SNAF - Securing Networks with ASA Fundamentals |
|
|---|---|
| Course Code: | SNAF |
| Course Duration: | 5 days |
| Course Price: | 4000.00 |
| Availability: | |
This five-day instructor-led lab-intensive course takes a task-oriented approach to provide students with the knowledge and skills to configure, operate and manage the Cisco Adaptive Security Appliance (ASA) product family.
This courses teaches students how to use Cisco ASA and PIX Security Appliance software to protect network systems from intrusions and security threats. This course provides students with a practical understanding of configurations performed via Adaptive Security Device Manager (ASDM) rather than previous versions of the CLI.
After completing this course participants can register to sit the (SNAF) 642-524 exam.
* Functions of the three types of firewalls used to secure today's computer networks
* Technology and features of Cisco security appliances
* How Cisco ASAs and Cisco PIX Security Appliances protect network devices from attacks and why each is an appropriate choice
* Bootstrap the security appliance, prepare the security appliance for configuration via the Cisco Adaptive Security Device Manager (ASDM), and launch and navigate ASDM
* Perform essential security appliance configuration using ASDM and the CLI
* Configure dynamic and static address translations using ASDM
* Configure switching and routing using ASDM
* Use ASDM to configure ACLs, filter malicious active codes, and filter URLs that meet the requirements of the security policy
* Troubleshoot with the packet tracer
* Use ASDM to configure object groups that meet the requirements of the security policy
* Use ASDM to configure AAA to meet the requirements of the security policy
* Configure a modular policy that supports the security policy using ASDM
* Use ASDM to configure protocol inspection to meet security policy requirements
* Configure threat detection to meet security policy requirements using ASDM and the CLI
* Using ASDM, configure the security appliance to support a site-to-site VPN that meets policy requirements
* Using ASDM, configure the security appliance to provide secure connectivity using remote access VPNs
* Configure the security appliance to run in transparent firewall mode
* Enable, configure, and manage multiple contexts to meet security policy requirements
* Select and configure the type of failover that best suits the network topology
* Monitor and manage an installed security appliance
1. Introduction
* Functions of the three types of firewalls that are used to secure modern computer networks
* Technology and features of Cisco security appliances
2. Cisco Adaptive Security Appliance and PIX Security Appliance Families
* Cisco ASA models
* Cisco ASA licensing options
3. Getting Started with Cisco Security Appliances
* Four main access modes
* Security appliance file management system and security levels
* ASDM requirements and capabilities
* Use the CLI to configure and verify basic network settings, and prepare the security appliance for configuration via ASDM
* Verify security appliance configuration and licensing via ASDM
4. Essential Security Appliance Configuration
* Configure a security appliance for basic network connectivity
* Verify the initial configuration
* Set the clock and synchronize the time on security appliances
* Configure the security appliance to send syslog messages to a syslog server
5. Translations and Connection Limits
* Function of TCP and UDP protocols within the security appliance
* Function of static and dynamic translations
* Configure dynamic and static address translations
* Set connection limits
6. ACLs and Content Filtering
* Configure the basic and extended functions of ACLs
* Configure active code filtering (ActiveX and Java applets)
* Configure the security appliance for URL filtering
* Use the packet tracer for troubleshooting
7. Object Grouping
* Advantages
* Configure object groups and use them in ACLs
8. Switching and Routing on Security Appliances
* Configure logical interfaces and VLANs
* Configure static routes and static route tracking
* Dynamic routing capabilities of Cisco security appliances
* Configure passive RIP routing
9. AAA for Cut-Through Proxy
* Define and compare AAA
* Install and configure Cisco Secure ACS
* Configure the local user database
* Define and configure cut-through proxy authentication
* Define and configure user authorization using downloadable ACLs
* Define and configure accounting
10. Cisco Modular Policy Framework
* Configure the Modular Policy Framework feature
* Functions of class and policy maps
* Functionality of service policies
* Use ASDM to configure a service policy rule
11. Advanced Protocol Handling
* Need for advanced protocol handling
* Configure advanced protocol handling
* How the security appliance inspects common network applications
* Issues with multimedia applications and how multimedia call control and audio sessions are supported
12. Threat Detection and Statistics
* Configure basic and scanning threat detection
* View and understand threat detection statistics
13. Site-to-Site VPNs
* Configure Site-to-Site VPNs using Pre-Shared Keys
* How security appliances enable a secure VPN
* Know the steps and commands needed to configure security appliance IPsec support
* Configure a VPN between security appliances
14. Remote Access VPNs
* Cisco Easy VPN
* Cisco VPN Client
* Configure an IPsec Remote Access VPN
* Configure Users and Groups
15. SSL VPN
* SSL VPN and its purpose
* Use the SSL VPN Wizard to configure a basic, clientless SSL VPN connection
* Configure SSL VPN policies
* Verify SSL VPN operations
* Customize the clientless SSL VPN portal
16. Transparent Firewall Mode
* Purpose of transparent firewall mode
* How data traverses a security appliance in transparent mode
* Configure and enable transparent firewall mode
* Monitor and maintain transparent firewall mode
17. Security Contexts
* Purpose of security contexts
* Enable and disable multiple context mode
* Configure and manage a security context
18. Failover
* Difference between hardware and stateful failover
* Difference between active/standby and active/active failover
* Security appliance failover hardware requirements
* Configure redundant interfaces
* How active/standby and active/active failover works
* Security appliance roles of primary, secondary, active, and standby
* Configure active/standby cable-based and LAN-based failover
* Configure active/active failover
* Use remote command execution
19. Managing Security Appliances
* Configure Telnet and SSH access to the security appliance
* Configure command authorization
* Recover security appliance passwords using general password recovery procedures
* Use TFTP to install and upgrade the software image on the security appliance
Labs
Lab 1: Preparing the ASA for Administration
The goal of this lab is to prepare the ASA for remote administration by both SSH and HTTPS/ASDM. You will find the ASA currently has an unusable configuration. You will have to access it via its physical console port and reset the configuration back to factory defaults. You will use the setup dialog to configure the inside interface and enable ASDM access via HTTP. You will also enable SSH from the CLI. You will test SSH access from the Admin PC. You will also install and configure ASDM on the Admin PC and test initial access with ASDM. Actions performed will include:
* Access the ASA Console Port
* Clearing an Existing Configuration
* Taking Inventory of the ASA
* The Setup Dialog
* Enable SSH
* Set Up ASDM
* Verify the ASA Configuration
Lab 2: Essential Security Appliance Configuration
In this lab, you will configure many of the basic settings on the ASA. You will configure the inside, outside, and DMZ interfaces, and you will configure authenticated NTP support and Syslog support. You will then use different scenarios and features to test the behavior of the ASA with this simple configuration in place. Actions performed will include:
* Execute the Startup Wizard
* ASDM Device Setup
* Configure Syslog
* Test and Verify the ASA's Configuration
* The Packet Capture Wizard
* Verify the ASA Configuration
Lab 3: Translations and Connections
In this lab, you will work with configuring address translations through the ASA. You will begin by experimenting with nat 0 and no nat-control to understand the differences between the two. Next, you will implement a temporary PAT configuration. You will then move on to configure Dynamic NAT, NAT Exemption, and Static NAT as appropriate for the lab topology. At each step along the way, you will test and verify the results of the configuration, both on the host systems that are communicating as well as on the ASA. During this lab, you will learn how to configure and monitor address translation and you will see the difference between the ASA's translation table and its connection table. Actions performed will include:
* Examine NAT Control and NAT 0
* Configure PAT
* Configure Dynamic NAT and NAT Exemption
* Configure Static NAT
* Verify the ASA Configuration
Lab 4: Configuring ACLs and Object Groups
In this lab, you will configure access policy through the ASA. The policy will allow access to the public services running on the DMZ Server from the outside. It will also be very restrictive on what connections are allowed to originate from the DMZ Server. Policy from the internal network will be unrestricted. While configuring and testing policy, you will also be introduced to Object Groups, the Packet Tracer, and ICMP Inspection. Actions performed will include:
* Configure Inbound HTTP Access
* Complete Inbound Policy using Object Groups
* Configure Policy from the DMZ
* Verify the ASA Configuration
Lab 5: AAA and Cut Through Proxy
Cut Through Proxy is a feature on the security appliance that allows access control to be based on a user instead of an IP address. That is, instead of using statically defined ACLs that key off expected user IP addresses, when the ASA sees matching traffic from a new IP address, it can intercept the connection and challenge for a username and password. If the user is authorized, connections are allowed. This can be extended one step further where downloadable ACLs provided by the AAA server very precisely define the access control for that particular user. You will explore AAA and the Cut Through Proxy feature in this lab exercise. Actions performed will include:
* Configure ACS and ASA Communication
* Exclusive - Configure ACS Integration with Active Directory
* Cut Through Authentication
* User Authentication Timeouts
* Virtual Telnet Server
* Downloadable ACLs
* Per User Override
* AAA Accounting
* Verify the ASA Configuration
Lab 6: Modular Policy Framework and Advanced Protocol Handling
In this lab you will work with the Modular Policy Framework (MPF) in various ways. First, you will inspect the current global policy and see how class maps, policy maps, and service policy are built into a hierarchy. Then you will use the MPF to apply DOS protection to the DMZ interface, testing the feature with an attempted SYN Flood attack. You will implement QoS features, limiting bandwidth used by the DMZ interface, insuring traffic to and from the inside network is not starved by DMZ access. You will finish by experimenting with FTP inspection. With FTP inspection turned on, if the FTP control channel is allowed, so are all the associated dynamically negotiated data connections. When FTP inspection is turned off, if the FTP data connections are not allowed by the static policy in place, the data connections will not be allowed. Actions performed will include:
* Examine the Current Policy
* Exclusive - DOS Protection with MPF
* Exclusive - Quality of Service with MPF
* FTP Protocol Inspection
* Verify the ASA Configuration
Lab 7: Threat Detection
By default the ASA monitors the rate of dropped packets and security events due to a number of reasons including (but not limited to) DoS attack, ACL drop, Conn limit, ICMP attack, and SYN attack. When the ASA detects a threat, it sends a Syslog message to inform of its occurrence. In this lab, you will work with Basic Threat Detection. You will verify that it is enabled by default, and you will see how to enable and view additional threat detection statistics. Actions performed will include:
* Basic Threat Detection
* Threat Detection Statistics
* Verify the ASA Configuration
Lab 8: Site-to-Site VPN
In this lab you will work with creating and testing a site-to-site VPN using the ASDM VPN Wizard. You will begin by verifying that without a VPN, there is no connectivity between the local network and Site 1. You will then proceed to create and test a site-to-site VPN to Site 1 using the VPN Wizard. Lastly, you will experiment with ways to limit access through the tunnel for those users connecting from Site 1. Actions performed will include:
* Verify Current Environment
* ASDM VPN Wizard
* Verify the Resulting Configuration
* Test and Verify the VPN Tunnel
* Exclusive - Enforce Access Policy from Site 1
* Verify the ASA Configuration
Lab 9: Remote Access VPN
In this lab you will once again use the VPN Wizard. This time it will be used to enable Remote Access VPN. Since completion of the link requires a client, you will also configure the VPN software client to initiate the connection. After testing and verifying the Remote Access VPN, you will implement split tunneling in order to allow Remote Access VPN clients to access Internet resources without using the tunnel. Lastly, you will work with Hairpin VPN, an alternative to split tunnel, to allow Remote Access VPN users to access the Internet. Actions performed will include:
* Prepare the ASA for Remote Access VPN
* Prepare the Cisco VPN Client
* Test and Verify Remote Access VPN
* Update the NAT Configuration
* Exclusive - Allow Internet Access via Split Tunneling
* Exclusive - Allow Internet Access via Hairpin
* Verify the ASA Configuration
Lab 10: Clientless SSL VPN
In this lab you will run the SSL VPN Wizard to configure ASA to allow access to the Web VPN. Once the SSL VPN is up and running, you will explore the features it provides. You will then create different policies for different groups of users. General users will have fewer privileges with the clientless VPN than administrative users. Actions performed will include:
* SSL VPN Wizard
* Test Clientless SSL VPN
* Define a Group Policy for General Users
* Test the Policy for General Users
* Exclusive - Provide Greater Customization for the AdminPolicy
* Exclusive - Test the Admin Customization and OnScreen Keyboard
* Monitor SSL VPN Connections
* Verify the ASA Configuration
Lab 11: Transparent Mode Firewall & Security Contexts
In this lab, you will configure and test two features which first appeared in version 7.0 of the Security Appliance OS: Transparent firewalling and security contexts.
Transparent firewall mode is designed for two primary reasons: 1) an organization wants to add a firewall to an existing network without requiring re-addressing, and 2) an organization operates a multiprotocol network, including non-IP traffic, and wants to allow that traffic through the firewall without requiring GRE tunneling. In this lab, the transparent firewall will be inserted between the routing interfaces of the L3-Switch and the PC systems. The transparent firewall can then provide firewalling services without modifying the L3-Switch or PC configurations.
Security contexts were designed to allow a single physical firewall to perform jobs that generally require multiple firewalls. A limitation of transparent firewall mode on the security appliance is that only two interfaces are allowed. Obviously, dedicating a single physical firewall with more than two physical interfaces (and the ability to support multiple VLANs off each of its physical interfaces) is quite limiting. Hence using security contexts with transparent firewalling allows a single physical firewall to provide transparent firewalling to multiple IP subnets. Actions performed will include:
* Understand the Updated Topology
* Access the Security Appliance Console
* Configure Transparent Firewall Mode
* Configure Interfaces and the Management IP Address
* Exclusive - Configure the Switching Fabric
* Test Connectivity through the Security Appliance
* Prepare the ASA for and Launch ASDM
* Define and Test Inbound Policy with ASDM
* Understand the Updated Scenario
* Exclusive - Enable Multiple Context Mode
* Exclusive - Multiple Context Mode from ASDM
* Exclusive - Create and Configure a New Context
* Exclusive - Update the Switching Fabric
* Exclusive - Verify Functionality of the New Context
* Verify the ASA Configuration
Lab 12: Active/Standby Failover
In this lab, two pods are linked together. The Primary Pod's ASA will be configured as the primary ASA for failover and the Secondary Pod's ASA will be configured as the secondary ASA for failover. Stateful failover will also be enabled. Once configured, the failover status will be confirmed and tested. After a successful test, the failover status will be returned to its initial state. Actions performed will include:
* Understand the Updated Topology
* High Availability and Scalability Wizard
* Exclusive - Configure the Failover Prompt
* Verify Failover Status
* Test Failover Operation
* Return to a Normal State
* Verify the ASA Configuration
Lab 13: Active/Active Failover
In this lab, two pods are linked together. The Primary and Secondary Pod's ASA will be configured for failover using two contexts each assigned to different failover groups. Stateful failover will be enabled, and preemption will be configured so that different ASAs will be active for each failover group. Once configured, the failover status will be confirmed and tested. After a successful test, the failover status will be returned to its initial state. Actions performed will include:
* Understand the Updated Topology
* High Availability and Scalability Wizard
* Exclusive - Demonstrate Configuration Replication and Failover Exec
* Verify Failover Status
* Exclusive - Enable Preemption
* Test Failover Operation
* Return to a Normal State
* Verify the ASA Configuration
Lab 14: Managing the Security Appliance
You will begin this lab by experimenting with the configuration of Authentication, Authorization, and Accounting. You will configure various methods of AAA including using the Local ASA database as well as scaling the solution by using Cisco Secure ACS. Next, you will perform an upgrade including the ASA OS as well as ASDM. Lastly, you will perform a password recovery on the ASA. Actions performed will include:
* Connect to the ASA via SSH
* Configure Commands at a New Privilege Level
* Configure Command Authorization for LOCAL Users
* Exclusive - Configure Command Authorization using TACACS+
* Exclusive - Configure Command Accounting
* View the AAA Configuration from ASDM
* Perform a "System Upgrade"
* Exclusive - Perform a Password Recovery
* Verify the ASA Configuration
This course is primarily intended for students responsible for configuring Cisco IOS software. This course is also suitable for people responsible for maintaining their organisations networks and security systems.
Before attending this course, students must be:
• Certified as a CCNA or have the equivalent knowledge
• Have experience in configuring Cisco Internetwork Operating System (IOS) software
• Have a basic knowledge of the Windows operating system
• Have a familiarity with the networking and security terms and concepts as learnt through prerequisite training
• ICND2 - Interconnecting Cisco Network Devices 2
• IINS - Implementing Cisco IOS Network Security