Firewall Deployment

Transcription

Firewall Deployment (BRKSEC-2020)
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public

Session Objectives & Housekeeping

At the end of the session, you should have:
- Knowledge of common firewall deployment scenarios, including firewall virtualization using the latest code
- Understanding of how the firewall processes packets
- Special features that augment firewall services
- "Best Practice" suggestions for optimizing your firewall deployment

New for Cisco Live 2012: 90 minute sessions, so we will move fast. There will be time left at the end for Q&A; I will also be available after the session to answer more questions.

Note: Session will NOT cover IPS, VPN, IOS Firewall, FWSM or VSG
Note: Pricing will NOT be discussed

Related Sessions
- BRKSEC-1006v – Network Segmentation For Security
- BRKSEC-2021 – Firewall Architectures
- BRKSEC-2205 – Security and Virtualization in the Data Center
- BRKSEC-3020 – Troubleshooting Firewalls
- BRKSEC-3021 – Maximizing Firewall Performance
- BRKVIR-2011 – Deploying Services in a Virtualized Environment

Agenda
- Firewall Specifications & Versions
- Firewall Deployment Modes
- Firewall Policy
- Advanced Firewall Features
- Q&A

The ASA Product Family: Hardware Platforms

Cisco Firewall – What is It?
- Adaptive Security Appliance (ASA) – hardened firewall appliance with a proprietary OS; may have expansion slots for service modules, or the services may be integrated on the main board. Ethernet and fiber ports on the box.
  - Does not run IOS, but has a similar look and feel
- FireWall Services Module (FWSM) – line card in the Catalyst 6500 that provides firewall services (EoS/EoL announced Feb 2012)
- ASA SM – next-generation line card for the Catalyst 6500; no physical interfaces, runs the ASA code image (unlike the FWSM above)
- ASA 1000V Virtual/Cloud Firewall – virtualization-edge ASA that runs with the Nexus 1000V on a standard ASA code base – discussed but not detailed in this session
- IOS device running a firewall feature set in software (IOS-FW) – configuration is in IOS; not covered in this session

Cisco ASA Firewalls
[Figure: platform positioning chart from SOHO/Teleworker through Branch Office, Internet Edge and Campus to Data Center. The figures that survive the chart unambiguously (firewall throughput, connections/s, IPS throughput, VPN peers):]
- ASA 5585-X SSP60: 20-40 Gbps, 350K conn/s, 10 Gb IPS, 10K VPN
- ASA 5585-X SSP40: 10-20 Gbps, 240K conn/s, 5 Gb IPS, 10K VPN
- ASA 5585-X SSP20: 5-10 Gbps, 125K conn/s, 3 Gb IPS, 5K VPN
- ASA 5585-X SSP10: 2-4 Gbps, 50K conn/s, 1.5 Gb IPS, 5K VPN
- ASA SM: 16-20 Gbps, 300K conn/s
- FWSM (EOL): 5.5 Gbps, 100K conn/s
- ASA 5550: 1.2 Gbps, 36K conn/s, no IPS, 5K VPN
- ASA 5540: 650 Mbps, 25K conn/s
- ASA 1000V: 650 Mbps, 25K conn/s, 2.5K VPN
- Also charted (figures not recoverable from the transcript): ASA 5555-X, 5545-X, 5525-X, 5512/15-X, ASA CX-20, ASA CX-10, ASA 5520, ASA 5510, ASA 5505, VSG

Cisco ASA 5585 Chassis
- 2RU 19in rack-mountable chassis that supports 2 full-slot modules, or 1 full and 2 half-slot modules
- Same chassis for all ASA 5585 products
- Weighs 62 lbs with 2 modules and 2 power supplies
- 2 full-sized module slots available (Slot-0 and Slot-1):
  - ASA SSP required in Slot 0
  - IPS/ASA/CX SSP optional in Slot 1

ASA 5585-X with ASA CX (Context-Aware)
- Context-Aware Firewall*
- Active/Passive Authentication
- Application Visibility and Control
- Reputation Filtering
- URL Filtering
- SSL Decryption
- Secure Mobility
- SSP-10 and SSP-20 at FCS
* More detail in the Context-Aware Firewall section

ASA 5500-X Platform
[Figure: ASA 5512-X, 5515-X, 5525-X, 5545-X and 5555-X; 1 RU, 64-bit appliances]
- Hard drive slots (provided for future expansion; hard drive currently not being shipped)
- 6 GE ports or 8 GE ports, depending on model
- Redundant power supplies
- 1 expansion slot: 6-port GE or 6-port SFP

ASA Services Module (ASA SM)
- Next-generation FWSM: integrated ASA firewall in the Cat 6k
- Leverages the architecture of the 5585-X
- Integrates two advanced Nitrox crypto accelerators
- No physical interfaces – uses existing VLANs
  - VLANs are redirected to the inspection engine
- Standard ASA code base to maintain feature parity*
- Allows firewall scaling to meet increased traffic demands in larger Data Center/Campus networks
* More info in the Software Versions section

ASA SM Supported Hardware
Chassis:
- WS-C6500-E: 3, 4, 6 or 9 slot chassis
- WS-C6509-VE: 9 slot chassis
- WS-C6513-E: 13 slot chassis
- 7600 planned
Supervisor cards:
- VS-S720-10G-3C
- VS-S720-10G-3CXL
- WS-SUP720-3B
- WS-SUP720-3BXL
- WS-SUP2T

ASA SM Deployment
- ASA SM only works in a 6500-E chassis; it will not boot up in a non-E chassis because of the airflow requirement
- Design is based on whether the ASA SM sits in front of or behind a Switched Virtual Interface (SVI)
  - This is achieved by assigning specific VLANs to be firewalled (similar to the FWSM)
- Autostate on the Catalyst alerts the ASA SM when a physical port in a specific VLAN goes down
  - Speeds up failover time significantly, as the ASA SM can bypass interface monitoring
- Migration tool on Cisco.com for FWSM-to-ASA replacement

ASA Software Versions

ASA Software Versioning
- Older ASA software versions (8.0x – 8.2x) still supported on legacy hardware
- Current ASA features are based upon the ASA 8.4x code base
  - 64-bit (on supported hardware)
  - Simplified and enhanced NAT model
  - Simplified access control model (Real-IP)
  - Identity Firewall (AD Agent)
  - Context-Aware firewall policy
  - Secure Mobility / BYOD
- Specific ASA code versions required for specific hardware
  - Legacy hardware may require a memory upgrade
- ASA code convergence into a single version (9.x)

Mapping ASA Software Versions to ASA Hardware
[Figure: platforms charted from SOHO/Teleworker through Branch Office, Internet Edge and Campus to Data Center: ASA 5585-X SSP60/SSP40/SSP20/SSP10, ASA 5555-X, 5545-X, 5525-X, 5512/15-X, ASA CX-20, ASA CX-10, ASA SM, ASA 5540, 5520, 5505, 5510, 5550, FWSM (EOL), VSG, ASA 1000V; the software-version bands are not recoverable from the transcript]
* Intended ASA code convergence for all ASA platforms

ASA 8.4.2 Base Features Overview
In addition to previous ASA features:
- 8.4x is now 64-bit on supported platforms
  - Increases ASA platform limits for connections and VLANs
  - 5500-X / 5585-X platform(s) require the SMP image
- Port Channel and Bridge-Group enhancements for easier deployments
- Stateful failover of EIGRP and OSPF
- All licenses are shared between HA pairs (from 8.3)
- Native Identity Firewall support via the AD Agent
- Resource mapping to FQDN for access rules
- IPv6 inspection with service policy
- Increased NAT/PAT capabilities
  - Identity NAT: configurable proxy ARP and route lookup
  - PAT pool and round-robin address assignment
- Additional SNMP traps, Log Viewer enhancements in ASDM, TCP Ping, WhoIs lookups and more for manageability and troubleshooting
- See the 8.4x Release Notes for a complete list: asa84/release/notes/asarn84.html

Current ASA Version Deltas
- 8.4.3 enables extended PAT pool options
  - Round-robin pool allocation using the same IP address
  - Flat range of PAT ports, PAT pools and extended PAT for a PAT pool
  - Configurable PAT xlate timeout
- 8.4.5 enables policy redirection to the CX Module for Context-Aware Firewall
- 8.5.x allows mixed-mode deployment for ASA SM installations
  - More detail later in this session
- 8.6.x is the SMP version of 8.4.x for the 5500-X mid-range appliances
- 8.7.x provides the base ASA feature set for the ASA 1000V Virtual/Cloud Firewall
  - Demo link: http://www.youtube.com/watch?v=5Vwo6n5tXao

Firewall Deployment Modes

Firewall Design – Modes of Operation
- Routed mode is the traditional mode of the firewall: two or more interfaces that separate L3 domains
- Transparent mode is where the firewall acts as a bridge, functioning mostly at L2
- Multi-context mode involves the use of virtual firewalls, which can be either routed or transparent mode
- Mixed mode is the concept of using virtualization to combine routed and transparent mode virtual firewalls
  - Mixed mode is only supported on the FWSM and ASA SM until the ASA 9.0 release

Firewall – Routed Mode
[Figure: ASA between 109.2.1.0/24 (firewall interface 109.2.1.1) and 10.1.1.0/24 (firewall interface 10.1.1.1)]
- Traditional mode of the firewall (layer 3 hop)
- Separates two L3 domains
- Often a NAT boundary
- Policy is applied to flows as they transit the firewall

Firewall – Transparent Mode
[Figure: transparent firewall dropped into an existing network]
- Operates at layer 2, transparent to the network
- Drops into existing networks without re-addressing or redesign
- Simplifies internal firewalling & network segmentation

Why Deploy Transparent Mode?
- Routing protocols can establish adjacencies through the firewall
- Protocols such as HSRP, VRRP and GLBP can cross the firewall
- Multicast streams can traverse the firewall
- Non-IP traffic can be allowed (IPX, MPLS, BPDUs)
- Deploy where IP address schemes cannot be modified
- NO dynamic routing protocol support (on the FW itself) or VPN support
- NO QoS or DHCP Relay support
- More caveats and gotchas: refer to the Cisco.com docs for details

How Does Transparent Mode Work?
- Often used in Data Center/Campus deployments at the Core/Aggregation layer
- Firewall functions like a bridge ("bump in the wire") at L2; only ARP packets pass without an explicit ACL (it does not pass Cisco Discovery Protocol)
- The same subnet exists on the inside and outside of the ASA
- Different VLANs on the inside and outside
- No need to change the network design to introduce firewall access control (ACLs)
- NAT is supported in the transparent firewall; requires 8.0.2 on the ASA

Transparent Mode Requirements
- A management IP is required, both for management and for traffic to pass through the transparent firewall
- The IP address MUST be on the same subnet as the bridged network
- If management by IP is required with L3 routing, assign a second IP address to the Management interface and add a route to the default gateway; an overlapping IP is okay
- Set the default gateways of hosts to the L3 device on the far side of the firewall, NOT to the management IP of the firewall
- Up to 32 interfaces are supported per virtual context (4 per BVI × 8 BVIs)
- For specifics, reference the ASA Configuration Guide: asa84/configuration/guide/mode fw.html

Transparent Mode Configuration
[Figure: 10.1.1.0/24 on VLAN 10 and 10.1.1.0/24 on VLAN 20 either side of the ASA; management IP 10.1.1.100]

firewall transparent
hostname ciscoasa
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
ip address 10.1.1.100 255.255.255.0

Configuration Example: ASA 8.3 vs. ASA 8.4

Transparent Firewall, ASA 8.3 and earlier (one global management IP for the context):

firewall transparent
interface GigabitEthernet 0/0
 nameif inside
 security-level 100
interface GigabitEthernet 0/1
 nameif outside
 security-level 0
ip address 10.1.1.100 255.255.255.0

Transparent Firewall, ASA 8.4 (each interface joins a bridge group; the management IP moves to the BVI, and every nameif must be unique):

firewall transparent
interface GigabitEthernet 0/0
 nameif inside
 security-level 100
 bridge-group 1
interface GigabitEthernet 0/1
 nameif outside
 security-level 0
 bridge-group 1
interface GigabitEthernet 0/2
 nameif dmz
 security-level 50
 bridge-group 1
interface GigabitEthernet 0/3
 nameif inside2
 security-level 51
 bridge-group 1
interface BVI 1
 ip address 10.1.1.100 255.255.255.0
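The 8.3-to-8.4 change shown above (one global ip address versus bridge-group members plus a BVI) and the requirements on the previous slide (management IP on the bridged subnet, at most 4 interfaces per BVI and 8 BVIs per context, unique interface names) can be checked mechanically before a config is pushed. The following Python is an added example, not Cisco code and not part of the presentation: it converts a constructed 8.3-style transparent config into the 8.4 form and then validates the 8.4 form against those limits. The function names, the sample config and the limit constants are this example's assumptions.

```python
"""Added example (not Cisco code): rewrite an ASA 8.3-style transparent-firewall
config into the 8.4 bridge-group/BVI form and check the 8.4 rules quoted on the
slides. Names, limits and the sample config are this example's assumptions."""
import ipaddress
import re
from collections import OrderedDict

MAX_IFACES_PER_BVI = 4   # slide: "4 per BVI"
MAX_BVIS = 8             # slide: "x8" bridge groups per context

# Constructed 8.3-style config, same shape as the slide's example.
CONFIG_83 = """\
firewall transparent
hostname ciscoasa
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
ip address 10.1.1.100 255.255.255.0
"""


def parse_config(text):
    """Split an ASA config into global lines and {interface: {command: args}}."""
    globals_, ifaces, cur = [], OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            cur = None                      # "!" ends an interface block
            continue
        m = re.match(r"interface\s+(.+)$", line)
        if m and not raw[:1].isspace():
            cur = m.group(1).strip()
            ifaces[cur] = {}
        elif cur is not None and raw[:1].isspace():
            cmd, _, arg = line.partition(" ")
            if cmd == "ip" and arg.startswith("address "):
                cmd, arg = "ip address", arg[len("address "):]
            ifaces[cur][cmd] = arg.strip()
        else:
            cur = None
            globals_.append(line)
    return globals_, ifaces


def convert_83_to_84(text, bridge_group=1):
    """8.3 used one global 'ip address'; 8.4 puts it on a BVI and adds every
    data interface to that bridge group."""
    globals_, ifaces = parse_config(text)
    out, mgmt = [], None
    for g in globals_:
        m = re.match(r"ip address (\S+) (\S+)$", g)
        if m:
            mgmt = m.groups()               # the single 8.3 management address
        else:
            out.append(g)
    for name, cmds in ifaces.items():
        out.append(f"interface {name}")
        for cmd in ("nameif", "security-level"):
            if cmd in cmds:
                out.append(f" {cmd} {cmds[cmd]}")
        out.append(f" bridge-group {bridge_group}")
        out.append("!")
    if mgmt is not None:
        out.append(f"interface BVI {bridge_group}")
        out.append(f" ip address {mgmt[0]} {mgmt[1]}")
        out.append("!")
    return "\n".join(out) + "\n"


def validate_84(text, expected_subnet=None):
    """Return the rule violations found in an 8.4 transparent config
    (an empty list means it passes)."""
    problems = []
    globals_, ifaces = parse_config(text)
    if "firewall transparent" not in globals_:
        problems.append("missing 'firewall transparent'")
    seen, members, bvi_ip = {}, {}, {}
    for name, cmds in ifaces.items():
        if name.upper().startswith("BVI"):
            bvi_ip[name.split()[-1]] = cmds.get("ip address")
            continue
        nameif = cmds.get("nameif")
        if nameif:
            if nameif in seen:              # nameif must be unique within a context
                problems.append(f"duplicate nameif '{nameif}' on {name} and {seen[nameif]}")
            seen[nameif] = name
        bg = cmds.get("bridge-group")
        if bg is None:
            problems.append(f"{name} is not in a bridge-group")
        else:
            members.setdefault(bg, []).append(name)
    if len(bvi_ip) > MAX_BVIS:
        problems.append(f"{len(bvi_ip)} BVIs exceed the limit of {MAX_BVIS}")
    for bg, ifs in members.items():
        if len(ifs) > MAX_IFACES_PER_BVI:
            problems.append(f"bridge-group {bg} has {len(ifs)} members (max {MAX_IFACES_PER_BVI})")
        ip = bvi_ip.get(bg)
        if not ip:
            problems.append(f"bridge-group {bg} has no BVI with an ip address")
            continue
        addr, mask = ip.split()
        bvi = ipaddress.IPv4Interface(f"{addr}/{mask}")
        if expected_subnet and bvi.network != ipaddress.IPv4Network(expected_subnet):
            problems.append(f"BVI {bg} address {bvi} is not on {expected_subnet}")
    return problems


if __name__ == "__main__":
    cfg84 = convert_83_to_84(CONFIG_83)
    print(cfg84)
    print("problems:", validate_84(cfg84, expected_subnet="10.1.1.0/24"))
```

The converter only carries nameif and security-level across; anything else under an interface in a real config (speed, duplex, descriptions) would need to be copied too. The subnet check is the one that catches the most common field mistake: a BVI address that is not on the bridged subnet, which leaves the firewall unable to pass traffic at all.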

ASA TFW Behavior with Local Destination
[Figure: host 10.1.1.10 sends to 10.1.1.173 (DMAC 0002.a22d.183b) through a transparent ASA whose management IP is 10.1.1.100. Before the exchange, "show mac-address-table" on the ASA holds a dynamic entry for 0050.56b2.1351 on the Inside interface; the destination MAC is not in the table, so the ASA sends "ARP: Where is 10.1.1.173" and the reply "10.1.1.173 is at ..." comes back from the Outside side. The second "show mac-address-table" output is garbled in the transcript.]

ASA TFW Behavior with Remote Destination
[Figure, truncated in the transcript: a host sends to the remote destination 10.2.2.3 with DMAC 0004.daad.4491; "show mac-address-table" on the ASA again shows the dynamic entry ending in 1351.]
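The two TFW behaviour slides show the part of transparent mode that surprises people coming from a plain bridge: the ASA learns source MACs per interface and, for an unknown destination MAC, resolves it rather than flooding the frame. The following Python is an added example, not Cisco code, that models that decision with the addresses from the slides as constructed frames. Only the local-destination case (ARP for the destination IP) is on the slides; the remote-destination branch, where the firewall sends an ICMP echo to learn the next-hop router's MAC, is this example's assumption, as are the class and field names.

```python
"""Added example (not Cisco code): a model of the transparent-firewall
forwarding decision sketched on the two TFW behaviour slides. Frame fields,
class names and the remote-destination 'ping' branch are assumptions."""
import ipaddress
from dataclasses import dataclass, field

BRIDGED_SUBNET = ipaddress.IPv4Network("10.1.1.0/24")   # slide: same subnet both sides


@dataclass
class Frame:
    in_iface: str     # interface the frame arrived on
    smac: str
    dmac: str
    src_ip: str
    dst_ip: str


@dataclass
class TransparentFirewall:
    subnet: ipaddress.IPv4Network = BRIDGED_SUBNET
    mac_table: dict = field(default_factory=dict)   # MAC -> interface, as in show mac-address-table

    def forward(self, frame):
        """Return the action for one frame: ('forward', iface), ('drop', why),
        ('arp', ip) or ('ping', ip)."""
        self.mac_table[frame.smac] = frame.in_iface     # source MAC is learned on ingress
        out = self.mac_table.get(frame.dmac)
        if out == frame.in_iface:
            return ("drop", "destination MAC was learned on the ingress interface")
        if out is not None:
            return ("forward", out)
        # Unknown destination MAC: the TFW resolves it instead of flooding.
        if ipaddress.IPv4Address(frame.dst_ip) in self.subnet:
            return ("arp", frame.dst_ip)      # slide: "ARP: Where is 10.1.1.173"
        # ASSUMPTION (slide truncated): a remote destination is located with an
        # ICMP echo so the next-hop router's MAC can be learned from the reply.
        return ("ping", frame.dst_ip)

    def table(self):
        """Rows as show mac-address-table prints them: (interface, mac)."""
        return sorted((iface, mac) for mac, iface in self.mac_table.items())


def demo():
    """Replay the two slides with constructed frames; returns the action list."""
    fw = TransparentFirewall()
    host = Frame("Inside", "0050.56b2.1351", "0002.a22d.183b", "10.1.1.10", "10.1.1.173")
    actions = [fw.forward(host)]                       # unknown DMAC -> ARP
    reply = Frame("Outside", "0002.a22d.183b", "0050.56b2.1351", "10.1.1.173", "10.1.1.10")
    actions.append(fw.forward(reply))                  # learns 10.1.1.173's MAC on Outside
    actions.append(fw.forward(host))                   # now forwarded out Outside
    remote = Frame("Inside", "0050.56b2.1351", "0004.daad.4491", "10.1.1.10", "10.2.2.3")
    actions.append(fw.forward(remote))                 # router MAC unknown -> assumed ping
    same_side = Frame("Inside", "0000.1111.2222", "0050.56b2.1351", "10.1.1.11", "10.1.1.10")
    actions.append(fw.forward(same_side))              # both hosts on Inside -> drop
    return actions, fw.table()


if __name__ == "__main__":
    for action in demo()[0]:
        print(action)
```

The ARP branch is why the slide "How Does Transparent Mode Work?" notes that ARP passes without an explicit ACL: if the firewall's own resolution traffic or the hosts' ARP were blocked, no destination MAC would ever be learned and nothing would be bridged.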
