Security Concerns - transparent firewalls

ITforever
Level 1

Hello,

A week ago I came across a network designed in the following fashion:

LAN---CheckPoint(routed)---ASAwithSSP(transparent)---UNTRUSTED

SubnetXt - External range on the CheckPoint's outside inf

ASA (transparent and might have inspection turned on) had a rule allowing "any to SubnetXt" without any ports/services defined.

However, CheckPoint has a right policy in place to stop/filter unnecessary traffic to SubnetXt.

I am just curious if this setup is ok. Do you see any issues with this setup? - I might be wrong but it feels like the excessive (by attackers like DDOS) transit traffic through the ASA to the CheckPoint can make ASA unresponsive even if the CheckPoint drops it? My concern is that by the time the traffic gets to the CheckPoint for dropping, it would consume the resources of the ASA?

Please feel free to bring up any other security issue you see with this type of setup.

Many thanks.


Oliver Kaiser
Level 7

You have stated that traffic is being blocked on checkpoint and after that asa just permits everything from your trusted segment to your untrusted segment. 

I don't see any technical issue with that since traffic is already denied nearest to the source (checkpoint).

Considering your concern I would assume this is a bi-directional policy, so traffic from untrusted to trusted is also only filtered on checkpoint. In that case it could be argued that the conn table of asa could be depleted with half-open sessions that are being blocked after asa on checkpoint. In that case it would make sense to filter on asa but tbh most DDoS attacks won't try to deplete your conn table resources, but either target legitimate destinations (e.g. force asa to waste cpu cycles on control plane actions -> black nurse attack, request resources on a backend server that must be processed) or just fill up your pipe, which you can only solve by working with your isp or using a cloud based ddos protection service.

The only other issue I see with this setup is why even bother with two firewalls if only one enforces policy? In case ASA uses firepower services and does IPS/AMP the setup makes sense, but if it's only stateful inspection and permits all traffic it's not doing any good.

Thanks a lot for your thoughts. Sorry for the confusion - I was referring to the outbound traffic mainly - the traffic from the UNTRUSTED towards LAN thru ASA first and then ChkPt.

Your point about the black nurse attack is interesting - a good topic to research a bit. Do you refer to filling up the pipe between these 2 firewalls or between the ISP and the ASA? Or both maybe? 

I have not seen the detailed config on the ASA but I guess it might be using FP/IPS/AMP. Even with AMP/IPS/FPS, would it be safe to have the following rule on the ASA - allow any(from OUTSIDE/UNTRUSTED) to SubnetXt(towards ChkPt/LAN) without locking down to ports/services required? - I thought it might be useful to add the list of ports to the ACL as well - it might be a bit tedious for admins though as SubnetXt is /24 and they should find and list all the ports/services the subnet needs and plus they should maintain this services object.
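As an added illustration (not from the thread or from either poster), this is what the tightening discussed above could look like on the ASA: the "any to SubnetXt" rule as described, beside a version that permits only a maintained service object-group, plus an embryonic-connection cap addressing the half-open-session point raised in the first reply. The subnet 203.0.113.0/24 stands in for SubnetXt, the interface nameif "outside", the listed services and the limits are all assumptions, and the object syntax assumes ASA 8.3 or later.

```cisco
! Constructed example. 203.0.113.0/24 stands in for SubnetXt; the nameif
! "outside", the service list and the numeric limits are assumptions.
!
! --- Weak form, as described in the thread: any source, any service, whole /24
access-list OUTSIDE_IN extended permit ip any 203.0.113.0 255.255.255.0
!
! --- Tightened form: one service object-group holds the list of services
!     SubnetXt needs, so admins maintain a single object instead of many ACEs
object network SUBNETXT
 subnet 203.0.113.0 255.255.255.0
!
object-group service SUBNETXT_SERVICES
 service-object tcp destination eq https
 service-object tcp destination eq smtp
 service-object udp destination eq 500
 service-object udp destination eq 4500
 service-object esp
!
access-list OUTSIDE_IN extended permit object-group SUBNETXT_SERVICES any object SUBNETXT
access-list OUTSIDE_IN extended deny ip any any log
!
access-group OUTSIDE_IN in interface outside
!
! --- Cap half-open (embryonic) TCP connections toward SubnetXt so a SYN flood
!     the Check Point would drop anyway cannot fill the ASA conn table first
access-list SUBNETXT_TCP_ACL extended permit tcp any object SUBNETXT
!
class-map SUBNETXT_TCP
 match access-list SUBNETXT_TCP_ACL
!
policy-map global_policy
 class SUBNETXT_TCP
  set connection embryonic-conn-max 1000 per-client-embryonic-max 20
```

In transparent mode the same ACL syntax applies, but non-IP traffic that must cross the ASA still needs a separate EtherType ACL; the explicit deny with log also gives the Check Point's drops a counterpart in the ASA logs.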
