The ASA/PIX Security Appliance is a multifunctional device that includes the following:
These services make the Cisco ASA/PIX Security Appliance an excellent solution for defense-in-depth deployment in any network environment.

Authentication, Authorization, and Accounting

For simplicity within this book, you use the ASA/PIX Security Appliance local database to implement authentication. Because the local database is used, this type of username and password verification is called local authentication. Although not used in this book, the ASA/PIX Security Appliance is capable of an authentication method called authentication, authorization, and accounting (AAA). The security appliance, used in conjunction with the Cisco ACS, performs AAA. The ASA/PIX Security Appliance forwards username and password requests to the ACS server to be accepted or rejected. If a request is accepted by the authentication server, the user is granted the request. If a request is rejected, the user is denied access to the command or access to the device. Authentication is the process of confirming (before allowing access) usernames and passwords to ensure that the person who is logging on to a network device has the correct credentials. The common methods that the ASA/PIX Security Appliance supports for authentication are as follows:

Authorization is a method of controlling what users can do after they have been authenticated. Authorization can control specific events, including commands that are entered or services that are requested by a user. Accounting is reporting provided by the ACS server and tracks user logins to the ASA/PIX Security Appliance or other devices protected by the ACS server. Accounting records include fields such as the time a user logs on, the username and the IP address from which the user logged on, and the command a user executed (or attempted) while on a device. Two main protocols are used within AAA: RADIUS and TACACS+. Both protocols are excellent for simple username and password authentication. TACACS+ is the protocol of choice if you plan to use authorization. It enables an administrator to control, down to the command level, what a user can do when logged on to a device protected by an AAA server.

Perimeter Security

The perimeter of the ASA/PIX Security Appliance is the outside interface. The outside interface is the side of the security appliance that is connected to the Internet, and it is considered insecure because you have no control over traffic or events on the outside. The inside of the security appliance is the side connected to your network and is considered the secure interface. Perimeter security entails four main functions:
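The three AAA functions above, written out as the ASA CLI configuration that would point the appliance at a Cisco ACS server over TACACS+. This is an added example, not the book's own configuration (the book uses local authentication); the server group name ACS, the server address 10.1.1.5, the shared key and the admin account are assumed placeholder values, and the trailing LOCAL keyword keeps the local database as a fallback if the ACS server is unreachable.

```text
! TACACS+ server group named ACS (group name, address and key are
! assumed values for this example)
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.1.1.5
 key tacacs-shared-secret

! Authentication: SSH and enable logins are checked against ACS first;
! LOCAL means the local database is used only if ACS cannot be reached
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL

! Authorization: ACS decides, per command, what an authenticated user may run
aaa authorization command ACS LOCAL

! Accounting: every command executed at privilege level 15 is reported to ACS
aaa accounting command privilege 15 ACS

! Local fallback administrator account used only when ACS is unreachable
username admin password <assumed-password> privilege 15
```

Without the LOCAL fallback an unreachable ACS server locks every administrator out of the appliance, so keep it and protect the fallback account's password accordingly.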
NOTE You will deploy all of these perimeter defenses when you configure the ASA/PIX Security Appliance with ASDM.

Traffic Filtering

Traffic filtering on the ASA/PIX Security Appliance is done using access control lists.

NOTE ASDM combines access control lists and the associated interface and calls them access rules.

These lists are applied to the security appliance network interfaces and define what traffic is allowed to traverse the security appliance. By default, all traffic is allowed from the inside of the security appliance to all the other interfaces. The security appliance recognizes a flow originated by an inside host and lets the return traffic back through; this concept is sometimes referred to as stateful firewalling. If a new connection is attempted from the outside of your security appliance to the inside, however, two things must happen:
Denial-of-Service Mitigation

Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks were at one time the most popular and easiest attacks to launch on the Internet. DoS attacks overload a network to the point where it becomes unusable. Recently, the number of DoS attacks has subsided, partly because more effective technology now stops these attacks but also partly because hackers now consider DoS attacks poor form, done only by those who cannot do something more sophisticated. However, DoS attacks can still be crippling. The ASA/PIX Security Appliance mitigates various types of DoS attacks by deploying different technologies:

In general, these technologies use various techniques to recognize whether traffic is valid and silently drop invalid traffic to free up internal resources before the attack traffic can bring the network down. You use these techniques later in the step-by-step portion of this book.

Security Appliance Device Access Protection

If attackers obtain management access to your security appliance, they can do several things to weaken your protection:
Locking down your security appliance from attackers is a critical part of securing your network. You use ASDM to perform the following lockdown steps:
Limit Access to Network Devices

One of the fundamental and most valuable uses of a security appliance is to ensure that traffic sourced from the outside is allowed only to the devices that you've defined for public access. These services are defined on the ASA/PIX Security Appliance using a combination of functions called static network address translation (NAT) and access control. NAT defines a link between a device on the inside of your network and an Internet address that you advertise on the outside of your security appliance. You should use NAT in combination with an access list defining what traffic is allowed to this public address. Some services that you might want to advertise are as follows:

In Chapter 5, "Deploying Secure Internet Connectivity," you configure web and mail servers to be exposed on the Internet and filter appropriate traffic using access rules. Note that these devices with public addresses are the network assets that attackers will scan and attack. Generally, attacks launched from the outside can target only Internet-facing devices such as those described previously. However, after hackers have control of one of your public servers, they've established a presence on your network. Their next step is to try to exploit other nonpublic devices inside your network. It is considered best practice to place your public servers on an interface other than your inside interface. This ensures that if hackers compromise a public server, they are not yet on the inside of your network and still have a considerable amount of work to do to get there. These interfaces are often called demilitarized zone (DMZ) interfaces.

CAUTION If you are exposing resources such as web servers or mail servers from your network, you must not use a security appliance that has only two interfaces. If you do, you must put your public servers on the inside network, which in turn exposes your internal network to an unreasonably high risk of attack.
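The combination the two sections above describe, a DMZ interface, a static translation for each public server, and an access rule that admits only the advertised services, written out as ASA CLI. This is an added example, not the book's own ASDM walkthrough: it assumes the pre-8.3 static NAT syntax of the appliances the book covers, and the interface name, the 192.168.2.0/24 DMZ network, the 10.1.0.0/16 inside network and the 203.0.113.0/24 public addresses are placeholder values.

```text
! DMZ interface: security level below inside (100) and above outside (0)
! (interface name and addresses are assumed values for this example)
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0

! Static NAT: advertise the DMZ web and mail servers on public addresses
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.25 192.168.2.25 netmask 255.255.255.255

! Access rule applied inbound on outside: only the advertised services are
! permitted to the public addresses; everything else from the Internet is
! dropped by the implicit deny at the end of the list
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.10 eq https
access-list outside_in extended permit tcp any host 203.0.113.25 eq smtp
access-group outside_in in interface outside

! Access rule on the DMZ itself: a compromised public server may reach the
! Internet (for example to send mail) but not the inside network
access-list dmz_in extended deny ip any 10.1.0.0 255.255.0.0
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz
```

The second rule set is what turns the DMZ placement into a real barrier: without it, the permit ip any any line alone would let a compromised DMZ host open connections into the inside network.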