Exploring the Navigation Bar
The navigation bar provides access to the main areas of ASDM.
Figure 4-10 shows the contents of the
bar. The navigation bar contains three buttons that enable you to do the bulk of
the work for configuring and monitoring the ASA/PIX Security Appliance:
- Home
- Configuration
- Monitoring
The remaining buttons are used for navigating ASDM, saving
files, and obtaining help:
- Back
- Forward
- Search
- Refresh
- Save
- Help
Table 4-2 provides an
overview of each item on the navigation bar. A more detailed explanation is
provided in the section following the table.
Table 4-2. Navigation Bar Overview

| Navigation Icon | Summary |
| --- | --- |
| Home | This is the default screen seen when ASDM launches. It primarily contains status and device information of the security appliance and ASDM. |
| Configuration | This is the main portion of ASDM. It contains all the configuration options for the ASA/PIX Security Appliance. |
| Monitoring | The Monitoring icon offers options to monitor many of the security appliance features and functions. This includes graphing and table views. |
| Back arrow | This allows backward navigation through previously viewed ASDM screens. |
| Forward arrow | This allows forward navigation through previously viewed ASDM screens. |
| Search | This icon finds the ASDM panel that matches user-entered search criteria. |
| Refresh | The Refresh icon reloads the current ASA/PIX configuration to the ASDM application. This icon turns red when ASDM is not in sync with the ASA/PIX Security Appliance configuration. |
| Save | This icon saves any changes made through ASDM to the ASA/PIX Security Appliance running configuration. A copy of the running-config is saved to Flash memory. |
| Help | This contains context-sensitive help. |
Many items within these navigation bar icons contain
configuration panels and information to help troubleshoot or configure the
ASA/PIX Security Appliance. Detailed information about each navigation icon
follows.
Home Navigation Icon
The Home navigation icon displays real-time information about
the ASA/PIX Security Appliance. (See Figure
4-11.)
In the upper-left corner, there are two tabs under Device
Information. One tab is labeled Licensing and displays pertinent information
about the license that is installed in the ASA/PIX Security Appliance. The other
is labeled General and displays information about the ASA/PIX Security
Appliance, such as the following:
- ASA/PIX version
- Device type
- Memory information
- ASDM version
Below the Device Information section is a panel called VPN
Status, which displays information about VPN tunnels.
Below the VPN Status section is a panel called System Resource
Status. This panel displays information about the ASA/PIX Security Appliance CPU
and memory usage.
At the bottom of the screen is a panel that displays the latest
ASDM syslog messages. ASDM gives you the option on the right side of this panel
to configure filters for syslog messages, enabling you to see only the messages
that you consider important for your network.
In the upper-right corner of the Home navigation icon screen,
the Interface Statistics panel displays. This panel shows the following:
If you click the interface, the input and output traffic
statistics for that interface display just under the Interface Statistics
panel.
Below the Interface Statistics panel is the Traffic Status
panel. This panel displays, in graph form, the UDP, TCP, and total connections
per second.
Below the Traffic Status panel is a second panel that displays
traffic usage on the outside interface. This graph can prove helpful in
determining whether a denial-of-service (DoS) attack is being launched against
the outside interface of the security appliance or whether an excessive amount
of traffic is being serviced by the security appliance.
Configuration Icon
The Configuration section of ASDM contains most of the
functions needed to configure and control the features of your security
appliance. Eight features are listed under the Configuration icon. (See Figure 4-12.)

The following features are available under the Configuration
icon:
- Interfaces
- Security policies
- NAT
- VPN
- Routing
- Building blocks
- Device administration
- Properties
Although this list of features represents a comprehensive set
of tasks that need to be accomplished to fully configure the ASA/PIX Security
Appliance, most deployments can be done using the defaults already configured as
part of ASDM. Many of these features are optional depending on your networking
requirements. For instance, routing, VPN, and building blocks might not be
required in many small business network deployments.
This chapter touches on each of these features so that you
learn the capabilities of the ASA/PIX version 7 operating system and ASDM.
However, the configurations deployed in this book follow the defense-in-depth
model and are covered in the following chapters:
Interfaces
The Interface panel, shown in Figure 4-13, enables you to control the features of the
hardware interfaces on your ASA/PIX Security Appliance.
This panel enables you to configure the network and security
characteristics, as well as enable or disable the hardware interfaces.
Security Policy
The Security Policy panel, shown in Figure 4-14, has four subpanels:
- Access Rules
- AAA Rules
- Filter Rules
- Service Policy Rules
To add, delete, modify, or move elements in any of the panels
within the Security Policy feature (see Figure 4-14), you have three options: right-click
the panel and use the pop-up screen, use the icons across the top of the current
panel, or use the pull-down menu labeled Rules.
- Access Rules— These rules
enable you to decide what traffic will be allowed to traverse your security
appliance. By default, most traffic sourced from the inside interface of the
security appliance is allowed to go to the outside interface and return back to
the inside. By default, all traffic sourced from the outside is blocked from
going to your inside network. If you are hosting any network services, such as
web servers or mail servers, on the inside of your network, you must create an
access list to let that traffic through the security appliance.
The traffic flow on an ASA/PIX Security Appliance is defined by
a value called a security level. By default,
traffic flows freely from an interface with a high security level to an
interface with a lower security level. For example, the inside interface has a
security level of 100, and an outside interface has a security level of 0.
Therefore, by default, traffic can flow from the inside to the outside without
any configuration.
Note
Defining access rules is a must
for any security appliance deployment. Configuring inbound network services is
addressed in Chapter 6.
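The default-flow and access-rule behaviour just described, modelled as an added Python example (not code from the book or from Cisco): each interface carries a security level, a new connection whose ingress interface has no access list is allowed only from a higher to a lower level, and an access list applied to the ingress interface replaces that default and ends in an implicit deny. The interface names, addresses and the single publishing rule are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Interface:
    name: str
    security_level: int            # 0 = least trusted ... 100 = most trusted
    access_rules: list = field(default_factory=list)   # inbound rules, in order

@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    protocol: str                  # "tcp", "udp", "icmp" or "ip" (any)
    source: str                    # CIDR
    destination: str               # CIDR
    dst_port: Optional[int] = None # None matches any destination port

def rule_matches(rule, proto, src, dst, dport):
    if rule.protocol not in ("ip", proto):
        return False
    if ip_address(src) not in ip_network(rule.source):
        return False
    if ip_address(dst) not in ip_network(rule.destination):
        return False
    return rule.dst_port is None or rule.dst_port == dport

def decide(ingress, egress, proto, src, dst, dport):
    """Return 'permit' or 'deny' for a new connection arriving on
    ``ingress`` and destined for a host reached via ``egress``."""
    if ingress.access_rules:
        # An access list applied to the ingress interface replaces the
        # security-level default; the first matching rule wins.
        for rule in ingress.access_rules:
            if rule_matches(rule, proto, src, dst, dport):
                return rule.action
        return "deny"              # implicit deny at the end of every access list
    # No access list: traffic may go only from a higher to a lower security level.
    return "permit" if ingress.security_level > egress.security_level else "deny"

# Constructed topology: inside is level 100, outside is level 0.
inside = Interface("inside", 100)
outside = Interface("outside", 0)
# Constructed inbound rule on outside that publishes one web server (192.0.2.10).
outside.access_rules = [Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80)]

if __name__ == "__main__":
    print(decide(inside, outside, "tcp", "10.0.0.5", "198.51.100.7", 443))   # permit
    print(decide(outside, inside, "tcp", "198.51.100.7", "192.0.2.10", 80))  # permit
    print(decide(outside, inside, "tcp", "198.51.100.7", "192.0.2.10", 22))  # deny
```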
- AAA Rules— These rules enable
you to authenticate traffic coming from the outside of your security appliance
or going into your security appliance. You can define a AAA server to
authenticate users, or you can use this panel to define local users. The only
traffic that can be authenticated is traffic that uses a protocol that has the
capability to accept a username and password. The ASA/PIX Security Appliance
supports four such applications:
  - HTTP— Web traffic
  - HTTPS— Encrypted web traffic
  - Telnet— Text-based terminal traffic
  - FTP— File Transfer Protocol
Authentication rules can also be activated or deactivated based
on the time of day or day of week. For example, you can limit users to access
only these services from 8 A.M. to 5 P.M., Monday through Friday. In addition, you can
limit authentication rules to certain IP addresses, users, or service
groups.
- Filter Rules— Many viruses,
worms, and spyware programs can be spread using malicious code embedded inside of web
traffic. To help prevent this spread, these filter rules look deep into packets
and can filter out ActiveX and Java applets that might cause malware to spread
to the inside hosts on your network through day-to-day web browsing. You can use
this filter panel to create an exclusion rule that allows or disallows ActiveX
or Java from specific sites.
Another powerful feature of the ASA/PIX Security Appliance is
URL filtering. You can implement URL filtering using the filter rules. Using a
third-party vendor such as WebSense, you have the ability to control which
websites your users can access from the inside of your network. The software
packages are easy to use; often with just a single click you can filter out all
known porn sites, hacker sites, sport sites, or file-sharing sites. URL
filtering can also catch URL attacks such as a Unicode attack which, when
crafted correctly and sent to a vulnerable system, can execute the DOS command
prompt.
Caution
In some of the 50 states, deploying URL filtering is a freedom
of information issue versus the right of an employer to protect company assets.
You might want to get legal advice if you suspect this is an issue in your
state.
- Service Policy Rules— Like
filtering rules, these rules also look deeply into packets to determine whether
the packet is valid and should be passed through the security appliance. Service
policy rules classify traffic by protocol or sets of protocols and then apply
rules to allow or reject content based on configurations that you have
previously defined. This is discussed further in Chapter 8.
The subpanels within the service policy rules enable you to
classify your traffic and then apply rules to that traffic. Consider inbound web
traffic as an example, but remember that this is just an example, and it is not
necessarily recommended to use this policy on your security appliance. Service
policy rules enable you to create a policy that resets a connection if an
outside user is trying to send a URL longer than the largest URL you have on
your web server. This policy could mitigate several attacks such as a hacker
trying to manually send a SQL request to access unauthorized data or trying to
send a large URL to overflow the buffer of your web server.
Policy rules give you several other options to mitigate attacks
or recover bandwidth used by unauthorized activity, including the following:
- Stop certain types of traffic that do not adhere to the RFC
specifications.
- Stop certain types of files from being transferred within a
protocol such as HTTP or SMTP (mail). Often attackers send files compressed in
formats such as Zip or GZip to evade signature recognition used by most antivirus
vendors.
- Stop certain types of peer-to-peer (P2P) network file-sharing
programs that can take up unauthorized bandwidth and transfer files into your
environment over which you have no control.
- Stop instant messaging.
- Stop tunneling of protocols within other protocols,
especially within HTTP.
- Enforce a maximum number of connections allowed to a certain
port to prevent CPU overload during peak usage or DoS attacks.
- Randomize TCP sequence numbers on a per-protocol basis to
reduce the possibility of TCP hijacking.
- Apply quality of service to certain data flows or
protocols.
Click the Show Detail option
button at the bottom of the Security Policy panel to see which protocols are
inspected by default. To see the details of each inspection, browse through the
Edit panel's Traffic Classification, Traffic Match, and Rule Action tabs. In the
Rule Action panel, click the Configure button
to see a detailed inspection for each protocol.
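A toy model of the classify-then-act behaviour described for service policy rules, including the reset on an oversized URL, written as an added Python example (not ASA code and not the book's): traffic is classified by protocol and port, and the inspection configured for that class decides whether a request passes, is dropped, or resets the connection. The class map, the 64-character URL maximum and the sample request lines are constructed assumptions.

```python
# Constructed class map: (protocol, destination port) -> traffic class.
CLASS_MAP = {("tcp", 80): "http", ("tcp", 25): "smtp"}

# Request methods defined by RFC 2616; anything else is treated as non-compliant.
RFC_HTTP_METHODS = {"OPTIONS", "GET", "HEAD", "POST",
                    "PUT", "DELETE", "TRACE", "CONNECT"}

def classify(proto, dport):
    """Map a packet to the traffic class the policy was written for."""
    return CLASS_MAP.get((proto, dport), "default")

def inspect_http(request_line, max_uri_len):
    """Inspection for the http class. Actions:
    drop  - malformed request line or a method outside RFC 2616
    reset - URI longer than anything the protected server serves
    pass  - otherwise"""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "drop"
    method, uri, _version = parts
    if method not in RFC_HTTP_METHODS:
        return "drop"
    if len(uri) > max_uri_len:
        return "reset"
    return "pass"

def apply_policy(proto, dport, payload, max_uri_len=64):
    """Classify the packet, then apply the inspection attached to its class."""
    cls = classify(proto, dport)
    if cls == "http":
        return inspect_http(payload, max_uri_len)
    return "pass"   # no inspection configured for this class

# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /index.html HTTP/1.1",            # normal request -> pass
    "GET /" + "A" * 300 + " HTTP/1.1",     # oversized URI -> reset
    "FOO /index.html HTTP/1.1",            # non-RFC method -> drop
    "GET /index.html",                     # malformed line -> drop
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(apply_policy("tcp", 80, req), req[:40])
```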
NAT
Figure 4-15 shows the
NAT panel, which has four main functions, as described in the list that follows.
NAT is a feature that allows private addresses to be translated and routed to
the Internet, as discussed in detail in Chapter 5. To add, delete, modify, or move
elements in any of the panels within the NAT panel, you can right-click the panel
and use the pop-up screen, use the icons across the top of the current panel, or
use the pull-down menu labeled Rules.
- Enables Traffic to Traverse the
Security Appliance Without Address Translation— Checking this box will
allow traffic to traverse back and forth through the security appliance without
using address translation. The only time you should consider doing this is if
all the addresses behind your security appliance are publicly routed Internet
addresses.
- Translation Rules— This panel
enables you to set up address translations that will allow you to use private
Internet addresses on the inside of your security appliance while still
accessing public Internet devices. The most common form of NAT used is port
address translation, also called PAT. If you use PAT, the addresses from inside
your security appliance assume the outside interface's IP address before they
are routed to the Internet. Because all Internet devices know how to return
traffic to your security appliance, the security appliance will know what to do
when the traffic comes back to it. The security appliance will just check its
NAT tables and be able to recognize the true source of the packet and send it
back to the host on the inside of your network.
For the purposes in this book, PAT is used for inside hosts,
and static NAT is used for public servers. In Chapters 5 and 6, PAT and NAT are deployed to allow Internet
access.
Note
NAT is a complex subject. For an in-depth discussion on
implementing NAT, go to the Cisco website and access the URL http://www.cisco.com/go/nat. Even though this link is for
Cisco IOS, the concepts are the same for the ASA/PIX Security
Appliance.
- Translation Exemption Rules—
This panel enables you to exclude certain traffic from NAT translation, which is
sometimes required in complex VPN deployments.
- Manage Pools— NAT pools are
addresses allocated for use by NAT on a per-interface basis on the ASA/PIX
Security Appliance.
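The PAT table lookup described under Translation Rules, as an added Python example that is not from the book or from Cisco: outbound flows are rewritten to the outside interface address and a fresh mapped port, the stored entry lets return traffic be recognised and reversed, and inbound traffic with no entry is dropped. The addresses are constructed (an RFC 1918 inside host and RFC 5737 documentation ranges elsewhere).

```python
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

class PatTable:
    """Translation (xlate) table for port address translation behind one
    outside interface address. Added model, not ASA code."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self._ports = count(first_port)   # next unused translated source port
        self._by_inside = {}              # (src, sport, dst, dport) -> mapped port
        self._by_outside = {}             # (mapped port, dst, dport) -> inside flow

    def outbound(self, flow):
        """Rewrite an inside->outside packet to the outside address and a
        mapped port, creating the table entry on the first packet."""
        key = (flow.src, flow.sport, flow.dst, flow.dport)
        if key not in self._by_inside:
            mapped = next(self._ports)
            self._by_inside[key] = mapped
            self._by_outside[(mapped, flow.dst, flow.dport)] = flow
        return Flow(self.outside_ip, self._by_inside[key], flow.dst, flow.dport)

    def inbound(self, flow):
        """Reverse the translation for a returning outside->inside packet.
        Returns None when no entry exists: unsolicited traffic is dropped."""
        if flow.dst != self.outside_ip:
            return None
        orig = self._by_outside.get((flow.dport, flow.src, flow.sport))
        if orig is None:
            return None
        return Flow(flow.src, flow.sport, orig.src, orig.sport)

if __name__ == "__main__":
    table = PatTable("203.0.113.2")
    out = table.outbound(Flow("10.0.0.5", 40000, "198.51.100.7", 80))
    reply = Flow("198.51.100.7", 80, "203.0.113.2", out.sport)
    print(out, "->", table.inbound(reply))
    print(table.inbound(Flow("198.51.100.9", 4444, "203.0.113.2", 2000)))  # None
```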