
Virtual Firewalls (Security Contexts)

Date: 2015-10-24 21:45:36

Topics

  • Cisco ASA Virtualization Overview
  • Virtual Firewall Deployment Guidelines: the information you need before you deploy Virtual Firewalls
  • Configuration Tasks Overview
  • Configuring Security Contexts
  • Verifying Security Contexts
  • Managing Security Contexts
  • Configuring Resource Management
  • Verifying Resource Management
  • Troubleshooting Security Contexts

Perhaps you are an Internet service provider and would like to set up multiple firewalls for different customers that use your services. Or perhaps you are a network engineer for a large enterprise that wants multiple firewalls for different areas of the enterprise network. Virtual Firewalls are created in the Cisco ASA using a technology called Security Contexts.

Part 1: Cisco ASA Virtualization Overview

Cisco ASA virtualization refers to the capability to create multiple Virtual Firewalls inside a single Cisco ASA. Before you can create these additional Security Contexts, you must convert the ASA to multiple mode. Once you have done this and have defined your contexts, you can assign interfaces, administrators, and security policies to each context just as though it is an independent firewall device.

The following features are not supported in multiple mode:

  • IP Security (IPsec) VPNs and other IPsec services
  • Secure Sockets Layer (SSL) VPNs
  • Dynamic routing protocols
  • Phone Proxy
  • Threat detection
  • Multicast IP routing

System Configuration

The system configuration defines basic security settings for the Cisco ASA itself and is the entity that stores information about all the other Security Contexts. It also maintains the settings of the physical interfaces inside the Cisco ASA. As when running the ASA in single mode, the system configuration resides as the startup configuration in flash memory.

System Context (Admin Context)

The admin context is just like any other context, except that when a user logs in to this context, they have administrative rights over all the Security Contexts set up on the system.

The system configuration relies on the admin context to access interfaces that can pass traffic. Common uses of this special context are to retrieve configurations for other contexts and to send system-level syslog messages. When you want to create new contexts or change the system configuration in any way, you log in to the admin context. Note that you can change the name of this context from the default of admin.

Part 2: Virtual Firewall Deployment Guidelines

You must plan carefully before implementing your Virtual Firewalls. Be sure to determine the following:

  • The number of Security Contexts you require: You will use this information to create and name the Security Contexts you require. Note that the number of Security Contexts that you can create depends on the type of license you have purchased with your ASA.
  • The configuration storage for each context: The options are Flash memory or external servers.
  • The network topology information for your deployment: You need to carefully plan which interfaces will be associated with which Security Contexts. You also need to plan for the IP addressing and routing to use inside each Security Context.
  • The security policy used inside each of the Security Contexts: This information could be quite elaborate and involved, depending on the complexity of the network and the associated security policies.


Deployment Choices

When you are deciding whether to use Virtual Firewalls, consider the following conditions that typically necessitate their usage:

  • You have very distinct security policies that need to be assigned to different customers or different departments within your enterprise network.
  • You are an Internet service provider that needs to separate traffic from different customers.
  • You are interested in providing robust redundancy in your firewall environment. The use of multiple Security Contexts enables the use of Active/Active failover.


Deployment Guidelines

There are plenty of other important deployment guidelines you should consider before implementing a multiple mode Cisco ASA with multiple Security Contexts. Here are some of the most critical for you to consider and memorize for the FIREWALL exam:

  • The transparent mode option cannot be set on a per–Security Context basis. If you need a transparent mode Security Context, all your other Virtual Firewalls must also use transparent mode.
  • When creating a transparent mode device, make that change first, and then create your Security Contexts. If you create your Security Contexts first and then initiate the cutover to transparent mode, the Security Contexts will be removed.
  • Only two interfaces are supported in a Security Context running in transparent mode.
  • Shared interfaces cannot be used when the Security Contexts are running in transparent mode.
  • When using shared interfaces, ensure that you assign a unique MAC address to the interface in each context.
  • Always consider the use of context resource management to ensure that a single context cannot deplete all resources available on the Cisco ASA.


Limitations

Here are some of the most important limitations you should know regarding Virtual Firewalls on the Cisco ASA:

  • Key features that are not supported on a Cisco ASA in multiple mode are dynamic routing protocols, IPsec and SSL VPNs, multicast IP routing, threat detection, and Phone Proxy.
  • The Cisco ASA 5505 does not support multiple mode.
  • The number of Security Contexts you can create depends on the software license you possess and the Cisco ASA hardware model you are using.

Part 3: Configuration Tasks

When you are preparing to implement complex configurations on the Cisco ASA, it is valuable to examine a high-level overview of the configuration process:

Step 1. Enable multiple mode on the Cisco ASA.
Step 2. Create a Security Context.
Step 3. Allocate interfaces to the context.
Step 4. Specify the startup configuration location for the context.
Step 5. Configure the Security Context resource management.
Step 6. Configure each Security Context as a separate security appliance.

1. Configuring Security Contexts

When you convert the Cisco ASA from single mode to multiple mode, the following changes take place on the device:

  • The Cisco ASA automatically creates a Security Context named admin.
  • The running configuration of the device is converted into the system configuration and the configuration of the admin Security Context, which is stored as admin.cfg.
  • The original running configuration is saved as old_running.cfg.
  • Interfaces that were enabled in single mode are added to the admin Security Context.
  • Interfaces that were disabled at the time of conversion are not assigned to any Security Context.

ciscoasa(config)# mode multiple noconfirm

Use the mode command in global configuration mode. The noconfirm keyword makes the change without a confirmation prompt, which is useful when automating the process with a script.

A new Security Context is not operational until you specify the location of its startup configuration. You specify this location as a URL. Options include the following:

  • disk0:/ (also flash:/): Stored in internal flash memory
  • disk1:/: Stored on a CompactFlash memory card
  • tftp://: Stored on an external TFTP server
  • ftp://: Stored on an external FTP server
  • http:// or https://: Stored on a web server or SSL web server

Note: The admin context must be stored on internal flash (disk0:/ or flash:/).

In the CLI, use the context command to create a context and the allocate-interface command to provision the correct interfaces. Use the config-url command to specify the configuration file location.


2. Verifying Security Contexts

When you are in the system execution space at the CLI, you can easily view a list of Security Contexts on the system.

ciscoasa# show context
Context Name      Interfaces                  URL
*admin            GigabitEthernet0/1.100      disk0:/admin.cfg
                  GigabitEthernet0/1.101
contexta          GigabitEthernet0/1.200      disk0:/contexta.cfg
                  GigabitEthernet0/1.201
contextb          GigabitEthernet0/1.300      disk0:/contextb.cfg
                  GigabitEthernet0/1.301
Total active Security Contexts: 3

Note that an asterisk (*) to the left of the context name indicates the current admin context.

3. Managing Security Contexts

Managing a Security Context is a matter of entering the context environment.

To change between contexts using the CLI, use the changeto command in privileged mode. The context keyword is required when entering a named context. For example:

ciscoasa# changeto context MYCONTEXT

or, to return to the system execution space:

ciscoasa# changeto system

Packet Classification

When your Security Contexts are in routed mode and share interfaces across contexts, the Cisco ASA needs a method for determining to which context it should send a packet. The ASA checks the following to do this:

  • A unique interface
  • A unique MAC address
  • A global IP address in a NAT configuration

Remember, as stated in the deployment guidelines, using unique MAC addresses is recommended if you are in multiple mode with transparent mode Security Contexts. You can change MAC addresses manually, or you can have the Cisco ASA generate a unique MAC address for you.
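As an added example (not from the original post), sharing one outside subinterface between two routed-mode contexts and letting the ASA generate a unique MAC address per context so the classifier can place packets. The context names, interface numbers and the MAC value are assumed, and each context's outside interface is assumed to have its own nameif and a unique IP address.

```cisco
! System execution space: have the ASA generate a unique MAC address for
! every interface allocated to a context, so a subinterface shared by two
! contexts presents a different MAC in each of them.
ciscoasa(config)# mac-address auto

! Share the outside subinterface between two contexts; each keeps its own
! inside interface. (Assumed context names and interface numbers.)
ciscoasa(config)# context contexta
ciscoasa(config-ctx)# allocate-interface GigabitEthernet0/1.200 outside
ciscoasa(config-ctx)# allocate-interface GigabitEthernet0/1.201 inside
ciscoasa(config-ctx)# config-url disk0:/contexta.cfg
ciscoasa(config-ctx)# context contextb
ciscoasa(config-ctx)# allocate-interface GigabitEthernet0/1.200 outside
ciscoasa(config-ctx)# allocate-interface GigabitEthernet0/1.301 inside
ciscoasa(config-ctx)# config-url disk0:/contextb.cfg
ciscoasa(config-ctx)# end

! GigabitEthernet0/1.200 now appears under both contexts.
ciscoasa# show context

! Inside a context, check the MAC the classifier will match on. To set
! one by hand instead, override it on the interface; use a locally
! administered address that differs in every context sharing the link.
ciscoasa# changeto context contextb
ciscoasa/contextb# show interface outside | include MAC
ciscoasa/contextb# configure terminal
ciscoasa/contextb(config)# interface outside
ciscoasa/contextb(config-if)# mac-address 0200.0000.0b01
ciscoasa/contextb(config-if)# end
ciscoasa/contextb# changeto system
```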

Changing the Admin Context

To change the context that is the admin context, use the admin-context command in global configuration mode of the system execution space (as the prompt shows) and simply specify the name of the new admin context, as demonstrated here:

ciscoasa(config)# admin-context administrator

4. Configuring Resource Management

By default, a particular Security Context has unlimited access to the resources of the Cisco ASA. By engaging the powerful resource management capabilities, you can impose limits on the use of specific hardware resources per Security Context. This is obviously an important aspect of Virtual Firewall implementation and can guard against malicious or accidental issues. Realize that a single context that is depleting a large number of resources of the Cisco ASA can have an impact on all the Security Contexts on the device.

You can configure resource limits for the following:

  • Cisco ASDM sessions
  • Connections (two options, count and rate, are available)
  • Hosts that can connect
  • SSH sessions
  • Telnet sessions
  • Address translations
  • Rate of application inspections per second
  • Rate of system log messages per second
  • Number of MAC addresses allowed in the MAC address table


The Default Class

Resource management for a multiple mode Cisco ASA requires the creation and configuration of resource classes. You create and define resource classes and then assign Security Contexts to these classes. By default, there is a resource class created on the Cisco ASA called the default class. This class has predefined limits, and every Security Context you have created belongs to this class. Initially, when you create a new resource class, it inherits the settings of the default class.

Creating a New Resource Class

To configure a resource class at the CLI, simply use the class command. Use the limit-resource command to set resource limits. Finally, use the member command in context configuration mode to assign the resource class.

hostname(config)# class gold
hostname(config-class)# limit-resource mac-addresses 10000
hostname(config-class)# limit-resource conns 15%
hostname(config-class)# limit-resource rate conns 1000
hostname(config-class)# limit-resource rate inspects 500
hostname(config-class)# limit-resource hosts 9000
hostname(config-class)# limit-resource asdm 5
hostname(config-class)# limit-resource ssh 5
hostname(config-class)# limit-resource rate syslogs 5000
hostname(config-class)# limit-resource telnet 5
hostname(config-class)# limit-resource xlates 36000
! And then later, to make the context a member of the class:
hostname(config-ctx)# member gold

Caution: Do not assign more than 100 percent of your resources across Security Contexts. It is up to you to plan and implement the available resources. The configuration software will allow you to overallocate resources, resulting in poor performance and access to fewer resources than intended.
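As an added example (not from the original post), a resource-class plan that respects the Caution above. A percentage limit applies to each member context, so the share committed to a resource is the per-context limit multiplied by the number of members; the class names, limits and context names are assumed, and these five contexts are assumed to be the only ones on the device.

```cisco
! Plan (assumed): admin stays in the default class (5%), custA and custB
! join gold (30% each), custC and custD join silver (15% each).
! Committed connections: 5 + 2*30 + 2*15 = 95%, within the 100% ceiling.
! Percentages are used only where the ASA reports a system total
! (Conns, SSH, ASDM); hosts and xlates are given absolute values.

! Give the default class a ceiling, since every context starts there.
ciscoasa(config)# class default
ciscoasa(config-class)# limit-resource conns 5%
ciscoasa(config-class)# limit-resource rate conns 500
ciscoasa(config-class)# limit-resource rate syslogs 500

ciscoasa(config-class)# class gold
ciscoasa(config-class)# limit-resource conns 30%
ciscoasa(config-class)# limit-resource rate conns 5000
ciscoasa(config-class)# limit-resource rate inspects 2000
ciscoasa(config-class)# limit-resource rate syslogs 2000
ciscoasa(config-class)# limit-resource hosts 20000
ciscoasa(config-class)# limit-resource xlates 30000
ciscoasa(config-class)# limit-resource ssh 5
ciscoasa(config-class)# limit-resource asdm 5

ciscoasa(config-class)# class silver
ciscoasa(config-class)# limit-resource conns 15%
ciscoasa(config-class)# limit-resource rate conns 2000
ciscoasa(config-class)# limit-resource rate inspects 1000
ciscoasa(config-class)# limit-resource rate syslogs 1000
ciscoasa(config-class)# limit-resource hosts 10000
ciscoasa(config-class)# limit-resource xlates 15000
ciscoasa(config-class)# limit-resource ssh 2
ciscoasa(config-class)# limit-resource asdm 2
ciscoasa(config-class)# exit

! Assign the members.
ciscoasa(config)# context custA
ciscoasa(config-ctx)# member gold
ciscoasa(config-ctx)# context custB
ciscoasa(config-ctx)# member gold
ciscoasa(config-ctx)# context custC
ciscoasa(config-ctx)# member silver
ciscoasa(config-ctx)# context custD
ciscoasa(config-ctx)# member silver
ciscoasa(config-ctx)# end

! The ASA accepts an overcommitted plan without complaint, so read the
! "% of Avail" column: Conns should total 95.00% for this plan.
ciscoasa# show resource allocation
ciscoasa# show resource usage summary
```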

Verifying Resource Management

hostname# show resource allocation
Resource           Total       % of Avail
Conns [rate]       35000       N/A
Inspects [rate]    35000       N/A
Syslogs [rate]     10500       N/A
Conns              305000      30.50%
Hosts              78842       N/A
SSH                35          35.00%
Telnet             35          35.00%
Xlates             91749       N/A
All                unlimited

The show resource usage command displays the resource usage for each context.

5. Troubleshooting Security Contexts

Troubleshooting Cisco ASA devices in multiple mode poses extra challenges that do not exist in single mode systems. Troubleshooting efforts will often be split between time in the system execution space and time in individual Security Contexts. In the system configuration area, you will often rely on the show context, show interface, and show resource usage commands. While in a particular context, you often simply need to use show interface.

A common set of steps to use when troubleshooting Security Context issues is as follows:

Step 1. Verify interface status in the system execution space; use the no shutdown command as necessary.
Step 2. Verify interface status in a context environment; use the no shutdown command as necessary.
Step 3. In the case of shared interfaces, ensure that packets can be classified properly into specific Security Contexts. Perhaps you need to create unique MAC addresses or properly configure NAT.
Step 4. Verify resource usage.
Step 5. Troubleshoot within a Security Context as if you were troubleshooting a standalone security appliance. Refer to the "Troubleshooting" sections in other chapters of this book for guidance.

Note: The Cisco ASA logs system messages when a context cannot pass traffic due to a resource limit. You should monitor for these messages carefully.
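As an added example (not from the original post), the five troubleshooting steps above worked through as a command sequence for one context. The context name, interface names, addresses and ports are assumed, and the logging buffer is assumed to be enabled so that resource-limit messages can be searched.

```cisco
! Step 1: system execution space. Confirm the mode, list contexts and
! check the physical/subinterface state; bring up anything shut down.
ciscoasa# show mode
ciscoasa# show context
ciscoasa# show interface GigabitEthernet0/1.200
ciscoasa# configure terminal
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# end

! Step 2: repeat inside the context, where only mapped names are visible.
ciscoasa# changeto context contexta
ciscoasa/contexta# show interface
ciscoasa/contexta# configure terminal
ciscoasa/contexta(config)# interface outside
ciscoasa/contexta(config-if)# no shutdown
ciscoasa/contexta(config-if)# end

! Step 3: on a shared interface, each context must present a distinct MAC
! (or a distinct NAT global address) or the classifier cannot place packets.
ciscoasa/contexta# show interface outside | include MAC
ciscoasa/contexta# show nat

! Step 4: resource usage for this context and for the system as a whole;
! a context at its connection limit is denied new connections and the
! ASA logs a message for it.
ciscoasa/contexta# changeto system
ciscoasa# show resource usage context contexta
ciscoasa# show resource usage summary
ciscoasa# show logging | include limit

! Step 5: inside the context, troubleshoot as on a standalone appliance,
! for example by tracing a flow through its policy (assumed addresses).
ciscoasa# changeto context contexta
ciscoasa/contexta# packet-tracer input inside tcp 10.1.1.10 40000 203.0.113.5 443
```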

Original source: http://www.cnblogs.com/elewei/p/4907598.html