Network technologies and trends


August 20, 2016  11:40 AM

Cisco ASA FirePOWER deployment options – Series 2

Yasir Irfan
ASA, Cisco, Decryption, Encryption, IPsec, Security, Security policies, Ssl vpn, traffic

The Cisco ASA FirePOWER module can be configured in promiscuous monitor-only mode, also known as passive mode. As the name suggests, in passive mode the Cisco ASA FirePOWER module does nothing to the traffic that passes through the ASA; the ASA just forwards a copy of each packet to the FirePOWER module.

The figure below illustrates the complete order of operation of the Cisco ASA FirePOWER module in promiscuous monitor-only (passive) mode.

Figure 1.1 – ASA FirePOWER Module in promiscuous monitor-only mode

Suppose Host A sends traffic to Host B; it goes through the following process:

  1. Traffic sent from Host A is received by the Outside interface of the ASA firewall.
  2. If IPsec or SSL VPN is configured, the incoming encrypted traffic is decrypted.
  3. Firewall policies are applied to the decrypted traffic.
  4. If the received traffic is compliant with and allowed by the ASA policies, a copy of the traffic is sent to the ASA FirePOWER module. If the traffic is not compliant with the security policies or is malicious in nature, the Cisco ASA FirePOWER module can be configured to send an alert to the Network Security Administrator; however, it cannot take any action to stop the malicious or non-compliant traffic.
  5. If IPsec or SSL VPN is configured, the decrypted traffic is encrypted again.
  6. The processed traffic is then forwarded to the respective interface, in this case the Inside interface.

One can see the real benefit of the Cisco ASA FirePOWER module in Inline mode, as promiscuous monitor-only (passive) mode has no capability to take any action on infected or non-compliant traffic. Passive mode is nevertheless useful for proofs of concept (POCs) and for capacity planning of new deployments.

August 19, 2016  5:55 PM

Cisco ASA FirePOWER deployment options – Series 1

Yasir Irfan
ASA, Cisco, Decryption, Encryption, Security policies

When it comes to deploying the Cisco ASA FirePOWER module, it can be configured in one of the following modes:

  • Inline Mode
  • Promiscuous monitor-only (passive) mode

Inline Mode

In Inline mode, the traffic passes through the configured ASA firewall policies and is then sent to the ASA FirePOWER module for further action.

The figure below illustrates the complete order of operation of the Cisco ASA FirePOWER module in Inline mode.

Figure 1 – ASA FirePOWER in Inline Mode

Suppose Host A sends traffic to Host B; it goes through the following process:

  1. Traffic sent from Host A is received by the Outside interface of the ASA firewall.
  2. If IPsec or SSL VPN is configured, the incoming encrypted traffic is decrypted.
  3. Firewall policies are applied to the decrypted traffic.
  4. If the received traffic is compliant with and allowed by the ASA policies, the traffic is sent to the ASA FirePOWER module.
  5. The Cisco ASA FirePOWER module then applies its security policy to the traffic and takes the appropriate action. If the traffic is not compliant with the security policies or is malicious in nature, the Cisco ASA FirePOWER module sends its verdict back to the ASA to block the traffic, and the ASA also sends an alert to the Network Security Administrator. If the traffic is valid, the ASA allows it to pass through.
  6. If IPsec or SSL VPN is configured, the decrypted traffic is encrypted again.
  7. The processed traffic is then forwarded to the respective interface, in this case the Inside interface.
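
As an added example (not code from the original posts or from Cisco), the following small Python model walks a packet through the order of operations described in this post and in the passive-mode post above, so the two modes can be compared directly. The rule bases and packets are constructed; the `module_up`/`fail_open` parameters go beyond the posts and model the behaviour of the ASA `sfr fail-open` / `sfr fail-close` keywords when the module is unavailable.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Packet:
    dst: str
    payload: bytes
    vpn: bool = False            # arrived inside an IPsec/SSL VPN tunnel?

@dataclass
class Result:
    forwarded: bool = False      # left the ASA on the inside interface?
    alert: Optional[str] = None  # message raised for the network security administrator
    trace: List[str] = field(default_factory=list)

ASA_PERMITTED_DST = {"hostB"}           # stands in for the ASA access policy (constructed)
FIREPOWER_SIGNATURES = [b"EICAR-TEST"]  # stands in for the FirePOWER policy (constructed)

def process(pkt: Packet, mode: str, module_up: bool = True, fail_open: bool = True) -> Result:
    """mode: 'inline' (ASA 'sfr fail-open|fail-close') or 'passive' ('sfr ... monitor-only')."""
    r = Result(trace=["received on outside interface"])
    if pkt.vpn:
        r.trace.append("VPN decrypt")
    if pkt.dst not in ASA_PERMITTED_DST:    # ASA policy runs first in both modes, so
        r.trace.append("ASA policy: drop")  # FirePOWER never sees denied traffic
        return r
    r.trace.append("ASA policy: permit")
    malicious = any(sig in pkt.payload for sig in FIREPOWER_SIGNATURES)
    if mode == "passive":
        r.trace.append("copy sent to FirePOWER")
        if module_up and malicious:         # monitor-only: alert, but cannot stop it
            r.alert = "FirePOWER alert (monitor-only, traffic not blocked)"
    elif mode == "inline":
        if not module_up:                   # module down: fail-open/fail-close decides
            r.trace.append("FirePOWER down, " + ("fail-open" if fail_open else "fail-close"))
            if not fail_open:
                return r
        else:
            r.trace.append("traffic sent to FirePOWER")
            if malicious:                   # verdict goes back to the ASA, which drops
                r.alert = "FirePOWER verdict: block; ASA alerts administrator"
                r.trace.append("ASA blocks on FirePOWER verdict")
                return r
    else:
        raise ValueError("mode must be 'inline' or 'passive'")
    if pkt.vpn:
        r.trace.append("VPN re-encrypt")
    r.trace.append("forwarded on inside interface")
    r.forwarded = True
    return r

# Constructed packets from Host A: two to the permitted Host B, one to a denied host
CLEAN = Packet("hostB", b"GET /index.html", vpn=True)
MALICIOUS = Packet("hostB", b"GET /files/EICAR-TEST.txt")
DENIED = Packet("hostC", b"GET /files/EICAR-TEST.txt")
```

Running `process(MALICIOUS, "passive")` and `process(MALICIOUS, "inline")` side by side shows the point of the two posts: the passive result is forwarded with an alert attached, the inline result is dropped.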

Only Cisco knows how the traffic is processed in the Cisco ASA Next Generation Firewall at the hardware level, and at the same time there are very few deployment options Cisco offers with their Next Generation Security solutions.


August 14, 2016  7:48 AM

An Introduction to Cisco ASA FirePOWER Services

Yasir Irfan
CCIE, Cisco, Decryption, IPS, SSL

As we all know, Cisco has jumped into the Next Generation Firewall segment; though they are late, they are trying to sell their next-generation firewall services, including Next-Generation Intrusion Prevention System (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP), in the form of Cisco ASA FirePOWER Services.

Cisco offers FirePOWER Services either as a hardware module or as a software-based security module.

The Cisco ASA 5585-X runs FirePOWER Services on a hardware-based security module (SSP), while the Cisco ASA 5506-X to 5555-X run a software-based security module on a Solid State Drive (SSD).


Some of the key FirePOWER security features are as follows:

  • Application Control
  • Identity Control
  • Intrusion Detection and Prevention (IPS)
  • Security Intelligence
  • URL Filtering
  • Advanced Malware Protection (AMP)
  • File Blocking
  • SSL Decryption

The features newly introduced by Cisco provide good control over the types of applications one can allow, based on user identity. It will be interesting to see how the decryption part is going to work, as it really needs good hardware to intercept the encrypted traffic and take an appropriate action.


August 2, 2016  5:35 AM

A review for “Cisco Next-Generation Security Solutions: All-in-one Cisco ASA Firepower Services, NGIPS, and AMP”

Yasir Irfan
CCIE, Cisco, Cisco ASA, Cisco Press, Exam, firewall, Security, threat

The newly released Cisco Press title “Cisco Next-Generation Security Solutions” seems to be a great resource which deals with Cisco ASA FirePOWER Services, NGIPS and AMP. Thanks to Cisco Press for sharing the eBook with me. I have been eagerly waiting for this title, as I was keen to know what Cisco Next-Generation Firewalls are like and how Cisco is going to bundle their Next-Generation features into the Cisco ASA firewall.


This title deals only with the new concepts Cisco introduced with their Next-Generation Security Solutions, such as how Cisco ASA works with FirePOWER Services, how the different models of Cisco ASA 5500-X Series Firewalls can be integrated with FirePOWER modules, what AMP is, etc.

This title comes with 12 chapters focusing on the following topics:

  • Fundamentals of Cisco’s Next-Generation Network Security
  • Understanding Cisco ASA with FirePOWER Services and designing solutions based on it
  • Configuring and troubleshooting Cisco ASA with FirePOWER Services
  • Implementing Cisco AMP for Networks, Cisco AMP for Endpoints, and Cisco AMP for Content Security
  • Working with AMP Threat GRID: On-Premise Malware Analysis and Threat Intelligence
  • Understanding, configuring, troubleshooting, and designing solutions with Cisco Next-Generation IPS Appliances
  • Managing Cisco FirePOWER solutions with Cisco Security Manager (CSM) and FireSIGHT Management Center (FSMC)

The introductory chapter “Fundamentals of Cisco Next-Generation Security” is well crafted by the authors, as it is quite simple and gives a brief overview of Cisco’s Next-Generation Security solutions, such as the ASA 5500-X Series Firewalls with FirePOWER modules, Next-Generation Intrusion Prevention Systems (NGIPS), and Cisco AMP for Endpoints, Networks and Cloud Solutions.

The design chapter is my personal favourite, as it showcases how the Cisco ASA FirePOWER modules can be deployed in real-world networks and what management options one can avail of to manage the Cisco ASA FirePOWER module.

Chapter 4, which deals with troubleshooting Cisco ASA with FirePOWER Services and Firepower Threat Defense (FTD), is interesting as it demonstrates how to troubleshoot common problems one may encounter while deploying the Cisco ASA FirePOWER Services module and the Firepower Threat Defense software.

The title is well written and does live up to the standards of Cisco Press titles; however, I felt a little more emphasis could have been given to elaborating the Cisco ASA FirePOWER packet processing order. I am keen to see how the packet is processed at the hardware level, and especially would love to see how the next-generation features are enabled. I hope this will be addressed in the next edition.

Overall the title is a great resource to understand how Cisco Next-Generation Security Solutions work, and one can rely on it to gain a better understanding of the concepts newly introduced by Cisco. This title is also a recommended book for the Cisco CCIE Security written and practical exams.


February 29, 2016  12:45 PM

Things to consider before introducing a Palo Alto Firewall into the routing domain – Series 2

Yasir Irfan
ASA, BGP, Cisco, firewall, Network design, OSPF, Routing

In my previous post, I mentioned that the Palo Alto Networks Firewall has issues running the OSPF protocol and forming an adjacency with its neighbor, especially when it is used as an ABR.

This issue generally occurs if a zone protection profile (ZPP) is applied on the interface which is forming an adjacency with the remote routers; the moment the ZPP is removed, the OSPF adjacency forms and the Palo Alto Firewall can be used as an ABR.

In an upcoming post I will try to talk more about Zone Protection Profiles.


February 29, 2016  12:07 PM

How does Palo Alto Firewall identify an App?

Yasir Irfan
app, application, ASA, BGP, Cisco, firewall, HTTP, IP address, Network design, OSPF, Routing, Signatures, Technology

When it comes to identifying an application, the Palo Alto Firewall is quite accurate and yields great results in either allowing or dropping the traffic based on the security policy applied. I believe App-ID is the strongest point of Palo Alto Firewalls, and it makes them leaders in the Next Generation Firewall segment.

App-ID™ is a patented traffic classification technology of Palo Alto Next Generation firewalls; it uses multiple identification mechanisms to identify applications traversing the network.

Figure – App-ID flow

Based on the above App-ID flow, the Palo Alto Firewall applies the following mechanisms to identify the application:

  1. Initially the traffic is classified based on the IP address and port number used.
  2. An application is identified on the allowed traffic by applying signatures.
  3. If encryption is in use and a decryption policy is in place, the traffic is decrypted and application signatures are applied to the decrypted flow.
  4. Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside the protocol (for example, Yahoo! Instant Messenger used across HTTP).
  5. For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.
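
As an added example (not Palo Alto Networks code, and not from the original post), the following Python toy classifier runs constructed flows through the five stages listed above, recording which stage produced each decision. The port table, signatures, the `msg.yahoo.com` decoder rule and the entropy heuristic are all invented stand-ins for the real App-ID content.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Flow:
    dst_port: int
    payload: bytes                 # application bytes as seen on the wire
    encrypted: bool = False        # TLS on the wire?
    decrypt_policy: bool = False   # does a decryption policy cover this flow?
    decrypted: bytes = b""         # plaintext, available only when decrypted

def http_decoder(payload: bytes) -> Optional[str]:
    # Stage 4: decoder for a known protocol applies context-based signatures inside it
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:") and b"msg.yahoo.com" in line.lower():
            return "yahoo-im"      # constructed stand-in for IM tunnelled over HTTP
    return None

PORT_HINTS = {80: "web-browsing", 443: "ssl", 22: "ssh"}                # stage 1 (constructed)
SIGNATURES = [(b"SSH-2.0-", "ssh"), (b"GET /", "web-browsing"), (b"POST /", "web-browsing")]
DECODERS = {"web-browsing": http_decoder}                                # stage 4

def shannon_entropy(data: bytes) -> float:
    counts = [data.count(bytes([b])) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def identify(flow: Flow) -> List[Tuple[str, str]]:
    trail = [("port", PORT_HINTS.get(flow.dst_port, "unknown-tcp"))]   # stage 1 guess
    payload = flow.payload
    if flow.encrypted:
        if not flow.decrypt_policy:        # no decryption policy: cannot look inside
            trail.append(("signature", "ssl"))
            return trail
        payload = flow.decrypted           # stage 3: signatures run on the decrypted flow
        trail.append(("decrypt", "ssl"))
    app = next((name for pat, name in SIGNATURES if payload.startswith(pat)), None)
    trail.append(("signature", app or "unknown"))                     # stage 2
    tunnelled = DECODERS.get(app, lambda _: None)(payload)
    if tunnelled:
        app = tunnelled
        trail.append(("decoder", app))
    if app is None:                        # stage 5: heuristics for evasive apps
        app = "unknown-p2p" if shannon_entropy(payload) > 7.0 else "unknown-tcp"
        trail.append(("heuristic", app))
    return trail                           # last element is the final verdict

FLOWS = {   # constructed sample flows, not captured traffic
    "im_over_http": Flow(80, b"POST /notify HTTP/1.1\r\nHost: msg.yahoo.com\r\n\r\n"),
    "ssh_on_443": Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "tls_no_decrypt": Flow(443, b"\x16\x03\x01\x00\x05hello", encrypted=True),
    "tls_decrypted": Flow(443, b"\x16\x03\x01", encrypted=True, decrypt_policy=True,
                          decrypted=b"GET /m HTTP/1.1\r\nHost: msg.yahoo.com\r\n\r\n"),
    "evasive": Flow(6881, bytes(range(256))),
}
```

The `ssh_on_443` flow is the instructive one: the port-based first guess says `ssl`, and only the signature stage corrects it to `ssh`, which is why a port-only policy cannot be trusted to enforce application intent.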

Once an application is identified, the policy check decides how to treat it: based on the policy defined, the traffic is either allowed, blocked, scanned for threats, file transfers or data patterns, or rate-limited using QoS.


February 28, 2016  6:15 AM

Things to consider before introducing a Palo Alto Firewall into the routing domain – Series 1

Yasir Irfan
ASA, BGP, Cisco, firewall, Gartner, Gartner Magic Quadrant, Network design, OSPF, Routing

When it comes to routing, most of us are quite comfortable using dedicated routers in enterprise networks. Sometimes business needs or the existing network design force an organisation to use a traditional firewall not only as a firewall but also as a router. This works well if one is using basic routing. However, challenges are seen when one wants to use ECMP or wants to use the firewall as an ABR with the OSPF routing protocol. Based on my experience, Cisco ASA firewalls work like a charm, especially with routing features: they support ECMP for both OSPF and BGP as routing protocols. The Cisco ASA Firewall also works well as an ABR; one will not experience any issues with OSPF adjacency.

Figure – ASA ECMP

The above mentioned scenario works well with the Cisco ASA Firewall. It will do ECMP with R1 and R2 and play the role of ABR as well, and you will not see any issues with OSPF adjacency.

However, if the same scenario is used with Palo Alto next generation firewalls, one will face huge challenges with routing. Palo Alto Firewalls are great as next generation firewalls; they offer quite unique features, hence they are the leaders in the Gartner Magic Quadrant. But when it comes to routing, they need some really good enhancements.

Figure – PA-Routing

In the above scenario the Palo Alto Firewall works well as an ABR with PAN-OS 6.x; it can form an OSPF adjacency with the Area 5 router (R3). However, it does not support ECMP for the OSPF and BGP routing protocols. Only one router will be used to route the traffic. The other router will form an adjacency with the Palo Alto Firewall, but traffic will never be routed through it until the active router fails.

In order to support ECMP one needs to upgrade the Palo Alto Firewall to PAN-OS 7.x. By upgrading one may fix the ECMP issue with additional configuration, but at the same time it fails to work as an ABR: the Palo Alto Firewall will never form an OSPF adjacency with the Area 5 router (R3).

Figure – PA-Routing-OSPF

Currently, with PAN-OS 6.x or 7.x one cannot use the above mentioned scenario; one has to compromise either on ECMP by using PAN-OS version 6.x, or change the routing design by not using the Palo Alto firewall as an ABR with PAN-OS version 7.x.

Note: These are my observations and my views, which might not be true for other kinds of network designs.


February 26, 2016  4:28 PM

Palo Alto Firewall with PAN-OS 7.02 has issues with OSPF

Yasir Irfan
firewall, OSPF, Palo Alto Networks, router

When it comes to the Palo Alto Networks Firewall, we all know PAN-OS 6.x is a quite stable version. Palo Alto announced PAN-OS version 7 almost 8 months back, but I see very few people using this version of PAN-OS.

Those who are considering a migration from PAN-OS 6.x to PAN-OS 7.x need to be very careful, as some interesting issues might occur. Recently I tried a migration from 6.1.7 to 7.0.2 and finally planned to migrate to PAN-OS 7.0.4, but ended up with some issues which forced me to revert back to the old version, PAN-OS 6.1.7.

There are some bugs in PAN-OS 7.0.2 which are not yet reported by Palo Alto on their website, nor is their TAC team aware of them. One such bug or issue is related to OSPF.

One should never consider using a Palo Alto Firewall with PAN-OS 7.x as an ABR, as the Palo Alto never forms an adjacency with its neighbors in a non-zero area: the Palo Alto Firewall gets stuck in the Exchange state with its neighbor and never goes into the two-way or full OSPF state. Even if you restart the OSPF process nothing changes; the firewall is always stuck in the Exchange state. Interestingly, it was forming an adjacency with an Area 0 router.

Figure – Palo Alto ABR OSPF

From the above scenario, the Palo Alto Firewall with PAN-OS 7.0.2 will never form an OSPF adjacency with its peer router R3 in Area 5 unless you downgrade the PAN-OS of the Palo Alto Firewall to 6.x. However, you would notice that with the same PAN-OS version 7.0.2 the Palo Alto Firewall will form an OSPF adjacency with R1, which is in Area 0.

So far I haven’t found a fix for this issue; the only way I could use the Palo Alto Firewall as an ABR is to downgrade it to PAN-OS 6.1.7. Hopefully Palo Alto comes out with a solution for this issue.


February 24, 2016  12:55 PM

Using ECMP with Palo Alto Firewalls? Make sure you’re running PAN-OS 7

Yasir Irfan
BGP, firewall, OSPF, Routing

When it comes to using Equal Cost Multipath in Palo Alto Firewalls, one needs to be very careful, as this feature is not available in all PAN-OS versions by default. Most network engineers assume ECMP is supported by default, and they are shocked to discover that ECMP is not working when they configure or enable it using either OSPF or BGP on a Palo Alto Firewall running the PAN-OS 6.x train.

You don’t need to panic, as Palo Alto doesn’t support ECMP on PAN-OS 6.x or earlier trains. Palo Alto introduced Equal Cost Multipath (ECMP) as a new feature in PAN-OS 7.0. The Palo Alto Firewall supports a maximum of 4 equal cost paths, and supports this for the OSPF and BGP protocols.

One can use Equal Cost Multipath to increase throughput and redundancy and to reduce convergence times. This feature can also substantially increase bandwidth by load-balancing traffic over multiple paths.


February 22, 2016  5:54 AM

Cisco launches fully integrated next-generation firewall

Yasir Irfan
Cisco, ISE, NGFW, Throughput

Recently Cisco announced their first fully integrated, threat-focused Cisco Firepower™ Next-Generation Firewall (NGFW). It’s good to see Cisco jumping into the Next Generation Firewall business; despite Cisco being late into this segment, it is quite interesting to see how they are going to capture the Next Generation Firewall market. We can see leaders like Palo Alto and Check Point doing great in this segment. For sure Cisco is going to give a tough fight, and I believe they hold an upper hand, especially when it comes to integration with the campus network. Products like Cisco Identity Services Engine (ISE) and AMP will add more value to their NGFW.

The good thing I see with the newly announced 4100 Series NGFW is the throughput they offer and also the size of the firewall. Most of them are 1U firewalls and can offer throughput of up to 60 Gbps, and can also work at 40 Gbps speed.

The coming days will show how Cisco is going to capture the market, as leaders like Palo Alto are far ahead in the Next Generation Firewall race.

