SLTechnology News & Howtos > Network Security (updated 2025-01-17)
Shulou (Shulou.com) 06/01 Report
Principle of firewall
Principle and basic configuration of ASA
Firewall vendors (domestic: Hillstone (Shanshi), Topsec (Tianrongxin), Digital China (Shenzhou Shuma), Sangfor (Shenxin Fu), Huawei; foreign: Cisco ASA, Juniper, Palo Alto, Fortinet (Feita), McAfee)
Cisco product line: PIX, then ASA (v8.4), then the next-generation firewall (NGFW, Firepower)
ASA with FirePOWER Services
www.cisco.com
www.huawei.com
Firewall management:
Command line: telnet/ssh (prefer ssh; telnet sends credentials in clear text)
Web interface: http/https
ASA: ASDM (Adaptive Security Device Manager)
WSA: Web Security Appliance (web proxy/firewall)
ESA: Email Security Appliance (mail firewall)
NGFW: FMC (Firepower Management Center)
Future security market:
IoT (Internet of Things) and IoE (Internet of Everything)
Hardware and software firewalls
Software firewall: Cisco IOS (firewall features running on a router)
Hardware firewall: PIX, ASA, firewall service module for Catalyst switches (FWSM)
Interface names
Physical name: the hardware port, e.g. GigabitEthernet0/0
Logical name: assigned with nameif; names the security zone the interface belongs to (inside, outside, dmz)
GNS3 installation:
1. Follow the installer's steps to install the software.
2. Change the language, then restart the software.
3. Add a device: as above, select QEMU as the emulator.
Tip: the installation path should contain only English (ASCII) characters, and leave the QEMU parameters at their defaults.
Install the ASA image under GNS3. After it boots, delete the preconfigured startup configuration:
ciscoasa> enable
Password:
ciscoasa# write erase   (clears the preconfigured startup-config)
The initrd and kernel image files are as follows: (screenshot not reproduced)
A command window pops up at startup; do not close it, just minimize it.
After the ASA reboots, answer "no" to the interactive setup prompt ("Pre-configure Firewall now through interactive prompts [yes]?"). If you enter the setup dialog by accident, exit it with Ctrl+Z.
ASA firewall:
Function:
Isolates traffic between different parts of the network.
Principle:
Distinguishes zones (inside, outside, DMZ) by security level (0-100).
By default, traffic from a higher security level may flow to a lower one; the reverse is denied unless it is the return traffic of an existing connection or is explicitly permitted by an ACL. Interfaces at the same security level cannot communicate unless same-security-traffic permit inter-interface is configured.
Deployment:
At the network boundary, or inside the network wherever traffic needs to be isolated.
Classic deployment models:
ISP--FW--GW--core router--core switch
ISP--GW--(outside) FW (inside)--core router--core switch, with the DMZ (servers) on a third firewall interface
ISP--GW--(outside) FW--FW--core router--core switch, with the DMZ (servers) between the two firewalls
Configuration: firewall interfaces carry two kinds of names:
A) Physical name, e.g. GigabitEthernet0/0.
B) Logical name: describes the security zone the interface belongs to (inside, outside, dmz).
i. Without a logical name the interface cannot be used, even if an IP address is configured on it.
C) How to configure the logical name:
I. ASA# configure terminal
ii. ASA(config)# interface gigabitethernet 0/0   (for example)
iii. ASA(config-if)# nameif inside   (the security level defaults to 0, except that the name inside gets 100; set it explicitly with security-level)
iv. Configure the IP address: ip address x.x.x.x 255.255.255.0
v. Verify: show interface ip brief; show running-config interface gigabitethernet 0/0
vi. show route: view the routing table
vii. show conn: view the connection (conn) table
Tip: in a topology with a firewall, a plain ping across the ASA fails by default, because ICMP is not tracked statefully and the echo reply from the low-security side is dropped; test with telnet instead (the inside network can telnet to the outside network, but the outside network cannot telnet to the inside).
clear configure all: clears the entire running configuration (global configuration mode).
When the logical name is inside, the security level defaults to 100; for any other name it defaults to 0.
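The complete three-zone version of the interface configuration above, as an added example that is not part of the original article. The interface numbers and the addresses (RFC 1918 and RFC 5737 ranges) are assumptions chosen for illustration; adapt them to your topology.

```text
! Added example: inside(100) / dmz(50) / outside(0) baseline on an ASA.
ciscoasa# configure terminal
ciscoasa(config)# hostname ASA
ASA(config)# interface GigabitEthernet0/0
ASA(config-if)# nameif inside
! "inside" is the only name that defaults to 100; stating it keeps intent explicit.
ASA(config-if)# security-level 100
ASA(config-if)# ip address 192.168.1.1 255.255.255.0
ASA(config-if)# no shutdown
ASA(config-if)# interface GigabitEthernet0/1
ASA(config-if)# nameif outside
ASA(config-if)# security-level 0
ASA(config-if)# ip address 203.0.113.2 255.255.255.0
ASA(config-if)# no shutdown
ASA(config-if)# interface GigabitEthernet0/2
ASA(config-if)# nameif dmz
! "dmz" is not a special name: without the next line its level would default
! to 0, the same as outside, and dmz<->outside traffic would be blocked as
! same-level traffic while inside->dmz would still be allowed.
ASA(config-if)# security-level 50
ASA(config-if)# ip address 192.168.2.1 255.255.255.0
ASA(config-if)# no shutdown
ASA(config-if)# exit
! Default route toward the ISP gateway (assumed address).
ASA(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.1
ASA(config)# end
! Verification: each interface should show its nameif, level and address.
ASA# show interface ip brief
ASA# show nameif
ASA# show running-config interface GigabitEthernet0/2
ASA# show route
ASA# write memory
```

With this in place the default behaviour of the text applies: inside hosts can open TCP and UDP connections to dmz and outside, dmz hosts can reach outside, and nothing can initiate toward a higher level until an ACL permits it.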
Default forwarding direction of ASA traffic:
Outbound allowed: from a higher security level to a lower one
Inbound denied: from a lower security level to a higher one
How the ASA handles traffic internally (this is why ping does not work by default):
1. The ASA tracks TCP and UDP statefully; other protocols (ICMP included) are not tracked by default, so their return traffic has no state to match and is dropped.
2. Traffic arriving on a low-security interface destined for a high-security interface is dropped unless it matches an existing conn entry or a permitting ACL.
3. Traffic arriving on a high-security interface destined for a low-security interface:
A) is first matched against the ASA's local routing table (forwarded if a route matches, otherwise dropped);
B) then a forwarding entry is created in the ASA's core table, the conn table.
4. When return traffic arrives from the low-security side, the ASA looks it up in the conn table and forwards it only if an entry matches.
How the ASA works: it is a stateful firewall that maintains a connection table, the conn table, and filters traffic against it.
By default the ASA tracks TCP and UDP connections statefully; ICMP is stateless unless inspect icmp is enabled in the global inspection policy.
This is analogous to how NAT tracks translations.
Key information in the conn table (the five-tuple):
Source IP address
Destination IP address
IP protocol (TCP/UDP)
Source and destination port numbers
For TCP the ASA additionally tracks sequence numbers and control flags, so out-of-window or out-of-state segments are dropped.
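The policy side of the behaviour described above, as an added example that is not part of the original article: the weak default (ICMP not inspected, so ping fails) next to the corrected setting, plus the two other ways low-to-high or same-level traffic becomes allowed. It assumes the inside/dmz/outside zones from the configuration section and an assumed DMZ web server at 192.168.2.10; NAT is left out because the article does not cover it.

```text
! Added example: default traffic policy on an ASA and the changes that alter it.
!
! 1. Why ping fails by default. The default global policy inspects a fixed
!    list of protocols (dns, ftp, h323, ...) but not icmp, so an inside host's
!    echo request leaves through outside, while the echo reply arriving on
!    outside (low -> high) finds no conn entry and is dropped. Adding icmp to
!    the default inspection class makes echo request/reply pairs stateful.
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit
!
! 2. Low -> high traffic that is NOT return traffic needs an explicit ACL.
!    Permit only TCP/80 from outside to the DMZ web server (assumed address);
!    everything else from outside is still dropped by the implicit deny at
!    the end of the ACL, and still cannot reach inside(100) at all.
ASA(config)# access-list OUTSIDE_IN extended permit tcp any host 192.168.2.10 eq 80
ASA(config)# access-group OUTSIDE_IN in interface outside
!
! 3. Interfaces at the same security level cannot talk by default. Enable this
!    only when the design really needs it: it widens the trust boundary to
!    every pair of equal-level interfaces, not just the pair you have in mind.
ASA(config)# same-security-traffic permit inter-interface
ASA(config)# end
!
! Observe the state machine: open a connection from inside (telnet, http or,
! now that icmp is inspected, ping), then list the conn table. Each entry is
! the 5-tuple from the text plus idle time, byte count and TCP state flags.
ASA# show service-policy inspect icmp
ASA# show conn
ASA# show conn detail
ASA# show access-list OUTSIDE_IN
```

Check show access-list after a test from outside: the hit count on the permit line should rise for port 80 and stay at zero for anything else, which confirms that the ACL, not the conn table, is what admitted the new inbound connection.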
Configuration: