Zones Designing in firewall

Similar Messages

• Basic Design Question - Firewall Router segment

  I'm at a new place and have to re-do the current lan.  Small office, 80-100 users. Existing setup is flat network, no QoS, no VLANs.  I have already replaced an older PIX with a new ASA (5525x) and added a DMZ.  
  I am currently trying to draw up a proposed design which currently will be single firewall, multiple VLans(user, server, voice, guest).  My question is regarding the link between core router(L3 switch, whatever) and firewall.   I'm thinking the correct setup is to have a seperate /30 subnet on the interfaces between the firewall and router as below, and then router will just have a default route of 0.0.0.0 0.0.0.0 10.1.100.2     Is this correct? 
  Internet-------Firewall-(10.1.100.2/30)----------------------------(10.1.100.1/30) --Router ----(10.1.1.1/24, 10.1.2.1/24, 10.1.3.1/24, etc)                 
  Thanks,

  Your design is good. But as for the subnet between the core (router or L3 switch - switch preffered) and edge FW, i suggest something a little larger than a /30. Like a /28. You may want to add a standby FW in a few months or years, or a new WAN connection to that 'demarc' subnet' at some point. It's good practice to leave some romo for growth. Even if you dont forsee it right now.
  ==========================
  http://www.rConfig.com 
  A free, open source network device configuration management tool, customizable to your needs!
  - Always vote on an answer if you found it helpful

• Seeking advice on Zone design

  I have a ZCM Zone originally built with ZCM 10.2 and has been updated over the years to 11.2.3 and soon to be updated to 11.3.1
  The Zone services 15,000 devices with over 30k users (school district). The network topology is central, each school has a 10GB fiber link to the data center. Entire Zone is build on a VMWare vSphere 5 platform.
  Current design consists of 1 dedicated ZCC server, 1 dedicated Inventory server, 2 dedicated image servers, and 12 Authentication/Content/Config servers. Database is SQL 2008 R2 on it's own VM. Typical guest machine config uses 2 vCPU 8GB vRAM. All run on Windows 2008 R2 SP1 SQL server uses 2 vCPU and 24GB of vRAM. DB has grown to 43GB in size (gets up to 60+GB before DB maintenance operations are run).
  In ZCM 10, the closest server rules were setup to split the user traffic among four selected servers for the site. When the closest server rules allowed for groups, it was enabled to get the round robin functionality. Was never able to get the needed data from my customer to fully implement Locations, so Locations Lite is in use. Pretty much set the default closest server rule to group all 12 Auth servers in a single group. It has worked to split the load quite well among the 12 Primary servers.
  Only the ZCC server and Image servers had their entire VM memory reserved (per VMWare best practice for a Java app). Was unable to reserve memory for all guest machines since it would cause to much performance issues with other guests when doing so. Because of this, I am thinking of swapping out the 12 Primary servers for 12 Satellite servers .. but I am unsure of the sanity of doing such a change. The satellite servers would run in the same virtual environment as the Primary servers.
  My hope in doing this change is to improve the authentication speed, and satellite servers seem to be faster in getting the job done. Also reduce the amount of work the database server is doing by reducing the amount of Primary servers talking to it.
  The change almost seems pointless, so I wanted to see what other thought about doing such a change.
  thank you

  We definitely want all of the VMware Memory Reserved.
  Consider Converting the 2 Dedicated Imaging Servers to Satellite Servers
  with the Imaging Role. This will consume far fewer resources and they
  memory for Satellite Servers is not required to be fully dedicated.
  12 Auth/Content/Config servers is far more than what is necessary for
  15,000 Devices. Especially with 8gb of RAM. As a Test, Remove a couple
  of these servers from the "Server Group" and test performance.
  You may also be able to reduce the RAM from 8GB to 6GB on the remaining
  10 servers to allow for dedication.
  The key is that assigning RAM above and beyond what is dedicated can
  lead to stability issues and will not be fully dedicated.
  It is quite common for servers to fail upgrading or crash after upgrades
  when the RAM is not dedicated because the servers now start hitting and
  trying to use the non-dedicated RAM that was previously not used.
  Also Drop an Email to [email protected]
  I want to email you a utility, but will need your email address.
  Note: Location Lite is just fine.
  On 7/15/2014 4:56 PM, Provogeek wrote:
  >
  > I have a ZCM Zone originally built with ZCM 10.2 and has been updated
  > over the years to 11.2.3 and soon to be updated to 11.3.1
  > The Zone services 15,000 devices with over 30k users (school district).
  > The network topology is central, each school has a 10GB fiber link to
  > the data center. Entire Zone is build on a VMWare vSphere 5 platform.
  >
  > Current design consists of 1 dedicated ZCC server, 1 dedicated Inventory
  > server, 2 dedicated image servers, and 12 Authentication/Content/Config
  > servers. Database is SQL 2008 R2 on it's own VM. Typical guest machine
  > config uses 2 vCPU 8GB vRAM. All run on Windows 2008 R2 SP1 SQL
  > server uses 2 vCPU and 24GB of vRAM. DB has grown to 43GB in size (gets
  > up to 60+GB before DB maintenance operations are run).
  >
  > In ZCM 10, the closest server rules were setup to split the user traffic
  > among four selected servers for the site. When the closest server rules
  > allowed for groups, it was enabled to get the round robin functionality.
  > Was never able to get the needed data from my customer to fully
  > implement Locations, so Locations Lite is in use. Pretty much set the
  > default closest server rule to group all 12 Auth servers in a single
  > group. It has worked to split the load quite well among the 12 Primary
  > servers.
  >
  > Only the ZCC server and Image servers had their entire VM memory
  > reserved (per VMWare best practice for a Java app). Was unable to
  > reserve memory for all guest machines since it would cause to much
  > performance issues with other guests when doing so. Because of this, I
  > am thinking of swapping out the 12 Primary servers for 12 Satellite
  > servers .. but I am unsure of the sanity of doing such a change. The
  > satellite servers would run in the same virtual environment as the
  > Primary servers.
  >
  > My hope in doing this change is to improve the authentication speed, and
  > satellite servers seem to be faster in getting the job done. Also
  > reduce the amount of work the database server is doing by reducing the
  > amount of Primary servers talking to it.
  >
  > The change almost seems pointless, so I wanted to see what other thought
  > about doing such a change.
  >
  > thank you
  >
  >
  Craig Wilson - MCNE, MCSE, CCNA
  Novell Technical Support Engineer
  Novell does not officially monitor these forums.
  Suggestions/Opinions/Statements made by me are solely my own.
  These thoughts may not be shared by either Novell or any rational human.

• Trying to ssh from a local zone to a firewalled physical server

  When i try to ssh to the server getting the following errors
  # ssh -v x.x.x.x
  Sun_SSH_1.1.5, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: Rhosts Authentication disabled, originating port will not be trusted.
  debug1: ssh_connect: needpriv 0
  debug1: Connecting to x.x.x.x [ x.x.x.x] port 22.
  debug1: connect to address x.x.x.x port 22: Cannot assign requested address
  ssh: connect to host x.x.x.x port 22: Cannot assign requested address
  This happens if i use hostname or ipaddress.  There is no record of the ssh even getting to the firewall.
  traceroute is giving the following
  # traceroute x.x.x.x
  traceroute to x.x.x.x (x.x.x.x), 30 hops max, 40 byte packets
  1 traceroute: sendto: Network is unreachable
  traceroute: wrote x.x.x.x 12 chars, ret=-1
  *traceroute: sendto: Network is unreachable
  We can do the same from other servers but none of the local or global zones on this server but cant find any difference in the setup between them.
  The global is solaris 11 and the local is a solaris 10 branded zone

  I get the blue screen asking me for a forgotten password -11 months of storage and an old brain. Thanks very much i am windows gluent and as a friend remarked when he'd queried me as to which laptop i'd bought told him i'd gotten a good deal on an old g4 model, he said " you're not a pc user anymore, you're a cult member. I still smile at that.

• Design Help - Firewall/DMZ

  Hi,
  I am about to purchase two 5515-X next generation firewalls and I need to decide what to do as far as the design goes so I need some help from the experts. This appliances seem to come with 6 1Gbps ports which is enough. In our LAN, we have two 6500 running on VSS mode and we are also going to get our second ISP. Doing the obvious which is cross-connect each firewall with the two 6500s and possibly with the internet routers. Is it something else you recommend?
  Planning to trunk a couple interfaces and connect them to a DMZ switch; however, how do I make that one switch redundant? Some of the vendors currently connected do not offer a redundant link in case of failure.
  I'll be deploying the devices as active/standby and this is because I have VPNs configured which it is my understanding that both devices can't be active with this type of configuration. Can someone advise on this matter? However, the company wants to use them both at the same time.
  Using two ISPs, how do I deal with the Public-Internal NAT?
  Any help is greatly appreciated. Thanks.

  Planning  to trunk a couple interfaces and connect them to a DMZ switch; however,  how do I make that one switch redundant? Some of the vendors currently  connected do not offer a redundant link in case of failure.
  Well, you could use the 6500s if you have enough free interfaces on it.  Create the DMZ VLAN on the 6500s as well as on the new DMZ switch.  On the 6500 and the DMZ switch configure the ports as trunk but only allow the single VLAN on that trunk.  Create a subinterface on the ASA and place that subinterface in the new DMZ VLAN and give it an IP.
  I'll be deploying the devices as  active/standby and this is because I have VPNs configured which it is my  understanding that both devices can't be active with this type of  configuration. Can someone advise on this matter? However, the company  wants to use them both at the same time.
  What the company wants isn't always what is the best solution and they should be told that, from time to time.  However, it is possible to configure the ASAs in an Active/Active setup.  This will require that the ASAs are configured in multiple context mode.  On one ASA context 1 is active while context 1 on the second ASA is in standby mode. then on the second ASA context 2 is the active context and on ASA context 2 is in standby mode.  This setup will alow the use of both ISP connections and be able to maintain VPN connections.  Keep in mind that the VPN connections will not be active on both ASAs.  It wil only be active on the active context, but will failover to the standby context if a failure occurs.
  Using two ISPs, how do I deal with the Public-Internal NAT?
  the ASA does not support two active default gateways, and therefore support for two ISPs is not supported in single context mode.  So if you have a requirement to use both ISP connection simultaneously then you need to have multiple contexts. Each context is a virtual firewall and completely seperate from eachother.
  So, back to the active contexts.  context 1 on ASA1 is the active context and is connected to ISP1.  context 2 on ASA2 is the active context and is connected to ISP2.  You would perform NAT in the exact same way as you would in a single context ASA no hocus pocus.  The only difference is that the traffic that goes towards each context and subsiquently each ISP are not from the same subnet.  They need to be seperated and then diveded between the two contexts.
  So, context 1 would have traffic for VLANs 1, 3, 5, 7, 9 and context 2 would have traffic for VLANs 2, 4, 6, 8, 10.
  here is a link on how to configure active/active failover.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_failover.html#wp1163513
  Please remember to rate and select a correct answer

• Design of Firewall

  I am Designing an Application Firewall.For that i am designing a proxy server. I have to capture the packets(both INbound and Outbound) blocking them from the server.What should i do to block the packets?.I have gota Java API named JPCAP but using those classes I can only capture the packets but I cant block themfrom going toserver.Please get me a solution.
  thanking u.
  Raghu Kumar,
  Andhra University,
  Vizag,
  Andhrapradesh.

  it'd be better if you wrote your firewall in C

• After installation of 8.0.1 Firefox will not connect through Zone Alarm Firewall

  After updating Firefox from 8.0.0 to 8.0.1, Firefox would no longer connect to either my LAN or the internet. Internet Explorer, Outlook and Ping work fine, the latest version of Chrome also will not connect. If I turn off the Zone Alarm Free firewall, everything connects again.

  Your firewall is not recognizing the new version; it is just doing its job.
  #Exit Firefox (''Firefox button'' > Exit or ''File > Exit'')
  #Remove references to firefox and plugincontainer from your firewall list of allowed programs
  #Start Firefox, let your firewall detect the new version and give permissions to allow Firefox access to the internet
  '''NOTE:'''
  *In ZoneAlarm 10.1.056.000, the ZA toolbar only works with Firefox 7.
  *In ZoneAlarm 10.1.065.000, the ZA toolbar only works with Firefox 8.
  See --> [https://support.mozilla.com/en-US/kb/Cannot%20connect%20after%20upgrading%20Firefox Cannot connect after upgrading Firefox]
  Visit the ZoneAlarm forum: http://forums.zonelabs.com/index.php
  '''If this reply solves your problem, please click "Solved It" next to this reply when <u>signed-in</u> to the forum.'''

• Cisco ACE and firewall design

  Guys,
  If I have servers protected behind a firewall and I need to load balance some servers , where should I place the ACE?
  Sent from Cisco Technical Support iPad App

  Hi,
  With one-arm i believe the question is where you want to place the firwall. As long as the client is able to reach the VIP and server replies back to ACE i dont see any problem with this design.
  Firewall ---------Switch ---------------- Load Balancer ---
  As you know with one-arm requires a source NAT and might not be a good fit for application that are using the source IP address to track client usage patterns. PBR avoids this problem but adds other considerations, such as routing complexity, asymmetrical routing for non-load-balanced flows, and VRF support; PBR is not available on VRFs.
  Regards,
  Siva

• ASR Zones and BGP

  We're designing a second datacenter and are looking at routers for both our MPLS network and our Internet edge. In our current datacenter we have 4x3945e routers, two on the MPLS networks and two on the Internet edge networks. Since we're going to have a 1GB link between the two datacenters, I started looking at the ASR platform for it's impressive throughput compared to the 3945e.
  I noticed the Enterprise Applications feature supports zone-based policy firewall, which seems appealing. Given the raw power of the ASR and the ability to support zones, it seems one router could handle both the external Internet access and the MPLS traffic, each residing on it's own zone.
  Considering the ASR 1001x, my two questions are
  Is my assumption correct or would the above be a security concern?
  Can each zone support a different BGP AS number?
  Thank you,
  Denny

  From within the zone, you can see what pool you're bound to by simply using
  the -q argument to poolbind(1M) with a valid pid, such as "poolbind -q $$".
  Alternatively, you can use the pooladm(1M) command with no arguments.
  Note that if you don't have pools active, this will result in a "Facility is not active"
  message but otherwise you'll see the details about the pool this zone is bound
  to.
  From the global zone, you can see the actual pool the zone is currently bound
  by doing something like "zlogin myzone 'poolbind -q $$'". And you can see
  which pool the zone will attempt to bind to the next time it reboots by using
  the "zonecfg -z myzone info pool" command.
  Does this help?

• Firewall Dropping Packets - %FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.

  Hi,
  Can anyone explain this error and what is a stray Segment with the IP ident 46866. I can't seem to find this error on the Cisco web site the only bug appears to be to do with Zone firewalls. I have an 877 Router on a remote site configured with IPSEC and a Tunnel back to the main office and I'm getting reported connection issues to network drives on servers located local to the LAN and on the headend LAN. Can't seem to find any other errors apart from this one.
  %FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.X.X.X due to
  Stray Segment with ip ident 46866 tcpflags 0x5010 seq.no 1237259566 ack 3465174792
  If any one could help or point me in the right direction that would be great. Failing that I'm jumping off this building.
  Ta
  Jim

  This may help:
  Caveat "CSCsj30582"
  http://www.cisco.com/en/US/docs/ios/12_4t/release/notes/124TCAVS.html
  Symptoms: A Cisco IOS router that is running ZPF (Zone-based Policy Firewall) intermittently drops ESP packets even when it is configured to pass them. This causes traffic over an IPsec VPN tunnel through this router to fail intermittently, although the tunnel is up and phase 1 (isakmp) and phase 2 (ipsec) SAs have been established. If the router is configured to log dropped packets, it will log a %FW-6-DROP_PKT syslog message for these packets.
  Conditions: This symptom is observed on a Cisco IOS router that is enabled with ZPF (Zone-based Policy Firewall) and that is configured to pass the ESP traffic based on a "match access-group" policy, where the access list has entries to permit the ESP traffic specifically from one host to another.
  For example:
  class-map type inspect match-any cm-esp match access-group 100
  policy-map type inspect in2out class type inspect cm-esp pass
  access-list 100 permit esp host 10.0.0.2 host 10.1.1.2 access-list 100 permit esp host 10.1.1.2 host 10.0.0.2
  Workaround: Configure the access list so that the source is "any", for example:
  access-list 100 permit esp any host 10.1.1.2 access-list 100 permit esp any host 10.0.0.2
  First Alternate Workaround: Use the classic Cisco IOS firewall instead of ZPF; that is, use "ip inspect".
  Further Problem Description: If an explicit deny rule is added to the above example, for example:
  access-list 100 permit esp host 10.0.0.2 host 10.1.1.2 access-list 100 permit esp host 10.1.1.2 host 10.0.0.2 access-list 100 deny esp any any
  Then the show access-list command will indicate that the dropped packets are hitting the deny rule, although they should match one of the permit rules:
  Router# show access-lists 100
  Extended IP access list 100 10 permit esp host 10.0.0.2 host 10.1.1.2 (999 matches) 20 permit esp host 10.1.1.2 host 10.0.0.2 (999 matches) 30 deny ip any any (1 match)

• ASAs failover pair which design is the best

  Guys
  I am designing the firewall solution. I have 2 ASA with 2 Switches. Please see the diagram design1 and design2. Let me know your thoughts. Design 1 uses a stacking cable with 2 switches but in a diagram it is represented as one due to lack of diagram availability. Design 2 uses 2 switches connected seperately. What are advantages of one over the another.?
  Thanks in advance.

  By all means you can use a switch to interconnect both ASAs and it is not achieving anything different from using a cross-over cable for the purpose of deploying a state-full failover.
  I have deployed at least 15 state-full failover ASAs over the course of 14 years of network career just by using a cross-over cable.  If you weight pros and cons using a switch vs the cross-over cable.  I would say cross-over cable have more pros than con and this is my take.
  Nothing against Cisco but sometime Cisco recommendation also comes with sales and marketing strategy.
  "Each interface should connect to a switch port so that the link status is always up"
  So does the cross-over cable and there is an additional point of failure by a switch coming in between ASA and a switch that sending statefull sync data to standby ASA.
  Thanks   

• OSX ML firewall is blocking smtp/imap connection to the server. how can i enable it without turning off the firewall?

  With the firewall turned on and with the "block all incoming connections" option untick, I can send email to internal and external addressee. However,
  1. Mail clients both from LAN and from outside (WAN connected) could not connect to the mail server. Both SMTP and IMAP could not connect to the server.
  2. External MTA (say from google or yahoo MX server) could not connect to the server too.
  both of these issues are resolved if I set the firewall to OFF. Is there a workaround without turning this off? appreciate your input/advise..

  I've used Mail on Exchange and Gmail with the firewall on for send/recieve on my Mac no problem there.
  However,  are you asking about the MacServer? If so, you're in the wrong section...
  Remember how public-facing systems work, they have to be universally accessible directly or through a DMZ zone in the firewall/gateway. This means the firewall/gateway has to be upstream from the server, not directly on the server.
  Also, check your DNS settings on the computers and server both inside and outside the network.

• Proxy Auth based on Policy

  I am using a Firewall IOS box 12.4 AdvancedIPServices. My design is as follows. I have 4 security zones in the firewall, and each zone has its own subnet. I want to create a policy/rule that allows port 3389 (RDP) to cross between a trust and untrust zone, and I want the user to have to authenticate to the tacacs+ or local database before it allows this connection to be made. I will have them go to a HTTP page to auth 1st. I am able to turn authentication on per interface, but I do not want all traffic leaving that zone to have to authenticate, just traffic I specify in my policy needs to authenticate. Is there a way to do this with Firewall IOS? If so can someone give me a config example?
  Thanks
  Chris

  Hi Igor,
  I don't think that is possible on ACE since client authentication is part of SSL handshake. The problem is that the server doesn't know if the client wants https://abc.com or https://abc.com/xyz until the SSL handshake has been completed. Only after SSH handshake is completed, ACE would be able to look into the URL and take LB decision, don't know of any way we can tell ACE to request for client authentication at that point which will mean complete ssl handshake again. I do see that can be done on Apache server etc but i am not aware of any way that can be done on ACE.
  Regards,
  Kanwal

• Edge Router-Security

  Dears HI
  please which Ports should be blocked in the Edge Router to privent the Attack to my Network from Internet ,please give me some Ports that used by Attacker

  Disclaimer
  The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
  Liability Disclaimer
  In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
  Posting
  please i didnt run BGP on this router ,please can i protect this router or network from attack by ACL ? or need to install ASA Firewall ?
  Yes, you can protect your router from attack using ACLs.  Regarding protecting the rest of your network, i.e. do you need something like an ASA, that depends on the security needs of the rest of your network.
  What firewalls offer, that "normal" ACLs usually don't do, is basing security on session state.  I.e. Firewalls often will restrict some/much external traffic to return traffic (some host on the inside had to start the session).
  But do you need a firewall?
  Again, depending on your interior network security needs, security features of a router might be sufficient.  For example, you might only allow return traffic using a reflective ACL (http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html).  Or you might only allow TCP traffic that has the established bit set (could be spoofed but unless it matches what's expected by the directed to host, the host will drop).  If you use NAT, return traffic much match an outbound session.  Additionally, beyond ACLs, Cisco routers often support a security feature set that will provide additional firewall features, such as CBAC (http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/13814-32.html) or ZFW (http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html).
  A dedicated firewall device, such as an ASA, is often needed when your security requirements cannot be met by the above.  Is this true for you?  Don't know.  If you don't know, that's a question probably better answered obtaining personal consultation.  Network security, as a subject, is complex enough that Cisco offers secuity certifications from CCNA to CCIE.

• SR520, ping reply

  Hi,
  Not very familiar with the ZBF on the SR520, can anyone please provide me with a config enabling the SR520 to send ping reply´s.
  Regards
  Eivind

  Zone-based firewall configuration can be confusing, especially if one is used to older CBAC-type FW configuration.
  Your best resource for this problem is the
  Zone-Based Policy Firewall Design and Application Guide
  http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#app-b
  Appendix B has a sample config that would allow ping replies.
  There are four basic steps in setting up the firewall.
  1) Define the zones
  2) Define the class maps that identify traffic between zones
  3) Create a policy map that defines the action to take on the class map
  4) Configure the zone pair and apply the policy
  In Appendix B, you'll see the class map specifiying what traffic to inspect. The names of the class-map and policy-map could be anything.
  class-map type inspect match-any L4-inspect-class
  match protocol tcp
  match protocol udp
  match protocol icmp
  The policy map here indicates what action to take, and in this case, the only action is to 'inspect'.
  If it was 'drop', the connection would be denied.
  policy-map type inspect clients-servers-policy
  class type inspect L4-inspect-class
    inspect
  Hopefully that helps!
  Addis