07-29-2013 09:16 PM - edited 03-11-2019 07:18 PM
With Akhil Behl
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions from Cisco expert Akhil Behl about the Cisco Adaptive Security Appliance (ASA) Firewalls: Lifeline of Today’s Data Centers including various new features of the Cisco ASA firewall as a next-generation data center firewall in terms of its capability, scalability, and performance. He can also answer questions on Cisco ASA as a next-generation data center firewall, providing clustering and intelligent threat defense using Cisco ScanSafe technology and access control based on Cisco TrustSec.
Akhil Behl is a solutions architect with Cisco Advanced Services, focusing on Cisco collaboration and security architectures. He leads collaboration and security projects worldwide for the enterprise segment as well as the collaborative professional services portfolio for the commercial segment. Previously at Cisco, he spent 10 years in various roles at Linksys and the Cisco Technical Assistance Center. He holds CCIE (Voice and Security), PMP, ITIL, VMware VCP, and MCP certifications. He has published several research papers in international journals, including IEEE Xplore. He has been a speaker at prominent industry forums such as Interop, Enterprise Connect, Cloud Connect, Cloud Summit, Cisco SecCon, IT Expo, and Cisco Networkers. He is the author of Securing Cisco IP Telephony Networks by Cisco Press.
This event is a continuation of the live Webcast, and the panelists were Sumanta Bhattacharya and Parminder Pal Singh.
Sumanta Bhattacharya is a Network Consultant with Cisco Advanced Services and has more than 12 years of networking experience, specializing in security topics that include Firewall / IPS / VPN, Wireless, Network Optimization, Audits and Security Assessments. He holds CCNP, CCSP, VCP and ISO 27001 Lead Audit certifications.
Parminder Pal Singh is a Data Center Specialist for Cisco Presales in Data Center and has more than 9 years of experience. Prior to this role he worked at companies such as VCustomer, Convergys and Aricent Technology Holdings. He is an active instructor for both Data Center and Network Security technologies. He holds a CCIE certification (#19972) in the Security domain.
Remember to use the rating system to let Akhil and team know if you have received an adequate response.
Akhil might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through August 9, 2013. Visit this forum often to view responses to your questions and the questions of other community members.
Webcast related links:
08-02-2013 03:58 AM
Hi Umair,
Your drawing looks just fine!
Here are the answers to your queries:
1. Do we have support for the VPC feature on the firewall? Any plan for the VPC feature in the future?
VPC is supported for the Cluster Control Link (CCL); please see the following URLs:
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html#wp1559338
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html#wp1595624
2. Does the clustering feature support Active-Active mode in the same context? Is it at the session level or the packet level?
Clustering is supported in single or multiple context mode. By default, clustering is active/active. Clustering can be at Layer 2 (spanned, EtherChannel, VPC) or at Layer 3 (individual mode).
3. In the figure above, how do we make sure the routing is correct? Should we use policy-based routing on the Nexus to force data center traffic towards the firewall?
If you have spanned interfaces with a port channel or routed interfaces, you have an IP address to route traffic to as the next hop. You can use this IP address as the gateway of last resort for everything going out of the DC. See the following topologies:
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html#wp1669969
4. Is there any best practice document for ASA deployment in the data center?
There are a few documents around the ASA as a DC firewall detailing best practices. I've listed the ones I refer to most often:
ASA DC design guide for 550-X series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/design_guide_c22-624431.html
ASA DC deployment guide
Cisco ASA DC config guide
http://docwiki.cisco.com/wiki/Cisco_ASA_Firewall_Configuration_for_Data_Center
Hope this information is helpful!
Akhil Behl
Solutions Architect
Cisco Systems
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
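As an added illustration of the three points in the answer above (CCL on a vPC, active/active clustering on a spanned EtherChannel, and the cluster's address as the next hop), not configuration from the post or from Cisco documentation: a two-unit ASA 9.x cluster in spanned EtherChannel mode, with the Nexus vPC pair routing its default route to the cluster's single inside IP. Unit names, interface numbers, VLANs and addresses are constructed, and the command syntax is assumed to follow the ASA 9.0 clustering guide linked above.

```text
! ASA unit 1 (unit 2 is identical apart from local-unit and its CCL address)
cluster interface-mode spanned force
!
! Cluster control link: a per-unit EtherChannel, one member link to each
! Nexus of the vPC pair; mode on, as the CCL does not run LACP.
interface TenGigabitEthernet0/6
 channel-group 1 mode on
 no shutdown
interface TenGigabitEthernet0/7
 channel-group 1 mode on
 no shutdown
!
! Data interface: a spanned EtherChannel shared by every unit, so the cluster
! answers on one inside IP address; that address is the Nexus next hop.
interface TenGigabitEthernet0/8
 channel-group 2 mode active
 no shutdown
interface Port-channel2
 port-channel span-cluster
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
cluster group dc-cluster
 local-unit asa1
 cluster-interface Port-channel1 ip 192.168.250.1 255.255.255.0
 priority 1
 key CONSTRUCTED-KEY
 enable noconfirm
!
! Nexus vPC member (peer-link, peer-keepalive and the VLAN 10 SVI omitted):
! each ASA's CCL is its own vPC in the CCL VLAN, the spanned data
! EtherChannel is one vPC carrying links from all units, and the default
! route uses the cluster IP rather than policy-based routing.
feature vpc
vpc domain 10
interface port-channel 101
 description asa1 cluster control link
 switchport
 switchport access vlan 250
 vpc 101
interface port-channel 2
 description ASA spanned data EtherChannel (links from asa1 and asa2)
 switchport
 switchport access vlan 10
 vpc 2
ip route 0.0.0.0/0 10.1.1.1
```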
08-02-2013 04:27 AM
Hi Akhil,
Hope you can help with a couple of pre-sales/design queries.
Many Thanks!
08-02-2013 01:26 PM
Hi Shillings,
I'll try to answer your queries based on my know-how about the roadmap and feature sets.
1. Any dates as to when Cisco will support both CX and IPS in the same box?
The first release of CX was planned without IPS support, though future release(s) do have IPS support for the NGFW service module on the roadmap.
To your point, statistically, in many organizations it is not common to have all firewall and related services on the same network device, from performance and separation-of-duties perspectives. For those that need IPS functionality in the same physical chassis as a firewall, the ASA 5585-X supports a hardware (SSP) based IPS solution. I know this is not really in line with your query; however, I am trying to provide a perspective on how the larger community thinks.
2. Online Cisco documentation says it will implement IPS functionality into CX, in future. Does this mean Cisco will simply fix the above interoperability issue, or will it develop an entirely new IPS solution that is embedded within CX?
As I mentioned earlier, I don't see an interoperability issue here, since the FCS release never had IPS planned into it. IPS functionality for the CX NGFW services module is on the roadmap and will support full IPS capabilities.
3. Any idea when Cisco will fix the EtherChannel restriction for ASA cross-stack connectivity (VSS is fine)? I appreciate there is a work around and it's not exactly data centre, but would like to see it supported and working straight out of the box for the SME customer.
This restriction still applies in the 9.x release and, from where I see it, it's there until defined on the roadmap. If you have a strong business case for this feature, please approach your account manager to have your case shared with the BU (if not already done) so they can work on it for future releases.
4. Will ASDM be migrated to Prime Security Manager, like CX? If so, when?
For now, ASDM will continue to be the management interface for the ASA, and PRSM for the NGFW CX. On the roadmap, the future plan is to manage ASA firewall features through PRSM, so that customers get a single management pane for the ASA and NGFW services.
5. A brief scenario. You need to connect an active/standby HA pair. There are three spare interfaces on each firewall. Normally, I'd assign one interface for the failover link and one for the replication link. I'd also follow Cisco best practice and place a switch between each failover interface. However, could we negate the requirement for the switch by bundling two interfaces into a single EtherChannel (or use a Redundant interface)? I appreciate only one channel in the EtherChannel bundle is ever used at any one time, but that shouldn't be an issue. The point is that if one of the two failover ports fails on the active firewall, then connectivity is not lost. I think the chances of both failing are slim. The downside is that it requires a total of 3 interfaces, instead of just 2. Perhaps it's not a great idea, but I would appreciate your thoughts (or those of any forum members).
In my honest opinion, using a port channel with ASA failover is not the best of designs. The major reason is that you lose 2 interfaces for something which could have been handled by one and hence lose a good ZONE. Moreover, for an ASA in an Active/Standby failover deployment, you need to create separate EtherChannels on the switches in the VSS, one for each ASA, which is an overhead.
Hope the information provided is useful!
Regards,
Akhil Behl
Solutions Architect
Cisco Systems
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
08-03-2013 01:44 AM
Thanks for taking the time to respond in full Akhil.
1. Any dates as to when Cisco will support both CX and IPS in the same box?
The first release of CX was planned without IPS support, though future release(s) do have IPS support for the NGFW service module on the roadmap.
To your point, statistically, in many organizations it is not common to have all firewall and related services on the same network device, from performance and separation-of-duties perspectives. For those that need IPS functionality in the same physical chassis as a firewall, the ASA 5585-X supports a hardware (SSP) based IPS solution. I know this is not really in line with your query; however, I am trying to provide a perspective on how the larger community thinks.
I can understand that from a data centre perspective. However, many small/medium businesses are not willing to spend on dedicated IPS sensors, 5585-Xs, or additional midrange firewall pairs, at least not in the UK in the current financial climate.
Also, if Cisco has concluded that IPS and CX features should not be combined in the same small/midrange appliance, then why is it not sticking to this decision? I do appreciate this is more of a product marketing topic, and not exactly data centre either, but thank you for being open to the questions. Hope I'm not getting you into hot water! It certainly adds value to the forum.
2. Online Cisco documentation says it will implement IPS functionality into CX, in future. Does this mean Cisco will simply fix the above interoperability issue, or will it develop an entirely new IPS solution that is embedded within CX?
As I mentioned earlier, I don't see an interoperability issue here, since the FCS release never had IPS planned into it. IPS functionality for the CX NGFW services module is on the roadmap and will support full IPS capabilities.
Good news.
In my honest opinion, using a port channel with ASA failover is not the best of designs. The major reason is that you lose 2 interfaces for something which could have been handled by one and hence lose a good ZONE. Moreover, for an ASA in an Active/Standby failover deployment, you need to create separate EtherChannels on the switches in the VSS, one for each ASA, which is an overhead.
OK, thanks for your feedback on this.
08-03-2013 08:02 AM
Hi Shillings,
I understand your point here and agree with it. However, what I said about the CX's IPS capabilities was a perspective based on what my colleagues have seen in today's data centers.
It goes without saying (and it is the same as what you mentioned) that it's on a need-by-need basis, as per the requirements of the network as well as organizational security / regulatory requirements, that one may or may not want the same platform to do multiple things. Cost also drives many things, and I agree that many organizations want to have an all-in-one security appliance or blade.
Again, Cisco isn't taking IPS away from CX and is coming up with an option for it, as it is on the roadmap. So you stay empowered in the next releases!
Regards,
Akhil Behl
Solutions Architect
Cisco Systems
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
08-05-2013 06:54 AM
I understand your point here and agree with it. However, what I said about the CX's IPS capabilities was a perspective based on what my colleagues have seen in today's data centers.
It goes without saying (and it is the same as what you mentioned) that it's on a need-by-need basis, as per the requirements of the network as well as organizational security / regulatory requirements, that one may or may not want the same platform to do multiple things. Cost also drives many things, and I agree that many organizations want to have an all-in-one security appliance or blade.
Again, Cisco isn't taking IPS away from CX and is coming up with an option for it, as it is on the roadmap. So you stay empowered in the next releases!
Thanks Akhil.
On an IPS/CX related topic, and apologies that my CX understanding is not very good yet, but would CX benefit from using the integrated IPS to inspect SSL traffic? Put another way, my understanding is that CX can already decrypt, inspect, and then re-encrypt SSL traffic, but is there any value in sending the decrypted HTTP traffic to the IPS engine as well, or does CX already perform the same tasks that IPS does in this particular scenario?
08-07-2013 08:52 AM
Hello Shillings,
Your understanding on CX is as good as mine : )
So, the basic difference in a firewall inspecting a packet and an IPS inspecting a packet is as follows:
Firewall inspection is mainly geared towards UPNP protocols, e.g. FTP, SCCP, H.225, etc., to open ports and also to look at the content inside the packet and match it against one or another policy. Essentially, the firewall does filtering based on static rules.
IPS inspection is mainly required to drill down into the payload / header and, based upon signatures or attack profiles, take an action (depending on whether the IPS is inline or promiscuous). An IPS can also perform heuristic analysis for 0-day signatures, which a firewall is not designed to do. So say there's a malicious payload being tunneled in an HTTP packet: while the firewall may not be able to look into the content and segregate it as malicious traffic, the IPS can do it based on signatures, profiles, pattern matching or heuristics.
Hope this gives a perspective on CX vs. CX + IPS.
Regards,
Akhil Behl
Solutions Architect
Cisco Systems
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
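The distinction drawn in the answer above, as an added toy model that is not code from the post, the ASA, CX or any IPS: a static rule base keyed on protocol and port (the firewall) beside a signature match over the payload (the IPS), run over constructed sample packets, with the inline/promiscuous difference shown as drop versus alert. The marker strings, addresses and signature IDs are all made up.

```python
"""Toy model of the two inspection styles from the post: a firewall's static
rule base versus an IPS's signature match on the payload. Constructed
example; not ASA, CX or IPS code."""
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""

# Firewall: static rules keyed on protocol and port. The payload is never
# read, which is the post's point about "filtering based on static rules".
FIREWALL_RULES = {("tcp", 80): "permit", ("tcp", 443): "permit"}

def firewall_decision(pkt):
    return FIREWALL_RULES.get((pkt.proto, pkt.dport), "deny")

# IPS: signature set. Harmless constructed marker strings stand in for real
# signatures; matching runs on the (already decrypted) payload bytes.
SIGNATURES = {"SIG-1001": b"TEST-MARKER-A", "SIG-1002": b"TEST-MARKER-B"}

def ips_decision(pkt, inline=True):
    hits = [sid for sid, pat in SIGNATURES.items() if pat in pkt.payload]
    if not hits:
        return "pass", hits
    # An inline IPS can drop; a promiscuous (SPAN-fed) IPS can only alert.
    return ("drop" if inline else "alert"), hits

def inspect(pkt, inline=True):
    """Firewall first; only permitted traffic reaches the IPS engine."""
    fw = firewall_decision(pkt)
    if fw == "deny":
        return {"firewall": fw, "ips": "not-reached", "signatures": []}
    action, hits = ips_decision(pkt, inline)
    return {"firewall": fw, "ips": action, "signatures": hits}

# Constructed sample traffic: a plain HTTP GET, an HTTP POST whose body
# carries a marker (passes the firewall, caught by the IPS), and telnet
# (denied by the static rules before any payload is examined).
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", 80, "tcp", b"GET / HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 80, "tcp", b"POST /up HTTP/1.1\r\n\r\nTEST-MARKER-A"),
    Packet("10.0.0.5", "192.0.2.10", 23, "tcp", b"TEST-MARKER-B"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.dport, inspect(p))
```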
08-07-2013 11:32 AM
OK, it was just a thought that there might be some direct co-operation between the two.
Thanks for all your responses.
08-03-2013 03:22 AM
Dear team,
My Cisco 1841 router is not taking the clear counters command. Why?
08-04-2013 12:47 PM
Hello Sandeep,
This topic is dedicated to Cisco ASA's next gen security features.
Although your query is not in line with the topic, here are a few things you can try:
1. Since you have not provided a snapshot or the error, are you trying the command in privileged (EXEC) mode? See
http://www.cisco.com/en/US/docs/ios/12_2/interface/command/reference/irfacces.html#wp1120161
2. If yes, do you have the right privilege to issue the command (if there's an AAA local or server based authorization)?
3. Are you able to issue any other clear counter commands (e.g. clear counters)?
Try these. If you're not able to run any clear counters command, it's most probably AAA.
Regards,
Akhil Behl
Solutions Architect
Cisco Systems
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
08-07-2013 11:05 PM
Hello! Could you help me download ciscovusb.zip? I'm getting a bad gateway error (502).
08-08-2013 04:45 AM
Hi Mark,
This query is unrelated to the thread and I don't have a probable solution or suggestion for you.
The best I can do is point you to Google results on the same.
Regards,
Akhil Behl
Solutions Architect
Cisco Systems
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953