ASA

-> Stateful Firewall Filtering
-> Supports application-level inspection (non-standard)
-> Supports both IPsec and SSL VPNs
-> Supports IPS
-> Content Filtering (virus, spyware, spam, etc.)
=====================================================================
--Stateful Firewall--
o Track traffic (trusted to untrusted)
o Create an entry in the state table
o Track traffic from untrusted to trusted
  - Permit, if an entry exists in the state table
  - Deny, if no entry exists in the state table
======================================================================
--ASA Traffic Inspection--
o Modular Policy Framework (MPF) uses an inspection engine
o Configuration using 3 steps:
  - Class Map, Policy Map, Service Policy
o MPF controls...
  - What traffic is inspected (Class Map)
    1. Basic layer 3 or 4 inspection (Std Apps)
    2. App layer inspection (non-std), HTTP, SMTP, DNS, SIP, etc.
       - Different for each application
  - How traffic is inspected (Policy Map)
    1. Connection limits, QoS parameters, etc.
  - Direction of Inspection
    1. Inside, Outside, DMZ
p.s. Uses ACLs as exceptions to MPF Inspection (no engine)
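The three MPF steps above as an ASA configuration sketch. This is an added example, not part of the original notes; the ACL, class-map and policy-map names, TCP port 8080 and the connection limits are assumptions chosen for illustration.

```cisco
! Constructed example: names, port and limits are illustrative assumptions.
!
! Step 1 - Class Map: WHAT traffic is inspected.
! An ACL selects HTTP running on a non-default port (8080).
access-list ACL-WEB-8080 extended permit tcp any any eq 8080
class-map CM-WEB-8080
 match access-list ACL-WEB-8080
!
! Step 2 - Policy Map: HOW the matched traffic is handled.
! Run the HTTP inspection engine and apply connection limits.
policy-map PM-OUTSIDE
 class CM-WEB-8080
  inspect http
  set connection conn-max 500 embryonic-conn-max 100
!
! Step 3 - Service Policy: WHERE the policy is attached.
! Bind the policy map to a named interface (inside, outside, dmz).
service-policy PM-OUTSIDE interface outside
!
! Verification from the ASA CLI:
!   show service-policy interface outside   (per-class inspection counters)
!   show conn                               (entries in the state table)
```

An interface may carry only one service policy, so further classes go into the same policy map instead of a second `service-policy` line.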
=======================================================================
ASA MPF vs IOS Zone-Based Policy FW
1. ASA is less flexible
2. But, better inspection and performance
3. Not a problem, but it needs to be taken into account
========================================================================
--Mode of Operation--

o Routed Firewall
  - Different subnets and VLANs
o Transparent Firewall
  - Same subnet but different VLANs
  - Traffic is bridged between interfaces
  - Using CAM table
  - No VPN termination, same as multiple-context ASA
p.s. Multiple Context and Transparent FW stop dynamic routing and VPN
==========================================================================
--ASA VPN Termination--
o Supports both IPsec and SSL VPN Termination