Firewall Deployment

Eric Kostlan – Technical Marketing Engineer

BRKSEC-2020 (Cisco Live ANZ 2016)

Source PDF: d2zmdbbm9feqrf.cloudfront.net/2016/anz/pdf/BRKSEC-2020.pdf

Page 1: Firewall Deployment

Page 2: Firewall Deployment

Eric Kostlan – Technical Marketing Engineer

BRKSEC-2020

Page 3: Session Objectives

Upon successful completion of this session, the attendee will be able to:

• Compare and contrast the Cisco firewall solutions

• Determine which firewall solution is appropriate for which use case

• Describe how resilience is provided through high availability and clustering

• Utilize traditional and next-generation firewall features to provide effective network security

Page 4: Related Sessions (Thursday)

• BRKSEC-2032 - FP NGIPS Deployment and Operationalisation. Thursday 10 Mar, 2:30 PM - 4:00 PM, Room 207. Mark Pretty, Consulting Systems Engineer, Cisco

• BRKSEC-3010 - Firepower 9300 Deep Dive. Thursday 10 Mar, 4:30 PM - 6:00 PM, Room 207. Andrew Ossipov, Principal Engineer, Cisco

• BRKSEC-2763 - ASA and FirePOWER in ACI. Thursday 10 Mar, 4:30 PM - 6:00 PM, Room 208. Goran Saradzic, Technical Marketing Engineer, Cisco

Page 5: Related Sessions (Friday)

• BRKSEC-3032 - Advanced - ASA Clustering Deep Dive. Friday 11 Mar, 8:45 AM - 10:45 AM, Room 104. Andrew Ossipov, Principal Engineer, Cisco

• BRKSEC-3055 - Troubleshooting: ASA Firepower NGFW. Friday 11 Mar, 2:00 PM - 4:00 PM, Room 104. Prapanch Ramamoorthy, Engineer, Technical Services, Cisco

Page 6: Agenda

• Cisco Product Family
• Firewall Technologies
• Firewall Deployment Modes
• Use Case
• Firewall Deployment at the Edge
• Firewall Deployment in the Data Centre
• Conclusion

Page 7: Cisco Firewall Product Family

Page 8: The Cisco Firewall Zoo

• Adaptive Security Appliance (ASA) – hardened firewall appliance, proprietary OS, Ethernet and fibre ports on box. (1G/10G)

• ASA SM – Next Gen line card for Catalyst 6500, no physical interfaces, runs ASA code image

• Adaptive Security Virtual Appliance Firewall (ASAv) – Virtual ASA that runs with a full ASA code base, not dependent upon Nexus1000v

• ASA with FirePOWER Services – ASA firewall appliance which integrates a full installation of FirePOWER NGFW, NGIPS, AMP and Contextual Services

• VSG – Virtual Security Gateway – Zone-based Virtual firewall dependent upon Nexus1000v Switch – mentioned but not detailed in this session

• Cisco Firepower NGFW with Firepower Threat Defense (FTD)

Page 9: Cisco IPS and Firewall Offerings

• Traditional ASA
• Firepower appliances
  • Acquisition of Sourcefire was October 2013
• ASA with Firepower Services
  • Product integration with separate management solutions and program space
  • Feature complete for both ASA and Firepower
• Cisco Sourcefire NGFW with Firepower Threat Defense (FTD)
  • Unified management and program space (not packet copy)
  • Feature parity with Firepower
  • ASA features being phased in

Page 10: Cisco NGFW and ASA Product Family

[Figure: product family arranged on a "Performance and Scalability" axis. Models: ASA 5506W, ASA 5506-X, ASA 5506H, ASA 5508-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X Series (SSP 10, 20, 40, 60), FP 4100 Series (4110, 4120, 4140), FP 9300. Market segments shown: SMB & Distributed Enterprise; Commercial & Enterprise; Data Centre, High Performance Computing, Service Provider]

Page 11: Firepower 9300 Overview

• Security Modules
  • Embedded packet/flow classifier (Smart NIC) and crypto hardware
  • CPUs with a total of 24 or 36 physical cores (48 or 72 with hyperthreading)
  • Standalone or clustered within (up to 240Gbps) and across (1Tbps+) chassis
• Supervisor
  • Application deployment and orchestration
  • Network attachment (10GE/40GE) and traffic distribution
  • Clustering base layer for ASA Firewall or Cisco NGFW

Page 15: Firepower 4100 Series Front View

[Figure: front panel with callouts. Security Engine; fixed 8x SFP+ (10G) ports, numbered 1-8; modular system with 2x Network Module (NetMod) slots (NetMod 1, NetMod 2); 2x 2.5" SSD slots (SSD1, SSD2); Power LED, SYS LEDs, Console, Mgmt, USB, Locator]

Page 17: Network Modules and Transceivers Support

• All external network modules require fiber or copper transceivers
• Fail To Wire network modules provide hardware bypass functionality
• 8x10GE module
  • 1GE optical SFP support
  • 1GE copper SFP support
  • 10GE optical SFP+
  • 10GE optical SFP-S
  • 10GE Twinax support
  • Support for both single mode and multi mode optical cable
• 4x40GE module
  • 40GE QSFP support
  • 4x10GE breakouts for each 40GE port
  • Support for both single mode and multi mode optical cable
  • Support for direct-attach copper cable

Page 20: Industrial Security Appliance (ISA)

• Software
  • Firewall: ASA
  • IPS: Firepower Services
• Identify and block threats
  • Generic
  • OT protocol specific
  • OT application specific
• Application Visibility and Control
  • Protocols
  • Applications
  • Individual commands

Page 21: Firewall Deployment Modes

Pages 22-25: Firewall Design: Modes of Operation

• Routed Mode is the traditional mode of the firewall: two or more interfaces that separate L3 domains. The firewall is the router and gateway for local hosts.

[Figure, page 22: routed-mode firewall with interfaces 10.1.1.1 on 10.1.1.0/24 and 192.168.1.1 on 192.168.1.0/24; host IP 192.168.1.100 with GW 192.168.1.1; NAT and DRP labels]

• Transparent Mode is where the firewall acts as a bridge functioning at L2
• A transparent-mode firewall offers some unique benefits in the DC
• Transparent deployment is tightly integrated with our 'best practice' data centre designs

[Figure, page 23: transparent-mode firewall bridging VLAN 192 and VLAN 1920 within 192.168.1.0/24; the host keeps IP 192.168.1.100 and GW 192.168.1.1]

• Multi-context Mode involves the use of virtualized firewalls called security contexts, which can be either routed or transparent mode
  • Each context has separate policies, a separate control plane, a separate data plane and dedicated interfaces
• Mixed (Multi-context) Mode combines routed and transparent mode virtualized firewalls on the same chassis or cluster of chassis

Page 26: ASA Traffic Zones

• Assign multiple logical interfaces to a Traffic Zone
• Load-balances connections to multiple ISPs, using a 6-tuple
• Return traffic is matched to the connection entry from any interface in a zone
• All zone interfaces must be at the same security level
• Seamless connection switchover to another egress interface in the same zone on failure
• Enables the Layer 3 Massively Scalable Data Centre (MSDC) spine-and-leaf model
• Only supported in routed-mode firewall

[Figure: ASA with interfaces outside1 and outside2 in an "Out Zone" and inside1 and inside2 in an "In Zone"]

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-zones.html

Page 27: NGFW (FTD) Device Deployment Modes

• Routed or transparent mode is configured with the setup dialog
  • Changing between these modes requires re-registering with FMC
  • Policies will be re-deployed
• Routed
  • Layer 3 firewall
  • Most typical deployment for the edge
• Transparent
  • Layer 2 firewall

Page 28: NGFW (FTD) Security Zones

• True zone based firewall

• Security zones are collections of interfaces or sub-interfaces

• Policy rules can apply to source and/or destination security zones.

• Security levels are not used

Page 29: Optional Interface Modes

• By default, all interfaces are firewall interfaces
• Optionally, specific interfaces can be extracted for use as IDS or IPS
  • IDS mode
    • Inline Tap
    • Passive
  • IPS mode
    • Inline

Page 30: Mix and Match Interface Modes

[Figure: one device whose interfaces A to J are split between routed/transparent firewall interfaces, an inline set made of Inline Pair 1 and Inline Pair 2, an inline tap pair and passive interfaces, all governed by the same policy tables]

Page 31: Failover and Clustering

Page 32: ASA Failover Active-Standby

• All features are supported when using A/S, including SSLVPN and NGFW/NGIPS
• Both ASAs in the pair must be identical in software, memory, interfaces (including SSM/SSP modules) and mode
• Not recommended to share the state and failover link
  • Use a dedicated link for each if possible
• Long-distance LAN failover is supported if latency is less than 100 ms

[Figure: primary ASA (active) and backup ASA (standby) connected by a failover link and a state link]

Pages 33-35: How Failover Works

[Figure: primary ASA (active) and secondary ASA (standby) connected by failover and state links, exchanging HELLO messages]

• The failover link passes hellos between the active and standby units every 15 seconds (tunable from 200 msec to 15 seconds)
• After three missed hellos, the local unit sends hellos over all interfaces to check the health of its peer. Whether a failover occurs depends on the responses received
• If there is no response, the local unit becomes active (the secondary ASA takes the active role)

Page 36: ASA Failover Active-Active

• Active-Active is 2 reciprocal pairs of Active-Standby virtual firewalls
• Requires virtualisation (multi-context), which may require additional licensing
• Virtualisation does not yet support SSLVPN/Remote Access VPN
• No load-balancing or load-sharing support
  • Not true Active/Active flow
  • True Active/Active flow is accomplished with ASA Clustering
• A subnet/VLAN can only be active on one node at a time

[Figure: two ASAs joined by failover and state links; CTX1 active on the first unit and standby on the second, CTX2 active on the second unit and standby on the first; VLAN10, VLAN20, VLAN30, VLAN40]

Page 37: Scaling Provided by Clustering

• Up to 16 ASA-X units
• For the ASA 5585-X: firewall max throughput 640 Gbps; Firepower IPS throughput (440-byte packets) 96 Gbps
• Each Sourcefire sensor is an independent instance
  • ASAs share connection state information
  • Sourcefire sensors do not share signature state information
• State-sharing between firewalls for symmetry and high availability
  • Every session has an Owner; ownership is managed by the Director node
  • ASA provides traffic symmetry to the Firepower module

Page 38: Asymmetric Traffic

• Depending on the access switch running vPC, either upstream link could be used to send the return traffic
• This is one easy way asymmetry can get introduced
• Deploying security devices that do not integrate into modern designs gets very difficult
• These problems get more complicated when moving to distributed data centres
• One requirement for inserting security services into this deployment is that it has to handle that traffic will be asymmetric

[Figure: Outside, Core (N7K), Access switches joined by a vPC peer-link, DC Servers dual-homed with vPC]

Page 39: Cluster Mode

• Spanned EtherChannel mode
  • ASA interfaces are grouped in an EtherChannel. LACP must be used in conjunction.
  • The ASAs share a system IP and MAC and together act as a single logical link. The switch uses EtherChannel load balancing (ECLB) to balance load to each ASA.
  • Each interface also has its own private MAC address, which is used in LACP auto-negotiation if enabled.
• Individual mode
  • ASA interfaces on each ASA have their own IP and MAC
  • The upstream router can use PBR or ECMP to balance packets to individual units

*New versions of ASA code have exceeded this limitation with cLACP and ASA clustering

Page 40: EtherChannel Basics

• EtherChannel LAG (IEEE standard 802.3ad) allows up to 16 physical Ethernet links to be combined into one logical link; 8 links can be active and forwarding data*
• Ports must have the same capabilities: duplex, speed, type, etc.
• Benefits of EtherChannel are increased scale, load-balancing and HA
• Load balancing is performed via a load-balancing hash algorithm; the Cisco default is src-dst IP
  • Recommended hash is either the default or src-dst ip-l4-port
• EtherChannel uses LACP (Link Aggregation Control Protocol)
  • Static LAG can be used, but be aware of the traffic black holes it may cause

[Figure: EtherChannel between a switch and a peer, labelled "LACP Load Balance src-dst-IP (hash)"]

Page 41: Virtual Port Channel

• vPC (like VSS) is known as Multi-Chassis EtherChannel
• Common in the Data Centre
• Allows multiple devices to share multiple interfaces
• STP is active but does not impact throughput, because all links are active; there are no STP-blocked ports
• A vPC Peer Link is used on Nexus 5K/6K/7K devices to instantiate the vPC domain and allow sharing
• The Peer Link synchronizes state between vPC peers

[Figure: two Nexus switches joined by a vPC peer link; two 10G members form one 20G channel; LACP load balance src-dst-IP (hash)]

Page 42: EtherChannel on the ASA

• Supports 802.3ad and LACP/cLACP standards
• Direct support for vPC/VSS - CVD
  • No issues with traffic normalization or asymmetry
• Up to 8 active and 8 standby links*
• 100Mb, 1Gb, 10Gb are all supported – must match
• Supported in all modes (transparent, routed, multi-context)
• Configurable hash algorithm (default is src/dest IP)
  • SHOULD match the peer device for most deterministic flows
• Redundant interface feature and LAG on ASA are mutually exclusive
• Not supported on 4GE SSM (5540/50) or 5505
• ASA 9.2+ cluster allows 32-port active EtherChannel

*Non-clustered ASA allows 16 active and 16 standby links supported with cLACP

Page 43: ASA Cluster with FirePOWER Services Module for NGIPS

[Figure: ASA cluster attached by vPC to the switches above and below it]

1. ASA appliances with FirePOWER services modules are deployed as a Spanned EtherChannel cluster to represent a single logical device.
2. The cluster member that gets the first packet for a connection assumes full processing ownership for all associated packets.
3. Clustering automatically redirects asymmetrically received packets to the connection owner for full processing.
4. The local FirePOWER module has full visibility into the flow due to localized processing.

Page 44: ASA Cluster with FirePOWER Appliances for NGIPS

[Figure: ASA cluster attached by vPC to the switches above and below it, with an in-line FirePOWER appliance beside each member]

1. ASA appliances are deployed as a Spanned EtherChannel cluster to represent a single logical device operating in multiple-context mode.
2. An in-line FirePOWER appliance attaches to each ASA cluster member in a context sandwich.
3. Clustering automatically redirects asymmetrically received packets to the ASA connection owner for full processing.
4. The local FirePOWER appliance has full visibility into the flow due to localized processing. An optional EEM script on the switch speeds up failure detection.
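The ownership and redirection behaviour in steps 2 and 3 above, together with the asymmetry problem from page 38, as an added example that is not part of the deck: a small Python model of a spanned-EtherChannel cluster. The hash function, the addresses, and the redirect/drop accounting are constructed assumptions, not Cisco's implementation.

```python
# Added example, not from the deck: a simplified model of cluster flow
# ownership behind a spanned EtherChannel (pages 38, 43 and 44). The hash,
# the addresses and the redirect/drop accounting are constructed assumptions,
# not Cisco's implementation.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    seq: int  # constructed sequence number, used only in the trace


def flow_key(pkt):
    """Direction-independent key so both halves of a connection share one owner."""
    return tuple(sorted((pkt.src, pkt.dst)))


def etherchannel_member(pkt, members, hash_seed):
    """Stand-in for the switch's src-dst-IP EtherChannel hash. hash_seed models
    the fact that the outside switch and the DC access switch (vPC pair) hash
    independently, so a flow's return packets can land on another cluster unit."""
    octets = [int(o) for ip in sorted((pkt.src, pkt.dst)) for o in ip.split(".")]
    return (sum(octets) + hash_seed) % members


@dataclass
class Cluster:
    members: int
    redirect: bool = True   # False models independent (non-clustered) firewalls
    owner: dict = field(default_factory=dict)   # flow_key -> owning unit
    redirects: int = 0
    drops: int = 0
    trace: list = field(default_factory=list)   # (seq, arriving unit, owner, action)

    def deliver(self, pkt, arriving_unit):
        """Return the unit that fully processes this packet, or None if dropped."""
        key = flow_key(pkt)
        # page 43, step 2: the member that sees the first packet owns the flow
        owner = self.owner.setdefault(key, arriving_unit)
        if owner == arriving_unit:
            self.trace.append((pkt.seq, arriving_unit, owner, "local"))
            return owner
        if not self.redirect:
            # no cluster: this unit has no state for the flow, so the
            # asymmetric packet is dropped (the problem page 38 describes)
            self.drops += 1
            self.trace.append((pkt.seq, arriving_unit, None, "dropped"))
            return None
        # page 43, step 3: forward to the owner over the cluster control link
        self.redirects += 1
        self.trace.append((pkt.seq, arriving_unit, owner, "redirected"))
        return owner


def run_flow(members, outside_seed, dc_seed, redirect=True):
    """Constructed client/server exchange: client->server packets are hashed by
    the outside switch, server->client packets by the DC access switch."""
    cluster = Cluster(members, redirect)
    client, server = "198.51.100.7", "10.120.1.25"   # constructed addresses
    pkts = [Packet(client, server, 1), Packet(server, client, 2),
            Packet(client, server, 3), Packet(server, client, 4)]
    for p in pkts:
        seed = outside_seed if p.src == client else dc_seed
        cluster.deliver(p, etherchannel_member(p, members, seed))
    return cluster


if __name__ == "__main__":
    for label, seeds in (("symmetric", (0, 0)), ("asymmetric", (0, 1))):
        c = run_flow(4, *seeds)
        print(f"{label}: redirects={c.redirects} owners={set(c.owner.values())}")
        for row in c.trace:
            print("  ", row)
    print("no clustering, asymmetric: drops =", run_flow(4, 0, 1, redirect=False).drops)
```

With the same hash on both sides every packet is processed locally; with different hashes the return packets arrive at unit 1 and are redirected to the owner (unit 0), whereas a pair of independent firewalls would drop them.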

Page 45: Cluster Between Data Centres

• Best-practice maximum latency is an RTT of 20 ms
• Can be spanned EtherChannel mode or individual mode

*New versions of ASA code have exceeded this limitation with cLACP and ASA clustering

Page 46: Use Case

Page 47: CLINET (clinet.com)

• CLINET (clinet.com) is a fictional company created for understanding use cases in ASA firewall deployment
• Company requirements and configuration examples are based upon real-life customer conversations and deployments
• Only designs we have fully certified in the Validated Design Lab
• Cisco Validated Design (CVD) approved configuration(s)
  • DesignZone: http://www.cisco.com/go/designzone
  • VMDC (Data Centre CVD): http://www.cisco.com/go/vmdc
  • New Data Centre Security CVDs: http://www.cisco.com/go/designzonesecuredc

Cisco LIVE Information Networking Company

Page 48: CLINET (clinet.com) Network Topology

[Figure: overall topology with three callouts: redundant ASA(s) deployed in routed mode for Edge/DMZ; clustered ASA(s) in routed mode for PCI and transparent mode for Data Centre / Access Fabric; virtual ASA (ASAv) deployed in the virtual environment (hypervisor)]

Note: Storage architecture is not depicted in this layout, nor will it be discussed

Page 49: clinet.com Edge ASA Deployment Details

clinet.com ASN 65345, IP range 128.107.1.0/24

[Figure: ISP-A and ISP-B feeding two edge routers; an active/standby ASA pair (interfaces G0/0 to G0/5, T0/6, T0/7) between the edge and the Edge Aggregation VDC (vPC); two DMZ networks (public Web/DB)]

1. Edge routers running HSRP; the FHRP address is 128.107.1.1
2. FW deployed in L3 'routed' mode with NAT and ACLs; a routing protocol will be used on the inside
3. Outside and DMZ use redundant interfaces
4. Inside interface uses EtherChannel
5. Use-case specific internal zones:
   • VL2 – Security diversion network for scanning questionable traffic
   • VL120 – Primary internal zone; services the primary internal network ('Trusted Zone')
   • VL1299 – Isolated internal DMZ for BYOD / contractor / unknown; Internet access only
6. Two DMZ zones will be created:
   • VLAN 150 – Web Public (www, DNS, smtp); Public Web DMZ 10.200.1.0/24
   • VLAN 151 – Partner Intranet (wwwin, Oracle link); 10.100.100.0/24; Web/App/dB (Oracle) 172.16.25.250
7. Active/Standby HA will be used at the edge

Page 50: clinet.com DC AGG ASA Deployment Details – General Requirements

[Figure: OSPF-routed Data Centre Core (Core VDC), Data Centre Aggregation (PCI VDC, Aggregation VDC, PCI Zone), an ASA cluster attached with cLACP, and Virtual Access / Compute Networks. Internal zones carried from the edge aggregation into the core: VLAN 2 diversion network for scanning, VLAN 120 inside network 'Trusted Zone', VLAN 1299 DMZ zone for contractor / BYOD / unknown]

• DC core is routed using OSPF. Routing will remain in place (on the DC switches); the ASA must be deployed without disrupting the current L3 architecture
• ASA clustering is used for scale and HA; it leverages cLACP for the data plane (EtherChannel)
• ASA FW deployed as a 'mode-multi' mixed-mode system; it will have both L3 and L2 contexts to solve the use case:
  • PCI-CTX (routed)
  • BYOD-CTX (transparent) – VLAN 1299 DMZ BYOD
  • PTNR-CTX (transparent) – VLAN 201 Oracle dB1
• BYOD/Unknown DMZ and Partner Oracle access are controlled by the ASA vFW
• Virtual ASA deployed within the hypervisor to protect East/West traffic flows

Page 51: clinet.com Data Centre Compute ASAv Deployment – General Requirements

[Figure: same core / aggregation / ASA cluster topology as page 50, with the compute networks detailed: VLAN 1299 DMZ BYOD (BYOD-CTX, transparent), VLAN 201 Oracle dB1 (PTNR-CTX, transparent), VLAN 445 AD, exch, etc., and PCI-CTX (routed); virtual ASA deployed within the hypervisor to protect East/West traffic flows]

Page 52: CLINET Upgrading to NGFW and NGIPS – Which Next Generation Features to Deploy Where

• Internet Edge
  • Application Visibility and Control (AVC)
  • Intrusion Prevention (IPS)
  • Advanced Malware Protection (AMP)
• Data Centre
  • Focus on IPS
  • AMP if you are allowing uploads of files
  • Applications should be known
  • Layer 1, 2 or 3 may be appropriate
• Compute
  • Virtual NGFW and NGIPS are available, if required

Page 53: Next Generation Features and Performance

Category                                                 FP 4110     FP 4120     FP 4140
Large Packet Firewall (1500 byte UDP)                    20 Gbps     40 Gbps     60 Gbps
Firewall Throughput                                      10 Gbps     20 Gbps     30 Gbps
NGFW - FW+AVC Perf. (440 byte)                           4–6 Gbps    6–8 Gbps    10–15 Gbps
NGFW - FW+AVC+IPS Perf. (440 byte)                       2–4 Gbps    3–6 Gbps    6–12 Gbps
NGFW - FW+AVC+IPS+AMP Perf. (440 byte)                   2 Gbps      2.5 Gbps    5 Gbps
NGFW - FW+AVC+IPS+AMP+URL Perf. (440 byte)               2 Gbps      2.5 Gbps    5 Gbps
NGFW - Enable Logging Impact (Max %)                     15%         15%         15%
Standalone NGIPS Perf. - No FW/AVC (440 byte),
  "balanced" base policy, no tuning                      4 Gbps      8.5 Gbps    12 Gbps

Page 54: Firewall Deployment at the Edge

Page 55: ASA Deployment Checklist (Edge)

• Implement HA
  – Active-Standby
  – HSRP
• Determine Next Generation capabilities
  – IPS
  – AVC
  – URL Filtering
  – AMP
• Configure traditional firewall capabilities
  – NAT
  – ACL
  – Routing

Page 56: NAT on the ASA or NGFW (FTD)

• Single translation rule table
• Access lists reference the internal (real) IP address and not the global
• Manual NAT (Twice NAT)
  • Allows for bi-directional translation
  • Allows specifying both source and destination NAT within a single line
  • More flexibility in creating NAT rules (one-to-one, one-to-many, many-to-many, many-to-one)
• Automatic NAT (Auto NAT or object-based)
  • Single rule per object
  • Useful for less complex scenarios

Page 57: NAT Processing Semantics

• Rules are processed in order (like ACEs inside an ACL); caching of those rules' IDs inside data-plane structures ensures this
  • The rule ID is used to change its place inside the list
• Manual NAT rules are always processed first
  • Within the Manual NAT rule list, only the order matters; it does not take into account the dynamic/static nature of the statement
• Auto NAT rules are processed next
  • Auto NAT rule ordering is predefined based on the following order of precedence:
    • static over dynamic
    • longest prefix
    • lower numeric address (starting from the 1st octet)
    • lexicographic ordering of object names

Page 58:

Edge NAT Use Case Requirements

Topology shown on the slide (ASA interfaces G0/0-G0/3 and T0/6-T0/7; edge, aggregation, VDC and virtual access/compute tiers):

• Outside network 128.107.1.0/24, FHRP 128.107.1.1, uplinks to ISP-A and ISP-B

• VLAN 150 Public DMZ 10.150.1.0/24: Web .100, DNS .110, SMTP/OWA .250

• VLAN 151 Partner DMZ 10.151.100.0/24: Web .200, SQL .201

• VLAN 2 10.2.1.0/24 and VLAN 120 10.120.1.0/24 (Inside and Diversion networks)

• VLAN 1299 BYOD/Unknown 10.255.255.0/24

• Data Centre: VLAN 201 Oracle dB 172.16.25.250; VLAN 445 AD and Exchange 10.245.10.0/24 (.245, .250)

Requirements (callouts on the slide):

1. Diversion and BYOD are specific subnets and will require dedicated NAT rules. Inside serves the entire DC via many subnets, thus its NAT rules will be more generic.

2. VL1299 BYOD/Unknown subnet only uses the Internet.

3. The public DNS server is used in all use cases; internal DNS servers use .110 for recursive queries.

4. VL150 Public DMZ serves data only to the Internet. The SMTP/OWA server must communicate with AD and Exchange in DC VL445.

5. VL151 Partner DMZ serves web intranet data to partners. Web .200 uses SQL .201 to populate fields; SQL .201 leverages the back-end Oracle dB in VLAN 201. Partner web uses public DNS, but the public DMZ does not need any access to the partner DMZ.

6. VL201 and VL445 contain the server resources used by the DMZ networks. These resources need to be available using their real identities (real, untranslated addresses).
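The ordering rules from the NAT Processing Semantics slide, applied to the edge requirements above, modelled in Python as an added example (this is not code or configuration from the slides or from Cisco). The real subnets are the ones on the slide diagram; the rule names, the mapped addresses 128.107.1.5, .6, .100 and .110, the choice of PAT to the interface for the generic rules, and the decision to give BYOD a dedicated Manual NAT rule are all assumptions. Auto NAT is matched on the source object only; Manual NAT can match on source and destination, which is what the identity rules for the DC resources need.

```python
"""Model of ASA/FTD NAT table ordering and first-match lookup.

Manual (Twice) NAT rules come first, in configured order, whether they are
static or dynamic.  Auto NAT rules follow, ordered by: static before dynamic,
longest real-address prefix, lowest numeric address, then object name.
Added example: rule set constructed for the slide's topology, mapped
addresses assumed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class ManualNat:
    name: str
    src_real: str       # real source subnet
    dst_real: str       # real destination subnet ("0.0.0.0/0" = any)
    src_mapped: str
    dst_mapped: str
    static: bool = True


@dataclass(frozen=True)
class AutoNat:
    obj: str            # network object the rule is bound to
    real: str           # the object's real address/subnet
    mapped: str         # mapped address, or "interface" for PAT to the egress interface
    static: bool


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def auto_nat_key(rule):
    """Sort key implementing the fixed Auto NAT precedence."""
    n = _net(rule.real)
    return (0 if rule.static else 1,   # static over dynamic
            -n.prefixlen,              # longest prefix first
            int(n.network_address),    # lower numeric address first
            rule.obj)                  # lexicographic object name


def build_nat_table(manual, auto):
    """Manual NAT in configured order, then Auto NAT in precedence order."""
    return list(manual) + sorted(auto, key=auto_nat_key)


def rule_name(rule):
    return rule.name if isinstance(rule, ManualNat) else rule.obj


def lookup(table, src, dst):
    """Return the first rule matching the real source/destination pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in table:
        if isinstance(rule, ManualNat):
            if s in _net(rule.src_real) and d in _net(rule.dst_real):
                return rule
        elif s in _net(rule.real):      # Auto NAT matches on the source object only
            return rule
    return None


# Constructed rule set for the slide topology (mapped addresses are assumed).
MANUAL_NAT = [
    # Req 6: DC resources reached from the DMZs with real identities (identity NAT)
    ManualNat("PUBDMZ_TO_DC_IDENTITY", "10.150.1.0/24", "10.245.10.0/24",
              "10.150.1.0/24", "10.245.10.0/24"),
    ManualNat("PARTNER_SQL_TO_ORACLE_IDENTITY", "10.151.100.201/32", "172.16.25.250/32",
              "10.151.100.201/32", "172.16.25.250/32"),
    # Req 1/2: BYOD gets a dedicated dynamic PAT rule; its position in the
    # Manual NAT list is what matters, not that it is dynamic.
    ManualNat("BYOD_PAT", "10.255.255.0/24", "0.0.0.0/0",
              "128.107.1.5/32", "0.0.0.0/0", static=False),
]

AUTO_NAT = [   # deliberately listed out of order; the ASA orders them itself
    AutoNat("INSIDE_ALL", "10.0.0.0/8", "interface", static=False),      # generic (Req 1)
    AutoNat("VL120_NET", "10.120.1.0/24", "128.107.1.6/32", static=False),
    AutoNat("PUB_DNS", "10.150.1.110/32", "128.107.1.110/32", static=True),
    AutoNat("PUB_WEB", "10.150.1.100/32", "128.107.1.100/32", static=True),
    AutoNat("PUB_DMZ_NET", "10.150.1.0/24", "interface", static=False),
]

NAT_TABLE = build_nat_table(MANUAL_NAT, AUTO_NAT)


def table_order():
    """Rule names in the order the firewall evaluates them."""
    return [rule_name(r) for r in NAT_TABLE]


def matched_rule(src, dst):
    r = lookup(NAT_TABLE, src, dst)
    return rule_name(r) if r else None


if __name__ == "__main__":
    print(table_order())
    # Manual identity rule wins over the PUB_WEB static even though both match the source.
    print(matched_rule("10.150.1.100", "10.245.10.245"))
    print(matched_rule("10.150.1.100", "203.0.113.9"))
```

Running it shows the two /32 statics ahead of the three dynamic rules, the two /24 dynamics ahead of the /8, and the web server's traffic to VL445 hitting the identity rule rather than its public static: the security point is that the "real identities" requirement depends on the Manual NAT rule existing, not on where the Auto NAT static sits.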

Page 59:

Access Control Lists

• Like Cisco IOS, ACLs are processed top down, sequentially, with an implicit deny all at the bottom

• The first ACE whose criteria match is applied and processing of the ACL stops

• ACEs can be enabled/disabled based on time ranges

• ACLs are made up of Access Control Entries (ACEs)

• Remarks can be added per ACE or per ACL

• An ACE may include objects such as user/group, SGT, etc.

• The ASA references the real (pre-NAT) IP address in ACLs

Page 60:

Edge ACL Use Case Requirements

Topology: the same diagram as the Edge NAT use case (outside 128.107.1.0/24 with FHRP 128.107.1.1 towards ISP-A/ISP-B; VLAN 150 Public DMZ 10.150.1.0/24 with Web .100, DNS .110, SMTP/OWA .250; VLAN 151 Partner DMZ 10.151.100.0/24 with Web .200, SQL .201; VLAN 2 10.2.1.0/24; VLAN 120 10.120.1.0/24; VLAN 1299 BYOD/Unknown 10.255.255.0/24; Data Centre VLAN 201 Oracle dB 172.16.25.250 and VLAN 445 AD/Exchange 10.245.10.0/24 (.245, .250); ASA interfaces G0/0-G0/3, T0/6-T0/7).

Requirements (callouts on the slide):

1. Diversion and BYOD networks are outbound only. The Inside network is outbound only but will need to use the Public DMZ.

2. VL1299 BYOD/Unknown subnet only uses the Internet.

3. The public DNS server is used in all use cases; internal DNS servers use .110 for recursive queries.

4. VL150 Public DMZ serves data only to the Internet. The SMTP/OWA server must communicate with AD and Exchange in DC VL445.

5. VL151 Partner DMZ serves web intranet data to partners. Web .200 uses SQL .201 to populate fields; SQL .201 leverages the back-end Oracle dB in VLAN 201. Partner web uses public DNS, but the public DMZ does not need any access to the partner DMZ.

6. VL201 and VL445 contain the server resources used by the DMZ networks. These resources need to be available using their real identities (real, untranslated addresses).
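The ACL semantics from the Access Control Lists slide (top-down first match, implicit deny, per-ACE time ranges, real addresses in ACEs) applied to the edge ACL requirements above, as an added Python example; it is not configuration from the slides or from Cisco. The real addresses are the slide's; the ACL names, the specific ACEs chosen to satisfy requirements 3, 4 and 5, the 02:00-04:00 maintenance time range and the port numbers are assumptions.

```python
"""First-match ACL evaluation as on the ASA.

ACEs are checked top-down; the first ACE whose criteria match decides the
packet and processing stops; an implicit deny sits at the bottom.  An ACE
with a time range is only considered while the range is active.  Addresses
in ACEs are real (pre-NAT) addresses.  Added example; the ACLs below are
constructed from the slide's edge ACL requirements.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol, else "tcp"/"udp"
    src: str                        # real source subnet ("0.0.0.0/0" = any)
    dst: str                        # real destination subnet
    dport: Optional[int] = None     # destination port, None = any
    time_range: Optional[Tuple[time, time]] = None   # active window, else always
    remark: str = ""


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _active(ace, now):
    if ace.time_range is None:
        return True
    start, end = ace.time_range
    return start <= now.time() <= end


def evaluate(acl, proto, src, dst, dport=None, now=None):
    """Return (action, 1-based index of the matching ACE, or None for the implicit deny)."""
    now = now or datetime.now()
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, ace in enumerate(acl, start=1):
        if not _active(ace, now):
            continue                                # inactive ACE is skipped, not a deny
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in _net(ace.src) or d not in _net(ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx                      # first match ends processing
    return "deny", None                             # implicit deny all


MAINTENANCE = (time(2, 0), time(4, 0))   # assumed window for outbound patch downloads

# Inbound on the Public DMZ (VL150) interface: what the DMZ hosts may initiate.
PUBDMZ_IN = [
    Ace("permit", "ip", "10.150.1.250/32", "10.245.10.0/24",
        remark="Req 4: SMTP/OWA server to AD and Exchange in VL445"),
    Ace("deny", "ip", "10.150.1.0/24", "10.151.100.0/24",
        remark="Req 5: Public DMZ never reaches the Partner DMZ"),
    Ace("permit", "tcp", "10.150.1.0/24", "0.0.0.0/0", dport=80, time_range=MAINTENANCE,
        remark="assumed: outbound HTTP only during the maintenance window"),
]

# Inbound on the outside interface: the real DMZ addresses appear here, never
# the mapped 128.107.1.x addresses, because the ASA evaluates ACLs on real IPs.
OUTSIDE_IN = [
    Ace("permit", "tcp", "0.0.0.0/0", "10.150.1.100/32", dport=80, remark="public web"),
    Ace("permit", "udp", "0.0.0.0/0", "10.150.1.110/32", dport=53, remark="Req 3: public DNS"),
    Ace("permit", "tcp", "0.0.0.0/0", "10.150.1.250/32", dport=25, remark="inbound SMTP"),
]

if __name__ == "__main__":
    at = datetime(2016, 3, 10, 3, 0)
    print(evaluate(PUBDMZ_IN, "tcp", "10.150.1.250", "10.245.10.245", 389, at))
    print(evaluate(PUBDMZ_IN, "tcp", "10.150.1.100", "10.151.100.200", 443, at))
    # A check written against the mapped address silently falls to the implicit deny.
    print(evaluate(OUTSIDE_IN, "tcp", "203.0.113.9", "128.107.1.100", 80, at))
```

Two things worth noticing when running it: the web server's attempt to reach VL445 is denied by the implicit deny even though the SMTP/OWA host is permitted (the first ACE is a /32, not the subnet), and an inbound rule written against the mapped 128.107.1.100 address never matches anything, which is the practical consequence of "ASA references the real IP in ACLs".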

Page 61:

Dynamic Routing on ASA and NGFW (FTD)

• Static routing, including policy based routing (PBR)

• Dynamic routing

– RIP

– OSPF

– EIGRP

– BGP

• Multicast routing

• NGFW (FTD) does not yet have parity with the ASA for routing

– No PBR

– No EIGRP

– No multicast routing

Page 62:

Firewall Deployment in the Data Centre

Page 63:

ASA Deployment Checklist (Data Centre)

Specific Items for ASA in the Data Centre

– Verify deployment mode: routed, transparent, or both (mixing modes requires multiple-context mode)

– Create virtualized firewalls where applicable; multi-context firewalls are common, especially for multi-tenancy

– Transparent mode firewalls: deploying transparent mode, and how transparent mode works

– Compare virtual and physical firewall deployments for the DC based upon requirements

Implement Clustering

– Clustering basics

– Clustering deployment in the clinet.com Data Centre

Deploying ASAv (Virtual ASA)

– ESXi deployment

Page 64:

Security Contexts

• Multiple virtual firewalls in one physical ASA chassis (or cluster)

• Meets network separation / stateful filtering requirements for regulatory compliance and multi-tenant use cases

• Each virtualized firewall is considered a separate "context"

• Each context has a separate control plane, data plane, dedicated configuration memory space and dedicated interfaces

– Interfaces are not shared amongst contexts

• Physical interfaces are mapped to contexts and each context maps to a configuration

• Each context implements a unique, self-contained policy

• Maximum number of virtualized firewalls in one physical appliance is 250 (licensed feature)

– Up to 250 contexts in an ASA cluster

Page 65:

Security Context Configuration

• All virtualized firewall configurations must define a System context and an Admin context

– System context: physical ports are assigned here

– Admin context: remote root access and access to all contexts

• There is no policy inheritance between contexts

(Diagram on the slide: the System and Admin contexts alongside security contexts CTX 1, CTX 2 and CTX 3.)

Page 66:

ASA Multi-Context Mode Limits and Restrictions

• Limits

– ASA physical limit of 1024 total interfaces/VLANs

– Each transparent mode context is allowed 250 total bridge groups, each with up to 4 interfaces (VLANs), per context or transparent mode firewall

– Each routed mode context is allowed up to the maximum number of remaining interfaces (of 1024)

• Restrictions

– Remote Access VPN is not yet supported (S2S is supported)

– MAC addresses for virtual interfaces are automatically set to the physical interface MAC

– The Admin context can be used for traffic, but that grants the privileges of whoever manages the Admin context to all other contexts; use with caution

(Diagram on the slide: 1024 interfaces total; a transparent context gets up to 250 BVIs with up to 4 interfaces each, i.e. up to 1000 interfaces; a routed context up to 1024.)

Page 67:

Benefits of Transparent Mode

• Very popular architecture in data centre environments

• The existing Nexus/DC network fabric does not need to be modified to employ an L2 firewall

– As simple as changing the host(s) VLAN ID

• The firewall does not need to run routing protocols or become a segment gateway

– Firewalls are better suited to flow-based inspection than to packet forwarding like a router

• Routing protocols can establish adjacencies through the firewall

• Protocols such as HSRP, VRRP and GLBP can cross the firewall

• Multicast streams can traverse the firewall

• Non-IP traffic can be allowed (IPX, MPLS, BPDUs)

• Cisco Validated Designs (CVD) recommend a transparent (L2) firewall over a routed (L3) firewall for most internal DC zoning scenarios

• L3 use cases are still valid, especially in multi-tenant and Secure Enclave architectures

Page 68:

Transparent Mode Firewall

• The firewall functions like a bridge ("bump in the wire") at L2

• Only ARP packets pass without an explicit ACL; everything else, including the non-IP traffic listed above, must be permitted by an ACL

• Full policy functionality is included: NAT, ACLs, service policy, NGFW/NGIPS, etc.

• The same subnet exists on all interfaces in the bridge group

– Different VLANs on the inside and outside interfaces

• Focus on a specific use case when deploying transparent mode

Page 69:

Cisco ASAv

Get multiple-hypervisor support with traditional network interaction modes using any virtual switch.

• Hyper-V

– Hyper-V Manager and PowerShell deployments

– Generation 1 guests

• VMware

– vSphere client, ovftool, and vCentre OVF Config Dialog

– VMware ESXi 5.x, 6.x, Fusion

– E1000

• KVM

– Cisco ASAv qcow2 image

– KVM 1.0 Virtio driver

• Public Cloud

– Amazon Web Services: AMI in the marketplace

– Microsoft Azure: Azure Marketplace

• Day 0 and Any Virtual Switch

– vSwitch or dvSwitch

– Cisco AVS

– Cisco Nexus 1000V (no vPath)

– Open vSwitch

– Cisco ACI Integration

Page 70:

Next Generation Virtual Offerings

• vNGIPS

– Operates at layer 1 with inline pairs and inline pair sets

– Supported on ESXi

• vNGIPS for AWS

– Operates at layer 3

• vNGFW (FTD)

– Operates at either layer 2 or layer 3 depending on firewall mode

– Also operates at layer 1 with inline pairs and inline pair sets

Page 71:

Conclusion

Page 72:

Session Summary

You should now be able to:

• Compare and contrast the Cisco firewall solutions

• Determine which firewall solution is appropriate for which use case

• Describe how resilience is provided through high availability and clustering

• Utilize traditional and next-generation firewall features to provide effective network security

Page 73:

Complete Your Online Session Evaluation

Give us your feedback and receive a Cisco Live 2016 T-Shirt! Complete your Overall Event Survey and 5 Session Evaluations.

• Directly from your mobile device on the Cisco Live Mobile App

• By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/clmelbourne2015

• Visit any Cisco Live Internet Station located throughout the venue

T-Shirts can be collected in the World of Solutions on Friday 11 March 12:00pm - 2:00pm

Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com

Page 74:

Thank you

Page 75: