Isolate Internet connectivity to non standard ports

CHRIS KALETH · ‎08-27-2019

We have ASA's in every office as the egress firewall for the Internet. We only allow 80/443 outbound but we receive many requests from staff to access client sites that include a random port (ex. www.xyz.com:8080) so we have to add a firewall rule each time we have this for our ASA's. I was hoping we could create an isolated sandbox environment that a user could spin up a vm on demand and this vm would be isolated from our internal network (except for connectivity to it) and the user would login, access the site, and when done it would wipe the vm. Is there any recommendations along this line or other recommended methods to allow these random ports outbound w/out compromising security?

Karsten Iwen · ‎08-28-2019

This is more a virtualisation question than an ASA-question. I use something similar, but the spin-up of the VMs is done manually on demand.

The ASA-config is straight-forward. The VM-host resides in the DMZ and has an access-control with nearly everything allowed to the internet but nothing to the rest of the network.

The VMs are configured to always start from the template. And this is the part that does not scale. But with a VDI-solution (like Citrix or VMware Horizon) you should be able to automate this in a scalable way.