Zone-based model on ASA?

Started by killabee, August 11, 2015, 12:24:57 AM


killabee

Is there a way to setup an ASA firewall policy in a "zone-based" model where inter-zone traffic is blocked by default without the use of explicit ACLs?

This is what I mean:

  • Subnet A may talk to Subnet B
  • Subnet C may talk to Subnet D
  • Subnet E may talk to Any EXCEPT Subnet B and D

So far the only way I see to accomplish this is to have explicit deny ACLs restricting Subnet E from talking to B and D, then permitting it to talk to Any, but that's not very scalable when there's tons of subnets and traffic patterns like that.

On a Juniper SRX I can say:

  • Zone1/Subnet A may talk to Zone2/Subnet B
  • Zone3/Subnet C may talk to Zone4/Subnet D
  • Zone5/Subnet E may talk to Zone6/Any

This would allow Zone5/Subnet E to talk to anything only on Zone6 and implicitly block talking to Zone2 and Zone4.

I know I can use nameifs, but you still have the issue with "any" rules because nameifs just don't behave like zones.  I'm also not sure if security levels or the "same-security intra/inter..." command would help me here.  And from what I recall these commands are nullified once you apply an ACL to the interface.

Thoughts?

deanwebb

Part of that is handled with security levels for zones: lower may not talk to higher, by default.

But then, yeah, you're going to have to use ACLs.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

dlots

Yeah, depending on how complex you want it, levels might be how you want to go. Higher can talk to lower, but lower can't talk to higher, and ones on the same level can't talk to one another by default.

The Juniper way does sound more awesome.

killabee

So say I have this:


INTERFACES:
nameif SubnetA
security-level 50

nameif SubnetB
security-level 50

nameif SubnetC
security-level 50

nameif SubnetD
security-level 50

nameif SubnetE
security-level 50

nameif SubnetX
security-level 100



ACL:
Permit SubnetA to talk to SubnetB
Permit SubnetC to talk to SubnetD
Permit SubnetE to talk to Any



Would this imply that SubnetE (security-level 50) will only be able to talk to SubnetX (security-level 100) but NOT Subnets A through D since A through D are the same security level?

packetherder

Heard that the ASAs recently received a zone-based feature. Looks like 9.3.2, and the feature is called traffic zones. If Cisco is five or so years behind the market, it probably means it's buggier than an ant hill.

killabee

I came across that command/feature earlier while Googling, but it looks like it's just for traffic load balancing/ECMP:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-zones.html

"You can assign multiple interfaces to a traffic zone, which lets traffic from an existing flow exit or enter the ASA on any interface within the zone. This capability allows Equal-Cost Multi-Path (ECMP) routing on the ASA as well as external load balancing of traffic to the ASA across multiple interfaces."

wintermute000

Quote from: packetherder on August 11, 2015, 05:18:33 PM
Heard that the ASAs recently received a zone-based feature. Looks like 9.3.2, and the feature is called traffic zones. If Cisco is five or so years behind the market, it probably means it's buggier than an ant hill.
I LOLed!!!!

icecream-guy

Quote from: killabee on August 11, 2015, 05:07:29 PM
So say I have this:


INTERFACES:
nameif SubnetA
security-level 50

nameif SubnetB
security-level 50

nameif SubnetC
security-level 50

nameif SubnetD
security-level 50

nameif SubnetE
security-level 50

nameif SubnetX
security-level 100



ACL:
Permit SubnetA to talk to SubnetB
Permit SubnetC to talk to SubnetD
Permit SubnetE to talk to Any



Would this imply that SubnetE (security-level 50) will only be able to talk to SubnetX (security-level 100) but NOT Subnets A through D since A through D are the same security level?

With your example above, SubnetX can talk to each of the other subnets A, B, C, D, & E.
Since the 'same-security-traffic permit inter-interface' command is global, enabling it to allow same-security interfaces to communicate will allow all security-level-50 interfaces to talk, so you'll need to use denies in the ACL to block unwanted traffic flows. Subnets A, B, C, D, & E will need ACLs applied to allow communication with SubnetX.

My Moral Fibers have been cut.

killabee

Quote from: wintermute000 on August 12, 2015, 04:39:23 AM
Quote from: packetherder on August 11, 2015, 05:18:33 PM
Heard that the ASAs recently received a zone-based feature. Looks like 9.3.2, and the feature is called traffic zones. If Cisco is five or so years behind the market, it probably means it's buggier than an ant hill.
I LOLed!!!!

And what's frustrating is that the "zone" feature isn't even what we think of as a zone in the context of firewall/security speak!!!

Quote from: ristau5741 on August 12, 2015, 07:36:43 AM
With your example above, SubnetX can talk to each of the other subnets A, B, C, D, & E.
Since the 'same-security-traffic permit inter-interface' command is global, enabling it to allow same-security interfaces to communicate will allow all security-level-50 interfaces to talk, so you'll need to use denies in the ACL to block unwanted traffic flows. Subnets A, B, C, D, & E will need ACLs applied to allow communication with SubnetX.

Dammit! I was afraid of that. I'm going over this with TAC at the same time, hoping there's a way to do this. But the more I think about it, we're essentially using the ASA as a multi-tenant firewall... and why would Cisco give us true security zones when they can sell us ASA context licenses?

This is one place where I like the SRX better.

wintermute000

SRX if you also want a router/Junos. Checkpoint and Palo if you want NGFW.

Ironically, I've seen SRX rejected on the grounds that it was not best practice to run the same OS on firewalls as on normal routing/switching infrastructure.

With both SRX and Palo you have the option of virtual routers as well as contexts.


BUUUUT Checkpoint has no zones.... and has rapey per-context licensing... and doesn't give you the config in a text/XML file.... and is Checkpoint.....


So: the answer is Palo.


In all seriousness though, for multi-tenant, SRX or vSRX is compelling. The R&S factor comes into play quite heavily, I find, and when dealing with multi-tenant you don't have the usual NGFW concerns (who has the time/overhead to get into that for each customer?) but rather separation and basic stateful firewalling tickbox / outbound NAT / server 1:1 NAT. SRX is a great fit and the standard go-to in a lot of multi-context firewall/router scenarios.

Disclaimer: I work for a Palo partner and drink the Kool-Aid.

Reggle

@ Wintermute: why not Fortinet?

And yes, Checkpoint isn't zone-based at all so that's useless here.

Nerm

Isn't Fortinet just a poor man's Juniper? lol

deanwebb

With only those three, I'd say "Man up and use your ACLs." But you said "tons of subnets" were involved. How many, approximately?

killabee

21 interfaces with one subnet each
1 interface acts as the inside/transit to the internal network, where the remaining enterprise subnets (>100) exist and through which the Internet is reachable

The problem is that some of the 21 subnets behind those interfaces need a limited "any" access to the inside/transit side of the network (AKA, the enterprise), so the FW rules on an ASA with ACLs would look something like this:

Subnet1 deny Subnet2
Subnet1 deny Subnet3
Subnet1 deny Subnet4
Subnet1 deny Subnet5
Subnet1 deny Subnet6
Subnet1 permit any

Subnet2 deny Subnet1
Subnet2 deny Subnet3
Subnet2 deny Subnet4
Subnet2 deny Subnet5
Subnet2 deny Subnet6
Subnet2 permit any

[and so on]

So, 21 subnets with 1 additional "any" subnet, we're looking at up to 21(21-1)+X = 441+X ACLs, where X is the number of "any" ACLs I'll have... maybe my math is jacked up, but you get the point. On the other hand, the SRX has around 146 rules or so thanks to its implicit deny at the end of each zone (each subnet ties into a zone).

Sure, I could use object groups...but it still hurts that there isn't a more efficient way to do it :-(
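
As an added example (written for this page; it is not code from anyone in the thread and not a Cisco tool), here is a Python generator that takes the zone-style intent described above and renders it as per-interface ASA ACLs, using a network object-group for the firewalled subnets so that each "limited any" interface needs one deny line instead of one per neighbouring subnet. The intent model (a list of src/dst nameif pairs that may initiate, plus a list of nameifs allowed to reach anything except the other local subnets), the object names NET_<nameif> and LOCAL_SUBNETS, the "<nameif>_in" ACL names and the sample addresses are all assumptions for illustration.

```python
"""Added example: render a zone-style policy as per-interface Cisco ASA ACLs.

The intent model is an assumption for illustration (it is not ASA syntax):
  permits           ordered (src_nameif, dst_nameif) pairs that may INITIATE
  any_except_local  nameifs that may initiate to anything EXCEPT the other
                    firewalled subnets (the "limited any" case from the thread)
Object names NET_<nameif> and LOCAL_SUBNETS and the "<nameif>_in" ACL names
are also assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Iface:
    name: str    # ASA nameif
    subnet: str  # the one subnet behind it, e.g. "10.0.1.0/24"


@dataclass
class Policy:
    permits: list = field(default_factory=list)
    any_except_local: list = field(default_factory=list)


def naive_ace_count(ifaces, policy):
    """ACEs needed if every 'any except local' rule is spelled out per subnet:
    one deny per other firewalled subnet, then one permit any."""
    n = len(ifaces)
    return len(policy.permits) + len(policy.any_except_local) * ((n - 1) + 1)


def asa_config(ifaces, policy, acl_suffix="_in"):
    """Return ASA CLI lines implementing `policy` with one inbound ACL per nameif."""
    names = {i.name for i in ifaces}
    for src, dst in policy.permits:
        if src not in names or dst not in names:
            raise ValueError(f"unknown nameif in permit {src}->{dst}")
    for name in policy.any_except_local:
        if name not in names:
            raise ValueError(f"unknown nameif {name}")

    # Global: the thread's nameifs all sit at security-level 50, and the ASA
    # drops same-level traffic unless this is enabled, ACL or no ACL.
    out = ["same-security-traffic permit inter-interface"]

    # One network object per interface subnet, and one group holding all of them.
    for i in ifaces:
        net = ipaddress.ip_network(i.subnet, strict=True)
        out += [f"object network NET_{i.name}",
                f" subnet {net.network_address} {net.netmask}"]
    out.append("object-group network LOCAL_SUBNETS")
    out += [f" network-object object NET_{i.name}" for i in ifaces]

    for i in ifaces:
        acl = f"{i.name}{acl_suffix}"
        aces = []
        # ASA ACLs are first-match: explicit permits must precede the deny.
        for src, dst in policy.permits:
            if src == i.name:
                aces.append(f"permit ip object NET_{src} object NET_{dst}")
        if i.name in policy.any_except_local:
            # One line instead of n-1. The group also contains this interface's
            # own subnet, which is harmless: intra-subnet traffic never
            # transits the ASA.
            aces.append(f"deny ip object NET_{i.name} object-group LOCAL_SUBNETS")
            aces.append(f"permit ip object NET_{i.name} any")
        if not aces:
            # An interface with no ACL falls back to security-level behaviour,
            # which (with the global command above) would let it reach every
            # other level-50 interface. Pin it closed explicitly instead.
            aces.append("deny ip any any")
        out += [f"access-list {acl} extended {ace}" for ace in aces]
        out.append(f"access-group {acl} in interface {i.name}")
    return out


def acl_line_count(config):
    """Number of access-list lines in the rendered config."""
    return sum(1 for line in config if line.startswith("access-list "))


if __name__ == "__main__":
    # Constructed sample: the five nameifs from the post above, made-up addresses.
    ifs = [Iface(f"Subnet{c}", f"10.0.{n}.0/24") for n, c in enumerate("ABCDE", 1)]
    pol = Policy(permits=[("SubnetA", "SubnetB"), ("SubnetC", "SubnetD")],
                 any_except_local=["SubnetE"])
    print("\n".join(asa_config(ifs, pol)))
```

Rendered for the five-interface sample, SubnetE_in carries two lines (the group deny, then permit any) where the spelled-out form needs five; for 21 interfaces that all need limited any, the spelled-out form is 21 x 20 deny ACEs plus 21 permit-any ACEs (441 in total), while the object-group form is 42 access-list lines. The group only shrinks the configuration: the ASA still expands each group line into one ACE per member, and `show access-list` reports the expanded count. Permits here are one-directional initiation; stateful return traffic is allowed without a reverse ACE, but if B must also initiate to A, B's ACL needs its own permit line, which is where the bidirectional case doubles the rule count.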

deanwebb

Especially if you want bidirectional communication... yeeesh.