Cisco CCIE Security 350-701- Cisco ASA Firewall

1. Cisco Statefull Firewalls – IOS – ASA

In the previous section we discussed about some of the vendors offering the firewall services. Like we got Sonic Wall Watch card, palo Alto, Juniper, and here, our main focus will be on Cisco. Now, Cisco also offers the firewall services. Generally most of the firewall supports statefoot, typically referred as straightforward firewalls, but they may add some additional benefits depending upon the platforms, depending upon the additional modules, what you add, or adding some specific services into that. So we can use a Cisco in a firewall either. We can use a dedicated firewall. It’s a dedicated firewall platform specially designed for firewall services. So mostly this ASAP stands for Adaptive Security Appliance. It has inbuilt security policies and security levels.

And based on this inbuilt security policies and security levels, we can actually configure based on this default security policies, the traffic between the land and the internet or from internet to land is either allowed or denied based on the default policies. So we can add some our own dedicated policies or we can even modify the existing segregated policies as per our requirements. So probably scalable device, we can use a dedicated firewall or we have another option in Cisco where we can use the Cisco ibz router and we can configure with some features like CBAC or zone based firewall. So CBAC is something not used in today’s networks, context based access control, it’s a way to deny the traffic coming from the internet and allow the traffic going on from the land to the internet and return traffic should go just like a straightforward packet filtering kind of things.

But CBAC is something we don’t use in today’s networks and also we are not going to cover in this silvers anyway. So in today’s network we use some feature called zone based policy firewall or simply called as zone based firewall, which is going to replace the CBAC where we can configure IBASE router to do most of the firewall jobs, not a completed dedicated firewall jobs, but most of the firewall jobs. Like we can configure some security policies, we can do some inspections, we can also do some other things like URL filtering, it depends on the ibis and the platform what we use. So mostly we’ll be covering this two things like initially in the next section we’ll talk about ASF firewalls more in detail, more in depth.

2. ASA Supported Features _ PART1

Okay. Cisco ASAP features. Now in this video, we’ll see what are the different features Cisco as a firewall offers. We’ll talk about some overview of all these features, and again, depends upon the platform you select, depending upon the modules you add, or maybe some kind of services you enable, some features may support, may not support. It actually varies. But all these features specifically supported in the Cisco ASA file firewalls. And the firewall ranges from small office, home office to large enterprises, even for the service orders or even for the data centers. So basically the first thing is Cisco ASA offers a proprietary operating system. It’s a separate OS used specifically on works only on the Cisco ASA platforms.

And almost all the firewalls, even Cisco supports stateful packet inspection like we already discussed in the previous sessions. What is stateful packet inspection? It’s a method of allowing the connections traffic initiated from the lamp should be sent outside to the Internet and also make sure that the return traffic should come back. The user sitting here is trying to send a request to@yahoo. com so I want the request should go to the Yahoo server on the Internet, and the return traffic should come back. At the same time, I want to ensure that the traffic which is initiated on the outside network should not be allowed inside, because on the Internet there may be some attacker trying to initiate or spoof the traffic as if he is a valid user. That should be denied. So as a firewalls, have a capability to monitor the state of the active sessions.

And based on that, it can differentiate the traffic which is going out or returning, whether it is reading traffic, because it will add some session entries, and based on the session entries, it will check whether that particular packet is a part of the existing session or not. If it is a part of the existing session, it is going to allow or else it will deny the traffic. So as I discussed already in detail in the previous section, stateful packet filtering is going to keep a track of source, address, port numbers, sequence number and flags and other things. So apart from that, ASA firewalls also supports something called application. Every inspection, an application every inspection is like, let’s say I’m going to configure my ASA to allow the traffic, 50 traffic should be allowed and it should be returned back.

Or maybe I want to deny, let’s say I want to deny FTP traffic should not go from my land to the Internet, or maybe from Internet to land, whatever it is. But again, in general, in general when you configure some ACLs, when we do some kind of filtering, FTP means by default it runs on port number 2021. This is the default port numbers it uses. But there is a possibility that the FTP traffic may be initiated by on different port numbers other than the default. Now, if the inspection is happening at the layer three and the layer four. It’s going to only identify based on this information, not based on the other ports. So the ASA supports something called deep packet inspection where it can do the inspection and application level at the layer seven, where it is going to identify the applications and ensures that whatever the port numbers they run, it doesn’t matter.

So it’s going to inspect the FTP traffic and if you want to deny, we can actually deny the FTP traffic. So the main advantage of the ASA is it’s going to negotiate the connections to dynamically assign source and port numbers. Also it’s going to identify and filter the traffic. The security appliance securely opens and close the negotiated port connections. And if you want to allow for the varied users, it’s going to allow the connections to pass through the firewall.Now additionally, other features like we can also configure Nat network address translation. We’ll talk about more on this how to configure in a subreddit section called Nat on ASA Firewalls. And also we can configure some DSCP where I can make this firewall to act as a DHCP server to assign the IP addresses to all the clients. Of course, practically we use dedicated Microsoft or the Linux servers to do this job in legal scenarios.

So also we can do routing. Now, routing supported in the Asus routing is actually required. We can run all the routing protocols like Rap EHRP OSP of static or default routings. So technically you must run the routing because let’s say this is my lamp and I connect to my ASA and this is my head office, and this head office is actually connecting to my branch offices. And I want to make sure that all the branch offices here, they should go through the head office in order to access internet, because I’m going to configure all the security policies and the firewall is configured in the head office. So I’m not implementing a separate firewalls on each and every branch office. The user sitting here is trying to access something on the Internet. It must go to the my head office and that is possible with the help of some kind of routing protocol.

So here this as is also a layer three device and it also must enable the routing. And the head office is going to route to the ASA, and the ASA conference with the default route, maybe route the packet to the internet and the packet when it is coming back. Now the ASA firewall should know how to route the pack back to the source, which means this ASA must have a route inside the routing table to route back to the back to the actual source. So if you don’t do the routing, then the ASA may not have the capability to route the packet. So that’s not going to work. So definitely, just like a router, ASA supports layer three interfaces and we can do routing, configure any of the protocols, whatever the protocols we are using in our network.

So we can also configure ASA for triple S support like we did in the previous sections on the router. We can configure authentication, authorization and accounting where if any user is trying to access the ASA remotely, I want this user may be initiating a telnet or SSH connections. I want this user must be authenticated. And also I can also configure some policies where I can tell this ASA can be configured as AAAA client and we can authenticate, we can authorize either by doing locally or we can also configure some external servers to do that. So triple A concept already we covered a little bit more in detail in the previous sections. Now. Apart from that, ASA also supports VPNs virtual private networks. We’ll talk about VPNs more in detail in the separate VPN section. Anyway, just a basic overview of the VPNs. Like VPNs allows you to connect your sites.

Let’s say I got two branch offices, head office, one in US, maybe one in Japan here or maybe in India, let’s say. And I want to connect these two sites. Instead of using a dedicated van connection, we can use the existing internet or any other service portal network or any other transport technologies. And we can establish virtually a private connection between these two points. So VPN support is something done on specific routers. Routers supports VPN mostly. We can also configure the VPNs on the ASA firewalls. We can configure a side to side VPNs connecting two sites. Or we can also configure a user sitting in a home is trying to connect to the device, which is my VPN gateway. This can be an ASA firewall to access the resources in the land. So we called it has remote access VPNs like SSL, VPN, these kind of options.

3. ASA Supported Features _ PART2

Now Cisco as a firewall also supports some other features like security context, also called as virtual firewalls. It’s a method where we can make, we can use a one single security appliance with multiple virtual firewalls or context. So let’s say, let’s take an example. You’re working for some It solution company or maybe you’re working for a service portal and you got some multiple customers. You got a customer A and the customer B and the customers C and customers D. And your job is to provide some firewall services to this customer which includes inside your security. And you want to make sure that you want to secure these users before they access the internet. So technically, you need to have a separate ASA firewall for each customer. So what I’m going to do is I’m going to use one physical appliance security ASA. So it’s going to be one physical platform, physical appliance, security appliance, and then I’m going to create some virtual context.

We call it as context one, context two, context three or context ABCD and will connect to individual context before they actually connect to the internet. Now each context almost worked like having a separate dedicated firewall. So every context or every virtual firewall have a separate security policies. Every firewall have separate security policies. Apart from that, it looks like a separate firewall in general. So again, how many contexts we can create, it all depends upon the license and the hardware platforms we use. So that is what we call a security context like service for offering the firewall services to multiple customers. So every context has its own resources, interfaces, routing policies, nat and access policies completely isolated from each other. Now apart from that, we can also configure an ASA firewall with some high availability features.

Now in high availability like let’s say I’m connecting my network to an ASA firewall and this as a firewall is connecting to internet. And on this as a firewall, I’m going to configure all my security policies and based on this security policies, all the traffic will be filtered. So it’s working fine. So let’s say, what if this firewall fails, if there is a hardware issue or maybe some kind of connective tissue or whatever it is. So it’s going to be a single point of failure, which means the traffic, if you want the users to be able to access Internet, you just remove the firewall. But again, it is not secure. So what I can do is I can configure two firewalls. Just like we have HSRP concept in routers similar to that one, we can configure two SF firewalls connecting to a network, let’s say through a switch.

And then we got some two ISP connections we didn’t connections connecting to internet or maybe two connections from generally two different ISP connections. And we can configure these two firewalls to exchange a complete state table. And logically they work like one dedicated firewall and we can configure either an active standby setup like one firewall will be like a primary and forward the traffic. Other is just like a backup and if the primary fails, the backup will take up the role and it will synchronize a complete state table everything. Or we can also configure something like Active Active where both will be actively forwarding the traffic or both will actively do the inspection with the security policies. Nowadays we actually also configured with some kind of clustering. Clustering is like we are combining these two firewalls.

Logically it looks like one firewall and this way we can actually share the load at the same time we can have some kind of agency. So ASA provides these options. Depending upon the platforms and license, these features may vary. We can use active standby or active active or active ASA clustering options. Now, clustering is something commonly used in the new platforms in the new IVs portions where we can use a multiple ASAS logically looks like one physical ASA. So we got four ASAS clustered to work like a one ASAP, just like kind of load balancing, it provides some very high performance and more throughput and also it will do some kind of load sharing and if any one of the ASAP fails, it will provide you some availability, same like your active standby ASA firewalls. Now, some other options like we can also configure the ASA as a transparent firewall. Like let’s say you want to do some kind of inspection at the layer too.

We can configure the ASA, we can connect the ASA in the land and we can do some kind of inspection of the traffic which is moving between a VLAN to VLAN at the layer two level. So, physical interfaces now in this case, the physical interfaces will work as a layer two because we don’t assign any IP address here. So it’s more like ASA at the layer two. So we call this feature as a transparent firewall feature. Default ASA works in the router mode, routed mode, but we can convert into the transparent mode with some configurations. So provides some security services at the layer two. That is one of the additional feature. If you want, we can also do that and most of the configuration goes in terms of modular policy framework. So here we have some default security policies and we can also create some additional security policies by using the hierarchy what is nothing but class maps.

Class maps generally used to match the traffic and policy maps is going to tell what action you want to take and then we apply to the specific interface or an inside interface or globally on all interfaces we can apply it. Now, class map this modular policy framework, this actually gives a more flexibility for us to match specific traffic and configure some security policies in a more better way compared to ACLs or any other options. So we still use ACLs for the basic policies but for the most of the advanced inspections we use this hierarchy. So, I already covered this in the control plane policing topic, the actual hierarchy, how it goes, probably the next concepts are also we’ll also see some kind of default inspection policies and verifying. Now, again, the good thing about the ASA is we can manage the ASA either by using a command line interface, just like a routers, or we can also configure something called ASDM.

And we can manage the device via Gy, because when we do some advanced configurations or advanced policies like VPNs or remote access VPNs, or if you are trying to configure some other inspections, there’s a lot of configuration you need to do. And practically doing it via command line, it’s really not feasible for the normal users. And it’s not easy to memorize each and every command. So with GUI we can actually see the options and we can manage in a more better way where we can simply go to the configuration option and we can select what feature you want to configure, we can change the IP addresses, we can change the status, we can do routing, we can do almost everything via GUI. So by using something called ASDM adaptive security device manager now, finally, the Firewalls, mostly the new Firewalls, especially from ASA X series platforms, we’ll talk about platforms in detail later.

They support most of the next generation Firewalls. Firewall services, like they do support identity based user control, where we can configure security policies based on the user accounts or some tax. So I covered this more in detail in the next generation Firewalls overview. Like almost all the vendor supports, most of the vendor supports this, even the ASA supports on selected platforms. Again, not on all the platforms. We can do some URL filtering specific sites and also we can do something called application visibility and control where we may want to allow the Facebook but not some kind of video or audio chats or you want to allow Skype, but you want to allow only chat but not the video conferencing, not the desktop sharing kind of things. We can drop or we can discard those specific applications and we can configure the rules based on that micro applications. And also most of this nextgeneration Firewalls, they support something called Firepower Services.

Now, with this Firepower Services we can do advanced malware protection where it will detect most of the known or unknown malware, scan the contents to provide protection against known or unknown malwares. Again, next generation IPS features and other things. So, the Cisco ASA Firewalls supports most of these features in all the platforms. And there are some features or specific to specific platforms, especially this next generation Firepower services are supported in most of the ASA X series platforms. We’ll talk about that. And maybe user based authentication may support in some platforms it varies. But every platform supports almost all these features except one or two features in general and the scalability wise depends upon the license like if you are going with virtual firewalls, how many it supports it depends upon the platform as well as the license and the failure.

4. ASS Compare Models

Next thing we’ll see which Cisco ASAP model you need to select. Now Cisco ASA family consists of different models depending upon the features and the capabilities. Like Cisco offers some ASA based on some small office home office products on the Internet edge. And if you’re using the ASA Firewalls in the Enterprise data centers, then we have a separate range of products. Use this URL to open up the link here. So if you go to the Cisco website, you can just search in the Google for Cisco ASA Firewalls, compare models, you’ll find the link or you can use the link what I’m using in the PBD. Now, we got three different ranges. One for small office, home office. Now this is specifically used in small office and Home office connections like Cisco ASF files we can use in Cisco’s combined.

Straightforward fine inspection. You can see all the features here. If you just scroll down, you can see the different platforms. Now the main platforms you have a normal ASF Firewalls. Like here you can see with the base license and the advanced Security Plus license. Now basically the license is like it defines what are the additional features it supports. Once you upgrade to some kind of licensing and there’s normal ASA Firewalls and you have a Cisco ASA X series platforms. Now, most of these X series supports your next generation Firewall features. Like if you try to see it, there is a next generation throughput and you can see it is not supported here. But whereas if you’re using some kind of X series and the throughput of the next generation, it varies, again, depends upon the platforms.

Like an Xgeneration Firewall means it supports some application, visibility, control, userBased and also advanced malware protection, including some other Firepower services with an extended IPS. So those all features are supported. If you scroll down, you will see the different features. Now depending upon the requirement or the throughput, you can select the product. Like you can add some specific cards for the basic IPS throughput the VPN supports for side to side or remote side VPNs and also the number of VLANs. You can see availability, support like active active active standby features now, these features varies depending upon the platforms you select. Now you need to decide which security features you want to implement in your network and what is the actual throughput you require or how much amount. What is the throughput for your statewide packet inspection or for IPS, or for next generation Firewalls.

Based on that, you need to select the platform. So if you’re working for a small office, Home office, then you will be selecting any one of these modes depending upon the feature set, what you want to implement.So if you want to set up for Internet Ads, so typically you have a specific platforms. Like I said, x series supports next generation Firewalls. The same feature list you will see here also and the throughput will vary depends upon the platforms. And if you are setting up for the additional enterprise data centers, then we have a specific platforms like double for eight, five series with different cards, these are the Astral cards support and we got some other additional modules we can add in general. Likewise, these are the specific models which supports and most of them are Cisco ASA. And apart from the Cisco ASA also have other models with firepower services.

Now, the basic difference is like in these models, whatever I listed here, we can add some next generation firewall features as a specific software feature or maybe some kind of hardware feature by adding some modules depends upon the platforms, but they don’t have inbuilt in built fire services. So we can use some other platforms like Cisco ASA Firewalls with some firepower services. Now they support something like application visibility control, nextgeneration IPS, advanced malware protection, and URL filtering options. And you can see the list of desktop platforms supported with Firepower services. Now, Firepower services are actually threat focused next generation firewalls designed for advanced threat and malware predictions. So Cisco acquired Source Fire, acquired a source fire company and release with some firepower services.

That’s the name Cisco uses for this advanced threat and malware predictions. Again, the capabilities varies, depends upon the models. What you select, you can see if you just click on compare models, you can see, you can actually see you need to select I think. So probably you can select of these models, you can just simply add and compare. You can add to compare and you can actually see the details by clicking on that product here. You can also go to the data sheets and literature. This will give some more detailed information like the data sheets will give some more detail information about this product where you can open up any of these product data shades to see what are the actual features they support. And also you can also see some of the other features like you can see Cisco Firepower Management Center where we can manage the firepower services and also the benefits, what are the features and benefits with the firepower services with a specific platform and the different models capabilities.

You can also see more detailed information in the data sheets and you can see these are tables which gives more detailed information about the individual products, individual models from Cisco ASA. And additionally you can see what are the variations in that like plot platform or support compatibility things and also some ordering information relating to that.