A firewall controls incoming and outgoing network traffic by analyzing data packets and determining whether to allow or block them based on security rules. It establishes a barrier between internal trusted networks and external untrusted networks like the Internet. Stateful inspection firewalls check layer 3 and 4 information in IP packets and store it in a state table to compare against for all traffic flows. The Cisco ASA evolved from the PIX firewall and is an adaptive security appliance that provides firewall, VPN, and network security functions through a variety of appliance models and software versions.
1. What is a FIREWALL?
• A firewall is a software or hardware-based network security system that controls the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a rule set.
• A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is not assumed to be secure and trusted.
2. STATEFUL INSPECTION
Introduced in 1994 by Gil Shwed in the FireWall-1 product; it changed the way traffic inspection occurs.
Checks Layer 3/Layer 4 information within an IP packet and stores the information in a separate table referred to as the “STATE TABLE” of the firewall.
All traffic flows through the firewall are compared/inspected against “STATE TABLE” entries.
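Added example, not from the slides: a toy stateful filter in Python that keeps a state table keyed on the Layer 3/4 five-tuple, so that return traffic matches the entry created by the inside-initiated flow, an unsolicited packet from outside finds no entry and is denied, and tearing the entry down denies further replies. The interface names "inside"/"outside", the packet values and the verdict strings are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    # Only the Layer 3/4 fields a stateful filter compares; the payload is not examined.
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int
    ingress: str    # interface the packet arrived on: "inside" or "outside" (assumed names)

class StatefulFirewall:
    def __init__(self):
        self.state_table = {}  # five-tuple -> interface that initiated the flow

    @staticmethod
    def _key(p):
        return (p.src_ip, p.dst_ip, p.proto, p.src_port, p.dst_port)

    @staticmethod
    def _reverse_key(p):
        return (p.dst_ip, p.src_ip, p.proto, p.dst_port, p.src_port)
    def process(self, p):
        """Compare the packet against the state table and return a verdict string."""
        if self._key(p) in self.state_table:
            return "allow: existing flow"
        if self._reverse_key(p) in self.state_table:
            return "allow: return traffic for existing flow"
        if p.ingress == "inside":
            self.state_table[self._key(p)] = p.ingress  # only inside-initiated flows create state
            return "allow: new outbound flow, state created"
        return "deny: no state table entry"

    def close(self, p):
        """Remove the flow's entry, as a real firewall does on TCP FIN/RST or idle timeout."""
        self.state_table.pop(self._key(p), None)
        self.state_table.pop(self._reverse_key(p), None)

def run_demo():
    """Constructed packet sequence; returns the list of verdicts in order."""
    fw = StatefulFirewall()
    out = Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 443, "inside")
    back = Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 40000, "outside")
    probe = Packet("198.51.100.7", "10.0.0.5", "tcp", 5555, 22, "outside")
    verdicts = [fw.process(out), fw.process(back), fw.process(probe), fw.process(out)]
    fw.close(out)
    verdicts.append(fw.process(back))  # entry gone, so the reply is no longer matched
    return verdicts
```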
4. History of Cisco’s ASA
Private Internet eXchange (PIX) was developed in 1994 and was renamed the ASA (Adaptive Security Appliance) when Cisco acquired it in 2005; Cisco declared the PIX EoL in 2008.
The disadvantages of the PIX were that a VPN could not be terminated on a PIX and external modules could not be added. It needed to rely on a separate external device called a Concentrator, which has also reached its End of Life. PIX version 8.0 supports VPN termination without concentrators.
The PIX ran a proprietary OS called Finesse OS (Fast InterNEt Server Executive).
The ASA runs OS versions 8.0/8.2/8.3/8.4/8.5/8.6/8.7/9.0/9.1 etc. It runs the Adaptive Security Algorithm and is named after it.
14. The ASA 5510, 5520, and 5540 chassis have one SSM slot that can be populated with one of the following:
1. Four-port Gigabit Ethernet SSM: This module adds four additional physical firewall interfaces, as either 10/100/1000 RJ45 or small form-factor pluggable (SFP) based ports.
2. Advanced Inspection and Prevention (AIP) SSM: This module adds inline network IPS capabilities to the ASA's security suite.
3. Content Security and Control (CSC) SSM: This module adds comprehensive content control and antivirus services to the ASA's security suite.
15. AIP SSM
Advanced Inspection and Prevention security service module (for the IPS feature).
Provides protection against viruses, spyware, spam and other unwanted traffic by scanning the FTP, HTTP and SMTP packets.
16. CSC SSM
Content Security and Control security service module (for the content security feature).
Inspection for HTTP and SMTP viruses and worms using Trend Micro based software.
Provides Anti-X features.
19. ASA OS Versions:
Older versions: 7.0, 7.1, 7.2, 8.0, 8.1, 8.2
Newer versions: 8.3, 8.4, 8.5, 8.6, 8.7, 9.0, 9.1, 9.2
21. A license key, which is partly based on the serial number of the appliance, is used to unlock features of the operating system. Since the serial number of the appliance is used for the license key, you cannot take a key from one appliance and use it on a different appliance. License keys can be used to unlock the following features on some of the appliances:
■ Number of connections allowed in the state table
■ Number of interfaces that can be used
■ Amount of RAM that can be used
■ Encryption algorithms that can be used: DES, 3DES, and/or AES
■ Number of IPSec/L2TP VPN sessions supported
■ Number of SSL VPN sessions supported
■ Number of users that the appliance supports
■ Number of VLANs that can be used
■ Whether failover is supported
■ Number of contexts supported