
I currently manage 6 Cisco ASA devices (2 pairs of 5510s and 1 pair of 5550s). They all work quite nicely and are stable, so this is more of a best-practice advice question rather than "OMG it's broken, help me fix it".

My network is split into multiple VLANs. Pretty much each service role has its own VLAN, so DB servers would have their own VLAN, as would APP servers and Cassandra nodes.

Traffic is being managed on an "allow only specific, deny the rest" basis (so the default policy is to drop all traffic). I do this by creating two ACLs per network interface, e.g.:

  • `access-list dc2-850-db-in`: ACL that's being applied to the `dc2-850-db` interface in the "in" direction
  • `access-list dc2-850-db-out`: ACL that's being applied to the `dc2-850-db` interface in the "out" direction

It's all pretty tight and works as expected; however, I was wondering whether this is the best possible way to go? At the moment I have got to a point where I have over 30 VLANs, and I must say it's becoming slightly confusing at some points to manage those.

Probably something like common/shared ACLs would help here which I could inherit from other ACLs but AFAIK there's no such thing...

Any advice much appreciated.

CaptainBli
bart613
    Have you looked into flattening the address space and using [`private vlans`](http://tools.ietf.org/html/rfc5517)? Another alternative might be breaking business units into [`VRFs`](http://en.wikipedia.org/wiki/Virtual_Routing_and_Forwarding). Either of those might help manage some of the explosion of ACL requirements. Honestly though, it's hard to comment on this question because so much depends on the business and technical reasons for your existing design – Mike Pennington Jul 24 '12 at 11:23
  • Thanks Mike - I'm going to read up a bit about both you've mentioned. – bart613 Jul 24 '12 at 13:35
  • You're welcome... the basic idea behind both suggestions is that you build a natural layer-2 or layer-3 boundary based on business needs which permits all communication between hosts within the same business function. At that point, you would need to firewall between business interests. Many companies are building separate VPNs for each business unit in the company; the concept is similar to what I'm suggesting here, but the VPN would be local inside your facility (and based on private vlans or VRFs) – Mike Pennington Jul 24 '12 at 13:58

3 Answers


Since you have Cisco ASA devices (2 pairs of 5510s and 1 pair of 5550s), this means you are moving away from packet filtering with ACLs and moving to firewall zone-based techniques in ASAs.

Create class-maps, policy-maps and service-policies.

Network objects will make your life easy.

The trend in firewall technique is

packet filtering - packet inspection - ip inspect (stateful inspection) - zone-based firewall

These techniques were made for it to be less confusing as the areas increase.

There is a book you might want to read: The Accidental Administrator. It really helped me.

Have a look at it and move away from the ACLs in two different directions.

With ASAs you should have no problem.

In the past, I made 800 series ip inspect and ZBF, then compared their advantages, and they used the same technique in the ASAs, moving away from packet filtering to advanced ip inspect.

slm
  • don, I don't see any chapter discussing moving away from filtering using acls in the (your?) book. Can you refer me to the chapter and page? – 3molo Nov 27 '13 at 20:12

One very simple (and, admittedly, a bit of a cheat) solution would be to assign each VLAN interface a security-level consistent with the traffic it needs to allow.

You can then set same-security-traffic permit inter-interface, thus obviating the need to specifically route and secure the same VLAN across multiple devices.

It wouldn't cut down on the number of VLANs, but it would probably halve the number of ACLs you need for VLANs that reach across all 3 firewalls.

Of course, there's no way for me to know if this makes sense in your environment.

adaptr

Why do you have both inbound and outbound access lists? You should try to catch traffic as close to the source as possible. That would mean only inbound access lists, halving your total number of ACLs. This would help keep the scope down. When having only one possible access list per flow, your ASA will become easier to maintain and, more importantly, easier to troubleshoot when things go wrong.

Also, do all VLANs have to go past a firewall to reach each other? This severely limits throughput. Remember: an ASA is a firewall, not a (good) router.

JelmerS
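Pulling the three answers together (object-groups, security levels with same-security-traffic, and inbound-only ACLs), here is an added before/after ASA configuration fragment that is not from any of the posters. The interface names other than `dc2-850-db`, the subnets, ports and security levels are constructed for illustration.

```cisco
! BEFORE (constructed): one ACL per direction on the DB interface
access-list dc2-850-db-in extended permit tcp 10.2.50.0 255.255.255.0 10.2.40.0 255.255.255.0 eq 8080
access-list dc2-850-db-in extended deny ip any any log
access-list dc2-850-db-out extended permit tcp 10.2.40.0 255.255.255.0 10.2.50.0 255.255.255.0 eq 3306
access-list dc2-850-db-out extended deny ip any any log
access-group dc2-850-db-in in interface dc2-850-db
access-group dc2-850-db-out out interface dc2-850-db

! AFTER: give the two tiers names that every ACL can reuse
object-group network DB-SERVERS
 network-object 10.2.50.0 255.255.255.0
object-group network APP-SERVERS
 network-object 10.2.40.0 255.255.255.0
object-group service DB-PORTS tcp
 port-object eq 3306

! Filter each flow once, inbound on the interface closest to its source
! (app -> db is caught on the app interface, so the db "out" ACL is no longer needed)
access-list dc2-840-app-in extended permit tcp object-group APP-SERVERS object-group DB-SERVERS object-group DB-PORTS
access-list dc2-840-app-in extended deny ip any any log
access-group dc2-840-app-in in interface dc2-840-app

! db -> app is caught inbound on the db interface; nothing is applied in the "out" direction
access-list dc2-850-db-in extended permit tcp object-group DB-SERVERS object-group APP-SERVERS eq 8080
access-list dc2-850-db-in extended deny ip any any log
no access-group dc2-850-db-out out interface dc2-850-db
access-group dc2-850-db-in in interface dc2-850-db

! Optional: interfaces that share a security-level and carry NO inbound ACL
! may talk freely; an interface with an inbound ACL is still filtered by it
interface GigabitEthernet0/1.850
 nameif dc2-850-db
 security-level 50
interface GigabitEthernet0/1.840
 nameif dc2-840-app
 security-level 50
same-security-traffic permit inter-interface
```

Before removing an "out" ACL, confirm with `show access-list` hit counts that every flow it permitted is already covered by an inbound ACL on the source interface, otherwise the implicit deny will drop it.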