ccna book pdf todd lammle

ccna book pdf todd lammle.9.1.1.1 ASA Firewall OverviewThe IOS router firewall solution is suitable for deployment in small branch offices and for administrators with experience using CiscoIOS. However, IOS firewall solutions do not scale well and often do not meet the needs of large enterprises.The ASA is a standalone firewall appliance that is a key component of the Cisco SecureX architecture. The ASA is available in multiple models ranging from the basic 5505 branch office model to the 5585 data center version. All offer advanced stateful firewall and VPN capabilities. The biggest differences between models are: the maximum data throughput each model handles, and the number and type of interfaces. The sheer number of models of Cisco ASA devices allows for a wide range of user needs and network sizes. The choice of ASA model depends on the needs of the enterprise, such as things like maximum throughput, maximum number of connections per second, and budget.Note: Recently, Cisco introduced the ASA 5500-X series of firewalls. The "-X" suffix indicates the ASA appliance's ability to run next-generation security services, which include Cisco ApplicationVisibilityandControl (AVC), Cisco Web Security Essentials (WSE), and Cisco Web Security Essentials (WSE). SecurityEssentials (WSE), and Intrusion Prevention System (IPS ). o For more information, see cisco.com.ASA software integrates the firewall, VPN concentrator, and intrusion prevention functions into a single software image. Previously, these functions were provided in three different appliances, each with its own software and hardware. Combining these features into one software image significantly improves the performance of the application.Other advanced ASA features are shown below.ASA Virtualization: A single ASA can be partitioned into multiple virtual devices. Each virtual device is called a security context. o Each context is a separate device with its own security policy, interface, and manager. Multiple contexts are like having multiple independent devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management features. There are some features that are not supported, including VPN and dynamic routing protocols.High availability with failover: Two identical ASAs can be paired into an active/backup failover configuration to provide device redundancy. The software, licensing, memory, and interfaces, including the Security Service Module (SSM), must be the same for both ASAs. In this example, ASA-1 is the preferred active device for forwarding traffic' traffic leaving the PC-A is taken using the right-hand path of ASA-1. ASA-1 and ASA2 monitor each other using the LAN failover link. If ASA-1 fails. then ASA-2 immediately assumes the role of the preferred device and the status switches to active.Identity Firewall: The ASA can provide optional fine-grained access control based on the association of IP addresses to Windows Active Directory login information. For example, when a client attempts to access a server resource, it must first authenticate using a firewall service based on Microsoft Active Directoryidentity. Existing access control and security policy mechanisms can be enhanced by specifying users or groups (rather than source ID addresses). Identity-based security policies can be crossed with traditional IP address-based rules without restriction.Threat Control and Suppression Services: All ASA models support basic IPS features. However, advanced IPS features can only be provided by specialized hardware modules integrated in the ASA architecture. IPS features are provided through the use of an advanced detection and defense module, while anti-malware features can be deployed integrated with the Content Security and Control (CSC) module. The Cisco Advanced Detection and Defense Security Services Module (AIP.SSM) and the Cisco High Level Detection and Defense Security Services Card (AIP-SSC) provide protection against tens of thousands of known vulnerabilities. They can also protect against hundreds of potentially unknown vulnerabilities and variants using a dedicated IPS detection engine and thousands of features. Cisco IPS Services provides feature set updates through a global intelligence team that works 24 hours a day to ensure protection against the latest threats.