Internet Edge Deployment Guide
Revision: H2CY10
Using this Borderless Networks Guide
This document is for the reader who:
• Has 2000–10,000 connected employees
• Wants more secure access to the Internet
• Wants to provide backup connectivity to the Internet for employees
• Requires a solution for teleworker and mobile worker access to the agency's data
• Requires a solution to control employee access to the Internet and block malicious websites
• Requires a solution to filter SPAM and malicious email sent to the agency
• Requires a solution to improve the availability of Internet-facing services
• Has IT workers with a CCNA® certification or equivalent experience
• Wants to deploy their network infrastructure efficiently
• Wants the assurance of a tested solution
• Requires a migration path for growth
[Document-system diagram: Design Overview, Design Guides, Deployment Guides (Foundation Deployment Guides, Network Management Guides, Internet Edge Deployment Guide) and the Internet Edge Configuration Guide. "You are here" marks the Internet Edge Deployment Guide.]
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2010 Cisco Systems, Inc. All rights reserved.
Table of Contents
Introduction . . . 1
Internet Edge Agency Overview . . . 5
Architecture Overview: Internet Edge . . . 6
Internet Edge Connectivity . . . 8
Firewall . . . 11
Intrusion Prevention . . . 38
Remote Access VPN . . . 49
Email Security . . . 65
Web Security . . . 78
Internet Edge Server Load Balancing . . . 100
Summary . . . 105
Appendix A: Large Agencies Deployment Product List . . . 106
Appendix B: SBA for Large Agencies Document System . . . 108
Introduction
The Cisco Smart Business Architecture (SBA) for Government Large Agencies—Borderless Networks is designed for networks that have 2000 to 10,000 connected users. We created a prescriptive, out-of-the-box deployment guide that is based on best-practice design principles and that delivers flexibility and scalability. The deployment guides are designed to make the Borderless Network for Large Agencies easy—easy to configure, easy to deploy, and easy to manage.
The goal of any network implementation is to support the applications that benefit the users and the agency that it is built for. As they guide you through the depth and breadth of the architecture, the SBA deployment guides are intended to simplify navigating among and learning the various networking technologies that we used to build the architecture. The SBA is a solid network foundation that provides the flexibility to support new user or network services without re-engineering the network.
Using the Deployment Guides
The SBA for Large Agencies architecture was designed, built, and validated as an end-to-end system.
To focus on specific elements of the architecture, there are three primary deployment guides, one each for local-area network (LAN), wide-area network (WAN), and Internet Edge. To enhance the SBA for Large Agencies architecture, there are a number of supplemental guides that address specific functions, technologies, or features that may be important to solving your operational problems. Within each of these deployment guides, you will find a modular approach that allows you to start at the beginning and work your way through or to jump to a specific module. Each deployment guide and the modules within are designed to stand alone, so that you can deploy the specific Cisco technology in a module without completing each previous module. Each deployment guide includes a complete list of the products and the software revisions tested, and a companion supplemental guide contains all configuration files used.
The deployment guides begin with an agency overview of the common operational problems addressed, followed by an architecture overview to assist you with matching the value of a technology solution to your operational problems.
The LAN Deployment Guide covers wired and wireless network access with ubiquitous capabilities for both the larger campus-size LAN as well as the smaller remote site LAN. Resiliency, security, and scalability are included to provide a robust communications environment. Quality of service (QoS) is integrated to ensure that the base architecture can support a multitude of applications including low-latency, drop-sensitive multimedia applications coexisting with data applications on a single network. The guide also provides a guest and partner access solution that is secured from accessing internal confidential information while using the same wireless infrastructure that employees use.
The WAN Deployment Guide includes the primary site aggregation design as well as multiple remote site designs to accommodate varying scale and service-level requirements in a common approach. The flexibility in the WAN deployment guide provides guidance and configuration for Multiprotocol Label Switching (MPLS) transport as well as broadband or Internet transport in a primary or backup role. QoS is integrated to ensure that the base architecture can support a multitude of applications on a single transport. The design integrates application optimization and the deployment guide provides details on optimizing WAN traffic to ensure economical use of bandwidth while providing a good user experience.
The Internet Edge Deployment Guide focuses on security services such as firewalls and intrusion prevention systems to protect your agency's gateway to the Internet. Internet service provider connectivity and routing options, combined with server load balancing, provide resiliency to the design. The Email Security module covers protecting email from spam and malware. The Web Security module provides acceptable-use control and monitoring as well as managing the increasing risk associated with clients browsing the Internet. The VPN design supports the teleworker and mobile user with secure remote access. All of these elements are covered in separate modules and yet are designed to work together to provide a secure Internet Edge solution.
Figure 1 shows the components of the SBA for Large Agencies—Borderless Networks.
Figure 1. SBA for Large Agencies—Borderless Networks Overview
[Diagram: the Internet Edge (Internet Edge Routers, Firewall/VPN, Remote Access VPN, Web Security Appliance, Email Security Appliance, Internet Servers, Guest WLAN, Wireless LAN Controller, Application Acceleration) connects the Internet, the WAN (WAN Aggregation, Regional Router, Branch Router with Application Acceleration, Teleworker/Mobile Worker with Hardware and Software VPN) and the Local Area Network (Core Switches, Distribution Switches, Collapsed Distribution/Core Switches, Client Access Switches, Wireless Access Points, Campus Buildings 1–4, Regional Office, Data Center).]
Design Goals
This architecture is based on requirements gathered from customers, partners, and Cisco field personnel for agencies with 2000 to 10,000 connected users. When designing the architecture, we considered the gathered requirements and the following design goals:
• Ease of Deployment: Agencies can deploy the design consistently across all products included in the architecture. The configurations used in the deployment represent a best-practice methodology to enable a fast and resilient deployment.
• Flexibility and Scalability: The architecture can grow with the agency without being redesigned.
• Resiliency and Security: The architecture keeps the network operating even during unplanned outages and attacks.
• Easy to Manage: The deployment guidance includes configuring devices to be managed by a network management system (NMS) or as unique elements of the network.
• Advanced Technology Ready: Implementing advanced technologies like collaboration is easy because the network foundation is already configured with the required baseline network services.
Ease of Deployment, Flexibility and Scalability
Agencies of 2000 to 10,000 users are often spread out among different geographical locations. The locations might have labels like remote site, regional site, or headquarters. This architecture addresses how to build a network for all these locations, irrespective of the label.
In this design, several methods are used to create and maintain a scalable network. Defining a common framework with a convergence of design standards drives global consistency and optimizes the design process, which ultimately results in lower cost and complexity. Standardization is the key to scalability; by keeping a small number of standard designs for common portions of the network, support staff are able to design services for, implement, and support these network areas more effectively.
To enhance scalability, we take a modular design approach; beginning with a set of standard, global building blocks, we can assemble a scalable network to meet requirements. For instance, to build a campus network, we might start with a LAN module, connect an Internet edge module, and then add a WAN module.
Many of these plug-in modules look identical for several different service areas; this provides consistency and scalability in that the same support methods can be used in multiple areas of the network to maintain the network. These modules follow standard core-distribution-access network design models and use layer separation to ensure that interfaces between the plug-ins are well defined.
Resiliency and Security
One of the keys to maintaining a highly available network is building the appropriate redundancy to guard against failure in the network, whether it is link, port, card, or chassis failure. But systems can be engineered to be too redundant, exhibiting failures of overly complex redundancy features, which results in complete communications failure. The redundancy in our architecture is carefully balanced with the complexity inherent in redundant systems.
Building production network services without any form of redundancy is unacceptable to most agencies. When building in the necessary redundancy, care must also be taken to prevent large dependency chains that result in greater risk of system failure. For example, chains of devices that do not have multiple cross-connections may create a dependency on both chains being completely available.
With the addition of a significant amount of delay-sensitive and drop-sensitive traffic such as voice and video conferencing, we also place a strong emphasis on recovery times. Choosing designs that reduce the time between failure detection and recovery is important for ensuring that the network stays available even in the face of a minor component failure.
Security of the network is also a very strong component of the architecture. In a large network, there are many entry points and we ensure that they are as secure as possible without making the network too difficult to use. Securing the network not only helps keep the network safe from attacks but is also a key component to network-wide resiliency.
Easy to Manage
While this guide focuses on the deployment of the network foundation, the next phase, management and operation, is considered. The configurations in the deployment guides are designed to allow the devices to be managed both via normal device management connections, such as SSH and HTTPS, and via an NMS. The configuration of the NMS is not covered in this guide.
Advanced Technology Ready
Flexibility, scalability, resiliency, and security all are characteristics of an advanced technology-ready network. The modular design of the architecture means that technologies can be added when the agency is ready to deploy them. However, the deployment of advanced technologies, such as collaboration, is eased because the architecture includes products and configurations that are ready to support collaboration from day one. For example, access switches provide Power over Ethernet (PoE) for phone deployments without the need for a local power outlet. The entire network is preconfigured with QoS to support high-quality voice. Multicast is configured in the network to support efficient voice and broadcast-video delivery.
Beyond the wired network, the wireless network is also preconfigured for devices that send voice over the wireless LAN, providing IP telephony over 802.11 Wi-Fi (referred to as mobility) at all locations. The Internet edge is also ready to provide softphones via VPN, as well as traditional hard or desk phones.
Internet Edge Agency Overview
The Internet Edge addresses the following operational problems:
• Government agencies need to provide users access to Internet services (email and web)
• Users need access to services inside the agency from remote locations
• Agencies need to provide controlled access to data and/or services for the public, partners, and customers
• Agencies need to improve employee productivity by controlling Internet web access to work-related locations
• Agencies need to manage security risk associated with Internet connectivity
The Internet Edge provides connectivity for traffic traversing between the agency and the Internet. This includes traffic to and from the agency, the Internet, and DMZs. An agency's Internet Edge deployment needs to enforce the agency security policy and function as a real-world representation of that policy.
The services that the Internet Edge provides are connectivity to the Internet Service Provider, resiliency for Internet services, and access control for services like email, instant messaging, and web. As part of this access, appropriate use of Internet services by employees is an important consideration, as it helps to maintain productivity, avoid legal issues, and reduce costs associated with non-work-related bandwidth consumption.
Another service provided by the Internet Edge is access for a user from anywhere, allowing them access to the services and data they require to perform their role. In the Borderless Networks being deployed today, a user could be an employee, a contractor, a partner, or a customer. Each user has different needs for access, data, and the services that should be available.
As users' Internet access requirements broaden, the risk associated with such access has to be managed. There are three main types of risk that need to be managed: attacks against services, attacks against clients, and attacks that involve tricking a user into clicking on a malicious website or opening up a file that contains malicious code. The result of not protecting the agency against this activity includes loss of intellectual property, data theft, or even potential legal liability.
Architecture Overview: Internet Edge
This architecture uses a modular design model that breaks the Internet Edge up into functional blocks by service. By modularizing the design, an agency can deploy the services as required.
The Internet Edge design includes the following modules:
1. Internet Routing: provides connectivity to one or more Internet Service Providers (ISP)
2. Firewall: controls access into and out of the different segments of the Internet Edge and provides a suite of other services like NAT
3. Intrusion Prevention: inspection of traffic traversing the Internet Edge looking for malicious behaviors
4. Remote Access VPN: remote access functionality inside the firewall provides secure, consistent access to resources regardless of where the user is when connecting
5. Email Security: provides SPAM and malware filtering service to manage the risk associated with email
6. Web Security: provides acceptable use control and monitoring while at the same time managing the increasing risk associated with clients browsing the Internet
7. Internet Edge Server Load Balancing: load balances web services to the public and private network
The requirements for each agency will differ based on many factors; however, the size of an agency's workforce is a good general starting point, and therefore, two designs based on user count are provided. The two Internet Edge designs are referred to as Internet Edge 5K and Internet Edge 10K.
Figure 2. Internet Edge in the SBA for Large Agencies—Borderless Networks Design
[Diagram: the Internet Edge block (Internet Edge Routers, Firewall/VPN, Remote Access VPN, Internet Servers, Web Security Appliance, Email Security Appliance, Guest WLAN, Wireless LAN Controller, Application Acceleration) sits between the Internet, the WAN (WAN Aggregation) and the Campus, with a link to the core.]
Figure 3. Internet Edge 5K and 10K Designs
The primary difference between the two designs is scale, performance, and resilience. The Internet Edge 5K design is typical for an agency with up to 5000 connected users, while the Internet Edge 10K design is for agencies with 5000 to 10,000 connected users. These differences range from the obvious, the number of users supported by the devices deployed, to how the agency connects to the Internet, with either one or two ISPs. To accommodate these requirements, each module of the Internet Edge is independent of the others, and an agency can mix and match the different design components to best meet their agency requirements. For example, an agency with fewer than 5000 users might choose to use the Internet Edge 10K design for remote access if they have a highly mobile workforce and their remote access requirements are higher than average.
Internet Edge Connectivity
Agency Overview
Demand for Internet connectivity has increased steadily over the last few decades; for many agencies, access to Internet-based services is a fundamental requirement for conducting day-to-day activity. Email, web access, remote access VPN, and more recently, cloud-based services are critical functions enabling agencies to pursue their missions. An Internet connection that supports these services must be designed to enable the agency to accomplish its Internet-based mission goals.
Three factors define the operational requirements for an agency's Internet connection:
• Value of Internet-based operational activity:
– revenue realized from Internet operations
– savings realized by Internet-based services
• Revenue impact of loss of Internet connectivity
• Capital and operational expense of implementing and maintaining various Internet connectivity options
The agency must identify and understand its Internet connection requirements in order to effectively meet the demands of Internet-based operational activity.
Technology Overview
Agencies have come to rely heavily on Internet services such as email, web access, remote access VPN, and B2B service connections. Internet connection speed, availability, and address space requirements are criteria that will shape an Internet connection design. The Internet connection must be able to accommodate an agency's requirements for data volume to the Internet, offer sufficient resiliency to meet service-level agreements, and provide sufficient IP address space to accommodate both Internet-facing and Internet-based services.
An agency's IT staff needs to address three main requirements when designing and implementing an Internet Edge architecture:
• Connectivity speed: what is the expected throughput required? Are short bursts of high-volume traffic expected?
• IP address space: a small agency or one that does not rely heavily on web-based services to the Internet will have a different IP space requirement than a large agency that depends heavily on email, remote-access VPN, and content or cloud-based services offered to the Internet.
• Availability: connection speed is only part of the equation; if connectivity must be maintained when the primary Internet connection fails, then the design must offer a resilient Internet connection via a secondary Internet connection.
Two design options are described in this guide; the first design, Internet Edge 5K, offers a single connection to one ISP; the second design, Internet Edge 10K, provides a fault-tolerant configuration with dual Internet connections. In the Internet Edge 10K design, one connection acts as the primary Internet connection and the second acts as a backup connection in the event that Internet access through the primary connection is lost.
Configuration Overview
Connecting to the Internet
Internet connectivity options vary widely by geographic region and service provider. An agency may be able to choose between cable, DSL, leased line, or Ethernet for the physical connection to the Internet. A common denominator of Internet connectivity is the Ethernet connection to the customer-premises equipment (CPE) device (cable modem, T1 CPE router, etc.), and this is assumed as the demarcation for this design (Figure 4).
Figure 4. Internet Connectivity
Agencies deploying the Internet Edge 5K or 10K designs typically fall into the following Internet connection speed ranges:
Table 1. Internet Connection Speed Requirements
Number of Connected Users    Internet Connection Speed
2000 to 4500                 20–50 Mbps
3000 to 7000                 35–75 Mbps
6000 to 10,000               70–130 Mbps
If the operational needs include WAN connectivity to connect geographically diverse sites, a cost savings can be realized by combining WAN and Internet connectivity over the same service. A service provider may offer hardware to terminate WAN/Internet connectivity on premise and manage the Internet/WAN connection device. Provider-supplied hardware and service offerings may reduce operational burden; however, the impact of configuration change lead times and configuration flexibility must be assessed.
The recommendations for Internet access platform selection are:
Table 2. Internet Access Platform Recommendations
Platform    Internet Connection Speed
3925        Up to 100 Mbps
3945        75 to 150 Mbps
Design and configuration discussions for this guide begin at the Ethernet handoff on the outside switch in the Internet edge regardless of how access is delivered.
HA Overview
The decision to use a single or dual Internet connection is based on an agency's connection availability requirements. If a loss of Internet access will cause an interruption in operations greater than the cost of a backup Internet connection, then the Internet Edge 10K design should be used. A backup Internet connection will assure continued Internet access in the event of a failure of the primary Internet connection, although some services may experience a temporary outage during the switch to the backup link. Most outbound services should be available in a few seconds. The Internet Edge 10K provides:
• Resilient outbound Internet access and inbound email services.
• Additional inbound services can be provisioned to recover in the event of a failure, although some services may experience longer outages.
• Inbound web service does not have seamless failover protection and requires user interaction to point the DNS records at the alternate IP address on the secondary ISP. To achieve higher web-service availability, an agency can host its web service at a colocation facility or use a fully redundant BGP design that advertises the same IP address out to different ISPs. Agencies with services that require a very high level of Internet availability should consider hosting these services at a provider's Internet colocation facility.
Internet Routing
There are a variety of ways to control routing to and from the Internet. Border Gateway Protocol (BGP) and other dynamic routing options offer various methods to influence Internet routing, but for the majority of agencies with 2000 to 10,000 connected users, a static default route is adequate to establish access to the Internet and has the least operational complexity. If an agency's routing requirements exceed what can be addressed by static routing, the Cisco Enterprise Internet Edge Design Guide (http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/IE_DG.html) covers more complex Internet connectivity deployments.
Active/Standby vs. Active/Active Internet Connectivity
The Internet Edge 10K is a resilient design with primary and backup Internet connections. If Internet access via the primary link is lost, the design will automatically fail over to the secondary link. This configuration is sufficient for agencies of 2000 to 10,000 connected users who are not hosting critical content or eCommerce in their DMZ. This design uses ICMP probes to an Internet IP address from the Cisco Adaptive Security Appliance (ASA) firewalls. When the ASA firewall stops getting responses to the probes, it will fail over to the secondary link. This resilient design offers a simple but effective solution to maintain Internet access for users, and Internet mail (with an appropriately configured DNS). Further detail on configuration of this capability will be addressed in the 'Firewall' and 'Remote Access VPN' sections of this document.
The design does not address multi-homed routing options, e.g., using BGP with multiple Internet connections to multiple ISPs. Refer to the Cisco Enterprise Internet Edge Design Guide (http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/IE_DG.html) for more information on multi-homed Internet connectivity designs.
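The probe-driven failover described above, expressed as ASA CLI. This is an added example written for this page, not configuration taken from the guide (which defers the details to the Firewall section). The interface name 'outside-2', the gateway addresses, the probe target, and the SLA and track object numbers are assumptions; the addresses come from the RFC 5737 documentation ranges and are constructed for illustration.

```cisco
! Added example, not the guide's own configuration. Interface names, addresses,
! probe target and object numbers are assumptions chosen for illustration.
!
! Primary ISP is reached through 'outside'; the backup ISP through 'outside-2'.
interface GigabitEthernet0/3
 nameif outside-2
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
! ICMP echo probe sourced from 'outside'. Target an address beyond the ISP's
! first hop (a provider DNS or NTP server, for example) so that an upstream
! outage that leaves the local link up is still detected. The target must
! answer ICMP echo; three probes every 10 seconds keeps noise low.
sla monitor 16
 type echo protocol ipIcmpEcho 198.51.100.254 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 16 life forever start-time now
!
! Tracking object that follows the probe's reachability state.
track 1 rtr 16 reachability
!
! Primary default route is withdrawn while track 1 is down; the backup default
! route, with a worse administrative distance (254), is installed in its place
! and removed again when the probe recovers.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route outside-2 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Verification after applying:
!   show sla monitor operational-state 16   -> latest operation return code OK
!   show track 1                            -> Reachability is Up
!   show route | include 0.0.0.0            -> which default route is installed
```

Two operational caveats: the probe target should not be the CPE router itself, otherwise a dead upstream path is never noticed, and the provider must permit ICMP echo to the target. On failover the primary default route disappears, so every session translated behind the primary outside address is torn down and rebuilt through 'outside-2'; that only works if a matching NAT exists for 'outside-2' (part of the NAT procedure later in the Firewall section), and inbound services still need the DNS change noted in the HA Overview.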
Firewall
Agency Overview
The Internet edge is the point where the agency's network connects to the Internet. This is the perimeter of the network, where a line is drawn between the public Internet and the private resources contained within an agency's network. Worm, virus, and botnet infiltration pose a substantial threat to network performance, availability, and data security. To add to these problems, an agency's Internet connection can contribute to employee productivity loss and leakage of confidential data.
Network security, as applied at the firewall, must assure that the agency's data resources are protected from snooping and tampering, and prevent compromise of hosts by resource-consuming worms, viruses, and botnets. Additionally, the firewall policy must establish the appropriate balance to provide security without interfering with access to Internet-based applications, or hindering connectivity to agency partners' data via extranet VPN connections.
Technology Overview
Internet-based attackers are a threat to an agency's network infrastructure and data resources. Most networks connected to the Internet are subject to a constant barrage of worms, viruses, and targeted attacks. Agencies must be vigilant in protecting their network, user data, and customer information. Additionally, most network addresses must be translated to an Internet-routable address, and the firewall is the logical place for this function.
Firewall security is an integral part of every Internet Edge deployment today—to protect information while meeting the need for secure, reliable networks, and to enforce policy to maintain employee productivity. Where industry regulations apply, firewalls play a crucial role in an agency's ability to address regulatory compliance requirements. Regulatory requirements vary by country and industry; this document does not cover specific regulatory compliance requirements.
The Cisco Adaptive Security Appliance (ASA) firewall family sits between the agency's internal network and the Internet and is a fundamental infrastructural component that minimizes the impact of network intrusions while maintaining worker productivity and data security.
This design uses Cisco ASA 5500s for Internet Edge firewall security. They are configured in an active/standby pair for high availability to ensure that Internet access is minimally impacted by firewall software maintenance or hardware failure. The Cisco ASAs are configured in routing mode. They apply NAT and firewall policy, and host IPS-SSMs to detect and mitigate malicious or harmful traffic.
Two deployment options are discussed to address Internet access requirements for high availability and to meet operational requirements for device-level separation between Remote Access VPN and Firewall:
• The Internet Edge 5K firewall design uses a single Internet connection, and integrates the Remote Access VPN function in the same ASA pair that provides firewall (Figure 5):
Figure 5. Internet Edge 5K Topology
• The Internet Edge 10K firewall design uses dual Internet connections for resilient access to the Internet. Remote Access VPN is provided by a separate pair of ASAs, to provide additional scalability and operational flexibility (Figure 6):
Figure 6. Internet Edge 10K Topology
A good portion of the configuration described in this section is common to both the Internet Edge 5K and Internet Edge 10K designs. If a section describes configuration that is specific to the Internet Edge 5K or Internet Edge 10K design, this will be specifically mentioned in that section. The configurations would be valid for any of the one-rack-unit ASA security appliances, although the interface names described in the configuration examples need to be modified slightly to address the FastEthernet interfaces available on the ASA 5510.
Hardware applied in this design is selected based on the following performance values:
Table 3. Cisco ASA Family Device Performance
Cisco ASA Family Product    Throughput
Cisco ASA 5510              300 Mbps
Cisco ASA 5520              450 Mbps
Cisco ASA 5540              650 Mbps
The firewall configuration process consists of the following procedures:
Process
1. Basic Connectivity Configuration
2. Inside Routing Configuration
3. Firewall Logging and Monitoring Configuration
4. Firewall Remote Management Configuration
5. Firewall Internet Connectivity Configuration
6. Firewall De-Militarized Zone Configuration
7. Firewall Address Translation (NAT/PAT) Configuration
8. Blacklist Policy Configuration for inside hosts' access to the Internet
9. Whitelist Policy Configuration for Internet access to Web and Email DMZ hosts
10. High Availability Configuration
Firewall Configuration Details
The Cisco ASA can be configured from the command line or from the graphical user interface, Cisco Adaptive Security Device Manager (ASDM). If ASDM is the preferred method for device configuration, the appliance's default configuration offers a DHCP scope and management interfaces on the 'management' interface:
interface Management0/0
 ip address 192.168.1.1 255.255.255.0
 nameif management
 security-level 100
 no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management
Connect the Cisco ASA's management port directly to a PC or to an Ethernet switch, and connect a host with a Java-enabled web browser to the same VLAN on the switch.
Tech Tip
If connecting to an Ethernet switch, make sure that the switch is not connected to the production network or on a VLAN with an existing DHCP server, as the ASA will serve DHCP.
Access the device's management URL, https://192.168.1.1/, and browse the configuration. If the command-line interface is preferable, the Cisco ASA CLI is available via telnet or SSH (prefer SSH; telnet carries credentials and configuration in the clear), or may be accessed via a serial connection to the console port.
Only one of the two ASAs in the HA pair needs to be configured, as the secondary Cisco ASA will replicate the primary Cisco ASA's configuration when the two devices synchronize their configuration. The last step of the configuration will set up high availability and synchronize the configurations and session activity.
Procedure 1 Basic Connectivity Configuration
To get the firewall up and running, a few basic parameters must be configured: the inside interface's address must be defined, and basic routing must be set up.
Procedure steps:
1. Configure device identity values (hostname and domain name)
2. Define connectivity to inside network
3. Connect inside interface to the adjacent distribution switch
Tech Tip
IP addresses and interface names in this example are specific to the Cisco lab testing environment; values in an actual deployment will likely be different.
Step 1: Browse to Device Setup > Device Name/Password. Configure the Cisco ASA's host and domain name and set the enable password (Figure 7).
To simplify troubleshooting, the host and domain name will match the outside DNS name and IP address of the firewall, particularly if the firewall's outside interface will accept remote-access VPN connections.
Figure 7. Configure Hostname and Passwords
Step 2: Define the firewall's IP connectivity to the 'inside' network on the GigabitEthernet0/0 interface by browsing to Device Setup > Interfaces (Figure 8).
All interfaces on the ASA must have a security-level setting. The security level denotes an interface's security relative to other interfaces; clients on a higher security interface can connect to hosts on a lower security interface by default. Inside interfaces are assigned security level 100, the highest value, while outside interfaces are assigned security level 0, the lowest value. The ASA recognizes the interface names "outside" and "inside", and applies the default security-level configurations. Interfaces may be configured for any security level; this configuration will be discussed in the 'De-Militarized Zone' section.
Figure 8. Interface Configuration Detail
Step 3: Connect the Cisco ASA's 'inside' interface to the appropriate distribution switch port.
The 'inside' GigabitEthernet port on the ASA connects to a VLAN access port on the Internet Edge/WAN distribution switch or collapsed core/distribution switch. Define the appropriate access VLAN configuration on the adjacent inside switch(es) that the ASAs connect to:
interface GigabitEthernet3/0/10
 description ASA5540
 switchport access vlan 300
 spanning-tree link-type point-to-point
Executing the preceding steps in ASDM will apply the following CLI configuration:
hostname [ASA5540]
domain-name [cisco.local]
enable password [password]
passwd [password]
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.4.240.30 255.255.255.224 standby 10.4.240.29
 no shutdown
Procedure 2 Inside Routing Configuration
The ASA exchanges routing information via EIGRP dynamically on the 'inside' network to simplify the routing configuration. Changes to the campus and WAN networks' addressing or topology should not require routing configuration changes on the ASA.
Procedure steps:
1. Define EIGRP process number
2. Define networks to be included in EIGRP updates
3. Restrict EIGRP activity to specific interfaces
4. Define static route redistribution
Step 1: Define the ASA's EIGRP process number in the Device Setup > Routing > EIGRP > Setup panel (Figure 9).
The ASA must be configured in the same EIGRP process as the other devices it is expected to exchange routing information with.
Figure 9. Define EIGRP Process
Step 2: Configure the network subnets where the ASA will exchange routes. This configuration is found on the 'Networks' tab in the Device Setup > Routing > EIGRP > Setup panel.
The 'Networks' configuration should not include the outside subnets. Apply a subnet number that encompasses all of the inside and DMZ subnets to reduce the amount of configuration needed to establish dynamic route configuration (Figure 10). If the networks cannot be easily summarized, all interfaces except for the outside interface can be entered separately.
Figure 10. Configure EIGRP Networks
Step 3: Configure EIGRP passive-default and enable route advertisements only on the inside interface. This configuration is found on the 'Passive Interfaces' tab in the Device Setup > Routing > EIGRP > Setup panel (Figure 11).
All the interfaces except the inside interface are set to "passive"; this is so they will not exchange routes on public interfaces. There are no other routers the ASA needs to exchange routing information with, and advertising internal routing information to less secure networks is not recommended.
Figure 11. Define Passive-Default
Step 4: Configure EIGRP to redistribute static routes. This configuration is found on the Device Setup > Routing > EIGRP > Redistribution panel (Figure 12).
The ASA redistributes static routes, which allows the ASA to advertise a default route to the rest of the network. If a specific network (that is not encompassed by summary routes from the core) cannot be accessed, the traffic will follow the default route to the ASA and it will send the traffic out to the Internet.
Figure 12. Define Static Route Redistribution
Executing the preceding steps in ASDM will apply the following CLI configuration:
router eigrp 100
 no auto-summary
 network 10.4.240.0 255.255.255.240
 passive-interface default
 no passive-interface inside
 redistribute static
Procedure 3 Logging and Monitoring Configuration
Logging and monitoring are critical aspects of network security devices to support troubleshooting and policy compliance auditing.
Procedure steps:
1. Configure network time synchronization
2. Enable logging
3. Define logging parameters and behavior
4. Configure log server addresses
5. Enable SNMP management
Step 1: Configure network time synchronization in the Device Setup > System Time > NTP panel (Figure 13).
Firewalls need accurate time for network-activity logging. By synchronizing the firewall to a network time source, the firewall will be synchronized to the same time as other network devices and NTP time servers.
Figure 13. NTP Configuration
Step 2: Check the 'Enable logging' checkbox in Device Management > Logging > Logging Setup (Figure 14).
Figure 14. Enable Logging
Step 3: Configure the 'Internal Buffer' and 'Syslog Server' log filters to 'Severity: Informational' in the Device Management > Logging > Logging Filters panel (Figure 15).
Informational-level logging provides the ideal balance between detail and log-message volume. Lower log levels produce fewer messages, but not enough detail to effectively audit network activity. Higher log levels produce a larger volume of messages, but do not add sufficient value to justify the number of messages logged.
Figure 15. Define Logging Filters
Step 4: Configure syslog server addresses in Device Management > Logging > Syslog Servers (Figure 16).
Syslog transmits status updates and firewall policy activity to a log server. This is useful for network diagnostics and policy compliance review.
Figure 16. Configure Logging Servers
Step 5: Configure the SNMP community string and additional configuration in Device Management > Management Access > SNMP (Figure 17).
Specify the IP address of the SNMP manager and whether it will poll the ASA for values, or if it will receive traps. This configuration provides the capability for SNMP management tools to access statistics on the device.
Figure 17. Configure SNMP Values
Executing the preceding steps in ASDM will apply the following CLI configuration:
ntp server [10.4.200.17]
logging enable
logging trap informational
logging buffered informational
logging host inside [10.4.200.17]
snmp-server community Cisco
snmp-server host inside [finish configuration] [poll | trap] [version]
snmp-server enable
Procedure 4 Remote Management Configuration
After the initial setup of the ASA, remote management access is available for convenient configuration, management, and troubleshooting. The following configuration allows for remote connectivity from any internal network via HTTPS or SSH.
Procedure steps:
1. Enable HTTP server
2. Define SSH access
3. Configure local username and password for administrative access
4. Add AAA-based administrative access
Step 1: Enable the HTTP server for the inside networks in the Device Management > Management Access > ASDM/HTTPS/Telnet/SSH panel (Figure 18).
ASDM requires that the ASA's HTTP server be available. Be sure that the configuration includes networks where administrative staff will access the device through ASDM; the ASA can offer controlled ASDM access for a single address or management subnet by changing the network statements below.
Figure 18. Enable ASDM Access
Step 2: Enable the SSH server for the inside networks in the Device Management > Management Access > ASDM/HTTPS/Telnet/SSH panel (Figure 19).
Telnet is not recommended for management because traffic is sent over the network without encryption.
Figure 19. Add SSH Access
If the CLI is used to configure the Cisco ASA, RSA keys must be generated manually to enable SSH functionality:
crypto key generate rsa
Step 3: Configure a local username and password in the Device Management > Users/AAA > User Accounts panel (Figure 20).
A local username for device access is valuable in the event the authentication resources (AAA, AD, etc.) are unavailable.
Figure 20. Configure Local Usernames
Step 4: Configure the ASA to authenticate management access with a AAA server in the Device Management > Users/AAA > AAA Server Groups panel (Figure 21).
Administrative access is authenticated with a RADIUS server. In the Remote Access VPN section, a separate server group will be configured that uses LDAP (Microsoft Active Directory) for the authentication/authorization backend, in order to leverage an agency's existing user directory.
Figure 21. Configure AAA Servers
Executing the preceding steps in ASDM will apply the following CLI configuration:
http server enable
http 10.4.0.0 255.254.0.0 inside
ssh 10.4.0.0 255.254.0.0 inside
ssh version 2
username admin password [password] privilege 15
aaa-server AAA-SERVER protocol radius
aaa-server AAA-SERVER (inside) host 10.4.200.15
 key [SecretKey]
aaa authentication enable console AAA-SERVER LOCAL
Procedure 5 Firewall Internet Edge Configuration
Internet connectivity varies based on the agency's availability requirement for Internet access. Two options are available:
• Internet Edge 5K uses a single Internet connection via one router that carries the Internet traffic (Figure 22)
Figure 22. Internet Edge 5K ISP Connectivity
• Internet Edge 10K uses dual Internet connections via two routers that carry the Internet traffic (Primary Internet Customer Premise Equipment ['Internet CPE-1'] and Secondary Internet Customer Premise Equipment ['Internet CPE-2']) (Figure 23).
Figure 23. Internet Edge 10K ISP Connectivity
NOTE: IP addresses and interface names in this example are specific to the Cisco lab testing environment; values in an actual deployment will likely be different.
Internet Edge 5K Outside Routing Configuration
If high availability for Internet access is not required (Internet Edge 5K design), the ASAs' GigabitEthernet0/3 is the outside interface and is connected through a switch to the Internet CPE.
Procedure steps:
1. Connect the outside interface to a switch via the appropriate VLAN.
2. Configure outside IP address.
3. Define outside default route.
Step 1: Connect the Cisco ASA's GigabitEthernet0/3 to the adjacent switch, which is also connected to the ISP router. If more than one VLAN is used on the 'outside' switch, be sure that the ASA's switchport is configured in the same VLAN as the Internet CPE.
Step 2: Configure the GigabitEthernet0/3 interface that will be used for the outside connection. When 'nameif outside' is configured, the interface's security level will be automatically set to 0.
Step 3: Assign the default route to the Internet CPE's address.
Executing the preceding steps in ASDM will apply the following CLI configuration:
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 172.16.130.125 255.255.255.128 standby 172.16.130.124
route outside 0.0.0.0 0.0.0.0 172.16.130.126 1
Internet Edge 10K Outside Routing Configuration
If resilient Internet access is required (the Internet Edge 10K design), the ASAs' GigabitEthernet0/3 is configured as a VLAN trunk to the outside switch, which separates the VLANs to the appropriate routers, Internet CPE-1 and Internet CPE-2.
Procedure steps:
1. Connect the outside interface to a switch via the appropriate VLAN.
2. Configure outside IP address.
3. Define primary outside default route with object-tracking.
4. Define secondary outside default route.
5. Define a static host route for the tracked object.
6. Verify that the tracked object is working.
Step 1: Connect the Cisco ASA's GigabitEthernet0/3 to the adjacent switch, which is also connected to the ISP router. If more than one VLAN is used on the 'outside' switch, be sure that the ASA's switchport is configured in the same VLAN as the Internet CPE.
Step 2: Configure the GigabitEthernet0/3 interface that will be used for the outside connection (Figure 24).
A VLAN trunk connects the ASA to the outside switch. Two subinterfaces are configured for two VLANs, one for each connection to the upstream Internet routers, Internet CPE-1 and Internet CPE-2.
Figure 24. Internet Edge 10K Outside Interface Configuration
Step 3: Define the primary route to the two Internet CPE addresses and configure object-tracking on the route by clicking 'Add' in the Device Setup > Routing > Static Routes panel (Figure 25).
The primary route will carry a metric of 1, making the route preferred; the primary route's availability is determined by the state of the 'track 1' object that is appended to the primary route. The route-tracking configuration defines a target in ISP-1's network that the ASA will send ICMP probes (pings) to, in order to determine whether the network connection is active or not. The target is an object on the primary service provider's network, such as an intermediate router that can be discovered with traceroute.
Figure 25. Tracked Route Configuration
Step 4: Configure the secondary route, also in the Device Setup > Routing > Static Routes panel (Figure 26).
The secondary route carries a metric of '254' so that the ASA will only use the route when the primary route is unavailable.
Figure 26. Add Route for Secondary ISP Connection
Step 5: Still in the Device Setup > Routing > Static Routes panel, add a host route for the tracked object via the Internet CPE-1 address. This will assure that probes to the tracked object will always use the ISP-1 connection (Figure 27).
The tracked object should be in the primary Internet Service Provider's network. The point of tracking an object in the primary ISP's network is that if reachability to this object is available, then all connectivity to that point is working: the ASA's connection to the customer premise router, the WAN connection, and most routing inside the ISP's network. If the tracked object is unavailable, it is likely that the path to the primary ISP is down and the ASA should prefer the secondary ISP's route.
Figure 27. Add Host Route for Tracked Object
Step 6: Verify that the tracked object is reachable with the 'show track' command on the ASA CLI:
ASA5540# show track
Track 1
  Response Time Reporter 16 reachability
  Reachability is Up
  14 changes, last change 2d02h
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    STATIC-IP-ROUTING 0
Executing the preceding steps in ASDM will apply the following CLI configuration:
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3.16
 vlan 16
 nameif outside-16
 security-level 0
 ip address 172.16.130.124 255.255.255.128 standby 172.16.130.123
!
interface GigabitEthernet0/3.17
 vlan 17
 nameif outside-17
 security-level 0
 ip address 172.17.130.124 255.255.255.128 standby 172.17.130.123
!
route outside-16 0.0.0.0 0.0.0.0 172.16.130.126 1 track 1
sla monitor 16
 type echo protocol ipIcmpEcho 10.194.112.65 interface outside-16
 num-packets 3
 frequency 10
sla monitor schedule 16 life forever start-time now
!
track 1 rtr 16 reachability
route outside-17 0.0.0.0 0.0.0.0 172.17.130.126 254
route outside-16 10.194.112.65 255.255.255.255 172.16.130.126
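The invariants behind Steps 3 to 5 (a tracked primary default route, a secondary route with a higher metric, and a /32 host route so the probe always leaves via Internet CPE-1) can be checked mechanically against the CLI. The following Python is an added example and not part of the guide; it parses the routing lines of the block above, and the function and regex names are its own.

```python
"""Audit an ASA dual-ISP tracked default route configuration (Internet Edge 10K).

Added example, not code from the guide. parse_config/audit_dual_isp and the
regexes are this example's own; GUIDE_CONFIG is the routing part of the CLI above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ROUTE_RE = re.compile(
    r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?(?:\s+track\s+(\d+))?\s*$")
SLA_RE = re.compile(r"^sla monitor\s+(\d+)\s*$")
ECHO_RE = re.compile(r"^\s+type echo protocol ipIcmpEcho\s+(\S+)\s+interface\s+(\S+)")
TRACK_RE = re.compile(r"^track\s+(\d+)\s+rtr\s+(\d+)\s+reachability")

GUIDE_CONFIG = """\
route outside-16 0.0.0.0 0.0.0.0 172.16.130.126 1 track 1
sla monitor 16
 type echo protocol ipIcmpEcho 10.194.112.65 interface outside-16
 num-packets 3
 frequency 10
sla monitor schedule 16 life forever start-time now
!
track 1 rtr 16 reachability
route outside-17 0.0.0.0 0.0.0.0 172.17.130.126 254
route outside-16 10.194.112.65 255.255.255.255 172.16.130.126
"""


@dataclass
class Route:
    iface: str
    net: str
    mask: str
    nexthop: str
    metric: int
    track: Optional[int]


@dataclass
class SlaMonitor:
    ident: int
    target: str = ""
    iface: str = ""


def parse_config(config: str) -> Tuple[List[Route], Dict[int, SlaMonitor], Dict[int, int]]:
    """Collect static routes, echo SLA monitors and track-id -> SLA-id bindings."""
    routes: List[Route] = []
    slas: Dict[int, SlaMonitor] = {}
    tracks: Dict[int, int] = {}
    current: Optional[SlaMonitor] = None   # sla monitor whose indented subcommands follow
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if m := ROUTE_RE.match(line):
            routes.append(Route(m[1], m[2], m[3], m[4], int(m[5] or 1),
                                int(m[6]) if m[6] else None))
        elif m := SLA_RE.match(line):
            current = SlaMonitor(int(m[1]))
            slas[current.ident] = current
        elif (m := ECHO_RE.match(line)) and current:
            current.target, current.iface = m[1], m[2]
        elif m := TRACK_RE.match(line):
            tracks[int(m[1])] = int(m[2])
        elif not line.startswith(" "):
            current = None                 # any other top-level command ends the sla block
    return routes, slas, tracks


def audit_dual_isp(config: str) -> List[str]:
    """Return findings; an empty list means the design's invariants hold."""
    routes, slas, tracks = parse_config(config)
    findings: List[str] = []
    defaults = sorted((r for r in routes if r.net == "0.0.0.0"), key=lambda r: r.metric)
    if len(defaults) < 2:
        return ["need a primary and a secondary default route"]
    primary, secondary = defaults[0], defaults[1]
    if primary.track is None:
        return ["primary default route is not tracked"]
    if primary.metric >= secondary.metric:
        findings.append("secondary default route must carry a higher metric than the primary")
    sla = slas.get(tracks.get(primary.track, -1))
    if sla is None or not sla.target:
        return findings + [f"track {primary.track} does not reference a configured echo SLA"]
    if sla.iface != primary.iface:
        findings.append(f"SLA probe exits {sla.iface}, not the primary interface {primary.iface}")
    host = [r for r in routes if r.net == sla.target and r.mask == "255.255.255.255"]
    if not host:
        findings.append(f"no /32 host route for probe target {sla.target}; probes could "
                        "follow the secondary path once the primary route is withdrawn")
    elif (host[0].iface, host[0].nexthop) != (primary.iface, primary.nexthop):
        findings.append("host route for the probe target does not use the primary ISP next hop")
    return findings


if __name__ == "__main__":
    print(audit_dual_isp(GUIDE_CONFIG) or "tracked default route configuration OK")
```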
Procedure 6 Firewall De-Militarized Zone Configuration
The Firewall's De-Militarized Zone (DMZ) is a portion of the network where, typically, traffic to and from other parts of the network is tightly restricted. Agencies place network services in a DMZ for exposure to the Internet. These servers are typically not allowed to initiate connections to the 'inside' network, except for specific circumstances.
A DMZ for web and file-transfer servers is configured for Internet-accessible servers to be hosted on site.
The DMZ network is connected to the ASAs on the ASAs' GigabitEthernet interface via a VLAN trunk to allow the greatest flexibility if new VLANs must be added to connect additional DMZs. The trunk connects the ASAs to a 3750G access-switch stack to provide resiliency. The DMZ VLAN interfaces on the Cisco ASA are each assigned an IP address, which will be the default gateway for each of the VLAN subnets. The DMZ switch only offers Layer 2 switching capability; the DMZ switch's VLAN interfaces do not have an IP address assigned, save for one VLAN interface with an IP address for management of the switch (Figure 28).
Figure 28. DMZ VLAN Topology and Services
The number of secure VLANs is arbitrary. This design illustrates an example of one secured network. If multiple types of hosts are to be connected in an Internet-facing DMZ, segmenting the DMZ along functional boundaries may be necessary, particularly since hosts that are exposed to the Internet are vulnerable to compromise, and must not offer a springboard to other hosts. However, traffic between DMZ VLANs should be kept to a minimum. Placing servers that must share data on a single VLAN will improve performance and reduce load on network devices.
Procedure steps:
1. Configure DMZ VLAN Trunk
2. Configure basic DMZ VLAN
3. Configure DMZ trunk switch port
4. Configure DMZ access switch ports
Step 1: Configure GigabitEthernet0/1 as the interface that carries the VLAN trunk for the various DMZs (Figure 29).
Values are not assigned for the interface name, security level, or IP address on trunk interfaces.
Figure 29. Define DMZ Trunk Interface
Tech Tip
Setting the DMZ connectivity as a VLAN trunk offers the greatest flexibility.
Step 2: Configure the DMZ VLAN connectivity on GigabitEthernet0/1 subinterfaces (Figure 30).
Each of the various DMZ VLAN interfaces must be configured with appropriate IP addresses for the attached subnet, as well as an intuitive interface name to be used for NAT and security policy configuration. Table 4 illustrates the configuration for one VLAN interface. This design applies several DMZ VLAN interfaces:
Table 4. DMZ Configuration Information
Interface Label          IP Address & Netmask   VLAN   Security Level   Name
GigabitEthernet0/1.1121  10.4.245.1/24          1120   50               dmz-web
Figure 30. DMZ Sub-Interface Configuration
Step 3: Define the DMZ switch ports that connect to the ASAs as trunk ports and add the appropriate VLANs:
interface GigabitEthernet1/0/1
 description ASA5540-1 DMZ uplink
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,1121
 switchport mode trunk
 spanning-tree link-type point-to-point
Step 4: Configure DMZ switch ports that connect to DMZ hosts as access ports and assign the appropriate VLANs:
interface GigabitEthernet1/0/11
 description vpn-7206-1 gig0/3
 switchport access vlan 1128
Executing the preceding steps in ASDM will apply the following CLI configuration:
interface GigabitEthernet0/1
 description dmz trunk to dmz-3750 stack port x/0/1
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/1.1120
 vlan 1120
 nameif dmz-web
 security-level 50
 ip address 10.4.245.1 255.255.255.0 standby 10.4.245.2
Procedure 7 Address Translation Configuration
Prior to this step, no access from the inside network to the Internet, or from the Internet to the DMZs, was possible. This step is required to permit Internet traffic for the inside network and the DMZs; the inside and DMZ networks are numbered using private (RFC 1918) addressing that is not Internet routable, so the ASAs must translate the private addresses to outside Internet-routable addresses. For this configuration, all inside addresses are translated to the public address on the outside interface.
NOTE: As the address translation configuration described in this portion of the document is applied, the ASA will apply its default access rule set that permits traffic from higher-security interfaces to lower-security interfaces. Review the expected traffic carefully; if some or all traffic that is allowed by the default rules should not be permitted, shut down the interfaces until the firewall rule set is completely configured.
NAT configuration varies depending on the Internet Edge 5K or Internet Edge 10K design. Most of the configuration is common to either design, although some steps must be duplicated to configure both outside interfaces in the Internet Edge 10K design.
Procedure steps:
1. Configure network names for network hosts and subnets
2. Configure dynamic NAT
3. Define an object-group of hosts that will not be included in the NAT policy
4. Add the NAT Exempt rule, using the exempt hosts' object-group
5. Define static NAT for hosts in the DMZ(s)
Step 1: Navigate to Configuration > Firewall > Objects > Network Objects/Groups and configure intuitive names for network hosts and subnets. These names will be used for NAT configuration, as well as Access-Rule definition. Apply names that will be applicable for all parts of the configuration (Figure 31).
Using address-family names and object-groups improves ASDM and command-line usability for the Cisco ASA, as the various IP networks and hosts within the network are represented as names instead of IP addresses. Since the SBA for Large Agencies—Borderless Networks encompasses the 10.4.0.0 and 10.5.0.0 networks, the entire inside network can be represented by the 10.4.0.0/15 subnet.
Figure 31. Configure Network Object Names
Step 2: Configure the Dynamic NAT rule that will be used for the inside network in Configuration > Firewall > NAT Rules (Figure 32).
An Internet Edge 5K configuration that uses only one outside interface will have one 'global' configuration line.
Figure 32. Define Dynamic NAT for Internet Edge 5K
Step 3: Add a network object-group for NAT exemption in the Configuration > Firewall > Objects > Network Objects/Groups panel (Figure 33).
The NAT exemption object-group acts as a container for all of the subnets that should be exempt from outbound NAT when the firewall carries traffic to and from the 'inside' network and the DMZ. Using a network object-group provides more flexibility if you add multiple DMZs and remote-access pools that will be exempted from NAT.
Figure 33. Define Inside NAT0 Network Object-Group
Step 4: Define the Inside NAT Exempt rule in the Configuration > Firewall > NAT Rules panel (Figure 34).
This rule exempts traffic from the inside-network source address range to the object-group from the previous step.
Figure 34. Define Inside NAT Exemption Rule
Step 5: Define static translation policies for Internet traffic to and from the DMZs (Figure 35).
All servers that are exposed to the Internet require a static translation. This configuration is also applied in Configuration > Firewall > NAT Rules.
Figure 35. Define Internet Edge 5K Static Translations for DMZ Hosts
Executing the preceding steps in ASDM will apply the following CLI configuration:
names
name 10.4.0.0 internal-net
access-list INSIDE_NAT0_OUTBOUND extended permit ip internal-net 255.254.0.0 object-group NAT0-DMZ-EXEMPT
global (outside) 1 interface
nat (inside) 0 access-list INSIDE_NAT0_OUTBOUND
nat (inside) 1 internal-net 255.254.0.0
Internet Edge 10K NAT Configuration
The Internet Edge 10K design requires additional 'global' NAT configuration for the second outside interface.
Step 1: Configure both interfaces that will be used for the outside (global) addresses (Figure 36).
An Internet Edge 10K configuration that uses two outside interfaces will need two 'global' configuration lines, one for each outside interface.
Figure 36. Define Dynamic NAT for Internet Edge 10K
Step 2: Define additional translation rules for traffic to and from the DMZs (Figure 37).
NOTE: Any host that should be accessible from the primary or secondary ISP connections must have a static translation for both outside interfaces. This configuration, shown here for completeness, is more applicable to offering a secondary address for hosts such as email servers or a secondary site-to-site VPN hub.
Figure 37. Define Internet Edge 10K Static Translations for DMZ Hosts
Executing the preceding steps in ASDM will apply the following CLI configuration:
global (outside-16) 1 interface
global (outside-17) 1 interface
nat (inside) 0 access-list INSIDE_NAT0_OUTBOUND
nat (inside) 1 internal-net 255.254.0.0
Firewall Policy Development and Configuration
An agency should have an IT security policy to use as a reference for defining its firewall policy. If there is no documented security policy, it is very difficult to create a firewall policy for the agency because no consistent set of rules can be enforced.
Policy Recommendations
Network security policies can be broken down into two basic categories: 'whitelist' policies and 'blacklist' policies. A whitelist-based policy offers a stronger initial security posture because all traffic is blocked except for applications that are explicitly allowed. However, whitelist policies are more likely to interfere with network applications and are more difficult to maintain, as each new application must be permitted through the firewall. A whitelist policy is easily recognized because the last access control entry (ACE) denies all traffic (i.e., deny ip any any). Whitelist policies are best suited for traffic from the Internet to services in the DMZ.
Information needed to be able to effectively define a whitelist security policy:
• What applications will be used on the network? Can their traffic be characterized at the protocol level?
• Is a detailed description of application behavior available to facilitate troubleshooting if the security policy interferes with the application?
A blacklist policy is generally more suitable for requests from the 'inside' network to the Internet. This type of policy offers reduced operational burden and minimizes the likelihood that the security policy will interfere with Internet applications. Blacklist policies are the opposite of whitelist policies: they only stop traffic that is explicitly denied; typically, applications are not allowed because of an agency's policy or because they expose the agency to malicious traffic. A blacklist policy is recognizable by the last ACE, if the rule set permits all traffic that has not already been denied (that is, "permit ip any any").
In some cases, traffic (such as web content) of high operational value is very difficult to distinguish from traffic with no operational value, such as malware and entertainment traffic. As an adjunct to the Cisco ASA, the Cisco Web Security Appliance offers web filtering for traffic that contains malware or negatively affects user productivity. Additionally, Cisco IPS can be used to block malicious traffic embedded within permitted applications. Cisco WSA and IPS concepts and configuration are discussed in the IPS and Web Security modules in this document.
This document describes whitelist policies to allow traffic from the Internet to the DMZs, and a blacklist policy for traffic from the 'inside' destined for the Internet.
Procedure 8 Blacklist Security Policy Configuration
This policy is typically configured so that inside network access to the Internet is blocked only for high-risk services; all other access is allowed.
Blacklist Security Policy Configuration
This policy allows wide-open access from the internal network to the Internet, except for a few specific example services that are blocked.
Procedure steps:
1. Define a rule blocking telnet access.
2. Add a rule to permit any traffic that is not specifically denied.
Step 1: Define a rule to deny the internal network from sending outbound telnet requests, as well as any other services that must not be allowed past the firewall (Figure 38).
Telnet is an example of a network service that carries all of its data unencrypted. This poses a risk because hosts that can intercept the data can potentially view sensitive data. For this reason, outbound telnet is blocked.
Figure 38. In the Firewall > Access Rules panel, configure Rule to Block Telnet
Step 2: Add a rule to allow all remaining traffic that has not been specifically blocked or allowed (Figure 39).
This final rule realizes the 'blacklist' policy described above; all traffic that is not explicitly denied is permitted. The 'allow any any' rule must be added before the implicit 'deny any any' rule at the end of all Cisco ASA access rule sets. Disable logging on this rule, unless logging is needed for debugging.
Figure 39. Add 'allow any any' Rule
Executing the preceding steps in ASDM will apply the following CLI configuration:
access-list INSIDE_ACCESS_IN extended deny tcp internal-net 255.254.0.0 any eq telnet
access-list INSIDE_ACCESS_IN extended permit tcp internal-net 255.254.0.0 dmz-mail-net 255.255.255.0 eq smtp
access-list INSIDE_ACCESS_IN extended deny tcp internal-net 255.254.0.0 any eq smtp
access-list INSIDE_ACCESS_IN extended permit ip internal-net 255.254.0.0 any
access-group INSIDE_ACCESS_IN in interface inside
Procedure 9 Whitelist Security Policy Configuration
A whitelist policy allows access from the Internet to a web server in the DMZ.
Procedure steps:
1. Define a firewall policy to allow connections to HTTP and HTTPS from the Internet to a specific server.
Web DMZ Policy Configuration
The Web DMZ offers HTTP and HTTPS service for the Internet. This could provide capabilities to support employee/partner web-portal access, basic customer service and support, small-scale eCommerce or B2B service, or other appropriate tasks.
Step 1: Define an access-control entry to allow HTTP and HTTPS access to the web server (Figure 40).
This policy is applied on the outside-interface Access Rule. This design does not describe opening access from the Web DMZ to the internal network, as this poses a substantial security risk.
Tech Tip
Each security policy is unique to the policy and management requirements of an agency. Examples in this document are intended to illustrate policy configuration concepts.
Figure 40. Define Inbound Web DMZ Policy
Executing the preceding steps in ASDM will apply the following CLI configuration:
access-list DMZ-MAIL_ACCESS_IN extended permit tcp dmz-mail-net 255.255.255.0 host inside-mail eq 25
access-list DMZ-MAIL_ACCESS_IN extended permit object-group TCPUDP dmz-mail-net 255.255.255.0 host dns-server eq domain
access-list DMZ-MAIL_ACCESS_IN extended permit tcp dmz-mail-net 255.255.255.0 internal-lan 255.255.255.0
access-group DMZ-MAIL_ACCESS_IN in interface dmz-mail
access-list OUT-ACCESS-IN extended permit tcp any host outside-mail-1 eq smtp
access-list OUT-ACCESS-IN extended permit tcp any dmz-web-net 255.255.255.0 eq https
access-list OUT-ACCESS-IN extended permit tcp any dmz-web-net 255.255.255.0 eq www
access-group OUT-ACCESS-IN in interface outside-16
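The rule of thumb from the Policy Recommendations section (a blacklist ends in a catch-all permit, a whitelist falls through to the implicit deny) and the first-match ordering that Procedures 8 and 9 rely on can both be checked from the CLI. The following Python is an added example, not the guide's code: its parser handles the ACE forms used above, the guide's ACLs are embedded as GUIDE_POLICY, and the two other policies are constructed to show what a mis-ordered rule and a mistyped access-group name look like.

```python
"""Classify ASA access lists as whitelist/blacklist and flag ordering and binding mistakes.

Added example, not code from the guide. parse_policy/audit_policy and friends are
this example's own names. GUIDE_POLICY is taken from the CLI in Procedures 8 and 9;
SHADOWED_POLICY and MISMATCHED_POLICY are constructed.
"""
import re
from typing import Dict, List, Tuple

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
PORT_OPS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}   # operator -> argument count

GUIDE_POLICY = """\
access-list INSIDE_ACCESS_IN extended deny tcp internal-net 255.254.0.0 any eq telnet
access-list INSIDE_ACCESS_IN extended permit tcp internal-net 255.254.0.0 dmz-mail-net 255.255.255.0 eq smtp
access-list INSIDE_ACCESS_IN extended deny tcp internal-net 255.254.0.0 any eq smtp
access-list INSIDE_ACCESS_IN extended permit ip internal-net 255.254.0.0 any
access-group INSIDE_ACCESS_IN in interface inside
access-list DMZ-MAIL_ACCESS_IN extended permit tcp dmz-mail-net 255.255.255.0 host inside-mail eq 25
access-list DMZ-MAIL_ACCESS_IN extended permit object-group TCPUDP dmz-mail-net 255.255.255.0 host dns-server eq domain
access-list DMZ-MAIL_ACCESS_IN extended permit tcp dmz-mail-net 255.255.255.0 internal-lan 255.255.255.0
access-group DMZ-MAIL_ACCESS_IN in interface dmz-mail
access-list OUT-ACCESS-IN extended permit tcp any host outside-mail-1 eq smtp
access-list OUT-ACCESS-IN extended permit tcp any dmz-web-net 255.255.255.0 eq https
access-list OUT-ACCESS-IN extended permit tcp any dmz-web-net 255.255.255.0 eq www
access-group OUT-ACCESS-IN in interface outside-16
"""
# Constructed: the telnet deny placed after the catch-all permit, so it never matches.
SHADOWED_POLICY = """\
access-list INSIDE_ACCESS_IN extended permit ip internal-net 255.254.0.0 any
access-list INSIDE_ACCESS_IN extended deny tcp internal-net 255.254.0.0 any eq telnet
access-group INSIDE_ACCESS_IN in interface inside
"""
# Constructed: access-group name does not match the ACL name (underscore vs hyphen).
MISMATCHED_POLICY = """\
access-list DMZ-MAIL_ACCESS_IN extended permit tcp dmz-mail-net 255.255.255.0 host inside-mail eq 25
access-group DMZ-MAIL-ACCESS_IN in interface dmz-mail
"""


def _endpoint(tok: List[str], i: int) -> Tuple[Tuple[str, ...], int, bool]:
    """Consume one address spec (any | host A | net mask | object-group G) and any port qualifier."""
    if tok[i] == "any":
        ep, i = ("any",), i + 1
    else:
        ep, i = (tok[i], tok[i + 1]), i + 2
    ported = i < len(tok) and tok[i] in PORT_OPS
    if ported:
        i += 1 + PORT_OPS[tok[i]]
    return ep, i, ported


def parse_ace(action: str, body: str) -> dict:
    tok = body.split()
    proto, i = tok[0], 1
    if proto in ("object-group", "object"):      # protocol given as "object-group TCPUDP"
        proto, i = f"{proto} {tok[1]}", 2
    src, i, sp = _endpoint(tok, i)
    dst, i, dp = _endpoint(tok, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "ported": sp or dp}


def parse_policy(config: str) -> Tuple[Dict[str, List[dict]], Dict[str, str]]:
    acls: Dict[str, List[dict]] = {}
    bindings: Dict[str, str] = {}        # interface -> ACL name
    for line in config.splitlines():
        if m := ACE_RE.match(line.strip()):
            acls.setdefault(m[1], []).append(parse_ace(m[2], m[3]))
        elif m := GROUP_RE.match(line.strip()):
            bindings[m[2]] = m[1]
    return acls, bindings


def covers(earlier: dict, later: dict) -> bool:
    """True if `earlier` already matches every packet `later` would (ASA uses first match)."""
    return (earlier["proto"] == "ip" and not earlier["ported"]
            and earlier["src"] in (("any",), later["src"])
            and earlier["dst"] in (("any",), later["dst"]))


def classify(aces: List[dict]) -> str:
    """Blacklist if the final ACE is an unported 'permit ip <src> any' catch-all; otherwise
    the ACL falls through to the ASA's implicit deny, i.e. it is a whitelist."""
    if not aces:
        return "empty"
    last = aces[-1]
    if (last["action"] == "permit" and last["proto"] == "ip"
            and not last["ported"] and last["dst"] == ("any",)):
        return "blacklist"
    return "whitelist"


def audit_policy(config: str) -> Dict[str, dict]:
    acls, bindings = parse_policy(config)
    report: Dict[str, dict] = {}
    for iface, name in bindings.items():
        aces = acls.get(name, [])
        kind = classify(aces)
        findings: List[str] = []
        if not aces:
            findings.append(f"{name} is bound to {iface} but has no entries (name mismatch?)")
        if iface.startswith("outside") and kind == "blacklist":
            findings.append(f"{name}: catch-all permit on an Internet-facing interface")
        for n, ace in enumerate(aces):
            if any(covers(prev, ace) for prev in aces[:n]):
                findings.append(f"{name}: entry {n + 1} is shadowed by an earlier catch-all")
        report[iface] = {"acl": name, "kind": kind, "findings": findings}
    return report
```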
Whitelist Security Policy Development and Troubleshooting
Whitelist policy development can be challenging. If identifying all applications that must be permitted through the firewall is difficult, enable logging for all traffic that is handled by the 'deny' action at the end of the rule set. This will offer visibility for traffic that is not specifically allowed and needs an explicit firewall rule. Logs will indicate application activity and illustrate the specific rules required to enable applications' requirements.
Verify Firewall Policy
Test the Cisco ASA configuration to verify that the policy behaves as expected.
Firewall High Availability
The Cisco ASAs are set up as a highly available active/standby pair. Active/standby is used, rather than an active/active configuration, because this is a more common configuration and allows the same appliance to be used for firewall and VPN services (VPN functionality is disabled on the ASA in active/active). In the event that the active ASA appliance fails or needs to be taken out of service for maintenance, the secondary ASA appliance will assume all active firewall, IPS, and VPN functions. In an active/standby configuration, only one device is passing traffic at a time; thus, the Cisco ASAs must be sized so that the entire traffic load can be handled by either device in the pair.
Both units in the failover pair must be the same model, with identical feature licenses and Security Services Modules (SSMs) (if SSMs are installed). The secondary ASA unit needs to be powered up and cabled to the same networks as the primary for failover to be enabled.
One interface on each ASA is configured as the state-synchronization interface, which the ASAs use to share configuration updates, determine which device in the high-availability (HA) pair is active, and exchange state information for active connections. The failover interface carries the state synchronization information. All session state is replicated from the primary to the standby unit through this interface. There can be a substantial amount of data, and it is recommended that this be a dedicated interface.
In this example, GigabitEthernet0/2 is the failover interface. A crossover cable connects these ports on the primary and secondary appliances.
Procedure 10 HA Configuration
Configure active-standby failover.
Procedure steps:
1. Enable failover and define primary unit and failover interface
2. Define monitored interfaces' standby addresses
3. Adjust failover timers
4. Apply standby configuration to secondary unit
5. Verify failover sync
Step 1: Browse to the 'Setup' panel on Device Management > High Availability > Failover; enable failover, define which appliance will be the primary unit, and set the failover interface (Figure 41).
The "failover key" value must match on both devices in an active-standby pair. This key is used for two purposes: to authenticate the two devices to each other, and to secure state synchronization messages between the devices that enable the ASA pair to maintain service for existing connections in the event of a failover.
Figure 41. Define Failover Configuration
Step 2: On the 'Interfaces' panel on Device Management > High Availability > Failover, define interfaces' standby addresses (Figure 42).
All of the devices' interfaces that are included in the failover configuration have two IP addresses assigned: a primary, active IP address; and a standby IP address. When the appliances swap roles (standby becomes active, or vice versa), the addresses swap between the active and standby interfaces. The standby address must be configured in the same IP subnet as the active address, as the devices pass traffic between each other to monitor interface state. If an interface connects to a network that does not require high availability, then no standby address is needed; however, this design offers HA for all networks on the firewall, thus all of the appliances' interfaces have addresses defined for the 'active' and 'standby' devices.
Figure 42. Define Interface Standby Addresses
Step 3: On the 'Criteria' panel on Device Management > High Availability > Failover, adjust the failover times to offer a shorter high-availability failover interval (Figure 43).
By default, the ASA can take from 2 to 25 seconds to recover from a failure. Tuning the failover poll times can reduce that to 0.5 to 5 seconds. On an appropriately sized ASA, the poll times can be tuned down without performance impact to the ASA, which minimizes the downtime a user experiences during failover. The configuration lines that begin with "failover polltime" reduce the failover timers from the defaults to achieve sub-second failover. Reducing the failover timer intervals below these values is not recommended.
Figure 43. Adjust Failover Timers
Executing the preceding steps in ASDM will apply the following CLI configuration to the primary Cisco ASA:
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover key [key]
failover replication http
failover link failover GigabitEthernet0/2
failover interface ip failover 10.4.242.65 255.255.255.248 standby 10.4.242.66
interface GigabitEthernet0/0
 ip address [10.4.240.30] [255.255.255.0] standby [10.4.240.29]
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
Step 4: Apply the secondary ASA HA configuration to the standby peer.
Apply this block of configuration (after customizing for the deployment) using the command-line interface on the Cisco ASA's console port. Remember to issue the 'no shut' command on both devices' failover interface, if the interfaces have not already been enabled:
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/2
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover key [key-value]
failover replication http
failover link failover GigabitEthernet0/2
failover interface ip failover 10.4.242.65 255.255.255.248 standby 10.4.242.66
Step 5: Verify standby synchronization between the Cisco ASA devices.
Issue the show failover command on the ASA's Command-Line Interface.
asa5540A# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 5 of 210 maximum
failover replication http
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 17:07:53 PACIFIC May 27 2010
        This host: Primary - Active
                Active time: 57475 (sec)
        [output deleted]
        Other host: Secondary - Standby Ready
        [output deleted]
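Reading the Step 5 output by eye works for one pair; for scheduled checks it helps to parse it and assert the conditions the section describes (failover on, the LAN link up, matching images, one Active and one Standby Ready unit). The following Python is an added example and not the guide's code: the function names are its own, GUIDE_OUTPUT is the output shown above, and DEGRADED_OUTPUT is constructed to show what a pair that could not fail over reports.

```python
"""Parse 'show failover' and verify an ASA active/standby pair is ready to fail over.

Added example, not code from the guide. parse_show_failover/failover_findings are
this example's own names; GUIDE_OUTPUT is the output above, DEGRADED_OUTPUT constructed.
"""
import re
from typing import Dict, List

GUIDE_OUTPUT = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 5 of 210 maximum
failover replication http
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 17:07:53 PACIFIC May 27 2010
        This host: Primary - Active
                Active time: 57475 (sec)
        Other host: Secondary - Standby Ready
"""

# Constructed: mate runs a different image and sits in Failed rather than Standby Ready.
DEGRADED_OUTPUT = GUIDE_OUTPUT.replace("Mate 8.2(2)", "Mate 8.2(1)").replace(
    "Secondary - Standby Ready", "Secondary - Failed")


def parse_show_failover(text: str) -> Dict[str, object]:
    """Pull the fields the health check needs out of the command output."""
    info: Dict[str, object] = {"on": False, "unit": None, "lan_up": None,
                               "ours": None, "mate": None, "this": None, "other": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            info["on"] = True
        elif line.startswith("Failover unit "):
            info["unit"] = line.split()[-1]                  # Primary / Secondary
        elif line.startswith("Failover LAN Interface:"):
            info["lan_up"] = line.endswith("(up)")
        elif m := re.match(r"Version: Ours (\S+), Mate (\S+)", line):
            info["ours"], info["mate"] = m[1], m[2]
        elif m := re.match(r"(This|Other) host: (\w+) - (.+)", line):
            # (unit role, failover state), e.g. ("Secondary", "Standby Ready")
            info["this" if m[1] == "This" else "other"] = (m[2], m[3].strip())
    return info


def failover_findings(info: Dict[str, object]) -> List[str]:
    """Return findings; an empty list means the pair is synchronized and can fail over."""
    findings: List[str] = []
    if not info["on"]:
        findings.append("failover is not enabled")
    if info["lan_up"] is False:
        findings.append("failover LAN interface is down; the units cannot see each other")
    if info["ours"] != info["mate"]:
        findings.append(f"software versions differ (ours {info['ours']}, mate {info['mate']})")
    hosts = [h for h in (info["this"], info["other"]) if h]
    states = [h[1] for h in hosts]
    if "Active" not in states:
        findings.append("no unit is Active")
    if "Standby Ready" not in states:
        findings.append("no unit is Standby Ready; a failure of the active unit is not covered")
    if len(hosts) == 2 and hosts[0][0] == hosts[1][0]:
        findings.append("both units report the same unit role")
    if info["this"] and info["unit"] and info["this"][0] != info["unit"]:
        findings.append("'Failover unit' and 'This host' roles disagree")
    return findings


if __name__ == "__main__":
    for label, text in (("guide", GUIDE_OUTPUT), ("degraded", DEGRADED_OUTPUT)):
        print(label, failover_findings(parse_show_failover(text)) or "OK")
```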
Firewall Summary
This section has described concepts and configuration for routing to the Internet, firewall management and monitoring, and inside-network and DMZ connectivity and routing. NAT and firewall policy recommendations and configuration for the private LAN, various service networks, and the wireless guest network were also covered. The section finished with a discussion and configuration of active-standby failover for Cisco ASA firewalls.
Intrusion Prevention
Agency Overview
Internet services have become a key part of day-to-day operations for many agencies today. Providing secure Internet access, while preventing malicious content from entering an agency, is critical to maintaining employee productivity. In addition to client access to the Internet, agencies have a near universal need to have a web presence up and available for partners and clients to access basic information about the agency. When you place agency information on the Internet, you run a risk of exposure of data through an attack on the public-facing services. For an agency to use the Internet effectively, solutions must be found for all of these concerns.
Technical Overview
Worms, viruses, and botnets pose a substantial threat to agencies. To minimize the impact of network intrusions, intrusion prevention systems (IPSs) and intrusion detection systems (IDSs) can be deployed to provide additional protection for the traffic that is permitted through the Internet edge firewall. IPS is a complementary technology to the firewall and inspects traffic that is permitted by the firewall policy for attacks. If an IPS detects an attack, the offending traffic is dropped and an alert is sent. The IPS Security Service Module (SSM) can also run in an IDS mode where attacks are detected and alerted, but not dropped. Deploying the SSM in IDS mode can be helpful when initially deploying IPS to make sure that no production traffic is affected.
This design employs the Cisco Adaptive Inspection Prevention Security Service Module (AIP-SSM) for IPS services in the Internet edge Cisco ASA 5500 series firewalls. The design offers several options that are based on the performance requirements of the agency. For the Internet Edge 5K, the ASA 5520 with AIP-SSM-20 is recommended. The SSM-20 supports up to 375 Mbps of traffic for IPS inspection. For larger networks, like the Internet Edge 10K design, the ASA 5540 with AIP-SSM-40 will support up to 650 Mbps of traffic for IPS inspection. It is important to remember that the Internet edge firewall and IPS have more than just employee Internet traffic going through the box. Internal traffic to servers in the DMZ, wireless guest traffic, site-to-site VPN, and remote access VPN traffic all combine to make the throughput requirements for the Internet edge firewall and IPS much higher than the Internet connection speed.
Figure 44. Packet Flow Through an ASA/AIP-SSM
IPS modules integrated into the ASA rely on the ASA for high availability services. The ASAs in the Internet edge are deployed in an active/standby configuration; if the primary ASA fails, then the secondary ASA will take over all firewall operations and the traffic will be inspected by the IPS module in the secondary ASA.
Figure 45. IPS Processing Flowchart (stages shown: Pre-Processing, IPS Reputation Filters, Signature Inspection, Anomaly Detection, Global Correlation, Decision Engine)
Cisco IPS version 7.0 added a set of features that allow the system to make informed decisions on whether to permit or block traffic based on reputation. Cisco uses reputation in two key ways on the IPS:
• Reputation filters: a small list of IP addresses that have been hijacked or are owned by malicious groups
• Global Correlation Inspection: a rating system for IP addresses based on prior behavior.
Reputation filters allow the IPS to block all traffic from known bad addresses before any significant inspection is done (Figure 45). Global Correlation uses the reputation of the attacker in conjunction with the risk rating associated with the signature that triggered to come up with a new risk rating and drop traffic that is more likely to be malicious (Figure 46).
Figure 46. Reputation Effect on Risk Rating
A discussion about how traffic moves through the ASA/AIP-SSM combination can be found here: http://www.cisco.com/en/US/partner/docs/security/asdm/6_1/user/guide/ips.html#wp1535290
Configuration Details
The first step used to configure an IPS SSM is to session into the module from the ASA and set up basic networking such as IP address, gateway, and access lists to allow remote access to the GUI. Once the basic setup is complete, configuration is easy through a GUI such as IPS Device Manager launched from the ASA Security Device Manager (ASDM) or the IPS Manager Express (IME).
Process
1. Initial Setup
2. IPS Policy
3. IDS Policy
Procedure 1 Initial Setup
Procedure Steps:
1. Session into the module from the ASA
2. Run Setup
3. Configuring the second module
4. Connect to the sensor in ASDM
5. Running the startup wizard
6. Startup Wizard - Sensor Setup
Step 1: Session into the module from the ASA.
After logging into the ASA, the SSM module can be accessed by issuing the following command.
ASA5540# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is ‘CTRL-^X’.
The default username and password for the IPS module is cisco/cisco. If this is the first time the sensor has been logged into, there will be a prompt to change the password. Change the password to a value that complies with the security policy of the agency.
login: cisco
Password:

***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to [email protected].
Step 2: Run Setup.
After login, run the setup command to launch the initial configuration dialog. (In this example, user data is shown in bold.)
sensor# setup

    --- Basic Setup ---

    --- System Configuration Dialog ---

At any point you may enter a question mark ‘?’ for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets ‘[]’.

Current time: Mon Apr 19 17:52:08 2010

Setup Configuration last modified: Mon Apr 19 17:51:48 2010

Enter host name[sensor]: SSM-40-A
Enter IP interface[192.168.1.2/24,192.168.1.1]: 10.4.240.27/24,10.4.240.1
Modify current access list?[no]: yes
Current access list entries:
  No entries
Permit: 10.0.0.0/8
Permit:
Use DNS server for Global Correlation?[no]: yes
  DNS server IP address[]: 10.4.200.10
Use HTTP proxy server for Global Correlation?[no]: yes
  HTTP proxy server IP address[]: 128.107.241.169
  HTTP proxy server port number[]: 80
Modify system clock settings?[no]:
Participation in the SensorBase Network allows Cisco to collect aggregated statistics about traffic sent to your IPS.
SensorBase Network Participation level?[off]: partial

If you agree to participate in the SensorBase Network, Cisco will collect aggregated statistics about traffic sent to your IPS. This includes summary data on the Cisco IPS network traffic properties and how this traffic was handled by the Cisco appliances. We do not collect the data content of traffic or other sensitive business or personal information. All data is aggregated and sent via secure HTTP to the Cisco SensorBase Network servers in periodic intervals. All data shared with Cisco will be anonymous and treated as strictly confidential.
The table below describes how the data will be used by Cisco.

Participation Level = “Partial”:
  • Type of Data: Protocol Attributes (e.g. TCP max segment size and options string)
    Purpose: Track potential threats and understand threat exposure
  • Type of Data: Attack Type (e.g. Signature Fired and Risk Rating)
    Purpose: Used to understand current attacks and attack severity
  • Type of Data: Connecting IP Address and port
    Purpose: Identifies attack source
  • Type of Data: Summary IPS performance (CPU utilization memory usage, inline vs. promiscuous, etc)
    Purpose: Tracks product efficacy

Participation Level = “Full” additionally includes:
  • Type of Data: Victim IP Address and port
    Purpose: Detect threat behavioral patterns

Do you agree to participate in the SensorBase Network?[no]: yes

The following configuration was entered.

service host
network-settings
host-ip 10.4.240.27/27,10.4.240.1
host-name SSM-40-A
telnet-option disabled
access-list 10.0.0.0/8
ftp-timeout 300
no login-banner-text
dns-primary-server enabled
address 10.4.200.10
exit
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy proxy-server
address
port
exit
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service global-correlation
network-participation partial
exit

[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.

Enter your selection[3]: 2

--- Configuration Saved ---

Complete the advanced setup using CLI or IDM.
To use IDM, point your web browser at https://<sensor-ip-address>.
sensor#
Step 3: Configuring the second module
Press CTRL-X to exit the sensor and drop back into the Cisco ASA command line. To set up the second SSM on the standby ASA, log in to the CLI and rerun the setup script to configure the basic network connectivity. A different hostname must be used on the second SSM so that monitoring systems do not get confused. In the test lab, SSM-40-B was used on the standby SSM.
Step 4: Connect to the sensor in ASDM
At this point the IPS sensors are accessible from ASDM. Log in to ASDM and click on the Configuration tab and then click IPS. ASDM should display the “Connecting to IPS…” window. Enter the username and password specified on the IPS sensor and click Continue (Figure 47).
Figure 47. ASDM Connecting to IPS Module
ASDM will import the current configuration from the IPS sensor and the startup wizard launcher will be displayed in the main window.
Step 5: Running the startup wizard
Click Launch Startup Wizard (Figure 48).
Figure 48. Startup Wizard
Step 6: Startup Wizard - Sensor Setup
In the Startup Wizard: Sensor Setup, enter an NTP server and any necessary credentials for the server, set the time zone and summertime settings, and add the agency’s DNS servers as needed. The Allowed Hosts panel defines which IP addresses the sensor will accept at the management interface (Figure 49).
Click Next.
Figure 49. Sensor Setup
IPS Sensor Policy
At this point a decision must be made whether to run the sensor in IPS mode, where the sensor is inline in the traffic path. In this mode the traffic is inspected and can be dropped if it is malicious. The second mode of operation that is available is IDS mode, where a copy of the traffic is passively sent to the sensor to be inspected and alerts can be sent if the traffic is malicious. IPS mode provides more protection from Internet threats and has a low risk of blocking important traffic at this point in the network, particularly when it is coupled with reputation-based technologies. IDS mode can be deployed as a temporary solution to see what kind of impact IPS would have on the network and what traffic would be stopped. After the impact is understood and any necessary tuning has been done, the sensor can be easily changed to IPS mode.
If running the module in IPS (inline) mode, follow Procedure 2. If running the module in IDS (promiscuous) mode, follow Procedure 3.
Procedure 2 IPS Policy
Procedure 2 Steps:
1. Configuring IPS Policy in Startup Wizard
2. Configuring the IPS Traffic Policy
3. Enabling IPS inspection
4. Edit Virtual Sensor configuration
Step 1: Configuring IPS Policy in Startup Wizard
When running the Startup Wizard, the third step is Traffic Allocation, where the decision is made of what traffic to send to the IPS module and whether the traffic is sent in inline mode (IPS) or promiscuous mode (IDS).
For IPS mode we will add an inline policy globally that will inspect all traffic in and out of the ASA firewall (Figure 50).
Click Add.
Figure 50. Configuring IPS Policy in ASDM
Step 2: Configuring the IPS Traffic Policy
Accept the default settings to inspect all traffic and then click OK (Figure 51).
Figure 51. IPS Traffic Policy
A global IPS policy has been configured and is ready to be applied to the sensor. Click Finish (Figure 52).
Figure 52. IPS Inline Policy in ASDM
Step 3: Enabling IPS inspection
For the policy to be active on the firewall it must be applied to an interface. Click on Policies > IPS: Policies in the left hand window. Click Edit (Figure 53).
Figure 53. Enabling IPS Inspection
Step 4: Edit Virtual Sensor configuration
Check the box under Interfaces and Assigned to associate the IPS policy to the ASA’s backplane interface. Click OK (Figure 54).
Figure 54. Edit IPS Virtual Sensor Configuration
Click Apply and save the ASA config to complete the IPS inline setup.
Procedure 3 IDS Policy
Procedure 3 Steps:
1. Configuring IDS Policy in Startup Wizard
2. Configuring the IDS Traffic Policy
3. Enabling IDS inspection
4. Edit Virtual Sensor configuration
Step 1: Configuring IDS Policy in Startup Wizard
For IDS mode, a promiscuous policy needs to be created in the startup wizard. To add an IDS policy, start by clicking Add on screen 3 of the wizard (Figure 55).
Figure 55. Configuring IDS Policy in ASDM
Step 2: Configuring the IDS Traffic Policy
Change the traffic inspection type to Promiscuous and click OK (Figure 56).
Figure 56. IDS Traffic Policy
At this point, the promiscuous policy is created and ready to be applied to the sensor. Click Finish to complete IDS mode configuration (Figure 57).
Figure 57. IDS Inline Policy in ASDM
Step 3: Enabling IDS inspection
For the policy to be active on the firewall, it must be applied to an interface. Click on Policies > IPS > Policies in the left hand window. Click Edit (Figure 58).
Figure 58. Enabling IDS Inspection
Step 4: Edit Virtual Sensor configuration
Check the box under Interfaces and Assigned to associate the IPS policy to the ASA’s backplane interface. Click OK (Figure 59).
Figure 59. Edit IDS Virtual Sensor Configuration
Click Apply and save the ASA config to complete the IPS promiscuous setup.
Inline Security Policy Modifications
If IPS mode was chosen, the sensor is configured to drop high-risk traffic. This configuration means that if an alert fires with a risk rating of 90, or if the traffic comes from an IP address with a negative reputation that raises the risk rating to 90 or higher, the traffic will be dropped. If the risk rating is raised to 100 because of the source address reputation score, then all traffic from the IP address will be dropped (Figure 60).
Figure 60. IPS Policy
The chances of the IPS dropping traffic that is not malicious with this configuration are very low, but if a more conservative policy is desired, change the HIGH RISK classification from 90-100 to 100-100 by editing the HIGH RISK policy and setting the value to 100 (Figure 61).
Figure 61. IPS Risk Categories
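The reputation filter, the Global Correlation adjustment and the HIGH RISK event-action override described above are three separate stages, and it is easy to misjudge which one will actually drop a given flow and what changing the HIGH RISK floor from 90 to 100 does. The following is an added example, not Cisco's code and not the sensor's published algorithm: a small model of that decision path that can be run against sample alerts. The block-list network, the reputation scores, the REPUTATION_WEIGHT used to turn reputation into a risk-rating increase, and the signature names are all constructed assumptions.

```python
# Added example (not Cisco's code): a small model of the decision path the guide
# describes, so the effect of the HIGH RISK threshold and of source reputation
# can be seen on sample alerts. The reputation-to-risk-rating adjustment
# (REPUTATION_WEIGHT) and all addresses below are assumptions, not Cisco's
# published algorithm or real threat data.
import ipaddress
from dataclasses import dataclass

# Constructed "known bad" block list (stands in for the reputation filter list).
REPUTATION_FILTER = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed Global Correlation reputation scores; assumed scale -10 (worst) to 0.
REPUTATION_SCORE = {"198.51.100.7": -8.0, "198.51.100.9": -2.0}
# Assumed: each -1.0 of reputation adds 5 to the signature's risk rating.
REPUTATION_WEIGHT = 5


@dataclass
class Alert:
    src: str           # source address of the flow that triggered the signature
    signature: str     # signature identifier (constructed)
    risk_rating: int   # risk rating assigned by the signature, 0..100


@dataclass
class Verdict:
    action: str        # "drop" or "alert"
    stage: str         # which stage of the pipeline made the decision
    risk_rating: int   # risk rating after any reputation adjustment


def adjusted_risk_rating(alert):
    """Global Correlation: raise the risk rating for sources with bad reputation."""
    rep = REPUTATION_SCORE.get(alert.src, 0.0)
    return min(100, alert.risk_rating + int(-rep * REPUTATION_WEIGHT))


class DecisionEngine:
    def __init__(self, high_risk_floor=90):
        # 90 matches the guide's default HIGH RISK category (90-100);
        # 100 is the more conservative setting the guide describes.
        self.high_risk_floor = high_risk_floor
        self.denied_sources = set()   # sources whose traffic is now dropped outright

    def decide(self, alert):
        src = ipaddress.ip_address(alert.src)
        # Stage 1: reputation filter, applied before any signature inspection.
        if alert.src in self.denied_sources:
            return Verdict("drop", "denied-attacker", 100)
        if any(src in net for net in REPUTATION_FILTER):
            return Verdict("drop", "reputation-filter", 100)
        # Stage 2: signature inspection plus Global Correlation adjustment.
        rr = adjusted_risk_rating(alert)
        # Guide: if reputation pushed the rating to 100, all further traffic
        # from that source is dropped.
        if rr >= 100 and REPUTATION_SCORE.get(alert.src, 0.0) < 0:
            self.denied_sources.add(alert.src)
            return Verdict("drop", "deny-attacker", rr)
        # Stage 3: event action override for the HIGH RISK category.
        if rr >= self.high_risk_floor:
            return Verdict("drop", "high-risk-override", rr)
        return Verdict("alert", "signature", rr)


if __name__ == "__main__":
    engine = DecisionEngine()
    for a in (Alert("203.0.113.5", "sig-a", 20), Alert("198.51.100.7", "sig-b", 60),
              Alert("198.51.100.9", "sig-c", 85), Alert("192.0.2.44", "sig-d", 85)):
        print(a.src, engine.decide(a))
```

Running the same alerts through DecisionEngine(high_risk_floor=100) shows what the conservative setting buys: an alert whose rating lands at 95 is logged rather than dropped, while the reputation-filter and deny-attacker stages are unaffected by the floor. This is the behaviour to watch for when evaluating the sensor in IDS mode before switching to inline.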
Final Steps
The IPS sensor is now set up and needs to be rebooted for all of the configurations to take effect. If the sensor that is being rebooted is on the primary ASA, the reload will cause a failover to the standby firewall. To check whether the ASA is the primary firewall, use the show failover command to show which ASA is active, then log in to the ASA that is not the current active box and issue the failover active command. Logging back into ASDM should connect to the other ASA (the newly active firewall) with the still unconfigured IPS SSM, and the same setup should be followed, except using the name SSM-40-B and the IP address of 10.4.240.28/27.
Summary
Agencies are exposed to a large number of threats from the Internet. Cisco IPS deployed in the Internet Edge of an agency plays a significant role in identifying and blocking malicious traffic and improves the availability and security of the Internet facing services.
Remote Access VPN
Agency Overview
Many agencies need to offer network connectivity to their data resources for users regardless of their location. Employees, contractors, and partners may need to access the network when traveling or working from home or from other off-site locations. The remote-access connectivity should support a wide variety of endpoint devices and provide seamless access to networked data resources. The remote-access connectivity should support authentication and policy control that integrates with the authentication resources in use by the agency. This connectivity should utilize cryptographic security to prevent the exposure of sensitive data to unauthorized parties who accidentally or intentionally intercept the data.
Technology Overview
The remote access for remote users can be provided through one of the following methods:
• Software VPN client
• Hardware VPN client
• Secure Socket Layer (SSL) VPN web portal
The Cisco Adaptive Security Appliance (ASA) family supports IPsec, web portal, and full tunnel SSL VPNs for client-based remote access and IPsec for hardware client or site-to-site VPN. This section describes the basic configuration of remote access IPsec, web portal, and SSL VPNs for basic remote access, plus the configuration of Cisco Easy VPN for hardware client (ASA 5505) access.
Software clients such as the Cisco VPN Client and Cisco AnyConnect Client are recommended for remote users that require full network connectivity. The IPsec VPN client requires the user to have client software already loaded and configured on their machine in order to connect, and works best with agency-owned machines such as laptops. The Cisco AnyConnect client uses SSL and is designed for automated download and installation. SSL access can be more flexible and is likely to be accessible from more locations than IPsec, as few agencies block HTTPS access out of their networks.
A hardware client is a physical device like a small appliance or router that can provide an “always on” connection back to the agency network. They are typically used in situations where the user connects regularly, for long periods of time, from a static location, such as a home office user.
The SSL VPN web portal provides an SSL-based front-end to specific applications. This functions similar to a web proxy and is ideal for HTTP-based applications and simple file upload and download operations. With SSL, a restricted level of service can be offered when the user connects from unknown machines, thus providing greater security for the agency network.
The SBA for Large Agencies—Borderless Networks offers two different remote-access VPN designs:
• Remote-Access VPN (RA VPN) concentration integrated with the firewall Cisco ASA pair for the Internet Edge 5K design. This offers lower capital investment and reduces the number of devices the network engineering staff must manage.
• Remote-Access VPN concentration deployed on a pair of standalone Cisco ASAs for the Internet Edge 10K design. This design offers greater operational flexibility and scalability, while providing a simple migration path from an existing RA VPN installation.
This document describes the configuration for remote access VPN via the SSL VPN WebVPN portal, as well as AnyConnect and IPsec clients. The configuration is broken into sections for each of the various access methods, and begins with a configuration that is common to all of the access methods. Configurations for both the Internet Edge 5K and Internet Edge 10K offer identical functionality and capability, so that regardless of the design chosen, the user experience will be unchanged from one design to the other. Unless specifically noted, the configuration described in this document is common to both the Internet Edge 5K and Internet Edge 10K designs.
Hardware applied in this design is selected based on the following performance values:
Cisco ASA Family Product    Maximum IPsec VPN Sessions    Maximum SSL VPN Sessions
Cisco ASA 5510              250                           250
Cisco ASA 5520              750                           750
Cisco ASA 5540              5000                          2500
Remote Access VPN Configuration Details
The baseline configuration of the ASA, including availability, routing, Internet, and inside connectivity, as well as management/administration access, has already been covered in the “Firewall” section of this deployment guide.
If these aspects of this configuration are unfamiliar, review the relevant ‘Firewall’ sections.
The Cisco ASA’s Remote Access VPN termination capabilities can be configured from the command line or from the graphical user interface, Cisco Adaptive Security Device Manager (ASDM). Cisco ASDM provides a guided step-by-step approach to the configuration of RA VPN and reduces the likelihood of configuration errors.
This guide’s complete Remote Access VPN configuration may be pasted into the CLI, and the network-specific portions of the configuration then edited with ASDM.
Remote Access VPN Configuration
Process
1. Global configuration
2. NAT Policy modification for Internet Edge 5K
3. Configure client pool route summarization
4. IPsec client configuration
5. WebVPN basic configuration and AnyConnect configuration
6. Hardware Client configuration
Procedure 1 Global Remote Access Configuration
This procedure sets up user authentication and global remote-access parameters that are common to all access methods.
Procedure Steps:
1. Configure address pools
2. Configure route summarization
3. Define default group policy
4. Configure Active Directory administrative account
5. Add VPN groups to Active Directory
6. Add users to VPN groups in Active Directory
7. Define AAA authentication parameters
8. Configure NAT exemption (for Internet Edge 5K design only)
Step 1: Configure address pools (Figure 62).
Open the Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools panel. Define the Remote-Access VPN address pool that will be assigned to users when they connect to the VPN service:
This address-pool defines a sufficiently large address range to allow for 1022 users. If more address-space is needed, allocate a larger subnet, or define additional pools:
Figure 62. Add RA VPN IP Address Pool
Assign an object-group for the VPN pool in the Configuration > Remote Access VPN > Network (Client) Access > Advanced > ACL Manager panel (Figure 63).
Referring to the remote-access address-pool is more intuitive if it is assigned a relevant network name for the beginning address of the VPN pool.
Figure 63. Configure VPN Pool Access-List
Step 2: Configure route summarization on the adjacent switch for the remote-access VPN address-pool.
The Cisco ASA advertises the remote-access address-pool to the rest of the network as individual host routes for each connected user. Summarizing the address-pool avoids the nuisance of the VPN clients’ individual host routes propagating throughout the network.
interface TenGigabitEthernet1/0/1
 ip summary-address eigrp 100 10.4.240.0 255.255.240.0 90
!
interface TenGigabitEthernet2/0/1
 ip summary-address eigrp 100 10.4.240.0 255.255.240.0 90
Step 3: Define the Default Group Policy (DfltGrpPolicy) configuration in the Configuration > Remote Access VPN > Network (Client) Access > Group Policies panel:
This section of the config carries attributes that are common to all VPN groups, such as the address pool (Figure 64), DNS servers (Figure 65), tunnel policy (Figure 66), the domain for split-tunnel name resolution, and which VPN services will be globally allowed for the various VPN groups. The default policy configuration may be overridden by more-granular configuration in the various VPN groups’ description.
Figure 64. Default Group Policy: Address Pool
Figure 65. Default Group Policy: DNS Server
Figure 66. Default Group Policy: Split Tunneling Policy
Step 4: Use the Microsoft Windows server administrative tools to define Active Directory configuration in Steps 4 through 6. Configure the administrative account in Active Directory (Figure 67).
The administrative account provides the remote access concentrator’s access to the Active Directory. This configuration is applied on the Windows Active Directory server.
Figure 67. Active Directory: Administrative Account
Step 5: Add the relevant VPN groups to the Active Directory that will correspond to the various VPN access policies (Figure 68).
The Active Directory provides the users’ group membership to the ASA as a return-attribute, along with a notification of success or failure for the users’ credentials. This configuration is applied on the Windows Active Directory server.
Figure 68. Active Directory: Create Group for VPN Users
Step 6: Add users to the appropriate VPN access group if they are to be allowed to access the Remote Access VPN (Figure 69).
This configuration is applied on the Windows Active Directory server.
Figure 69. Active Directory: Add Users to VPN Group
Step 7: Define the authentication group in the Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups panel (Figure 70).
Authentication is the portion of the configuration that verifies that users’ credentials (username and password) match those stored within the agency’s database of users that are allowed to access electronic resources. The SBA for Large Agencies—Borderless Networks uses Microsoft Active Directory for its authentication database. When the Cisco ASA queries the Active Directory database to determine whether a user’s name and password is valid to establish a Remote Access VPN connection, the Active Directory returns a VPN group-name attribute that the Cisco ASA applies to assign the user to the appropriate VPN access group. This requires configuration on the Active Directory Server to create a user with access to the directory, and additional configuration on the ASA to associate the values returned by Active Directory with locally significant group names.
Figure 70. LDAP Parameters for Active Directory Integration
Step 8: Configure an LDAP attribute-map that associates vpn-group values returned from AD with local VPN Groups.
The LDAP attribute-map converts the LDAP return attributes to locally significant values. LDAP attribute-map configuration is found on the Configuration > Remote Access VPN > AAA/Local Users > LDAP Attribute Map panel.
The ‘Mapping of Attribute Name’ panel defines which attributes will be mapped together (Figure 71).
Figure 71. Configure LDAP Attribute Map: Attribute Name
The ‘Mapping of Attribute Value’ panel defines which values (Directory VPN User Group names) to expect from the Active Directory server, and which local value (Cisco ASA VPN Group name) will be derived from the AD return-attribute (Figure 72).
Figure 72. Configure LDAP Attribute Map: Attribute Value
Step 9: Define tunnel policies and configure group-policies by browsing to Remote Access VPN > Network (Client Access) > IPsec Connection Profiles. Find the appropriate group name under ‘Connection Profiles’, and click ‘Edit’ (Figure 73).
A different VPN group is required for each remote-access policy. This design includes three VPN groups. All three groups use a full-tunnel policy in order to ensure that hosts that are infected with malware cannot be remote-controlled while connected to the VPN. The three groups differ in these respects:
• Administrative users are authenticated by Active Directory, or a local username and password can be checked. This ensures that VPN access is available when the Active Directory server is unavailable. Administrative users have full access to the entire network.
• Employees are authenticated by Active Directory and have open access to the entire network.
• Partners are authenticated by Active Directory and, although they use a tunnel-all VPN policy, there is an access-list applied to the tunnels to restrict access to specific hosts.
Figure 73. Configure Tunnel Policy
Step 10: Define the tunnel-group, which ties together the LDAP group return attribute, the group tunnel policy, and the address-pool that will be used by the tunnel-group.
Figure 74. Associate Group Policy with AAA Values
Executing the preceding steps in ASDM will apply this Cisco ASA Command-Line Interface configuration:
ip local pool [ravpn-pool] [ra-pool]-[10.4.251.255] mask [255.255.252.0]
names
name [10.4.248.0] [ra-pool]
group-policy [DfltGrpPolicy] attributes
 dns-server value [10.4.200.10]
 vpn-tunnel-protocol IPSec svc webvpn
 split-dns value [cisco.local]
 address-pools value [ravpn-pool]
aaa-server [AD] protocol [ldap]
aaa-server [AD] ([inside]) host [dns-server]
 server-port [389]
 ldap-base-dn CN=[Users],DC=[Cisco],DC=[local]
 ldap-naming-attribute sAMAccountName
 ldap-login-password [cisco]
 ldap-login-dn CN=[ASA 5520],CN=[Users],DC=[Cisco],DC=[local]
 server-type [Microsoft]
ldap attribute-map [VPN-Group-AD-Map]
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=[vpn-partner],CN=[Users],DC=[cisco],DC=[com] [bn-partner]
 map-value memberOf CN=[vpn-user],CN=[Users],DC=[cisco],DC=[com] [bn-user]
group-policy [bn-adm-group] internal
group-policy [bn-adm-group] attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value [RA_FullTunnelACL]
group-policy [bn-user-group] internal
group-policy [bn-user-group] attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value [RA_FullTunnelACL]
group-policy [bn-partner-group] internal
group-policy [bn-partner-group] attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value [RA_FullTunnelACL]
tunnel-group [bn-user] type remote-access
tunnel-group [bn-user] general-attributes
 address-pool [ravpn-pool]
 authentication-server-group [AD]
 default-group-policy [bn-user-group]
tunnel-group [bn-admin] type remote-access
tunnel-group [bn-admin] general-attributes
 address-pool [ravpn-pool]
 default-group-policy [bn-adm-group]
tunnel-group [bn-partner] type remote-access
tunnel-group [bn-partner] general-attributes
 address-pool [ravpn-pool]
 authentication-server-group [AD]
 default-group-policy [bn-partner-group]
access-list [inside_nat0_outbound] extended permit ip [10.4.0.0] [255.254.0.0] [10.4.252.0] [255.255.252.0]
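The map-name and map-value lines in the ldap attribute-map above are the only thing standing between an Active Directory group and the VPN policy a user receives, so it is worth being able to exercise the mapping offline before pointing the ASA at the directory. The following is an added example, not Cisco's code: it applies the same map-name (memberOf to IETF-Radius-Class) and map-value entries to constructed directory entries. The DNs resolve the bracketed placeholders in the configuration to CN=vpn-user and CN=vpn-partner under CN=Users,DC=cisco,DC=com, the user names are invented, and the default policy passed in is an assumption standing in for the tunnel-group's default-group-policy.

```python
# Added example (not Cisco's code): applies the guide's LDAP attribute map to the
# attributes an Active Directory search would return, so the mapping from AD
# group DN to local ASA group-policy can be tested offline. Directory entries,
# user names and the resolved placeholder DNs are constructed assumptions.

def normalize_dn(dn):
    """Compare DNs case-insensitively and ignoring whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# map-name: AD attribute -> ASA attribute ('map-name memberOf IETF-Radius-Class').
MAP_NAME = {"memberOf": "IETF-Radius-Class"}

# map-value: (AD attribute, AD value) -> locally significant ASA group-policy name.
MAP_VALUE = {
    ("memberOf", normalize_dn("CN=vpn-partner,CN=Users,DC=cisco,DC=com")): "bn-partner",
    ("memberOf", normalize_dn("CN=vpn-user,CN=Users,DC=cisco,DC=com")): "bn-user",
}

# Constructed stand-in for AD search results (memberOf is multi-valued).
DIRECTORY = {
    "alice": {"memberOf": ["CN=vpn-user,CN=Users,DC=cisco,DC=com",
                           "CN=Domain Users,CN=Users,DC=cisco,DC=com"]},
    "bob":   {"memberOf": ["cn=vpn-partner, cn=Users, dc=CISCO, dc=com"]},  # odd casing/spacing
    "carol": {"memberOf": ["CN=Domain Users,CN=Users,DC=cisco,DC=com"]},     # no VPN group
    "dave":  {"memberOf": ["CN=vpn-user,CN=Users,DC=cisco,DC=com",
                           "CN=vpn-partner,CN=Users,DC=cisco,DC=com"]},      # in two VPN groups
}


def apply_attribute_map(entry):
    """Return {asa_attribute: [mapped values]}; unmapped attributes and values are dropped."""
    mapped = {}
    for ad_attr, values in entry.items():
        asa_attr = MAP_NAME.get(ad_attr)
        if asa_attr is None:
            continue
        for value in values:
            local = MAP_VALUE.get((ad_attr, normalize_dn(value)))
            if local is not None:
                mapped.setdefault(asa_attr, []).append(local)
    return mapped


def resolve_group_policy(username, default_policy="bn-user-group"):
    """Return (group_policy, candidates) for a user.

    default_policy stands in for the tunnel-group's default-group-policy, which
    applies when A D returns no mapped group. More than one candidate means the
    user sits in several mapped AD groups; fix the directory membership rather
    than rely on which value the ASA happens to apply."""
    entry = DIRECTORY.get(username, {})
    candidates = apply_attribute_map(entry).get("IETF-Radius-Class", [])
    if not candidates:
        return default_policy, candidates
    return candidates[0], candidates


if __name__ == "__main__":
    for user in DIRECTORY:
        print(user, resolve_group_policy(user))
```

The DN normalisation matters in practice: directory tooling and the ASA configuration rarely agree on case, and a map-value that differs only by case from what the directory returns silently leaves the user on the default policy.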
Procedure 2 Configure NAT Exemption
The Internet Edge 5K Design cannot NAT the traffic to the Remote-Access VPN users, or their traffic will not work. This step is not required by the Internet Edge 10K design.
Step 1: Configure NAT Exemption for the RA VPN User Pool by browsing to Firewall > NAT Rules (Figure 75).
In the Internet Edge 5K design, NAT exemption must be configured for traffic from the LAN that is going to the remote access clients. If this were not configured, traffic to clients would end up being translated, which would change the source address of the traffic, making it impossible for clients to receive traffic correctly from servers that they communicate with. This step is not needed on the Internet Edge 10K design because the VPN function is separated from the Internet Firewall functionality in that design, and NAT is not implemented on the VPN-only ASA.
Figure 75. Add NAT Exemption for RA VPN Address Pool
Procedure 3 Configure Route Summarization
This procedure adds routing configuration to the adjacent distribution switch to minimize the number of routes that must be advertised to the rest of the network for the VPN client pool.
Procedure Steps:
1. Configure route summarization
Step 1: Configure route summarization on the adjacent switch for the remote-access VPN address-pool.
The Cisco ASA advertises the remote-access address-pool to the rest of the network as individual host routes for each connected user. Summarizing the address-pool avoids the nuisance of the VPN clients’ individual host routes propagating throughout the network.
interface TenGigabitEthernet1/0/1
 ip summary-address eigrp 100 10.4.240.0 255.255.240.0 90
!
interface TenGigabitEthernet2/0/1
 ip summary-address eigrp 100 10.4.240.0 255.255.240.0 90
Procedure 4 IPsec Configuration
The following configuration enables user access to the network via the Cisco IPsec VPN Client. This configuration requires the configuration described above in the “Global Remote Access Configuration.”
Procedure Steps:
1. Configure Head-End ISAKMP and IPsec Policies
2. Configure Remote Access Connection Profile
3. Configure IPsec VPN Client
Step 1: Configure the Remote Access ISAKMP and IPsec Policies (Figure 76).
ISAKMP policies define the protection that is applied for the initial connection from IPsec VPN Clients to the Cisco ASA.
Figure 76. Create ISAKMP Policy
IPsec policies define the cryptographic protection that is applied for remote access VPN users’ data connectivity.
Figure 77. Create IPsec Policies
Step 2: Add IPsec VPN Client Remote Access connection profile (Figure 78).
The remote VPN client inherits a significant portion of its configuration from the RA VPN headend.
Figure 78. Head-End Remote Access Connection Profile
Step 3: Configure the IPsec VPN Client to connect to the appropriate VPN group (Figure 79).
The IPsec VPN client needs to be configured to match the parameters on the VPN headend. On the client side for IPsec, the user needs the IP address or DNS name of the headend, the group name and password, and a username and password.
Figure 79. IPsec VPN Client Configuration
Executing the preceding steps in ASDM will apply the following CLI configuration:
crypto isakmp enable [outside-16]
crypto isakmp enable [outside-17]
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map [BN_DYN_CRYPTO_MAP_1] 101 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map [BN_DYN_CRYPTO_MAP_1] 101 set reverse-route
crypto dynamic-map [BN_DYN_CRYPTO_MAP_2] 102 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map [BN_DYN_CRYPTO_MAP_2] 102 set reverse-route
crypto map [outside-16_map] 65535 ipsec-isakmp dynamic [BN_DYN_CRYPTO_MAP_1]
crypto map [outside-16_map] interface [outside-16]
crypto map [outside-17_map] 65535 ipsec-isakmp dynamic [BN_DYN_CRYPTO_MAP_2]
crypto map [outside-17_map] interface [outside-17]
tunnel-group [bn-user] ipsec-attributes
 pre-shared-key [c1sco123]
tunnel-group [bn-admin] ipsec-attributes
 pre-shared-key [c1sco123]
tunnel-group [bn-partner] ipsec-attributes
 pre-shared-key [c1sco123]
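The ISAKMP policy and transform-set lines above are the part of the remote-access configuration most likely to be pasted unchanged, so they deserve a review pass before deployment. The following is an added example, not Cisco's code: it parses a constructed copy of the configuration above (one outside interface only, the bracketed placeholders resolved to assumed values and the pre-shared key replaced by PSK-PLACEHOLDER) and reports the points a reviewer would raise: the 1024-bit DH group 2 in the ISAKMP policy, the 3DES transform-set still offered in the dynamic map, and a single pre-shared key shared by the admin, employee and partner tunnel-groups.

```python
# Added example (not Cisco's code): parses the ISAKMP/IPsec lines the guide shows
# and reports what a reviewer would check before deployment. The configuration
# below is constructed from the guide's lines with the bracketed placeholders
# resolved to assumed values (one interface only, PSK-PLACEHOLDER for the key).
import re

SAMPLE_CONFIG = """\
crypto isakmp enable outside-16
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto dynamic-map BN_DYN_CRYPTO_MAP_1 101 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map BN_DYN_CRYPTO_MAP_1 101 set reverse-route
crypto map outside-16_map 65535 ipsec-isakmp dynamic BN_DYN_CRYPTO_MAP_1
crypto map outside-16_map interface outside-16
tunnel-group bn-user ipsec-attributes
 pre-shared-key PSK-PLACEHOLDER
tunnel-group bn-admin ipsec-attributes
 pre-shared-key PSK-PLACEHOLDER
tunnel-group bn-partner ipsec-attributes
 pre-shared-key PSK-PLACEHOLDER
"""

_POLICY_RE = re.compile(r"crypto isakmp policy (\d+)$")
_TSET_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)$")
_DYNMAP_RE = re.compile(r"crypto dynamic-map (\S+) (\d+) set transform-set (.+)$")
_TG_RE = re.compile(r"tunnel-group (\S+) ipsec-attributes$")

# DES/3DES are deprecated and MD5 is broken; DH groups 1, 2 and 5 are below 2048 bits.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_crypto(config):
    """Collect ISAKMP policies, transform-sets, dynamic-map offers and PSKs."""
    policies, transform_sets, dynamic_maps, psks = {}, {}, {}, {}
    block = None   # (kind, name) of the indented block currently being read
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith(" "):
            if block is None:
                continue
            kind, name = block
            key, _, value = line.strip().partition(" ")
            if kind == "policy":
                policies[name][key] = value
            elif kind == "tunnel-group" and key == "pre-shared-key":
                psks[name] = value
            continue
        block = None
        if (m := _POLICY_RE.match(line)):
            block = ("policy", m.group(1))
            policies.setdefault(m.group(1), {})
        elif (m := _TSET_RE.match(line)):
            transform_sets[m.group(1)] = m.group(2).split()
        elif (m := _DYNMAP_RE.match(line)):
            dynamic_maps.setdefault((m.group(1), m.group(2)), []).extend(m.group(3).split())
        elif (m := _TG_RE.match(line)):
            block = ("tunnel-group", m.group(1))
    return {"policies": policies, "transform_sets": transform_sets,
            "dynamic_maps": dynamic_maps, "psks": psks}


def audit(parsed):
    """Return reviewer findings as strings; an empty list means nothing was flagged."""
    findings = []
    for num, p in sorted(parsed["policies"].items()):
        if p.get("group") in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {num}: DH group {p['group']} is below "
                            "the 2048-bit minimum (use group 14 or stronger)")
        if p.get("encryption") in {"des", "3des"}:
            findings.append(f"isakmp policy {num}: {p['encryption']} encryption is deprecated")
    weak_sets = {name for name, algs in parsed["transform_sets"].items()
                 if set(algs) & WEAK_TRANSFORMS}
    for (dm, seq), offered in sorted(parsed["dynamic_maps"].items()):
        bad = [s for s in offered if s in weak_sets]
        if bad:   # a client that proposes only the weak set will be given it
            findings.append(f"dynamic-map {dm} {seq} still offers weak transform-set(s): "
                            + ", ".join(bad))
    by_key = {}
    for tg, key in parsed["psks"].items():
        by_key.setdefault(key, []).append(tg)
    for groups in by_key.values():
        if len(groups) > 1:   # one group key removes the separation between profiles
            findings.append("tunnel-groups " + ", ".join(sorted(groups))
                            + " share the same pre-shared key")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_crypto(SAMPLE_CONFIG)):
        print("-", finding)
```

Run it over the output of show running-config on the headend rather than a pasted copy, so that transform-sets added later by ASDM are also covered; the dynamic-map check is the important one, because removing a transform-set definition while it is still referenced in a dynamic-map is what usually leaves a weak set in service.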
Procedure 5 AnyConnect Configuration
Procedure Steps:
1. Upload AnyConnect Client Binaries to Head-End ASA
2. Global WebVPN Configuration
3. Create WebVPN Group Connection URLs
4. AnyConnect Client Configuration
The Cisco ASA requires specific configuration to enable AnyConnect client support.
Step 1: Upload the appropriate platforms' AnyConnect clients to the ASAs using the File Transfer tool, found in the Tools > File Management menu. Click the File Transfer button and select Between Local PC and Flash . . . (Figure 80).
The AnyConnect client binaries are available for download on Cisco.com; download all clients needed to support the hardware and software platforms that are in use within the agency. Upload the files to both ASAs in the High Availability pair.
Figure 80. Upload AnyConnect Binary to ASA
Step 2: Add global WebVPN configuration to the Default Group Policy (DfltGrpPolicy) configuration (Figure 81).
Figure 81. Configure AnyConnect Client Policy
Step 3: Once uploaded, assign the current version of the active AnyConnect client (Figure 82).
Figure 82. Define AnyConnect Client
Step 4: Create WebVPN Group Connection URLs
By defining specific connection URL aliases, users can connect directly to their respective VPN group instead of needing to select their group on the login screen. If you are using the Internet Edge 10K design with dual ISP connections and expect to offer VPN connectivity through both ISP connections, be sure to provide group-urls for the IP addresses or hostnames of both ISPs. Open a web browser on the client PC and connect to the group-url.
The AnyConnect client's initial connection is typically launched with a web browser. After the client is installed on a user's computer, subsequent connections can be established through the web browser again, or directly through the AnyConnect client that is now installed on the user's computer. The user needs the IP address or DNS name of the Cisco ASA, a username and password, and the name of the VPN group that they are assigned to. Alternatively, the user can directly access their VPN group with its group-url, after which they will need to provide their username and password.
Figure 83. AnyConnect Client Initiation via WebVPN Portal
Executing the preceding steps in ASDM will apply this Cisco ASA Command-Line Interface configuration:
group-policy [DfltGrpPolicy] attributes
 webvpn
  svc ask none default svc
webvpn
 enable [outside-16]
 enable [outside-17]
 anyconnect-essentials
 svc image [disk0]:/[anyconnect-win-2.5.0196-k9.pkg] [1]
 svc image [disk0]:/[anyconnect-macosx-i386-2.5.0196-k9.pkg] [2]
 svc enable
 tunnel-group-list enable
tunnel-group [bn-user] webvpn-attributes
 group-alias [bn-user] enable
 group-url https://[10.194.112.114]/[bn-user] enable
 group-url https://[10.194.112.118]/[bn-user] enable
tunnel-group [bn-admin] webvpn-attributes
 group-alias [bn-admin] enable
 group-url https://[10.194.112.114]/[bn-admin] enable
 group-url https://[10.194.112.118]/[bn-admin] enable
tunnel-group [bn-partner] webvpn-attributes
 group-alias [bn-partner] enable
 group-url https://[10.194.112.114]/[bn-partner] enable
 group-url https://[10.194.112.118]/[bn-partner] enable
Procedure 6 Hardware Client Configuration
Telecommuters or other users that will use multiple devices, including IP phones or other platforms that cannot use a VPN client, can use a 'hardware client' device to offer remote-site connectivity, connecting their remote location to agency IT resources with cryptographic security. The hardware-client configuration applies a slightly different VPN connection mode, called 'Network Extension Mode,' wherein devices on the remote network are configured within the IP address range of the agency's network (within the remote-access VPN pool, in this case).
Procedure Steps:
1. Configure Network Extension Mode Policy
2. Configure Local Authentication
3. Configure a Cisco ASA 5505 Hardware Client
Step 1: Enable Network Extension Mode.
group-policy 5505Group internal
group-policy 5505Group attributes
 vpn-tunnel-protocol IPSec
 ip-comp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value [RA_SplitTunnelACL]
 user-authentication-idle-timeout 480
 nem enable
username 5505site5 password c1sco123
username 5505site5 attributes
 vpn-group-policy 5505Group
tunnel-group RA5505 type remote-access
tunnel-group RA5505 general-attributes
 default-group-policy 5505Group
tunnel-group RA5505 ipsec-attributes
 pre-shared-key c1sco123
Step 2: Define local authentication for the telecommuter connections.
Local authentication offers an effective solution for telecommuter VPN connections, because the telecommuter credentials are only relevant to remote-access connections that terminate on the single pair of ASAs, unlike other remote-access connections that apply network usernames that have relevance for many other network services.
username 5505site5 password c1sco123
username 5505site5 attributes
 vpn-group-policy 5505Group
Step 3: Configure a Cisco ASA 5505 Hardware Client
The ASA will support a wide variety of routers as VPN hardware remote clients as well as the ASA 5505. In this example, we are using the ASA 5505 for the remote hardware client. Apply the following text to completely configure connectivity for an ASA 5505:
hostname 5505Site32
domain-name cisco.local
enable password c1sco123
passwd c1sco123
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address [10.4.251.249] [255.255.255.248]
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 no shut
!
interface Ethernet0/1
 no shut
!
interface Ethernet0/2
 no shut
!
interface Ethernet0/3
 no shut
!
interface Ethernet0/4
 no shut
!
interface Ethernet0/5
 no shut
!
interface Ethernet0/6
 no shut
!
interface Ethernet0/7
 switchport access vlan 2
 no shut
!
dns server-group DefaultDNS
 domain-name [cisco.local]
http server enable
http [10.4.0.0] [255.254.0.0] [inside]
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.4.0.0 255.254.0.0 inside
telnet timeout 5
ssh 10.4.0.0 255.254.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd option 150 ip 10.4.200.20
!
dhcpd address 10.4.251.250-10.4.251.254 inside
dhcpd dns 10.4.200.10 interface inside
dhcpd domain cisco.local interface inside
dhcpd enable inside
!
vpnclient server 10.194.112.114
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup RA5505 password c1sco123
vpnclient username 5505site5 password c1sco123
vpnclient enable
!
username admin password c1sco123 privilege 15
Remote Access VPN Summary
The Cisco ASA supports IPsec, web portal, and full-tunnel SSL VPNs for client-based remote access, and IPsec for hardware-client or site-to-site VPN. This section described the basic configuration of remote-access IPsec, web portal, and SSL VPNs for basic remote access, plus the configuration of Cisco EZVPN for hardware-client (ASA 5505) access.
Email Security
Agency Overview
Email is a critical service in most agencies. Failing to protect that service can result in a loss of data and employee productivity.
There are two major problems with email in networks today. The first issue is that floods of unsolicited email, commonly referred to as spam, waste employee time (because of the sheer volume of messages), and waste network bandwidth and storage.
Another problem is that large numbers of emails are malicious and contain malware or phishing attacks that try to deceive users into releasing sensitive information such as credit card numbers, social security numbers, or intellectual property.
Technology Overview
An email solution will become unusable if junk email is not filtered properly. The sheer volume of spam messages crowds out legitimate mail and causes employees to waste time manually filtering through messages. A side effect of some junk email-filtering solutions is false positives, or email that is incorrectly identified as spam, causing legitimate messages to be discarded.
When this occurs, the agency must sift through the junk email looking for legitimate messages, or lower the level of filtering, allowing more potential junk messages to go to users and making the user responsible for determining whether emails are spam. Unsolicited email is also more likely to be malicious and include embedded attacks. Criminal groups are using attacks in email as an effective and cheap way to attack user machines. An example of an attack contained within email is malware that attempts to infect the host machine, or a message that offers users counterfeit URLs (phishing) to trick them into going to a website where criminals can steal bank login credentials or infect the host machine.
The objective of these types of attacks is to gather social security numbers or credit card numbers, or to compromise the host to use it as a launch point to send spam and other attacks.
The Cisco IronPort® C-Series Email Security Appliance (ESA) protects the email infrastructure and employees who use email at work by filtering unsolicited and malicious email before it reaches the user. ESA easily integrates into existing email infrastructures with a high degree of flexibility. It does this by acting as a Mail Transfer Agent (MTA) within the email delivery chain. Another name for an MTA is a mail relay. A normal email exchange when an agency is using an MTA (mail relay) might look like the message flow shown below (Figure 84).
Figure 84. Email Message Flow
ESA can be deployed with a single physical interface to filter email to and from an agency's mail server. The second deployment option is a two-interface configuration, with one interface for email transfers to and from the Internet and the other for email transfers to and from the internal servers. The Internet Edge design uses the single-interface model for simplicity (Figure 85).
Figure 85. Cisco E-mail Security Appliance Deployment Overview
ESA uses a variety of mechanisms for spam and antivirus filtering. There are two ways to filter spam: reputation-based and context-based. Reputation filters provide the first layer of defense by looking at the source IP address of the email server and comparing this to the reputation data downloaded from Cisco SenderBase®. SenderBase is the world's largest repository for security data, including spam sources, botnets, and other malicious hosts. When hosts on the Internet engage in malicious activity, SenderBase lowers the reputation of that host. Devices like ESA that use reputation get updates several times a day from SenderBase. When ESA receives an email, it compares the source IP to the database provided by SenderBase. If the reputation of the sender is positive, the email gets forwarded on to the next layer of defense. If it is negative, the email is discarded. If the reputation falls in between, the email is considered suspicious and is quarantined and waits for inspection before being delivered (Figure 86).
Context-based antispam inspection in ESA inspects the entire mail message, including attachments, looking for details like sender identity, message content, embedded URLs, and email formatting. Using these algorithms, the ESA can identify spam messages without blocking legitimate email.
Cisco IronPort Email Security Appliance uses a multilayer approach to fight viruses. The first layer is the Virus Outbreak Filters. Virus Outbreak Filters are downloaded from SenderBase by the appliance. They contain a list of known bad mail servers. These filters are generated by watching global email traffic patterns that look for anomalies associated with an outbreak. When an email is received from a server on this list, it is kept in quarantine until the antivirus signatures are updated to counter the current threat.
The second layer of defense that ESA uses is antivirus (AV) signatures to scan quarantined emails to ensure that they do not carry viruses into the network.
Figure 86. Email Filtering Overview (figure: the anti-spam engine classifies incoming mail as good, bad, or "gray"/unknown; known good is delivered, known bad is deleted or tagged, and suspicious mail is throttled and spam filtered)
Configuration Details
Cisco ESA deployment is designed to be as easy as possible. It is deployed into the existing mail delivery chain as a Mail Transfer Agent (MTA). The ESA will be the destination of email for the agency; as such, the public MX records (the DNS record that defines where to send mail) must eventually point to the public IP address of the ESA.
In this deployment guide, the ESA is physically deployed on the DMZ of the Internet Edge firewall using a single interface for simplicity. This interface handles all incoming and outgoing email and carries management traffic. The port on the ESA is the M1 management interface (Figure 87).
It is important that the ESA be accessible through the public Internet and that it is the first hop in the email infrastructure. The sender IP address is used by several ESA processes and is one of the primary identifiers SenderBase uses to determine the reputation of the sender. If another device receives mail before forwarding it to the ESA, the ESA will not be able to determine the sender IP address, and filtering cannot be applied properly.
Figure 87. E-mail Security Appliance Deployment
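The following is an added example (not Cisco's code and not part of this guide) that models the three-tier reputation decision and the outbreak-filter hold described under Technology Overview, together with the first-hop requirement just stated: reputation is taken from the IP that opened the SMTP connection, so a connection arriving from an internal relay cannot be judged and is held. The reputation table, outbreak list, score scale, and thresholds are all constructed for the example; real data comes from the SenderBase feed.

```python
"""Reputation-tiered verdict for an inbound SMTP session.

Added example modelled on the ESA behaviour described in this guide; it is
not Cisco's implementation. All reputation data, thresholds and addresses
are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for the SenderBase reputation feed: network -> score.
# Higher is better; the scale and the thresholds below are assumptions.
REPUTATION = {
    ip_network("198.51.100.0/24"): -8.5,  # known spam source (constructed)
    ip_network("203.0.113.10/32"): 6.0,   # well-behaved corporate relay (constructed)
    ip_network("192.0.2.0/24"): 0.5,      # little history: "gray" (constructed)
}
# Constructed outbreak list: servers currently tied to a virus outbreak.
OUTBREAK_LIST = {ip_network("203.0.113.77/32")}

GOOD_THRESHOLD = 3.0    # assumed: at or above this, forward to the next layer
BAD_THRESHOLD = -3.0    # assumed: at or below this, discard
UNKNOWN_SCORE = 0.0     # no record is treated as gray, never as good

# RFC 1918 space: a peer from here is an internal relay, not the Internet sender.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                     ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class InboundSession:
    peer_ip: str      # address of the host that opened the TCP connection
    mail_from: str    # envelope sender; not used for reputation (forgeable)


def is_first_hop(peer_ip: str) -> bool:
    """True when the connecting host is an Internet address. If the ESA sits
    behind another relay, peer_ip is that relay and reputation says nothing
    about the real sender."""
    ip = ip_address(peer_ip)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def reputation_score(peer_ip: str) -> float:
    """Look the connecting IP up in the (constructed) reputation table."""
    ip = ip_address(peer_ip)
    for net, score in REPUTATION.items():
        if ip in net:
            return score
    return UNKNOWN_SCORE


def verdict(session: InboundSession) -> str:
    """Return 'forward', 'discard', 'quarantine' or 'outbreak-hold'."""
    if not is_first_hop(session.peer_ip):
        # Cannot judge the real sender; hold for inspection rather than trust.
        return "quarantine"
    ip = ip_address(session.peer_ip)
    # Outbreak filter: hold until AV signatures catch up, regardless of score.
    if any(ip in net for net in OUTBREAK_LIST):
        return "outbreak-hold"
    score = reputation_score(session.peer_ip)
    if score >= GOOD_THRESHOLD:
        return "forward"
    if score <= BAD_THRESHOLD:
        return "discard"
    return "quarantine"


if __name__ == "__main__":
    for peer in ("203.0.113.10", "198.51.100.7", "192.0.2.9",
                 "203.0.113.77", "10.4.200.30"):
        print(peer, verdict(InboundSession(peer, "sender@example.com")))
```

The last sample peer (10.4.200.30, a constructed inside address) shows the first-hop failure mode: once a relay sits in front of the filter, every message carries the relay's address and the reputation layer degrades to a blanket hold.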
Process
1. Initial ESA Deployment
2. System Updates and Feature Keys
3. Setup Bounce Verification
4. Set Mail Policies to drop SPAM
Procedure 1 Initial ESA Deployment
1. DNS Configuration
2. Initial Setup Options
3. Configure Management Access
4. Alternate (GUI Management Access Configuration)
5. System Setup Wizard
6. System Configuration
7. Network Integration
8. Message Security
9. Finalize Initial Configuration
Step 1: DNS Configuration
The ESA hostname is the name carried in the DNS Mail Exchange (MX) record and indicates that the ESA is the primary MTA. The DNS A (IP address) record is the public IP address for the ESA (in this case, the statically mapped public address on the firewall for the ESA that resides on the DMZ in Figure 5).
172.16.130.16 is the public address in ISP A to send email to cisco.local.
This external address is statically NAT'ed back through the dmz-mail interface to the ESA (which has an actual address of 10.4.244.16).
The MX records for cisco.local point to the 172.16.130.16 address, as it is the public address (specific to this lab only) that other agencies use to send email.
After physically installing and connecting the ESA to the network, the next step is initial setup.
Tech Tip
The default username and password are admin/ironport.
Step 2: Initial Setup Options
The first step in deploying the ESA is to complete the System Setup Wizard by accessing the ESA Graphical User Interface (GUI) through a web browser.
If the agency's install procedures allow a PC to directly connect to the ESA via its default IP address, then skip ahead to the section titled "System Setup Wizard."
If the installation procedure requires the ESA to be rack mounted in a remote room, and the initial configuration to be performed remotely using an out-of-band connection such as the serial port, then the ESA will need to be preconfigured with basic network settings. These settings are explained in the "Out-of-Band Network Configuration" section. Once complete, continue the setup by using the "System Setup Wizard."
Step 3: Configuring Management Access
To change the default network settings via a serial console port, connect using a standard null modem cable with the terminal emulator settings of 8-1-none-9600 baud. Once connected and logged in, run interfaceconfig and setgateway to change the basic network settings. Issue the commit command to save the changes to the running configuration.
Tech Tip
Depending on the code version the appliance has installed, the CLI or GUI interfaces might display slightly different options.
ironport.example.com> interfaceconfig

Currently configured interfaces:
1. Management (192.168.42.42/24 on Management: ironport.example.com)

Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]> edit

Enter the number of the interface you wish to edit.
[]> 1

IP interface name (Ex: “InternalNet”):
[Management]> Mail_DMZ

IP Address (Ex: 192.168.1.2):
[192.168.42.42]> 10.4.244.16

Ethernet interface:
1. Data 1
2. Data 2
3. Data 3
4. Management
[4]>

Netmask (Ex: “255.255.255.0” or “0xffffff00”):
[255.255.255.0]> 255.255.255.0

Hostname:
[ironport.example.com]> c370.cisco.local

Do you want to enable FTP on this interface? [N]>
Do you want to enable Telnet on this interface? [Y]> n
Do you want to enable SSH on this interface? [Y]>
Which port do you want to use for SSH?
[22]>

Do you want to enable HTTP on this interface? [Y]>
Which port do you want to use for HTTP?
[80]>

Do you want to enable HTTPS on this interface? [Y]>
Which port do you want to use for HTTPS?
[443]>

Do you want to enable Spam Quarantine HTTP on this interface? [N]> y
Which port do you want to use for Spam Quarantine HTTP?
[82]>

Do you want to enable Spam Quarantine HTTPS on this interface? [N]> y
Which port do you want to use for Spam Quarantine HTTPS?
[83]>

You have not entered an HTTPS certificate. To assure privacy, run “certconfig” first. You may use the demo, but this will not be secure.
Do you really wish to use a demo certificate? [Y]>
Both HTTP and HTTPS are enabled for this interface, should HTTP requests redirect to the secure service? [Y]>

Both Spam Quarantine HTTP and Spam Quarantine HTTPS are enabled for this interface, should Spam Quarantine HTTP requests redirect to the secure service? [Y]>

Do you want MAIL_DMZ as the default interface for Spam Quarantine? [N]> y

Do you want to use a custom base URL in your Spam Quarantine email notifications? [N]>

The interface you edited might be the one you are currently logged into. Are you sure you want to change it? [Y]>

Currently configured interfaces:
1. MAIL_DMZ (10.4.244.16/24 on Management: c370.cisco.local)

Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]>

Please run “systemsetup” or “sethostname” then “commit” before sending mail.
ironport.example.com> setgateway

Warning: setting an incorrect default gateway may cause the current connection to be interrupted when the changes are committed.
Enter new default gateway:
[]> 10.4.244.1

Please run “systemsetup” or “sethostname” then “commit” before sending mail.
ironport.example.com> commit

Please enter some comments describing your changes:
[]> initial setup

Changes committed: Thu Apr 29 21:20:57 2010 UTC
After configuring the ESA, it should be possible to ping the appliance from the network, assuming the correct firewall rules have been applied; from the ESA CLI, pinging the default gateway confirms the same connectivity.
ironport.example.com> ping 10.4.244.1

Press Ctrl-C to stop.
PING 10.4.244.1 (10.4.244.1): 56 data bytes
64 bytes from 10.4.244.1: icmp_seq=0 ttl=255 time=0.481 ms
64 bytes from 10.4.244.1: icmp_seq=1 ttl=255 time=0.271 ms
64 bytes from 10.4.244.1: icmp_seq=2 ttl=255 time=0.195 ms
Step 3: Alternate (GUI Management Access Configuration)
If you did not do the steps above in the CLI, then to connect to the GUI device manager, open a browser and browse via HTTPS to the default address of the e-mail appliance (https://192.168.42.42/).
If you did complete the steps above, then connect to the IP address configured previously in the "Configuring Management Access" section.
Step 4: System Setup Wizard
The next step is to run the System Setup Wizard from the GUI by connecting to the IP address that was configured in the startup script from the serial port connection, or alternately via the 192.168.42.42 address if initial setup was done by connecting to the management Ethernet interface (Figure 88).
Figure 88. System Setup Wizard
At the Start screen, read the license and click I accept, then click Begin Setup (not pictured).
Step 5: System Configuration
On the System tab, enter system configuration settings like time settings and default hostname, and change the default password using the values as shown in the figure (Figure 89).
The last two questions determine whether the ESA participates in the SenderBase network. This allows the ESA to send anonymized reputation details about email traffic back to Cisco to improve SenderBase and the product in general.
Figure 89. System Configuration
Step 6: Network Integration
On the Network tab, a network administrator performs network integration tasks such as setting up the network gateway and defining which interfaces to use and what DNS servers to use (or use the Internet's Root DNS servers). This tab is where the administrator needs to enter the agency's email information: what incoming mail to accept and what to do with it, and what email to relay outbound (Figure 90).
Figure 90. Network Integration
Step 7: Message Security
On the Security tab, define message security by selecting whether antispam and antivirus filtering are enabled and which engine is used for each function (Figure 91).
Figure 91. Message Security
Step 8: Finalize Initial Configuration
The Review tab (not shown here) allows review of the configuration that has been defined, and lets you accept or modify the configuration. If it is accepted, the ESA will install the configuration.
Click Install this Configuration.
Bypass the Active Directory Wizard by clicking Cancel.
Procedure 2 System Updates and Feature Keys
It is important to look at two other areas on the ESA before beginning to use it: feature keys and system upgrades.
Step 1: System Updates
To upgrade the code on the appliance, select System Administration > System Upgrade and view the current software version. Click Available Updates to determine if updates are available.
If newer versions are available, they can be selected and installed. While it is not necessary to load all updates sequentially, it is possible that a later update will require interim updates before it can be loaded. If interim updates are required, the appliance will alert the operator.
Another option is to run the upgrade command from the CLI.
Step 2: Update Feature Keys
In the web configuration tool, browse to System Administration > Feature Keys.
This page displays the license keys for the different features on the box. To check whether the ESA has any licenses that are not currently enabled, click Check for New Keys. This action will enable the ESA to connect to Cisco.com and determine if all purchased licenses are installed and enabled.
Once any new feature keys are downloaded, they can be activated.
Figure 92. Feature Keys
Tech Tip
It is not possible to downgrade software versions, so be certain that an upgrade is desired before proceeding. It is possible that an appliance can receive different upgrade options if it is on an early release list.
Procedure 3 Setup Bounce Verification
One of the last steps of setting up a standard configuration for the ESA is setting up Bounce Verification. Bounce verification is a process that allows the ESA to tag outgoing messages with a specific tag so that when bounced emails come back to the ESA, it can verify that the emails were actually sent out originally by the ESA. Spammers and hackers use fake bounced messages for many malicious purposes.
Step 1: Create Bounce Verification Key
To set up bounce verification, select Mail Policies > Bounce Verifications.
Click New Key.
Enter an arbitrary text string that the ESA will apply in the bounce verification process. Commit the changes (Figure 93).
Figure 93. Bounce Verification
Step 2: Set Bounce Verification Address Tagging to On
Select Mail Policies > Destination Controls.
Click Default in the first table, which is under the Domain header.
Change Bounce Verification to: Perform Address Tagging: Yes
Submit and commit the changes.
Figure 94. Bounce Verification Enable
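To show what address tagging buys you, here is an added example (not Cisco's implementation and not from this guide) of the mechanism in Procedure 3: the outgoing envelope sender is rewritten with a tag derived from a secret key, and an inbound bounce (null MAIL FROM) is accepted only if its recipient address carries a tag that verifies and has not expired. The tag layout (prvs=<expiry><mac>=<original local part>), HMAC-SHA256, the 6-hex-digit MAC, and the 7-day validity window are assumptions chosen so the example is checkable offline; the key and addresses are constructed.

```python
"""Bounce-address tagging and verification.

Added example of the bounce verification idea described in this guide; it
is not Cisco's code. Tag format, MAC algorithm and validity window are
assumptions; key and addresses are constructed."""
import hashlib
import hmac
import re

TAG_RE = re.compile(r"^prvs=(\d{3})([0-9a-f]{6})=(.+)$")
MAX_DAYS_VALID = 7   # assumed: a tag older than this is rejected even if its MAC checks


def tag_sender(address: str, key: bytes, today: int) -> str:
    """Rewrite the envelope sender of an outgoing message with a tag that
    only the holder of `key` can produce. `today` is a day counter."""
    local, domain = address.rsplit("@", 1)
    expiry = (today + MAX_DAYS_VALID) % 1000   # three-digit rolling day number
    mac = hmac.new(key, f"{expiry:03d}{address}".encode(), hashlib.sha256).hexdigest()[:6]
    return f"prvs={expiry:03d}{mac}={local}@{domain}"


def verify_bounce(rcpt_to: str, key: bytes, today: int):
    """Return the original address if `rcpt_to` carries a valid, unexpired
    tag produced with `key`; otherwise None."""
    local, domain = rcpt_to.rsplit("@", 1)
    m = TAG_RE.match(local)
    if not m:
        return None                       # untagged: this appliance never sent it
    expiry, mac, orig_local = m.groups()
    original = f"{orig_local}@{domain}"
    expected = hmac.new(key, f"{expiry}{original}".encode(), hashlib.sha256).hexdigest()[:6]
    if not hmac.compare_digest(mac, expected):
        return None                       # forged, altered, or wrong key
    if (int(expiry) - today) % 1000 > MAX_DAYS_VALID:
        return None                       # expired (modular arithmetic handles wraparound)
    return original


def accept_bounce(mail_from: str, rcpt_to: str, key: bytes, today: int) -> bool:
    """Inbound gate: bounces (null sender) must carry a valid tag; ordinary
    mail is passed on to the normal anti-spam path."""
    if mail_from != "":
        return True
    return verify_bounce(rcpt_to, key, today) is not None


if __name__ == "__main__":
    key = b"constructed-demo-key"         # stands in for the string entered under New Key
    tagged = tag_sender("alice@cisco.local", key, today=100)
    print(tagged)
    print(accept_bounce("", tagged, key, today=103))               # True
    print(accept_bounce("", "alice@cisco.local", key, today=103))  # False
```

The expiry is folded into the MAC input, so an attacker who captures a tagged address cannot extend its life, and replaying it after the window closes fails at the expiry check even though the MAC still verifies.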
Procedure 4 Set Mail Policies to drop SPAM
Step 1: Change Spam Settings to Drop
The last step in setting up the ESA is reviewing the Incoming Mail Policies and changing the default setting to drop email that has been positively identified as spam.
To review mail policies, select Mail Policies > Incoming Mail Policies.
Currently there is one default mail policy.
Step 2: Select the entry under the Anti-Spam column header.
Step 3: Change a Positively Identified Spam result from a Quarantine action to a Drop action (Figure 95).
Submit and commit the changes.
Figure 95. Mail Policies: Anti-Spam
Firewall Configuration
Process
1. Firewall DMZ Configuration
2. Firewall Address Translation (NAT/PAT) Configuration
3. Configure Firewall Policy for ESA
Procedure 1 Firewall DMZ Configuration
The firewall's DMZ (De-Militarized Zone) is a portion of the network where, typically, traffic to and from other parts of the network is tightly restricted. Agencies place network services in a DMZ for exposure to the Internet. These servers are typically not allowed to initiate connections to the 'inside' network, except for specific circumstances.
The various DMZ networks on the DMZ switch are connected to the ASAs on the ASAs' Gigabit Ethernet interface via a VLAN trunk. For this deployment, a separate DMZ for email will be created and the ESA will be deployed in the network on that DMZ. The DMZ-mail VLAN interface on the Cisco ASA is assigned an IP address, which is the default gateway for the DMZ-mail VLAN subnet. The DMZ switch's VLAN interface does not have an IP address assigned for the DMZ-mail VLAN.
Procedure Steps:
1. Configure ASA firewall physical interface
2. Configure sub-interface for DMZ-mail
3. DMZ Switch Configuration
Step 1: Configure ASA firewall physical interface
NOTE: If there are already DMZs that have been created and configured and the ASA physical interface to the DMZ switch has already been configured, skip to Step 2.
Configure the interface that carries the VLAN trunk for the various DMZs. Values are not assigned for the interface name, security level, or IP address on trunk interfaces. Configuration details are shown in Figure 96.
Figure 96. Define DMZ Trunk Interface
interface GigabitEthernet0/1
 description dmz trunk to dmz-3750 stack port x/0/1
 no nameif
 no security-level
 no ip address
Step 2: Configure the DMZ VLAN connectivity on the GigabitEthernet0/1 subinterface.
The DMZ VLAN interface must be assigned an appropriate IP address for the attached subnet, as well as an intuitive interface name to be used for NAT and security policy configuration. The tested design uses the values shown in Table 5. The configuration for one VLAN interface is displayed below (Figure 97).
Table 5. VPN-DMZ Configuration Parameters
Interface Label          IP Address & Netmask   VLAN   Security Level   Name
GigabitEthernet0/1.1120  10.4.244.1/24          1120   50               dmz-mail
Figure 97. DMZ Sub-interface Configuration
interface GigabitEthernet0/1.1120
 vlan 1120
 nameif dmz-mail
 security-level 50
 ip address 10.4.244.1 255.255.255.0 standby 10.4.244.2
Step 3: On the DMZ switch, add the appropriate VLAN to the trunk ports that connect to the ASAs.
Use the following set of commands for the primary ASA:
interface GigabitEthernet1/0/23
 switchport trunk allowed vlan add 1120
And use similar commands for the standby ASA:
interface GigabitEthernet1/0/24
 switchport trunk allowed vlan add 1120
Procedure 2 Address Translation Configuration
Prior to this procedure, the DMZ-mail network would have connectivity to the ASAs' interface, but there would be no access from the DMZ-mail network to the Internet, or from the Internet to the DMZ-mail. A last step is required to allow Internet connectivity for the ESA. The DMZ-mail network uses private network (RFC 1918) addressing that is not Internet routable, so the ASAs must translate the ESA address to an outside public address. For this configuration, create a static translation of the DMZ-mail address of the ESA to a public IP address that can be routed on the Internet, as shown in Table 6.
Table 6. Email Security Appliance IP Address Translation Information
DMZ Address of ESA   Outside Address of ESA on ISP-A
10.4.244.16          172.16.130.16
NOTE: As you apply the address translation configuration described in this portion of the document, the ASA will apply its default access rule set that permits traffic from higher-security interfaces to lower-security interfaces. Review your expected traffic carefully; if you cannot allow some or all traffic that is allowed by the default rules, you should shut down the various device interfaces until you have completely configured your firewall rule set.
Procedure Steps:
1. Configure name-to-address mappings for DMZ-mail subnet and ESA.
2. Define static translation policy for traffic passing between the Internet and the ESA in the DMZ-mail.
Step 1: Configure name-to-address mappings for DMZ-mail subnet and ESA.
These names will be used for NAT configuration, as well as Access-Rule definition. Be sure the names that you apply will be applicable for all parts of the configuration. Using address-family names and object-groups improves command-line and ASDM usability for the Cisco ASA, as the various IP networks and hosts within your agency are represented as names instead of IP addresses. Configuration of outside-mail-1 is shown in Figure 98. Repeat this for dmz-mail-net (the network information for the DMZ-MAIL network) and for dmz-C370 (the DMZ-mail address of the C370).
Navigate to Configuration > Firewall > Objects > Network Objects/Groups.
Figure 98. Configure Network Object Names
names
name 172.16.130.16 outside-mail-1
name 10.4.244.0 dmz-mail-net
name 10.4.244.16 dmz-C370
Step 2: Define static translation policy for traffic passing between the Internet and the ESA in the DMZ-mail.
All devices that must be exposed to the Internet will require a static translation. The ESA translation is shown in Figure 99.
Figure 99. Define Firewall Static Translation
static (dmz-mail,outside-16) outside-mail-1 dmz-C370 netmask 255.255.255.255
Procedure 3 Configure Firewall Policy for ESA
Security policy configuration is fairly arbitrary, to suit the policy and management requirements of an agency. Thus, the examples here should be used as a basis for your network's security requirements.
The Email DMZ provides an additional layer of protection to lower the likelihood of certain types of misconfiguration, or a compromise of a host in the DMZ, exposing other devices or networks to an attacker on the Internet. A filter allows only mail traffic to the ESA. The ESA is allowed to send SMTP traffic as well as make HTTP and HTTPS connections (needed for reputation updates) to any host on the Internet. The ESA is allowed to make inbound SMTP connections to the agency Exchange server as well as DNS requests to the agency's DNS server.
Procedure Steps:
1. Define access-control entries to allow traffic from the Internet to the ESA
2. Define access-control entries to allow ESA to access internal resources and block all other requests
3. Define access-control entries to allow internal access to ESA, but block SMTP access for all other devices
Step 1: Define access-control entries to allow traffic from the Internet to the ESA
This policy allows SMTP to the outside-mail-1 public address, is applied on the outside-16 interface Access Rule, and builds on existing policies (Figure 100).
Figure 100. Internet SMTP Access
Step 2: Define access-control entries to allow ESA to access inside and Internet resources and block other requests
This policy is applied on the DMZ-mail interface Access Rule, and builds on existing policies. It allows all devices on the dmz-mail-net to send SMTP to the inside mail host (the internal Exchange server), to make DNS requests to the dns-server host (the internal DNS server), to send logs using ssh and ftp to data center logging devices, and then blocks all other internal requests.
It also allows all devices on DMZ-mail to connect to any Internet host using SMTP, HTTP, and HTTPS. All other access is denied (Figure 101).
Figure 101. DMZ-Mail Access
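The two access rules above (Figures 100 and 101) are easy to get wrong in ordering: the "deny everything else internal" entry must come before the permits to any Internet host, or the ESA ends up with HTTP/HTTPS reach into the inside network. The following added example (not the ASA's configuration and not from this guide) encodes both rule sets as first-match lists and evaluates sample flows against them. The outside rule uses the translated public address, as ASA code of the vintage shown here (static-command NAT) references it in ACLs. The inside Exchange server (10.4.200.30) and logging host (10.4.200.40) addresses are constructed; 10.4.200.10 is the DNS server and 10.4.0.0/15 the inside range seen earlier in this guide.

```python
"""First-match access-rule evaluation for the ESA DMZ policy.

Added example modelled on the rules described in this guide; it is not the
ASA's own configuration. Inside mail and logging host addresses are
constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")
DMZ_MAIL_NET = ip_network("10.4.244.0/24")
INSIDE_NETS = ip_network("10.4.0.0/15")          # inside range used in this guide
OUTSIDE_MAIL_1 = ip_network("172.16.130.16/32")  # public (translated) address of the ESA
INSIDE_MAIL = ip_network("10.4.200.30/32")       # constructed: internal Exchange server
DNS_SERVER = ip_network("10.4.200.10/32")        # DNS server from this guide
LOG_HOST = ip_network("10.4.200.40/32")          # constructed: data center logging host


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ip" (ip matches any protocol)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]     # None means any destination port

    def matches(self, proto: str, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


# Figure 100: applied inbound on outside-16. Only SMTP to the ESA's public address.
OUTSIDE_16: List[Rule] = [
    Rule("permit", "tcp", ANY, OUTSIDE_MAIL_1, 25),
]

# Figure 101: applied inbound on dmz-mail. Order matters: the deny for the
# inside range must precede the "any host" permits for SMTP/HTTP/HTTPS.
DMZ_MAIL: List[Rule] = [
    Rule("permit", "tcp", DMZ_MAIL_NET, INSIDE_MAIL, 25),    # SMTP to Exchange
    Rule("permit", "udp", DMZ_MAIL_NET, DNS_SERVER, 53),     # DNS lookups
    Rule("permit", "tcp", DMZ_MAIL_NET, LOG_HOST, 22),       # logs via ssh
    Rule("permit", "tcp", DMZ_MAIL_NET, LOG_HOST, 21),       # logs via ftp
    Rule("deny", "ip", DMZ_MAIL_NET, INSIDE_NETS, None),     # nothing else inside
    Rule("permit", "tcp", DMZ_MAIL_NET, ANY, 25),            # outbound SMTP
    Rule("permit", "tcp", DMZ_MAIL_NET, ANY, 80),            # reputation updates
    Rule("permit", "tcp", DMZ_MAIL_NET, ANY, 443),
]


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; no match is the ASA's implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in acl:
        if rule.matches(proto, s, d, dport):
            return rule.action
    return "deny"


if __name__ == "__main__":
    samples = [
        (DMZ_MAIL, "tcp", "10.4.244.16", "10.4.200.30", 25),      # ESA -> Exchange: permit
        (DMZ_MAIL, "tcp", "10.4.244.16", "10.4.200.30", 443),     # ESA -> inside web: deny
        (DMZ_MAIL, "tcp", "10.4.244.16", "198.51.100.20", 443),   # reputation update: permit
        (OUTSIDE_16, "tcp", "198.51.100.20", "172.16.130.16", 22),  # Internet ssh: deny
    ]
    for acl, *flow in samples:
        print(flow, evaluate(acl, *flow))
```

Moving the deny entry below the three "any host" permits turns the second sample flow into a permit; that is the misordering the DMZ is meant to prevent, and a check like this one over a handful of flows catches it before the rule set is pushed.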
Internet Edge 10K Deployment
Because different agencies use email in different quantities, care must be taken in sizing the appliance(s). A Cisco Partner or Account Manager can be of valuable assistance.
It is easier to deploy, manage, and maintain a single appliance, but any capacity for resilience is lost. If resilience is required, then an additional appliance can be deployed.
The Internet Edge 5K design uses a single C370 appliance that provides capacity to handle a medium message load for an agency of up to 5000 connected users, but lacks any resilience. The Internet Edge 10K design uses a pair of C370s. This provides twice the message-handling capacity along with resilience.
When using the ESA in the Internet Edge 10K design, some additional steps need to be taken. Because the Internet Edge 10K design uses two ISPs and each is deployed with its own IP address space, there must be a DNS entry for the ESA for each IP address space. In the Internet Edge 10K design, the 172.16.130.0/24 range is used for ISP A and the 172.17.130.0/24 range is used for ISP B. Each ESA needs to have an address in each range, and the address needs to be mapped in DNS to the appropriate MX and A records so that if the connection to ISP A is lost, other agencies can use the MX record for ISP B and the agency can continue receiving mail.
To configure this functionality, an administrator will need to ensure the firewall configuration allows access to the ESA from both ISP A and ISP B. To accomplish this, a static translation will need to be created for the ESA's address on the ISP B network, 172.17.130.16. In addition, access to TCP port 25 must be allowed for anyone on the Internet, which is the same access that is allowed for ISP A (Figure 102).
Figure 102. Backup ISP NAT Creation
After completion, a static for the C370 ESA from dmz-mail to outside-16 and a static from dmz-mail to outside-17 should both exist, and ACLs should exist to permit SMTP inbound on both outside interfaces.
For the second C370 (dmz-C370-B) used in the Internet Edge 10K design, static NAT rules must be built to both ISP-A and ISP-B, and it must be assigned an address in each of those address spaces (Figure 103).
Figure 103. 2nd C370 NAT Configuration
Additionally, ACLs have to be created that provide the same access as those created for dmz-C370 (Figure 104).
Figure 104. 2nd C370 ACL Configuration
High Availability
The Cisco ESA functions as part of the mail transfer chain, and there is a reasonable amount of resiliency built into the system, since a mail server in the chain will store a message for some period of time if the destination server is unresponsive. Additional resilience is achieved by adding a second ESA. The second ESA should be configured the same as the first ESA, and an additional MX record should be added to DNS.
For any additional devices, access lists and static NAT rules will need to be added to the ASA.
Final Steps
Monitoring
To monitor the behavior of the ESA, there are a variety of reports available under Monitor. These reports allow an administrator to track activity and statistics for spam, virus types, incoming mail domains, outbound destinations, system capacity, and system status.
Troubleshooting
To determine why the ESA applied specific actions for a given email, an administrator can run the Trace tool under System Administration.
By defining a search using details of a given email in question, it is possible to test a specific email to determine how and why the ESA handled the message. This search capability is especially useful if some of the more advanced features of the ESA, like DLP, are used.
Summary
TheCiscoESAhasbeenconfiguredforbasicnetworkaccessandanantis-pamandantiviruspolicyhasbeenbuiltandapplied.DNShasbeenmodifiedtosupporttheESA,theappliancesoftwarewasupdated,andthefeaturekeysfortheappliancewereinstalled.Someslightpolicychangeshavebeenmade,butadetailedpolicydiscussion,troubleshooting,andongoingmonitoringaretopicsthatcanbepursuedwithaTrustedCiscoPartneroraccountteam.PolicymigrationandadvancedpolicycreationfortheCiscoESAdeviceshouldbedirectedtothelocalCiscoSEorpartner.
Additional Information
Userdocumentationcanbefoundhere(loginavailablebyworkingwiththeCiscoChannelPartner):http://www.ironport.com/support/login.html
Web Security
Agency Overview
As access to Internet websites has moved from a nice-to-have option to a requirement in the day-to-day activity of many users, the capability for an agency to protect employee productivity and manage risk by imposing agency security policy on how users may use the web has become a requirement as well.
Another risk associated with Internet access for the agency is the pervasive threat that exists from accessing sites and content. As the monetary gain from malicious activities on the Internet has grown, the methods used to carry out these malicious or illegal activities have grown and become more sophisticated. Botnets are one of the greatest threats on the Internet today: malicious Internet servers (mostly web) are used to host content that attacks innocent users' browsers as they view it. These attacks have been used very successfully by "bot herders" to gather in millions of infected members that are subject to the whims of the people who now control their machines. Other threats include the still popular and very broad threats of viruses and trojans, where a user receives a file in some manner and is tricked into running it, and the file then executes malicious code. The third variant uses directed attacks over the network. Examples of these attacks are the Internet worms that gathered so much attention in the early to mid 2000s. These types of risks are depicted below (Figure 105).
Figure 105. Reasons for Deploying the Web Security Appliance
Web access is a requirement for the day-to-day functions of most agencies, but a challenge exists to maintain appropriate web access for everyone in the agency while minimizing unacceptable or risky use. A solution is needed to control policy-based web access to ensure employees work effectively, and to ensure that personal web activity will not waste bandwidth, affect productivity, or expose the agency to undue risk.
Technical Overview
The Cisco IronPort S-Series Web Security Appliance (WSA) offers a combination of web usage controls with category- and reputation-based control, malware filtering, and data protection that addresses this need (Figure 106).
Figure 106. Web Security Deployment in the Borderless Network
Browsing websites can be risky, and many websites inadvertently end up distributing compromised or malicious content as a result of inattention to update requirements or lax security configurations. The websites that serve the compromised and malicious content are constantly changing as human-operated and worm-infested computers scan the Internet in search of additional web servers that they can infect in order to continue propagating. This dynamic environment introduces significant challenges to maintaining up-to-date Internet threat profiles.
The Cisco IronPort Web Security Appliance (WSA) family is a web proxy that works with other Cisco network components like firewalls, routers, or switches to monitor and control web content requests from within the agency and scrub the return traffic for malicious content (Figure 107).
Figure 107. Logical Traffic Flow Using WSA
The Cisco WSA is connected by one interface to the inside network of the Cisco Adaptive Security Appliance. In the Internet Edge design, the Cisco WSA connects to the same LAN switch as the ASA, on the same VLAN as the inside interface of the ASA. The Cisco ASA redirects HTTP and HTTPS connections to the WSA using the Web Cache Communication Protocol (WCCP).
The Cisco WSA uses several mechanisms to apply web security and content control. The Cisco WSA begins with basic URL filtering using category-based Cisco IronPort Web Usage Controls, which are based on an active database that includes analysis of sites in 190 countries in over 50 languages. Content is then filtered by the reputation database. Cisco Security Intelligence Operations updates the reputation database every five minutes. These updates contain threat information gleaned from multiple Internet-based resources, as well as content reputation information obtained from customers with Cisco security appliances that choose to participate in the Cisco SenderBase® network. If no details of the website or its content are known, the Cisco WSA applies Dynamic Content Analysis to determine the nature of the content in real time, and the findings are fed back to the SenderBase repository if the customer has elected to participate.
Configuration Details
Planning
The first step in planning the deployment of the Cisco Web Security Appliance (WSA) is to determine how web traffic will be redirected to the WSA. There are two possible methods to accomplish the redirection of traffic to the WSA: transparent proxy mode and explicit proxy mode.
In a transparent proxy deployment, all TCP traffic with a destination port of 80 or 443 is redirected to the WSA by a WCCPv2-capable network device without any configuration on the client. The transparent proxy deployment is used in this design, and the Cisco ASA firewall is used to redirect traffic to the WSA because all the outbound web traffic passes through that device and it is generally managed by the same technicians who will manage the WSA.
An explicit proxy deployment is one in which a client application, such as a web browser, is configured to use an HTTP proxy, in this case the WSA. From an application support standpoint, this method introduces the fewest complications, as proxy-aware applications know about and work with the WSA directly to obtain the requested content. However, from a deployment standpoint, the explicit proxy method presents challenges as to how the administrator will configure every client in the agency with the WSA proxy settings, and how devices not under the agency's control will be configured. Web Proxy Auto-Discovery (WPAD) and Proxy Auto-Configuration (PAC) scripts, along with tools such as Microsoft Group and System Policy controls within Microsoft Active Directory (AD), make deploying this method simpler, but a discussion of those tools is beyond the scope of this document.
It is possible to use both options, explicit proxy and transparent proxy, at the same time on the same WSA. Explicit proxy is also a good way to test the configuration of the WSA as it is deployed, because explicit mode does not depend on anything else in the network to function.
The next step in planning a WSA deployment is to determine what type of physical topology will be used. The WSA has multiple interfaces and can be configured in different ways. In the Internet Edge designs, the WSA is deployed using a single interface for both proxy and management traffic.
WSA Configuration
Process
1. Configure Management Access
2. System Setup Wizard
3. System Update(s) and Feature Keys
4. Web Usage Controls
5. Logging
6. Custom URL Categories
7. Access Policies
8. Web Reputation and Anti-Malware
9. WCCP Configuration
10. HTTPS
11. Authentication
12. Monitoring
13. Troubleshooting
Procedure 1 Configure Management Access
The first step in deploying the WSA is to complete the System Setup Wizard. This is accomplished by accessing the WSA Graphical User Interface (GUI) through a web browser.
There are two ways to reach the WSA to complete the System Setup Wizard:
1. Connect directly to the WSA with a PC and configure it via the WSA default private IP address
2. Reconfigure the WSA IP address via the console port prior to completing the System Setup Wizard
Option 1: Configure a PC to connect to the WSA private IP Address
If it is possible to directly connect a PC to the WSA, the WSA can be reached via its default private IP address. Connect the PC Ethernet port to the WSA M1 NIC and configure the PC with an IP address in the 192.168.42.x network range (a crossover cable is not necessary for this).
The WSA IP address can also be changed using a serial out-of-band connection if the WSA has to be connected to the agency's network before it can be reached.
Option 2: Reconfigure the WSA IP Address
This step is only required if the deployment model does not use a PC connected directly to the WSA to perform the System Setup Wizard and the default IP information has to be changed to reach the WSA. To change the WSA network settings via the serial console port, connect using a standard null modem cable with the terminal emulator set to 9600 baud, 8 data bits, no parity, 1 stop bit.
Important Consideration: The commands that follow require a hostname to be entered. The configured hostname for the WSA needs to be fully resolvable forward and reverse, as well as in short form, within the DNS system.
ironport.example.com> interfaceconfig

Currently configured interfaces:
1. Management (192.168.42.42/24 on Management: ironport.example.com)

Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- DELETE - Remove an interface.
[]> edit

Enter the number of the interface you wish to edit.
[]> 1

IP Address (Ex: 192.168.1.2):
[192.168.42.42]> 10.4.240.15

Netmask (Ex: "255.255.255.0" or "0xffffff00"):
[255.255.255.0]> 255.255.255.224

Hostname:
[ironport.example.com]> s370.cisco.local

Do you want to enable FTP on this interface? [Y]>
Which port do you want to use for FTP? [21]>

Do you want to enable SSH on this interface? [Y]>
Which port do you want to use for SSH? [22]>
Do you want to enable HTTP on this interface? [Y]>
Which port do you want to use for HTTP? [8080]>

Do you want to enable HTTPS on this interface? [Y]>
Which port do you want to use for HTTPS? [8443]>

You have not entered an HTTPS certificate. To assure privacy, run "certconfig" first. You may use the demo, but this will not be secure.
Do you really wish to use a demo certificate? [Y]>

Both HTTP and HTTPS are enabled for this interface, should HTTP requests redirect to the secure service? [Y]>

Currently configured interfaces:
1. Management (10.4.240.15/27 on Management: s370.cisco.local)

Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- DELETE - Remove an interface.
[]>

ironport.example.com> setgateway

Warning: setting an incorrect default gateway may cause the current connection to be interrupted when the changes are committed.
1. Management Default Gateway
2. Data Default Gateway
[]> 1

Enter new default gateway:
[]> 10.4.240.1

ironport.example.com> commit
Note that accepting the defaults above enables FTP on the management interface and keeps the demo HTTPS certificate. Answer N to FTP unless logs will be retrieved from the appliance over FTP, and run certconfig to install a certificate for the management GUI before the interface is reachable from the agency network; the appliance's own prompt warns that the demo certificate is not secure.
After configuring the WSA, it should be able to ping devices on the network, assuming appropriate network access has been created (on the firewall, if needed). The following output is a capture of the WSA pinging its default gateway:
s370.cisco.local> ping 10.4.240.1
Press Ctrl-C to stop.
PING 10.4.240.1 (10.4.240.1): 56 data bytes
64 bytes from 10.4.240.1: icmp_seq=0 ttl=255 time=0.497 ms
64 bytes from 10.4.240.1: icmp_seq=1 ttl=255 time=9.387 ms
64 bytes from 10.4.240.1: icmp_seq=2 ttl=255 time=0.491 ms
^C
Procedure 2 Complete the System Setup Wizard
Procedure Steps:
1. Accept License
2. Web Security Appliance Functions
3. Network Context
4. Proxy Mode
5. Deployment Summary
6. System Settings
7. Network Interfaces and Wiring
8. Routes for Management and Data Traffic
9. Transparent Connection Settings
10. Administrative Settings
11. Security
12. Review
Access the WSA GUI by opening a browser and browsing to the WSA's IP address via HTTPS on port 8443:
https://[IP Address]:8443
After logging in, the wizard is accessed from System Administration > System Setup Wizard (Figure 108).
It is best to perform only the minimal configuration possible through the System Setup Wizard, leaving the more advanced configuration to the respective sections of the UI. In other words, configure only the basic network settings, DNS information, time settings, and username/password information, as described below.
Understand that the System Setup Wizard's specific screens and options vary by code version. Depending on the starting code version of the appliance being configured, the screens displayed may differ from those shown below.
Figure 108. System Setup Wizard
Step 1: On the Start tab, read the license and accept the terms, then click Begin Setup (not pictured).
Step 2: On the Deployment > Web Security Appliance Functions tab, accept the defaults and click Next (not pictured).
Step 3: Deployment > Network Context tab.
Since the WSA is the last proxy in nearly any network deployment, this screen can be skipped. Click Next (not pictured).
Step 4: Deployment > Proxy Mode
The WSA will be deployed in Transparent Mode, so the defaults are correct here. Click Next (not pictured).
Step 5: Deployment Summary
Click Next to accept (not pictured).
Step 6: On the Network > System Settings tab, configure the system settings.
This panel sets up the default hostname, DNS, and time. NTP is used because effective security practice requires a common time reference throughout a network (Figure 109). Click Next.
Figure 109. Network System Settings
Tech Tip
The Cisco Web Security Appliance has a default username/password of admin/ironport. Change it in the Administrative Settings step of the wizard (Step 10) before the appliance is connected to the agency network.
Step 7: Network Interfaces and Wiring
This screen sets up which interface will be used and what IP addresses are used on each interface. In this deployment, for simplicity, M1 is used for both management and proxy services and is the only interface used. If they are not already configured, configure the IP address, network mask, and hostname for the WSA. Do not check the box for Use M1 port for Management only. Do not use interface P1. Click Next (Figure 110).
Figure 110. Network Interfaces and Wiring
Step 8: The Routes for Management and Data Traffic screen displays the current gateway information and allows entry of any static routes that might be needed.
Enter the appliance's default gateway information now, if not completed previously. No extra routes are needed. Click Next (not pictured).
Step 9: The Transparent Connection Settings screen is where the WCCP configuration is defined. WCCP is the protocol used to redirect traffic from the ASA to the WSA.
Skip this for now by clicking Next (not pictured).
Step 10: Administrative Settings
This screen is where the admin password is set and where system alerts will be emailed (Figure 111).
Figure 111. Administrative Settings Screen
Step 11: On the Security tab, define the security policy for the appliance and what actions will be taken for the different security features. The default configuration is fine, as it leaves the appliance in Monitor mode for malware and spyware scanning.
This tab is also where SenderBase Network Participation is defined. This is how the administrator controls whether data is fed back into Cisco SenderBase and, if so, what type of data (Figure 112).
Figure 112. Security Settings
Step 12: Review the configuration to ensure it is correct before applying it. Then click Install this Configuration (not pictured).
After installation, a browser reconnect will be needed if the IP address was changed from the default. Remember that if the PC address was changed to connect to the WSA, it will be necessary to change it back to an appropriate setting for the network in order to reconnect to the WSA using the newly assigned IP address.
Tech Tip
It is not possible to downgrade software versions, so be certain that an upgrade is desired before proceeding. An appliance may be offered different upgrade options if it is on an early release list.
Procedure 3 System Updates and Feature Keys
Procedure Steps:
1. Upgrade the appliance software
2. Install the license keys
It is important to look at two other areas on the WSA before going any further: feature keys and system upgrades. Both of these require the WSA to have HTTP/HTTPS Internet access.
Step 1: Upgrade the appliance software.
Select System Administration > System Upgrade to upgrade the code on the appliance. The display will show the current software version. Click Available Updates to see what newer updates are available.
If newer versions are available, they should be selected and installed. In general, all upgrades should be installed. Each upgrade will usually require a reboot of the appliance. The entire process can take some time.
It is also possible to upgrade from the console. Run the upgrade command until no new upgrades are available:
websec1.cisco.local> upgrade
No available upgrades.
This indicates that the appliance is fully upgraded.
Step 2: Install the license keys.
System Administration > Feature Keys
This section is where the license keys for the different features on the box are displayed. To check whether the appliance has any licenses that are not currently enabled, click Check for New Keys. This action instructs the WSA to connect to the license service and query whether it has all the features it is allowed to run. It is very likely that after upgrading code, especially if many upgrades were applied, there will be missing feature keys. The figure below shows what an appliance's feature key display might look like after being upgraded to the latest generally available version of code and then checking for updated feature keys (Figure 113).
Figure 113. Feature Keys
Note that some keys might have less than 30 days remaining, which likely indicates an evaluation appliance. A user-purchased box will have approximately one or more years of remaining time.
Also note that the keys include one labeled Cisco IronPort Web Usage Controls. This key is for a feature that was added to the appliance in some of the most recent software releases. If the WSA came with an older version of code from before this feature was added, it will not have a key for it initially.
If the appliance is missing keys or the duration of the keys is not correct, contact a trusted partner or Cisco reseller to resolve the issue. Have the appliance serial number available. The serial number can be found at the top of the Feature Keys page.
Procedure 4 Web Usage Controls
Enable security services on the WSA by turning on the web usage controls.
Step 1: Go to Security Services > Acceptable Use Controls.
Step 2: Click Edit Global Settings.
Step 3: Change the IronPort URL Filters to Cisco IronPort Web Usage Controls, and click Enable Dynamic Content Analysis Engine (Figure 114).
Figure 114. Acceptable Use Controls
Step 4: Submit (read and accept the license agreement if presented) and then Commit changes.
The Acceptable Use Controls main page lists the Acceptable Use Controls Engine Updates. Click Update Now and wait until the page reports success. Ensure that at least some of the controls have an update that is current or very nearly so. Because of the randomness of update schedules, it is impossible to know when updates will come out for each component. The Web Categories Prefix Filters and the Web Categories List get updated fairly often and are good bets for recent update histories (Figure 115).
Figure 115. Engine Updates
The WSA can now be tested for functionality. This is done by setting up a client on the inside of the network with the WSA as the explicit proxy in the web browser of choice. Use the IP address of the WSA as the proxy and set the port to 3128.
Test two different addresses. One address should be resolvable externally, for instance www.cisco.com, which should return without issue. This proves the client has Internet access, but does not prove the connection is going through the WSA. The other address should be something not resolvable externally. This request should return an error from the WSA, not from the browser, proving that the WSA is serving the content.
Firefox returns an error like that shown in Figure 116:
Figure 116. Browser Error
The WSA returns an error like that shown in Figure 117:
Figure 117. WSA Error
Procedure 5 Enable Logging
Procedure Steps:
1. Add Log Subscription
2. Submit and Commit
To monitor web usage, the appliance stores client access data for a relatively short duration and rotates logs for space reasons. Users looking for long-term compliance reporting should look into the Cisco software solution called Sawmill for IronPort. This software is either an add-on for larger installations or comes bundled in the package for smaller purchases. This guide does not cover the installation or use of the Sawmill product.
For the Sawmill reporting product to work, the WSA needs to send its logs to an FTP server where the Sawmill product can access them. For this deployment, it is assumed an FTP server is already deployed and configured. The following configuration moves the access logs off the WSA to the FTP server (Figure 118). Because FTP carries both the credentials and the log data in cleartext, and the access logs record which client requested which URL, keep the FTP server on the management network and restrict who can read the log directory.
Step 1: Select System Administration > Log Subscriptions and click Add Log Subscription.
Add the new logging information (Figure 118).
Figure 118. Log Subscriptions
Step 2: Click Submit and then Commit changes.
Figure 119 shows the results after inputting the changes:
Figure 119. Configured Subscriptions
Procedure 6 Custom URL Categories
Procedure Steps:
1. Add Custom Categories
2. Create Block List
3. Monitor, Warn and Allow Lists
4. Submit and Commit
The next configuration step for the WSA is to set up the standard custom URL categories that most administrators find they need in order to implement their desired URL filtering.
Step 1: Select Web Security Manager > Custom URL Categories and click Add Custom Category.
Step 2: Add four placeholders for the four different action exceptions where URLs can be placed. Create four different custom URL categories. The title of the first one is "BlockList" (Figure 120).
Figure 120. Adding Custom Category
A placeholder URL (block.com) has to be entered because it is not possible to create a category and have it be empty. In the future, when a URL is found that needs to be blocked, add it to the list and then delete the placeholder. A name that cannot resolve on the Internet, such as one under the reserved .invalid top-level domain, is a safer placeholder than a registered domain. Submit.
Step 3: Now create three more lists using these three titles: "MonitorList", "WarnList", and "AllowList", following the template above.
This will create an ordered list of custom categories (Figure 121).
Figure 121. Custom Categories
Step 4: Commit the changes.
Procedure 7 Access Policies
Procedure Steps:
1. Access Policies
2. Include each Custom URL Category
3. Change the Actions for each Category
4. Web Acceptable Use Configuration
5. Submit and Commit
Now that the custom categories have been created, they need to be enabled for use and given an action each.
Step 1: Select Web Security Manager > Access Policies and click the link beneath the URL Categories header (Figure 122).
Figure 122. Custom Category Actions
Step 2: Click Include for each custom URL category (Figure 123).
Figure 123. Select Custom Categories
Step 3: On the Access Policies page, change the action of each custom category to match the category name. For example, change BlockList to the Block action, MonitorList to the Monitor action, and so on (Figure 124). Click Submit.
Figure 124. Changing Custom Category Actions
Step 4: On this page, the agency's web acceptable use policy can also be implemented.
This policy can include the category of the URL (adult, sports, streaming media) as well as the action desired (monitor, warn, or block) and whether a time-based factor is involved as well.
For testing purposes, change one of the predefined categories below to Block to test the deployment.
Change Gambling from Monitor to Block and change Sports from Monitor to Warn (Figure 125).
Figure 125. URL Category Actions
Step 5: Submit and commit all changes.
To test these changes using a browser explicitly pointed at the WSA, try browsing to a well-known gambling site.
The WSA should return the message shown in Figure 126:
Figure 126. Blocked Website
Procedure 8 Web Reputation and Anti-Malware
Procedure Steps:
1. Access Policies
2. Web Reputation Configuration
Step 1: To make changes to the Web Reputation and Malware settings, navigate to Web Security Manager > Access Policies.
Step 2: Click the link underneath the Web Reputation and Anti-Malware Filtering header (Figure 127).
Figure 127. Web Reputation
Reputation scores range from -10 (worst) to +10 (completely trustworthy). By default, websites with a reputation of -6 or worse are automatically blocked, which prevents possibly infected content from being brought back into the network from such sites. Sites with reputations between -5.9 and +5.9 trigger the WSA to scan the client request and the server response using the Cisco IronPort DVS engine. This scan looks for many possible types of attacks, such as phishing, malware, viruses, and worms. By default, the security policy is not set up to block these if detected. The page shown in Figure 128 is where those changes would be made if the agency's security policy requires it. URLs with a reputation score of 6.0 or higher are passed without scanning by default.
Figure 128. Web Reputation and Anti-Malware Settings
Procedure 9 Configuring WCCP on the WSA
Procedure Steps:
1. Transparent Redirection: Edit Device
2. Select WCCP v2 Router
3. Submit
4. Add Service
5. Commit Changes
Now that the WSA is working and applying an access policy to HTTP traffic, the Web Cache Communication Protocol (WCCP) can be implemented on the WSA and the ASA firewall. Implementing WCCP allows the WSA to receive traffic directly from the ASA instead of having browsers configured to use the WSA as an explicit proxy.
To configure WCCP on the WSA, click Network > Transparent Redirection.
Step 1: Select Edit Device to add a new redirect device.
Step 2: From the Type pull-down menu, select WCCP v2 Router.
Step 3: Click Submit.
Step 4: Click Add Service under WCCPv2 Services.
This is where the service that the Internet Edge ASA will use to redirect traffic to the WSA is defined. The WSA advertises the service definition to the ASA, and the ASA references it by the service ID configured here.
The Service Profile Name names this service: HTTP_and_HTTPS_WCCP
The Dynamic service ID is the number that identifies this service and is the ID the ASA uses to request it: 90
In this service, the redirected ports are HTTP and HTTPS: 80, 443
The Router IP address is the inside address of the ASA: 10.4.240.30 (Figure 129)
Figure 129. HTTP and HTTPS WCCP
Tech Tip
The HTTPS proxy has not yet been set up on the WSA, so if WCCP redirection were initiated for HTTPS immediately, those connections would fail until it is configured. If the WSA/ASA deployment is live and operational and cannot have downtime, create an additional service for port 80 only as a temporary measure (Figure 130). After configuring the HTTPS proxy on the WSA, change the service used on the ASA to the HTTP and HTTPS service instead.
Service Profile Name: Standard_HTTP_Only_WCCP
Standard service ID: 0 (web_cache)
Ports: 80
Router IP Address: 10.4.240.30
Figure 130. Standard HTTP Only WCCP
The WCCP services panel should look like the figure below after completion (Figure 131).
Figure 131. WCCPv2 Services
Step 5: Commit all changes.
Procedure 10 Configuring WCCP on the Firewall
Procedure Steps:
1. ASDM WCCP Configuration
2. Service Groups
3. Redirect Lists
4. Add ACL
5. Add ACE
6. Add ACE
7. Apply the Redirect ACL
8. Add WCCP Redirection
9. Test a Resolvable Address
10. Test a Blocked Address
11. Check ASA to Show WCCP is Working
Step 1: To configure the ASA firewall on the Internet Edge to redirect HTTP and HTTPS traffic to the WSA, bring up ASDM on the firewall and go to Configuration > Device Management > Advanced > WCCP.
Step 2: Under Service Groups, build a new service group using the dynamic service number 90 (or use web_cache for port 80 redirection only) that was defined on the WSA (Figure 132).
Figure 132. Configure WCCP Redirect on the ASA Firewall
The WCCP service as configured redirects all HTTP and HTTPS traffic to the WSA. This includes any traffic from the inside network to the DMZ web servers and any device management traffic that uses HTTP or HTTPS. There is little reason to send any of this traffic to the WSA. To avoid having it redirected, create an ACL on the firewall that excludes HTTP and HTTPS traffic destined to RFC 1918 addresses from redirection. In a WCCP redirect list, a deny entry means "do not redirect": the matching traffic is still forwarded by the firewall under its normal access rules, not dropped.
Step 3: In the same Add Service Group window as above, click the Manage button to the right of the Redirect List field (Figure 133).
Figure 133. WCCP Redirect List Management
Step 4: In the ACL Manager window, select the Add button, and select the Add ACL option. Input a name for the ACL: WCCP_Redirect
Step 5: Select the Add ACE button and add a line to Deny any source to all RFC 1918 addresses as the destination, with a Service of IP.
Step 6: Select the Add ACE button and add a line to Permit any source to any destination, with a Service of IP. Click the OK button.
Figure 134. Creating a WCCP Redirect ACL
Step 7: In the Add Service Group window, in the pull-down for the Redirect List, select the ACL created above (WCCP_Redirect). Click the OK button and Apply (Figure 135).
Figure 135. Redirect List Selection
Step 8: Under Configuration > Device Management > Advanced > WCCP > Redirection in ASDM, create a policy to add the redirect for the inside interface using service group 90 (Figure 136).
Figure 136. Enabling the WCCP Policy on the ASA Inside Interface
To test the configuration, use a browser that is not already configured to use the appliance as an explicit proxy (or remove the explicit proxy settings).
Step 9: Test a resolvable allowed address like www.cisco.com.
Step 10: Test a resolvable blocked address (from one of the previously configured blocked categories).
Step 11: To check that WCCP redirection is working, in ASDM, navigate to Monitoring > Properties > WCCP > Service Groups.
The status window should show a router ID that is one of the IP addresses of the ASA (in this case 192.168.16.1) and a number of cache engines of 1, which is the Cisco WSA appliance. If things are working correctly and redirections are occurring, the Total Packets Redirected counter will be increasing (Figure 137).
Figure 137. Checking that ASA Redirection is Working on the ASA
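The redirect decision the ASA makes in Procedure 10 is easy to get wrong in two directions: a deny in the redirect list is read as a drop, or traffic on a port outside the service group is assumed to reach the proxy. The following is an added example for this guide, not Cisco code, that models that decision for a flow entering the inside interface: the WCCP_Redirect ACL (deny any to RFC 1918, permit any to any) and the service group port lists from Procedure 9 (80 and 443 for dynamic service 90, 80 only for the standard web-cache service 0). It assumes the service group ports are TCP destination ports and that the redirect list is first-match with an implicit deny, as with any ASA ACL; the flow addresses are constructed.

```python
"""Model of the ASA WCCP redirect decision from Procedures 9 and 10 (added
example for this guide, not Cisco code).  Assumptions: service group ports are
TCP destination ports; the redirect list is evaluated first-match with an
implicit deny.  Flow addresses in the sample are constructed."""
import ipaddress

# Service groups as defined on the WSA in Procedure 9: id -> redirected ports.
SERVICE_GROUPS = {90: {80, 443}, 0: {80}}

# WCCP_Redirect ACL from Procedure 10, steps 4-6, in order: (action, src, dst).
# "deny" here means "do not redirect"; the firewall still forwards the packet
# under its normal access rules.  It does not drop it.
WCCP_REDIRECT_ACL = [
    ("deny",   "0.0.0.0/0", "10.0.0.0/8"),
    ("deny",   "0.0.0.0/0", "172.16.0.0/12"),
    ("deny",   "0.0.0.0/0", "192.168.0.0/16"),
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),
]


def acl_permits(src, dst, acl=WCCP_REDIRECT_ACL):
    """First matching ACE decides; no match is an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def wccp_decision(src, dst, dport, proto="tcp", service_id=90):
    """Return (redirected, reason) for one flow seen on the ASA inside interface."""
    if service_id not in SERVICE_GROUPS:
        raise ValueError(f"unknown WCCP service {service_id}")
    if proto != "tcp":
        return False, "service group is defined for TCP only"
    if dport not in SERVICE_GROUPS[service_id]:
        # A web server on any other port is never seen by the WSA; only the
        # firewall's outbound access rules stand between the client and it.
        return False, f"tcp/{dport} is not in service group {service_id}"
    if not acl_permits(src, dst):
        return False, "denied by WCCP_Redirect: forwarded directly, not proxied"
    return True, f"redirected to the WSA (service group {service_id})"


def audit(flows, **kw):
    """Classify a list of (src, dst, dport) flows; returns a dict of verdicts."""
    return {(s, d, p): wccp_decision(s, d, p, **kw) for s, d, p in flows}


if __name__ == "__main__":
    sample = [("10.4.1.50", "198.51.100.10", 80),    # Internet web: proxied
              ("10.4.1.50", "198.51.100.10", 443),   # Internet HTTPS: proxied
              ("10.4.1.50", "10.4.240.30", 443),     # ASDM to the firewall: not proxied
              ("10.4.1.50", "192.168.16.10", 80),    # DMZ web server: not proxied
              ("10.4.1.50", "198.51.100.10", 8080)]  # alternate port: bypasses the WSA
    for flow, verdict in audit(sample).items():
        print(flow, verdict)
```

The last sample flow is the one to remember when writing the outbound access rules on the ASA: WCCP only redirects what the service group names, so anything the policy should not allow to bypass the proxy has to be blocked by the firewall itself.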
High Availability and Resilience
For availability purposes, if the WSA fails, the ASA stops receiving the WSA's WCCP keepalives, removes it from the service group, and by default stops redirecting traffic; web access then fails open, with clients reaching the Internet directly and unfiltered, rather than failing closed. If web security resilience is a requirement, two or more WSAs can be deployed. To deploy multiple devices, configure each WSA with the same service group and the ASA as its WCCP router; the ASA then distributes redirected traffic across the registered WSAs. If one is down, the ASA takes that device out of the service group until it comes back online and starts sending WCCP messages again.
HTTPS Proxy Configuration
Procedure 11 HTTPS Proxy Setup
Procedure Steps:
1. HTTPS Proxy Settings
2. Submit and Commit
3. Custom URL Categories
4. Create 3 Custom Categories
5. Decryption Policies
6. URL Categories
7. Change Custom URL Category Actions
To set up the WSA to proxy HTTPS connections, start by enabling the feature.
Step 1: Select Security Services > HTTPS Proxy and then click Enable and Edit Settings.
On this page, define the ports on which to proxy HTTPS; the default is TCP 443 only.
A certificate for the WSA to use on the client side of the proxy connection needs to be generated. A certificate generated on the appliance typically means that the client browser will complain about the certificate for each connection to an HTTPS website. To avoid this, upload a certificate that is trusted in the agency, together with its matching private key file, to the appliance. If the clients already have this certificate loaded on their machines, the HTTPS proxy will not generate errors related to an unknown certificate authority. Because the WSA uses this key to sign the certificates it presents for every decrypted site, it is a signing key for the whole agency: issue it as a dedicated subordinate CA rather than reusing an existing one, and protect the appliance accordingly.
Besides adding an agency root certificate to the WSA, another option is to have users in the agency import the root certificate supplied by the WSA into their browsers as a trusted source.
For more information about using certificates as part of the WSA HTTPS proxy mechanism, see the WSA User Guide, or consult a trusted partner or Cisco sales representative.
Also on the WSA HTTPS Proxy Settings page, it is possible to define the action the WSA should take when it encounters an invalid certificate on an HTTPS server. The choices, depending on the certificate error, range from dropping the connection to decrypting it or monitoring it (Figure 138). Drop is the conservative choice, since Monitor passes the connection through unexamined.
Figure 138. Edit HTTPS Proxy Settings
Step 2: After defining the policy, click Submit and then Commit (Figure 139).
Figure 139. HTTPS Proxy Settings
The second step of the HTTPS proxy configuration is to configure policies for the HTTPS proxy.
Step 3: Select Web Security Manager > Custom URL Categories.
Step 4: As before, add three new custom categories (make sure to include a dummy URL for each): DropList, DecryptList, PassThroughList (Figure 140). Commit the changes.
Figure 140. HTTPS Custom Categories
Step 5: Select Web Security Manager > Decryption Policies.
Step 6: Select the link below the URL Categories header to get to the Decryption Policies: URL Categories: Global Policy screen.
This will list all the custom categories that have been created. Do not include the ones previously created for HTTP. Only include the three new ones. Change the action of each category to correspond with its name: for example, Drop should be the action for the DropList category (Figure 141).
Figure 141. Decryption Policies - URL Categories
The Predefined URL Categories at the bottom of the page allow an administrator to create and enforce a policy for how the WSA handles specific types of websites with respect to decryption. Some agencies have strict policies about not decrypting healthcare or financial websites, and potentially other categories as well. The categories on this page allow an administrator to enforce that policy on the WSA. For example, it is possible to configure the WSA so that Finance HTTPS websites are set to Pass Through, so they will not be proxied, while Gambling sites are set to Drop.
Step 7: Change Gambling to Drop, and change Finance to Pass Through (Figure 142).
Figure 142. Predefined URL Category Filtering
To test the new configuration, set up categories for web pages that are known to be encrypted (HTTPS) and then use those URLs in the testing process. Because the administrator has to know whether the site uses HTTPS or not, it is easier to use custom categories for a specific web page that is known to use HTTPS and put the address into the DropList. When that site is accessed, the WSA should drop the connection.
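Procedures 6 through 8 and Procedure 11 each build an ordered list of custom categories, a set of predefined-category actions and, for HTTP, reputation thresholds, but the guide never shows how the pieces combine for a single request. The following is an added example for this guide, not Cisco code, that models both the HTTP access policy and the HTTPS decryption policy as a simplified evaluator, and the transparent HTTPS flow in which the decryption policy runs first and only decrypted traffic reaches the access policy. It assumes that custom categories are checked first in list order, then the predefined category, then (HTTP only) the reputation score; that in an access policy Allow ends evaluation without scanning, Block and Warn are final, and Monitor falls through to the next check; and that an HTTPS site on no list is decrypted. The hostnames and category database are constructed stand-ins for the Web Usage Controls database; the reputation thresholds are the defaults quoted in Procedure 8.

```python
"""Simplified model of the WSA access policy (Procedures 6 to 8) and decryption
policy (Procedure 11).  Added example for this guide, not Cisco code.  Custom
categories are checked first in list order, then the predefined category, then
(HTTP only) the reputation score; Allow ends evaluation, Monitor falls through;
HTTPS meets the decryption policy first.  Hostnames, the category database and
the default action for unlisted HTTPS sites are constructed assumptions."""
from urllib.parse import urlsplit

BLOCK, WARN, ALLOW, SCAN, MONITOR = "block", "warn", "allow", "scan", "monitor"
DROP, DECRYPT, PASS_THROUGH = "drop", "decrypt", "pass-through"

# Custom URL categories in the order created in Procedure 6; block.com is the
# guide's placeholder entry, the other hosts are constructed stand-ins.
ACCESS_CUSTOM = [
    ("BlockList",   {"block.com", "dropper.example.invalid"}, BLOCK),
    ("MonitorList", {"mirror.example.invalid"},               MONITOR),
    ("WarnList",    {"forum.example.invalid"},                WARN),
    ("AllowList",   {"updates.example.invalid"},              ALLOW),
]
ACCESS_PREDEFINED = {"Gambling": BLOCK, "Sports": WARN}           # Procedure 7, step 4
DECRYPT_CUSTOM = [                                                # Procedure 11, steps 4-6
    ("DropList",        {"poker.example.invalid"},   DROP),
    ("DecryptList",     {"webmail.example.invalid"}, DECRYPT),
    ("PassThroughList", {"bank.example.invalid"},    PASS_THROUGH),
]
DECRYPT_PREDEFINED = {"Gambling": DROP, "Finance": PASS_THROUGH}  # Procedure 11, step 7
CATEGORY_DB = {                                                   # constructed stand-in
    "casino.example.invalid": "Gambling", "scores.example.invalid": "Sports",
    "bank.example.invalid": "Finance",    "broker.example.invalid": "Finance",
    "news.example.invalid": "News",
}

def host_of(url):
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.lower()

def match_custom(host, lists):
    """First custom category containing the host wins; the lists are ordered."""
    for name, hosts, action in lists:
        if host in hosts:
            return name, action
    return None

def reputation_action(score):
    """Default Web Reputation thresholds from Procedure 8 (SCAN = DVS engine)."""
    if not -10.0 <= score <= 10.0:
        raise ValueError("reputation score must be between -10 and +10")
    if score <= -6.0:
        return BLOCK
    return SCAN if score < 6.0 else ALLOW

def access_policy(url, reputation):
    """Decide an HTTP request; returns (action, reason)."""
    host = host_of(url)
    hit = match_custom(host, ACCESS_CUSTOM)
    if hit and hit[1] != MONITOR:
        # Allow skips reputation and malware scanning entirely, so AllowList
        # entries deserve more scrutiny than BlockList entries.
        return hit[1], f"custom category {hit[0]}"
    category = CATEGORY_DB.get(host)
    action = ACCESS_PREDEFINED.get(category, MONITOR)
    if action != MONITOR:
        return action, f"predefined category {category}"
    return reputation_action(reputation), f"web reputation {reputation:+.1f}"

def decryption_policy(url, default=DECRYPT):
    """Decide an HTTPS connection; returns (action, reason).  The guide does not
    say what happens to sites on no list; DECRYPT is assumed so that the access
    policy still sees them."""
    host = host_of(url)
    hit = match_custom(host, DECRYPT_CUSTOM)
    if hit:
        return hit[1], f"custom category {hit[0]}"
    category = CATEGORY_DB.get(host)
    if category in DECRYPT_PREDEFINED:
        return DECRYPT_PREDEFINED[category], f"predefined category {category}"
    return default, "default decryption action"

def https_request(url, reputation):
    """Transparent HTTPS flow: decryption policy, then the access policy for
    whatever was decrypted."""
    action, reason = decryption_policy(url)
    if action != DECRYPT:
        return action, reason
    final, why = access_policy(url, reputation)
    return final, f"decrypted ({reason}); then {why}"

if __name__ == "__main__":
    print(access_policy("http://updates.example.invalid/patch", -7.0))
    print(https_request("https://scores.example.invalid/", 8.0))
    print(https_request("https://bank.example.invalid/login", -9.0))
```

Two outcomes in the sample are worth checking against the agency's policy before copying the lists: an AllowList entry is served even with a reputation of -7, because Allow bypasses scanning, and a Pass Through HTTPS site is never seen by the access policy at all, whatever its reputation.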
Authentication Using WSA
Procedure 12 Authentication
Procedure Steps:
1. Add Realm
2. Specify Active Directory Information
3. Join Domain
4. Test Authentication Realm Settings
5. Identities
6. Create Identities
7. Subnets not to Authenticate
8. User Agents not to Authenticate
9. Global Identity Policy
10. Changing to Authenticate as the Default
11. Submit and Commit
Authentication is the act of confirming the identity of a user. When authentication is enabled, the WSA authenticates clients on the network before allowing them to connect to a destination server. When using authentication on the WSA, it is possible to set up different web access policies by user or group membership using a central user directory. Another primary driver for using authentication is user tracking, so that when a user violates an acceptable use policy, the WSA can match the user to the violation instead of relying on an IP address alone. The last reason for authentication of web sessions is compliance reporting.
The WSA supports two different authentication protocols: Lightweight Directory Access Protocol (LDAP) and NT LAN Manager (NTLM). Since most agencies will have an Active Directory server, they will be using NTLM. Single Sign-On (SSO) is also only available when using NTLM.
When the WSA is deployed in transparent mode with authentication enabled and a transaction requires authentication, the WSA replies to the client application asking for authentication credentials. However, not all client applications support authentication, so they have no way to prompt users for their usernames and passwords. These applications might have issues when the WSA is deployed in transparent mode, because the application tries to run non-HTTP traffic over port 80 and cannot handle an attempt by the WSA to authenticate the connection.
Here is a partial list of applications (subject to change as newer code versions are released) that do not support authentication:
• Mozilla Thunderbird
• Adobe Acrobat Updates
• Microsoft Windows Update
• Outlook/Exchange (when trying to retrieve Internet-based pictures for email messages)
NOTE: If applications need to access a particular URL, it is possible to create an identity based on a custom User Agent category that does not require authentication. When this matches, the client application is not asked for authentication.
For agencies that require authentication, consult a trusted Cisco IronPort Partner or Reseller or your Cisco account team. They will be able to assist in setting up an authentication solution that meets the agency's requirements, while minimizing any possible complications.
The first step in setting up Authentication is to build an Authentication Realm. A Realm defines how Authentication is supposed to occur.
In this deployment, a Realm was built for NTLM authentication to the AD server.
Step 1: Select Network > Authentication > Add Realm.
Step 2: In the Realm definition, specify the AD server and the AD domain (Figure 143).
Figure 143. Authentication > Add Realm
Step 3: Select the Join Domain button. When this is configured, AD Domain Administrator credentials (or an administrator to enter them) will be required to create domain accounts for computers (Figure 144).
Figure 144. AD Administrative Domain Logon
Step 4: Once login credentials have been entered, click Start Test on the same page to test the NTLM connection to the AD domain.
If successful (Figure 145), Submit and Commit changes.
Figure 145. AD Test
The next step in setting up Authentication is to configure identity groups. Identities are based on the identity of the client or the transaction itself.
Step 5: Select Web Security Manager > Identities.
Step 6: Click Add Identity.
Two different sample identities will be created: "Subnets not to Authen" and "User Agents not to Authen."
Step 7: If the need arises to build an identity around subnets, insert the client IP address, range, or subnet that you do not want to have to authenticate to access the Internet. Understand that performing this action defeats the purpose of running authentication for that IP address and that log information from the WSA will never have authentication data from employees using that IP address. Even so, taking this action might be required in certain cases and is given here as an example of how to change the operational policy of the WSA (Figure 146).
Figure 146. Example Identity: "Subnets not to Authen"
Step 8: The other Identity we will build is one for User Agents. Select the Advanced tab for User Agents and select the Microsoft Windows Update and Adobe Acrobat Updater agent types. Selecting these agents means that when connections over HTTP with those User Agents in the HTTP header are seen, no authentication will be requested. Custom User Agents can be defined for any application that uses HTTP and is failing authentication. If that is not possible, then a specific custom URL category can be built and then used in the Advanced tab for URL Categories (Figure 147).
Figure 147. Example Identity: "User Agents not to Authen"
Now that two Identities have been built for "User Agents not to Authenticate" and "Subnets not to Authenticate", there is one more step to complete the Authentication section.
Step 9: Select the link at the bottom of the Identities section labeled Global Identity Policy.
This is the identity group for anybody who does not meet one of the preceding two groups we just built. Since those groups were built for the purpose of not authenticating, change the global identity to authenticate everybody else.
Step 10: Change the group to Request Authentication for All Realms and to use the Basic or NTLMSSP scheme (Figure 148).
Figure 148. Global Policy Settings
Step 11: Submit and Commit changes.
It is now possible to test the deployment to ensure that the system is enforcing policy as expected, that all applications and processes work as before, and that the data the system logs meets all your needs or requirements.
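The identity evaluation built in Steps 7 through 10, as an added example that is not WSA code: the subnet exemption and the user-agent exemption are checked first, and the Global Identity Policy catches everyone else. The exempt subnet, the user-agent patterns standing in for the predefined agent types, and the sample requests are all constructed for illustration.

```python
"""Model of the WSA identity order from Procedure 12 (added example, not WSA code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed: a client subnet exempt from authentication ("Subnets not to Authen").
EXEMPT_SUBNETS = [ipaddress.ip_network("10.4.200.0/24")]

# Assumed patterns standing in for the WSA's predefined "Microsoft Windows Update"
# and "Adobe Acrobat Updater" user-agent types ("User Agents not to Authen").
EXEMPT_USER_AGENTS = [
    re.compile(r"Windows-Update-Agent", re.IGNORECASE),
    re.compile(r"Adobe Acrobat Updater", re.IGNORECASE),
]

# Global Identity Policy (Step 10): request authentication for all realms,
# offering the Basic or NTLMSSP scheme.
GLOBAL_SCHEMES = ("NTLMSSP", "Basic")


@dataclass(frozen=True)
class Decision:
    identity: str
    require_auth: bool
    schemes: tuple = ()


def match_identity(client_ip: str, user_agent: str) -> Decision:
    """Return the first identity that matches, in the order they appear in the WSA.

    Identities are evaluated top-down; the global policy is the catch-all.
    """
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in EXEMPT_SUBNETS):
        return Decision("Subnets not to Authen", require_auth=False)
    if any(pat.search(user_agent or "") for pat in EXEMPT_USER_AGENTS):
        return Decision("User Agents not to Authen", require_auth=False)
    return Decision("Global Identity Policy", require_auth=True,
                    schemes=GLOBAL_SCHEMES)


def log_record(client_ip: str, user_agent: str, username: Optional[str]) -> dict:
    """Shape of an access-log entry for the request.

    An exempt identity never carries a username, which is the trade-off
    Step 7 warns about: only the client IP is left to tie to a violation.
    """
    decision = match_identity(client_ip, user_agent)
    return {
        "client": client_ip,
        "identity": decision.identity,
        "user": username if decision.require_auth else "-",
    }
```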
Internet Edge 10K Deployment
A single Cisco WSA S370 appliance was deployed in the Internet Edge 5K design. For those who need either the performance or the resilience offered by the Internet Edge 10K design, a simple upgrade solution is possible by adding an additional WSA S370 appliance. When deployed as above in the High Availability section, the two appliances will load share the outgoing connections. If one device fails, the load will be moved to the other WSA. It is possible that network performance could be degraded if one device is handling the load that was designed for two, but Internet web access will remain available and protected.
Final Steps
Monitoring
To monitor the health of the WSA and the actions being taken by the WSA on traffic it is examining, there are a variety of reports available under Monitor. These reports allow an administrator to track statistics for client web activity, malware types, web reputation filters, system status, and more.
Because the appliance itself only stores data for a limited amount of time, you need to install separate software from Sawmill to allow for long-term storage and reporting of events from the WSA.
Consult with your Cisco Account Team or your trusted Partner for more information on Sawmill and long-term reporting.
Troubleshooting
To determine why the WSA took the action it did on a web connection to a specific site from a specific user, an administrator can run the Trace tool under System Administration > Policy Trace.
By filling out the tool, you can test a specific URL to find out what the expected response from the WSA would be if the URL were processed by the WSA. This information is especially useful if some of the more advanced features are used.
Summary
You have now installed the Cisco Web Security Appliance. A basic configuration has been applied and the device can be inserted into the network and receive redirects from the ASA firewall. A default policy has been built that allows an agency to set up access controls for HTTP and HTTPS. A policy has been built to configure HTTPS decryption. And authentication has been set up to allow the WSA to authenticate users and tie the username with the access controls in the logs.
A more detailed discussion about specific implementation of policy should be initiated with a trusted partner or Cisco account representative.
Additional Information
User documentation can be found here: http://www.ironport.com/support/login.html
Work with a Cisco IronPort Channel partner to obtain a login.
Internet Edge Server Load Balancing
Agency Overview
An agency's presence on the Internet plays a key role in the success of an agency. At a minimum, a web presence, a site that presents basic information about the agency, is a requirement. It is important that this website has a high level of availability, as the Internet is a 24x7 operation and partners or customers could view the site at any time. Downtime, even for a simple informational site, means missed opportunities.
Technology Overview
The Internet boom ushered in the era of the server load balancers (SLBs). The primary function of an SLB is to spread the load from clients across banks of servers to improve their response time and availability. Additional functionality provided by an SLB includes application proxies and complete Layer 4 through 7 application switching.
The Application Control Engine (ACE) is the latest SLB offering from Cisco. From its mainstream role in providing Layer 4 through 7 switching, ACE also provides an array of acceleration and server offload benefits, including TCP processing offload, Secure Socket Layer (SSL) offload, compression, and various other acceleration technologies. In the Internet Edge, the Cisco ACE sits in front of the web and application servers and provides a range of services to maximize server and application availability, security, and application acceleration. As a result, Cisco ACE can give an agency more control over application and server infrastructure, which enables it to manage and secure application services more easily and improves performance and availability.
As the next-generation Application Delivery Controller, Cisco ACE provides four key benefits:
• Scalability. ACE scales the performance of a server-based application, such as a web server, by distributing its client requests across multiple servers, known as a server farm. As traffic increases, additional servers can be added to the farm.
• High Availability. ACE provides high availability by automatically detecting the failure of a server and redirecting client traffic to remaining servers within seconds, thus providing users with continuous service.
• Application Acceleration. ACE improves application performance and reduces response time by minimizing latency and data transfers for any HTTP-based application, for any internal or external end user.
• Server Offload. ACE offloads TCP and SSL processing, which allows servers to serve more users and handle more requests without increasing the number of servers.
ACE hardware is always deployed in pairs for high availability: one primary and one secondary. If the primary ACE fails, the secondary ACE takes over. This failover can take place without disrupting the client-to-server connections.
Cisco ACE uses both active and passive techniques to monitor server health. By periodically probing servers, the ACE will rapidly detect server failures and quickly reroute connections to available servers. A variety of health-checking features are supported, including the ability to verify web servers, SSL servers, application servers, databases, FTP servers, streaming media servers, and a host of others.
Physically, the ACE appliance can be deployed in several ways. "One-armed" mode is the simplest deployment method. In this mode, the ACE resides on the same VLAN as the real servers. It is not directly in the path of traffic flow and only receives traffic that is specifically intended for it. Traffic is directed to the ACE and is controlled by the design of VLANs, virtual server addresses, and server default gateway selection (Figure 149).
Figure 149. ACE
Configuration Details
In this configuration example, we first configure the ACE appliance with the basic network settings so it is accessible over the network. The second part of the configuration covers how to configure a policy for directing traffic to the web servers. The first part of the configuration is typically performed at the CLI when booting ACE for the first time, but both parts can be configured via the ACE GUI. Because the example load balancing configuration is simple, the setup in the deployment guide is shown using CLI commands.
Procedure 1 Initial Setup
Procedure Steps:
1. Set system password
2. Configure basic access policy
3. Interface Setup
4. Set up high availability
5. Interface IP Configuration
Step 1: Set system password
When you set up the ACE for the first time, you must change the default password for the admin account.

    switch login: admin
    Password: admin
    Admin user is allowed to log in only from console until the default password is changed.
    www user is allowed to log in only after the default password is changed.
    Enter the new password for user "admin": [admin password]
    Confirm the new password for user "admin": [admin password]
    admin user password successfully changed.
    Enter the new password for user "www": [www password]
    Confirm the new password for user "www": [www password]
    www user password successfully changed.

    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright © 1985-2009 by Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html.
    ACE>

    This script will perform the configuration necessary for a user to manage the ACE Appliance using the ACE Device Manager. The management port is a designated Ethernet port that has access to the same network as your management tools including the ACE Device Manager. You will be prompted for the Port Number, IP Address, Netmask, and Default Route (optional).
    Enter 'ctrl-c' at any time to quit the script
    ACE>Would you like to enter the basic configuration dialog (yes/no) [y]: n
    switch/Admin#
Step 2: Configure basic access policy
Before proceeding with additional configuration, you must set up basic network security policies to allow for management access into the ACE.

    access-list ALL line 8 extended permit ip any any

    class-map match-all http-vip
      2 match virtual-address [Server Virtual IP] tcp eq www

    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any

    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
Step 3: Interface Setup
Ethernet VLAN trunks to the network switching resources connect the ACE appliances. Two Gigabit Ethernet ports on each ACE need to be configured to trunk to the core switch:

    interface gigabitEthernet 1/1
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/2
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/3
      switchport trunk allowed vlan 12
      no shutdown
    interface port-channel 1
      switchport trunk allowed vlan 1121
      no shutdown
The switch ports that connect to the security appliances must be configured so that they are members of the same secure VLANs and forward secure traffic to switches that offer connectivity to servers and other appliances in the server room.
The ACE appliances are configured for Active-Standby High Availability. When ACE appliances are configured in Active-Standby mode, the Standby appliance does not handle traffic, so the primary device must be sized to provide enough throughput to address connectivity requirements between the core and the server room.
A fault-tolerant (FT) VLAN is a dedicated VLAN used by a redundant ACE pair to communicate heartbeat and state information. All redundancy-related traffic is sent over this FT VLAN, including heartbeats, configuration sync packets, and state replication packets.
Step 4: Set up high availability

    ft interface vlan 12
      ip address [Failover Primary IP] 255.255.255.0
      peer ip address [Failover Secondary IP] 255.255.255.0
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 12
    ft group 1
      peer 1
      priority 120
      peer priority 110
      associate-context Admin
      inservice
Step 5: Interface IP Configuration
For the ACE to begin passing traffic, we need to create a VLAN interface and assign an IP address to it. Because we are employing one-armed mode, we need to create a NAT pool as well.

    interface vlan 1121
      ip address [Interface IP] 255.255.255.0
      peer ip address [Peer IP] 255.255.255.0
      access-group input ALL
      nat-pool 1 [NAT IP] [NAT IP] netmask 255.255.255.0 pat
      service-policy input remote_mgmt_allow_policy
      no shutdown
    ip route 0.0.0.0 0.0.0.0 [Default Gateway IP]
The following is the configuration generated and used in the lab from procedure one.

    peer hostname ace-4710-2
    hostname ace-4710-1
    interface gigabitEthernet 1/1
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/2
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/3
      switchport trunk allowed vlan 12
      no shutdown
    interface port-channel 1
      switchport trunk allowed vlan 1121
      no shutdown

    access-list ALL line 8 extended permit ip any any
    class-map match-all http-vip
      2 match virtual-address 10.4.245.100 tcp eq www
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any

    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit

    interface vlan 1121
      ip address 10.4.245.22 255.255.255.0
      peer ip address 10.4.245.21 255.255.255.0
      access-group input ALL
      nat-pool 1 10.4.245.99 10.4.245.99 netmask 255.255.255.0 pat
      service-policy input remote_mgmt_allow_policy
      service-policy input int1121
      no shutdown

    ft interface vlan 12
      ip address 10.10.12.11 255.255.255.0
      peer ip address 10.10.12.12 255.255.255.0
      no shutdown

    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 12
    ft group 1
      peer 1
      peer priority 110
      associate-context Admin
      inservice

    ip route 0.0.0.0 0.0.0.0 10.4.245.1
At this point, the ACE should be reachable on the network. Now we can begin configuring a load-balancing policy.
Procedure 2 Configure Load Balancing
Procedure Steps:
1. Define Servers
2. Set up server health monitoring
3. Define Server Farm
4. Set up load balancing policy
Step 1: Define Servers
Start by defining the application servers that require load balancing:

    rserver host webserver1
      ip address [Web Server 1 IP]
      inservice
    rserver host webserver2
      ip address [Web Server 2 IP]
      inservice

Step 2: Set up server health monitoring
This creates a simple HTTP probe to test the health of the web servers:

    probe http http-probe
      port 80
      interval 15
      passdetect interval 60
      request method head
      expect status 200 200
      open 1

Step 3: Define Server Farm
Place the web servers and the probe into a server farm:

    serverfarm host webfarm
      probe http-probe
      rserver webserver1 80
        inservice
      rserver webserver2 80
        inservice

Step 4: Set up load balancing policy
Configure the load-balancing policy and assign it to the VLAN interface:

    class-map match-all http-vip
      2 match virtual-address [Server Virtual IP] tcp eq www
    policy-map type loadbalance first-match http-vip-l7slb
      class class-default
        serverfarm webfarm
    policy-map multi-match int1121
      class http-vip
        loadbalance vip inservice
        loadbalance policy http-vip-l7slb
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 1121
    interface vlan 1121
      service-policy input int1121
The following is the configuration generated and used in the lab from procedure two.

    rserver host webserver1
      ip address 10.4.245.112
      inservice
    rserver host webserver2
      ip address 10.4.245.113
      inservice
    probe http http-probe
      port 80
      interval 15
      passdetect interval 60
      request method head
      expect status 200 200
      open 1
    serverfarm host webfarm
      probe http-probe
      rserver webserver1 80
        inservice
      rserver webserver2 80
        inservice
    class-map match-all http-vip
      2 match virtual-address 10.4.245.100 tcp eq www
    policy-map type loadbalance first-match http-vip-l7slb
      class class-default
        serverfarm webfarm
    policy-map multi-match int1121
      class http-vip
        loadbalance vip inservice
        loadbalance policy http-vip-l7slb
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 1121
    interface vlan 1121
      service-policy input int1121

At this point, the application should be accessible via the VIP we created (10.4.245.100) and the requests should be distributed between the two web servers.
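The probe and server farm behaviour configured in Procedure 2, as an added example that is not ACE code: it follows the page's probe parameters (HEAD request, expect status 200, interval 15, passdetect interval 60) and selects among healthy real servers round-robin, with the probe itself injected so the logic runs offline. The server addresses are the lab values from the configuration above; the probe responses are constructed.

```python
"""Model of the ACE http-probe and webfarm from Procedure 2 (added example, not ACE code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Parameters taken from the page's "probe http http-probe" definition.
INTERVAL = 15             # seconds between probes while the server is healthy
PASSDETECT_INTERVAL = 60  # seconds between probes once the server has failed
EXPECT_STATUS = range(200, 201)  # "expect status 200 200"


@dataclass
class RServer:
    name: str
    ip: str
    port: int = 80
    healthy: bool = True
    next_probe_at: float = 0.0


@dataclass
class ServerFarm:
    """serverfarm host webfarm: the real servers plus the probe guarding them."""
    servers: List[RServer]
    # Probe returns the HTTP status of a HEAD request, or None when the TCP
    # open itself fails.  Injected so the model can be exercised offline.
    probe: Callable[[str, int], Optional[int]]
    _rr: int = 0

    def run_probes(self, now: float) -> None:
        """Probe every server whose timer has expired and update its health."""
        for s in self.servers:
            if now < s.next_probe_at:
                continue
            status = self.probe(s.ip, s.port)
            s.healthy = status is not None and status in EXPECT_STATUS
            # A failed server is re-checked on the passdetect interval,
            # a healthy one on the normal interval.
            s.next_probe_at = now + (INTERVAL if s.healthy else PASSDETECT_INTERVAL)

    def select(self) -> Optional[RServer]:
        """Round-robin over healthy servers (ACE's default predictor)."""
        live = [s for s in self.servers if s.healthy]
        if not live:
            return None  # no server passes the probe: nothing to hand the VIP to
        chosen = live[self._rr % len(live)]
        self._rr += 1
        return chosen


def make_farm(responses: Dict[str, Optional[int]]) -> ServerFarm:
    """Build the lab webfarm with a constructed probe that answers from a table."""
    servers = [RServer("webserver1", "10.4.245.112"),
               RServer("webserver2", "10.4.245.113")]
    return ServerFarm(servers, probe=lambda ip, port: responses.get(ip))


def distribute(farm: ServerFarm, now: float, n: int) -> List[str]:
    """Run due probes at time `now`, then hand out n connections to the VIP.

    Returns the names of the servers chosen, in order.
    """
    farm.run_probes(now)
    return [s.name for s in (farm.select() for _ in range(n)) if s]
```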
Summary
IT organizations face significant challenges associated with the delivery of applications at the Internet Edge to a global group of partners, clients, and the public. Application-delivery technologies help agencies improve availability, performance, and security of all applications. The Cisco Application Control Engine provides core server load-balancing services, advanced application acceleration, and security services to maximize application availability, performance, and security. It is coupled with unique virtualization capabilities, application-specific intelligence, and granular role-based administration to consolidate application infrastructure, reduce deployment costs, and minimize operational burdens.
Summary
[Figure: Borderless Networks for Large Agencies overview diagram. Areas shown: Internet Edge (Internet Edge Routers, Firewall/VPN, Remote Access VPN, Web Security Appliance, Email Security Appliance, Internet Servers), Campus / Local Area Network (Core Switches, Distribution Switches, Client Access Switches, Wireless LAN Controller, Guest WLAN, Wireless Access Point, Buildings 1 through 4), WAN Aggregation, Data Center, Regional Office (Regional Router, Collapsed Distribution/Core Switches, Wireless LAN Controller, Application Acceleration), Remote (Branch Router with Application Acceleration), Teleworker / Mobile Worker (Hardware and Software VPN), Internet, WAN.]
This deployment guide is a reference design for Cisco customers and partners. It covers the Internet Edge component of Borderless Networks for Large Agencies and is meant to be used in conjunction with the Cisco SBA for Large Agencies—Borderless Networks LAN Deployment Guide and WAN Deployment Guide, which can be found at www.cisco.com/go/sba. If your network is beyond the scale of this design, please refer to the Cisco Validated Designs (CVD) for larger deployment models. CVDs can be found on Cisco.com. The Cisco products used in this design were tested in a network lab at Cisco. The specific products are listed at the end of this document for your convenience. A separate document, the Internet Edge Configuration Guide, contains the specific configuration files from the products used in the Cisco lab testing and can be found on Cisco.com.
Appendix A: Large Agencies Deployment Product List

Functional Area | Product | Part Numbers | Software Version

Internet Edge 5K
Firewall | ASA 5510 or ASA 5520 or ASA 5540 | ASA5510-AIP10-SP-K9, ASA5520-AIP20-K9, ASA5540-AIP40-K9 | 8.2.2
IPS | SSM-AIP-10 or SSM-AIP-20 or SSM-AIP-40 | *part of the firewall bundle | 7.0.2E4
(Software license for main ASA FW) | 250 or 500 SSL Session Software license | ASA5500-SSL-250, ASA5500-SSL-500 | *as Firewall
Email Security | C370 | C370-BUN-R-NA *Please consult Trusted Partner or IronPort Sales Team for pricing and licensing | AsyncOS 7.0
Web Security | S370 | S370-BUN-R-NA *Please consult Trusted Partner or IronPort Sales Team for pricing and licensing | AsyncOS 6.3
Server Load Balancing | ACE 4710 | ACE-4710-0.5F-K9 | A3(2.2)
Outside Switch | 2x Catalyst 3750 | WS-C3750G-24TS-S1U | 12.2(53)SE1
DMZ Switch | 2x Catalyst 3750 | WS-C3750G-24TS-S1U | 12.2(53)SE1

Internet Edge 10K
Firewall | 2x ASA 5520 or 2x ASA 5540 | ASA5520-AIP20-K9, ASA5540-AIP40-K9 | 8.2.2
IPS | 2x SSM-AIP-20 or 2x SSM-AIP-40 | *part of bundle above | 7.0.2E4
VPN | 2x ASA 5520 and 500 SSL seats or 2x ASA 5540 and 1000 SSL seats | ASA5520-SSL500-K9, ASA5540-SSL1000-K9 | 8.2.2
Email Security | 2x C370 | C370-BUN-R-NA *Please consult Trusted Partner or IronPort Sales Team for pricing and licensing | AsyncOS 7.0
Web Security | 2x S370 | S370-BUN-R-NA *Please consult Trusted Partner or IronPort Sales Team for pricing and licensing | AsyncOS 6.3
Server Load Balancing | ACE 4710 | ACE-4710-1F-K9 | A3(2.2)
Outside Switch | 2x Catalyst 3750 | WS-C3750G-24TS-S1U | 12.2(53)SE1
DMZ Switch | 2x Catalyst 3750 | WS-C3750G-24TS-S1U | 12.2(53)SE1
Appendix B: SBA for Large Agencies Document System
[Figure: SBA for Large Agencies document system map, grouped into Design Guides, Deployment Guides (Foundation Deployment Guides and Network Management Guides) and Supplemental Guides; "You are Here" marks the Internet Edge Deployment Guide. Documents shown: Design Overview, IPv6 Addressing Guide, LAN Deployment Guide, LAN Configuration Guide, WAN Deployment Guide, WAN Configuration Guide, Internet Edge Deployment Guide, Internet Edge Configuration Guide, SolarWinds Deployment Guide, Wireless CleanAir Deployment Guide, Data Security Deployment Guide, Nexus 7000 Deployment Guide, SIEM Deployment Guide, ArcSight SIEM Partner Guide, LogLogic SIEM Partner Guide, nFx SIEM Partner Guide, RSA SIEM Partner Guide, Splunk SIEM Partner Guide, CREDANT Data Security Partner Guide, Lumension Data Security Partner Guide.]
Smart Business Architecture
C07-640806-00 12/10