Firewall functional overview, Security policy overview – Cisco ASA 5505 User Manual

Page 94

Advertising
background image

1-24

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 1 Introduction to the Cisco ASA 5500 Series

Firewall Functional Overview

Firewall Functional Overview

Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall
can also protect inside networks from each other, for example, by keeping a human resources network
separate from a user network. If you have network resources that need to be available to an outside user,
such as a web or FTP server, you can place these resources on a separate network behind the firewall,
called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ
only includes the public servers, an attack there only affects the servers and does not affect the other
inside networks. You can also control when inside users access outside networks (for example, access to
the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by
coordinating with an external URL filtering server.

When discussing networks connected to a firewall, the outside network is in front of the firewall, the
inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited
access to outside users. Because the ASA lets you configure many interfaces with varied security
policies, including many inside interfaces, many DMZs, and even many outside interfaces if desired,
these terms are used in a general sense only.

This section includes the following topics:

Security Policy Overview, page 1-24

Firewall Mode Overview, page 1-27

Stateful Inspection Overview, page 1-27

Security Policy Overview

A security policy determines which traffic is allowed to pass through the firewall to access another
network. By default, the ASA allows traffic to flow freely from an inside network (higher security level)
to an outside network (lower security level). You can apply actions to traffic to customize the security
policy. This section includes the following topics:

Permitting or Denying Traffic with Access Lists, page 1-25

Applying NAT, page 1-25

Protecting from IP Fragments, page 1-25

Using AAA for Through Traffic, page 1-25

Applying HTTP, HTTPS, or FTP Filtering, page 1-25

Applying Application Inspection, page 1-25

Sending Traffic to the IPS Module, page 1-26

General Features

Password Encryption
Visibility

You can show password encryption in a security context.

We modified the following command: show password encryption.

Table 1-7

New Features for ASA Version 8.4(1) (continued)

Feature

Description

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals