Feb 08,2010 by alperen
 You can have PIX Firewall system messages sent to the
defined SNMP management unit instead of, or in addition to, a Syslog server. Use
the configuration mode logging history
command to set the message level. This command is the SNMP ... [full story]
|
Feb 08,2010 by alperen
 Use the show snmp-server command to
display the current SNMP configuration:
Pix(config)# show snmp-server
snmp-server host inside 192.168.1.3
snmp-server host dmz 192.168.2.3
snmp-server location Building 19-67B
snmp-server contact Network Security
snmp-server community MySNMP
snmp-server enable traps
Pix(config)#
The clear snmp-server command ... [full story]
|
Feb 08,2010 by alperen
 Use the configuration mode snmp-server enable
traps command to enable or disable sending log messages as SNMP trap
notifications. Use the no form of the command to turn off the feature. The
syntax is
Pix(config)# snmp-server enable traps
Pix(config)# no snmp-server ... [full story]
|
Feb 08,2010 by alperen
 The SNMP community string is a shared “secret” between the
SNMP management station and the SNMP network agents being managed. This is
called a community key because it can be used to define a
data-exchanging group of agent and management ... [full story]
|
Feb 08,2010 by alperen
 Use the configuration mode snmp-server host
command to define the interface and the IP address of the SNMP management
station(s) to which traps will be sent and/or from which the SNMP polls
(requests) will be accepted. By default, both the ... [full story]
|
Feb 08,2010 by alperen
 You can use the configuration mode snmp-server
{contact | location} command to identify the PIX Firewall system
administrator and the unit location. Each item can be up to 127 characters and
is case sensitive. Spaces are allowed, but multiple spaces ... [full story]
|
Feb 08,2010 by alperen
 The PIX Firewall, like its router and switch cousins, is
considered an SNMP agent or SNMP server that collects data in MIB form. The
management station is often a UNIX or Windows network host running the SNMP
program that receives ... [full story]
|
Feb 08,2010 by alperen
 Simple Network Management Protocol (SNMP) is an Internet standard
application-layer protocol developed to exchange management data between network
devices. SNMP-compliant devices, called agents, collect
data about themselves and store that data in Management Information Bases
(MIBs). These MIBs are sent ... [full story]
|
Feb 08,2010 by alperen
 The shun command enables a dynamic
response to an attacking host by dropping any defined connections and preventing
new connections. An administrator or a Cisco Secure IDS device can instruct the
PIX Firewall to shun the source of traffic when ... [full story]
|
Feb 08,2010 by alperen
 Intrusion Detection
The Cisco Secure PIX Firewall, like the Cisco Secure IOS
Firewall covered in Chapter 7, added intrusion-detection technology to extend the
Cisco Secure IDS technology. IDS sensor incorporation into the firewall is ideal
for locations requiring additional security between ... [full story]
|
Feb 08,2010 by alperen
 Attack Guards
The PIX Firewall offers a family of features to defend the
device and protected networks from attack. The PIX application-inspection
capabilities and IDS features work together to provide services similar to those
covered in Chapters
6 (IDS) and 7 ... [full story]
|
Feb 06,2010 by alperen
 This section looks at PIX Firewall support for secure use of
the following additional important protocols and applications.
Configurable Proxy Ping (ICMP)
The configurable proxy pinging feature, covered in Chapter 18, allows
controlling ICMP access to the PIX Firewall interfaces. While ICMP ... [full story]
|
Feb 06,2010 by alperen
 The next three topics—FTP, SMTP, and VoIP—are included as
examples of the application-inspection features and fixup
commands. The Cisco site has more details and examples for any of the other
supported protocols or applications.
FTP
The default application inspection for FTP sessions ... [full story]
|
Feb 06,2010 by alperen
 Some fixup protocols support multiple applications, while
other applications benefit from application inspection without having a fixup
protocol for configuration options. Features provided often include extending
NAT capabilities to IP addresses embedded within the data payload, including
adjusting related checksum ... [full story]
|
Feb 06,2010 by alperen
 Application inspection is frequently referred to as fixup because the fixup protocol command
can be used to configure the application inspection for many of the supported
protocols. Note that some other supported protocols have no configuration options.
The show fixup command ... [full story]
|
Feb 06,2010 by alperen
 The PIX Firewall ASA performs stateful application
inspection to provide secure use of external applications and services. In some
cases, this involves monitoring for and defending against threatening traffic
patterns or activity. In other cases, application inspection is used to ... [full story]
|
Feb 06,2010 by alperen
 The PIX Firewall offers a number of advanced features to
support the many protocols available on the Internet, while maintaining a safe
internal environment. Some of these features are configurable using skills
already covered or by using the fixup protocol ... [full story]
|
Feb 06,2010 by alperen
 Firewall Privilege Levels
Use the configuration mode privilege command to set user-defined privilege levels for
specified PIX Firewall commands. This command is modeled after the Cisco IOS
privilege command feature. The structure of this command makes it easy to set
different ... [full story]
|
Feb 06,2010 by alperen
 Beginning with PIX Firewall software v6.2, the PIX Firewall
devices support command-level authorization. This provides user-defined command
privilege levels (0 to 15) for PIX Firewall CLI commands, similar to the
privilege levels supported on Cisco routers (Chapter 2) and switches. ... [full story]
|
Feb 06,2010 by alperen
 After designating at least one authentication server with
the aaa-server command, it’s time to define the AAA services
to be used by the PIX Firewall. The help aaa command displays
the syntax and use for the aaa authentication, aaa authorization, ... [full story]
|
Feb 06,2010 by alperen
 PIX Firewall software v6.2 introduced the local user authentication
database, common in router configurations, to the PIX
Firewall family. Like its router relatives, the local PIX Firewall user
authentication database consists of the users entered with the ... [full story]
|
Feb 06,2010 by alperen
 Use the configuration mode aaa-server commands to specify AAA server groups. AAA server
groups are defined by a tag name. If the first authentication server defined in
the group fails, AAA fails over to the next server in the tag ... [full story]
|
Feb 06,2010 by alperen
 The PIX Firewall serial console port allows a single
administrator to configure the unit, but it requires close proximity to the
device. This close proximity requirement, or limiting access to a single
administrator, can severely limit the flexibility on an ... [full story]
|
Feb 06,2010 by alperen
 Chapter 20: Advanced PIX Firewall Features
Overview
In this chapter, you will learn how to:
Work with remote access using Telnet, HTTP, and SSH features
Use authentication, authorization, and accounting
Apply advanced protocol handling
Understand attack guards
Recognize intrusion detection
Use shunning
Manage SNMP services
Many of the advanced ... [full story]
|
Feb 06,2010 by alperen
 Chapter Review Questions
1. Return traffic from an internal user going out on the
Internet requires which of the following?
Static address translation
Enabling access control entry
Authenticated access
None of the above
2. In assigning a security level to a DMZ interface, which
would be the ... [full story]
|
Feb 06,2010 by alperen
 This chapter looked at some of those features and commands
required to allow data to pass efficiently through the firewall. The Adaptive
Security Algorithm (ASA) was addressed to understand better how the PIX Firewall
determines which traffic patterns to allow ... [full story]
|
Feb 06,2010 by alperen
 Routing represents a multifaceted problem for the PIX Firewall.
First, the PIX Firewall is an inline security filter, not a router, and
therefore uses static routes to direct traffic out of the interfaces. This
nonrouter strategy is reinforced because the ... [full story]
|
Feb 04,2010 by alperen
 Conduit Statements
The conduit command can be used to create
an exception to the PIX Firewall ASA that prevents traffic originating on a
lower-security-level interface from passing to higher-level areas. The
most obvious example would be allowing outside ... [full story]
|
Feb 04,2010 by alperen
 Object Grouping
The concept of grouping or forming groups isn’t new to
network or even human interaction. Groups can be given special privileges or
restrictions, and those privileges or restrictions then apply to all members of
the group. In the networking ... [full story]
|
Feb 04,2010 by alperen
 Content Filtering
Content filtering features allow administrators to block certain
types of web-related features or content that may be deemed a threat to the
network or inappropriate to the workplace. For example, ActiveX objects and Java
applets can represent security ... [full story]
|