Home » Cisco Manuals » Bridges & Routers » Cisco 7604 » Manual Viewer

Cisco 7604 Configuration Guide - Page 218

Certificate Scalability, About Key Pairs

Add to My Manuals
Save this manual to your list of manuals

Page 218 highlights

Public Key Cryptography Chapter 12 Configuring Certificates Obtaining the public key of a sender is normally handled out-of-band or through an operation performed at installation. For example, most web browsers are configured with the root certificates of several CAs by default. For VPN, the IKE protocol, a component of IPSec, can use digital signatures to authenticate peer devices before setting up security associations. Certificate Scalability Without digital certificates, you must manually configure each IPSec peer for every peer with which it communicates, and every new peer you add to a network would then require a configuration change on every peer with which you need it to communicate securely. When you use digital certificates, each peer is enrolled with a CA. When two peers try to communicate, they exchange certificates and digitally sign data to authenticate each other. When a new peer is added to the network, you enroll that peer with a CA and no other peers need modification. When the new peer tries an IPSec connection, certificates are automatically exchanged and the peer can be authenticated. With a CA, a peer authenticates itself to the remote peer by sending a certificate to the remote peer and performing some public key cryptography. Each peer sends its unique certificate that was issued by the CA. This process works because each certificate encapsulates the public key for the associated peer, each certificate is authenticated by the CA, and all participating peers recognize the CA as an authenticating authority. This is called IKE with an RSA signature. The peer can continue sending its certificate for multiple IPSec sessions, and to multiple IPSec peers, until the certificate expires. When its certificate expires, the peer administrator must obtain a new one from the CA. CAs can also revoke certificates for peers that no longer participate in IPSec. Revoked certificates are not recognized as valid by other peers. Revoked certificates are listed in a CRL, which each peer may check before accepting a certificate from another peer. Some CAs have an RA as part of their implementation. An RA is a server that acts as a proxy for the CA so that CA functions can continue when the CA is unavailable. About Key Pairs Key pairs are RSA keys, which can be used for SSH or SSL connections, have the following characteristics: • For the purposes of generating keys, the maximum key modulus for RSA keys is 2048 bits. The default size is 1024 bits. Many SSL connections using identity certificates with RSA key pairs that exceed 1024 bits can cause a high CPU usage on the FWSM and rejected clientless logins. • For signature operations, the supported maximum key size is 4096 bits. • You can generate a general-purpose RSA key pair, used for both signing and encryption, or you can generate separate RSA key pairs for each purpose. Separate signing and encryption keys help reduce exposure of the keys. This is because SSL uses a key for encryption but not signing, while IKE uses a key for signing but not encryption. 12-2 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01

Section	Page
About This Guide	27
Audience	27
Objectives	27
Document Conventions	27
Related Documentation	28
Obtaining Documentation and Submitting a Service Request	29
Quick Start Steps	31
Routed Firewall Minimum Configuration Steps	31
Transparent Firewall Minimum Configuration Steps	32
Getting Started and General Information	35
Introduction to the Firewall Services Module	37
New Features	38
Security Policy Overview	39
Permitting or Denying Traffic with Access Lists	40
Applying NAT	40
Protecting from IP Fragments	40
Using AAA for Through Traffic	40
Applying Internet Filtering	40
Applying Application Inspection	41
Applying Connection Limits	41
How the Firewall Services Module Works with the Switch	41
Using the MSFC	42
Firewall Mode Overview	43
Stateful Inspection Overview	44
Security Context Overview	45
Configuring the Switch for the Firewall Services Module	47
Switch Overview	47
Verifying the Module Installation	48
Assigning VLANs to the Firewall Services Module	48
VLAN Guidelines	49
Assigning VLANs to the FWSM	49
Adding Switched Virtual Interfaces to the MSFC	50
SVI Overview	51
Configuring SVIs	53
Customizing the FWSM Internal Interface	54
Configuring the Switch for Failover	55
Assigning VLANs to the Secondary Firewall Services Module	55
Adding a Trunk Between a Primary Switch and Secondary Switch	55
Ensuring Compatibility with Transparent Firewall Mode	55
Enabling Autostate Messaging for Rapid Link Failure Detection	55
Managing the Firewall Services Module Boot Partitions	56
Flash Memory Overview	56
Setting the Default Boot Partition	56
Resetting the FWSM or Booting from a Specific Partition	57
Connecting to the Firewall Services Module and Managing the Configuration	59
Connecting to the Firewall Services Module	59
Logging in to the FWSM	59
Logging out of the FWSM	60
Managing the Configuration	61
Saving Configuration Changes	61
Saving Configuration Changes in Single Context Mode	61
Saving Configuration Changes in Multiple Context Mode	61
Copying the Startup Configuration to the Running Configuration	63
Viewing the Configuration	63
Clearing and Removing Configuration Settings	63
Creating Text Configuration Files Offline	64
Configuring Security Contexts	65
Security Context Overview	65
Common Uses for Security Contexts	66
Unsupported Features	66
Context Configuration Files	66
Context Configurations	66
System Configuration	66
Admin Context Configuration	67
How the FWSM Classifies Packets	67
Valid Classifier Criteria	67
Invalid Classifier Criteria	68
Classification Examples	69
Sharing Interfaces Between Contexts	71
NAT and Origination of Traffic	72
Sharing an Outside Interface	72
Sharing an Inside Interface	72
Management Access to Security Contexts	73
System Administrator Access	73
Context Administrator Access	74
Enabling or Disabling Multiple Context Mode	74
Backing Up the Single Mode Configuration	74
Enabling Multiple Context Mode	74
Restoring Single Context Mode	75
Managing Memory for Rules	75
About Memory Partitions	76
Default Rule Allocation	76
Setting the Number of Memory Partitions	77
Changing the Memory Partition Size	78
Reallocating Rules Between Features for a Specific Memory Partition	83
Configuring Resource Management	85
Classes and Class Members Overview	86
Resource Limits	86
Default Class	87
Class Members	88
Configuring a Class	88
Configuring a Security Context	91
Changing Between Contexts and the System Execution Space	95
Managing Security Contexts	96
Removing a Security Context	96
Changing the Admin Context	97
Changing the Security Context URL	97
Reloading a Security Context	98
Reloading by Clearing the Configuration	98
Reloading by Removing and Readding the Context	99
Monitoring Security Contexts	99
Viewing Context Information	99
Viewing Resource Allocation	100
Viewing Resource Usage	103
Monitoring SYN Attacks in Contexts	104
Configuring the Firewall Mode	107
Routed Mode Overview	107
IP Routing Support	107
How Data Moves Through the FWSM in Routed Firewall Mode	108
An Inside User Visits a Web Server	108
An Outside User Visits a Web Server on the DMZ	109
An Inside User Visits a Web Server on the DMZ	110
An Outside User Attempts to Access an Inside Host	111
A DMZ User Attempts to Access an Inside Host	112
Transparent Mode Overview	113
Transparent Firewall Network	113
Bridge Groups	113
Management Interface	114
Allowing Layer 3 Traffic	114
Allowed MAC Addresses	114
Passing Traffic Not Allowed in Routed Mode	114
MAC Address vs. Route Lookups	115
Using the Transparent Firewall in Your Network	115
Transparent Firewall Guidelines	116
Unsupported Features in Transparent Mode	117
How Data Moves Through the Transparent Firewall	118
An Inside User Visits a Web Server	119
An Inside User Visits a Web Server Using NAT	120
An Outside User Visits a Web Server on the Inside Network	121
An Outside User Attempts to Access an Inside Host	122
Setting Transparent or Routed Firewall Mode	123
Configuring Interface Parameters	125
Security Level Overview	125
Configuring Interfaces for Routed Firewall Mode	126
Guidelines and Limitations	126
Configuring an Interface	127
Configuring Interfaces for Transparent Firewall Mode	128
Information About Interfaces in Transparent Mode	128
Information About Bridge Groups	128
Information About Device Management	128
Guidelines and Limitations	129
Configuring Transparent Firewall Interfaces for Through Traffic	130
Assigning an IP Address to a Bridge Group	130
Adding a Management Interface	131
Allowing Communication Between Interfaces on the Same Security Level	134
Configuring Inter-Interface Communication	134
Configuring Intra-Interface Communication	135
Turning Off and Turning On Interfaces	136
Configuring Basic Settings	137
Changing the Passwords	137
Changing the Login Password	137
Changing the Enable Password	138
Changing the Maintenance Software Passwords	138
Setting the Hostname	139
Setting the Domain Name	140
Setting the Prompt	140
Configuring a Login Banner	141
Configuring IP Routing and DHCP Services	143
How Routing Behaves Within FWSM	143
Egress Interface Selection Process	143
Next Hop Selection Process	144
Configuring Static and Default Routes	144
Configuring a Static Route	145
Configuring a Default Route	146
Monitoring a Static or Default Route	147
Defining a Route Map	147
Configuring BGP Stub Routing	148
BGP Stub Limitations	149
Configuring BGP Stub Routing	149
Monitoring BGP Stub Routing	150
Restarting the BGP Stub Routing Process	151
Configuring OSPF	151
OSPF Overview	151
Enabling OSPF	152
Redistributing Routes Between OSPF Processes	153
Configuring OSPF Interface Parameters	154
Configuring OSPF Area Parameters	156
Configuring OSPF NSSA	157
Configuring a Point-To-Point, Non-Broadcast OSPF Neighbor	158
Configuring Route Summarization Between OSPF Areas	159
Configuring Route Summarization when Redistributing Routes into OSPF	159
Generating a Default Route	160
Configuring Route Calculation Timers	160
Logging Neighbors Going Up or Down	161
Displaying OSPF Update Packet Pacing	161
Monitoring OSPF	162
Restarting the OSPF Process	163
Configuring RIP	163
RIP Overview	163
Enabling RIP	163
Configuring EIGRP	164
EIGRP Routing Overview	164
Enabling and Configuring EIGRP Routing	165
Enabling and Configuring EIGRP Stub Routing	166
Enabling EIGRP Authentication	167
Defining an EIGRP Neighbor	168
Redistributing Routes Into EIGRP	168
Configuring the EIGRP Hello Interval and Hold Time	169
Disabling Automatic Route Summarization	169
Configuring Summary Aggregate Addresses	170
Disabling EIGRP Split Horizon	170
Changing the Interface Delay Value	171
Monitoring EIGRP	171
Disabling Neighbor Change and Warning Message Logging	172
Configuring Asymmetric Routing Support	172
Adding Interfaces to ASR Groups	173
Asymmetric Routing Support Example	173
Configuring Route Health Injection	174
Route Health Injection Overview	174
RHI Guidelines	175
Enabling RHI	175
Configuring DHCP	177
Configuring a DHCP Server	177
Enabling the DHCP Server	177
Configuring DHCP Options	179
Using Cisco IP Phones with a DHCP Server	180
Configuring DHCP Relay Services	181
DHCP Relay Overview	181
Configuring the DHCP Relay Agent	181
Preserving DHCP Option 82	183
Verifying the DHCP Relay Configuration	183
Configuring Multicast Routing	185
Multicast Routing Overview	185
Enabling Multicast Routing	186
Configuring IGMP Features	186
Disabling IGMP on an Interface	187
Configuring Group Membership	187
Configuring a Statically Joined Group	187
Controlling Access to Multicast Groups	188
Limiting the Number of IGMP States on an Interface	188
Modifying the Query Interval and Query Timeout	188
Changing the Query Response Time	189
Changing the IGMP Version	189
Configuring Stub Multicast Routing	189
Configuring a Static Multicast Route	190
Configuring PIM Features	190
Disabling PIM on an Interface	190
Configuring a Static Rendezvous Point Address	191
Configuring the Designated Router Priority	191
Filtering PIM Register Messages	191
Configuring PIM Message Intervals	192
For More Information About Multicast Routing	192
Configuring IPv6	193
IPv6-Enabled Commands	193
Configuring IPv6 on an Interface	194
Configuring a Dual IP Stack on an Interface	196
Configuring IPv6 Duplicate Address Detection	196
Configuring IPv6 Default and Static Routes	197
Configuring IPv6 Access Lists	197
Configuring IPv6 Neighbor Discovery	198
Configuring Neighbor Solicitation Messages	198
Configuring the Neighbor Solicitation Message Interval	199
Configuring the Neighbor Reachable Time	199
Configuring Router Advertisement Messages	200
Configuring the Router Advertisement Transmission Interval	201
Configuring the Router Lifetime Value	201
Configuring the IPv6 Prefix	201
Suppressing Router Advertisement Messages	202
Configuring a Static IPv6 Neighbor	202
Verifying the IPv6 Configuration	202
Viewing IPv6 Interface Settings	202
Viewing IPv6 Routes	203
Configuring AAA Servers and the Local Database	205
AAA Overview	205
About Authentication	206
About Authorization	206
About Accounting	206
AAA Server and Local Database Support	207
Summary of Support	207
RADIUS Server Support	208
Authentication Methods	208
Attribute Support	208
RADIUS Authorization Functions	208
TACACS+ Server Support	208
SDI Server Support	209
SDI Version Support	209
Two-step Authentication Process	209
SDI Primary and Replica Servers	209
NT Server Support	209
Kerberos Server Support	210
LDAP Server Support	210
Local Database Support	210
User Profiles	210
Fallback Support	210
Configuring the Local Database	211
Identifying AAA Server Groups and Servers	213
Configuring Certificates	217
Public Key Cryptography	217
About Public Key Cryptography	217
Certificate Scalability	218
About Key Pairs	218
About Trustpoints	219
About Revocation Checking	219
Certificate Configuration	219
Preparing for Certificates	220
Generating Key Pairs	220
Removing Key Pairs	221
Establishing AAA Authentication	221
Verifying Configurations for Specified Settings	222
Exporting and Importing Keypairs and Certificates	223
Exporting a Keypair and Certificate	223
Importing a Keypair and Certificate	223
Linking Certificates to a Trustpoint	225
Configuration Example: Cut-Through-Proxy Authentication	225
Identifying Traffic with Access Lists	227
Access List Overview	227
Access List Types	228
Access Control Entry Order	228
Access List Implicit Deny	229
IP Addresses Used for Access Lists When You Use NAT	229
Access List Commitment	231
Maximum Number of ACEs	232
Adding an Extended Access List	232
Extended Access List Overview	232
Allowing Broadcast and Multicast Traffic through the Transparent Firewall	233
Adding an Extended ACE	233
Adding an EtherType Access List	235
Supported EtherTypes	235
Apply Access Lists in Both Directions	235
Implicit Deny at the End of an Access List Does Not Affect IP or ARP Traffic	235
Using Extended and EtherType Access Lists on the Same Interface	236
Allowing MPLS	236
Adding an EtherType ACE	236
Adding a Standard Access List	237
Simplifying Access Lists with Object Grouping	237
How Object Grouping Works	237
Adding Object Groups	238
Adding a Protocol Object Group	238
Adding a Network Object Group	239
Adding a Service Object Group	240
Adding an ICMP Type Object Group	240
Nesting Object Groups	241
Using Object Groups with an Access List	242
Displaying Object Groups	243
Removing Object Groups	243
Adding Remarks to Access Lists	244
Access List Group Optimization	244
How Access List Group Optimization Works	244
Configuring Access List Group Optimization	246
Scheduling Extended Access List Activation	250
Adding a Time Range	250
Applying the Time Range to an ACE	251
Logging Access List Activity	251
Access List Logging Overview	251
Configuring Logging for an ACE	252
Managing Deny Flows	253
Configuring Failover	255
Understanding Failover	255
Failover System Requirements	256
Software Requirements	256
License Requirements	256
Failover and State Links	256
Failover Link	256
State Link	257
Intra- and Inter-Chassis Module Placement	257
Intra-Chassis Failover	257
Inter-Chassis Failover	258
Transparent Firewall Requirements	261
Active/Standby and Active/Active Failover	262
Active/Standby Failover	262
Active/Active Failover	266
Determining Which Type of Failover to Use	271
Regular and Stateful Failover	271
Regular Failover	272
Stateful Failover	272
Failover Health Monitoring	273
Unit Health Monitoring	273
Interface Monitoring	273
Rapid Link Failure Detection	274
Configuring Failover	274
Failover Configuration Limitations	275
Using Active/Standby Failover	275
Prerequisites	275
Configuring Active/Standby Failover	275
Configuring Optional Active/Standby Failover Settings	278
Using Active/Active Failover	280
Prerequisites	280
Configuring Active/Active Failover	280
Configuring Optional Active/Active Failover Settings	283
Configuring Failover Communication Authentication/Encryption	285
Verifying the Failover Configuration	285
Viewing Failover Status	285
Viewing Monitored Interfaces	293
Viewing the Failover Configuration	293
Testing the Failover Functionality	293
Controlling and Monitoring Failover	294
Forcing Failover	294
Disabling Failover	295
Disabling Configuration Synchronization	295
Restoring a Failed Unit or Failover Group	295
Monitoring Failover	296
Failover System Log Messages	296
Debug Messages	296
SNMP	296
Configuring the Security Policy	297
Permitting or Denying Network Access	299
Inbound and Outbound Access List Overview	299
Applying an Access List to an Interface	302
Configuring NAT	305
NAT Overview	305
Introduction to NAT	306
NAT in Routed Mode	306
NAT in Transparent Mode	307
NAT Control	309
NAT Types	310
Dynamic NAT	310
PAT	312
Static NAT	312
Static PAT	313
Bypassing NAT when NAT Control is Enabled	314
Policy NAT	314
NAT Session (Xlate) Creation	317
NAT and PAT Global Pool Usage	318
NAT and Same Security Level Interfaces	318
Order of NAT Commands Used to Match Real Addresses	319
Maximum Number of NAT Statements	319
Mapped Address Guidelines	319
DNS and NAT	320
Configuring NAT Control	322
Configuring Xlate Bypass	323
Using Dynamic NAT and PAT	323
Dynamic NAT and PAT Implementation	324
Configuring Dynamic NAT or PAT	330
Using Static NAT	333
Using Static PAT	335
Bypassing NAT	337
Configuring Identity NAT	338
Configuring Static Identity NAT	338
Configuring NAT Exemption	340
NAT Examples	341
Overlapping Networks	342
Redirecting Ports	343
Applying AAA for Network Access	345
AAA Performance	345
Configuring Authentication for Network Access	345
Authentication Overview	346
One-Time Authentication	346
Applications Required to Receive an Authentication Challenge	346
FWSM Authentication Prompts	346
Static PAT and HTTP	347
Authenticating Directly with the FWSM	347
Enabling Network Access Authentication	347
Configuring Custom Login Prompts	349
Enabling Secure Authentication of Web Clients	350
Disabling Authentication Challenge per Protocol	352
Configuring Authorization for Network Access	353
Configuring TACACS+ Authorization	353
Configuring RADIUS Authorization	354
Configuring a RADIUS Server to Download Per-User Access Control Lists	354
Configuring a RADIUS Server to Download Per-User Access Control List Names	356
Configuring Accounting for Network Access	357
Using MAC Addresses to Exempt Traffic from Authentication and Authorization	358
Applying Filtering Services	361
Filtering Overview	361
Filtering ActiveX Objects	361
ActiveX Filtering Overview	362
Enabling ActiveX Filtering	362
Filtering Java Applets	363
Filtering URLs and FTP Requests with an External Server	364
URL Filtering Overview	364
Identifying the Filtering Server	364
Buffering the Content Server Response	366
Caching Server Addresses	366
Filtering HTTP URLs	367
Configuring HTTP Filtering	367
Enabling Filtering of Long HTTP URLs	367
Truncating Long HTTP URLs	368
Exempting Traffic from Filtering	368
Filtering HTTPS URLs	368
Filtering FTP Requests	369
Viewing Filtering Statistics and Configuration	369
Viewing Filtering Server Statistics	370
Viewing Buffer Configuration and Statistics	370
Viewing Caching Statistics	371
Viewing Filtering Performance Statistics	371
Viewing Filtering Configuration	371
Configuring ARP Inspection and Bridging Parameters	373
Configuring ARP Inspection	373
ARP Inspection Overview	373
Adding a Static ARP Entry	374
Enabling ARP Inspection	374
Customizing the MAC Address Table	375
MAC Address Table Overview	375
Adding a Static MAC Address	375
Setting the MAC Address Timeout	375
Disabling MAC Address Learning	376
Viewing the MAC Address Table	376
Using Modular Policy Framework	377
Information About Modular Policy Framework	377
Modular Policy Framework Supported Features	377
Modular Policy Framework Configuration Overview	378
Default Global Policy	379
Identifying Traffic (Layer 3/4 Class Map)	380
Default Class Maps	380
Maximum Class Maps	380
Creating a Layer 3/4 Class Map for Through Traffic	381
Configuring Special Actions for Application Inspections (Inspection Policy Map)	382
Inspection Policy Map Overview	383
Defining Actions in an Inspection Policy Map	383
Identifying Traffic in an Inspection Class Map	386

Match case Limit results 1 per page

12-2

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM

OL-20748-01

Chapter 12

Configuring Certificates

Public Key Cryptography

Obtaining the public key of a sender is normally handled out-of-band or through an operation performed

at installation. For example, most web browsers are configured with the root certificates of several CAs

by default. For VPN, the IKE protocol, a component of IPSec, can use digital signatures to authenticate

peer devices before setting up security associations.

Certificate Scalability

Without digital certificates, you must manually configure each IPSec peer for every peer with which it

communicates, and every new peer you add to a network would then require a configuration change on

every peer with which you need it to communicate securely.

When you use digital certificates, each peer is enrolled with a CA. When two peers try to communicate,

they exchange certificates and digitally sign data to authenticate each other. When a new peer is added

to the network, you enroll that peer with a CA and no other peers need modification. When the new peer

tries an IPSec connection, certificates are automatically exchanged and the peer can be authenticated.

With a CA, a peer authenticates itself to the remote peer by sending a certificate to the remote peer and

performing some public key cryptography. Each peer sends its unique certificate that was issued by the

CA. This process works because each certificate encapsulates the public key for the associated peer, each

certificate is authenticated by the CA, and all participating peers recognize the CA as an authenticating

authority. This is called IKE with an RSA signature.

The peer can continue sending its certificate for multiple IPSec sessions, and to multiple IPSec peers,

until the certificate expires. When its certificate expires, the peer administrator must obtain a new one

from the CA.

CAs can also revoke certificates for peers that no longer participate in IPSec. Revoked certificates are

not recognized as valid by other peers. Revoked certificates are listed in a CRL, which each peer may

check before accepting a certificate from another peer.

Some CAs have an RA as part of their implementation. An RA is a server that acts as a proxy for the CA

so that CA functions can continue when the CA is unavailable.

About Key Pairs

Key pairs are RSA keys, which can be used for SSH or SSL connections, have the following

characteristics:

•

For the purposes of generating keys, the maximum key modulus for RSA keys is 2048 bits. The

default size is 1024 bits. Many SSL connections using identity certificates with RSA key pairs that

exceed 1024 bits can cause a high CPU usage on the FWSM and rejected clientless logins.

•

For signature operations, the supported maximum key size is 4096 bits.

•

You can generate a general-purpose RSA key pair, used for both signing and encryption, or you can

generate separate RSA key pairs for each purpose.

Separate signing and encryption keys help reduce exposure of the keys. This is because SSL uses a

key for encryption but not signing, while IKE uses a key for signing but not encryption.