Editor’s note: Special thanks to Alexandre Moraes for writing this month’s Chalk Talk article! See the end of this article for a list of additional resources from Alexandre.
The IP address is a basic attribute of any computer system that relies on the TCP/IP protocol stack to establish network connectivity. As a result, the vast majority of access control rules deployed on stateful firewalls are based on parameters present in, for instance, the IP, TCP, UDP and HTTP headers. Although this protocol-based approach has proven powerful, the need for networks flexible enough to accommodate multiple classes of users (employees, contractors, guests), together with the increasing demand for network mobility, has motivated the search for alternative ways of implementing access control.
This article briefly examines the creation of firewall rules that include some sort of Identity-based information for the users initiating connection requests. As we will see later, in some scenarios identity information may also be associated with the servers.
Even though Cisco offers two families of firewalls (ASA and IOS), we will concentrate our discussion on the ASA platform, which supports three generations of Identity-based access control.
The first generation is centered on the captive portal paradigm, relying mainly on downloadable ACLs to differentiate among users connecting through the firewall. The second, normally referred to as the ID Firewall, allows the creation of permissions based on MS AD user/group domain information. The third generation, known as the SGT Firewall, represents a true evolution because it provides integration not only between the firewall and the edge devices (such as wireless APs and LAN switches), which are the main source of user information, but also between the firewall and the switches that reside on the server side.
The ASA Cut-through Proxy feature leverages the authentication functionality embedded in a set of protocols (HTTPS, HTTP, Telnet and FTP) to intercept connection attempts (through the firewall) and extract user credentials. The user information obtained is forwarded to the AAA server for validation. The most interesting use cases are those in which an authorization profile in the form of a downloadable ACL (dACL) is received from the AAA server (Cisco ACS or Cisco Identity Services Engine are the most common options). It is important to emphasize that the dACL may specify permissions for any application protocol, not only those that natively support authentication.
Among the available triggering protocols, HTTPS is the most suitable option, not only for its encryption support but also because typical users are familiar with browser interfaces.
The Cut-through Proxy process is summarized in figure 1.
Figure 1
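As an added illustration (not configuration from the article or from Cisco documentation), the following ASA fragment shows the Cut-through Proxy flow above: HTTPS is the trigger, the RADIUS server returns a dACL, and per-user-override lets that dACL take precedence over the interface ACL for every protocol the user subsequently opens. Server names, addresses, subnets, ports and secrets are placeholders.

```cisco
! Added example (not from the article): ASA Cut-through Proxy with a
! RADIUS server (ACS or ISE) that returns a downloadable ACL.
! Names, addresses and the shared secret are placeholders.
!
! 1. RADIUS server that validates credentials and returns the dACL
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.1.1.10
 key ReplaceWithSharedSecret
!
! 2. Which connections trigger authentication: HTTPS from the user subnet
!    (chosen because the prompt is encrypted and shown in the browser)
access-list AUTH_TRIGGER extended permit tcp 10.10.0.0 255.255.0.0 any eq https
aaa authentication match AUTH_TRIGGER inside ISE
!
! 3. Serve the credential prompt from an encrypted listener on the ASA
!    (port 8443 avoids clashing with HTTPS management on the interface)
aaa authentication secure-http-client
aaa authentication listener https inside port 8443 redirect
!
! 4. Interface ACL admits only the trigger traffic; per-user-override lets
!    the dACL received for the authenticated user replace it, including
!    for protocols that carry no authentication of their own
access-list INSIDE_IN extended permit tcp 10.10.0.0 255.255.0.0 any eq https
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside per-user-override
!
! 5. Drop the cached user-to-IP entry after 10 minutes of inactivity,
!    so a reused address does not inherit another user's dACL
timeout uauth 0:10:00 inactivity
```

The dACL itself is defined on the RADIUS server; the ASA only needs to trust that server and to allow the downloaded entries to override the interface policy.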
The Identity Firewall (ID-FW) approach allows the ASA to integrate with Microsoft Active Directory (MS AD) and create access rules based on domain membership information. To accomplish this mapping of users and groups from MS AD, the ASA makes use of an auxiliary element called the AD agent.
One important aspect of the ID-FW solution is that the lists of users and groups are readily available to the firewall administrator, which significantly facilitates policy creation and makes the solution better suited to modern corporations, which need to guarantee access to resources regardless of the user's location in the network (figure 2).
It is worth noting that since the introduction of the ID-FW, a “user” column is present in the firewall rules table as a possible source criterion (figure 2). This second-generation solution makes policy creation a more logical (and intuitive) process. For instance, it is much easier to understand a rule that states “do not allow sales personnel to connect to the Engineering servers” than to look up IP assignment tables to extract information about the pertinent users and servers.
Figure 2
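The “sales personnel must not reach the Engineering servers” rule quoted above, written as an ASA Identity Firewall configuration. This is an added example, not the article's or Cisco's own text; the domain name CORP, the group Sales, the service account, the AD agent, all addresses and the object names are assumed placeholders.

```cisco
! Added example (not from the article): ID-FW rule denying the AD group
! CORP\Sales access to the Engineering server subnet.
! Domain, addresses, credentials and object names are placeholders.
!
! 1. LDAP access to a domain controller, used to import users and groups
aaa-server CORP-AD protocol ldap
aaa-server CORP-AD (inside) host 10.1.1.5
 ldap-base-dn DC=corp,DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=asa-svc,CN=Users,DC=corp,DC=example,DC=com
 ldap-login-password ReplaceWithServiceAccountPassword
 server-type microsoft
!
! 2. The AD agent that reports user-to-IP logon mappings to the ASA
aaa-server ADAGENT protocol radius
 ad-agent-mode
aaa-server ADAGENT (inside) host 10.1.1.20
 key ReplaceWithSharedSecret
user-identity ad-agent aaa-server ADAGENT
!
! 3. Bind the domain nickname CORP to the LDAP server and enable the feature
user-identity domain CORP aaa-server CORP-AD
user-identity default-domain CORP
user-identity enable
!
! 4. Policy written in terms of the AD group; the source address stays "any",
!    so the rule follows the user wherever they log on
object-group network ENG_SERVERS
 network-object 10.20.30.0 255.255.255.0
object-group user SALES
 user-group CORP\\Sales
access-list INSIDE_IN extended deny ip object-group-user SALES any object-group ENG_SERVERS
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Check which IP-to-user mappings the AD agent has reported so far:
! show user-identity user active
```

A user whose logon has not been reported by the AD agent does not match the group entry, so the rule's effectiveness depends on the agent seeing the domain logon events.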
Even though the ID-FW is already more flexible (in terms of policy creation) than simply using IP/port combinations, this model is quite dependent on domain integration, which is not an option for many use cases.
With that in mind, and knowing that valuable user and device information is available on the network edge devices (such as WLAN APs and LAN switches), Cisco decided to build a truly innovative method of defining access rules on firewalls. This brand new architecture is called the SGT Firewall (SGT FW) and builds upon Cisco’s TrustSec framework.
The main aspects of the ASA-TrustSec integration are listed as follows:
Figure 3
It is very important to observe that the SGT FW architecture promotes cooperation among devices. Edge equipment (which knows a lot about users and endpoints) dynamically passes information to a central enforcement element located close to the servers (where the actual data resides). At this point, it is worth comparing this with a pure 802.1X environment (even one in which ACLs are downloaded to the switches and access points):
Figure 4
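To make the cooperation described above concrete, here is the same Sales-to-Engineering restriction expressed as an SGT Firewall policy on an ASA 9.x release. It is an added example, not the article's or Cisco's configuration; the tag names and numbers, the SXP peers (one user-edge switch, one data-center switch), addresses and passwords are assumed placeholders.

```cisco
! Added example (not from the article): SGT FW policy on an ASA 9.x.
! Tag names/values, peers, addresses and passwords are placeholders.
!
! 1. ISE supplies the SGT name/number table (environment data).
!    A PAC generated on ISE must be imported with "cts import-pac" first.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.1.1.10
 key ReplaceWithSharedSecret
cts server-group ISE
!
! 2. SXP: the ASA listens for IP-to-SGT bindings learned by the edge switch
!    (user tags) and by the data-center switch (server tags), so both sides
!    of the policy are populated dynamically
cts sxp enable
cts sxp default source-ip 10.1.1.1
cts sxp default password ReplaceWithSxpPassword
cts sxp connection peer 10.1.1.30 password default mode local listener
cts sxp connection peer 10.1.1.40 password default mode local listener
!
! 3. Policy objects refer to security groups, never to addresses
object-group security SG_SALES
 security-group name Sales
object-group security SG_ENG_SERVERS
 security-group tag 30
!
! 4. The rule is unchanged when a user or a server moves to another
!    subnet, site or VLAN, because only the binding changes
access-list INSIDE_IN extended deny ip object-group-security SG_SALES any object-group-security SG_ENG_SERVERS any
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Inspect the bindings received over SXP:
! show cts sxp sgt-map
```

Traffic whose source or destination has no binding on the ASA carries no tag and is evaluated only by the address-based entries, so monitoring the SXP binding table is part of operating this policy.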
Even though all three forms of Identity-based control are simultaneously available on recent versions of the ASA platform, the third generation represents huge progress in terms of security and ease of operations. This is not only because the SGT FW makes rule maintenance much simpler, but also because of the optimization it provides with respect to device roles (each element in the network is used in the way that adds the most value to the overall infrastructure). Another interesting advantage of the SGT FW model is that it is equally applicable to physical and virtual Data Center switches, thus allowing an unprecedented level of integration in the network.
Notes and References
For other Firewall related topics, please check the Cisco Press title:
By Alexandre M.S.P. Moraes. (Cisco Press – 2011)
To explore the potential of ISE, and other Identity-based solutions, the following Cisco Press book is highly recommended:
Cisco ISE for BYOD and Secure Unified Access
Another source of useful information on Security and Networking topics is the author's blog:
* The new posts are announced on twitter: @alexandre_mspm