奇科電腦 (GeeGo Computer)
Introduction to Cisco PIX/ASA Firewall (PART III)

Author: Ben

01 Preface

In the September and November issues we covered the following topics:

  1. Stateful and stateless firewalls
  2. Security contexts (virtual firewalls)
  3. Transparent (layer 2) firewalls
  4. How to configure the Cisco ASA/PIX firewall
  5. Virtual firewall applications
  6. Transparent firewall applications

If you do not have those issues at hand, the same documents are available on the GeeGo website:

Network security is the major trend of the IT industry for the future, and its market is too large to estimate. I served as a senior network security consultant for Cisco Systems in Asia Pacific for nine years, so it can be said that I have a comprehensive view of where network security is heading. For example, the global sales volume of Cisco's network security products is growing at 100% per year. Cisco Systems is also actively acquiring small and medium-sized companies in the network security field in order to consolidate its future market share and offer a comprehensive network security solution.

As a result, I always tell my students that earning a network security certification is definitely a sound investment if you want a place of your own in such a competitive IT industry. I also recommend that every student work towards Cisco Systems certifications such as CCNP, CCSP, CCIE and CCIE Security.

Equipment:

  1. Cisco PIX/ASA Firewall
  2. Cisco 3524 Switch

Software:

  1. Cisco PIX or ASA 5500, software release 7.2(1), management application ASDM 5.2(1)

Essential knowledge:

  1. IEEE 802.1Q VLAN tagging
  2. Routing and firewall basics
  3. Cisco IOS operation

02 How to use ASDM to configure and manage the ASA/PIX

In Part I and Part II we built six virtual transparent firewalls (security contexts) named admin, geego1, geego2, geego3, geego4 and geego5.

Now we will use the Cisco ASA/PIX management application ASDM to manage all of the security contexts. First we configure the admin context.

To move between security contexts, or from the system execution space into a security context, run “changeto context <name>” (and “changeto system” to return). The prompt changes to show the context name, in the form hostname/context-name#. The following figure shows that we have entered the security context named ‘admin’.

Once inside a security context it is as if we were logged in to a separate firewall. Because this context is configured as a transparent firewall, its interfaces carry no IP addresses; the only address it owns is its management IP address. We therefore proceed with the following steps to make the context manageable.

1. Configure interface names, security levels and firewall attributes (e.g. inside, outside, DMZ)
First, assign a name and a security level to each interface in the admin context. By Cisco firewall convention the external interface is named ‘outside’ and the internal interface ‘inside’. Security levels range from 0 to 100; a lower number means a less trusted interface. By default a connection may only be initiated from a higher security level towards a lower one, so nothing can be initiated from outside to inside unless an access list applied to the outside interface explicitly permits it. The same rule applies in a transparent context even though the interfaces have no IP addresses.

2. Configure the management IP address
A transparent firewall bridges two separate LAN segments: from the IP point of view they form a single subnet, but at layer 2 they are two separate VLANs. For example, we allocate two sub-interfaces, Ethernet0/3.6 and Ethernet0/3.66, to the admin context, and assign VLAN ID 6 to Ethernet0/3.6 and VLAN ID 66 to Ethernet0/3.66.

The firewall management IP address therefore has to lie in that same subnet. For convenience, every LAN is numbered 192.168.<VLAN ID>.0/24; the admin context, whose inside interface carries VLAN ID 6, is thus in 192.168.6.0/24, and its management IP address is 192.168.6.100.

3. Enable the internal web server
To manage the ASA/PIX with ASDM we must first enable its built-in HTTPS server and then connect from a browser such as IE. Run ‘http server enable’ in configuration mode, and use the ‘http’ command to list the hosts or networks that are allowed to connect; leave out everything else so that the management interface is not reachable from arbitrary addresses. Details are shown in the following figure.

4. Connect with ASDM to manage the ASA/PIX
Start IE and connect over https to the firewall management IP address 192.168.6.100. We choose to install the ASDM Launcher on our host for convenience in future management.

When the ASDM Launcher appears, enter the firewall management IP address under “Device IP Address/Name” and click “OK”.
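The CLI equivalent of steps 1 to 4 above, written out here as an added example (it is not a figure from the original article and not Cisco's documentation verbatim), for the admin context on ASA software 7.2 in multiple-context mode. The interface names, VLAN IDs and management address are the ones used in this article; the ASDM image file name, the local user name and password, and the decision to permit ASDM only from the inside subnet are assumptions made for this example.

```cisco
! Enter the admin context from the system execution space.
! (The transparent mode, the sub-interfaces with VLAN 6 / VLAN 66, and the
!  allocation of both sub-interfaces to this context were done in the
!  system execution space in Parts I and II and are not repeated here.)
changeto context admin
configure terminal

! Step 1: interface names and security levels.
! Inside = 100 (most trusted), outside = 0 (least trusted).  With this
! ordering the default policy allows inside -> outside and blocks
! outside -> inside until an access list on outside permits it.
interface Ethernet0/3.6
 nameif inside
 security-level 100
interface Ethernet0/3.66
 nameif outside
 security-level 0

! Step 2: management IP address.
! In transparent mode the address is not bound to an interface; it is one
! address for the bridged pair and must sit in the bridged subnet
! (VLAN 6 / VLAN 66 = 192.168.6.0/24).
ip address 192.168.6.100 255.255.255.0

! Step 3: enable the built-in HTTPS server for ASDM and restrict who may
! reach it.  Only the inside subnet is permitted here (assumption);
! never open it with "http 0.0.0.0 0.0.0.0 outside".
http server enable
http 192.168.6.0 255.255.255.0 inside

! Require a named local account for ASDM rather than the bare enable
! password.  User name and password are placeholders for this example.
username asdmadmin password ChangeMe-Now1 privilege 15
aaa authentication http console LOCAL

! The ASDM image lives on the flash and is set in the system space;
! the file name is an assumption matching ASDM 5.2(1).
changeto system
configure terminal
asdm image disk0:/asdm-521.bin

! Step 4: verify, then open https://192.168.6.100/ in the browser.
changeto context admin
show running-config ip address
show running-config http
```

The two `http` lines are the part worth double-checking after every change: `http server enable` switches the service on, and the second line is the only thing that decides which addresses may open the management session to this context.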

After logging in to ASDM, all remaining configuration is done in ASDM. A session connected to the admin context can switch freely to the other contexts for further configuration, whereas a session connected to any other context sees only that context's configuration. This is what lets the MIS department of a small or medium-sized enterprise delegate firewall management to the MIS engineer of each department: each engineer is given the management address of his own context, while the admin context, which can reach every other context and the system configuration, stays with the central MIS staff.

For example, GeeGo Education has five departments: Personnel, Engineering, R&D, Finance and General Management, each with its own MIS engineer, and we have already configured five transparent firewalls. We can therefore give each department its own transparent firewall so that it can apply its own security policy. Next, we allocate geego1 to the R&D department for further configuration.

03 Combining the Firewall with IPS

Every Cisco ASA 5510 series chassis has one module slot, the SSM (Security Services Module) slot, for additional security functions. Two types of SSM are available:
1. AIP-SSM: a full-featured IPS, equivalent to the Cisco IPS 4200 series
2. CSC-SSM: Anti-X technology (anti-virus, anti-spyware, anti-spam, anti-phishing, URL filtering/blocking) provided by Trend Micro

In addition, the ASA itself already contains the full functionality of the Cisco VPN 3000 Concentrator series (including SSL VPN) and of the PIX firewall. See the following figure:

Here we combine the ASA 5510 with the AIP-SSM (Advanced Inspection and Prevention Security Services Module), a complete intrusion prevention system of the Cisco IPS 4200 series family.

There is an IPS icon on the left side of ASDM. The AIP-SSM has its own management interface and IP address, separate from the ASA's; once that address has been configured, we can manage the AIP-SSM from ASDM.

In fact, all Cisco IPS 4200 series sensors operate transparently, as a “bump in the wire”, so the AIP-SSM also works in transparent mode. The AIP-SSM and the ASA are connected internally over a Gigabit Ethernet backplane link. We therefore need an access list to select the ASA traffic that is to be diverted to the AIP-SSM: the ACL is referenced from a class map, and a policy map applies the IPS action to that class. The necessary configuration is shown in the following figure:

Once this is configured, all traffic through the ASA is first examined by the firewall. Packets that the firewall does not drop are then diverted to the AIP-SSM for intrusion prevention, which achieves the goal of unified threat management (UTM). Two choices are made at this point: the module can run inline (it can drop packets) or promiscuous (it inspects a copy and can only alert), and you must decide whether matching traffic keeps flowing (fail-open) or is blocked (fail-close) while the module is down or reloading.
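The traffic-diversion configuration described above, written out as an added example for the geego1 context (the lab in section 04 asks for exactly this step); it is not the figure from the original article. The syntax is that of ASA software 7.2; the ACL and class-map names and the choice of inline/fail-open are assumptions made here.

```cisco
! Each context has its own service policy, so enter the R&D context first.
changeto context geego1
configure terminal

! 1. Select the traffic to hand to the module.  "any any" forwards
!    everything the firewall permits; narrow it (for example to the VLAN 10
!    subnet) if the module's throughput becomes the bottleneck.
access-list IPS_TRAFFIC extended permit ip any any

! 2. Wrap the ACL in a class map.
class-map IPS_CLASS
 match access-list IPS_TRAFFIC

! 3. Attach the IPS action to that class in the policy map.
!    inline      = packets pass through the sensor, which may drop them
!    promiscuous = the sensor sees a copy only; it can alert but not drop
!    fail-open   = if the module is down, traffic keeps flowing uninspected
!    fail-close  = if the module is down, traffic matching the class is dropped
!    Use fail-close where nothing may pass uninspected; fail-open where
!    availability matters more than inspection (the choice made here).
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open

! 4. Apply the policy to every interface of this context.
service-policy global_policy global

! Verification: the class should show packet counters climbing once a host
! in VLAN 10 (e.g. MSN Messenger) generates traffic.
show service-policy

! Module health is checked from the system execution space.  "session 1"
! opens a console to the sensor itself, where "setup" configures its own
! management address and where IDM access is enabled.
changeto system
show module 1 details
session 1
```

Because the service policy lives inside the context, the R&D engineer can apply or remove the IPS diversion for his own firewall without touching any other department's traffic, while the module's health (show module, session) remains visible only from the system execution space.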

04 Lab in an enterprise environment

The R&D department of GeeGo Education has been allocated one virtual transparent firewall, whose management IP address is 192.168.10.100. The R&D engineer can therefore connect with the ASDM Launcher and land directly in his own virtual transparent firewall. The obvious difference from the admin context is that he cannot switch to any other context. See the following figure:

Next, based on the configuration above, divert the ASA traffic of the geego1 context into the AIP-SSM. Then start MSN Messenger on a host in the protected LAN (VLAN 10), and observe the MSN Messenger connection events in IDM (IPS Device Manager) on the AIP-SSM.

For each detected event we can also see the captured packet content, for the MIS engineer's reference. The MIS engineer can thus use the firewall (PIX) and IPS functions of the ASA to handle traffic according to the security policy set by his department. Furthermore, site-to-site IPsec or SSL VPN can be built on the ASA to connect to other departments, protecting the integrity and confidentiality of data in transit. This is exactly the goal of UTM.

05 Conclusion

In a typical network security deployment the firewall is placed in front of the IPS because the firewall is far more efficient than the IPS. Looked at through the OSI model, every network device has to parse and rebuild headers on each packet it forwards: a switch reads the layer 2 (data link) header to find the MAC address before forwarding the frame, and a router reads the layer 3 (network) header to find the IP address before re-encapsulating and forwarding the packet. Each additional layer that must be parsed costs processing resources, so the same physical device is noticeably more efficient when it only switches than when it routes.

A firewall mostly works at OSI layer 4 (transport), whereas an IPS has to inspect right up to layer 7 (application), so an IPS is far slower than a firewall. In a network security deployment we therefore let the firewall filter out most unwanted packets first and then have the IPS inspect what remains in detail. This is exactly the operating principle behind the design of the Cisco ASA integrated security appliance. As far as we have seen, only the Cisco ASA integrates security technology this comprehensively.