Lesson 8 Flashcards
The Cisco _____________ is borrowed from IOS to make it easier to implement flexible policies on the security appliances. One or more policies can be applied to traffic flowing through the appliance.
Modular Policy Framework (MPF)
- Control what traffic is added to the connection table to allow returning traffic back to the source, as well as examine the payloads of inspected applications for connection, translation, and security issues
Inspection of connections
- Limit the number of completed and half-open connections on a per-group, per-user, or per-host basis
Connection restrictions
- Implement low-latency queuing to prioritize high-priority traffic, like voice, over normal data traffic.
Traffic prioritization
- You can rate-limit traffic in both the inbound and outbound directions to control excessive bandwidth needs of applications
Traffic policing
- With the AIP-SSM (Advanced Inspection and Prevention Security Services Module) card installed in an ASA, you can define policies to copy packets to, or to redirect packets into, the AIP-SSM card to look for and prevent attacks.
Intrusion prevention system (IPS)
- With the CSC-SSM (Content Security and Control) card installed in an ASA, you can define policies to have traffic redirected through the card to look for viruses, malware, spyware, phishing, and other types of issues with Web, FTP, and email applications.
Anti-X
The MPF Process
Identify traffic to be subject to the policy. Includes IP addresses and transport protocol port numbers
Create the policy, which specifies the action that permits, denies, or otherwise manipulates the traffic and/or the way it’s handled
Activate the policy by applying it to an interface
class-map
policy-map
service-policy
Template used to identify a traffic flow by using the match command. A traffic flow is a set of traffic that is identifiable by its packet content. The class-map identifies the traffic to which you want to associate one or more policies
class-map
Used to associate one or more actions with a class of traffic. Consists of a list of policies which reference a class map.
policy-map
Used to enable a set of policies on an interface or all interfaces.
service-policy
Supported class maps:
Layer 3/4
Inspection (Layer 7)
Regular expressions (“ftp://”)
Management
When using class maps, you are required to use _________ to identify the devices and/or services, like a particular FTP server.
a Layer 3/4 class map
Includes all default application inspection traffic, which is about a dozen and a half protocols such as ftp, rpc, ils, and so on
default-inspection-traffic
Matches on the specified ____ values in the IP header used for QoS.
DSCP
Matches on the specified TOS values in the IP header used for QoS and in DSCP.
precedence
Matches on a particular site-to-site connection or on a WebVPN or IPSec remote access group.
tunnel-group
Further qualifies the matching process when the configured policy is policing: e.g., rate-limiting remote access users on a per-destination basis.
flow
The ASA Firewall listens to the entire FTP transfer conversation on the FTP control port and automatically allows the corresponding inbound connection.
Active-mode FTP
____. When it’s time to open a data session, instead of sending the PORT command to the server, the client sends a ___ command to the server.
If the FTP server supports Passive mode, it opens a random port of its own and responds with a ____ command to the client, which includes the number of the TCP port it just opened.
Passive-Mode FTP
PASV
PORT
When more than one policy is associated with the class map, the policies are enforced in the following order:
- Connection limits, connection timeouts, and TCP sequence number randomization
- CSC card (Content Security and Control)
- Stateful and application inspection
- IPS card
- Input policing
- Output policing
- Priority queuing
Configuring a Traffic Class
fw1(config)# class-map CLASS_ALL
fw1(config-cmap)# match port tcp eq http
fw1(config-cmap)# match access-list INBOUND-MPF
fw1(config-cmap)# exit
Note that a Layer 3/4 class map normally accepts only one match statement, so the two match commands above are alternative ways of identifying the traffic rather than one combined class.
Associating a Traffic Class with an Action
fw1(config)# policy-map INT_POL
fw1(config-pmap)# class COMM
fw1(config-pmap-c)# set connection conn-max 800
Applies the policy map to the outside interface
fw1(config)# service-policy INT_POL interface outside
The security appliance configuration contains a preconfigured ________ that enables inspection of certain applications on all interfaces
policy map (global_policy)
Default inspection policy names:
class-map
policy-map
inspection_default
global_policy