Network technologies and trends


September 26, 2016  4:43 AM

Cisco ASA FirePOWER Services and High Availability – Series 2

Yasir Irfan
Arp, Cisco Firewall, Dynamic Routing, Failover, firewall, NAT, NetFlow, Routing, Syslog, TCP, UDP

The Cisco ASA appliance offers failover in the following states:

  • Stateless failover
  • Stateful failover

By default the Cisco ASA appliance performs stateless failover. In this mode of operation the active unit does the following:

  • Synchronises its configuration with the standby unit.
  • Maintains all stateful flow information.
  • Does not synchronise stateful flow information with the standby unit.

Stateless failover is not a viable option for most deployments: when failover occurs, every connection has to be re-established, so this mode simply cannot keep services available without disruption. However, some hardware platforms, such as the Cisco ASA 5505, are only capable of stateless failover.

When stateful failover is enabled, the Cisco ASA active unit synchronises the following with the standby unit:

  • Stateful table for TCP and UDP connections
  • Routing table, both static and dynamically learned routes
  • ARP table
  • Bridge-group MAC mapping table in transparent mode
  • Application inspection data for certain applications, such as:
    • Packet Data Protocol (PDP)
    • General Packet Radio Service (GPRS)
    • GPRS Tunnelling Protocol (GTP)
    • Session Initiation Protocol (SIP) signalling tables
  • VPN data structures such as Security Associations (SAs)

However, stateful failover covers only the Cisco ASA software features, whereas the Cisco ASA FirePOWER module tracks connection state independently. When failover occurs, ASA FirePOWER flows are transferred to the new active unit, but the FirePOWER module on that unit can inspect the traffic only from that point onward, because the old inspection states are not transferred during the failover process.

September 24, 2016  6:31 PM

Cisco ASA FirePOWER Services and  High Availability – Series 1

Yasir Irfan
Arp, Cisco Firewall, Dynamic Routing, Failover, firewall, NAT, Routing, Syslog, TCP, UDP

The Cisco ASA appliance with FirePOWER Services is capable of offering high availability using failover and clustering. When it comes to failover, the Cisco ASA supports the following types:

  • Active/Standby
  • Active/Active

When deployed in Active/Standby failover mode, the Cisco ASA appliance with FirePOWER Services offers device-level redundancy: only one unit of the failover pair remains in active mode, while the other ASA appliance remains in standby mode.

Figure 1.1 - ASA Active/Standby Mode

The ASA appliance in active mode is responsible for the following:

  • Accepts all configuration commands from the user and replicates them to the standby unit.
  • Processes all transit traffic.
  • Applies security policies, and builds and tears down connections.
  • Synchronises all connection information, such as global pool addresses, the NAT translation table, TCP/UDP states and the ARP table, with the standby unit, provided it is configured in stateful failover mode.
  • Forwards all syslog messages and NetFlow Secure Event Logging (NSEL) records to the configured event or log collector.
  • Participates in building and maintaining dynamic routing adjacencies with peer routing devices.

The standby device does not process any transit traffic it receives; it simply drops it and accepts only management connections. The standby ASA appliance becomes fully active automatically when the active ASA appliance becomes less operationally healthy than its peer.
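As an added illustration for the two failover posts above (Series 1 and Series 2), not Cisco code or anything from the original posts, the following Python model shows what survives on the newly active unit after a failover: configuration is replicated in both modes, connection and ARP state only under stateful failover, and the FirePOWER module's inspection state in neither. The unit names, the flow tuples and the way each table is modelled are assumptions made for the example.

```python
"""Toy model of Cisco ASA Active/Standby failover, written for this page as an
illustration of stateless versus stateful failover. It is not Cisco code; the
unit names, the flow tuples and the way each table is modelled are assumptions
that follow the blog posts, not the ASA implementation."""

from dataclasses import dataclass, field


@dataclass
class Unit:
    """One member of the failover pair and the tables it holds."""
    name: str
    role: str                                        # "active" or "standby"
    config: dict = field(default_factory=dict)       # replicated in both modes
    conn_table: dict = field(default_factory=dict)   # TCP/UDP state, stateful only
    arp_table: dict = field(default_factory=dict)    # stateful only
    firepower_state: dict = field(default_factory=dict)  # never replicated


class FailoverPair:
    def __init__(self, stateful):
        self.stateful = stateful
        self.active = Unit("ASA-1", "active")
        self.standby = Unit("ASA-2", "standby")

    def configure(self, command, value):
        # The active unit accepts the command and replicates it to the standby
        # in both stateless and stateful mode.
        self.active.config[command] = value
        self.standby.config[command] = value

    def open_connection(self, flow, arp_entry=None):
        # The active unit builds the connection and its FirePOWER module
        # starts tracking the flow.
        self.active.conn_table[flow] = "ESTABLISHED"
        self.active.firepower_state[flow] = "inspecting"
        if arp_entry:
            self.active.arp_table[arp_entry[0]] = arp_entry[1]
        if self.stateful:
            # Stateful failover: connection and ARP entries are synchronised.
            self.standby.conn_table[flow] = "ESTABLISHED"
            if arp_entry:
                self.standby.arp_table[arp_entry[0]] = arp_entry[1]
        # FirePOWER inspection state is not synchronised in either mode.

    def failover(self):
        """Promote the standby and report what the new active unit still has."""
        self.active, self.standby = self.standby, self.active
        self.active.role, self.standby.role = "active", "standby"
        carried_over = len(self.active.firepower_state)  # always 0
        # Surviving flows are inspected only from this point on.
        for flow in self.active.conn_table:
            self.active.firepower_state[flow] = "inspecting-from-failover"
        return {
            "new_active": self.active.name,
            "config_replicated": self.active.config == self.standby.config,
            "surviving_connections": len(self.active.conn_table),
            "surviving_arp_entries": len(self.active.arp_table),
            "firepower_states_carried_over": carried_over,
        }


def run_scenario(stateful):
    """Build a pair, push config, open two flows, then fail over."""
    pair = FailoverPair(stateful)
    pair.configure("access-list outside_in", "permit tcp any any eq 443")
    # Constructed sample flows (src, dst, protocol/port) and one ARP entry.
    pair.open_connection(("10.1.1.10", "203.0.113.5", "tcp/443"),
                         arp_entry=("10.1.1.10", "00:11:22:33:44:55"))
    pair.open_connection(("10.1.1.11", "203.0.113.9", "udp/53"))
    return pair.failover()


if __name__ == "__main__":
    for mode in (False, True):
        print("stateful" if mode else "stateless", run_scenario(mode))
```

Running the script with both modes shows the practical difference: in the stateless case the new active unit has the same configuration but zero established connections, so every client must reconnect, while in the stateful case both flows and the ARP entry survive. In both cases the FirePOWER inspection state starts from scratch, which is the point made at the end of the Series 2 post.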

 


September 17, 2016  6:29 AM

Cisco Router Selector may be your next tool to select the right router

Yasir Irfan
Business, Cisco, Functional, Functional requirements, Network, Network design, router, SMB, tool, User experience, virtual

When it comes to designing a network one needs to think from many aspects, and one such aspect is scalability. It has been observed that most SMBs rely purely on their own team to choose the technology or the product. This is especially true when they want to upgrade their old router with a new one. Selecting the right product with no design experience is quite hard, and it has often been observed that most SMBs end up buying either a lower-spec device or a much higher-end device than they need. To overcome this challenge for Cisco routers, Cisco is offering the Cisco Router Selector to select a router which fits the needs of an organization.

Figure 1.1 - Cisco Router Selector

By simply answering a few questions one can identify the right Cisco router; currently the Cisco Router Selector allows one to select Branch Routers and Network Edge Routers. The tool recommends a Cisco edge router based on encryption throughput and on whether the router is physical or virtual, which is fine for SMBs.

Figure 1.2 - Router Selector model

It is a good offering from Cisco, as one can get an idea of what to buy; however, this tool cannot replace the work of network designers and architects, who design networks from many dimensions, a few of which are the customer's business needs, functional requirements, technical requirements and user experience.


September 13, 2016  1:55 PM

What is Cisco FMW portal?

Yasir Irfan
ASA, Checkpoint, Cisco, Cisco ASA, firewall, Juniper, Migration, Software

When migrating a Cisco ASA firewall from an older Cisco ASA platform to another Cisco ASA 5500 or 5500-X series platform, or even from an older ASA version 7.2(x), 8.0(x), 8.1(x) or 8.2(x) to version 9.1(x) or 9.2(x), one can rely on the Cisco FWM portal. This web-based portal provides a unified interface to carry out configuration conversions in a secure manner to the desired Cisco ASA platform with very little effort.

Firewall migration tools, either in the form of a virtual machine or a web portal, provide a good review of a migration planned from one version to another or from one vendor to another. But it is hard to rely on them completely, as they might miss a few things. The Cisco FWM portal provides a good platform to plan firewall migrations.

Cisco FMW portal

The Cisco FWM web portal is quite easy to navigate and also has good online documentation on how the portal works. Currently Cisco is offering migrations from one Cisco platform to another Cisco ASA platform, and the conversion can be done from version 7.2(x), 8.0(x), 8.1(x) or 8.2(x) to version 9.1(x) or 9.2(x).

Cisco is supposed to offer migration for Juniper SRX firewalls and Check Point firewalls; however, currently this is not offered, although Cisco claims it will be offered soon.

The migration process is quite easy: one simply needs to follow the instructions on the web portal to get the converted file. Based on experience, we recommend not relying completely on the converted file, as there will be a few errors in the conversion. However, it proves to be a good reference file to have while planning the migration from one train of ASA software to another.


September 9, 2016  10:44 AM

What is Cisco Firepower Threat Defense (FTD)?

Yasir Irfan
application, ASA, BGP, Cisco, Decryption, EIGRP, filtering, firewall, Integration, ISE, malware, Multicast, OSPF, RIP, Routing, Software, SSL, Static Routing, URL, VPN

Cisco Firepower Threat Defense (FTD) is a unified software image which includes the Cisco ASA features and FirePOWER Services. This unified software offers the functions of ASA and FirePOWER on one platform, in terms of both hardware and software features. This seems to be a good approach by Cisco, especially when most Next Generation Firewall vendors are offering Next Generation solutions on a single platform with a unified image. Currently the Cisco Firepower Threat Defense (FTD) unified software image is available in the following releases:

  • 6.0
  • 6.2

Cisco Firepower Threat Defense (FTD) is capable of offering the following Next-Generation Firewall services:

  • Stateful firewall capabilities
  • Static and dynamic routing
    • Supports RIP, OSPF, BGP and static routing
  • Next-Generation Intrusion Prevention System (NGIPS)
  • URL Filtering
  • Application Visibility and Control (AVC)
  • Advanced Malware Protection
  • ISE integration
  • SSL decryption
  • Captive portal
  • Multi-domain management

Currently the Cisco Firepower Threat Defense (FTD) unified software can be deployed on the Cisco Firepower 4100 Series and Firepower 9300 appliances; the FTD can also be deployed on the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X and ASA 5555-X. However, the Cisco Firepower Threat Defense (FTD) unified software cannot be deployed on the Cisco ASA 5505 and 5585-X Series appliances.

Some of the key features which Cisco Firepower Threat Defense (FTD) currently lacks are as follows:

  • VPN function
  • Multiple context mode
  • EIGRP and multicast
  • Support for Cisco ASA 5505 and 5585-X appliances

The lack of VPN function is a major drawback which Cisco needs to overcome in an upcoming release of the Cisco Firepower Threat Defense image. This certainly discourages enterprise customers from adopting the Cisco Firepower Threat Defense unified image on their supported ASA 5500-Series platforms.


August 29, 2016  3:53 PM

Cisco ASA FirePOWER Services Licensing

Yasir Irfan
ASA, Cisco, detection, firewall, License, malware, URL

In order to have the full Next Generation features enabled on the Cisco ASA FirePOWER module, one should ensure they have the appropriate licenses. Currently Cisco offers the following licenses for Cisco ASA FirePOWER Services:

License Types

License Type    Service subscription to purchase  Granted capabilities                                   Requires     Expire capable?
Protection      TA                                intrusion detection and prevention, file control,      none         no
                                                  Security Intelligence filtering
Control         none (included with module)       user and application control                           Protection   no
Malware         TAM, TAMC, or AMP                 advanced malware protection (network-based malware     Protection   yes
                                                  detection and blocking)
URL Filtering   TAC, TAMC, or URL                 category and reputation-based URL filtering            Protection   yes

Protection License:

The Protection license is used to perform intrusion detection and prevention, file control, and Security Intelligence filtering.

Control License:

The Control license is used to implement user and application control. The Protection license allows one to create access control policies based on user identity and application settings; however, those rules cannot be applied unless a Control license is installed and enabled on the ASA FirePOWER module.

Malware License:

The Malware license enables Advanced Malware Protection (AMP) in the Cisco ASA FirePOWER module. With this license one can detect and block malware potentially transmitted over the network.

URL Filtering License:

The URL Filtering license is used to allow or block traffic passing through the ASA firewall based on URL categories, individual URLs or groups of URLs. An access control policy is created for this action.

One can mix and match these licenses on the Cisco ASA FirePOWER module based on business need.


August 26, 2016  6:17 AM

Shadow Brokers group and Cisco exploit

Yasir Irfan
ASA, Cisco, NSA, Security, SNMP, Software, vulnerability

The recent claims by the Shadow Brokers group to have stolen hacking tools that might belong to the National Security Agency (NSA) have drawn the interest of major security vendors. Cisco acknowledged that there is a vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) software which could allow an authenticated remote attacker to cause a reload of the affected ASA or to execute code remotely. The only prerequisite to exploit this vulnerability is knowledge of the SNMP community string for SNMP version 1 and SNMP version 2c, or a valid username and password for SNMP version 3.

The following products are affected:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 4100 Series
  • Cisco Firepower 9300 ASA Security Module
  • Cisco Firepower Threat Defense Software
  • Cisco Firewall Services Module (FWSM)
  • Cisco Industrial Security Appliance 3000
  • Cisco PIX Firewalls

Initially, the workaround offered by Cisco was to ensure that only trusted users have SNMP access to Cisco security products, using the snmp-server host command.

The following link provides step-by-step guidance on how SNMP is configured in the Cisco ASA:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/monitor-snmp.html

This falls under best practices, and one should always follow the recommended security best practices; those who are already following them are safe. It is worth revisiting all Cisco security appliance configurations and doing a thorough review.

Cisco has also released new software versions which address this vulnerability:

Fixed Releases

Cisco ASA Major Release   First Fixed Release
7.2                       Affected; migrate to 9.1.7(9) or later
8.0                       Affected; migrate to 9.1.7(9) or later
8.1                       Affected; migrate to 9.1.7(9) or later
8.2                       Affected; migrate to 9.1.7(9) or later
8.3                       Affected; migrate to 9.1.7(9) or later
8.4                       Affected; migrate to 9.1.7(9) or later
8.5                       Affected; migrate to 9.1.7(9) or later
8.6                       Affected; migrate to 9.1.7(9) or later
8.7                       Affected; migrate to 9.1.7(9) or later
9.0                       9.0.4(40)
9.1                       9.1.7(9)
9.2                       9.2.4(14)
9.3                       9.3.3(10)
9.4                       9.4.3(8) ETA 8/26/2016
9.5                       9.5(3) ETA 8/30/2016
9.6 (FTD)                 9.6.1(11) / FTD 6.0.1(2)
9.6 (ASA)                 9.6.2

The fix table issued by Cisco shows that all major ASA software trains are affected and that the older trains need an upgrade to a 9.x (ASA) train, which means one should ensure the hardware in use has enough memory. It is better to contact Cisco TAC for advice on how to proceed with the upgrade.
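To turn the table above and the snmp-server host workaround into a repeatable check, here is an added Python helper written for this page (not a Cisco tool and not from the original post). It parses an ASA "show version" line, compares the running version against the first fixed releases listed above, and reviews the snmp-server lines of a configuration for explicit host restrictions and conventional default community strings. The version strings come from the post's table; the "show version" line and the configuration lines are constructed samples, and treating "public"/"private" as guessable is an assumption made for the example.

```python
"""Added helper written for this page, not a Cisco tool: check an ASA's
software version against the first fixed releases listed in the post above,
and review its snmp-server configuration for the host restriction Cisco
recommended as a workaround. The version strings are taken from the post's
table; the 'show version' line and configuration below are constructed
samples, not output from any real device."""

import re

# First fixed release per 9.x train, from the post's table (the 9.6 FTD row
# is not modelled here). Every 7.x and 8.x train must migrate instead.
FIRST_FIXED = {
    "9.0": "9.0.4(40)",
    "9.1": "9.1.7(9)",
    "9.2": "9.2.4(14)",
    "9.3": "9.3.3(10)",
    "9.4": "9.4.3(8)",
    "9.5": "9.5(3)",
    "9.6": "9.6.2",
}
MIGRATE_TO = "9.1.7(9)"

# Constructed sample input (not from a real device).
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.1(5)21"
SAMPLE_CONFIG = """\
snmp-server host inside 10.1.1.50 community N3tM0n-r0 version 2c
snmp-server host inside 10.1.1.51 poll community public version 2c
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
"""


def version_tuple(version):
    """Turn '9.1(7)9', '9.1.7(9)' or '9.6.2' into a comparable tuple of ints.
    Both ways of writing an interim release yield the same tuple."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def version_status(version):
    """Return (status, advice) for a running ASA version string."""
    running = version_tuple(version)
    if running[0] < 9:
        return "affected", f"migrate to {MIGRATE_TO} or later"
    train = f"{running[0]}.{running[1]}"
    if train not in FIRST_FIXED:
        return "unknown", "train not in the post's table; check the Cisco advisory"
    fixed = FIRST_FIXED[train]
    if running < version_tuple(fixed):
        return "affected", f"upgrade to {fixed} or later"
    return "fixed", f"running {version}, at or above {fixed}"


def review_snmp(config_text):
    """Collect SNMP hosts, community strings and v3 users from ASA config."""
    hosts, communities, v3_users = [], set(), []
    for line in config_text.splitlines():
        words = line.split()
        if words[:2] == ["snmp-server", "host"] and len(words) >= 4:
            hosts.append((words[2], words[3]))  # interface, NMS address
            if "community" in words:
                communities.add(words[words.index("community") + 1])
        elif words[:2] == ["snmp-server", "community"] and len(words) >= 3:
            communities.add(words[2])
        elif words[:2] == ["snmp-server", "user"] and len(words) >= 3:
            v3_users.append(words[2])
    # Assumption for this example: 'public' and 'private' are flagged because
    # they are the conventional defaults and therefore easy to guess.
    weak = sorted(c for c in communities if c.lower() in ("public", "private"))
    return {
        "hosts": hosts,
        "communities": sorted(communities),
        "weak_communities": weak,
        "v3_users": v3_users,
        "host_restriction_present": bool(hosts),
    }


def assess(show_version_line, config_text):
    """Combine the version check and the SNMP review into one report."""
    match = re.search(r"Software Version (\S+)", show_version_line)
    version = match.group(1) if match else "unknown"
    status, advice = version_status(version) if match else ("unknown", "no version found")
    report = review_snmp(config_text)
    report.update({"version": version, "status": status, "advice": advice})
    return report


if __name__ == "__main__":
    for key, value in assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the constructed sample the report says the 9.1(5)21 build is below the first fixed 9.1.7(9) release, that SNMP polling is restricted to two explicit hosts on the inside interface, and that one of the community strings is the default "public". The version comparison relies on plain tuple ordering, which is why the two spellings of interim releases (9.1(7)9 in show version, 9.1.7(9) in the table) are normalised first.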


August 20, 2016  11:40 AM

Cisco ASA FirePOWER deployment options – Series 2

Yasir Irfan
ASA, Cisco, Decryption, Encryption, IPsec, Security, Security policies, Ssl vpn, traffic

The Cisco ASA FirePOWER module can be configured in promiscuous monitor-only mode, also known as passive mode. As the name suggests, in passive mode the Cisco ASA FirePOWER module does nothing to the traffic that passes through the ASA; rather, the ASA just forwards a copy of each packet to the Cisco ASA FirePOWER module.

The figure below illustrates the complete order of operations of the Cisco ASA FirePOWER module in promiscuous monitor-only (passive) mode.

Figure 1.1 - ASA FirePOWER module in promiscuous monitor-only (passive) mode

Suppose Host A sends traffic to Host B; it will go through the following process:

  1. Traffic sent from Host A is received on the outside interface of the ASA firewall.
  2. If IPsec or SSL VPN is configured, the incoming encrypted traffic is decrypted.
  3. Firewall policies are applied to the decrypted traffic.
  4. If the received traffic is compliant and allowed by the ASA policies, a copy of the traffic is sent to the ASA FirePOWER module. If the traffic is not compliant with the security policies or is malicious in nature, the Cisco ASA FirePOWER module can be configured to send an alert to the network security administrator; however, it cannot take any action to stop the malicious or non-compliant traffic.
  5. If IPsec or SSL VPN is configured, the decrypted traffic is encrypted again.
  6. The processed traffic is then forwarded to the respective interface, in this case the inside interface.

One can see the real benefit of the Cisco ASA FirePOWER module in inline mode, as promiscuous monitor-only (passive) mode has no capability to take action on infected or non-compliant traffic. Rather, passive mode may be useful for proofs of concept (POCs) and is also good for capacity planning for new deployments.


August 19, 2016  5:55 PM

Cisco ASA FirePOWER deployment options – Series 1

Yasir Irfan
ASA, Cisco, Decryption, Encryption, Security policies

When it comes to deploying the Cisco ASA FirePOWER module, it can be configured in one of the following modes:

  • Inline Mode
  • Promiscuous monitor-only (passive) mode

Inline Mode

In inline mode, the traffic passes through the configured ASA firewall policies and is then sent to the ASA FirePOWER module for further action.

The figure below illustrates the complete order of operations of the Cisco ASA FirePOWER module in inline mode.

Figure 1.1 - ASA FirePOWER in Inline Mode

Suppose Host A sends traffic to Host B; it will go through the following process:

  1. Traffic sent from Host A is received on the outside interface of the ASA firewall.
  2. If IPsec or SSL VPN is configured, the incoming encrypted traffic is decrypted.
  3. Firewall policies are applied to the decrypted traffic.
  4. If the received traffic is compliant and allowed by the ASA policies, the traffic is sent to the ASA FirePOWER module.
  5. The Cisco ASA FirePOWER module then applies its security policy to the traffic and takes the appropriate action. If the traffic is not compliant with the security policies or is malicious in nature, the Cisco ASA FirePOWER module sends its verdict back to the ASA to block the traffic, and the ASA also sends an alert to the network security administrator. If the traffic is valid, the ASA allows it to pass through.
  6. If IPsec or SSL VPN is configured, the decrypted traffic is encrypted again.
  7. The processed traffic is then forwarded to the respective interface, in this case the inside interface.

Only Cisco knows how traffic is processed in the Cisco ASA Next Generation Firewall at the hardware level; at the same time, there are very few deployment options Cisco offers with its Next Generation security solutions.


August 14, 2016  7:48 AM

An Introduction Cisco ASA FirePOWER Services

Yasir Irfan
CCIE, Cisco, Decryption, IPS, SSL

As we all know, Cisco has jumped into the Next Generation Firewall segment; though late, they are trying to sell their next-generation firewall services, including Next-Generation Intrusion Prevention System (NGIPS), Application Visibility and Control (AVC), URL filtering and Advanced Malware Protection (AMP), in the form of Cisco ASA FirePOWER Services.

Cisco offers FirePOWER Services either in the form of a hardware module or as a software-based security module.

The Cisco ASA 5585-X runs FirePOWER on a hardware-based security module (SSP), while the Cisco ASA 5506-X to 5555-X run it as a software-based security module on solid state drives (SSD).

ASA- Firepower

Some of the key FirePOWER security features are as follows:

  • Application Control
  • Identity Control
  • Intrusion Detection and Prevention (IPS)
  • Security Intelligence
  • URL Filtering
  • Advanced Malware Protection (AMP)
  • File Blocking
  • SSL Decryption

The features newly introduced by Cisco provide good control over the types of application one can allow based on user identity. It will be interesting to see how the decryption part works, as it really needs good hardware to intercept encrypted traffic and take the appropriate action.

