Virtual Private Networks
Case Study 3 Data Center Security with Cisco ASA
SecureMe builds security policies that align asset protection with business goals. To secure its data center, the security administrator defines separate security zones. These zones divide the data center into areas that are logically isolated from one another, so that security threats and anomalies are contained with minimal impact. The individual zones in SecureMe's data center support individual application groups of servers. Each zone is protected by a virtual firewall context on the Cisco ASA 5520s at the data center (DC-5520-1 and DC-5520-2). Figure 22-7 illustrates how each zone is protected by each security context.
Figure 22-7. Data Center Zones and Virtual Contexts
SecureMe's data center has four different zones, corresponding to individual virtual firewall contexts running in transparent mode:
- Authentication servers (authservers context)
- E-commerce applications (e-commerce context)
- MySQL database server and third-party applications (databases context)
- Mail and DNS servers (maildns context)
Communication between applications is limited to specific traffic required for application integration, data warehousing, and web services.
Interfaces cannot be shared between contexts in transparent mode, so each virtual context needs its own inside and outside subinterfaces. Example 22-11 shows the system context configuration and how each separate context is created.
Example 22-11. Admin Context Configuration
!Cisco ASA 5520 running in transparent multi-mode
firewall transparent
!
!Separate subinterfaces are created and associated to their respective VLANs
interface GigabitEthernet0/0
!
interface GigabitEthernet0/0.1
 vlan 200
!
interface GigabitEthernet0/0.2
 vlan 201
!
interface GigabitEthernet0/0.3
 vlan 202
!
interface GigabitEthernet0/0.4
 vlan 203
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/1.1
 vlan 100
!
interface GigabitEthernet0/1.2
 vlan 101
!
interface GigabitEthernet0/1.3
 vlan 102
!
interface GigabitEthernet0/1.4
 vlan 103
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/2.1
 vlan 501
!
interface GigabitEthernet0/2.2
 vlan 502
!
interface GigabitEthernet0/3.1
 vlan 503
!
interface GigabitEthernet0/3.2
 vlan 504
!
interface Management0/0
!
enable password 8Ry2YjIyt7RRXU24 encrypted
hostname DC-5520-1
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0
!
!Admin context configuration. Management0/0 interface is allocated for the admin context
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
!Virtual context for RADIUS and Domain Controllers
context authservers
 description Virtual context for Radius and Domain Controllers
 allocate-interface GigabitEthernet0/0.1
 allocate-interface GigabitEthernet0/1.1
 config-url disk0:/authservers.cfg
!
!Virtual context for e-commerce applications
context ecommerce
 description Virtual context for e-commerce applications
 allocate-interface GigabitEthernet0/0.2
 allocate-interface GigabitEthernet0/1.2
 config-url disk0:/ecommerce.cfg
!
!Virtual context for databases and third-party application
context databases
 description Virtual context for databases and third-party app
 allocate-interface GigabitEthernet0/0.3
 allocate-interface GigabitEthernet0/1.3
 config-url disk0:/databases.cfg
!
!Virtual context for email and DNS servers
context maildns
 description Virtual context for email and DNS servers
 allocate-interface GigabitEthernet0/0.4
 allocate-interface GigabitEthernet0/1.4
 config-url disk0:/maildns.cfg
!
!Virtual context for active/active failover (join-failover-group is the ASA keyword)
context FO_context1
 allocate-interface GigabitEthernet0/2.1
 allocate-interface GigabitEthernet0/3.1
 config-url flash:/FO_context1.cfg
 join-failover-group 1
!
!Virtual context for active/active failover
context FO_context2
 allocate-interface GigabitEthernet0/2.2
 allocate-interface GigabitEthernet0/3.2
 config-url flash:/FO_context2.cfg
 join-failover-group 2
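Because a transparent context must own its inside and outside subinterfaces exclusively, a quick sanity check on the system context is to confirm that no subinterface is allocated to two contexts and that every data context has exactly two. The following Python is an added example, not from the book; it parses a constructed excerpt of Example 22-11 (data contexts only, the admin context is omitted because it has a single management interface).

```python
# Constructed excerpt of the system-context configuration from Example 22-11.
SYSTEM_CONFIG = """\
context authservers
 allocate-interface GigabitEthernet0/0.1
 allocate-interface GigabitEthernet0/1.1
 config-url disk0:/authservers.cfg
context ecommerce
 allocate-interface GigabitEthernet0/0.2
 allocate-interface GigabitEthernet0/1.2
 config-url disk0:/ecommerce.cfg
context maildns
 allocate-interface GigabitEthernet0/0.4
 allocate-interface GigabitEthernet0/1.4
 config-url disk0:/maildns.cfg
"""


def parse_allocations(config):
    """Return {context_name: [interfaces]} from 'context' / 'allocate-interface' lines."""
    allocations = {}
    current = None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("context "):
            current = line.split()[1]
            allocations[current] = []
        elif line.startswith("allocate-interface ") and current is not None:
            allocations[current].append(line.split()[1])
    return allocations


def find_shared_interfaces(allocations):
    """Interfaces allocated to more than one context (not allowed in transparent mode)."""
    owners = {}
    for ctx, ifaces in allocations.items():
        for iface in ifaces:
            owners.setdefault(iface, []).append(ctx)
    return {iface: ctxs for iface, ctxs in owners.items() if len(ctxs) > 1}


def find_bad_context_sizes(allocations, expected=2):
    """A transparent data context needs exactly one inside and one outside interface."""
    return [ctx for ctx, ifaces in allocations.items() if len(ifaces) != expected]


if __name__ == "__main__":
    alloc = parse_allocations(SYSTEM_CONFIG)
    print("shared interfaces:", find_shared_interfaces(alloc))
    print("contexts without exactly two interfaces:", find_bad_context_sizes(alloc))
```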
The Cisco ASA 5520s at SecureMe's data center include a configuration for each context that identifies the security policy for each zone. Figure 22-8 illustrates one of the security contexts (maildns context) within the respective data center zone.
Figure 22-8. Mail and DNS Server Data Center Zone
Example 22-12 shows the maildns virtual context configuration.
Example 22-12. maildns Context Configuration
DC-5520-1/maildns(config)# show running-config
: Saved
:
ASA Version 7.0(1)
firewall transparent
names
!
interface GigabitEthernet0/1.4
 nameif inside
 security-level 100
!
interface GigabitEthernet0/0.4
 nameif outside
 security-level 0
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
!
!ASA automatically configures the hostname parameters to the context name
hostname maildns
!
!ACL allowing only mail and DNS traffic to corresponding servers
access-list maildns extended permit tcp any host 10.20.4.50 eq smtp
access-list maildns extended permit tcp any host 10.20.4.50 eq pop3
access-list maildns extended permit tcp any host 10.20.4.50 eq imap4
access-list maildns extended permit udp any host 10.20.4.98 eq domain
access-list maildns extended permit udp any host 10.20.4.99 eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 10.10.1.55 255.255.255.0
no asdm history enable
arp timeout 14400
!
!A static NAT is configured to limit the maximum number of connections to 10000 and
!maximum embryonic connections to 500.
static (inside,outside) 10.20.4.0 10.20.4.0 netmask 255.255.255.0 tcp 10000 500
static (inside,outside) 10.20.4.0 10.20.4.0 netmask 255.255.255.0 udp 10000 500
!
!Access-group for the previously configured access-list
access-group maildns in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:00000000000000000000000000000000
: end
[OK]
DC-5520-1/maildns(config)#
ESMTP inspection is configured in the maildns context. All other security contexts are configured similarly to the maildns context, except for the appropriate ports and protocols allowed for each application.
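To verify what the maildns policy actually exposes, the following Python (an added example, not from the book) evaluates a flow against the access list the way the ASA does: the first matching entry wins, and any unmatched flow hits the implicit deny at the end of the list. It assumes the `any host DST eq PORT` entry form used in Example 22-12 and maps the ASA service names that appear there to port numbers.

```python
import ipaddress

# Constructed copy of the five access-list entries from Example 22-12.
MAILDNS_ACL = """\
access-list maildns extended permit tcp any host 10.20.4.50 eq smtp
access-list maildns extended permit tcp any host 10.20.4.50 eq pop3
access-list maildns extended permit tcp any host 10.20.4.50 eq imap4
access-list maildns extended permit udp any host 10.20.4.98 eq domain
access-list maildns extended permit udp any host 10.20.4.99 eq domain
"""

# ASA service keywords used in this ACL, mapped to port numbers.
PORT_NAMES = {"smtp": 25, "pop3": 110, "imap4": 143, "domain": 53}


def parse_acl(text):
    """Parse entries of the form 'access-list NAME extended ACTION PROTO any host DST [eq PORT]'."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] != "access-list" or f[2] != "extended" or f[6] != "host":
            continue  # only the 'any host DST' form used on this page is handled
        action, proto, dst = f[3], f[4], ipaddress.ip_address(f[7])
        port = None  # no 'eq' clause means any destination port
        if len(f) >= 10 and f[8] == "eq":
            port = int(f[9]) if f[9].isdigit() else PORT_NAMES[f[9]]
        entries.append((action, proto, dst, port))
    return entries


def evaluate(entries, proto, dst_ip, dst_port):
    """Return 'permit' or 'deny' for a flow; unmatched flows hit the implicit deny."""
    dst = ipaddress.ip_address(dst_ip)
    for action, p, host, port in entries:
        if p == proto and host == dst and (port is None or port == dst_port):
            return action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(MAILDNS_ACL)
    for flow in [("tcp", "10.20.4.50", 25), ("udp", "10.20.4.98", 53),
                 ("tcp", "10.20.4.98", 53), ("tcp", "10.20.4.50", 22)]:
        print(flow, "->", evaluate(acl, *flow))
```

Running it makes visible that DNS over TCP to the DNS servers is not permitted by this ACL, which is worth confirming is intended before relying on the 512-byte `inspect dns` limit.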