Cisco Systems OL-16647-01 Network Router User Manual

Open as PDF

of 1230

2-17

Cisco ASDM User Guide

OL-16647-01

Chapter 2 Introduction to the Security Appliance

Firewall Functional Overview

• Applying Application Inspection, page 2-17

• Sending Traffic to the Advanced Inspection and Prevention Security Services Module, page 2-18

• Sending Traffic to the Content Security and Control Security Services Module, page 2-18

• Applying QoS Policies, page 2-18

• Applying Connection Limits and TCP Normalization, page 2-18

Permitting or Denying Traffic with Access Lists

You can apply an access list to limit traffic from inside to outside, or allow traffic from outside to inside.

For transparent firewall mode, you can also apply an EtherType access list to allow non-IP traffic.

Applying NAT

Some of the benefits of NAT include the following:

• You can use private addresses on your inside networks. Private addresses are not routable on the

Internet.

• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a

host.

• NAT can resolve IP routing problems by supporting overlapping IP addresses.

Protecting from IP Fragments

The security appliance provides IP fragment protection. This feature performs full reassembly of all

ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the

security appliance. Fragments that fail the security check are dropped and logged. Virtual reassembly

cannot be disabled.

Using AAA for Through Traffic

You can require authentication and/or authorization for certain types of traffic, for example, for HTTP.

The security appliance also sends accounting information to a RADIUS or TACACS+ server.

Applying HTTP, HTTPS, or FTP Filtering

Although you can use access lists to prevent outbound access to specific websites or FTP servers,

configuring and managing web usage this way is not practical because of the size and dynamic nature of

the Internet. We recommend that you use the security appliance in conjunction with a separate server

running one of the following Internet filtering products:

• Websense Enterprise

• Secure Computing SmartFilter

Applying Application Inspection

Inspection engines are required for services that embed IP addressing information in the user data packet

or that open secondary channels on dynamically assigned ports. These protocols require the security

appliance to do a deep packet inspection.

previous next

Top Automotive Device Types

Top Automotive Brands

Top Baby Care Device Types

Top Baby Care Brands

Top Car Audio & Video Device Types

Top Car Audio & Video Brands

Top Cellphone Device Types

Top Cellphone Brands

Top Communications Device Types

Top Communications Brands

Top Computer Device Types

Top Computer Brands

Top Fitness Device Types

Top Fitness Brands

Top Home Audio Device Types

Top Home Audio Brands

Top Household Appliance Device Types

Top Household Appliance Brands

Top Kitchen Appliance Device Types

Top Kitchen Appliance Brands

Top Laundry Appliance Device Types

Top Laundry Appliance Brands

Top Lawn & Garden Device Types

Top Lawn & Garden Brands

Top Marine Equipment Device Types

Top Marine Equipment Brands

Top Musical Instrument Device Types

Top Musical Instrument Brands

Top Outdoor Cooking Device Types

Top Outdoor Cooking Brands

Top Personal Care Device Types

Top Personal Care Brands

Top Photography Device Types

Top Photography Brands

Top Portable Media Device Types

Top Portable Media Brands

Top Power Tools Device Types

Top Power Tools Brands

Top TV and Video Device Types

Top TV and Video Brands

Top Videogame Device Types

Top Videogame Brands

Cisco Systems OL-16647-01 Network Router User Manual