22
Firewall
August 2012 Series
• Dual ISP uses dual Internet connections via two routers (the primary and
secondary ISP routers) that carry the Internet traffic.
Figure 8 - Dual ISP connectivity (figure: the Cisco ASA Primary and Cisco ASA Standby connect through the outside switches, with VLAN 16 (172.16.0.0) toward the Primary ISP Router and VLAN 17 (172.17.0.0) toward the Secondary ISP Router, VLANs 16 and 17 trunked to the Cisco ASA; IP-SLA probes are sent across the Internet to the probe destination 172.18.1.1)
An organization should have an IT security policy to use as a reference for
defining its firewall policy. If there is no documented security policy, it is very
difficult to create a firewall policy for the organization because no consistent
set of rules can be enforced.
Policy Recommendations
Network security policies can be broken down into two basic categories:
whitelist policies and blacklist policies. A whitelist-based policy offers a
stronger initial security posture because all traffic is blocked except for
applications that are explicitly allowed. However, whitelist policies are more
likely to interfere with network applications and are more difficult to maintain,
as each new application must be permitted through the firewall. A whitelist
policy is easily recognized because the last access rule denies all traffic
(i.e., “deny ip any any”). Whitelist policies are best suited for traffic from the
Internet to services in the DMZ.
The following information is needed to be able to effectively define a
whitelist security policy:
• What applications will be used on the network?
• Can their traffic be characterized at the protocol level?
• Is a detailed description of application behavior available in order
to facilitate troubleshooting if the security policy interferes with the
application?
A blacklist policy is generally more suitable for requests from the inside
network to the Internet. This type of policy offers reduced operational
burden and minimizes the likelihood that the security policy will interfere
with Internet applications. Blacklist policies are the opposite of whitelist
policies; they only stop traffic that is explicitly denied. Typically an application
is blocked because of an organization’s policy or because it exposes the
organization to malicious traffic. A blacklist policy is recognizable by the last
access rule; the rule set permits all traffic that has not already been denied
(that is, “permit ip any any”).
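To make the whitelist/blacklist distinction concrete, the following added example (not Cisco's code or configuration) parses a simplified subset of ASA extended access-list syntax, classifies a rule set by its final rule, and evaluates flows with first-match semantics. The two sample access lists are constructed for this example; the interface names and addresses in them are placeholders.

```python
import ipaddress
import re

# Simplified subset of ASA extended ACL syntax (assumed for this example):
#   access-list NAME extended permit|deny PROTO SRC DST [eq PORT]
# where SRC/DST is "any", "host A.B.C.D", or "A.B.C.D MASK".
_ADDR = r"any|host \S+|\S+ \S+"
RULE_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    rf"(?P<src>{_ADDR}) (?P<dst>{_ADDR})(?: eq (?P<port>\d+))?"
)
ANY = ipaddress.ip_network("0.0.0.0/0")

def _to_network(spec):
    if spec == "any":
        return ANY
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(text):
    """Parse ACL lines into ordered rules (the ASA applies the first match)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line}")
        rules.append({"action": m["action"], "proto": m["proto"],
                      "src": _to_network(m["src"]), "dst": _to_network(m["dst"]),
                      "port": int(m["port"]) if m["port"] else None})
    return rules

def classify(rules):
    """Whitelist ends in 'deny ip any any'; blacklist ends in 'permit ip any any'."""
    last = rules[-1]
    catch_all = (last["proto"] == "ip" and last["src"] == ANY
                 and last["dst"] == ANY and last["port"] is None)
    if not catch_all:
        return "implicit-deny"  # no explicit final rule; unmatched traffic is dropped
    return "whitelist" if last["action"] == "deny" else "blacklist"

def evaluate(rules, proto, src, dst, port=None):
    """Return the action of the first matching rule ('deny' if nothing matches)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto) or s not in r["src"] or d not in r["dst"]:
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        return r["action"]
    return "deny"

# Constructed samples: whitelist for Internet-to-DMZ, blacklist for inside-to-Internet.
DMZ_IN = """access-list outside_access_in extended permit tcp any host 192.0.2.10 eq 443
access-list outside_access_in extended permit tcp any host 192.0.2.10 eq 80
access-list outside_access_in extended deny ip any any"""
INSIDE_OUT = """access-list inside_access_in extended deny tcp 10.4.0.0 255.255.0.0 any eq 23
access-list inside_access_in extended permit ip any any"""
```

Running `evaluate(parse_acl(DMZ_IN), "tcp", "198.51.100.7", "192.0.2.10", 22)` returns `deny` because only ports 443 and 80 are explicitly allowed before the catch-all, while the inside-to-Internet list permits everything except telnet from 10.4.0.0/16.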
In some cases, traffic (such as web content) of high business value is very
difficult to distinguish from traffic with no business value, such as malware
and entertainment traffic. As an adjunct to the Cisco ASA, the Cisco Web
Security Appliance (WSA) offers web filtering for traffic that contains
malware or negatively affects user productivity. Additionally, Cisco IPS can
be used to block malicious traffic embedded within permitted applica-
tions. Cisco IPS concepts and configuration are discussed in the Intrusion
Prevention chapter in this document. Cisco WSA concepts and configuration
are discussed in the Cisco SBA—Borderless Networks Web Security Using
WSA Deployment Guide.
Procedure 1
Configure the outside switch
If you already have a switch on the outside into which you are allowed to
plug both Cisco ASAs, then you can skip this procedure. This switch could
be ISP-provided gear, such as a cable modem with a 4-port switch or similar.
The only requirement in Single ISP mode is that both Cisco ASAs’ outside
interfaces have to be plugged into the same Layer-2 domain in order to allow
failover to function. In this deployment, a trunked outside interface is used,
even in Single ISP mode, to allow easier migration to Dual ISP mode later. If
you are using an outside switch that doesn’t support trunking, you will need
to assign the outside IP address directly to the interface of the Cisco ASA.