Messages

Cool, man.  Thanks for the feedback

Too many gifs, man...too many gifs!

Good points on everything.

Weren't you looking or testing a TrustSec system awhile ago? I remember you were deep into ISE, but had also investigated another system that had a client-based and clientless model for identity awareness and security? If so, what happened to that project?

Also, do you run IPS on your internal firewall?

Hey all, long time no see! 

Have any of you done, or working on, segmenting end users, departments, or different business units within your company cannot communicate with each other?

I'm doing research into this now and I'm finding two ways that this can be done:
1. VRFs (EVN, VRF-Lite, etc) and firewalls
2. Cisco TrustSec using SGTs, ISE, etc
3. Lots of firewalls

I'm OK with #1, but I feel like it requires more work and consideration to create new VRFs.  On the other hand, it's well known and widely used.

I like #2 and I feel like it's easier and better at scaling, but its reliance on ISE scares me.  I also don't know how mature or widely deployed it is.

I don't really like #3, but it's the most well known method of segmenting users.

What did you choose and why?  What are your thoughts?

Thanks!

We were actually close to disabling all the inspections on all of our internal ASAs because of the problems they created (especially ESMTP).  We never pulled the trigger, though

Danggggggg, that sucks.  Get well soon, sir! And don't give up on your X Games dreams!

I've been actually thinking about this for the past few months...

First and foremost, one with no on-call responsibility (still in the networking arena).  I'm getting to the point where I DON'T want my personal life invaded with after hours calls.  I'm still OK with maintenance windows. 

Other than that, one with various networking gear and technology and is very progressive with keeping up with technology.  Perhaps one that heavily embraces "next generation networking" (e.g. SDN, automation, orchestration, programmability, blah blah blah)

Any ideas?

And I appreciate your approach, AspiringNetworker :-)

Just to close the book on my issue, we ended up creating a deny rule for each nameif that denied it's network from talking to other networks on the same box, then created permit rules to whereever the network needed to go.  Copy and paste saved the day, as usual.  This really made me appreciate true zone-based firewalls, but it is what it is.

21 interfaces with one subnet each
1 interface acts as the inside/transit to the internal network where the remaining enterprise subnets exist (>100) and Internet is reachable through

The problem is that some of the 21 subnets behind those interfaces need a limited "any" access to the inside/transit side of the network (AKA, the enterprise), so the FW rules on an ASA with ACLs would look something like this:

Subnet1 deny Subnet2
Subnet1 deny Subnet3
Subnet1 deny Subnet4
Subnet1 deny Subnet5
Subnet1 deny Subnet6
Subnet1 permit any

Subnet2 deny Subnet1
Subnet2 deny Subnet3
Subnet2 deny Subnet4
Subnet2 deny Subnet5
Subnet2 deny Subnet6
Subnet2 permit any

[and so on]

So 21 subnets with 1 additional "any" subnet, we're looking at up to 21(21-1)+X=441+X ACLs, where X is the number of "any" ACLs I'll have....maybe my math is jacked up, but you get the point.  On the other hand the SRX has around 146 rules or so thanks to its implicit deny at the end of each zone (each subnet ties into a zone)

Sure, I could use object groups...but it still hurts that there isn't a more efficient way to do it :-(

Heard that the ASAs recently received a zone-based feature. Looks like 9.3.2 and the feature is called traffic zones. If cisco is five or so years behind the market it probably means it's buggier than an ant hill.

I LOLed!!!!

And what's frustrating is that the "zone" feature isn't even what we think of as a zone in the context of firewall/security speak!!!

with your example above SubnetX can talk to each of the other subnets A, B, C, D, & E.
since the 'same-security-traffic permit inter-interface'  command is global to allow same-security interfaces to communicate will allow all security level 50's to talk, you'll need use denies in the ACL to block unwanted traffic flows. subnets A, B, C, D, & E will need ACL's applied to allow communication with subnetX

Damnit! I was afraid of that.  I'm going over this with TAC at the same time, hoping there's a way to do this.  But the more I think about it, we're essentially using the ASA as a multitenant firewall...and why would Cisco give us true security zones when they can sell us ASA context licenses?

This is one place where I like the SRX better.

I came across that command/feature earlier while Googling, but looks like it's just for traffic load balancing/ECMP:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-zones.html

"You can assign multiple interfaces to a traffic zone, which lets traffic from an existing flow exit or enter the ASA on any interface within the zone. This capability allows Equal-Cost Multi-Path (ECMP) routing on the ASA as well as external load balancing of traffic to the ASA across multiple interfaces."

So say I have this:


INTERFACES:
nameif SubnetA
security-level 50

nameif SubnetB
security-level 50

nameif SubnetC
security-level 50

nameif SubnetD
security-level 50

nameif SubnetE
security-level 50

nameif SubnetX
security-level 100



ACL:
Permit SubnetA to talk to SubnetB
Permit SubnetC to talk to SubnetD
Permit SubnetE to talk to Any



Would this imply that SubnetE (security-level 50) will only be able to talk to SubnetX (security-level 100) but NOT Subnets A through D since A through D are the same security level?

Is there a way to setup an ASA firewall policy in a "zone-based" model where inter-zone traffic is blocked by default without the use of explicit ACLs?

This is what I mean:

• Subnet A may talk to Subnet B
• Subnet C may talk to Subnet D
• Subnet E may talk to Any EXCEPT Subnet B and D

So far the only way I see to accomplish this is to have explicit deny ACLs restricting Subnet E from talking to B and D, then permitting it to talk to Any, but that's not very scalable when there's tons of subnets and traffic patterns like that.

On a Juniper SRX I can say:

• Zone1/Subnet A may talk to Zone2/Subnet B
• Zone3/Subnet C may talk to Zone4/Subnet D
• Zone5/Subnet E may talk to Zone6/Any

This would allow Zone5/Subnet E to talk to anything only on Zone6 and implicitly block talking to Zone2 and Zone4.

I know I can use nameifs, but you still have the issue with "any" rules because nameifs just don't behave like zones.  I'm also not sure if security levels or the "same-security intra/inter..." command would help me here.  And from what I recall these commands are nullified once you apply an ACL to the interface.

Thoughts?

I was going through our ISE policies and saw a policy rule labeled "TEST" with object elements also containing the word "test."  I think, "Hmmm, this pesky test rule has been here forever and I'm tired of looking at it. I'm going to disable it!"...

Several days later I get a ticket that certain users have been having wireless issues for several days.  Sure enough, that "test" rule was serving a production function.  It pissed me off pretty badly.  I'm OK making my own mistakes, but when someone drops a banana peel for me to slip on.....that's not cool.

Thanks for sharing!

I had a feeling I wasn't thinking broadly enough.

I passed the CCDP while at Cisco Live and I have several certs I want to get, but my biggest issue at the moment with having a diverse vendor cert collection is keeping track of them and renewing them.  I got a few CompTIAs (low hanging fruit) and the JNCIA exactly three years ago in the same month and they're all expiring soon.  Do I really want to spend time relearning/recerting them when I could be spending that time getting other more valuable cert? If I get a Check Point, Palo Alto, VMware, F5, and CWNA cert like I want, I'll have a laundry list of certs to renew in a few years (not to mention the Cisco ones).  For now, I have to pick and choose wisely or they'll bite me in the butt later.

I'd love to hear what others think of this, because at the same time I think I'm overthinking/overplanning, lol