Well, we had all heard the rumors that it was coming down the line, and today Cisco decided to make it official just ahead of Cisco Live. Something very interesting about this update (no doubt a result of really listening to the community's voice regarding the things that threaten the enterprise most these days) is that they've added a heavy emphasis on Bring Your Own Device (BYOD) over wireless threats, with the addition of a Wireless LAN Controller (WLC) and at least a single AP, along with the Identity Services Engine (ISE). For those of you who may not be familiar with the ISE, it is basically an evolution of a few devices combined into one: sort of a mix of the ACS, NAC Appliance and NAC Profiler. However, it is NOT a replacement for the ACS, namely because it does not do TACACS+, instead only supporting RADIUS for 802.1x and NAC. This is the reason that Cisco decided to leave the ACS server in there, but upgraded to v5.x (most likely 5.3). Also, if you happen not to have any experience with wireless technologies in general, you're in luck! INE is releasing our 20-hour CCNA Wireless class later today, which covers Lightweight Access Points (LWAP) being controlled by WLCs, and those WLCs being controlled by the higher-up Wireless Control System (WCS). In fact, since I've mentioned the WCS, it's quite interesting that Cisco (in a sort of nonchalant way) mentions that the ASA firewalls may be configured by "Cisco Prime Tools". If you aren't familiar with Cisco Prime, it is basically the new branding of Cisco's network management as a whole: LMS would now fall under Prime, as would something called Prime NCS (an evolution of Cisco's WCS), and Prime Tools also falls under the new Prime branding.
The first portion of INE's new CCIE Security Advanced Technologies Class for the 3.0 blueprint is now available in both streaming and download formats. Subscribers to the All Access Pass already have access to this new course, and can upgrade to the download version for $159. Non-subscribers can purchase the standalone download for $299, or subscribe to the AAP for just $159 per month. Customers who have access to previous versions of the CCIE Security ATC will get access to the new streaming version at no extra charge.
The current release of the class contains the first 18 hours of videos. New videos will be posted incrementally over the next few weeks, to bring the final runtime to somewhere between 40 and 60 hours. Specifically, the following topics are covered in this first portion of the release:
INE is proud to announce the upcoming release of our new CCIE Security Advanced Technologies Class and CCIE Security 5-Day Bootcamp. The 5-Day Bootcamp will be available in streaming and download format starting this weekend, followed shortly by the Advanced Technologies class. Both of these video series are included with the All Access Pass subscriptions, or can be purchased as standalone downloads. Samples of both classes are available below.
Change is in the air. I've noticed that over the last several weeks, we've had at least five security CCIE candidates pass who used INE's security products as part of their study plan. What these students have done is use a combination of our version 3 and version 5 products. Congratulations to all those who passed!
After returning from vacation, Bob (the optimistic firewall technician) decided that he wanted to take some time and get a little bit more familiar with firewall configuration. He was able to get permission to use some spare equipment for practice.
It was a dark, cold night in late December, and Bob (the optimistic firewall technician) had a single ASA to deploy before going home for the holidays. The requirements for the firewall were simple. Bob read them slowly as follows:
- R1 should be able to ping the server "Radio.INE.com" by name.
- PC should be able to ping the server "Radio.INE.com" by name.
Bob also read the background information to see if this was something he could finish before leaving the office. Bob read the following:
In this blog post we are going to review and compare the ways in which IOS and ASA Easy VPN servers perform ezVPN attribute authorization via RADIUS. The information on these procedures is scattered among the documentation and technology examples, so I thought it would be helpful to put the pieces together.
To begin with, let's establish some sort of equivalence between the IOS and ASA terminology. Even though the ASA inherited most of its VPN configuration concepts from the VPN3000 platform, it is still possible to find similarities between the IOS and the ASA configurations. Recall that the IOS ezVPN configuration defines a local ezVPN group policy by means of the crypto isakmp client configuration group command. This could be viewed as a rough equivalent to the ASA's group-policy type internal command, though the ASA command's scope is much broader. IOS ISAKMP profiles could be viewed as an equivalent to the ASA's tunnel-group command, which defines a connection profile.
General Logic Overview
When establishing a VPN tunnel, the ASA firewall matches tunnel-group names based on the following criteria list:
The Modular Policy Framework (MPF) configuration defines a set of rules for applying firewall features, such as traffic inspection, QoS, etc., to the traffic transiting the firewall. MPF has many similarities to the MQC (Modular QoS CLI) syntax found in Cisco IOS, but there are some major differences in the flow of operations, even though many commands look the same. The following post assumes a basic understanding of the ASA firewall and its configuration. It covers the basic logic of the MPF, but does not go over all firewall features in depth.