Generally, a firewall protects your computer from intrusion (scanning or attack) by hackers or script kiddies while it is connected to the Internet. A firewall examines data coming into, or going out of, a computer (or a network: computers joined together by wires or a wireless connection) and compares it against the rules it has been given. If the data matches a rule that says it is OK, the firewall lets it pass; if not, it blocks the data. Put simply, think of a firewall as a piece of software (or hardware, for those with more computers) that keeps the bad guys out and lets the good ones in. It stops hackers and script kiddies from gaining access to your computer and the information on it.
There are many people who still use the internet without thinking twice about protecting themselves while online. Most of them are home or small business users who never give it a second thought, or who don't understand enough about the risks to worry. The risk of using the internet without a firewall is easy to explain: you wouldn't leave your house or office unlocked, or with the windows and doors wide open so that anyone could walk in, look around, or even steal your belongings, and using the internet is not much different. If you are online without a firewall you are leaving your computer wide open to attack, and intruders and thieves could view or steal your information.
So for anyone who uses the internet, whether at home or in an enterprise, a firewall is an essential piece of hardware or software that helps protect your privacy and the data on your computer by stopping hackers from gaining control of your system.
A firewall also prevents confidential information on your system from being sent without your permission. This could be your passwords, bank details and other personal information.
About Personal Firewall & Hardware Firewall
A Personal Firewall (also known as a desktop firewall or software firewall) is installed on each computer that is connected to the internet and monitors (and blocks, where necessary) internet traffic. It is used to help protect a single Internet-connected computer from intruders. Personal firewall protection is useful for users with "always-on" connections such as DSL or cable modem, as well as for dial-up connections.
Hardware firewalls can be purchased as a stand-alone product, but more recently hardware firewalls are typically found in broadband routers, and they should be considered an important part of your system and network set-up, especially for anyone on a broadband connection. Hardware firewalls can be effective with little or no configuration, and they can protect every machine on a local network. Most hardware firewalls have a minimum of four network ports to connect other computers; for larger networks, business networking firewall solutions are available.
Software and Hardware Firewall
The differences between a software and hardware firewall are vast, and the best protection for your computer and network is to use both, as each offers different but much-needed security features and benefits. Updating your firewall and your operating system is essential to maintaining optimal protection, as is testing your firewall to ensure it is connected and working correctly.
Introduction to the Most Popular Cisco Firewall Hardware: About the Cisco ASA 5500 Series
Designed as a core component of the Cisco Self-Defending Network, the Cisco ASA 5500 Series provides proactive threat defense that stops attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity. The result is a powerful multifunction network security appliance family that provides the security breadth and depth for protecting home office, branch office, small and medium-sized business, and enterprise networks, while reducing the overall deployment and operations costs and complexities associated with providing this new level of security.
In the networking industry there's Cisco and then there's everyone else. But in LAN switching it's even more so.
If we posed the question to IT pros: What's more reliable, your phone network or data network? Most would now tell us that it's a dumb question, they're the same network.
That transition over the past decade makes the LAN ultra-critical for companies today, just as critical as keeping the lights on and the coffee flowing. So it's not at all surprising that in our recent IT Pro Ranking, 444 IT professionals, who either use, have used, or have evaluated the products and vendors we asked about, placed product reliability and product performance as their two most important factors for evaluating LAN vendors and products.
In fact, those two factors rated so high in importance, and Cisco did so well against them, the story almost begins and ends there. Of our 11 criteria, Cisco rated a 4.0 (out of 5) or better on four of the criteria, while no other vendor did that well on more than two. Others making our survey (getting at least 50 responses to our poll) included: Brocade, HP, Juniper, Dell, and Netgear.
Cisco also got the lowest score in our survey, scoring a 3.0 for acquisition cost, whereas no other vendor scored below a 3.2. Operation cost was second lowest for Cisco at 3.5. Meanwhile, HP scored 3.9 and 3.8 on those criteria respectively, Dell came in at 4.1 and 3.8, and Netgear registered 4.2 and 3.0. But cost is not the primary concern for network architects and Cisco knows it. It also knows that when it sets prices, others will move theirs accordingly. No matter what Cisco did with its prices, others will set theirs lower.
Such is the nature of a mature market with reasonable margins and market share leader the likes of Cisco. And lead it does. In our survey, 85% of respondents said they have used or evaluated Cisco products. HP ranks a distant second with 33%, then Dell and Netgear at 22%, Juniper at 20%, and Brocade at 12%. Included in our survey, but not getting enough responses to qualify for inclusion were: Avaya, IBM, Alcatel-Lucent, Extreme, Enterasys, NEC, Arista, and Force 10, all of which had less than 8% reporting use.
In our standard overall weighted score, Cisco ended up with 77%, followed by a three-way tie between HP, Juniper, and Brocade, all at 73%. Dell and Netgear followed with 71% and 70% respectively. The nature of our survey methodology tends to bunch vendors together when we calculate the aggregate score. High-function products are offset by their high prices, while low-function products are boosted by their typically lower prices.
Along with our standardized 11-point rating system, we also asked about 15 features specific to LAN switching. When we asked product users to rate these criteria, cost per port, management software, port density, dynamic port configuration, and per-port security were deemed most important, while layer 2 encryption, proprietary features in advance of standards, and 40-Gbps or 100-Gbps uplinks turned out to be least important. Here again, in aggregated scores, Cisco came out on top with 75%, then Brocade at 71%, HP at 70%, Juniper at 69%, Dell at 68%, and Netgear at 63%.
All this seems like great news for Cisco, and at least for the moment it is. As report author Mike Fratto points out, the Catalyst 6500 is the product of choice for many LAN architects. But eventually, it too will run out of steam. But when Cisco execs spend a sleepless night worrying about how to maintain their enviable market share and profit margins, they don't worry about any of the vendors I've mentioned here, at least not individually. The company they worry about is Broadcom.
Broadcom now produces a broad range of high-performance chips that let equipment manufacturers build high-density switches with relatively few parts, including its StrataXGS chips, which support 100-Gbps Ethernet for carriers and 40-Gbps Ethernet for the enterprise. The system-on-a-chip design can support 64 10-Gbps ports and supports relevant standards from DCB to TRILL to OpenFlow. In other words, Cisco has to count on the attractiveness of some pretty esoteric features in its own silicon to beat out any vendor who decides to spin out a switch based on Broadcom's chips.
Users who take the time to make careful side by side comparison between products built on Cisco's own silicon and those built on Broadcom's may not find much of a difference--at least in the features that matter most to them.
This being a mature product category, we weren't all that surprised to see 60% of respondents saying that they had no interest in replacing or adding new LAN switch vendors. That's good news for Cisco. But when we asked that 60% what it would take to get them to reconsider, the top response by a good margin was substantial capital cost savings.
For vendors looking to unseat Cisco as the king of the hill, the task is still daunting. Many will read the survey results and find that they don't match the reality of current product offerings. And while that may be true, our survey represents the perceptions of actual product users, and as such it's going to be a tough sell to an audience who are pretty much saying, "We'd consider changing vendors if you were giving the stuff away."
Cisco is at the forefront of embracing the consumerization of IT - here's how.
It’s painfully obvious that the consumerization of IT isn’t going away. You hear it in the news, from manufacturers, and the loudest voice of all – your end-users.
Most likely, helpdesk requests about configuring, updating or using consumer devices have eked their way into your top 10 most common calls list. (A personal favorite, though not a top 10: "How do I get that bird game on here?")
Beyond the onslaught of “How do I set up my work email account on my iPhone?” requests, there are major implications to the consumerization of IT in the workplace – above all, security. Do you have a plan in place for when a senior executive’s iPad gets stolen, along with classified company information? Or when a sales rep connects their tablet to the network and unknowingly places bugs in the CRM?
Back in 2009, Chris Christiansen of IDC was interviewed for Cisco’s Fact or Fiction video series. Christiansen said that while consumer devices aren’t specifically designed for use in the workplace, most IT operations would eventually have to accommodate them. He went so far as to say that it could be a career limiting move to forbid consumer devices in the workplace completely – particularly if you’re dealing with a senior level executive.
In 2010, Cisco began pushing borderless security to enable enterprise IT to deal with the onslaught of consumer devices in the workplace and the security concerns that came with them.
That same year, Cisco also introduced the Cius tablet – which meant enterprise IT could not only have the security measures in place for dealing with consumer devices, but could also provide the devices themselves. (The verdict is still out on how well the Cius will satisfy both end-users and IT.)
And just a month ago, Cisco general manager Tom Gillis named virtualization as the solution to security issues brought on by the consumerization of IT.
Cisco appears to be one of the players at the forefront of dealing with the implications of consumer devices in the workplace. All along, Cisco has made a point to pronounce this shift as not only unavoidable, but something to embrace. (Perhaps Cisco realizes that like social media in the workplace, you’re better off creating a policy to accommodate consumer devices rather than deny their use completely.) How are they extending the digital olive branch?
They are starting on their own shores. Cisco has been pioneering consumerization in its own network for years. In doing so it can speak from experience and bring solutions to market that make sense. Introducing AnyConnect into its security offering is one such solution. Having a client that can interface with Symbian OS-based Nokia dual-mode phones, Windows Mobile devices, Apple iPhones, Android phones, Apple iPads, Cisco Cius tablets, and Windows, Mac, and Linux desktops and laptops was vital to allowing a BYOD (bring your own device) policy at Cisco. So what is the solution?
Cisco’s AnyConnect allows its users to connect from anywhere, on any device. It’s also always on, meaning that you don’t have to continue to log in if you are disconnected. The session is automatically re-established. Not only that, but AnyConnect will establish a tunnel in the best way based on how you are connecting and from where. Trying to webconference in from a high latency location? The client will utilize protocols like Datagram Transport Layer Security (DTLS), which is designed to handle higher latency traffic. What about under the hood?
The AnyConnect client establishes a secure tunnel into the network through Cisco ASA 5500s that work in tandem with Cisco IOS to handle authentication and access to Cisco's network. In addition to authentication, the client checks that the device is registered and conforms to security standards. What if a device doesn't measure up? It's not allowed on the network. What about lost or stolen devices? Cisco IT can remotely terminate the VPN sessions and no longer allow the device on the network.
The only question now is: will other organizations follow suit, or continue to keep their heads buried in the sand?
Cisco 3900 Series Integrated Services Routers (ISRs), designed to power the next phase of branch-office evolution, offer unparalleled total cost of ownership savings and network agility through the intelligent integration of security, wireless, and application services.
As a popular Cisco router, the Cisco 3900 series offers an upgradable motherboard which allows owners to update hardware as more powerful options become available without having to purchase a new router. Cisco also appeals to environmentally conscious customers with its EnergyWise dual power supplies, which lower electricity costs and support essential redundancy requirements. It is occasionally necessary to reset this powerful networking device, restoring it to factory default settings.
About “3945 router password recovery”
"I understand that the password has to be changed the first time we log in to the Cisco 3945 router, but I failed to do that and it's not allowing me to connect using the default username/password.
Can someone help me in getting this addressed??" ---From vnirmal112
Answers from others
“You can but you don't have to change the password the first time you login to the 3900. Are you trying to connect using the console port or telnet?”
"Logged onto router via console...was about to configure a new router...I got a clear message saying that I cannot log in next time if I don't change the password, which I saw after logging off only :-(..."
“I am running 12.4.24. If you have another flash card, you can put a different IOS on it and boot it with that and see if you can get in. The other thing you can do is to try the password recovery and see if you can get in that way. Did you ever assign any passwords to it?”
Also frustrated with resetting a Cisco 3900? These instructions walk through resetting the Cisco 3900 series in detail.
1. Enter "config-register 0x2102" from the router's command prompt. This gives you access to global configuration mode.
2. Enter "show version". The response should read:
   router# configure terminal
   router(config)# config-register 0x2102
   router(config)# end
   Repeat the "show version" command. The response should now read "will be 0x2102 at next reload."
3. Enter the command "write erase". This erases the current start-up configuration.
4. Reload the software by entering the "reload" command. Do not save when prompted. The system display should read:
   System configuration has been modified. Save? (yes/no): n
   Proceed with reload? (confirm)
   Confirm that you want the reload to proceed.
5. Wait for the reload. The dialog will read:
   ---System Configuration Dialog---
   Would you like to enter the initial configuration dialog? (yes/no)
   The router has been reset.
To recover from a lost password instead, the same sequence is run with configuration register 0x2142, which makes the router ignore its saved start-up configuration at boot:
1. Enter the command "config-register 0x2142". The response should read:
   Router(config)# config-register 0x2142
   Repeat the "show version" command. The response should now read "will be 0x2142 at next reload."
2. Reload the software by entering the "reload" command. Do not save when prompted. The system should read:
   System configuration has been modified. Save? (yes/no): n
   Proceed with reload? (confirm)
   Confirm that you want the reload to proceed.
3. Wait for the reload. The dialog will read:
   ---System Configuration Dialog---
   Would you like to enter the initial configuration dialog? (yes/no)
   Enter "no."
4. Change the configuration register setting back to 0x2102: enter "config-register 0x2102", then enter "write memory". This will overwrite the running configuration.
5. Enter the "reload" command. The system configuration dialog will appear again. The router is reset.
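The two register values in the procedure above differ by a single bit: 0x2142 is 0x2102 with bit 6 (ignore NVRAM) set, which is why the router comes up without its saved configuration and why step 4 sets the register back. The following added example, written for this page and not part of the original instructions or of Cisco's own tooling, decodes the register bits that matter here, parses the "Configuration register is ..." line that "show version" prints (the sample lines are constructed), and warns when a router is left in a state where its next reload will skip the start-up configuration (and with it every password, ACL and logging setting in it).

```python
import re

# Bit layout of the 16-bit IOS configuration register; only the bits relevant to the
# reset and recovery procedure are decoded here.
BOOT_FIELD_MASK = 0x000F           # bits 0-3: 0x0 = stop in ROMMON, 0x1 = boot helper/ROM image,
                                   #           0x2-0xF = use "boot system" commands, else first image in flash
IGNORE_NVRAM = 0x0040              # bit 6: boot without loading startup-config from NVRAM (password recovery)
BREAK_DISABLED = 0x0100            # bit 8: ignore the console Break key during normal operation
BOOT_ROM_ON_NETBOOT_FAIL = 0x2000  # bit 13: fall back to ROM software if a network boot fails


def decode_config_register(value):
    """Describe what a register value makes the router do at its next boot."""
    boot = value & BOOT_FIELD_MASK
    if boot == 0x0:
        boot_mode = "rommon"
    elif boot == 0x1:
        boot_mode = "boot-helper"
    else:
        boot_mode = "flash"
    return {
        "boot_mode": boot_mode,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_rom_on_netboot_fail": bool(value & BOOT_ROM_ON_NETBOOT_FAIL),
    }


def recovery_register(value):
    """The register the recovery steps use: identical settings, but startup-config is skipped."""
    return value | IGNORE_NVRAM


def normal_register(value):
    """The register to restore afterwards so the saved configuration is loaded again."""
    return value & ~IGNORE_NVRAM & 0xFFFF


# Matches the last line of "show version", with or without a pending change.
SHOW_VERSION_RE = re.compile(
    r"Configuration register is 0x([0-9A-Fa-f]+)"
    r"(?: \(will be 0x([0-9A-Fa-f]+) at next reload\))?"
)


def parse_register_line(line):
    """Return (current register, pending register or None) from a show version line."""
    m = SHOW_VERSION_RE.search(line)
    if not m:
        raise ValueError("no configuration register in line: %r" % line)
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    return current, pending


def register_warnings(line):
    """Defender-side check: flag a router whose next reload will not load its saved config."""
    current, pending = parse_register_line(line)
    effective = pending if pending is not None else current
    decoded = decode_config_register(effective)
    warnings = []
    if decoded["ignore_nvram"]:
        warnings.append("next reload ignores NVRAM: startup-config (passwords, ACLs, logging) will "
                        "not be loaded; set config-register 0x2102 and write memory once recovery is done")
    if decoded["boot_mode"] == "rommon":
        warnings.append("boot field is 0: the router will stop in ROMMON at next reload")
    return warnings


if __name__ == "__main__":
    # Constructed "show version" lines for the states the procedure above passes through.
    for sample in ("Configuration register is 0x2102 (will be 0x2142 at next reload)",
                   "Configuration register is 0x2142 (will be 0x2102 at next reload)",
                   "Configuration register is 0x2102"):
        cur, pend = parse_register_line(sample)
        effective = pend if pend is not None else cur
        print(sample)
        print("  ->", decode_config_register(effective), register_warnings(sample))
```

Running the script against the output of "show version" after step 4 is a quick way to confirm that the register really is pending 0x2102 before the final reload; a router accidentally left at 0x2142 boots with no configuration at all, which is a worse state than a forgotten password.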
Cisco 3845 routers provide a scalable, secure, manageable remote access server that meets FIPS 140-2 Level 2 requirements. The Cisco 3845 router features a console port, auxiliary port, dual Universal Serial Bus (USB) ports, four high-speed WAN interface card (HWIC) slots, two 10/100/1000 Gigabit Ethernet RJ45 ports, four Enhanced Network Module (ENM) slots, small form factor pluggable (SFP), power inlets, and Compact Flash (CF) drive.
Cisco 3845 supports two internal advanced integration modules (AIMs), and two Ethernet connections. Figure 5 shows the front panel and Figure 6 shows the rear panel. The front panel consists of 7 LEDs: CF LED, PVDM0 LED, PVDM1 LED, PVDM2 LED, PVDM3 LED, AIM0 LED, and AIM1 LED. The back panel consists of 6 LEDs: SYS LED, ACT LED, SYS PWR1 LED, AUX PWR1 LED, SYS PWR2 LED, and AUX PWR2 LED.
Q: How can I configure the cards for slots 0/0, 0/1, 0/2, 0/3?
How to configure the Cisco 3845? Follow the configuration shown here:
Using 3487 out of 491512 bytes
! Last configuration change at 13:23:09 PCTime Mon Nov 9 2009 by cisco
! NVRAM config last updated at 13:23:10 PCTime Mon Nov 9 2009 by cisco
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! card type command needed for slot/vwic-slot 0/0
! card type command needed for slot/vwic-slot 0/1
! card type command needed for slot/vwic-slot 0/2
! card type command needed for slot/vwic-slot 0/3
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$KG3Z$oYVvBSpD//tgRXSsPcO7V.
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip tcp synwait-time 10
no ip bootp server
ip domain name oxnardad.org
ip ssh time-out 60
ip ssh authentication-retries 2
crypto pki trustpoint TP-self-signed-3416983991
crypto pki certificate chain TP-self-signed-3416983991
certificate self-signed 01 nvram:IOS-Self-Sig#3104.cer
username vlaguna privilege 15 secret 5 $1$PukE$4.mxdXURqELD/42ERYz1s1
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
ip address 172.20.1.20 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no mop enabled
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no mop enabled
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
logging trap debugging
no cdp run
banner exec ^C
% Password expiration warning.
Cisco Router and Security Device Manager (SDM) are installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
IOS adds proxy features to forward web traffic to the cloud web security offering
Cisco launched this feature to the market at Interop. In a nutshell, it provides IOS routers with intelligent, identity aware, traffic redirection to the Cisco ScanSafe web security cloud offering. ScanSafe provides the following web security features as a cloud service:
- URL Filtering
- Zero-day malware prevention
- Protection against Phishing attacks
- Granular Reporting with a multi-tenant design
- 100% uptime over the last 8+ years
- Heuristic Malware identification
Here is a graphical look at how each web request is processed in the cloud:
This means that HTTP and HTTPS traffic will be redirected from the router to the ScanSafe cloud, where it will be filtered according to your policy settings. In addition to redirecting the traffic, the ISR G2 will also provide identity (group- and user-based) to ScanSafe for granular policy selection. Identity can be obtained using multiple methods (AD, web auth, etc.), but Active Directory will probably be the most popular. The router encrypts all identity information before it is sent to the cloud.
This type of feature will allow companies to securely stop back-hauling web traffic from remote site VPNs to the central site and back out again. It also allows for a common web security policy across remote sites, central sites, and even remote hosts with the AnyConnect ScanSafe integration. Sending web traffic directly to the Internet results in performance and user satisfaction improvements and decreased bandwidth requirements for HQ. Here is a simple graphic to illustrate this intelligent redirection of web traffic.
Now on to how you configure this on Cisco routers.
First, configure identity on the router. This example focuses on Active Directory:
ldap server ad-server
 transport port 3268
 bind authenticate root-dn cn=scansafe,cn=users,dc=test,dc=localdomain password 7 4424A34232
 search-filter user-object-type top
Next, create an LDAP server group:
aaa group server ldap ad-servers
Now define IP admission control:
aaa authentication login cs-aaa group ad-servers
aaa authorization network cs-aaa group ad-servers
aaa accounting network cs-aaa none
ip admission virtual-ip 18.104.22.168
ip admission name csauth ntlm
ip admission name csauth order ntlm
ip admission name csauth method-list authentication cs-aaa authorization cs-aaa accounting cs-aaa
ip http server
ip admission csauth
Now that we have identity configured we move on to configuring the scansafe redirection commands:
parameter-map type content-scan global
server scansafe primary ipv4 22.214.171.124 port http 8080 https 8080
server scansafe secondary ipv4 126.96.36.199 port http 8080 https 8080
license 0 source interface GigabitEthernet0/0
timeout server 30 user-group ciscogroup username ciscouser
logging server scansafe on-failure block-all
Turn on content scanning on the external interface:
ip address 188.8.131.52 255.255.255.0
ip nat outside
ip virtual-reassembly in
ip virtual-reassembly out
To whitelist sites, create a parameter map like the following example:
parameter-map type regex site_param
parameter-map type regex browser_param
whitelist header user-agent regex browser_param
whitelist header host regex site_param
Supported Cisco ISR G2 platforms and requirements include:
- 19xx, 29xx, 39xx
- Security feature license or higher is required
- Valid Cisco ScanSafe license
Cisco will release the IOS code at the end of this month. It will be 15.2(1)T. You can find more information at these links.
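Both the 3845 running-config shown earlier and the ScanSafe configuration above contain settings a reviewer would check before trusting the device: whether secrets are hashed ("secret 5") or merely type 7 encoded ("password 7", which is reversible), whether cleartext "ip http server" is on (the IP admission steps require it), whether "no aaa new-model" would stop the "aaa" lists from applying, and whether content scanning fails closed ("on-failure block-all") when the cloud is unreachable. The script below is an added example written for this page, not a Cisco tool and not from the original article; its rule set, the policy threshold MIN_PASSWORD_LENGTH and the sample config (modelled on the page's lines, with placeholder hashes and documentation addresses) are all constructed for illustration.

```python
import re

# Constructed config excerpt, modelled on the 3845 running-config and the ScanSafe
# commands on this page. Hashes and addresses are placeholders, not real credentials.
SAMPLE_CONFIG = """\
! constructed sample, not a real device
no service pad
service timestamps log datetime msec localtime show-timezone
security authentication failure rate 3 log
security passwords min-length 6
enable secret 5 $1$PLCH$placeholderplaceholderpl
no aaa new-model
no ip source-route
ip ssh time-out 60
ip ssh authentication-retries 2
username vlaguna privilege 15 secret 5 $1$PLCH$placeholderplaceholderpl
ip http server
ip http secure-server
no cdp run
ldap server ad-server
 transport port 3268
 bind authenticate root-dn cn=scansafe,cn=users,dc=test,dc=localdomain password 7 4424A34232
parameter-map type content-scan global
 server scansafe primary ipv4 192.0.2.10 port http 8080 https 8080
 logging server scansafe on-failure block-all
"""

MIN_PASSWORD_LENGTH = 8  # policy threshold assumed for this example, not taken from the page

# Settings that should be present: (id, regex, severity, message reported when absent)
REQUIRED = [
    ("no-source-route", r"^no ip source-route$", "WARN", "IP source routing is not disabled"),
    ("no-cdp", r"^no cdp run$", "INFO", "CDP is running; it advertises platform and IOS details to neighbours"),
    ("ssh-timeout", r"^ip ssh time-out \d+$", "INFO", "no SSH negotiation timeout configured"),
    ("auth-failure-rate", r"^security authentication failure rate \d+ log$", "WARN",
     "no login failure rate limit / logging"),
    ("enable-secret", r"^enable secret ", "CRIT", "enable secret is missing"),
    # only checked when content scanning is configured at all
    ("scansafe-fail-closed", r"^\s*logging server scansafe on-failure block-all$", "WARN",
     "content-scan does not fail closed (on-failure block-all is absent)"),
]

# Lines that should not be present: (id, regex, severity, message reported when found)
FORBIDDEN = [
    ("type7-password", r"\bpassword 7 \S+", "CRIT", "type 7 password: reversibly encoded, not hashed"),
    ("enable-password", r"^enable password ", "CRIT", "enable password (not secret) in use"),
    ("http-server", r"^ip http server$", "INFO",
     "cleartext HTTP management enabled (needed for ip admission web auth; restrict it with an ACL)"),
    ("default-user", r"^username cisco ", "CRIT", "default SDM username 'cisco' still present"),
    ("no-aaa", r"^no aaa new-model$", "INFO", "AAA new-model disabled; aaa authentication/authorization lists will not apply"),
    ("telnet-vty", r"^\s*transport input (all|telnet)\b", "WARN", "telnet allowed on vty lines"),
]


def audit(config_text):
    """Return a list of (severity, id, message) findings for an IOS-style configuration."""
    lines = [ln.rstrip() for ln in config_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("!")]
    has_content_scan = any(re.match(r"^parameter-map type content-scan", ln) for ln in lines)
    findings = []
    for fid, pattern, sev, msg in REQUIRED:
        if fid == "scansafe-fail-closed" and not has_content_scan:
            continue
        if not any(re.search(pattern, ln) for ln in lines):
            findings.append((sev, fid, msg))
    for fid, pattern, sev, msg in FORBIDDEN:
        for ln in lines:
            if re.search(pattern, ln):
                findings.append((sev, fid, "%s: %s" % (msg, ln.strip())))
    for ln in lines:
        m = re.match(r"^security passwords min-length (\d+)$", ln)
        if m and int(m.group(1)) < MIN_PASSWORD_LENGTH:
            findings.append(("WARN", "min-length",
                             "minimum password length %s is below policy %d" % (m.group(1), MIN_PASSWORD_LENGTH)))
    return findings


def finding_ids(config_text):
    """Just the finding identifiers, for quick comparisons between two configs."""
    return sorted({fid for _, fid, _ in audit(config_text)})


if __name__ == "__main__":
    for sev, fid, msg in audit(SAMPLE_CONFIG):
        print("%-4s %-20s %s" % (sev, fid, msg))
```

Feed it the output of "show running-config" from a real device; the checks are deliberately simple line matches, so a finding is a prompt to look at the line, not a verdict on the whole configuration.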
I know cisco is a pioneer in networking products. Do all enterprises use cisco products? Does Cisco have a real Competitor? Who are they? And how far? ---Q FROM Cisco learning home
As we know, Cisco is the worldwide leader in networking that transforms how people connect, communicate and collaborate, and it is the usual choice for headquarters and all kinds of offices, industries and enterprises. Although Cisco doesn't get big applause from the consumer market, it also holds a large share of the networking solutions and network hardware market. As a Chinese saying goes, "even a starved camel is bigger than a horse". So, does Cisco have a real competitor? Here are some points from Cisco fans and Cisco users:
“Define competitor. Yes, there are other companies who offer network equipment. Juniper, Extreme Networks, HP even has some gear out there as does Dell. However, when it comes down to full spectrum solutions, it's tough to beat Cisco. Juniper is working on building more market base though, and they have some features in JunOS that are arguably nicer than IOS. However, their slice of the market isn't as large as Cisco's is.” ---Travis
"However, when it comes down to full spectrum solutions, it's tough to beat Cisco. Juniper is working on building more market base though, and they have some features in JunOS that are arguably nicer than IOS. However, their slice of the market isn't as large as Cisco's is. Would it be easy to work with devices from other vendors? Being a Cisco professional, do we have to learn the corresponding OS? Also, because we learnt Cisco IOS, of course we will recommend Cisco devices. Which is a plus for Cisco?" ---KARTHICK KUMARAGURU
“I am certified in Cisco products and practices. Through various jobs I have worked on Cisco, F5, Packeteer, Citrix, Riverbed, Juniper and Avaya equipment. Most enterprise networks will find a network appliance from another vendor on it in some form or fashion, if not several. The larger the scale of the deployment, I've noticed, the more specialized equipment you deploy, due to economy of scale.” ---Daniel
“The competitors that come to win my business are usually Allied Telysen, HP & Foundry, who just recently got bought out by someone... I don't remember who. Dell used to, but they have just become a Cisco reseller themselves so that will be interesting. I looked at Dell switches a few years ago and they stunk!
We were a HP shop at one point in time and decided to move to cisco, just for sheer performance. One thing I really like about Cisco switches is the switching in hardware, not in software approach. There is a noticeable performance difference. I also have some networks that have HP gear and I am trunking vlans across a mixed HP and Cisco environment.
The thing that keeps me using Cisco gear is.... Features! Every time a vendor gives their spill, I ask if they have certain features that I am currently using. If the answer is no, then they have just answered their own question.” ---Jared
"Quick question, my company just deployed Riverbed....in your experience, how does Riverbed match up to Cisco's WAN acceleration products? Jared, we also used to have Dell switches....they were indeed horrible.....not to say that ports don't go bad on Cisco switches, because obviously they do, BUT they always used to go bad on the Dell ones." ---SKeemz
"Skeemz- I haven't used Cisco's WAN acceleration products much - but I am really impressed with Riverbed and their RIOS. It's a locked down Linux shell and it really gives you a lot of control and visibility within the device, especially with logging. They have some bright folks working over there and with their new partnership with HP - I think they are going to really have some interesting gear coming out soon. Riverbed has very granular control policies, their GUI is intuitive and quick, and their boxes are fairly stout, especially the bigger ones. I think their RAID rebuild function when a drive dies is a little questionable but overall I like their product. I've worked on more or less their entire enterprise product line and can't think of a box I wouldn't recommend to someone." ---Micheal
So what these Cisco fans say tells us that Cisco has a good reputation, earned by its strong networking solutions and powerful network equipment. Have you felt it?
Note: if you need information on Cisco's main hardware types, such as Cisco routers, Cisco switches, Cisco firewalls, Cisco modules and cards, etc., you can visit a popular leading Cisco supplier, router-switch.com, to see more.
Gigenet utilizes Cisco's firewall services module (FWSM) to provide instant firewall activation and simple management through a secure web interface.
High Performance, High Scalability
- Gbps throughput per module
- 100,000 connections per second
- 1,000,000 concurrent connections
- Single port or VLAN spanning
Best-in-Class Features
- Time-tested Cisco PIX operating system
- PIX Device Manager GUI
- Transparent Layer 2 firewalls
- Rich stateful inspection for web, VOIP
The Cisco firewall services module is designed to recognize and filter the following types of traffic:
- Core services: HTTP, FTP, ESMTP, DNS, ICMP, TCP, UDP
- Voice over IP (VoIP) / Unified Communications services: SIP, SCCP, H.323, RTSP, TAPI/JTAPI, GTP
- Application/operating system services: LDAP/ILS, SunRPC, XDMCP, TFTP
More about Cisco ASA 5500 Series Adaptive Security Appliances
There are six main models in the ASA range, from the basic 5505 branch office model up to the 5580 datacenter versions; a full comparison is available on the Cisco website here: Cisco ASA 5500 Series Adaptive Security Appliances
Although this article will concentrate on the 5505 and 5510 models the basic feature set is in fact fairly consistent across the range, the main differences being in the maximum traffic throughput handled by each model and the number/type of interfaces.
At the most basic level the ASA is a transparent or routed firewall/NAT device, which means it is designed to sit between your LAN and the Internet: one interface (normally known as "outside") will be connected to your Internet access device, and one or more interfaces (e.g. "inside" and "DMZ") will connect to your internal networks. This enables the ASA to inspect and control all traffic passing between your network and the Internet; exactly what it does with that traffic is the clever bit.
The ASA5510 is intended to be a single-device solution to your Internet security requirements, and with its 300Mbps throughput and 9,000 firewall connections per second capacity it will be suitable for most office deployments. The key features will be covered in more detail later, but in brief these are firewall/NAT, SSL/IPsec VPN, content security and intrusion prevention. It has five 10/100Mbps ports; by default these provide one outside (Internet) interface, one management interface and three internal network interfaces, but they are fully reconfigurable and also support VLANs for further network subdivision if required. Functionality can be upgraded via a Security Services Module port which provides support for additional Content Security and Intrusion Prevention features.
The ASA5505 is intended for small or branch office and teleworker deployments, often in conjunction with a 5510 or higher model at the head office to which it will establish a secure VPN, whilst providing full security for other Internet traffic. The device has 8 10/100Mbps Ethernet ports, including 2 with Power over Ethernet support suitable for PoE devices such as IP phones or cameras, so it can be used as single unit solution for the smaller office. Key differences compared to the 5510 are the reduced support for VPN connections (only 10 but upgradeable to 25 with license), only 3 vLANs (25 with Security Plus license) and only a slot for the optional Security Services Card so there is no option for the advanced Content Security services.
All ASA models include a fully featured policy-based firewall and routing engine which gives you complete control over which traffic you allow in and out of your network. Layer 2/3 firewalling allows you to specify which hosts are allowed access through the ASA and also to perform Network Address Translation to map internal hosts to public IP addresses. The Layer 7 firewall goes several steps further and also allows you to define access policies based on application and protocol type, providing extremely granular control over Internet access and protection against advanced types of network attack. Unlike many competitors' firewalls, the ASA's policy- and interface-based approach to access control gives you complete control over traffic leaving your network as well as incoming traffic, for example allowing you to restrict Instant Messaging use to only your approved client application. Deep packet inspection goes beyond simply analysing the protocol and port of the attempted connection to discover the application behind it, making it very hard for users to circumvent company IT policies.
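The rule matching described at the top of this page and the interface-based Layer 3 access control described above come down to two mechanisms: a per-interface access list evaluated first match wins with an implicit deny at the end, and a connection table so that replies to a permitted outbound connection are let back in without a rule of their own. The simulator below is an added example written for this page, not ASA code and not from the original article; the addresses, ports and policy are constructed, and it models only the Layer 3/4 part (no NAT, no Layer 7 inspection).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"
    iface: str   # interface the packet arrives on: "inside" or "outside"


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: Optional[str] = None    # CIDR, or None for any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src))
                and (self.dst is None or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class StatefulFirewall:
    """Per-interface access lists (first match wins, implicit deny) plus a connection table."""

    def __init__(self, acls: Dict[str, List[Rule]]):
        self.acls = acls
        self.connections = set()  # 5-tuples of flows a permit rule already admitted

    def evaluate(self, pkt: Packet) -> str:
        # Reply traffic is the reverse 5-tuple of a connection we permitted earlier;
        # it is allowed without consulting the inbound ACL.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.connections:
            return "permit (established)"
        for rule in self.acls.get(pkt.iface, []):
            if rule.matches(pkt):
                if rule.action == "permit":
                    self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return rule.action
        # Nothing matched: the implicit deny at the end of every access list.
        return "deny (implicit)"


def build_demo_policy() -> StatefulFirewall:
    # Constructed policy: inside users may browse, may not telnet out; from the
    # outside only HTTPS to one DMZ web server is allowed.
    return StatefulFirewall({
        "inside": [
            Rule("permit", src="192.168.1.0/24", proto="tcp", dport=443),
            Rule("permit", src="192.168.1.0/24", proto="tcp", dport=80),
            Rule("deny", proto="tcp", dport=23),
        ],
        "outside": [
            Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=443),
        ],
    })


def run_demo() -> List[str]:
    fw = build_demo_policy()
    return [
        fw.evaluate(Packet("192.168.1.50", 51000, "198.51.100.7", 443, "tcp", "inside")),   # permit
        fw.evaluate(Packet("198.51.100.7", 443, "192.168.1.50", 51000, "tcp", "outside")),  # reply, established
        fw.evaluate(Packet("198.51.100.7", 40000, "192.168.1.50", 22, "tcp", "outside")),   # unsolicited: implicit deny
        fw.evaluate(Packet("198.51.100.7", 40001, "203.0.113.10", 443, "tcp", "outside")),  # DMZ web: permit
        fw.evaluate(Packet("192.168.1.50", 51001, "198.51.100.7", 23, "tcp", "inside")),    # outbound telnet: deny
    ]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The ordering matters: because evaluation stops at the first match, a broad permit placed above a narrow deny silently cancels the deny, which is the most common mistake when reviewing real access lists.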
SSL & IPsec VPN
Even the ASA 5505 includes full support for IPsec and SSL VPN termination, providing encrypted tunnels for office-to-office and remote-user-to-office connections. The base license for all ASAs allows IPsec VPN peers up to the maximum supported on each model but includes only two SSL VPN licenses, enough for testing before a wider rollout. The 5505 supports up to 25 simultaneous VPN peers with the Security Plus license (10 on the base license), while the 5510 supports a maximum of 250; these can be any combination of IPsec or SSL, and site-to-site or remote-client types.
IPsec VPNs are commonly deployed between Cisco devices for site-to-site connections, or initiated by client software on the remote worker's computer. Included with all ASA license bundles is the Cisco AnyConnect VPN client, with versions available for all major operating systems: Windows 2000 up to Windows 7, Mac OS X (10.4/10.5), Linux on Intel with a 2.6.x kernel, and even Windows Mobile 5.0/6.0/6.1. AnyConnect builds an SSL/TLS (and, where possible, DTLS) tunnel to the ASA rather than relying on the IPsec client built into those operating systems, and its key features are:
- DTLS protocol support to help minimize latency for applications such as VoIP
- Support for SSL tunneling to ensure connectivity even through restrictive proxies and firewalls (if web browsing is possible then so is a VPN connection)
- Strong encryption and a wide range of authentication methods, including two-factor smartcard/token-based authentication
- Flexible IP tunneling for consistent user experience with features such as connection retention, ensuring the mobile user retains connectivity through disconnections, reboots and standby/hibernation.
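As an added, constructed example (not from this page or from Cisco), here is the minimum ASA-side configuration for the AnyConnect SSL VPN deployment the bullets describe, in the 8.4-era syntax. The address pool, group and profile names, the RADIUS server, the client package file name and the DNS server are assumptions. Once the SSL VPN listener is enabled on an interface, DTLS on UDP 443 is active by default and the client falls back to TLS on TCP 443 when UDP is blocked, which is what the first two bullets rely on.

```cisco
! Added example (not from the original page): ASA 8.4 remote-access AnyConnect (SSL VPN) setup.
! Package file name, pool, group names and server addresses are assumptions.
!
! Authenticate remote users against RADIUS rather than a local user database (assumed server)
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.1.1.20
 key ChangeThisSharedSecret
!
! Addresses handed to connected clients
ip local pool RA-POOL 10.1.50.10-10.1.50.100 mask 255.255.255.0
!
! Enable the SSL VPN listener on the outside interface and publish the client package.
! DTLS (UDP 443) is on by default once the listener is enabled; TLS (TCP 443) is the fallback.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Policy applied to connected users: SSL client only, and all traffic goes through the tunnel
! (no split tunnelling, so the office firewall policy still applies to the remote host)
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 dns-server value 10.1.1.53
 vpn-idle-timeout 30
!
! Connection profile that ties the pool, the policy and the authentication source together
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP
 authentication-server-group RADIUS-SRV
tunnel-group RA-TG webvpn-attributes
 group-alias employees enable
```

Before rolling this out, check the licensed peer count with `show version` (the base license reports only two AnyConnect Premium peers, as the text above notes) and watch connections with `show vpn-sessiondb anyconnect`, which also shows whether each session negotiated DTLS or fell back to TLS.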
Cisco ASA Firewalls: 5505, 5510, 5520, 5540, 5580, the full Cisco PIX Firewall family, FWSM, CSM, Cisco VPN Routers etc.
Cisco VPN: VPN 3000 Series Concentrators, VPN blades, Site-to-Site VPN, Remote Access VPN, Cisco SSL VPN etc.
Cisco IPS: 4200 series, IDSM-2 blade, Cisco IOS IPS, Shunning, IPS Manager, IDM, AIP-SSM, HIPS (CSA) etc.
Cisco MARS: MARS 20, MARS 50, MARS 100, integration with IPS and CSA, reports, queries, local / global set ups etc.
Identity Management: Cisco ACS, RADIUS, TACACS+, 802.1x, LDAP, OTP, RSA, certificates, biometrics etc.
Router & Switch Security: Access-Lists, VLAN maps, TCP Intercept, Lock-and-Key, Anti Spoofing, CBAC, IOS Firewall etc.
Network Admission Control (NAC): In-band, out-of-band, clean access client, ACS integration, 3rd. party integration etc.
The Cisco 2821 router can run the Cisco IOS Firewall, a software firewall included in the Advanced Security (and higher) IOS feature sets. To configure it you must be familiar with Cisco's security commands for restricting traffic across the network. Administrative (enable) privileges, console access and terminal emulation software are needed to complete this task.
Things You'll Need
- Terminal emulation software
- Console (rollover) cable, RJ-45 on the router end and RS-232 serial on the workstation end (plus a USB-to-serial adapter if the workstation has no serial port)
- Cisco router with IOS firewall
Instructions to Configure a Firewall on Cisco 2821 Router
1. Connect the administrator workstation to the router's console port with the console cable.
2. Install and open terminal emulation software (PuTTY, HyperTerminal or similar; the software shipped with the router is acceptable, as is any third-party emulator) and open a serial session at 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
3. Turn on the router and let the initial boot sequence complete. If the router has been previously configured with local accounts, a username prompt will appear; otherwise the prompt will appear as "Router>".
4. Type "enable" and press "Enter". Type the router's enable password when the password prompt appears. The prompt changes to "Router#".
5. Type "configure terminal" (or "conf t") and press "Enter". This puts the router into global configuration mode and the prompt changes to "Router(config)#".
6. Type "ip inspect ?" and press "Enter". If the installed IOS image includes the IOS Firewall feature set, a list of the firewall (CBAC) configuration options will appear. If the router displays "% Unrecognized command", the image does not include the firewall feature set and you will need to install an IOS image that does (see Resources).
7. Use the available commands to configure the firewall: define an inspection rule set with "ip inspect name", write the access lists, then apply both to the interfaces. For examples of router configurations, see the Cisco website (see Resources).
8. Press Ctrl+Z (or type "end" and press "Enter") once the configuration is complete. This returns you to privileged EXEC mode.
9. Type "show ip route" and press "Enter". The routing table is displayed, which confirms that the interfaces you configured are up and that the router knows how to reach the connected and remote networks. "show ip inspect config" displays the inspection rules you defined.
10. Type "show running-config" and press "Enter" to review the new running configuration.
11. Type "copy running-config startup-config" and press "Enter" to save the current configuration to NVRAM so that it survives a reboot.
Tips & Warnings
- If you have never configured a router, this task can become frustrating in a hurry. If you are not sure of your ability to configure your router, it is best to contact a qualified network administrator to help you.
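Steps 6 and 7 above leave the actual firewall rules to the reader, so here is a complete, constructed example for the 2821 that is not from this page or from Cisco: a classic IOS Firewall (CBAC) rule set, as found in the 12.4 Advanced Security image, that inspects traffic leaving the LAN and dynamically permits only the matching replies back in, behind an inbound access list that blocks everything else and drops spoofed private-range sources. The addresses, the interface roles, the NAT setup and the inspection name "FW" are assumptions; the two built-in ports of a 2821 really are GigabitEthernet0/0 and 0/1.

```cisco
! Added example (not from the original page): Cisco 2821, IOS 12.4 Advanced Security image,
! classic IOS Firewall (CBAC). Addresses, interface roles and the name "FW" are assumptions.
hostname edge-2821
!
! Inspection rule set: track outbound sessions for these protocols and open the matching
! return path through the inbound ACL for the life of each session.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp
! Log session open/close events so that the inspection activity can be audited
ip inspect audit-trail
!
! Inbound access list on the Internet side. Everything here is a static deny; the permits
! for return traffic are inserted dynamically by CBAC ahead of these entries.
ip access-list extended OUTSIDE-IN
 remark anti-spoofing: private and loopback source ranges must never arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark everything not opened by inspection is dropped and logged
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside - ISP
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW out
 ip nat outside
 no shutdown
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 no shutdown
!
! Overload NAT: the whole LAN leaves on the outside interface address
ip access-list standard NAT-INSIDE
 permit 10.1.1.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

With traffic flowing, `show ip inspect sessions` lists the tracked connections and `show access-lists OUTSIDE-IN` shows the temporary permit entries CBAC has added above the static denies; if an inside host can reach the Internet but nothing unsolicited from outside reaches the LAN, the rule set is doing its job.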
Generally speaking, Cisco switches are regarded as the best in the market. Versatile, reliable, flexible and powerful, the Cisco switch product line (the 2960, 3560, 3750, 4500, 6500 and so on) offers strong performance and a rich feature set.
Although a Cisco switch is a much simpler network device than a router or a firewall, many people have difficulty configuring a Cisco Catalyst switch. Unlike many low-end switches, which are plug-and-play, a Cisco switch needs some initial configuration to enable management, security and other important features.
How do you configure a Cisco switch from scratch? The following basic steps will get you through the initial configuration.
STEP1: Connect to the device via console
Use terminal emulation software such as PuTTY and connect to the console port of the switch (9600 baud, 8 data bits, no parity, 1 stop bit). You will get the initial command prompt "Switch>".
Type “enable” and hit enter. You will get into privileged mode (“Switch#”)
Now, get into Global Configuration Mode:
Switch# configure terminal
STEP2: Set up a hostname for the particular switch to distinguish it in the network
Switch(config)# hostname access-switch1
STEP3: Configure an administration password (enable secret password)
access-switch1(config)# enable secret somestrongpass
STEP4: Configure a password for Telnet access to the VTY lines
access-switch1(config)# line vty 0 15
access-switch1(config-line)# password strongtelnetpass
access-switch1(config-line)# login
! "login" (the default on VTY lines) makes the password mandatory. Telnet sends it in clear
! text across the network, so prefer SSH where the IOS image supports it.
STEP5: Define which IP addresses are allowed to access the switch via Telnet
access-switch1(config)# ip access-list standard TELNET-ACCESS
access-switch1(config-std-nacl)# permit 10.1.1.100
access-switch1(config-std-nacl)# permit 10.1.1.101
!Apply the access list to Telnet VTY Lines
access-switch1(config)# line vty 0 15
access-switch1(config-line)# access-class TELNET-ACCESS in
STEP6: Assign an IP address to the switch for management
! The management interface is vlan 1 by default; it is administratively down until enabled
access-switch1(config)# interface vlan 1
access-switch1(config-if)# ip address 10.1.1.200 255.255.255.0
access-switch1(config-if)# no shutdown
! VLAN 1 is the default but not best practice: every user port is also in VLAN 1 until moved,
! so a dedicated management VLAN is preferable once the switch is reachable.
STEP7: Assign default gateway to the switch
access-switch1(config)# ip default-gateway 10.1.1.254
STEP8: Disable unneeded ports on the switch
! This step is optional but enhances security
! Assume that we have a 48-port switch and we don't need ports 25 to 48
access-switch1(config)# interface range fastethernet 0/25 - 48
access-switch1(config-if-range)# shutdown
STEP9: Save the configuration
access-switch1(config-if-range)# end
access-switch1# copy running-config startup-config
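The steps above, consolidated into one hardened baseline as an added, constructed example that is not from this page or from Cisco: the same hostname, enable secret, administrator hosts, management address and default gateway, but with SSH in place of Telnet, a local administrator account, the management address moved off VLAN 1, unused ports shut down and parked in an unused VLAN, and the web interface disabled. The domain name, the local username, the management VLAN number (99) and the parking VLAN (999) are assumptions.

```cisco
! Added example (not from the original page): consolidated, hardened version of the steps above
! for a 48-port Catalyst access switch. Domain name, local username, VLAN 99 and VLAN 999 are
! assumptions; the addresses are the ones used in the steps.
hostname access-switch1
ip domain-name example.com
!
! "secret" is stored as a hash; service password-encryption only obscures any plain "password"
enable secret somestrongpass
service password-encryption
username netadmin secret AnotherStrongPass
!
! Drop services that are not needed on an access switch
no ip http server
no ip http secure-server
!
! SSH instead of Telnet: the RSA key must exist before "transport input ssh" will accept sessions
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Only the two admin hosts may open a management session; every other attempt is logged
ip access-list standard MGMT-ACCESS
 permit 10.1.1.100
 permit 10.1.1.101
 deny   any log
!
line vty 0 15
 login local
 transport input ssh
 access-class MGMT-ACCESS in
 exec-timeout 10 0
!
line con 0
 login local
 exec-timeout 10 0
!
! Management address on a dedicated VLAN; the default VLAN 1 interface stays down
vlan 99
 name MGMT
vlan 999
 name PARKING
interface vlan 99
 ip address 10.1.1.200 255.255.255.0
 no shutdown
interface vlan 1
 shutdown
ip default-gateway 10.1.1.254
!
! Unused ports: disabled and parked in an unused VLAN so that a stray patch cable does nothing
interface range fastethernet 0/25 - 48
 description UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown
!
end
copy running-config startup-config
```

Note that VLAN 99 must be carried on the uplink to the rest of the network, otherwise the switch becomes unreachable the moment VLAN 1 is shut; apply this from the console, not over the network. Afterwards `show ip ssh` should report SSH 2.0 enabled, `show access-lists MGMT-ACCESS` shows hits from rejected hosts, and `show interfaces status` lists ports 25 to 48 as disabled.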
The above are some steps that can be followed for basic set-up of Cisco switches. Of course there are more things you can configure (such as SNMP servers, NTP, AAA etc) but those depend on the requirements of each particular network.