08-09-2017 09:08 AM - edited 03-12-2019 06:28 AM
Hi!
We are currently working on a design for a number of remote sites, where an ASA with FirePOWER services will sit in the middle of different types of services at a remote site, including MPLS WAN, Office, Internet, Server, etc.
There will be 5 interfaces on each of these ASAs (our goal is to standardize the design and mostly template the config), and they are running BGP for dynamic routing.
Since there will probably be 30 sites with the same setup, we would like to minimize the operation and maintenance of the policies. One of the ideas is to assign each of these interfaces to a zone (so there are 5 zones) and to create a single Access Control Policy that matches any source zone to any destination zone. We will basically allow everything (explicit access control will be left to the traditional ASA ACL) and will apply an Intrusion Policy that enables inline drop.
One of the concerns is that all these different sites will be in a private MPLS network that shares RFC1918 addresses, so when it comes to intrusion detection I'm wondering if all these sites using the same variable set might affect the detection of some of the Snort rules. For example, if a rule is from $HOME_NET to $EXT_NET and an attack is between these sites, might it not be detected properly?
Any recommendation or suggestion on the Access Control Policy and Intrusion Policy setup for this scenario will be much appreciated :)
08-10-2017 03:51 AM
Hello,
That's a good question. The variable set would matter when Snort rules are used for inspection.
You can try to find a few common networks and add them in Home_Net, and then add each of their individual networks in Home_Net as well.
That would be essential to make sure all the traffic is inspected. Adding the 0.0 network in Home_Net is also not recommended, as that could impact performance.
Thanks
yogesh
08-15-2017 01:51 AM
In order to illustrate the idea, a picture should better explain the situation. The interfaces have been simplified to just Inside and Outside; each site will be allocated a subnet from the RFC1918 address range. It shows just 3 sites in this illustration, but in production there could be up to 30 sites with the same topology.
Basically, the intention is that since the site design is standardized in terms of interface names and routing, and the protected site should be the LAN at the Inside zone, the ideal solution is to apply a single Access Control Policy and a single Intrusion Policy to all these ASAs, to simplify the ongoing operation.
However, consider a scenario where one of the clients in Site1 is compromised with self-spreading malware via CIFS/SMB, which could be scanning around to infect other hosts in Site2 and Site3. If a rule is written as from $HOME_NET to $EXTERNAL_NET port 445 for this particular exploit, I assume that if all the ASAs are applied with a single Access Control Policy, then this will not be detected.
One of the options we are considering is to have an Access Control Policy per ASA, each with its own variable set that specifies its corresponding LAN subnet as $HOME_NET, and !$HOME_NET as $EXTERNAL_NET; the Intrusion Policy will be a generic one shared with all these AC Policies.
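To make the concern raised in the original post and in the follow-up above concrete, here is an added example (not Cisco's, Snort's, or the poster's code) that models how a Snort variable set gates a rule header before the rule body is ever evaluated. The three site subnets, the `alert tcp $HOME_NET any -> $EXTERNAL_NET 445` rule header and the flows are constructed for illustration; the thread gives no concrete addresses. It compares the two designs discussed: one shared variable set listing every site's LAN in `$HOME_NET`, versus a per-ASA variable set that lists only the local LAN, with `$EXTERNAL_NET` defined as `!$HOME_NET` in both cases.

```python
"""Toy model of how a Snort variable set decides whether a rule header
applies to a flow. Added example, not Cisco's or the Snort project's code."""
import ipaddress

# Constructed sample topology (assumption; the thread gives no subnets):
# each site is handed one RFC1918 /24 for its Inside zone.
SITE_LANS = {
    "Site1": "10.1.0.0/24",
    "Site2": "10.2.0.0/24",
    "Site3": "10.3.0.0/24",
}


class VariableSet:
    """$HOME_NET is a list of networks; $EXTERNAL_NET is !$HOME_NET,
    which is both the Snort default and what the thread proposes."""

    def __init__(self, home_net):
        self.home_net = [ipaddress.ip_network(n) for n in home_net]

    def in_home_net(self, address):
        addr = ipaddress.ip_address(address)
        return any(addr in net for net in self.home_net)

    def address_matches(self, variable, address):
        if variable == "any":
            return True
        if variable == "$HOME_NET":
            return self.in_home_net(address)
        if variable == "$EXTERNAL_NET":
            return not self.in_home_net(address)
        raise ValueError(f"unsupported address specifier: {variable}")


def parse_rule_header(header):
    """Split 'alert tcp $HOME_NET any -> $EXTERNAL_NET 445' into its fields."""
    action, proto, src, sport, direction, dst, dport = header.split()
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction operator: {direction}")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport}


def _port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_applies(header, varset, src_ip, src_port, dst_ip, dst_port):
    """True if the header's address/port constraints cover the flow, i.e. the
    rule body would even be evaluated against this traffic."""
    r = parse_rule_header(header)

    def one_way(s_var, s_port, d_var, d_port):
        return (varset.address_matches(s_var, src_ip) and _port_matches(s_port, src_port)
                and varset.address_matches(d_var, dst_ip) and _port_matches(d_port, dst_port))

    forward = one_way(r["src"], r["sport"], r["dst"], r["dport"])
    if r["direction"] == "<>":
        # bidirectional operator: also accept the flow seen the other way round
        return forward or one_way(r["dst"], r["dport"], r["src"], r["sport"])
    return forward


SMB_RULE = "alert tcp $HOME_NET any -> $EXTERNAL_NET 445"


def detection_comparison():
    """Same rule, the two variable-set designs from the thread, same flows."""
    shared = VariableSet(SITE_LANS.values())        # one set for all 30 sites
    site1_only = VariableSet([SITE_LANS["Site1"]])  # per-ASA set: local LAN only
    lateral = ("10.1.0.5", 49152, "10.2.0.7", 445)         # constructed Site1 -> Site2 flow
    outbound = ("10.1.0.5", 49153, "203.0.113.10", 445)    # constructed Site1 -> Internet flow
    return {
        "shared_set_intersite": rule_applies(SMB_RULE, shared, *lateral),
        "shared_set_internet": rule_applies(SMB_RULE, shared, *outbound),
        "per_site_set_intersite": rule_applies(SMB_RULE, site1_only, *lateral),
    }


if __name__ == "__main__":
    for name, hit in detection_comparison().items():
        print(f"{name}: {'rule evaluated' if hit else 'rule skipped'}")
```

With the shared set, the Site1 to Site2 flow on TCP/445 never reaches the rule body because the destination is inside `$HOME_NET` and therefore not in `$EXTERNAL_NET`; the same rule still fires for Site1 to Internet. With the per-ASA set, the inter-site flow is evaluated. The model also handles the `<>` operator, so the same check can be run for rules written bidirectionally.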