
Wednesday, December 16, 2015

Transparent Firewall


Routed vs transparent: routed is the default
Default flows: higher security level to lower is allowed
Configuration steps
Optional L2 inspection: for spanning-tree and BPDUs


Routed is the default firewall mode.

Transparent mode operates like a Layer 2 switch and makes forwarding decisions based on MAC addresses. It still has the ability to do application-layer inspection, and it can do NAT as well. ARP is allowed in both directions.

Instead of an IP address on each interface, here we configure a bridge group.
Traffic flows and inspection rules work the same as on a routed firewall.

A few things the ASA can't do in transparent mode:
It can't terminate VPN sessions.
If we want the firewall to be a VPN gateway, don't configure it as transparent.

BVI: Bridge Virtual Interface

We can configure an IP address on the transparent firewall (on the BVI) to manage it.

#Static routes are required if we are doing NAT for non-local network devices. A static or default static route is also needed to reach non-local management devices.

Note: the existing configuration is removed when changing from routed to transparent mode.

Configuration on the 5520:
clear config all
show firewall
firewall transparent
show firewall
hostname ASA1

## Create the logical BVI
This will be used primarily to manage this ASA over the network.

interface BVI 1
ip address 192.168.1.150 255.255.255.0
This IP address is for management purposes only.

##Add interfaces to this bridge group. The nameif and security-level commands go on the interface, but no IP address goes on the member interfaces.

int g1
security-level 100
nameif inside
bridge-group 1
no shut

int g0
security-level 0
nameif outside
bridge-group 1
no shut

We can have more than two interfaces as part of bridge group 1.

Now we should be able to ping an IP address on the outside:

ping 192.168.1.1

#Let's enable HTTP
http server enable
http 0 0 inside

Now we should be able to connect to ASDM:

https://192.168.1.150

#ICMP is not inspected by default, hence the PC is not able to ping the router's .1 address. Let's enable ICMP inspection through ASDM.

On ASDM :
Config -> Firewall -> Service Policy -> Edit service policy rule -> enable ICMP

Note: IP ACLs can be used in addition to the special “Ethertype” ACLs on the interfaces.

By default, the ASA will not allow BPDUs, so to allow BPDUs between two switches we can configure an EtherType ACL on the ASA.

If we want multicast and broadcast to work, we need to include those in the ACLs on the interfaces.
By default, the ASA doesn't allow multicast and broadcast traffic.

In this case, the router is acting as the DHCP server as well. DHCP Discover and Offer use broadcast, which by default is not allowed by the ASA. Hence let's configure ACLs to allow the broadcast traffic.


For inside-to-outside traffic we have configured permit ip any any.
For outside-to-inside:
object network broadcast
    host 255.255.255.255
object network dhcp-server
    host 192.168.1.1
access-list outside_access_in line 1 extended permit udp object dhcp-server object broadcast eq bootpc
access-group outside_access_in interface outside
Now change the DHCP settings on the PC to obtain an IP address automatically.

ipconfig /all

The IP address is assigned to the PC by the DHCP server.

Note: in transparent mode, the ASA interfaces have no IP addresses, so no routing protocols can be configured: no RIP, no EIGRP, no OSPF.

Same config on the 5505:

clear config all
firewall transparent
show firewall
hostname ASA-5505

interface bvi 1
ip add 192.168.1.155 255.255.255.0

int e0/0
no shut
switchport access vlan 10
exit

int e0/1
no shut
switchport access vlan 20
exit

Logical interfaces:
int vlan 10
security-level 0
nameif outside
bridge-group 1
no shut

int vlan 20
security-level 100
nameif inside
bridge-group 1
no shut

Ping should work now.

http server enable
http 0 0 inside
http 0 0 outside

http://192.168.1.155

Configure the access lists:

object network dhcp-server
  host 192.168.1.1
access-list inside_access_in line 1 extended permit ip any any
access-list outside_access_in line 1 extended permit udp object dhcp-server any eq bootpc
access-group inside_access_in interface inside
access-group outside_access_in interface outside

ifconfig
The IP address assigned is .26.

Enable ICMP inspection for ping to work.

Config steps:
firewall transparent
interface BVI x
Assign an IP address to the BVI
Add the interfaces to the bridge group
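A small checker for the bridge-group configuration walked through above, added here as an example and not a Cisco tool. It flags the slips that are easy to make by hand: an IP address on a bridge-group member, the same nameif on two interfaces, and an access-group that names an ACL or interface that was never defined. The SAMPLE config is constructed from the 5505 notes with those slips left in, so the checker has something to find.

```python
"""Lint a transparent-mode ASA config for the slips this post warns about: an IP
address on a bridge-group member, a duplicate nameif, and an access-group whose
ACL or interface name is never defined. Added example, not a Cisco tool."""
import re

def parse(config):  # -> (global lines, {interface: [sub-commands]})
    globals_, ifaces, cur = [], {}, None
    for line in (ln.strip() for ln in config.splitlines() if ln.strip()):
        m = re.match(r"int(?:erface)?\s+(.+)", line, re.I)
        if m:                                   # start of an interface block
            cur = m.group(1).lower().replace(" ", "")
            ifaces[cur] = []
        elif cur is not None and not re.match(r"(access-|object|http|firewall)", line):
            ifaces[cur].append(line)            # sub-command of the current block
        else:
            cur = None                          # a global command ends any block
            globals_.append(line)
    return globals_, ifaces

def lint(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    globals_, ifaces = parse(config)
    out, names = [], {}
    for name, sub in ifaces.items():
        cmds = {s.split()[0].lower(): s.split()[1:] for s in sub}
        nameif = cmds.get("nameif", [None])[0]
        if "bridge-group" in cmds and "ip" in cmds:   # members must stay IP-less
            out.append(f"{name}: bridge-group member must not carry an IP address")
        if nameif in names:                           # two interfaces, one name
            out.append(f"{name}: nameif {nameif} already used on {names[nameif]}")
        elif nameif:
            names[nameif] = name
    acls = {g.split()[1] for g in globals_ if g.startswith("access-list ")}
    for g in (g for g in globals_ if g.startswith("access-group ")):
        _, acl, _, iface = g.split()[:4]
        if acl not in acls:
            out.append(f"access-group {acl}: access-list {acl} is not defined")
        if iface not in names:
            out.append(f"access-group {acl}: no interface is named {iface}")
    return out

# Constructed sample modelled on the 5505 walkthrough, with two slips left in.
SAMPLE = """int vlan 10
 nameif outside
 bridge-group 1
int vlan 20
 nameif outside
 bridge-group 1
access-list outside-access_in extended permit udp any any eq bootpc
access-group inside-access_in interface inside
access-group outside-access_in interface outside"""
```

Running `lint(SAMPLE)` reports the duplicate nameif on vlan 20 and both problems with the inside access-group; a config with unique names and matching ACL names returns an empty list.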

Another feature: ARP inspection

Say the router's MAC address is AA and an XP PC sends a gratuitous ARP announcing the router's IP address with MAC BB. Once the ARP caches are poisoned, hosts will forward packets to BB instead of the default gateway AA, i.e. a man-in-the-middle attack.
This is called ARP spoofing: the XP box is advertising the router's IP address with the XP box's MAC address.


How do we avoid this man-in-the-middle attack?
Using ARP inspection.
Create a manual ARP table on the ASA, then tell the ASA to do ARP inspection.
If anybody sends a spoofed gratuitous ARP, the ASA will block it from going through.

We build the mapping table of IP to MAC and turn on the ARP inspection feature. Anything that doesn't match the table gets dropped.

What happens if a frame with an unknown mapping reaches the ASA?
It can either forward it or drop it, depending on the setting:
i.e. flood and no-flood.

Config:
Config -> Device Management -> Advanced -> ARP -> ARP Static Table -> Add
inside, 001b.7765.4321

This works best where we know the exact IP-to-MAC mapping, i.e. a static mapping.

Under Monitoring, we can check our static ARP table.

Now go to ARP Inspection and enable it. It is enabled on a per-interface basis.
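A model of the ARP inspection decision described above, added as an example and not ASA code: static IP-to-MAC entries per interface, inspection enabled per interface, and the flood / no-flood choice for bindings not in the table. The MAC addresses are constructed stand-ins for the post's AA and BB.

```python
"""ARP inspection as the post describes it: a static IP-to-MAC table per
interface, inspection enabled per interface, and a flood / no-flood choice
for ARPs whose binding is not in the table. Added example, not ASA code."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Arp:
    iface: str       # interface the ARP arrived on
    sender_ip: str   # binding the sender claims (same for gratuitous ARPs)
    sender_mac: str

class ArpInspector:
    def __init__(self, flood_unknown=True):
        self.static = {}         # (iface, ip) -> mac, the manual ARP table
        self.enabled = set()     # interfaces with inspection turned on
        self.flood_unknown = flood_unknown

    def add_static(self, iface, ip, mac):
        self.static[(iface, ip)] = mac.lower()

    def enable(self, iface):
        self.enabled.add(iface)

    def decide(self, arp):
        """Return ('forward' or 'drop', reason) for one ARP frame."""
        if arp.iface not in self.enabled:
            return "forward", "inspection is off on this interface"
        expected = self.static.get((arp.iface, arp.sender_ip))
        if expected is None:                       # binding not in the table
            if self.flood_unknown:
                return "forward", "no static entry; flood is on"
            return "drop", "no static entry; no-flood"
        if expected == arp.sender_mac.lower():
            return "forward", "matches static entry"
        return "drop", f"{arp.sender_ip} is bound to {expected}, not {arp.sender_mac}"

def run_demo(flood_unknown=False):
    """Replay constructed ARPs through the post's scenario: the router at
    192.168.1.1 (MAC 'AA') and an XP box claiming that IP with its own MAC."""
    asa = ArpInspector(flood_unknown)
    asa.add_static("inside", "192.168.1.1", "0000.0000.00aa")  # constructed MAC
    asa.enable("inside")
    frames = [
        Arp("inside", "192.168.1.1", "0000.0000.00aa"),    # genuine router ARP
        Arp("inside", "192.168.1.1", "0000.0000.00bb"),    # XP's gratuitous ARP
        Arp("inside", "192.168.1.26", "0000.0000.00cc"),   # host not in the table
        Arp("outside", "192.168.1.1", "0000.0000.00bb"),   # inspection off here
    ]
    return [asa.decide(f)[0] for f in frames]
```

With no-flood the unknown .26 host is dropped along with the spoofed ARP; with flood enabled only the spoofed ARP is dropped.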

When do we need a static route on the ASA?
- If we are going to manage the ASA from a network other than 192.168.1.0
- If we are doing NAT


A transparent firewall, also known as a Layer 2 firewall or a bridge firewall, is a type of firewall that operates at the data link layer (Layer 2) of the OSI model. Unlike traditional firewalls that operate at the network layer (Layer 3) and are configured with IP addresses, transparent firewalls work by intercepting and inspecting traffic at the Ethernet frame level without modifying the IP addresses of the packets.

Here are some key characteristics and features of transparent firewalls:

1. **Bridge Mode Operation**: Transparent firewalls operate in bridge mode, where they act as a bridge or switch between two network segments. They have two network interfaces connected to separate network segments and forward traffic between them.

2. **Invisibility to End Devices**: Unlike traditional firewalls, which are usually configured with IP addresses and require network devices to be aware of their existence, transparent firewalls are invisible to end devices. End devices communicate with each other as if there were no firewall between them.

3. **Stateful Packet Inspection**: Transparent firewalls perform stateful packet inspection (SPI) to analyze traffic and enforce security policies. They maintain a state table that tracks the state of connections and allows only legitimate traffic based on predefined rules.

4. **Traffic Filtering and Security Policies**: Transparent firewalls filter traffic based on predefined security policies, such as allowing or blocking specific protocols, ports, or IP addresses. They can also perform deep packet inspection to detect and block malicious content or attacks.

5. **Simplified Deployment and Integration**: Because transparent firewalls do not require changes to IP addresses or network configurations, they are easier to deploy and integrate into existing networks. They can be inserted into the network without disrupting existing traffic flows or requiring changes to network devices or configurations.

6. **Stealthy Protection**: Transparent firewalls provide a stealthy layer of protection for networks by operating silently and invisibly to end devices. They can protect networks from internal and external threats without introducing additional complexity or overhead.

Transparent firewalls are commonly used in scenarios where network segmentation, traffic monitoring, and security enforcement are required without modifying existing network configurations. They are particularly useful in environments where traditional firewalls cannot be easily deployed or integrated.
