1 / 35

Network Security 2

Network Security 2. Module 8 – PIX Security Appliance Contexts, Failover, and Management. Module 8 – PIX Security Appliance Contexts, Failover, and Management. Lesson 8.1 Configure a PIX Security Appliance to Perform in Multiple Context Mode. Security Context Overview. Virtualization.

mbeau
Download Presentation

Network Security 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management

  2. Module 8 – PIX Security Appliance Contexts, Failover, and Management Lesson 8.1 Configure a PIX Security Appliance to Perform in Multiple Context Mode

  3. Security Context Overview

  4. Virtualization • You can partition a single security appliance into multiple virtual firewalls, known as security contexts. • Each context has its own configuration that identifies the security policy, interfaces, and almost all the options you can configure on a standalone firewall. • The system administrator adds and manages contexts by configuring them in the system configuration, which identifies basic settings for the security appliance. • When the system needs to access network resources, it uses one of the contexts that is designated as the admin context. Security Appliance Security Context A Security Context B Security Context C

  5. Common Uses for Security Contexts • You might want to use multiple security contexts in the following situations: • When a service provider wants to sell firewall services to many customers • When a large enterprise or a college campus wants to keep departments completely separate • When an enterprise wants to provide distinct security policies to different departments • When a network requires more than one firewall Security Appliance Security Context A Company A Security Context B Company B Security Context C Company C

  6. Service Provider–Managed Security Appliance with Multiple Contexts Service Provider Customer Internet VFW1 • Same service that is available with multiple security appliances • Now available in smaller, more manageable package VFW2 VFW3 VFW4

  7. Context Configuration Files • Context configuration files have the following characteristics: • Each context has its own configuration file. • The security appliance also includes a system configuration that identifies basic settings for the security appliance, including a list of contexts. Security Appliance System Config Security Context Admin Security Context Admin Config Security Context B Security Context B Config Security Context C Security Context C Config

  8. Packet Classification Security Appliance • Each packet that enters the security appliance must be classified so that the appliance can determine to which context to send a packet. • The appliance checks for the following: • Unique interfaces • MAC addresses • NAT configuration • The appliance uses the characteristic that is unique and not shared across contexts. • Routed mode allows shared interfaces • Transparent mode does not allow shared interfaces. Security Context A 000C.F142.4CDA 192.168.0.1 Security Context B 000C.F142.4CDC 192.168.0.1 Security Context C 000C.F142.4CDB 192.168.0.1

  9. Resource Management

  10. Resource Management • Limits the use of resources per context • Prevents one or more contexts from using too many resources and causing other contexts to be denied the use of resources • Enables you to configure limits for the following resources: • ASDM connections • Connections • Hosts • SSH sessions • Telnet sessions • Xlate objects • Application inspections (rate only) • Syslogs per second (rate only) SSH sessions limited to one for Context 2 Security Appliance Context 1 SSH SSH session 2 session 1 Internet Context 2 X

  11. Class Silver (some limits set) Class Bronze (some limits set) Class Gold (all limits set) The Default Resource Class Default Class Context D Context A Context C Context B

  12. Configuring Resource Management • Creates a name for a resource class and enters configuration mode for the class ciscoasa(config)# • class name ciscoasa(config-class)# • limit-resource {{all 0} | {rate resource_name value} | {resource_name value[%]}} • Specifies a resource limit for a class asa1(config)# class MEDIUM-RESOURCE-SET asa1(config-class)# limit-resource ASDM 4 asa1(config-calss)# limit-resource conns 20% • Limits the MEDIUM-RESOURCE-SET class to four ASDM sessions and 20 percent of the system connection limit asa1(config)# context TEST asa1(config-ctx)# member MEDIUM-RESOURCE-SET • Assigns the Test context to the Medium-Resource-Set class

  13. Enabling Multiple Context Mode

  14. Backing Up the Single-Mode Configuration • When you convert from single mode to multiple mode, the running configuration is converted into two files: • New startup configuration that comprises the system configuration • Admin.cfg that comprises the admin context • The original running configuration is saved as old_running.cfg (in disk). Security Appliance Multimode System Configuration Security ApplianceSingle Mode Security Context Admin RunningConfiguration Admin Configuration old_running.cfg Configuration

  15. The Admin Context • The admin context has the following characteristics: • The system execution space has no traffic-passing interfaces, • Uses the policies and interfaces of the admin context to communicate with other devices. • Used to fetch configurations for other contexts and send system-level syslogs. • Users logged in to the admin context are able to change to the system context and create new contexts. • Aside from its significance to the system, it could be used as a regular context. Security Appliance Multimode System Configuration Security Context Admin Admin Configuration Security Context A Security Context B

  16. Enabling and Disabling MultipleContext Mode • Selects the context mode as follows: • multiple: Sets multiple context mode (mode with security contexts) • single: Sets single context mode (mode without security contexts) • noconfirm: Sets the mode without prompting you for confirmation ciscoasa(config)# • mode {single | multiple} [noconfirm] • Before you convert from multiple mode to single mode, copy the backup version of the original running configuration to the current startup configuration. asa1(config)# mode multiple

  17. Viewing the Current Context Mode ciscoasa# • show mode • Shows the current firewall mode asa1# show mode Firewall mode: multiple The flash mode is the SAME as the running mode.

  18. Configuring a Security Context

  19. Adding a Context ciscoasa(config)# • context name • Adds or modifies a context • The name is a case-sensitive string up to 32 characters long. • “System” and “Null” (in uppercase or lowercase letters) are reserved names and cannot be used. asa1(config)# context CONTEXT1 Creating context ‘CONTEXT1'... Done. (4) asa1(config-ctx)#

  20. Config Context Submode: Allocating Interfaces ciscoasa(config-ctx)# • allocate-interface physical_interface.subinterface[-physical_interface.subinterface] [map_name[-map_name]] [visible | invisible] • Allocates interfaces to a security context • Interfaces must initially be enabled in system configuration mode before being allocated to a context. • Initially the context created will not have access to any interfaces. asa1(config-ctx)# allocate-interface gigabitethernet0/1 asa1(config-ctx)# allocate-interface gigabitethernet1/1.100 int1

  21. Assigning Context-Specific MAC Addresses to an Interface • Automatically generates MAC addresses for shared interfaces in contexts ciscoasa(config)# • mac-address auto SecurityAppliance • Enables the security appliance to easily classify packets into the appropriate context Security Context A 000C.F142.4CDA 192.168.0.1 g0/1 SecurityContext B 000C.F142.4CDC 192.168.0.1 ciscoasa/CONTEXT1(config-if)# mac-address mac_address [standby mac_address] • Assigns a different MAC address for each context to a single interface asa1/CONTEXTA(config-if)# mac-address 000C.F142.4CDA

  22. Configuration of Contexts • Each context has its own configuration file, which is specified using the config-url command. • Until the config-urlcommand has been entered, the context is not operational. • The config-url command accepts the following URL types: • disk0/flash: Configurations stored on the flash file system of the device • disk1: Configurations stored on the compact flash memory card of the device • tftp: TFTP server-based configurations • ftp: FTP server-based configurations • https: Webserver-based configurations (read-only)

  23. Config Context Submode: Designating the Configuration File • Identifies the URL from which the system downloads the context configuration • When adding a context URL, system immediately loads the context so that it is running. • If system cannot retrieve the context configuration file, it creates a blank context. ciscoasa(config-ctx)# • config-url url asa1(config-ctx)# config-url disk0:/CONTEXT3.cfg asa1(config-ctx)# show run … context CONTEXT3 allocate-interface GigabitEthernet0/0 allocate-interface GigabitEthernet0/1 config-url disk0:/CONTEXT3.cfg …

  24. Assigning Resources to Contexts • Assigns a context to a resource class ciscoasa(config-ctx)# • member class_name asa1(config)# class MEDIUM-RESOURCE-SET asa1(config-class)# limit-resource ASDM 4 asa1(config-class)# limit-resource conns 20% asa1(config-class)# exit asa1(config)# context CONTEXT1 asa1(config-ctx)# member MEDIUM-RESOURCE-SET • As a member of class MEDIUM-RESOURCE-SET, CONTEXT1 has the following limits: • ASDM sessions: Four • Connections: 20%

  25. Saving Context Configurations • After the context has been activated, it is configured much the same as any security appliance standalone device, as follows: • Once in a context, you can enter the configuration mode to modify the context configuration. • The startup configuration for a context resides where the config-url command specifies. • The location of the startup configuration cannot be changed from within the context. • Commands such as write mem and copy run start manipulate the configuration location specified by the config-url command. • You can use the write memory all command to save all context configurations, including the system configuration, at the same time.

  26. Managing Security Contexts

  27. Removing a Security Context ciscoasa(config)# • no context name • You can only remove a context by editing the system configuration. • You cannot remove the current admin context unless you remove all contexts. • A reboot is not required when creating or removing a context. asa1(config)# no context CONTEXT3 WARNING: Removing context ‘CONTEXT3' Proceed with removing the context? [confirm] ciscoasa(config)# • clear configure context • Removes all contexts, including the administrative context.

  28. Changing the Admin Context ciscoasa(config)# • admin-context name • Sets any context as the admin context asa1(config)# admin-context CONTEXT2 asa1(config)# show run … admin-context CONTEXT2 context CONTEXT2 allocate-interface GigabitEthernet0/0 allocate-interface GigabitEthernet0/1 allocate-interface GigabitEthernet0/3 config-url disk0:/CONTEXT2.cfg …

  29. Changing Between Contexts ciscoasa# • changeto {system | context name} • Changes the environment to the system execution space or to the context specified asa1# changeto context CONTEXT1 asa1/CONTEXT1# • Changes the environment to Context 1 asa1/CONTEXT1# changeto system asa1# • Changes the environment to the system execution space

  30. Viewing Context Information ciscoasa# • show context [name | detail | count] • Displays contexts and context information • An asterisk (*) designates an admin context. asa1# show context Context Name Interfaces URL *admin GigabitEthernet0/0 disk0:/admin.cfg GigabitEthernet0/1 CONTEXT1 GigabitEthernet0/0 disk0:/CONTEXT1.cfg GigabitEthernet0/2 CONTEXT2 GigabitEthernet0/0 disk0:/CONTEXT2.cfg GigabitEthernet0/3 Total active Security Contexts: 3…

  31. Viewing Context Information (Cont.) ciscoasa# • show context [name | detail | count] • The detail option shows additional information. • The count option shows the total number of contexts. asa1# show context detail Context "admin", has been created, but initial ACL rules not complete Config URL: disk0:/admin.cfg Real Interfaces: GigabitEthernet0/0, GigabitEthernet0/1 Mapped Interfaces: GigabitEthernet0/0, GigabitEthernet0/1 Flags: 0x00000013, ID: 1 …

  32. Summary

  33. Summary • Virtual firewalls allow you to separate the security appliance into multiple independent firewalls called security contexts. • Packets can be classified by: • Unique interfaces • MAC addresses • NAT configuration • You can assign a different MAC address to each context that uses a shared interface. • You can configure resource management to limit the use of resources per context. • Security contexts can be managed and configured independently.

  34. Q and A

More Related