routing Protocols RIP OSPF Multicast AAA Application Inspection Security Contexts Transparent Firewalls Failover QoS Summary
  • Chapter 20 IPS Management Using ASDM: Accessing the IPS Device Management Console from ASDM Configuring Basic AIP-SSM Settings Licensing Verifying Network Settings Adding Allowed Hosts Configuring NTP Adding Users Advanced IPS Configuration and Monitoring Using ASDM Disabling and Enabling Signatures Configuring Blocking Creating Custom Signatures Creating Event Action Filters Installing Signature Updates and Software Service Packs Configuring Auto-Update Summary
  • Chapter 21 VPN Management Using ASDM: Site-to-Site VPN Setup Using Preshared Keys Site-to-Site VPN Setup Using PKI Cisco Remote-Access IPSec VPN Setup WebVPN VPN Monitoring Summary
  • Chapter 22 Case Studies: Case Study 1: Deploying the Cisco ASA at Branch Offices and Small Businesses Branch Offices Small Business Partners Case Study 2: Large Enterprise Firewall, VPN, and IPS Deployment Internet Edge and DMZ Filtering Websites Remote Access VPN Cluster Application Inspection IPS Case Study 3: Data Center Security with Cisco ASA Summary

Index

Rating details

8 ratings, 3.62 out of 5 stars

  • 5 stars: 25% (2)
  • 4 stars: 25% (2)
  • 3 stars: 38% (3)
  • 2 stars: 12% (1)
  • 1 star: 0% (0)