350 likes | 479 Views
Network Security 2. Module 8 – PIX Security Appliance Contexts, Failover, and Management. Module 8 – PIX Security Appliance Contexts, Failover, and Management. Lesson 8.1 Configure a PIX Security Appliance to Perform in Multiple Context Mode. Security Context Overview. Virtualization.
E N D
Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management
Module 8 – PIX Security Appliance Contexts, Failover, and Management Lesson 8.1 Configure a PIX Security Appliance to Perform in Multiple Context Mode
Virtualization • You can partition a single security appliance into multiple virtual firewalls, known as security contexts. • Each context has its own configuration that identifies the security policy, interfaces, and almost all the options you can configure on a standalone firewall. • The system administrator adds and manages contexts by configuring them in the system configuration, which identifies basic settings for the security appliance. • When the system needs to access network resources, it uses one of the contexts that is designated as the admin context. Security Appliance Security Context A Security Context B Security Context C
Common Uses for Security Contexts • You might want to use multiple security contexts in the following situations: • When a service provider wants to sell firewall services to many customers • When a large enterprise or a college campus wants to keep departments completely separate • When an enterprise wants to provide distinct security policies to different departments • When a network requires more than one firewall Security Appliance Security Context A Company A Security Context B Company B Security Context C Company C
Service Provider–Managed Security Appliance with Multiple Contexts Service Provider Customer Internet VFW1 • Same service that is available with multiple security appliances • Now available in smaller, more manageable package VFW2 VFW3 VFW4
Context Configuration Files • Context configuration files have the following characteristics: • Each context has its own configuration file. • The security appliance also includes a system configuration that identifies basic settings for the security appliance, including a list of contexts. Security Appliance System Config Security Context Admin Security Context Admin Config Security Context B Security Context B Config Security Context C Security Context C Config
Packet Classification Security Appliance • Each packet that enters the security appliance must be classified so that the appliance can determine to which context to send a packet. • The appliance checks for the following: • Unique interfaces • MAC addresses • NAT configuration • The appliance uses the characteristic that is unique and not shared across contexts. • Routed mode allows shared interfaces • Transparent mode does not allow shared interfaces. Security Context A 000C.F142.4CDA 192.168.0.1 Security Context B 000C.F142.4CDC 192.168.0.1 Security Context C 000C.F142.4CDB 192.168.0.1
Resource Management • Limits the use of resources per context • Prevents one or more contexts from using too many resources and causing other contexts to be denied the use of resources • Enables you to configure limits for the following resources: • ASDM connections • Connections • Hosts • SSH sessions • Telnet sessions • Xlate objects • Application inspections (rate only) • Syslogs per second (rate only) SSH sessions limited to one for Context 2 Security Appliance Context 1 SSH SSH session 2 session 1 Internet Context 2 X
Class Silver (some limits set) Class Bronze (some limits set) Class Gold (all limits set) The Default Resource Class Default Class Context D Context A Context C Context B
Configuring Resource Management • Creates a name for a resource class and enters configuration mode for the class ciscoasa(config)# • class name ciscoasa(config-class)# • limit-resource {{all 0} | {rate resource_name value} | {resource_name value[%]}} • Specifies a resource limit for a class asa1(config)# class MEDIUM-RESOURCE-SET asa1(config-class)# limit-resource ASDM 4 asa1(config-calss)# limit-resource conns 20% • Limits the MEDIUM-RESOURCE-SET class to four ASDM sessions and 20 percent of the system connection limit asa1(config)# context TEST asa1(config-ctx)# member MEDIUM-RESOURCE-SET • Assigns the Test context to the Medium-Resource-Set class
Backing Up the Single-Mode Configuration • When you convert from single mode to multiple mode, the running configuration is converted into two files: • New startup configuration that comprises the system configuration • Admin.cfg that comprises the admin context • The original running configuration is saved as old_running.cfg (in disk). Security Appliance Multimode System Configuration Security ApplianceSingle Mode Security Context Admin RunningConfiguration Admin Configuration old_running.cfg Configuration
The Admin Context • The admin context has the following characteristics: • The system execution space has no traffic-passing interfaces, • Uses the policies and interfaces of the admin context to communicate with other devices. • Used to fetch configurations for other contexts and send system-level syslogs. • Users logged in to the admin context are able to change to the system context and create new contexts. • Aside from its significance to the system, it could be used as a regular context. Security Appliance Multimode System Configuration Security Context Admin Admin Configuration Security Context A Security Context B
Enabling and Disabling MultipleContext Mode • Selects the context mode as follows: • multiple: Sets multiple context mode (mode with security contexts) • single: Sets single context mode (mode without security contexts) • noconfirm: Sets the mode without prompting you for confirmation ciscoasa(config)# • mode {single | multiple} [noconfirm] • Before you convert from multiple mode to single mode, copy the backup version of the original running configuration to the current startup configuration. asa1(config)# mode multiple
Viewing the Current Context Mode ciscoasa# • show mode • Shows the current firewall mode asa1# show mode Firewall mode: multiple The flash mode is the SAME as the running mode.
Adding a Context ciscoasa(config)# • context name • Adds or modifies a context • The name is a case-sensitive string up to 32 characters long. • “System” and “Null” (in uppercase or lowercase letters) are reserved names and cannot be used. asa1(config)# context CONTEXT1 Creating context ‘CONTEXT1'... Done. (4) asa1(config-ctx)#
Config Context Submode: Allocating Interfaces ciscoasa(config-ctx)# • allocate-interface physical_interface.subinterface[-physical_interface.subinterface] [map_name[-map_name]] [visible | invisible] • Allocates interfaces to a security context • Interfaces must initially be enabled in system configuration mode before being allocated to a context. • Initially the context created will not have access to any interfaces. asa1(config-ctx)# allocate-interface gigabitethernet0/1 asa1(config-ctx)# allocate-interface gigabitethernet1/1.100 int1
Assigning Context-Specific MAC Addresses to an Interface • Automatically generates MAC addresses for shared interfaces in contexts ciscoasa(config)# • mac-address auto SecurityAppliance • Enables the security appliance to easily classify packets into the appropriate context Security Context A 000C.F142.4CDA 192.168.0.1 g0/1 SecurityContext B 000C.F142.4CDC 192.168.0.1 ciscoasa/CONTEXT1(config-if)# mac-address mac_address [standby mac_address] • Assigns a different MAC address for each context to a single interface asa1/CONTEXTA(config-if)# mac-address 000C.F142.4CDA
Configuration of Contexts • Each context has its own configuration file, which is specified using the config-url command. • Until the config-urlcommand has been entered, the context is not operational. • The config-url command accepts the following URL types: • disk0/flash: Configurations stored on the flash file system of the device • disk1: Configurations stored on the compact flash memory card of the device • tftp: TFTP server-based configurations • ftp: FTP server-based configurations • https: Webserver-based configurations (read-only)
Config Context Submode: Designating the Configuration File • Identifies the URL from which the system downloads the context configuration • When adding a context URL, system immediately loads the context so that it is running. • If system cannot retrieve the context configuration file, it creates a blank context. ciscoasa(config-ctx)# • config-url url asa1(config-ctx)# config-url disk0:/CONTEXT3.cfg asa1(config-ctx)# show run … context CONTEXT3 allocate-interface GigabitEthernet0/0 allocate-interface GigabitEthernet0/1 config-url disk0:/CONTEXT3.cfg …
Assigning Resources to Contexts • Assigns a context to a resource class ciscoasa(config-ctx)# • member class_name asa1(config)# class MEDIUM-RESOURCE-SET asa1(config-class)# limit-resource ASDM 4 asa1(config-class)# limit-resource conns 20% asa1(config-class)# exit asa1(config)# context CONTEXT1 asa1(config-ctx)# member MEDIUM-RESOURCE-SET • As a member of class MEDIUM-RESOURCE-SET, CONTEXT1 has the following limits: • ASDM sessions: Four • Connections: 20%
Saving Context Configurations • After the context has been activated, it is configured much the same as any security appliance standalone device, as follows: • Once in a context, you can enter the configuration mode to modify the context configuration. • The startup configuration for a context resides where the config-url command specifies. • The location of the startup configuration cannot be changed from within the context. • Commands such as write mem and copy run start manipulate the configuration location specified by the config-url command. • You can use the write memory all command to save all context configurations, including the system configuration, at the same time.
Removing a Security Context ciscoasa(config)# • no context name • You can only remove a context by editing the system configuration. • You cannot remove the current admin context unless you remove all contexts. • A reboot is not required when creating or removing a context. asa1(config)# no context CONTEXT3 WARNING: Removing context ‘CONTEXT3' Proceed with removing the context? [confirm] ciscoasa(config)# • clear configure context • Removes all contexts, including the administrative context.
Changing the Admin Context ciscoasa(config)# • admin-context name • Sets any context as the admin context asa1(config)# admin-context CONTEXT2 asa1(config)# show run … admin-context CONTEXT2 context CONTEXT2 allocate-interface GigabitEthernet0/0 allocate-interface GigabitEthernet0/1 allocate-interface GigabitEthernet0/3 config-url disk0:/CONTEXT2.cfg …
Changing Between Contexts ciscoasa# • changeto {system | context name} • Changes the environment to the system execution space or to the context specified asa1# changeto context CONTEXT1 asa1/CONTEXT1# • Changes the environment to Context 1 asa1/CONTEXT1# changeto system asa1# • Changes the environment to the system execution space
Viewing Context Information ciscoasa# • show context [name | detail | count] • Displays contexts and context information • An asterisk (*) designates an admin context. asa1# show context Context Name Interfaces URL *admin GigabitEthernet0/0 disk0:/admin.cfg GigabitEthernet0/1 CONTEXT1 GigabitEthernet0/0 disk0:/CONTEXT1.cfg GigabitEthernet0/2 CONTEXT2 GigabitEthernet0/0 disk0:/CONTEXT2.cfg GigabitEthernet0/3 Total active Security Contexts: 3…
Viewing Context Information (Cont.) ciscoasa# • show context [name | detail | count] • The detail option shows additional information. • The count option shows the total number of contexts. asa1# show context detail Context "admin", has been created, but initial ACL rules not complete Config URL: disk0:/admin.cfg Real Interfaces: GigabitEthernet0/0, GigabitEthernet0/1 Mapped Interfaces: GigabitEthernet0/0, GigabitEthernet0/1 Flags: 0x00000013, ID: 1 …
Summary • Virtual firewalls allow you to separate the security appliance into multiple independent firewalls called security contexts. • Packets can be classified by: • Unique interfaces • MAC addresses • NAT configuration • You can assign a different MAC address to each context that uses a shared interface. • You can configure resource management to limit the use of resources per context. • Security contexts can be managed and configured independently.