Context Firewall

Context Firewall

Context Firewall

In today's digital landscape, the importance of data security cannot be overstated. Organizations across various sectors are constantly striving to protect sensitive information from malicious actors. One key element in this endeavor is the implementation of context firewalls.

In this blogpost, we will delve into the concept of context firewalls, their benefits, challenges, and how businesses can effectively navigate this security measure.

Table of Contents

Highlights: Context Firewall

Context Firewall Operation

A context firewall is a security system designed to protect a computer network from malicious attacks. It blocks, monitors, and filters network traffic based on predetermined rules.  Multiple Context Mode divides Adaptive Security Appliance ( ASA ) into multiple logical devices, known as security contexts.

Each security context acts like one device and operates independently of others. It has security policies and interfaces similar to Virtual Routing and Forwarding ( VRF ) on routers. You are acting like a virtual firewall. The context firewall offers independent data planes ( one for each security context ), but one control plane controls all of the individual contexts.

Use Cases

Use cases are large enterprises requiring additional ASAs – hosting environments where service providers want to sell security services ( managed firewall service ) to many customers – one context per customer. So, in summary, the ASA firewall is a stateful inspection firewall that supports software virtualization using firewall contexts. Every context has routing, filtering/inspection, address translation rules, and assigned IPS sensors.

 

When would you use multiple security contexts? 

  • A network that requires more than one ASA. So, you may have one physical ASA and need additional firewall services.
  • You may be a large service provider offering security services that must provide each customer with a different security context.
  • An enterprise must provide distinct security policies for each department or user and require a different security context. This may be needed for compliance and regulations.

 

Related: Before you proceed, you may find the following posts helpful:

  1. Virtual Device Context
  2. Virtual Data Center Design
  3. Distributed Firewalls
  4. ASA Failover
  5. OpenShift Security Best Practices
  6. Network Configuration Automation

 



Context Firewall

Key Context Firewall Discussion Points:


  • Introduction to the context firewall and what is involved.

  • Highlighting the details of the different context firewall types.

  • Critical points on the failover link.

  • Technical details on the routing between contexts.

  • A final note on active active failover. 

 

Back to Basics: The firewall

Highlighting the firewall

A firewall is a hardware or software, aka virtual firewalls filtering device, that implements a network security policy and protects the network against external attacks. A packet is a unit of information routed between one point and another over the network. The packet header contains a wealth of data such as source, type, size, origin, and destination address information. As the firewall acts as a filtering device, it watches for traffic that fails to comply with the rules by examining the contents of the packet header.

Firewalls can concentrate on the packet header, the packet payload, or both, and possibly other assets, depending on the firewall types. Most firewalls focus on only one of these. The most common filtering focus is on the packet’s header, with a packet’s payload a close second. The following diagram shows the two main firewall categories stateless and stateful firewalls.

Firewall types
Diagram: Firewall types. Source is IPwithease

 

A stateful firewall is a type of firewall technology that is used to help protect network security. It works by keeping track of the state of network connections and allowing or denying traffic based on predetermined rules. Stateful firewalls inspect incoming and outgoing data packets and can detect malicious traffic. They can also learn which traffic is regular for a particular environment and block any traffic that does not conform to expected patterns.

A stateless firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It does this without keeping any record or “state” of past or current network connections. It can also prevent unauthorized access to the network by controlling traffic based on source and destination IP addresses, ports, and protocols.

 

Stateful vs Stateless Firewall

Stateful Firewall:

A stateful firewall, also known as a dynamic packet filtering firewall, operates at the OSI model’s network layer (Layer 3). Unlike stateless firewalls, which inspect individual packets in isolation, stateful firewalls maintain knowledge of the connection state and context of network traffic. This means that stateful firewalls make decisions based on the characteristics of individual packets and the history of previous packets exchanged within a session.

How Stateful Firewalls Work:

Stateful firewalls keep track of the state of network connections by creating a state table, also known as a stateful inspection table. This table stores information about established connections, including the source and destination IP addresses, port numbers, sequence numbers, and other relevant data. By comparing incoming packets against the information in the state table, stateful firewalls can determine whether a packet is part of an established session or a new connection attempt.

Advantages of Stateful Firewalls:

1. Enhanced Security: Stateful firewalls offer a higher level of security by understanding the context and state of network traffic. This enables them to detect and block suspicious or unauthorized activities more effectively.

2. Better Performance: By maintaining a state table, stateful firewalls can quickly process packets without inspecting each packet individually. This results in improved network performance and reduced latency compared to stateless firewalls.

3. Granular Control: Stateful firewalls provide administrators with fine-grained control over network traffic by allowing them to define rules based on network states, such as allowing or blocking specific types of connections.

Stateless Firewall:

In contrast to stateful firewalls, stateless firewalls, also known as packet filtering firewalls, operate at the network and transport layers (Layers 3 and 4). These firewalls examine individual packets based on predefined rules and criteria without considering the context or history of the network connections.

How Stateless Firewalls Work:

Stateless firewalls analyze incoming packets based on criteria such as source and destination IP addresses, port numbers, and protocol types. Each packet is evaluated independently, without referencing the packets before or after. If a packet matches a rule in the firewall’s rule set, it is allowed or denied based on the specified action.

Advantages of Stateless Firewalls:

1. Simplicity: Stateless firewalls are relatively simple in design and operation, making them easy to configure and manage.

2. Speed: Stateless firewalls can process packets quickly since they do not require the overhead of maintaining a state table or inspecting packet history.

3. Scalability: Stateless firewalls are highly scalable as they do not store any connection-related information. This allows them to handle high traffic volumes efficiently.

 

Next-generation Firewalls

Next-generation firewalls would carry out the most intelligent filtering. Next-generation firewalls (NGFWs) are a type of advanced cybersecurity solution designed to protect networks and systems from malicious threats.

They are designed to provide an extra layer of protection beyond traditional firewalls by incorporating features such as deep packet inspection, application control, intrusion prevention, and malware protection. NGFWs can conduct deep packet inspections to analyze network traffic contents and observe traffic patterns.

This feature allows NGFWs to detect and block malicious packets, preventing them from entering the system and causing harm. The following diagram shows the different ways a firewall can be deployed. The focus of this post will be on multi-context mode. An example would be the Cisco Secure Firewall.

context firewall
Diagram: Context Firewall.

 

Lab Guide: ASA basics.

In the following lab guide, you can see we have an ASA working in routed mode. In routed mode, the ASA is considered a router hop in the network. Each interface that you want to route between is on a different subnet. You can share Layer 3 interfaces between contexts.

Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. On the other hand, a transparent firewall is a Layer 2 firewall that acts like a “bump in the wire” or a “stealth firewall” and is not seen as a router hop to connected devices. 

The ASA considers the state of a packet when deciding to permit or deny the traffic. One enforced parameter for the flow is that traffic enters and exits the same interface. The ASA drops any traffic for an existing flow that enters a different interface. Take note of the command: same-security-traffic permit inter-interface.

 

Cisco ASA configuration
Diagram: Cisco ASA Configuration

 

Context Firewall Types

Contexts are generally helpful when different security policies are applied to traffic flows. For example, this might be when the firewall protects multiple customers or departments in the same organization. Other virtualization technologies, such as VLANs or VRFs, are expected to be used alongside the firewall contexts; however, the firewall contexts have significant differences from the VRFs seen in the IOS routers.

 

Context Configuration Files

  • Context Configurations

For each context, the ASA includes a configuration that identifies the security policy, interfaces, and settings that can be configured. Context configurations can be stored in flash memory or downloaded from a TFTP, FTP, or HTTP(S) server.

  • System configuration

A system administrator configures the configuration location, interfaces, and other operating parameters of contexts in the system configuration to add and manage contexts. The startup configuration looks like this. Basic ASA settings are identified in the system configuration. There are no network interfaces or settings in the system configuration; when the system needs to access network resources (such as downloading contexts from the server), it uses an admin context. The system configuration has only a specialized failover interface for failover traffic.

  • Admin context configuration

Admin contexts are no different from other contexts. Users who log into the admin context have administrator rights and can access all contexts and the system. No restrictions are associated with the admin context, which can be used just like any other context. However, you may need to restrict access to the admin context to appropriate users because logging into the admin context grants administrator privileges over all contexts.

Flash memory must contain the admin context, not remote storage. When you switch from single to multiple modes, the admin context is configured in an internal flash memory file called admin.cfg. You can change the admin context if you do not wish to use admin.cfg as the admin context.

 

Steps: Turning a firewall into multiple context mode:

To turn the firewall to the multiple contexts mode, you should enter the global command mode multiple when logged in via the console port (you may do this remotely, converting the existing running configuration into the so-called admin context, but you risk losing connection to the box); this will force the mode change and reload the appliance.

If you connect to the appliance on the console port, you are logging in to the system context; the sole purpose of this context is to define other contexts and allocate resources to them. 

 

System Context

Used for console access. Create new contexts and assign interfaces to each context.

Admin Context

Used for remote access, either Telnet or SSH. Remote supports the change to command.

User Context

Where the user-defined multi-context ( virtual firewall ) lives.

 

 Multi Context Mode
Diagram: Multi Context Mode

 

Your first action step should be to define the admin context; this special context allows logging into the firewall remotely (via ssh, telnet, or HTTPS). This context should be configured first because the firewall won’t let you create other contexts before designating the admin context using the global command admin-context <name>.

Then you can define additional contexts if needed using the command context <name> and allocate physical interfaces to the contexts using the context-level command allocate-interface <physical-interface> [<logical-name>].

 

Each firewall context is assigned.

Interfaces

Physical or 802.1Q subinterface. Possible to have a shared interface where contexts share interfaces.

Resource Limits

Number of connections, hosts, xlates

Firewall Policy

Different MPF inspections, NAT translations, etc. for each context.

 

Multi Context Mode has many security contexts, acting independently. Sharing multiple contexts with a single interface confuses determining which context to send packets to. ASA must associate inbound traffic with the correct context. Three options exist for the classification of incoming packets.

Unique Interfaces

One-to-one pairing with either physical link or sub-interfaces ( VLAN tags ).

Shared Interface

Unique Virtual MAC Addresses per virtual context, either auto-generate or manual set.

NAT Configurations

Not common.

 

ASA Packet Classification

Packets are also classified differently in multi-context firewalls. For example, in multimode configuration, interfaces can be shared between contexts. Therefore, the ASA must distinguish which packets must be sent to each context.

The ASA categorizes packets based on three criteria:

  1. Unique interfaces – 1:1 pairing with a physical link or sub-interfaces (VLAN tags)
  2. Unique MAC addresses – shared interfaces are assigned Unique Virtual Mac addresses per virtual context to alleviate routing issues, which complicates firewall management
  3. NAT configuration – if unique MAC addresses are disabled, then the ASA uses the mapped addresses in the NAT configuration to classify packets.

Starting with Point 1, the following figure shows multiple contexts sharing an outside interface. The classifier assigns the packet to Context B because Context B includes the MAC address to which the router sends the packet.

 

Context Firewall
Diagram: Context Firewall configuration. Source Cisco.

 

Firewall context interface details

Unique Interfaces are self-explanatory: unique interfaces for each security context. For example, GE 0/0.1 Admin Context, GE 0/0.2 Context A, and GE 0/0.3 Context B. Unique interfaces are best practices, but you need unique routing and IP addressing. This is because each VLAN has its subnet. Transparent firewalls must use unique interfaces.

With Shared Interfaces, contexts MAC addresses classify packets so upstream and downstream routers can send packets to that context. Every security context that shares an interface requires a unique MAC address.

It can be auto-generated ( default behavior ) or manually configured. Manual MAC address assignments take precedence. We share the same outside interface with numerous contexts but have a unique MAC address per context. Use the mac-address auto command under the system context or enter the manual under the interface. Then we have Network Address Translation ( NAT ) and NAT translation per context for shared interfaces—a less common approach.

 

  • A key point: Addressing scheme

The addressing scheme in each context is arbitrary when using shared or unique interfaces. Configure 10.0.0.0/8-address space in context A and context B. ASA does not use an IP address to classify the traffic; it uses the MAC address or the physical link. The problem is that the same addressing cannot be used if NAT is used for incoming packet classification. The recommended approach is unique interfaces and not NAT for classification.

 

  • A key point: Routing between context

Like route-leaking VRFs, routing between contexts is accomplished by traffic hair-pinning in and out of the interface by pointing static routes to relevant next hops. Designs available to Cascade Contexts for shared firewalls; default route from one context indicates to the inside interface of another context.

 

Firewall context resource limitations

All security contexts share resources and belong to the default class, i.e., no division of the control plane. Therefore, no predefined limits are specified from one security context to another. However, problems may arise when one security context overwhelms other contexts, consuming too many resources and denying connection to different contexts. In this case, assign security contexts to resource classes and set upper limits on that class.

 

The default class has the following limitations:

Telnet sessions5 sessions
SSH sessions5 sessions
IPsec sessions5 sessions
MAC addresses5 sessions
VPN site-to-site tunnels0 sessions

 

Active / active failover:

Multi Context Mode offers Active / Active fail-over per Context. Primary forwards for one set of contexts and secondary forwards for another. Security contexts divide logically into failure groups, a maximum of two failure groups. There are never two active forwarding paths at the same time. One ASA is active for Context A. The second ASA is the standby for Context A. Reversed roles for Context B. 

So, in summary. Multi-context mode offers active/active fail-over per context—the primary forwards for a particular context and secondary for another. The security contexts divide logically into failure groups, with a maximum of two failure groups. There will always be one active forwarding path at a time. 

 

Lab Guide: ASA Failover.

The following have two ASAs. ASA1 and ASA2. There is a failover link connecting the two firewalls. ASA1 is the primary, and ASA2 is the backup. ASA failover only occurs when there is an issue; in this case, the links from ASA1 to the switch were down. This created the failover event. Notice the protocol used between the ASA of SCPS from a packet capture.

 

ASA Failover

 

Closing Comments on Context Firewall

Context firewalls provide several advantages over traditional firewalls. By inspecting the content of the network traffic, they can identify and block unauthorized access attempts, malicious code, and other potential threats. This proactive approach significantly enhances the security posture of an organization or an individual, reducing the risk of data breaches and unauthorized access.

Context firewalls are particularly effective in protecting against advanced persistent threats (APTs) and targeted attacks. These sophisticated cyber attacks often exploit application vulnerabilities or employ social engineering techniques to gain unauthorized access. With the ability to analyze the context of the network traffic, context firewalls can detect and block such attacks, minimizing the potential damage that can occur.

Key Features of Context Firewalls:

Context firewalls have various features that augment their effectiveness in securing the digital environment. Some notable features include:

1. Deep packet inspection: Context firewalls analyze the content of individual packets to identify potential threats or unauthorized activities.

2. Application awareness: They understand the specific protocols and applications being used, allowing them to apply tailored security policies.

3. User behavior analysis: Context firewalls can detect anomalies in user behavior, which can indicate potential insider threats or compromised accounts.

4. Content filtering: They can restrict access to specific websites or block certain types of content, ensuring compliance with organizational policies and regulations.

5. Threat intelligence integration: Context firewalls can leverage threat intelligence feeds to stay updated on the latest known threats and patterns of attack, enabling proactive protection.

In the face of increasing cyber threats, context firewalls provide a robust line of defense for organizations and individuals. By analyzing network traffic content and applying security policies based on specific contexts, context firewalls offer enhanced protection against advanced threats and unauthorized access attempts.

With their deep packet inspection, application awareness, user behavior analysis, content filtering, and threat intelligence integration capabilities, context firewalls play a vital role in safeguarding our digital environment. As the cybersecurity landscape continues to evolve, investing in context firewalls should be a priority for anyone seeking to secure their digital assets effectively.

 

Matt Conran
Latest posts by Matt Conran (see all)

One Response