
Network Security 2

Network Security 2. Module 8 – PIX Security Appliance Contexts, Failover, and Management. Lesson 8.3 Configure Transparent Firewall Mode. Transparent Firewall Mode Overview. Transparent vs. Routed Firewall.

acavazos

Presentation Transcript


  1. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management

  2. Module 8 – PIX Security Appliance Contexts, Failover, and Management. Lesson 8.3 Configure Transparent Firewall Mode

  3. Transparent Firewall Mode Overview

  4. Transparent vs. Routed Firewall
  • The security appliance can run in two firewall settings:
    • Routed: Based on IP address
    • Transparent: Based on MAC address
  [Diagram: Transparent Mode – VLAN 100 10.0.1.0 and VLAN 200 10.0.1.0; Routed Mode – VLAN 100 10.0.1.0 and VLAN 200 10.0.2.0]

  5. Transparent Firewall Benefits
  • Easily integrated and maintained in the existing network:
    • IP readdressing not necessary
    • No NAT to configure
    • No IP routing to troubleshoot
  [Diagram: VLAN 100 10.0.1.0 – Layer 2 Device (Transparent Mode) – VLAN 200 10.0.1.0]

  6. Transparent Firewall Guidelines
  • Layer 3 traffic must be explicitly permitted.
  • Each directly connected network must be on the same subnet.
  • A management IP address is required for each context, even if you do not intend to use Telnet to the context.
  • The management IP address must be on the same subnet as the connected network.
  • Do not specify the security appliance management IP address as the default gateway for connected devices.
  • Devices need to specify the router on the other side of the security appliance as the default gateway.
  • Each interface must be a different VLAN interface.
  [Diagram: Internet – router 10.0.1.10 – VLAN 100 10.0.1.0 – security appliance in Transparent Mode with management IP address 10.0.1.1 – VLAN 200 10.0.1.0 – hosts 10.0.1.3 and 10.0.1.4, each with gateway 10.0.1.10]

  7. Transparent Firewall Unsupported Features
  • The following features are not supported in transparent firewall mode:
    • NAT
    • Dynamic routing protocols
    • IPv6
    • DHCP relay
    • QoS
    • Multicast
    • VPN termination for through traffic
  [Diagram: VLAN 100 10.0.1.0 – Transparent Mode – VLAN 200 10.0.1.0]

  8. Enabling Transparent Firewall Mode

  9. Viewing the Current Firewall Mode
  ciscoasa# show firewall
  • Shows the current firewall mode
    asa1# show firewall
    Firewall mode: Transparent
  [Diagram: Transparent Mode – VLAN 100 10.0.1.0 and VLAN 200 10.0.1.0; Routed Mode – VLAN 100 10.0.1.0 and VLAN 200 10.0.2.0; which mode is the appliance in?]

  10. Enabling Transparent Firewall Mode vs. Routed Mode
  ciscoasa(config)# firewall transparent
  • Changes the mode to transparent
  • Requires use of the no firewall transparent command to return to routed mode
    asa1(config)# firewall transparent
    Switched to transparent mode
  [Diagram: Transparent Mode – VLAN 100 10.0.1.0 and VLAN 200 10.0.1.0; Routed Mode – VLAN 100 10.0.1.0 and VLAN 200 10.0.2.0]

  11. Assigning the Management IP Address
  ciscoasa(config)# ip address ip_address [mask] [standby ip_address]
  • Sets the IP address for an interface (in routed mode) or for the management address (transparent mode).
  • For routed mode, enter this command in interface configuration mode.
  • In transparent mode, enter this command in global configuration mode.
    asa1(config)# ip address 10.0.1.1 255.255.255.0
    asa1(config)# show ip address
    Management System IP Address:
        ip address 10.0.1.1 255.255.255.0
    Management Current IP Address:
        ip address 10.0.1.1 255.255.255.0

  12. Configure ACLs
  • Determines which traffic should be allowed through the firewall
  ciscoasa(config)# access-list id [line line-number] [extended] {deny | permit}
      {protocol | object-group protocol_obj_grp_id}
      {host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any}
      [operator port [port] | object-group service_obj_grp_id]
      {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any}
      [operator port [port] | object-group service_obj_grp_id | object-group icmp_type_obj_group_id]
      [log [[level] [interval secs] | disable | default]]
      [inactive | time-range time_range_name]
  • Security levels are supported in transparent mode; therefore, traffic from a higher security level interface to a lower security level interface will pass without an ACL, just as it does in routed mode.
    asa1(config)# access-list ACLIN permit icmp 10.0.1.0 255.255.255.0 10.0.1.0 255.255.255.0
    asa1(config)# access-group ACLIN in interface inside
    asa1(config)# access-group ACLIN in interface outside
  [Diagram: Internet – 10.0.1.11 – VLAN 100 10.0.1.0 – Transparent Mode – VLAN 200 10.0.1.0 – 10.0.1.2]

  13. Ethertype ACLs
  • Treatment of non-IP packets: The transparent firewall introduces a new type of ACL, the Ethertype ACL. With Ethertype ACLs, an administrator can allow specific non-IP packets through the firewall.
  ciscoasa(config)# access-list id ethertype {deny | permit} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}
    asa1(config)# access-list ETHER ethertype permit ipx
    asa1(config)# access-group ETHER in interface inside
    asa1(config)# access-group ETHER in interface outside
  [Diagram: IPX traffic crossing from VLAN 100 10.0.1.0 to VLAN 200 10.0.1.0]
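  To make the first-match and implicit-deny behaviour of an Ethertype ACL concrete, here is a small evaluator added for this transcript. It is illustrative code written here, not the slides' own material and not Cisco software. Two things in it are assumptions rather than statements from the slides: the keyword-to-EtherType mapping (the IEEE-registered values for IPX and MPLS; "bpdu" is not an EtherType at all, since 802.1D BPDUs are LLC frames, so it is modelled as a sentinel), and the rule that IPv4 and ARP frames are handed to the extended IP ACL instead of being caught by the Ethertype ACL's implicit deny, unless an entry explicitly denies them.

```python
# Added example (not from the slides or from Cisco): a model of how an
# EtherType ACL decides the fate of a non-IP frame.
#
# Assumptions not stated on the page:
#   * keyword -> EtherType mapping below (IEEE-registered values);
#   * 'bpdu' is modelled as a sentinel because BPDUs carry no EtherType;
#   * IPv4/ARP frames are deferred to the extended (IP) ACL rather than
#     dropped by the EtherType ACL's implicit deny, unless explicitly denied.

BPDU = "bpdu"                                       # sentinel for bridge PDUs
ETHERTYPE_KEYWORDS = {
    "ipx": 0x8137,
    "mpls-unicast": 0x8847,
    "mpls-multicast": 0x8848,
}
IP_FRAME_TYPES = {0x0800, 0x0806}                   # IPv4, ARP


class EthertypeAcl:
    """One named EtherType ACL, e.g. 'access-list ETHER ethertype permit ipx'."""

    def __init__(self, acl_id):
        self.acl_id = acl_id
        self.aces = []                              # (action, key) in configured order

    def add(self, action, ethertype):
        """Mirror of: access-list <id> ethertype {deny | permit} <type>."""
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action: {action}")
        if ethertype in ("any", BPDU):
            key = ethertype
        elif ethertype in ETHERTYPE_KEYWORDS:
            key = ETHERTYPE_KEYWORDS[ethertype]
        else:
            key = int(ethertype, 16)                # hex_number form, e.g. "8848"
            if not 0 <= key <= 0xFFFF:
                raise ValueError(f"EtherType out of range: {ethertype}")
        self.aces.append((action, key))

    def evaluate(self, frame_type):
        """Return 'permit', 'deny', or 'ip' (meaning: defer to the extended ACL)."""
        for action, key in self.aces:               # first match wins
            if key == "any" or key == frame_type:
                if action == "permit" and frame_type in IP_FRAME_TYPES:
                    return "ip"
                return action
        if frame_type in IP_FRAME_TYPES:
            return "ip"                             # implicit deny does not touch IP/ARP
        return "deny"                               # implicit deny at the end of every ACL


def build_page_acl():
    """The ACL configured on the slide: access-list ETHER ethertype permit ipx."""
    acl = EthertypeAcl("ETHER")
    acl.add("permit", "ipx")
    return acl


if __name__ == "__main__":
    acl = build_page_acl()
    for label, frame_type in [("IPX", 0x8137), ("MPLS unicast", 0x8847),
                              ("BPDU", BPDU), ("IPv4", 0x0800)]:
        print(f"{label:13s} -> {acl.evaluate(frame_type)}")
```

  With the slide's configuration, IPX is the only non-IP traffic that crosses the appliance; MPLS and BPDUs fall to the implicit deny, which is easy to forget when a transparent firewall is dropped into a network that relies on spanning tree.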

  14. ARP Inspection
  ciscoasa(config)# arp interface_name ip_address mac_address [alias]
  • ARP inspection checks all ARP packets against static ARP entries and blocks mismatched packets.
  • This feature prevents ARP spoofing.
  • A static ARP entry maps a MAC address to an IP address and identifies the interface through which the host is reached.
    asa1(config)# arp outside 10.0.1.1 0009.7cbe.2100
  ciscoasa(config)# arp-inspection interface_name enable [flood | no-flood]
    asa1(config)# arp-inspection outside enable
    arp inspection enabled on outside
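  The following model, added here and not part of the slides or of Cisco's code, walks an ARP packet through the checks the slide describes. The static table comes from the arp command, inspection is switched on per interface, and a packet is forwarded, dropped as a mismatch, or handled by the flood / no-flood setting. The exact split between "mismatch" (IP or MAC known but bound differently) and "no match" (neither known) follows the ASA documentation as we read it and is an assumption, not text from the slides; the packets in the demo are constructed.

```python
# Added example (not from the slides or from Cisco): a model of what
# 'arp-inspection <if> enable [flood | no-flood]' does with each ARP packet.
#
# Behaviour modelled (the mismatch / no-match distinction is our reading of
# the ASA documentation, not text from the slides):
#   * static entries come from 'arp <interface> <ip> <mac>';
#   * sender IP, sender MAC and ingress interface all match an entry -> forward;
#   * IP or MAC is known but bound to a different MAC, IP or interface -> drop
#     (the ARP spoofing case the slide refers to);
#   * nothing known -> flood to the other interfaces ('flood', the default)
#     or drop ('no-flood').

from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ingress: str          # interface the packet arrived on
    sender_ip: str
    sender_mac: str       # Cisco dotted form, e.g. 0009.7cbe.2100


class ArpInspector:
    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.by_ip = {}       # ip  -> (interface, mac)
        self.by_mac = {}      # mac -> (interface, ip)
        self.mode = {}        # interface -> "flood" | "no-flood" (absent = off)

    def arp(self, interface, ip, mac):
        """Mirror of: arp <interface_name> <ip_address> <mac_address>."""
        mac = mac.lower()
        self.by_ip[ip] = (interface, mac)
        self.by_mac[mac] = (interface, ip)

    def arp_inspection(self, interface, mode="flood"):
        """Mirror of: arp-inspection <interface_name> enable [flood | no-flood]."""
        if mode not in ("flood", "no-flood"):
            raise ValueError(f"bad mode: {mode}")
        self.mode[interface] = mode

    def inspect(self, pkt):
        """Return (verdict, egress_interfaces) for one ARP packet."""
        others = [i for i in self.interfaces if i != pkt.ingress]
        mode = self.mode.get(pkt.ingress)
        if mode is None:
            return ("forward", others)          # inspection off on this interface
        mac = pkt.sender_mac.lower()
        if pkt.sender_ip in self.by_ip:
            if self.by_ip[pkt.sender_ip] == (pkt.ingress, mac):
                return ("forward", others)      # full match with a static entry
            return ("mismatch-drop", [])        # IP bound to another MAC/interface
        if mac in self.by_mac:
            return ("mismatch-drop", [])        # known MAC claiming a different IP
        if mode == "flood":
            return ("flood", others)            # no static entry: default behaviour
        return ("no-flood-drop", [])


def build_page_config():
    """The configuration shown on the slide, on an inside/outside appliance."""
    fw = ArpInspector(["inside", "outside"])
    fw.arp("outside", "10.0.1.1", "0009.7cbe.2100")
    fw.arp_inspection("outside")                # flood is the default
    return fw


if __name__ == "__main__":
    fw = build_page_config()
    # Constructed sample packets: one genuine, one spoofed, one unknown host.
    for pkt in (ArpPacket("outside", "10.0.1.1", "0009.7cbe.2100"),
                ArpPacket("outside", "10.0.1.1", "0010.7cbe.6101"),
                ArpPacket("outside", "10.0.1.77", "00aa.bbcc.ddee")):
        print(pkt.sender_ip, pkt.sender_mac, "->", fw.inspect(pkt))
```

  The point worth taking from the model is the last branch: with the default flood setting, a host that has no static entry at all is not blocked, so ARP inspection only protects the addresses you have pinned with static entries; no-flood turns the table into an allow-list.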

  15. Monitoring and Maintaining Transparent Firewall Mode

  16. MAC Address Table
  • The MAC address table is used to find the outgoing interface based on the destination MAC address.
  • Built dynamically; contents learned from source MAC addresses
  • No flooding if MAC address not found
    Interface   MAC Address       Type      Time Left
    --------------------------------------------------------
    outside     0009.7cbe.2100    dynamic   10
    inside      0010.7cbe.6101    dynamic   10
  [Diagram: VLAN 100 10.0.1.0 and VLAN 200 10.0.1.0 with hosts 0010.7cbe.6101 and 0009.7cbe.2100]

  17. Disabling MAC Address Learning
    Interface   MAC Address       Type      Time Left
    --------------------------------------------------------
    outside     0009.7cbe.2100    dynamic   10
    inside      0010.7cbe.6101    dynamic   10
  ciscoasa(config)# mac-learn interface_name disable
  • Disables MAC address learning for an interface
  • To re-enable MAC address learning, use the no form of this command.
  • By default, each interface automatically learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table.
    asa1(config)# mac-learn outside disable
    Disabling learning on outside
  [Diagram: VLAN 100 10.0.1.0 and VLAN 200 10.0.1.0 with hosts 0010.7cbe.6101 and 0009.7cbe.2100]

  18. Adding a Static MAC Address
    Interface   MAC Address       Type      Time Left
    --------------------------------------------------------
    outside     0009.7cbe.2100    static    -
    inside      0010.7cbe.6101    static    -
  ciscoasa(config)# mac-address-table static interface_name mac_address
  • Adds a static entry to the MAC address table
  • Guards against MAC spoofing (normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface)
    asa1(config)# mac-address-table static inside 0010.7cbe.6101
    Added <0010.7cbe.6101> to the bridge table
  [Diagram: VLAN 200 10.0.1.0 and VLAN 100 10.0.1.0 with hosts 0010.7cbe.6101 and 0009.7cbe.2100]

  19. Viewing the MAC Address Table
  ciscoasa# show mac-address-table [interface_name | count | static]
  • Displays the MAC address table
    asa1# show mac-address-table
    interface   mac address       type      Age(min)
    ------------------------------------------------------------
    inside      0010.7cbe.6101    static
    inside      0008.e3bc.5ee0    dynamic   5
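  Slides 16 to 19 describe the bridge table and the three commands that shape it. The model below is added here (it is not the slides' material and not Cisco software) and ties them together: dynamic learning from source MACs, mac-learn disable, a static entry, aging, and a show-style dump. Two behaviours are our reading rather than slide text: a frame whose source MAC has a static entry on a different interface is dropped (that is how we interpret "guards against MAC spoofing"), and a frame to an unknown destination is reported as unknown rather than flooded ("no flooding if MAC address not found"). The aging time and the sample frames are constructed.

```python
# Added example (not from the slides or from Cisco): a model of the
# transparent-mode MAC address (bridge) table and of the commands
# mac-learn <if> disable, mac-address-table static, and show mac-address-table.
#
# Assumptions not stated on the page: a source MAC with a static entry on
# another interface is treated as spoofing and dropped; an unknown destination
# is reported instead of flooded; dynamic entries age out after AGING_MINUTES.

from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ingress: str          # interface the frame arrived on
    src_mac: str
    dst_mac: str


class MacAddressTable:
    AGING_MINUTES = 5                              # assumed dynamic-entry lifetime

    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.entries = {}                          # mac -> [interface, type, age_left]
        self.learning = {i: True for i in interfaces}

    # --- configuration commands --------------------------------------------
    def mac_learn(self, interface, enable):
        """mac-learn <if> disable  (enable=False)  /  no mac-learn <if> disable."""
        self.learning[interface] = enable

    def add_static(self, interface, mac):
        """mac-address-table static <interface_name> <mac_address>."""
        self.entries[mac.lower()] = [interface, "static", None]

    # --- data path ----------------------------------------------------------
    def bridge(self, frame):
        """Return (verdict, egress_interface) for one frame and update the table."""
        src, dst = frame.src_mac.lower(), frame.dst_mac.lower()
        entry = self.entries.get(src)
        if entry and entry[1] == "static" and entry[0] != frame.ingress:
            return ("drop-mac-spoof", None)        # static entry says host is elsewhere
        if self.learning[frame.ingress] and (entry is None or entry[1] == "dynamic"):
            self.entries[src] = [frame.ingress, "dynamic", self.AGING_MINUTES]
        dst_entry = self.entries.get(dst)
        if dst_entry is None:
            return ("unknown", None)               # not flooded in transparent mode
        if dst_entry[0] == frame.ingress:
            return ("same-segment", None)          # nothing to bridge
        return ("forward", dst_entry[0])

    def age(self, minutes=1):
        """Advance the aging timer; expired dynamic entries are removed."""
        for mac in list(self.entries):
            iface, kind, left = self.entries[mac]
            if kind == "dynamic":
                left -= minutes
                if left <= 0:
                    del self.entries[mac]
                else:
                    self.entries[mac][2] = left

    def show(self):
        """Rows in the spirit of 'show mac-address-table': (interface, mac, type, age)."""
        return [(i, m, t, a) for m, (i, t, a) in sorted(self.entries.items())]


def build_page_table():
    """Table from the slides: a static inside entry plus a learned outside host."""
    table = MacAddressTable(["inside", "outside"])
    table.add_static("inside", "0010.7cbe.6101")
    # Constructed frame from the outside host on the slide toward the static host.
    table.bridge(Frame("outside", "0009.7cbe.2100", "0010.7cbe.6101"))
    return table


if __name__ == "__main__":
    table = build_page_table()
    for row in table.show():
        print(row)
    # Constructed spoof attempt: the static inside MAC shows up on outside.
    print(table.bridge(Frame("outside", "0010.7cbe.6101", "0009.7cbe.2100")))
```

  Running the demo shows why the static entry matters: once 0010.7cbe.6101 is pinned to inside, a frame claiming that source on outside is dropped rather than relearned, whereas a purely dynamic table would simply move the entry to the new interface.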

  20. debug Commands
  • Debug Support
    • debug arp-inspection: To track the code path of ARP forwarding and the ARP inspection module in the transparent firewall
    • debug mac-address-table: To track the insertions, deletions, or updates to the bridge table that is maintained for the transparent firewall
    asa1# debug arp-inspection
    asa1# debug mac-address-table

  21. Summary
  • A transparent firewall is a Layer 2 firewall that acts like a “bump in the wire” or a “stealth firewall” and is not seen as a router hop to connected devices.
  • The security appliance connects the same network on its inside and outside ports but uses different VLANs on the inside and outside.
  • Layer 2 monitoring and maintenance is performed by customizing the MAC address table.
