© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management.

Lesson 8.2 Configure PIX Security Appliance Failover (Module 8 – PIX Security Appliance Contexts, Failover, and Management)

© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—16-3 Understanding Failover

16-4 Hardware and Stateful Failover
 Hardware failover
– Connections are dropped.
– Client applications must reconnect.
– Provides hardware redundancy.
– Provided by a serial or LAN-based failover link.
 Stateful failover
– TCP connections remain active.
– No client applications need to reconnect.
– Provides redundancy and stateful connections.
– Provided by a stateful link. (On 7.x, HTTP connections are not replicated unless failover replication http is enabled, so those sessions still drop on failover.)

16-5 Hardware Failover: Active/Standby
Hardware failover protects the network should the primary go offline.
 Active/Standby: Only one unit actively processes traffic while the other is a hot standby. When the primary fails, the secondary becomes active; the unit designation (primary or secondary) does not change, only its role.

16-6 Hardware Failover: Active/Active
Hardware failover protects the network should the primary go offline.
 Active/Active: Both units process traffic and serve as backup for each other. Each unit is active for some contexts and standby for the others; when one unit fails, the survivor becomes active for all of them.

16-7 Failover Requirements
The primary and secondary security appliances must be identical in the following respects:
 Same model number and hardware configuration
 Same software version* (prior to version 7.0)
 Same operating mode
 Same features (DES or 3DES)
 Same amount of Flash memory and RAM
 Proper licensing*

16-8 Failover Interface Test
When a monitored interface sees no traffic for a poll period, the security appliance runs the following tests on it in order; the interface is marked failed only if all of them fail (and the peer's corresponding interface passes):
 Link up/down test: Testing the network interface card itself
 Network activity test: Testing received network activity
 ARP test: Reading the security appliance ARP cache for the 10 most recently acquired entries and sending ARP requests to those hosts
 Broadcast ping test: Sending out a broadcast ping request

16-9 Types of Failover Links
 Cable-based (PIX Security Appliance only): the failover serial cable between the two units
 LAN-based: a dedicated Ethernet interface on each unit
 Stateful: the link that carries connection state to the standby unit
(Figure: primary and secondary security appliances, each with inside and outside interfaces, joined by cable-based, LAN-based and stateful links.)

16-10 Serial Cable-Based Failover Configuration

Serial Cable: Active/Standby Failover
(Figure: the primary security appliance is active and the secondary is standby, joined by the failover serial cable; after the primary fails, the secondary becomes active.)

16-12 Overview of Configuring Failover with a Failover Serial Cable
Complete the following tasks to configure failover with a failover serial cable:
 Attach the security appliance network interface cables.
 Connect the failover cable between the primary and secondary firewalls.
 Configure the primary firewall for failover and save the configuration to flash memory.
 Power on the secondary firewall.

16-13 show failover Command: Secondary Security Appliance Not Connected
The secondary has not been detected yet (mate version Unknown, mate interfaces Unknown) and no stateful link is configured:
  fw1# show failover
  Failover On
  Failover unit Primary
  Failover LAN Interface: N/A - Serial-based failover enabled
  Unit Poll frequency 500 milliseconds, holdtime 6 seconds
  Interface Poll frequency 600 milliseconds, holdtime 15 seconds
  Interface Policy 1
  Monitored Interfaces 2 of 250 maximum
  Version: Ours 7.2(1), Mate Unknown
  Last Failover at: 13:21:38 UTC Dec
  This host: Primary - Active
          Active time: 200 (sec)
          Interface outside ( ): Normal (Waiting)
          Interface inside ( ): Normal (Waiting)
  Other host: Secondary - Not detected
          Active time: 0 (sec)
          Interface outside ( ): Unknown (Waiting)
          Interface inside ( ): Unknown (Waiting)
  Stateful Failover Logical Update Statistics
          Link : Unconfigured

16-14 Configuration Replication
Configuration replication occurs:
 When the standby firewall completes its initial bootup
 As commands are entered on the active firewall
 By entering the write standby command
Replication runs from the active unit to the standby unit only; commands entered on the standby unit are not replicated to the active unit and are overwritten by the next replication, so always make changes on the active unit.

16-15 show failover Command
Once the secondary is powered on, the primary logs the mate and replicates its configuration:
  Detected an active mate
  Beginning configuration replication to mate.
  End configuration replication to mate.
The secondary now reports Standby Ready with matching software and Normal interfaces:
  fw1# show failover
  Failover On
  Failover unit Primary
  Failover LAN Interface: N/A - Serial-based failover enabled
  Unit Poll frequency 500 milliseconds, holdtime 6 seconds
  Interface Poll frequency 600 milliseconds, holdtime 15 seconds
  Interface Policy 1
  Monitored Interfaces 3 of 250 maximum
  Version: Ours 7.2(1), Mate 7.2(1)
  Last Failover at: 13:21:38 UTC Dec
  This host: Primary - Active
          Active time: 320 (sec)
          Interface outside ( ): Normal
          Interface inside ( ): Normal
  Other host: Secondary - Standby Ready
          Active time: 0 (sec)
          Interface outside ( ): Normal
          Interface inside ( ): Normal
  Stateful Failover Logical Update Statistics
          Link : Unconfigured

16-16 Force Control Back
  firewall(config)# failover active
  fw2(config)# failover active
 Forces control of the connection back to the unit you are accessing: the unit on which failover active is entered becomes active and its peer becomes standby (no failover active on the active unit does the reverse).

16-17 Active/Standby LAN-Based Failover Configuration

16-18 LAN-Based Failover Overview
LAN-based failover:
 Provides long-distance failover functionality
 Uses an Ethernet cable rather than the serial failover cable
 Requires a dedicated LAN interface, but the same interface can be used for stateful failover
 Enables you to use a dedicated switch, hub, or VLAN, or a crossover cable to connect the two security appliances
 Uses message encryption and authentication to secure failover transmissions, but only when a shared secret is set with the failover key command; without a key, failover messages (including the replicated configuration) cross the link in clear text, so the failover link should be an isolated segment that carries nothing else

16-19 LAN-Based Failover Configuration Overview
Complete the following tasks to configure LAN-based failover:
1. Install a LAN-based failover connection between the primary and secondary security appliances.
2. Configure the primary security appliance.
3. Configure the primary security appliance for stateful failover.
4. Save the primary security appliance configuration to flash memory.
5. Power on the secondary security appliance.
6. Configure the secondary security appliance with the minimum failover LAN command set.
7. Save the secondary security appliance configuration to flash memory.
8. Connect the secondary unit LAN failover interface to the network.
9. Reboot the secondary security appliance.

16-20 Cabling LAN Failover
(Figure: primary and secondary security appliances with g0/0 and g0/1 on the production networks, and g0/2 on each unit joined as the LAN failover link.)

16-21 Configuring LAN Failover: Primary
  asa1(config)# interface GigabitEthernet0/2
  asa1(config-if)# no shut
  asa1(config)# failover lan interface LANFAIL GigabitEthernet0/2
  asa1(config)# failover interface ip LANFAIL standby
  asa1(config)# failover lan unit primary
  asa1(config)# failover key
  asa1(config)# failover
The failover interface ip command takes the active address, mask and standby address of the failover interface, and failover key takes the shared secret; the slide omits the values.

16-22 Stateful Failover
  ciscoasa(config)# failover link if_name [phy_if]
  asa1(config)# failover link LANFAIL
 Specifies the name of the dedicated interface used for stateful failover. Here the LAN failover interface LANFAIL carries state replication as well; a separate interface can be given with phy_if.

16-23 Configuring LAN Failover: Secondary
  asa2(config)# interface GigabitEthernet0/2
  asa2(config-if)# no shut
  asa2(config)# failover lan interface LANFAIL GigabitEthernet0/2
  asa2(config)# failover interface ip LANFAIL standby
  asa2(config)# failover lan unit secondary
  asa2(config)# failover key
  asa2(config)# failover
The secondary needs only this minimum command set; the addresses and key must match those on the primary, and the rest of the configuration arrives by replication.

16-24 Replication to Secondary
Once the secondary detects the active primary, the console shows:
  Beginning configuration replication sending to mate.
  End configuration replication to mate.

16-25 show failover Command with LAN-Based Failover
Viewed from the secondary: the LAN failover interface is up, both units run 7.2(1), and the secondary is Standby Ready.
  asa2(config)# show failover
  Failover On
  Failover unit Secondary
  Failover LAN Interface: LANFAIL GigabitEthernet0/2 (up)
  Unit Poll frequency 500 milliseconds, holdtime 6 seconds
  Interface Poll frequency 600 milliseconds, holdtime 15 seconds
  Interface Policy 1
  Monitored Interfaces 3 of 250 maximum
  Version: Ours 7.2(1), Mate 7.2(1)
  Last Failover at: 18:03:38 UTC Dec
  This host: Secondary - Standby Ready
          Active time: 0 (sec)
          slot 0: ASA5520 hw/sw rev (1.0/7.2(1)) status (Up Sys)
            Interface outside ( ): Normal (Waiting)
            Interface inside ( ): Normal (Waiting)
          slot 1: ASA-SSM-10 hw/sw rev (1.0/5.0(2)S152.0) status (Up/Up)
            IPS, 5.0(2)S152.0, Up
  Other host: Primary - Active
          Active time: 3795 (sec)
          slot 0: ASA5520 hw/sw rev (1.0/7.2(1)) status (Up Sys)
            Interface outside ( ): Normal (Waiting)
            Interface inside ( ): Normal (Waiting)
          slot 1: ASA-SSM-10 hw/sw rev (1.0/5.0(2)S152.0) status (Up/Up)
            IPS, 5.0(2)S152.0, Up
  ...
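A check a practitioner would script against the show failover outputs on slides 16-13, 16-15 and 16-25: parse the command output into a structure and list what a monitoring job should alert on (mate not detected, software mismatch, no Active plus Standby Ready pair, interfaces not Normal, no stateful link). This is an added example, not code from the Cisco course; the two sample outputs are constructed to mirror the 7.2(1) format on the slides, with placeholder addresses where the slides show none.

```python
# Health check over `show failover` output from a PIX/ASA 7.x failover pair.
# Added example, not code from the Cisco course. The two sample outputs are
# constructed to mirror the 7.2(1) output on the slides; the addresses are
# placeholders that the slides elide.
import re
from dataclasses import dataclass, field

SERIAL_MATE_MISSING = """\
Failover On
Failover unit Primary
Interface Poll frequency 600 milliseconds, holdtime 15 seconds
Version: Ours 7.2(1), Mate Unknown
This host: Primary - Active
        Interface outside (192.0.2.1): Normal (Waiting)
        Interface inside (10.0.0.1): Normal (Waiting)
Other host: Secondary - Not detected
        Interface outside (192.0.2.2): Unknown (Waiting)
        Interface inside (10.0.0.2): Unknown (Waiting)
Stateful Failover Logical Update Statistics
        Link : Unconfigured
"""

LAN_STANDBY_READY = """\
Failover On
Failover unit Secondary
Failover LAN Interface: LANFAIL GigabitEthernet0/2 (up)
Version: Ours 7.2(1), Mate 7.2(1)
This host: Secondary - Standby Ready
        Interface outside (192.0.2.2): Normal
        Interface inside (10.0.0.2): Normal
Other host: Primary - Active
        Interface outside (192.0.2.1): Normal
        Interface inside (10.0.0.1): Normal
Stateful Failover Logical Update Statistics
        Link : LANFAIL GigabitEthernet0/2 (up)
"""

IFACE_RE = re.compile(r"^Interface\s+(\S+)\s+\(([^)]*)\):\s+(.+)$")
VERSION_RE = re.compile(r"Ours\s+(\S+),\s+Mate\s+(\S+)")
LINK_RE = re.compile(r"^Link\s*:\s*(.+)$")


@dataclass
class FailoverState:
    enabled: bool = False
    our_version: str = ""
    mate_version: str = ""   # "Unknown" until the mate is detected
    this_role: str = ""      # e.g. "Active", "Standby Ready"
    mate_role: str = ""      # e.g. "Not detected", "Active"
    this_ifaces: dict = field(default_factory=dict)  # name -> state
    mate_ifaces: dict = field(default_factory=dict)
    stateful_link: str = ""  # "Unconfigured" or the link interface


def _host_role(line: str) -> str:
    # "This host: Primary - Active" -> "Active"; pasted transcripts often
    # turn the hyphen into an en dash, so normalize it first.
    tail = line.split(":", 1)[1].replace("\u2013", "-")
    return tail.split(" - ", 1)[-1].strip()


def parse_show_failover(text: str) -> FailoverState:
    st = FailoverState()
    section = None  # "this" / "mate" while inside a host block
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover On"):
            st.enabled = True
        elif line.startswith("Version:") and (m := VERSION_RE.search(line)):
            st.our_version, st.mate_version = m.groups()
        elif line.startswith("This host:"):
            section, st.this_role = "this", _host_role(line)
        elif line.startswith("Other host:"):
            section, st.mate_role = "mate", _host_role(line)
        elif section and (m := IFACE_RE.match(line)):  # "Interface Poll ..." does not match
            name, _addr, state = m.groups()
            (st.this_ifaces if section == "this" else st.mate_ifaces)[name] = state
        elif (m := LINK_RE.match(line)):
            st.stateful_link = m.group(1)
    return st


def failover_problems(st: FailoverState) -> list:
    """What a monitoring check should alert on; an empty list means healthy."""
    problems = []
    if not st.enabled:
        problems.append("failover is off")
    mate_missing = st.mate_role.lower().startswith("not detected")
    if mate_missing:
        problems.append("mate not detected: check the failover link and that the secondary is up")
    elif st.our_version != st.mate_version:
        problems.append(f"software mismatch: ours {st.our_version}, mate {st.mate_version}")
    if not {"Active", "Standby Ready"} <= {st.this_role, st.mate_role}:
        problems.append(f"pair is not Active + Standby Ready (this={st.this_role!r}, mate={st.mate_role!r})")
    sides = [("this", st.this_ifaces)] + ([] if mate_missing else [("mate", st.mate_ifaces)])
    for side, ifaces in sides:
        for name, state in ifaces.items():
            if not state.startswith("Normal"):  # "Normal (Waiting)" passes; Unknown/Failed does not
                problems.append(f"{side} unit interface {name} is {state}")
    if st.stateful_link.lower().startswith("unconfigured"):
        problems.append("no stateful failover link: connections will drop on failover")
    return problems


def is_healthy(show_failover_text: str) -> bool:
    return not failover_problems(parse_show_failover(show_failover_text))
```

Run against the first sample it reports three problems (mate not detected, no Active plus Standby Ready pair, no stateful link); against the second it reports none. Interface states of an undetected mate are skipped deliberately, since every one of them reads Unknown until the mate is seen and would only repeat the first alert.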

16-26 failover mac address Command
  ciscoasa(config)# failover mac address mif_name act_mac stn_mac
  asa1(config)# failover mac address GigabitEthernet0/0 00a0.c989.e481 00a0.c969.c7f1
  asa1(config)# failover mac address GigabitEthernet0/1 00a0.c976.cde5 00a0.c
 Enables you to configure a virtual MAC address for a security appliance failover pair: whichever unit is active uses act_mac and the standby uses stn_mac, so the MAC address that neighbors see for each interface does not depend on which physical unit is active.
(Figure: outside MAC address Act 00a0.c989.e481, Stby 00a0.c969.c7f1; inside MAC address Act 00a0.c976.cde5, Stby 00a0.c)

16-27 Active/Active Failover Configuration

16-28 Active/Active Failover
Active/active failover requires the use of contexts. For example, you could have two security appliances with two contexts each:
 CTX1
 CTX2
In normal conditions, each appliance has one active and one standby context.
 The active context processes traffic.
 The standby context is located in the peer security appliance.
(Figure: Unit A runs CTX1 active and CTX2 standby; Unit B runs CTX1 standby and CTX2 active.)

16-29 Active/Active Failover (Cont.)
Under failed conditions, Unit A determines that the outside interface on CTX1 has failed.
 CTX1 is placed in a failed state.
 Unit A has one failed and one standby context.
CTX1 on Unit B becomes active.
 Unit B has two active contexts.
 Both active contexts pass traffic.
Failover can be context-based or unit-based.
(Figure: Unit A is Failed/Standby with CTX1 failed and CTX2 standby; Unit B is Active/Active with both contexts active.)

16-30 Summary

16-31 Summary
 In order for failover to work, a pair of security appliances must be identical in several respects, including platform type and model, number and types of interfaces, amount of flash memory, and amount of RAM.
 When failover occurs, the security appliance unit type (primary or secondary) does not change; however, the role (active or standby) of the unit does change. In multiple context mode, the role of the context changes.
 With stateful failover, connection status is tracked and relayed between security appliances; therefore, connections remain active.
 With active/standby failover, only one security appliance actively processes user traffic while the other unit acts as a hot standby and is prepared to take over if the active unit fails.

16-32 Summary (Cont.)
 With active/active failover, both units can actively process firewall traffic while serving as a backup for their peer unit.
 Active/active failover is only available to security appliances in multiple context mode.
 The configuration of the primary security appliance is replicated to the secondary security appliance during configuration replication.
 Commands entered within a security context are replicated from the unit on which the security context is in the active state to the peer unit.
