Network Security 2
Module 8 – PIX Security Appliance Contexts, Failover, and Management
Learning Objectives
8.1 Configure a PIX Security Appliance to Perform in Multiple Context Mode
8.2 Configure PIX Security Appliance Failover
8.3 Configure Transparent Firewall Mode
8.4 PIX Security Appliance Management

8.1 Configure a PIX Security Appliance to Perform in Multiple Context Mode

Security Contexts
Common Uses for Security Contexts
Multiple Contexts Example
Context Configuration Files
Packet Classification
Backing up the Single Mode Configuration
Admin Context
Enabling Multiple Context Mode
Adding a Context
Removing a Context
Changing the Admin Context
Changing Between Contexts
Viewing Context Information

8.2 Configure PIX Security Appliance Failover

Hardware Failover
Hardware and Stateful Failover
Failover Requirements
Types of Failover Cabling
Serial Cable – Active/Standby Failover

LAN-Based Failover
• Provides long-distance failover functionality
• Uses an Ethernet cable rather than the serial failover cable
• Requires a dedicated LAN interface, but the same interface can be used for stateful failover
• Requires a dedicated switch, hub, or VLAN
• Uses message encryption and authentication to secure failover transmissions
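The LAN-based failover properties listed above correspond to a PIX 7.x primary-unit configuration like the one below. This is an added example, not a slide from the module; the interface name (Ethernet2), the failover link addresses (10.0.0.1/10.0.0.2) and the shared key (FO-SHARED-KEY) are placeholders.

```cisco
! Added example (not from the course slides): primary unit, LAN-based failover
! with stateful failover carried on the same dedicated interface.
! Placeholders: Ethernet2, 10.0.0.1/10.0.0.2, FO-SHARED-KEY.
! The secondary unit uses the same lines except "failover lan unit secondary".
hostname pix-primary
failover lan unit primary
! Dedicated failover interface on Ethernet instead of the serial failover cable;
! it must sit on its own switch, hub, or VLAN
failover lan interface folink Ethernet2
! Shared key used to authenticate and encrypt failover messages on the LAN link
failover key FO-SHARED-KEY
! Addresses of the failover link; the standby unit takes the standby address
failover interface ip folink 10.0.0.1 255.255.255.0 standby 10.0.0.2
! Reuse the same interface for stateful failover (state-table replication)
failover link folink Ethernet2
! Unit hello interval, matching the 15-second exchange described in this module
failover polltime unit 15
! Enable failover once both units are cabled and configured
failover
```

Verify with `show failover` on either unit; the primary should report Active and the secondary Standby Ready.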
Active/Active Failover

Failover Tests
Hello packets are exchanged every 15 seconds.
When a failure occurs, the PIX performs the following tests:
• Link Up/Down
• Network activity
• ARP
• Broadcast ping

Failover Configuration
• Attach a network cable for each interface
• Connect the failover cable
• Configure the failover parameters
• Power on the secondary PIX
8.3 Configure Transparent Firewall Mode

Transparent Versus Routed Firewall

Transparent Firewall Benefits
Easily integrated and maintained in an existing network:
• IP readdressing is not necessary.
• No NAT to configure.
• No IP routing to troubleshoot.

Transparent Firewall Guidelines
• Layer 3 traffic must be explicitly permitted.
• Each directly connected network must be on the same subnet.
• A management IP address is required for each context, even if you do not intend to use Telnet to the context.
• The management IP address must be on the same subnet as the connected network.
• Do not specify the PIX management IP address as the default gateway for connected devices.
• Devices need to specify the router on the other side of the PIX as the default gateway.
• Each interface must be a different VLAN interface.

Unsupported Features
The following features are not supported in transparent firewall mode:
• NAT
• Dynamic routing protocols
• IPv6
• DHCP relay
• Quality of Service
• Multicast
• VPN termination for through traffic

View the Current Firewall Mode
Enable Transparent Firewall Mode
Assigning the Management IP Address
Configure ACLs
Ethertype ACLs
ARP Inspection
MAC Address Table
Disable MAC Address Learning
Adding a Static MAC Address
Viewing the MAC Address Table
debug Commands
8.4 PIX Security Appliance Management

Configure Telnet Access
The default timeout is 5 minutes.

SSH Connections to the PIX
SSH connections to the PIX Security Appliance:
• Provide secure remote access.
• Provide strong authentication and encryption.
• Require RSA key pairs for the PIX.
• Require AES or 3DES activation keys.
• Allow up to five SSH clients to simultaneously access the PIX console.
• Use the Telnet password for local authentication.

SSH Connections

Command Authorization Overview
The purpose of command authorization is to securely and efficiently administer the PIX Security Appliance. It has the following types:
• Enable-level command authorization with passwords
• Command authorization using the local user database
• Command authorization using ACS

Create and Password Protect Privilege Levels
Configuring Command Authorization
Viewing Command Authorization Configuration
Lockout
Password Recovery ASA
Viewing Directory Contents
Viewing File Contents
Directory Management
Copying Files
Installing Software
File Backup
Viewing Version Information
Image Upgrade
Entering a New Activation Key

Upgrading the Image and Activation Key
Complete the following steps to upgrade the image and the activation key at the same time:
• Step 1: Install the new image.
• Step 2: Reboot the system.
• Step 3: Update the activation key.
• Step 4: Reboot the system.

Troubleshooting the Activation Key Upgrade