CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] نسخه متنی

Foundation Summary

The "Foundation Summary" provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this summary provides a convenient way to review the day before the exam.

CiscoWorks Management Center for Firewalls (Firewall MC) enables you to manage multiple firewalls across your network. The Firewall MC software operates on top of CiscoWorks Common Services (Version 2.2) that provide basic functionality such as user authentication. Some of the features of Firewall MC include the following:

• Web-based interface for configuring and managing multiple firewalls

• Configuration hierarchy and user interface to facilitate configuration of firewall settings

• Support for PIX Firewall Version 6.0 and later

• Ability to import configurations from existing firewalls

• Ability to support dynamically addressed PIX Firewalls

• Support for up to 1000 PIX Firewalls

• SSL protocol support for client communications to CiscoWorks

• Support for workflow and audit trails

Firewall MC supports the following firewall platforms:

• PIX 501

• PIX 506/506E

• PIX 515/515E

• PIX 525

• PIX 535

• FWSM

To manage firewalls using Firewall MC, you must configure the firewall to allow HTTP access from the Firewall MC. The Firewall MC interface is divided into the following major configuration tabs:

• Devices Enables you to import device configurations and define device groups to be managed by the system

• Configuration Enables you to change the operational configuration of the devices managed by the system

• Deployment Enables you to generate configuration files, manage firewall configuration files, and submit or manage new jobs

• Reports Enables you to generate reports, view scheduled reports, and view reports

• Admin Enables you to configure system settings
  

The basic user task flow for using Firewall MC involves the following steps:

You must define the firewalls that Firewall MC will manage. Device management falls into the following categories:

• Managing groups

• Importing devices

• Managing devices

After importing the device to be managed, you must perform various configuration tasks. Configuration tasks using the Firewall MC fall into the following topics:

• Configuring device settings

• Defining access rules

• Defining translation rules

• Creating building blocks

• Generating and viewing configuration information

Some of the device settings that you can configure through Firewall MC include the following:

• PIX operating system version

• Interfaces

• Fail over

• Routing

• PIX Firewall administration

• Logging

• Servers and services

• Advanced security

• Firewall MC controls

• Configuring access and translation rules

Access rules define your network security policy by controlling the flow of network traffic through your firewalls. The three types of access rules are as follows:

• Firewall rules

• AAA rules

• Web filter rules

Translation rules define the translation of private IP addresses to public IP address and fall into the following three categories:

• Static translation rules

• Dynamic translation rules

• Translation exception rules (NAT 0 ACL)

To optimize your configuration, you can define building blocks that can then be used when defining other items (such as access and translation rules). You can configure the following types of building blocks:

• Network objects

• Service definitions

• Service groups

• AAA server groups

• Address translation pools

Firewall MC supports the following types of reports:

• Activity Report

• Configuration Differences report

• Device Setting Report

After making configuration changes, you need to deploy those changes to your managed firewalls. By default these changes are deployed to your managed firewalls as soon as you save your configuration changes. If you enable workflow, however, then updating configurations involves the following three steps:

Using workflow, configuration changes become activities, and deploying those activities become jobs. You can require approval for activities, jobs, or both.

The AUS enables you to maintain current images efficiently on your managed firewalls. Like Firewall MC, the AUS runs on top of CiscoWorks Common Services. AUS supports the following types of images:

• PIX Firewall software images

• PDM software images

• PIX configuration files

Some of the major features provided by AUS (Version 1.0) include the following:

• Web-based interface for maintaining multiple PIX Firewalls

• Support for PIX Firewall operating system 6.0 and later

• Support for dynamically addressed PIX Firewalls

• Support for up to 1000 PIX Firewalls

AUS Version 1.1 added new functionality including the following major features:

• Installation on Solaris

• Additional report formats

• Support for configuration files

PIX Firewall software images and PDM software images can be directly added to the AUS. PIX configuration files must be deployed from Firewall MC to be added to the AUS.

The configuration tasks in the AUS (Version 1.0) are broken down into the following five major categories:

• Devices Displays summary information about devices

• Images Provides information about PIX Firewall software images, PDM images, and configuration files and allows you to add and delete PIX Firewall software images and PDM images

• Assignments Allows you to view and change device-to-image assignments and image-to-device assignments

• Reports Displays reports

• Admin Enables you to perform administrative tasks, such as configuring NAT settings and changing your database password