Part 3 of 3 in the Cisco CCNA Security (640-554) series will teach you how to identify, lock down, and secure vulnerabilities in a small to medium enterprise branch network. This course will also help you enhance your skills in developing security infrastructure and in recognizing and mitigating security threats. This course is ideal for network administrators or aspiring network administrators who wish to build a stronger foundation in advanced security concepts.
Joe is a seasoned Cisco professional with over 15 years of experience supporting Fortune 500 companies in deploying routing, switching, unified communications, security, and data center technologies.
Section Introduction Transcripts
Firewall Fundamentals

Becoming a certified and experienced security engineer, particularly in the Cisco world, requires you to actually have knowledge and experience across an entire host of disciplines within the security subject. One of the things we want to do is move from more of a general type of outlook, as we have so far, talking about access lists and routing protocols and security features on routers and switches, specifically into the broader concept now of talking about firewalls. We're actually going to spend several lessons on firewalls because of their critical importance to the overall perimeter security of an enterprise network. We actually want to start by talking about the basics, the fundamentals of what firewalls are, what they do, and how they function.
Cisco ASA 5500 Firewalls

The second basic type of firewall in the Cisco suite of security products is the ASA 5500, which is the successor to the original PIX, Private Internet Exchange, that dominated the landscape for a number of years. It operates quite a bit in contrast to the Cisco IOS-based firewall, and really is the going-forward platform for protecting the interior of a network. Let's take a little bit of a closer look at all of what's involved in the ASA 5500 platform. First, we want to understand and have an appreciation for the type of features and functionality that come with the ASA 5500. We've talked about general principles and features in firewalls, but here let's drill down into specifics.

Now, as you would expect, a firewall is essentially a packet filter, and so the ASA does do packet filtering with security rules that are configured in the platform itself. Obviously this is using the old familiar permit and deny statements in terms of the rules, and it involves access-lists on the ASA. They are named only, there are no numbered access-lists, but you do have the option of standard and extended access-lists.

Now a word about masks. In Cisco routers, you actually have a great deal of exposure, as far as access-lists are concerned, to wildcard masks, which are mathematical inverses of subnet masks. On the ASA, when you're using the command line especially, you're going to be using standard network masks, not wildcard masks, so let the cheering begin.

Another important feature of Cisco ASA firewalls, and we've talked about it at length, is stateful inspection and filtering. Again, you have the traditional permit and deny statements, but you also have the state table, so it understands the state of the connections that are returning back into the firewall, and we talked a lot about this in Basic Firewalls and IOS-Based Firewalls. You have stateful filtering, this is where you're doing traffic inspection, you're building dynamic entries for permitting return traffic, and then of course you have the state table which drives all of these different things.
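The three points the transcript makes about ASA access-lists (named only, standard network masks rather than wildcard masks, and return traffic handled by the state table instead of by an explicit rule) are easiest to see side by side with the equivalent IOS router configuration. The following is an added example and is not configuration from the course or from Cisco's documentation. The addresses are constructed from the RFC 5737 documentation ranges, the router interface name and the ASA interface names `inside` and `outside` (assumed to be already assigned with `nameif`) are hypothetical, and the `!` lines are annotations.

```cisco
! ===== Cisco IOS router: wildcard masks, stateless ACLs =====
! Wildcard mask 0.0.0.255 is the bitwise inverse of subnet mask 255.255.255.0
ip access-list extended INSIDE_OUT
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any
!
! Without a stateful firewall feature, a plain router ACL needs an
! explicit rule to let replies to inside-initiated TCP sessions back in
! ("established" matches packets with ACK or RST set).
ip access-list extended OUTSIDE_IN
 permit tcp any 192.0.2.0 0.0.0.255 established
 permit tcp any host 203.0.113.10 eq 443
 deny   ip any any
!
interface GigabitEthernet0/0
 description outside (hypothetical)
 ip access-group OUTSIDE_IN in
 ip access-group INSIDE_OUT out

! ===== Cisco ASA: named ACLs only, standard network masks, stateful =====
! Standard ACL: source addresses only. On the ASA these are used for things
! like route maps and VPN split tunneling, not for interface filtering.
access-list LOCAL_NETS standard permit 192.0.2.0 255.255.255.0
!
! Extended ACLs with the same filtering intent as the router above.
! Note 255.255.255.0, not 0.0.0.255, and no "established" rule: the
! state table creates the dynamic entry that permits return traffic.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-list INSIDE_OUT extended permit ip 192.0.2.0 255.255.255.0 any
access-list INSIDE_OUT extended deny ip any any
!
! ASA ACLs are applied per interface and direction with access-group
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
!
! Checks: per-entry hit counts, and the state table entries that allow
! the return traffic the ACL never mentions
show access-list OUTSIDE_IN
show conn
```

Two practical caveats when moving rules from a router to an ASA: the ASA parses the mask field as a subnet mask, so an IOS-style `0.0.0.255` pasted from a router ACL will not be read as a wildcard and will not match what you intended; and because the ASA permits return traffic from its state table, carrying an `established`-style rule over from the router only widens the inbound policy for nothing. `show conn` is the quickest way to confirm that a given reply is being allowed by a state-table entry rather than by an ACL line.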