Prepared by: Bhuvan Systems and Networking Team
Standard Operating Procedure for Network Devices

1. Security Classification: Restricted
2. Distribution: BHUVAN/ G&WGSG
3. Document Issue: (a) Issue: (b) Revision: 0
4. Report Type: SOP Document
5. Report No:
8. Project: BHUVAN
10. Affiliation of authors: NRSC
12. Originating unit: NRSC
13. Sponsor(s): Name: Nil; Type:
14. Date of Initiation: ...
15. Date of Publication: ...
Table of Contents
1. Firewalls
List of Figures
1. Firewall
1.1. Purpose: This standard defines the essential rules for the management and
maintenance of firewalls at the Bhuvan cell; it applies to all firewalls
controlled by the Bhuvan Networking Team.
1.2. Scope:
1.3. Make:
1.3.1. Benefits:
Blocks many types of outside attacks from reaching your internal network.
May block many types of malicious attacks from your internal network to the
campus network and/or the Internet community.
Monitors and logs apparent source and origination of such attacks.
Allows for regulation of network traffic between private and public networks.
1.3.2. Risks:
1.5. IP address: * . * .* .*
To connect to the Cisco ASA firewall and set up the initial configuration, use the blue
serial console cable that came in the package with your device. Connect the serial
end of the console cable to the RS232 DB9 serial port on your PC and connect the other
end of the cable (RJ45) to the console port on the ASA.
On successful connection you should see the ASA command line (CLI) prompt. On the PC
connected to the ASA, launch a web browser. In the Address field, enter the
following (default) URL: https://192.168.1.1/admin and run the Startup Wizard.
Detailed Step:
Step 1. Command: interface vlan number
        Purpose: Adds a VLAN interface, where the number is between 1 and 4090.
Step 2. Command: (Optional for the Base license)
        Purpose: Allows this interface to be the third VLAN by limiting it from initiating contact to one other VLAN.
Detailed Step:
Step 1. Command: interface ethernet0/port
        Example: hostname(config)# interface ethernet0/1
        Purpose: Specifies the switch port you want to configure, where port is 0 through 7.
   i.   Command: switchport trunk allowed vlan vlan_range
        Purpose: Identifies one or more VLANs that you can assign to the trunk port, where the vlan_range (with VLANs between 1 and 4090) can be identified in one of the following ways:
        You can include the native VLAN in this command, but it is not required; the native VLAN is passed whether it is included in this command or not.
   ii.  Command: switchport trunk native vlan vlan_id
        Example: hostname(config-if)# switchport trunk native vlan 10
        Purpose: Assigns a native VLAN to the trunk, where the vlan_id is a single VLAN ID between 1 and 4090.
        Packets on the native VLAN are not modified when sent over the trunk. For example, if a port has VLANs 2, 3 and 4 assigned to it, and VLAN 2 is the native VLAN, then packets on VLAN 2 that egress the port are not modified with an 802.1Q header. Frames which ingress (enter) this port and have no 802.1Q header are put into VLAN 2.
        Each port can only have one native VLAN, but every port can have either the same or a different native VLAN.
Step 3. Command: switchport mode trunk
        Example: hostname(config-if)# switchport mode trunk
        Purpose: Makes this switch port a trunk port. To restore this port to access mode, enter the switchport mode access command.
Step 4. Command: (Optional) switchport protected
        Example: hostname(config-if)# switchport protected
        Purpose: Prevents the switch port from communicating with other switch ports on the same VLAN.
        You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the switchport protected command to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.
Step 5. Command: (Optional) speed { auto | 10 | 100 }
        Example: hostname(config-if)# speed 100
        Purpose: Sets the speed. The auto setting is the default. If you set the speed to anything other than auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
Step 6. Command: (Optional) duplex { auto | full | half }
        Example: hostname(config-if)# duplex full
        Purpose: Sets the duplex. The auto setting is the default. If you set the duplex to anything other than auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
Step 7. Command: no shutdown
        Example: hostname(config-if)# no shutdown
        Purpose: Enables the switch port. To disable the switch port, enter the shutdown command.
The steps above are the minimum you must configure to make the appliance
operational.
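As an added illustration that is not part of the SOP, the following Python script audits a constructed ASA switch-port configuration against the rules stated in the steps above: switch ports must be ethernet0/0 through 0/7, VLAN IDs must lie between 1 and 4090, speed and duplex should stay at auto on the PoE ports 0/6 and 0/7, and a port must not be left shut down. The sample configuration, the rule set and the function names are assumptions made for this example.

```python
import re

# Constructed sample of an ASA switch-port configuration (not from the SOP);
# ethernet0/6 and ethernet0/9 deliberately violate the rules in the steps above.
SAMPLE_CONFIG = """\
interface ethernet0/1
 switchport trunk allowed vlan 2,3,4
 switchport trunk native vlan 2
 switchport mode trunk
 no shutdown
interface ethernet0/6
 speed 100
 duplex full
 no shutdown
interface ethernet0/9
 switchport trunk native vlan 5000
 shutdown
"""

POE_PORTS = {"ethernet0/6", "ethernet0/7"}  # the SOP says leave speed/duplex at auto here

def parse_interfaces(config):
    """Group the indented sub-commands under each 'interface <name>' line."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def audit_interface(name, cmds):
    """Return the list of SOP findings for one switch port (empty list = compliant)."""
    findings = []
    port = re.fullmatch(r"ethernet0/(\d+)", name)
    if not port or not 0 <= int(port.group(1)) <= 7:
        findings.append("switch port must be ethernet0/0 through ethernet0/7")
    for cmd in cmds:
        vlan = re.fullmatch(r"switchport trunk (?:allowed|native) vlan (.+)", cmd)
        if vlan and any(not 1 <= int(v) <= 4090 for v in re.findall(r"\d+", vlan.group(1))):
            findings.append(f"VLAN id outside 1-4090 in '{cmd}'")
        if name in POE_PORTS and re.fullmatch(r"(?:speed|duplex) (?!auto$)\S+", cmd):
            findings.append(f"PoE port not left at auto: '{cmd}' may leave 802.3af devices unpowered")
    if "shutdown" in cmds:
        findings.append("port is administratively shut down")
    return findings

def audit_config(config):
    """Map every interface name in the configuration to its findings."""
    return {name: audit_interface(name, cmds) for name, cmds in parse_interfaces(config).items()}
```

Running audit_config(SAMPLE_CONFIG) reports no findings for ethernet0/1, two for ethernet0/6 (speed and duplex) and three for ethernet0/9 (port number, VLAN range, shutdown).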
4. The following example allows all hosts to communicate between the inside and hr
networks but only specific hosts to access the outside network:
5. The following sample access list allows common EtherTypes originating on the
inside interface:
6. The following example allows some EtherTypes through the ASA, but it denies all
others:
7. The following example denies traffic with EtherType 0x1256 but allows all others
on both interfaces:
8. The following example uses object groups to permit specific traffic on the inside
interface:
interface: The interface command identifies either the hardware interface or the
Switch Virtual Interface (VLAN interface) that will be configured. Once in interface
configuration mode, you can assign physical interfaces to switch ports and enable
them (turn them on), or you can assign names and security levels to VLAN
interfaces.
nameif: The nameif command gives the interface a name and assigns a security
level. Typical names are outside, inside, or DMZ.
object network: States that this particular object is defined by IP addresses. The
subnet 192.168.106.0 255.255.255.0 command states that the object net-192.168.106 matches any
IP address beginning with 192.168.106.
The following guidelines and limitations apply to permitting or denying network access:
For the ASA 5550, for maximum throughput, be sure to balance your traffic
over the two interface slots; for example, assign the inside interface to slot 1 and
the outside interface to slot 0.
If you are using failover, do not use this procedure to name interfaces that you are
reserving for failover and Stateful Failover communications.
In transparent firewall mode, do not set the IP address for each interface, but
rather set it for the whole ASA or context. The exception is the Management
0/0 or 0/1 management-only interface, which does not pass through traffic.
You use access lists to control network access in both routed and transparent
firewall modes.
For connectionless protocols, you need to apply the access list to both the source
and destination interfaces if you want traffic to pass in both directions.
The show running-config access-group command displays the current access
lists bound to the interfaces.
The clear configure access-group command removes all the access lists from
the interfaces.
Here are some useful commands that help track the packet flow details at different
stages in the process:
Command: copy startup-config running-config
Purpose: Merges the startup configuration with the running configuration.
Command: reload
Purpose: Reloads the ASA, which loads the startup configuration and discards the running configuration.
Command: clear configure all, followed by copy startup-config running-config
Purpose: Loads the startup configuration and discards the running configuration without requiring a reload.
Command: show arp
Purpose: Displays the address routing protocols.
Fig(4). Troubleshooting Connectivity Through the Firewall
Router
Make:
Software version:
IP address:
Steps to connect:
1. xx
2. xxx
IDS/IPS
Make:
Model:
Software version:
IP address:
Steps to connect:
1. xx
2. xxx
Load balancer
Make:
Software version:
IP address:
Steps to connect:
1. xx
2. xxx
Storage configuration
Network diagram: