Cisco ASA 5505 Configuration Manual page 77

Chapter 1 Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance
Firewall Functional Overview
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall
can also protect inside networks from each other, for example, by keeping a human resources network
separate from a user network. If you have network resources that need to be available to an outside user,
such as a web or FTP server, you can place these resources on a separate network behind the firewall,
called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ
only includes the public servers, an attack there only affects the servers and does not affect the other
inside networks. You can also control when inside users access outside networks (for example, access to
the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by
coordinating with an external URL filtering server.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the
inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited
access to outside users. Because the adaptive security appliance lets you configure many interfaces with
varied security policies, including many inside interfaces, many DMZs, and even many outside
interfaces if desired, these terms are used in a general sense only.
This section includes the following topics:
•
•
•
Security Policy Overview
A security policy determines which traffic is allowed to pass through the firewall to access another
network. By default, the adaptive security appliance allows traffic to flow freely from an inside network
(higher security level) to an outside network (lower security level). You can apply actions to traffic to
customize the security policy. This section includes the following topics:
•
•
•
•
•
•
•
•
•
•
•
•
•
OL-20339-01
Security Policy Overview, page 1-15
Firewall Mode Overview, page 1-18
Stateful Inspection Overview, page 1-18
Permitting or Denying Traffic with Access Rules, page 1-16
Applying NAT, page 1-16
Protecting from IP Fragments, page 1-16
Using AAA for Through Traffic, page 1-16
Applying HTTP, HTTPS, or FTP Filtering, page 1-16
Applying Application Inspection, page 1-16
Sending Traffic to the Advanced Inspection and Prevention Security Services Module, page 1-16
Sending Traffic to the Content Security and Control Security Services Module, page 1-17
Applying QoS Policies, page 1-17
Applying Connection Limits and TCP Normalization, page 1-17
Enabling Threat Detection, page 1-17
Enabling the Botnet Traffic Filter, page 1-17
Configuring Cisco Unified Communications, page 1-18
Cisco ASA 5500 Series Configuration Guide using ASDM
Firewall Functional Overview
1-15