107 Cards in this Set
- Front
- Back
next-generation firewall (NGFW) |
Devices that deliver integrated threat defense across the entire attack continuum. They combine proven ASA firewalls with Sourcefire threat and advanced malware protection in a single device. |
|
choice of ASA model depends on an organization’s requirements |
throughput, maximum connections per second, and budget. |
|
ASA 5505 / Security Plus |
up to 150 Mbps |
|
ASA 5506-X / Security Plus |
750 Mbps |
|
ASA 5512-X / Security Plus |
1 Gbps |
|
ASA 5515-X |
1.2 Gbps |
|
ASA 5525-X |
2 Gbps |
|
ASA 5545-X |
3 Gbps |
|
ASA 5555-X |
4 Gbps |
|
ASA 5585-X SSP10 |
4 Gbps |
|
ASA 5585-X SSP20 |
10 Gbps |
|
ASA 5585-X SSP40 |
20 Gbps |
|
ASA 5585-X SSP60 |
40 Gbps |
|
ASA Service Module |
20 Gbps |
|
Cisco Adaptive Security Virtual Appliance (ASAv) |
Brings the power of ASA appliances to the virtual domain. It operates as a VM, using the server’s interfaces to process traffic, and does not support clustering or multiple contexts. |
|
Cisco ASAv5 |
This appliance requires up to 2 GB of memory and delivers up to 100 Mbps of throughput. |
|
Cisco ASAv10 |
This appliance requires up to 2 GB of memory and delivers up to 1 Gbps of throughput. |
|
Cisco ASAv30 |
This appliance requires up to 8 GB of memory and delivers up to 2 Gbps of throughput. |
|
ASA software combines |
firewall, VPN concentrator, and intrusion prevention functionality into one software image. |
|
ASA virtualization |
Each virtual device is called a security context. Each context is an independent device with its own security policy, interfaces, and administrators. |
|
features that are supported in multiple context modes, |
routing tables, firewall features, and IPS management. |
|
features that aren't supported in multiple context modes, |
VPN, dynamic routing protocols. |
|
High availability with failover |
Both platforms must be identical in software, licensing, memory, and interfaces, including the Security Services Module (SSM). |
|
Identity firewall |
Identity-based security policies can be interleaved without restriction between traditional IP address-based rules. These services enhance the existing access control and security policy mechanisms by allowing users, or groups, to be specified in place of source IP addresses. |
|
Threat control and containment services |
IPS capability is available using the Advanced Inspection and Prevention (AIP) modules. Antimalware capabilities can be deployed by the Content Security and Control (CSC) module. |
|
Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM) and Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC) |
Deliver protection against tens of thousands of known exploits. They also protect against millions of other unknown exploit variants using specialized IPS detection engines and thousands of signatures. |
|
Outside network |
Network/zone that is outside the protection of the firewall |
|
Inside network |
Network/zone that is protected and behind the firewall |
|
DMZ |
Demilitarized zone that allows both inside and outside users access to protected network resources |
|
Cisco ISRs can provide firewall features by using either |
Zone-Based Policy Firewall (ZPF) or the context-based access control (CBAC) feature. |
|
Security levels enable the ASA to implement security policies. |
Inside users can access outside networks based on certain addresses, by requiring authentication or authorization, or by coordinating with an external URL filtering server. |
|
two firewall modes of operation available on ASA devices |
Routed Mode and Transparent Mode |
|
Routed Mode |
Two or more interfaces separate Layer 3 networks; the ASA is considered to be a router hop in the network and can perform NAT between connected networks. Multiple interfaces are supported; each interface is on a different subnet and requires an IP address on that subnet. The ASA applies policy to flows as they transit the firewall. |
|
Transparent Mode |
Often referred to as a “bump in the wire” or a “stealth firewall” because the ASA functions like a Layer 2 device and is not considered a router hop. Useful to simplify a network configuration, or when the existing IP addressing cannot be altered. No support for dynamic routing protocols, VPNs, QoS, or DHCP Relay. |
|
Most ASA appliances come pre-installed with either a |
Base license or Security Plus license. |
|
How many permanent license keys can be installed? |
1; after it is installed, it is referred to as a running license |
|
ASA 5505 |
Default DRAM memory is 256 MB (upgradable to 512 MB); default internal flash memory is 128 MB |
|
ASA 5505 failover configuration |
must be identical models with the same hardware configuration, the same number and types of interfaces, and the same amount of RAM. |
|
ASA 5505 status led |
Flashing green = booting and power-up tests are running; solid green = system tests passed and system operational; solid amber = system tests have failed |
|
ASA 5505 active led |
Green = Cisco ASA is active. |
|
ASA 5505 VPN led |
Solid green = one or more VPN tunnels are active. |
|
ASA 5505 SSC led |
Solid green = SSC card is present in the SSC slot. |
|
ASA 5505 Speed and link activity leds |
Solid green speed indicator LED = 100 Mb/s; speed indicator LED off = 10 Mb/s; link activity indicator LED on = network link is established; link activity indicator LED blinking = network activity |
|
security level numbers range |
(untrustworthy) to 100 (very trustworthy). |
|
Each operational interface must have |
name, security level |
|
When traffic moves from an interface with a higher security level to an interface with a lower security level, it is considered |
outbound traffic |
|
traffic moving from an interface with a lower security level to an interface with a higher security level is considered |
inbound traffic |
|
Network access |
If communication is enabled for interfaces with the same security level, there is an implicit permit for traffic between the interfaces. |
|
Inspection Engine |
When interfaces have the same security level, the ASA inspects traffic in either direction. |
|
Application Filtering |
HTTP(S) and FTP filtering applies only for outbound connections, from a higher level to a lower level. Same security level can be filtered both ways. |
|
Outgoing traffic is ___________ by default |
allowed |
|
Incoming traffic is ____________ by default |
denied |
|
Return traffic, originating on the inside network and returning via the outside interface, would be |
allowed |
|
ASA 5505 is commonly used as an edge security device. |
It can be deployed to interconnect and protect several workstations, network printers, and IP phones. |
|
ASA can be configured using these three methods |
Manually using the CLI; interactively using the CLI setup initialization wizard; using the ASDM startup wizard |
|
To change the master passphrase, |
config-key password-encryption |
|
Logical VLAN interfaces |
These interfaces are configured with the Layer 3 information, including a name, security level, and IP address. |
|
Physical switch ports |
These are Layer 2 switch ports which are assigned to the logical VLAN interfaces. |
|
An SVI requires |
a name, an interface security level, and an IP address. |
|
An ASA 5505 with a Base license does not allow ________ fully functioning VLAN interfaces to be created. |
three |
|
a third “limited” VLAN interface can be created if it is first configured with the _____________ command. |
no forward interface vlan |
|
The no forward interface vlan number command must be entered before the nameif command is entered on the third interface. |
The number argument specifies the VLAN ID to which this VLAN interface cannot initiate traffic. |
|
The IP address of an interface can be configured using one of the following options: |
Manually, DHCP, PPPoE |
|
An SVI requires a |
name, interface security level, IP address. |
|
show dhcpd state |
Displays the current DHCP state for inside and outside interfaces. |
|
show dhcpd binding |
Displays the current DHCP bindings of inside users. |
|
show dhcpd statistics |
Displays the current DHCP statistics. |
|
Network object |
Contains a single IP address and subnet mask. |
|
Network objects can be of three types: |
host, subnet, range |
|
Service object |
Contains a protocol and optional source and/or destination port. |
|
To erase all network objects, use |
clear config object network |
|
To erase all service objects, use |
clear config object service |
|
The following guidelines and limitations apply to object groups: |
Objects and object groups share the same name space. Object groups must have unique names. An object group cannot be removed or emptied if it is used in a command. The ASA does not support IPv6 nested object groups. |
|
Object Group Network |
A network-based object group specifies a list of IP host, subnet, or network addresses. |
|
Object group Service |
A service-based object group is used to group TCP, UDP, or TCP and UDP ports into an object. |
|
Object Group security |
used in features that support Cisco TrustSec by including the group in an extended ACL, which in turn can be used in an access rule. |
|
Object Group ICMP-Type |
groups the necessary types required to meet an organization’s security needs, such as to create an object group called ECHO to group echo and echo-reply. |
|
A ____________ cannot be used to implement NAT. A __________ is required to implement NAT. |
network object group; network object |
|
ASA ACLs differ from IOS ACLs in that they |
use a network mask and are named instead of numbered. |
|
Through-traffic filtering |
Traffic that is passing through the security appliance from one interface to another interface. |
|
To-the-box-traffic filtering |
Also known as a management access rule, to-the-box-traffic filtering applies to traffic that terminates on the ASA. Introduced in version 8.0 to filter traffic destined for the control plane of the ASA. |
|
To allow connectivity between interfaces with the same security levels, |
cmd same-security-traffic permit inter-interface |
|
To enable traffic to enter and exit the same interface, such as when encrypted traffic enters an interface and is then routed out the same interface unencrypted |
cmd same-security-traffic permit intra-interface |
|
Standard access list |
ASA standard ACLs are used to identify the destination IP addresses. They are typically only used for OSPF routes and can be used in a route map for OSPF redistribution. |
|
EtherType access list |
An EtherType ACL can be configured only if the security appliance is running in transparent mode. |
|
Webtype access list |
Used in a configuration that supports filtering for clientless SSL VPN. |
|
IPv6 access list |
Used to determine which IPv6 traffic to block and which traffic to forward at router interfaces. |
|
Use the _________________ privileged EXEC command to display the syntax for all of the ACLs supported on an ASA platform. |
help access-list |
|
Dynamic NAT |
This is a many-to-many translation. |
|
Dynamic PAT |
This is a many-to-one translation. This is also known as NAT overload. cmd nat (inside,outside) dynamic interface |
|
Static NAT |
This is a one-to-one translation. Usually an outside address mapping to an internal server. |
|
Policy NAT |
Policy-based NAT is based on a set of rules. |
|
Outside NAT |
This method is used when traffic from a lower-security interface that is destined for a host on the higher-security interface must be translated. |
|
Inside NAT |
The typical NAT deployment method: a host on a higher-security interface has traffic destined for a lower-security interface, and the ASA translates the internal host address into a global address. The ASA restores the original inside IP address for return traffic. |
|
Bidirectional NAT |
Indicates that both inside NAT and outside NAT are used together. |
|
Twice-NAT |
Identifies both the source and destination address in a single rule (nat command). Twice-NAT is used when configuring remote-access IPsec and SSL VPNs. |
|
To configure network object dynamic NAT, two network objects are required: |
A network object identifying the pool of public IP addresses into which internal addresses are translated. The second network object identifies the internal addresses to be translated and then binds the two objects together. |
|
Modular Policy Framework (MPF) configuration |
defines a set of rules for applying firewall features, such as traffic inspection and QoS, to the traffic that traverses the ASA. |
|
Class maps |
Configured to identify Layer 3/4 traffic. |
|
The maximum number of policy maps is |
64 |
|
The configuration includes a default Layer 3/4 policy map that the ASA uses in the default global policy. It is called |
global_policy and performs an inspection on the default inspection traffic. |
|
There can only be ______ global policy. |
one |
|
three most common commands available in policy map configuration mode: |
set connection - Sets connection values. inspect - Provides protocol inspection services. police - Sets rate limits for traffic in this class. |
|
To activate a policy map globally on all interfaces or on a targeted interface, use the ____________ command. |
service-policy policy-map-name [ global | interface intf ] |
|
To alter the global policy, an administrator needs to |
either edit the default policy or disable the default policy and apply a new policy. |
|
Use the _______________ command in global configuration mode to remove all service policies. |
clear configure service-policy |
|
The ________________ command clears the service policy statistics. |
clear service-policy |