Firewalling

ASA Failover

ASA Failover

Cisco ASA (Adaptive Security Appliance) firewalls are widely used by organizations to protect their networks from unauthorized access and threats. One of the key features of Cisco ASA is failover, which ensures uninterrupted network connectivity and security even in the event of hardware failures or other issues. In this blog post, we will explore the concept of Cisco ASA failover and its importance in maintaining network resilience.

Cisco ASA failover is a mechanism that allows two Cisco ASA firewalls to work together in an active-passive setup. In this setup, one firewall assumes the role of the primary unit, while the other serves as the secondary unit. The primary unit handles all network traffic and actively performs firewall functions, while the secondary unit remains in standby mode, ready to take over in case of primary unit failure.

Active/Standby Failover: One of the most common types of ASA Failover is Active/Standby Failover. In this setup, the primary unit actively handles all network traffic, while the secondary unit remains in a standby mode. Should the primary unit fail, the secondary unit seamlessly takes over, ensuring minimal disruption and downtime for users.

Active/Active Failover: Another type of ASA Failover is Active/Active Failover. This configuration allows both ASA units to actively process traffic simultaneously. With load balancing capabilities, Active/Active Failover optimizes resource utilization and ensures high availability even during peak traffic periods.

Configuring ASA Failover: Configuring ASA Failover involves establishing a failover link between the primary and secondary units, defining failover policies, and synchronizing configuration and state information. Cisco provides intuitive command-line interfaces and graphical tools to simplify the configuration process, making it accessible to network administrators of varying expertise levels.

ASA Failover offers numerous benefits for businesses. Firstly, it provides redundancy, ensuring that network operations continue uninterrupted even in the event of device failures. This translates to increased uptime and improved productivity. Additionally, ASA Failover enhances security by providing seamless failover for security policies, preventing potential vulnerabilities during critical moments.

Highlights: ASA Failover

Understanding Cisco ASA Failover

Cisco ASA (Adaptive Security Appliance) failover is a mechanism that allows for seamless and automatic redundancy in a network’s security infrastructure. By deploying a pair of ASA devices in failover mode, organizations can mitigate the risk of a single point of failure and achieve uninterrupted network connectivity.

The active-standby failover configuration is the most common implementation of Cisco ASA failover. In this setup, one ASA device operates as the active unit, processing all traffic, while the standby unit remains idle, ready to take over in case of a failure. This failover mode ensures minimal disruption and provides a smooth transition without any manual intervention.

For organizations with high traffic loads or a need for load balancing, the active-active failover configuration offers an optimal solution. In this setup, both ASA devices actively process traffic simultaneously, distributing the load evenly. Active-active failover enhances performance and provides redundancy, allowing organizations to handle increased network demands with ease.

Cisco ASA: Configuring and Monitoring 

Configuring Cisco ASA failover involves several steps, including assigning failover-specific IP addresses, determining the failover link, and specifying the failover mode. By following the recommended best practices and utilizing Cisco’s comprehensive documentation, organizations can ensure a smooth and successful configuration process.

While the failover configuration is in place, it is crucial to regularly monitor and test its effectiveness. Organizations should implement a comprehensive monitoring system that alerts administrators in case of failover events and provides detailed visibility into the network’s health. Additionally, conducting periodic failover tests under controlled conditions validates the failover mechanism and ensures its readiness when needed.

Benefits of Cisco ASA Failover

– Enhanced Network Uptime: Organizations can achieve uninterrupted network connectivity with Cisco ASA failover. In the event of a primary unit failure, the secondary unit seamlessly takes over, ensuring minimal disruption to network operations.

– Improved Scalability: Failover setup allows for easy scalability, as additional units can be added to the configuration. This helps accommodate growing network demands without compromising on security or performance.

– Load Balancing: Cisco ASA failover enables load balancing, distributing incoming network traffic across multiple units. This optimizes resource utilization and prevents any single unit from becoming overloaded.

The Cisco ASA Family

The Cisco ASA family offers a wide range of next-generation security features. Its features include simple packet filtering (usually configured with access control lists [ACLs]) and stateful inspection. Additionally, Cisco ASA provides application inspection and awareness. Devices on one side of the firewall can speak to devices on the other through a Cisco ASA device.

Common Security Features

NAT, Dynamic Host Configuration Protocol (DHCP), and the ability to act as a DHCP server or client are also supported by the Cisco ASA family. In addition to Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Open Shortest Path First (OSPF), the Cisco ASA family supports most of the interior gateway routing protocols. Static routing is also supported. It is also possible to implement Cisco ASA devices as traditional Layer 3 firewalls, which assign IP addresses to each of their routable interfaces.

Firewall Implementation

If a firewall is implemented as a transparent (Layer 2) firewall, the actual physical interfaces are not configured with individual IP addresses but rather as a pair of bridge-like interfaces. The ASA can still implement rules and inspect traffic crossing this two-port bridge. Cisco ASA devices are often used as headends or remote ends for VPN tunnels for remote-access VPN users and site-to-site VPN tunnels. VPNs based on IPsec and SSL can be configured on Cisco ASA devices. Clientless SSL VPN.

Site to Site VPN

Understanding Failover

Failover configurations require two identical security appliances connected by an optional Stateful Failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. Failover occurs if those conditions are met.

– Activate/Active failover and Activate/Standby failover are available for the security appliance. A failover configuration determines and performs failover according to its method.

Active/Active failover allows both units to pass network traffic, allowing you to configure load balancing on your network. It is only available on units running in multiple context modes.

-Active/Standby failover replaces one unit with an active unit and one with a standby unit. Performing active/standby failover on single context or multiple context units is possible.

Stateful and stateless failover configurations are both supported.

data center firewall

Stateful and Stateless Failover

Stateful Failover

Stateful failover, as the name suggests, focuses on preserving the state information during the failover process. This means that active connections, such as TCP sessions and UDP flows, are maintained during the transition. In a stateful failover setup, there are two ASA devices: the active unit and the standby unit. The active unit handles all traffic processing while the standby unit remains in a hot standby state, synchronizing its state information with the active unit.

Stateful failover offers several advantages. First and foremost, it ensures seamless failover without interrupting ongoing sessions, resulting in minimal disruption to end-users. Additionally, stateful failover provides load balancing capabilities, distributing incoming traffic between the active and standby units based on their capacity. This helps optimize resource utilization and avoids overloading a single unit.

Stateless Failover

Unlike stateful failover, where session information is preserved, stateless failover focuses solely on the configuration synchronization between the active and standby units. In a stateless failover setup, the ASA units periodically exchange their configuration information to ensure both units have identical settings. However, during failover, any active sessions or connections are reset, and clients need to reestablish their connections.

The choice between stateful and stateless failover depends on the specific requirements of your network environment. If maintaining uninterrupted connections is critical, stateful failover is the ideal choice. On the other hand, if preserving ongoing sessions is not a priority, and quicker failover with minimal configuration synchronization is desired, stateless failover can be a suitable option.

Recap: Cisco ASA Failover Modes

Active/Standby Failover: The primary unit handles traffic in this mode while the secondary unit remains in standby mode. If the primary unit fails, the secondary unit takes over, assuming the active role.

Active/Active Failover: With active/active failover, both units handle traffic simultaneously, effectively load-balancing the network traffic between them. In the event of a failure, the surviving unit takes over the traffic of the failed unit.

ASA failover

Failover Capabilities

The Cisco ASA failover enables firewall failover and offers the following:

Link High Availability: A generic solution achieved by dynamic routing running between interfaces. Dynamic routing enables rerouting around failures. ASA offers up to three equal-cost routes per interface to the same destination network. However, it does not support ECMP ( Equal Cost Multipath ) on multiple interfaces.

Reliable static routing with IP SLA instance: Redundancy achieved through enhanced object tracking and floating static routes.

Redundancy interface: Bind multiple physical interfaces together into one logical interface. It is not the same as EtherChannel. One interface is active and forwarding at any time, unlike EtherChannel, which can forward over all interfaces in a bundle. ASA redundancy interface is an active / standby technology; one interface is active, and the other is on standby.

Node Availability: Firewall Failover, which is the focus of this post.

Related: Before you proceed, you may find the following helpful:

  1. Context Firewall
  2. Stateful Inspection Firewall
  3. Data Center Failover
  4. Virtual Data Center Design
  5. GTM Load Balancer
  6. Virtual Device Context

ASA Failover

Stateful inspection Firewalls

Stateful inspection firewalls are network security devices operating at the OSI model’s network layer (Layer 3). Unlike traditional packet-filtering firewalls, which only examine individual packets, stateful inspection firewalls analyze the context and state of network connections. By maintaining a state table, these firewalls can decide which packets to allow or block based on the connection’s history and the application-layer protocols being used.

Compared to simple packet-filtering firewalls, stateful inspection firewalls offer enhanced benefits. They track every packet passing through their interfaces and verify that every packet is a good, established connection. In addition to the packet header contents, they examine the application layer information within the payload. The firewall can then be configured to permit or deny traffic based on specific payload patterns.

Stateful Inspection Firewall

A stateful firewall, such as the Cisco ASA, goes beyond traditional packet-filtering firewalls by inspecting and maintaining context-aware information about network connections. It examines the entire network conversation, not just individual packets, to make informed decisions about allowing or blocking traffic. This approach provides enhanced security and helps prevent malicious attacks.

Generic failover information

Failover is an essential component of any high-availability system, as it ensures that the system will remain operational and provide services even when the primary system fails. When a system fails, the failover system will take over, allowing operations to continue with minimal interruption.

Several types of failover systems are available, such as active/passive, active/active, and cluster-based. Each type has its advantages and disadvantages, and the type of system used should be determined based on the system’s specific requirements.

Configuring Cisco ASA Failover

Hardware Requirements: To implement Cisco ASA failover, organizations need compatible hardware, including two ASA appliances, a dedicated failover link, and, optionally, a stateful failover link.

Failover Configuration: Setting up Cisco ASA failover involves configuring both units’ interfaces, IP addresses, and failover settings. Proper planning and adherence to best practices are crucial to ensure a seamless failover setup.

Guide Cisco ASA firewall and NAT

In the following lab guide, we have a typical firewall setup. There are inside, outside, and DMZ networks. These security zones govern how traffic flows by default. For example, the interface connected to R2 is the outside, and R1 is the inside. So, by default, traffic cannot flow from Outside to Inside. In this lab, we demonstrate NAT, where traffic from Inside to Outside is NATD. View the output below in the screenshots.

Firewall traffic flow

Network Address Translation (NAT) modifies network address information in IP packet headers while in transit across a traffic routing device. NAT plays a crucial role in conserving IP addresses, enabling multiple devices within a private network to share a single public IP address. Additionally, NAT provides an extra layer of security by hiding internal IP addresses and making them inaccessible from external sources.

By combining ASA Firewall with NAT, organizations can achieve enhanced security and network optimization. The benefits include:

1. Enhanced Security: ASA Firewall protects networks from unauthorized access, malware, and other cyber threats. NAT adds an extra layer of security by concealing internal IP addresses, making it difficult for attackers to target specific devices.

2. IP Address Conservation: NAT allows organizations to conserve public IP addresses by using private IP addresses internally. This is particularly useful in scenarios where the number of available public IP addresses is limited.

3. Increased Network Flexibility: ASA Firewall and NAT enable organizations to establish secure connections between network segments, ensuring controlled access and improved network flexibility.

Guide on ASA failover: 

In this lab, we will address the Active / Standby ASA configuration. We know that the ASA supports active/standby failover, which means one ASA becomes the active device and handles everything while the backup ASA is the standby device. For something to happen, there needs to be a failure event

In our example, ASA1 is ( was ) the primary, and ASA2 is the standby. I disconnected the switch links connected to Gi0//0 on ASA1, triggering the failover event. The screenshot shows the SCPS protocol exchanged between the two ASA nodes. The hello packets are exchanged between active and standby to detect failures using messages sent using IP protocol 105. IP protocol 105 refers to SCPS (Space Communications Protocol Standards).”

The failover mechanism is stateful, meaning the active ASA sends all stateful connection information to the standby ASA. This includes TCP/UDP states, NAT translation tables, ARP tables, and VPN information.

ASA Failover

Highlighting Cisco ASA Failover

The Cisco ASA failover is the high availability mechanism that mainly provides redundancy rather than capacity scaling. While Active/Active failover can help distribute traffic load across a failover pair or devices, its scalability has significant practical implications. With this design, we can leverage failover to group identical ASA appliances or modules into a fully redundant firewall entity with centralized configuration management and stateful session replication ( if needed ).

When one unit in the failover pair can no longer pass transit traffic, its identical peer seamlessly assumes firewall functionality with minimal impact on traffic flows. This type of firewalling design is helpful for an active active data center design.

Cisco ASA failover
Diagram: Cisco ASA failover. Source Grandmetric

Unit Roles and Functions in Firewall Failover

If configuring a firewall failover pair, designate one unit as primary and the other as secondary. The roles are statically configured and do not change during failover. The failover subsystem could use this designation to resolve some operational conflicts. Still, either the primary or secondary units may pass transit traffic while in an active role while their peers remain on standby. Depending on the operational state of the failover pair, dynamic active and standby roles pass between the statically defined primary and secondary units.

Guide: ASA Failover 

Cisco ASA firewalls are often essential network devices. Our company uses them for (remote access) VPNs, NAT/PAT, filtering, and more. Since they’re so important, having a second ASA if the first fails is a good idea.

It supports active/standby failover, which means one ASA is the active device, handling everything, while the backup ASA is the standby. Without a failing active ASA, it doesn’t do anything.

Stateful failover means all stateful connection information is sent from the active ASA to the standby ASA. It includes TCP/UDP states, NAT translation tables, ARP tables, and VPN information.

Your users won’t notice anything if the active ASA fails because the standby ASA has all the connection information…

If you want to use failover, you must meet the following requirements:

  1. The platform must be the same, for example, 2x ASA 5510 or 2x ASA 5522.
  2. Hardware must be identical: same number and type of interfaces. There must be the same amount of flash memory and RAM.
  3. There are two operating modes: routed and transparent and single and multiple contexts.
  4. The license must be the same, including the number of VPN peers, encryption, etc.
  5. License correctly issued. ASA 5510 is an example of a “lower” model that requires Security Plus licenses for failover

Adaptive Security Appliance: ASA Failover

A failover group for ASA’s high availability consists of identical ASAs connected via a dedicated failover link and an optional state link. Two failover modes, Active / Standby or Active / Active, work in Routed and Transparent modes. Depending on the IOS version, you can use a mixture of routed and transparent modes per context.

There are two types of Cisco ASA failover: Active/Standby failover and Active/Active failover.

Active / Standby

In an Active/Standby failover configuration, the primary unit handles all traffic while the secondary unit remains idle, continuously monitoring the primary unit’s status. If the primary unit fails, the secondary unit becomes the new active unit. This failover process occurs seamlessly, ensuring uninterrupted network connectivity and minimal downtime.

Active / Standby: One-forwarding path and active ASA. The standby forwards traffic when the active device fails over. Traffic is not evenly distributed over both units. Active / standby uses single or multiple context modes. Failover allows two firewall units to operate in hot standby mode.

For two units to operate as a firewall failover pair, their hardware and software configurations must be identical (flash disk and minor software version differences are allowed for zero downtime upgrade of a failover pair). One firewall unit is designated as primary and another as secondary, and by default, the primary unit receives the active role, and the secondary receives the standby role.

Active / Active for context groups

Active/Active failover, as the name suggests, allows both Cisco ASA firewalls to handle network traffic simultaneously actively. Each firewall can have its own set of interfaces and IP addresses, providing load balancing and increased throughput. In a failure, the remaining active firewall takes over the failed unit’s responsibilities, ensuring uninterrupted network services.

Active / Active for context groups: This feature is not supported in single context mode and is only available in multiple context mode. When configuring failover, it is mandatory to set both firewalls in single or multiple context modes simultaneously, with multiple context modes supporting a unique failover function known as Active/Active failover.

With Active/Active failover, the primary unit is active for the first group of security contexts and standby for the second group. In contrast, the secondary unit is active for the second group and standby for the first group. Only two failover groups are supported because only two ASAs are within a failover pair, and the admin context is always a group one member.

Both ASAs forward simultaneously by splitting the context into logical failover groups. Still, technically active / standby. It is not like the Gateway Load Balancing Protocol ( GLBP ). Two units do not forward for the same context at the same time.

ASA failover
Diagram: ASA failover.

It permits a maximum of two failover groups. For example, one group was active on the primary ASA, and another was active on the secondary ASA. Active / Active failover occurs in a group and not on a system basis.

Upon failover event, either by primary unit or context group failure, the secondary takes over the primary IP and Media Access Control Address ( MAC ) address and begins forwarding traffic immediately. The failover event is seamless; no change in IP or MAC results in zero refreshes to Address Resolution Protocol ( ARP ) tables at Layer 3 hosts. If the failover changed MAC addresses, all other Layer 3 devices on the network would have to flush their ARP tables.

ASA high availability: Type of firewall failover

For ASA high availability, there are two types of failovers are available

  1. Stateful failover and
  2. Stateless failover.

Cisco ASA Failover: Stateless failover

The default mode is Stateless; no state/connection information is maintained, and upon failover, existing connections are dropped and must be re-established. It uses a dedicated failover link to poll each other. Upon failover, which can be manual or detected, the unit changes roles, and standby assumes the IP and MAC of the primary unit.

Cisco ASA Failover: Stateful failover

Failover operates statelessly by default. The active unit only synchronizes its configuration with the standby device in this configuration. After a failover event, all stateful flow information remains local to the active ASA, so all connections must be re-established. In most high-availability configurations, stateful failover is required to preserve ASA processing resources. You must configure a stateful failover link to communicate state information to the standby ASA, as discussed in the “Stateful Link” section. When stateful replication is enabled, an active ASA synchronizes the following additional information to the standby peer.

Stateful table for TCP and UDP connections. Certain short-lived connections are not synchronized by default by ASA to preserve processing resources. For example, unless you configure the failover replication http command, HTTP connections over TCP port 80 remain stateless.

In the same way, ICMP connections synchronize only in Active/Active failover scenarios with configured Asymmetric Routing (ASR) groups. The maximum connection setup rate supported by the particular ASA platform may be reduced by up to 30 percent when stateful replication is enabled for all connections.

ASA stateful failover: Pass state/connection

Stateful failover: Both units pass state/connection information to each other. Connection information could be Network Address Translation ( NAT ) tables, TCP / UDP connection states, IPSEC SA, and ARP tables. The active unit constantly replicates the state table. Whenever a new connection is added to the table, it’s copied to the standby unit. It is processor-intensive, so you need to understand the design requirements.

Does your environment need stateful redundancy? Does it matter if users must redial or establish a new AnyConnect session? Stateful failover requires a dedicated “stateful failover link.” The stateless failover link can be used, but separating these functions is recommended.

Dynamic routing protocols are maintained with stateful failover. The routes learned by the active unit are carried across to the Routing Information Base ( RIB ) table on the standby unit. However, hypertext Transfer Protocol ( HTTP ) connections are short-lived, and HTTP clients usually retry failed connection attempts. As a result, by default, the HTTP state is not replicated. The command failover replication HTTP enables HTTP connections in replication.

ASA failover
Diagram: Checking ASA failover status

Firewall Failover Link

The failover link is for Link-Local communication between ASAs and determines the status of each ASA. Layer 2 polling via HELLO Keepalives transmitted and configurations synchronized. Have the connecting switch ports in port fast mode, ensuring if a flap of the link occurs, no other Layer 2 convergence will affect the failover convergence.

For redundancy purposes, use port channels and do not use the same link for stateless connectivity. It is recommended that the failover and data links be connected through different physical paths. Failover links should not use the same switch as the data interfaces, as the state information may generate excessive traffic. In addition, you don’t want the replication of the state information to interfere with normal Keepalives.

Failover link connectivity

The failover link can be connected directly or by an Ethernet switch. If the failover link connects via an ethernet switch, use a separate VLAN with no other devices in that Layer 2 broadcast domain. ASA supports Auto-MDI/MDIX, enabling crossover or straight-through cable. MDI-MDIX automatically detects the cable type and swaps transmit/receive pairs to match the cable seen.

ASA’s high availability and asymmetric routing

Asymmetric routing means that a packet does not follow the same logical path both ways (outbound client-to-server traffic uses one path, and inbound server-to-client uses another path). Because firewalls track connection states and inspect traffic, asymmetric routing is not firewall-friendly by default, traffic is dropped, and TCP traffic is significantly affected.

The problem with asymmetric traffic flows is that if ASA receives a packet without connection/state information, it will drop it. The issue may arise in the case of an Active / Active design connected to two different service providers. It does not apply to Active / Standby as the standby is not forwarding traffic and, as a result, will not receive returning traffic sent from the active unit. It is possible to allow asymmetrically routed packets by assigning similar interfaces to the same ASR group.

Asymmetric Traffic
Diagram: Asymmetric traffic.

ASA Failover and Traffic Flow Considerations

  • An outbound session exists to ISP-A through the Primary-A context.

  • In this instance, return traffic flows from ISP-B to Primary-B context.

  • Traffic dropped as Primary-B does not have state information for the original flow.

  • However, due to interfaces configured in the same ASR Group, session information for the original outbound flow has been replicated to the Primary-B context. 

  • Layer 2 header rewritten and traffic redirected to Primary-B. Resulting in asymmetrically routed packets being restored to the correct interface.

 Stateful failover and HTTP replication are required.

Although in all real deployments, you should avoid asymmetric routing (with or without a firewall in the path), there are certain cases when this is required or when you need more control. If a firewall is in the path, there are several options to still allow traffic through:

  • If outbound traffic transits the firewall, but inbound traffic does not, use TCP state bypass for the respective connection or use static NAT with nailed option (effectively disables TCP state tracking and sequence checking for the connection).
  • If both outbound and inbound traffic transit the firewall but on different interfaces, use the exact solutions as above.
  • If outbound traffic transits one context of the ASA and inbound traffic transits another context of the ASA, use ASR groups; this applies only for multi-context mode and requires active-active stateful failover configured.

Unit Monitoring

The failover link determines the health of the overall unit. HELLO packets are sent over the failover link. The lack of three consecutive HELLOs causes ASA to send an additional HELLO packet out of ALL data interfaces, including the failover link, ruling out the failure of the actual failover link.

The ASA’s action depends on the additional HELLO packets. No action occurs if a response is received over the failover or data links, and failover actions occur if no response is received on any of the links. With interface monitoring, the number of monitored interfaces depends on the IOS version. It would help if you always tried to monitor essential interfaces.

A final note on ASA’s high availability: In an IPv6 world, ASA uses IPv6 neighbor discovery instead of ARP for its health monitoring tests. If it has to broadcast to all nodes, it uses IPv6 FE02::1. FE02::1 is an all-IPv6 speakers-multicast group.

Summary: ASA Failover

In today’s fast-paced digital landscape, network downtime can be catastrophic for businesses. As companies rely heavily on their network infrastructure, having a robust failover mechanism is crucial to ensure uninterrupted connectivity. In this blog post, we delved into the world of ASA failover and explored its importance in achieving network resilience and high availability.

Understanding ASA Failover

ASA failover refers to the capability of Cisco Adaptive Security Appliances (ASAs) to automatically switch to a backup unit in the event of a primary unit failure. It creates a seamless transition, maintaining network connectivity without any noticeable interruption. ASA failover operates in Active/Standby and Active/Active modes.

Active/Standby Failover Configuration

In an Active/Standby failover setup, one ASA unit operates as the active unit, handling all traffic. In contrast, the standby unit remains hot, ready to take over instantly. This configuration ensures network continuity even if the active unit fails. The standby unit constantly monitors the health of the active unit, ensuring a swift failover when needed.

Active/Active Failover Configuration

Active/Active failover allows both ASA units to process traffic simultaneously, distributing the load and maximizing resource utilization. This configuration is ideal for environments with high traffic volume and resource-intensive applications. In a failure, the remaining active unit seamlessly takes over the entire workload, offering uninterrupted connectivity.

Configuring ASA Failover

Configuring ASA failover involves several steps, including interface and IP address configuration, failover link setup, and synchronization settings. Cisco provides a comprehensive set of commands to configure ASA failover efficiently. Following best practices and thoroughly testing the failover configuration is essential to ensure its effectiveness during real-world scenarios.

Monitoring and Troubleshooting Failover

Proactive monitoring and regular testing are essential to maintain the reliability and effectiveness of ASA failover. Cisco ASA provides various monitoring tools and commands to monitor failover status, track synchronization, and troubleshoot any issues that may arise. Establishing a monitoring routine and promptly address any detected problems to prevent potential network disruptions is crucial.

Conclusion:

ASA failover is a critical component of network resilience and high availability. By implementing an appropriate failover configuration, organizations can minimize downtime, ensure uninterrupted connectivity, and provide a seamless experience to their users. Whether it is Active/Standby or Active/Active failover, the key lies in proper configuration, regular monitoring, and thorough testing. Invest in ASA failover today and safeguard your network against potential disruptions.

Context Firewall

Context Firewall

Context Firewall

In today's digital landscape, the importance of data security cannot be overstated. Organizations across various sectors are constantly striving to protect sensitive information from malicious actors. One key element in this endeavor is the implementation of context firewalls.

In this blogpost, we will delve into the concept of context firewalls, their benefits, challenges, and how businesses can effectively navigate this security measure.

A context firewall is a sophisticated cybersecurity measure that goes beyond traditional firewalls. While traditional firewalls focus on blocking specific network ports or IP addresses, context firewalls take into account the context and content of network traffic. They analyze the data flow, examining the behavior and intent behind network requests, ensuring a more comprehensive security approach.

Context firewalls play a crucial role in enhancing digital security by providing advanced threat detection and prevention capabilities. By examining the context and content of network traffic, they can identify and block malicious activities, including data exfiltration attempts, unauthorized access, and insider attacks. This proactive approach helps defend against both known and unknown threats, adding an extra layer of protection to your digital assets.

The advantages of context firewalls are multi-fold. Firstly, they enable granular control over network traffic, allowing administrators to define specific policies based on context. This ensures that only legitimate and authorized activities are allowed, reducing the risk of unauthorized access or data breaches.

Secondly, context firewalls provide real-time visibility into network traffic, empowering security teams to identify and respond swiftly to potential threats. Lastly, these firewalls offer advanced analytics and reporting capabilities, aiding in compliance efforts and providing valuable insights into network behavior.

Highlights: Context Firewall

The Role of Firewalling

Firewalls protect inside networks from unauthorized access from outside networks. Firewalls can also separate inside networks, for example, by keeping human resources networks from user networks.

Demilitarized zones (DMZs) are networks behind firewalls that allow outside users to access network resources such as web or FTP servers. A firewall only allows limited access to the DMZ, but since the DMZ only contains the public servers, an attack there will only affect the servers and not the rest of the network.

Additionally, you can restrict access to outside networks (for example, the Internet) by allowing only specific addresses out, requiring authentication, or coordinating with an external URL filtering server.

Three types of networks are connected to a firewall: the outside network, the inside network, and a DMZ, which permits limited access to outside users. These terms are used in a general sense because the security appliance can configure many interfaces with different security policies, including many inside interfaces, many DMZs, and even many outside interfaces.

– Understanding Firewalls: Firewalls serve as a protective barrier between a trusted internal network and an external network, such as the internet. They monitor and control incoming and outgoing network traffic based on predefined security rules. Firewalls can be categorized into several types based on their characteristics and deployment methods.

– Exploring Traditional Firewalls: Traditional firewalls, also known as packet-filtering firewalls, operate at the network layer (Layer 3) of the OSI model. They examine individual packets of data and determine whether to allow or block them based on predetermined rules. These firewalls analyze IP addresses, ports, and protocols to make filtering decisions.

– Next-Generation Firewalls: As cyber threats have evolved, so have firewalls. Next-generation firewalls (NGFWs) go beyond packet filtering and integrate additional security features. They provide advanced capabilities such as deep packet inspection, intrusion prevention, and application-level filtering. NGFWs offer enhanced visibility and control over network traffic, helping organizations combat sophisticated attacks more effectively.

– Introducing Context Firewalling: Context firewalling takes network security to a whole new level. Unlike traditional firewalls that focus on individual packets or NGFWs that analyze application-layer data, context firewalls operate at the session layer (Layer 5) of the OSI model. They establish context-aware security policies by considering the complete network session, including user identity, behavior, and device posture.

Context firewalling offers several advantages over traditional and NGFW approaches. By considering contextual information, these firewalls can make more informed decisions about network access, reducing false positives and enhancing security. Context firewalls also enable dynamic policy enforcement based on real-time user and device behavior, adapting to the evolving threat landscape.

Context Firewalling

Context firewalls provide several advantages over traditional firewalls. By inspecting the content of the network traffic, they can identify and block unauthorized access attempts, malicious code, and other potential threats. This proactive approach significantly enhances the security posture of an organization or an individual, reducing the risk of data breaches and unauthorized access.

Context firewalls are particularly effective in protecting against advanced persistent threats (APTs) and targeted attacks. These sophisticated cyber attacks often exploit application vulnerabilities or employ social engineering techniques to gain unauthorized access. By analyzing the context of network traffic, context firewalls can detect and block such attacks, minimizing the potential damage.

Key Features of Context Firewalls:

Context firewalls have various features that augment their effectiveness in securing the digital environment. Some notable features include:

1. Deep packet inspection: Context firewalls analyze the content of individual packets to identify potential threats or unauthorized activities.

2. Application awareness: They understand the specific protocols and applications being used, allowing them to apply tailored security policies.

3. User behavior analysis: Context firewalls can detect anomalies in user behavior, which can indicate potential insider threats or compromised accounts.

4. Content filtering: They can restrict access to specific websites or block certain types of content, ensuring compliance with organizational policies and regulations.

5. Threat intelligence integration: Context firewalls can leverage threat intelligence feeds to stay updated on the latest known threats and patterns of attack, enabling proactive protection.

Context firewalls provide organizations and individuals with a robust defense against increasing cyber threats. By analyzing network traffic content and applying security policies based on specific contexts, context firewalls offer enhanced protection against advanced threats and unauthorized access attempts.

With their deep packet inspection, application awareness, user behavior analysis, content filtering, and threat intelligence integration capabilities, context firewalls play a vital role in safeguarding our digital environment. As the cybersecurity landscape continues to evolve, investing in context firewalls should be a priority for anyone seeking to secure their digital assets effectively.

Example Firewalling with Linux

Understanding UFW Firewall

The UFW (Uncomplicated Firewall) is a user-friendly interface built on top of the iptables firewall system. It is designed to simplify configuring and managing firewall rules without compromising security. By leveraging iptables, UFW provides a convenient way to secure your network from unauthorized access, malicious activities, and potential threats.

Implementing a UFW firewall offers several notable advantages. First, it provides a straightforward and intuitive command-line interface, making it accessible even for users with limited technical expertise. Second, UFW supports IPv4 and IPv6, ensuring compatibility across network protocols. Third, UFW allows for easy rule configuration, such as defining specific ports, IP addresses, or even application profiles, giving you fine-grained control over network access. Lastly, UFW integrates seamlessly with other security tools and services, enhancing the overall protection of your network infrastructure.

Understanding Multi-Context Firewalls

A multi-context firewall is a security device that creates multiple virtual firewalls within a single physical firewall appliance. Each virtual firewall, known as a context, operates independently of its security policies, interfaces, and routing tables. This segregation enables organizations to consolidate their network security infrastructure while maintaining strong isolation between network segments.

Organizations can ensure that traffic flows are strictly controlled and isolated by creating separate contexts for different departments, business units, or even customers. This segmentation prevents lateral movements in case of a breach, limiting the potential impact on the entire network.

Security Context

By partitioning a single security appliance, multiple security contexts can be created. Each context has its own security policy, interface, and administrator. Having multiple contexts is similar to having multiple standalone devices. Routing tables, firewalls, intrusion prevention systems, and management are all supported in multiple context modes. Dynamic routing protocols and VPNs are not supported.

Context Firewall Operation

A context firewall is a security system designed to protect a computer network from malicious attacks. It blocks, monitors, and filters network traffic based on predetermined rules.  Multiple Context Mode divides Adaptive Security Appliance ( ASA ) into multiple logical devices, known as security contexts.

Each security context acts like one device and operates independently of others. It has security policies and interfaces similar to Virtual Routing and Forwarding ( VRF ) on routers. You are acting like a virtual firewall. The context firewall offers independent data planes ( one for each security context ), but one control plane controls all of the individual contexts.

Use Cases

Use cases are large enterprises requiring additional ASAs – hosting environments where service providers want to sell security services ( managed firewall service ) to many customers – one context per customer. So, in summary, the ASA firewall is a stateful inspection firewall that supports software virtualization using firewall contexts. Every context has routing, filtering/inspection, address translation rules, and assigned IPS sensors.

When would you use multiple security contexts? 

  • A network that requires more than one ASA. So, you may have one physical ASA and need additional firewall services.
  • You may be a large service provider offering security services that must provide each customer with a different security context.
  • An enterprise must provide distinct security policies for each department or user and require a different security context. This may be needed for compliance and regulations.

Google Cloud Security 

Understanding FortiGate and its Capabilities

FortiGate is an industry-leading network security appliance that provides comprehensive threat protection, intrusion prevention, and advanced firewall capabilities. With its advanced security features and centralized management, FortiGate ensures a robust defense against cyber threats, offering enhanced visibility and control over your Google Compute resources.

FortiGate seamlessly integrates with Google Cloud, allowing you to extend your security policies and controls to your Google Compute instances. By deploying FortiGate as a virtual machine on Google Compute Engine, you can create a secure perimeter around your cloud infrastructure, safeguarding it from both external and internal threats.

– Advanced Threat Protection: FortiGate provides real-time threat intelligence and advanced threat protection capabilities, such as intrusion prevention, antivirus, web filtering, and application control. These features help identify and mitigate potential security risks, ensuring the integrity of your Google Compute resources.

– Secure Remote Access: With FortiGate, you can establish secure remote access VPN connections to your Google Compute instances. This enables authorized users to securely access your cloud resources, while ensuring that unauthorized access attempts are blocked.

– Scalability and Performance: FortiGate is designed to handle high network traffic volume without compromising performance. It offers scalable solutions that can adapt to the dynamic needs of your growing Google Compute infrastructure.

– Centralized Management: FortiGate provides a centralized management platform, allowing you to efficiently manage and monitor your security policies across your entire Google Compute environment. This simplifies the management process and ensures consistent security across all instances.

Related: Before you proceed, you may find the following posts helpful:

  1. Virtual Device Context
  2. Virtual Data Center Design
  3. Distributed Firewalls
  4. ASA Failover
  5. OpenShift Security Best Practices
  6. Network Configuration Automation

Context Firewall

Highlighting the firewall

A firewall is a hardware or software, aka virtual firewalls filtering device, that implements a network security policy and protects the network against external attacks. A packet is a unit of information routed between one point and another over the network. The packet header contains a wealth of data such as source, type, size, origin, and destination address information. As the firewall acts as a filtering device, it watches for traffic that fails to comply with the rules by examining the contents of the packet header.

Firewalls can concentrate on the packet header, the packet payload, or both, and possibly other assets, depending on the firewall types. Most firewalls focus on only one of these. The most common filtering focus is on the packet’s header, with a packet’s payload a close second. The following diagram shows the two main firewall categories stateless and stateful firewalls.

Firewall types
Diagram: Firewall types. Source is IPwithease

A stateful firewall is a type of firewall technology that is used to help protect network security. It works by keeping track of the state of network connections and allowing or denying traffic based on predetermined rules. Stateful firewalls inspect incoming and outgoing data packets and can detect malicious traffic. They can also learn which traffic is regular for a particular environment and block any traffic that does not conform to expected patterns.

A stateless firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It does this without keeping any record or “state” of past or current network connections. Controlling traffic based on source and destination IP addresses, ports, and protocols can also prevent unauthorized access to the network.

data center firewall

Stateful vs. Stateless Firewall

Stateful Firewall:

A stateful firewall, also known as a dynamic packet filtering firewall, operates at the OSI model’s network layer (Layer 3). Unlike stateless firewalls, which inspect individual packets in isolation, stateful firewalls maintain knowledge of the connection state and context of network traffic. This means that stateful firewalls make decisions based on the characteristics of individual packets and the history of previous packets exchanged within a session.

How Stateful Firewalls Work:

Stateful firewalls keep track of the state of network connections by creating a state table, also known as a stateful inspection table. This table stores information about established connections, including the source and destination IP addresses, port numbers, sequence numbers, and other relevant data. By comparing incoming packets against the information in the state table, stateful firewalls can determine whether a packet is part of an established session or a new connection attempt.

Advantages of Stateful Firewalls:

1. Enhanced Security: Stateful firewalls offer a higher level of security by understanding the context and state of network traffic. This enables them to detect and block suspicious or unauthorized activities more effectively.

2. Better Performance: By maintaining a state table, stateful firewalls can quickly process packets without inspecting each packet individually. This results in improved network performance and reduced latency compared to stateless firewalls.

3. Granular Control: Stateful firewalls provide administrators with fine-grained control over network traffic by allowing them to define rules based on network states, such as allowing or blocking specific types of connections.

Stateless Firewall:

In contrast to stateful firewalls, stateless firewalls, also known as packet filtering firewalls, operate at the network and transport layers (Layers 3 and 4). These firewalls examine individual packets based on predefined rules and criteria without considering the context or history of the network connections.

How Stateless Firewalls Work:

Stateless firewalls analyze incoming packets based on criteria such as source and destination IP addresses, port numbers, and protocol types. Each packet is evaluated independently, without referencing the packets before or after. If a packet matches a rule in the firewall’s rule set, it is allowed or denied based on the specified action.

Advantages of Stateless Firewalls:

1. Simplicity: Stateless firewalls are relatively simple in design and operation, making them easy to configure and manage.

2. Speed: Stateless firewalls can process packets quickly since they do not require the overhead of maintaining a state table or inspecting packet history.

3. Scalability: Stateless firewalls are highly scalable as they do not store any connection-related information. This allows them to handle high traffic volumes efficiently.

Next-generation Firewalls

Next-generation firewalls (NGFWs) would carry out the most intelligent filtering. They are a type of advanced cybersecurity solution designed to protect networks and systems from malicious threats.

They are designed to provide an extra layer of protection beyond traditional firewalls by incorporating features such as deep packet inspection, application control, intrusion prevention, and malware protection. NGFWs can conduct deep packet inspections to analyze network traffic contents and observe traffic patterns.

This feature allows NGFWs to detect and block malicious packets, preventing them from entering the system and causing harm. The following diagram shows the different ways a firewall can be deployed. The focus of this post will be on multi-context mode. An example would be the Cisco Secure Firewall.

context firewall
Diagram: Context Firewall.

Guide: ASA Basics.

In the following lab guide, you can see we have an ASA working in routed mode. In routed mode, the ASA is considered a router hop in the network. Each interface that you want to route between is on a different subnet. You can share Layer 3 interfaces between contexts.

Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. On the other hand, a transparent firewall is a Layer 2 firewall that acts like a “bump in the wire” or a “stealth firewall” and is not seen as a router hop to connected devices. 

The ASA considers the state of a packet when deciding to permit or deny the traffic. One enforced parameter for the flow is that traffic enters and exits the same interface. The ASA drops any traffic for an existing flow that enters a different interface. Take note of the command: same-security-traffic permit inter-interface.

Cisco ASA configuration
Diagram: Cisco ASA Configuration

Multi-Context Firewall Types

Contexts are generally helpful when different security policies are applied to traffic flows. For example, the firewall might protect multiple customers or departments in the same organization. Other virtualization technologies, such as VLANs or VRFs, are expected to be used alongside the firewall contexts; however, the firewall contexts have significant differences from the VRFs seen in the IOS routers.

Context Configuration Files

For each context, the ASA includes a configuration that identifies the security policy, interfaces, and settings that can be configured. Context configurations can be stored in flash memory or downloaded from a TFTP, FTP, or HTTP(S) server.

System configuration

A system administrator configures the configuration location, interfaces, and other operating parameters of contexts in the system configuration to add and manage contexts. The startup configuration looks like this. Basic ASA settings are identified in the system configuration. There are no network interfaces or settings in the system configuration; when the system needs to access network resources (such as downloading contexts from the server), it uses an admin context. The system configuration has only a specialized failover interface for failover traffic.

Admin context configuration

Admin contexts are no different from other contexts. Users who log into the admin context have administrator rights and can access all contexts and the system. No restrictions are associated with the admin context, which can be used just like any other context. However, you may need to restrict access to the admin context to appropriate users because logging into the admin context grants administrator privileges over all contexts.

Flash memory must contain the admin context, not remote storage. When you switch from single to multiple modes, the admin context is configured in an internal flash memory file called admin.cfg. You can change the admin context if you do not wish to use admin.cfg as the admin context.

Steps: Turning a firewall into multiple context mode:

To turn the firewall to the multiple contexts mode, you should enter the global command mode multiple when logged in via the console port (you may do this remotely, converting the existing running configuration into the so-called admin context, but you risk losing connection to the box); this will force the mode change and reload the appliance.

If you connect to the appliance on the console port, you are logging in to the system context; the sole purpose of this context is to define other contexts and allocate resources to them. 

System Context

Used for console access. Create new contexts and assign interfaces to each context.

Admin Context

Used for remote access, either Telnet or SSH. Remote supports the change to command.

User Context

Where the user-defined multi-context ( virtual firewall ) lives.

 Multi Context Mode
Diagram: Multi Context Mode

Your first action step should be to define the admin context; this special context allows logging into the firewall remotely (via ssh, telnet, or HTTPS). This context should be configured first because the firewall won’t let you create other contexts before designating the admin context using the global command admin-context <name>.

Then you can define additional contexts if needed using the command context <name> and allocate physical interfaces to the contexts using the context-level command allocate-interface <physical-interface> [<logical-name>].

Each firewall context is assigned.

Interfaces

Physical or 802.1Q subinterface. Possible to have a shared interface where contexts share interfaces.

Resource Limits

Number of connections, hosts, xlates

Firewall Policy

Different MPF inspections, NAT translations, etc. for each context.

The multi-context mode has many security contexts acting independently. Sharing multiple contexts with a single interface confuses determining which context to send packets to. ASA must associate inbound traffic with the correct context. Three options exist for classifying incoming packets.

Unique Interfaces

One-to-one pairing with either physical link or sub-interfaces ( VLAN tags ).

Shared Interface

Unique Virtual MAC Addresses per virtual context, either auto-generate or manual set.

NAT Configurations

Not common.

The Basics of ASA Packet Classification

ASA packet classification is the process of categorizing network packets based on various criteria. These criteria include source and destination IP addresses, port numbers, protocol types, and more. By classifying packets, the ASA firewall can make informed decisions on how to handle them, whether it’s allowing or denying their passage.

Access Control Lists (ACLs)

ACLs are a fundamental tool for ASA packet classification. They provide a granular level of control over network traffic by defining rules that determine whether packets should be permitted or denied. ACLs are typically configured based on specific criteria such as IP addresses, port numbers, and protocols. Understanding how to create and optimize ACLs is crucial for effective packet classification.

Modular Policy Framework (MPF)

MPF takes packet classification to the next level by introducing a more flexible and sophisticated approach. It allows administrators to define policies that can encompass multiple ACLs and apply them to different interfaces or traffic flows. With MPF, packet classification becomes more dynamic and adaptable, enabling better network management and security.

Advanced Packet Classification Techniques

Beyond the basics, ASA offers advanced packet classification techniques that enhance network performance and security. These techniques include packet inspection, deep packet inspection (DPI), and application layer protocol inspection. By analyzing packet payloads and application-layer data, ASA can make more intelligent decisions, leading to improved network efficiency and threat prevention.

ASA Packet Classification: Mulit-Context

Packets are also classified differently in multi-context firewalls. For example, in multimode configuration, interfaces can be shared between contexts. Therefore, the ASA must distinguish which packets must be sent to each context.

The ASA categorizes packets based on three criteria:

  1. Unique interfaces – 1:1 pairing with a physical link or sub-interfaces (VLAN tags)
  2. Unique MAC addresses – shared interfaces are assigned Unique Virtual Mac addresses per virtual context to alleviate routing issues, which complicates firewall management
  3. NAT configuration: If unique MAC addresses are disabled, the ASA uses the mapped addresses in the NAT configuration to classify packets.

Starting with Point 1, the following figure shows multiple contexts sharing an outside interface. The classifier assigns the packet to Context B because Context B includes the MAC address to which the router sends the packet.

Context Firewall
Diagram: Context Firewall configuration. Source Cisco.

Firewall context interface details

Unique Interfaces are self-explanatory: there should be unique interfaces for each security context, for example, GE 0/0.1 Admin Context, GE 0/0.2 Context A, and GE 0/0.3 Context B. Unique interfaces are best practices, but you also need unique routing and IP addressing. This is because each VLAN has its subnet. Transparent firewalls must use unique interfaces.

With Shared Interfaces, contexts MAC addresses classify packets so upstream and downstream routers can send packets to that context. Every security context that shares an interface requires a unique MAC address.

It can be auto-generated ( default behavior ) or manually configured. Manual MAC address assignments take precedence. We share the same outside interface with numerous contexts but have a unique MAC address per context. Use the mac-address auto command under the system context or enter the manual under the interface. Then, we have Network Address Translation ( NAT ) and NAT translation per context for shared interfaces—a less common approach.

Addressing scheme

The addressing scheme in each context is arbitrary when using shared or unique interfaces. Configure 10.0.0.0/8-address space in context A and context B. ASA does not use an IP address to classify the traffic; it uses the MAC address or the physical link. The problem is that the same addressing cannot be used if NAT is used for incoming packet classification. The recommended approach is unique interfaces, not NAT, for classification.

Routing between context

Like route-leaking VRFs, routing between contexts is accomplished by traffic hair-pinning in and out of the interface by pointing static routes to relevant next hops. Designs available to Cascade Contexts for shared firewalls; the default route from one context indicates the inside interface of another context.

Firewall context resource limitations

All security contexts share resources and belong to the default class, i.e., the control plane has no division. Therefore, no predefined limits are specified from one security context to another. However, problems may arise when one security context overwhelms others, consuming too many resources and denying connections to different contexts. In this case, security contexts are assigned to resource classes, and upper limits are set.

The default class has the following limitations:

Telnet sessions5 sessions
SSH sessions5 sessions
IPsec sessions5 sessions
MAC addresses5 sessions
VPN site-to-site tunnels0 sessions

Active/active failover:

Multi-context mode offers Active / Active fail-over per Context. Primary forwards are for one set of contexts, and secondary forwards are for another. Security contexts divide logically into failure groups, a maximum of two failure groups. There are never two active forwarding paths at the same time. One ASA is active for Context A. The second ASA is the standby for Context A. Reversed roles for Context B. 

So, in summary, multi-context mode offers active/active fail-over per context—the primary forwards for one context and the secondary for another. The security contexts divide logically into failure groups, with a maximum of two failure groups. There will always be one active forwarding path at a time. 

Guide: ASA Failover.

The following have two ASAs: ASA1 and ASA2. There is a failover link connecting the two firewalls. ASA1 is the primary, and ASA2 is the backup. ASA failover only occurs when there is an issue; in this case, the links from ASA1 to the switch were down, creating the failover event. Notice the protocol used between the ASA of SCPS from a packet capture.

ASA Failover

 

Summary: Context Firewall

In today’s digital age, ensuring the security and privacy of sensitive data has become increasingly crucial. One effective solution that has emerged is the context firewall. This blog post delved into context firewalls, their benefits, implementation, and how they can enhance data security in various domains.

Understanding Context Firewalls

Context firewalls serve as an advanced layer of protection against unauthorized access to sensitive data. Unlike traditional firewalls that filter traffic based on IP addresses or ports, context firewalls consider additional contextual information such as user identity, device type, location, and time of access. This context-aware approach allows for more granular control over data access, significantly reducing the risk of security breaches.

Benefits of Context Firewalls

Implementing a context firewall brings forth several benefits. Firstly, it enables organizations to enforce fine-grained access control policies, ensuring that only authorized users and devices can access specific data resources. Secondly, context firewalls enhance the overall visibility and monitoring capabilities, providing real-time insights into data access patterns and potential threats. Lastly, context firewalls facilitate compliance with industry regulations by offering more robust security measures.

Implementing a Context Firewall

The implementation of a context firewall involves several steps. First, organizations need to identify the context parameters relevant to their specific data environment. This includes factors such as user roles, device types, and location. Once the context parameters are defined, organizations can configure the firewall rules accordingly. Additionally, integrating the context firewall with existing infrastructure and security systems is essential for seamless operation.

Context Firewalls in Different Domains

The versatility of context firewalls allows them to be utilized across various domains. In the healthcare sector, context firewalls can restrict access to sensitive patient data based on factors such as user roles and location, ensuring compliance with privacy regulations like HIPAA. In the financial industry, context firewalls can help prevent fraudulent activities by implementing strict access controls based on user identity and transaction patterns.

Conclusion:

In conclusion, the implementation of a context firewall can significantly enhance data security in today’s digital landscape. By considering contextual information, organizations can strengthen access control, monitor data usage, and comply with industry regulations more effectively. As technology continues to advance, context firewalls will play a pivotal role in safeguarding sensitive information and mitigating security risks.