Highlighting the firewall

A firewall is a hardware or software, aka virtual firewalls filtering device, that implements a network security policy and protects the network against external attacks. A packet is a unit of information routed between one point and another over the network. The packet header contains a wealth of data such as source, type, size, origin, and destination address information. As the firewall acts as a filtering device, it watches for traffic that fails to comply with the rules by examining the contents of the packet header.

Firewalls can concentrate on the packet header, the packet payload, or both, and possibly other assets, depending on the firewall types. Most firewalls focus on only one of these. The most common filtering focus is on the packet’s header, with a packet’s payload a close second. The following diagram shows the two main firewall categories stateless and stateful firewalls.

• Stateful Firewall:

A stateful firewall is a type of firewall technology that is used to help protect network security. It works by keeping track of the state of network connections and allowing or denying traffic based on predetermined rules. Stateful firewalls inspect incoming and outgoing data packets and can detect malicious traffic. They can also learn which traffic is regular for a particular environment and block any traffic that does not conform to expected patterns.

• Stateless Firewall

A stateless firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It does this without keeping any record or “state” of past or current network connections. Controlling traffic based on source and destination IP addresses, ports, and protocols can also prevent unauthorized access to the network.

Stateful vs. Stateless Firewall

**Stateful Firewall**

A stateful firewall, also known as a dynamic packet filtering firewall, operates at the OSI model’s network layer (Layer 3). Unlike stateless firewalls, which inspect individual packets in isolation, stateful firewalls maintain knowledge of the connection state and context of network traffic. This means that stateful firewalls make decisions based on the characteristics of individual packets and the history of previous packets exchanged within a session.

How Stateful Firewalls Work:

Stateful firewalls keep track of the state of network connections by creating a state table, also known as a stateful inspection table. This table stores information about established connections, including the source and destination IP addresses, port numbers, sequence numbers, and other relevant data. By comparing incoming packets against the information in the state table, stateful firewalls can determine whether a packet is part of an established session or a new connection attempt.

Advantages of Stateful Firewalls:

1. Enhanced Security: Stateful firewalls offer a higher level of security by understanding the context and state of network traffic. This enables them to detect and block suspicious or unauthorized activities more effectively.

2. Better Performance: By maintaining a state table, stateful firewalls can quickly process packets without inspecting each packet individually. This results in improved network performance and reduced latency compared to stateless firewalls.

3. Granular Control: Stateful firewalls provide administrators with fine-grained control over network traffic by allowing them to define rules based on network states, such as allowing or blocking specific types of connections.

**Stateless Firewall**

In contrast to stateful firewalls, stateless firewalls, also known as packet filtering firewalls, operate at the network and transport layers (Layers 3 and 4). These firewalls examine individual packets based on predefined rules and criteria without considering the context or history of the network connections.

How Stateless Firewalls Work:

Stateless firewalls analyze incoming packets based on criteria such as source and destination IP addresses, port numbers, and protocol types. Each packet is evaluated independently, without referencing the packets before or after. If a packet matches a rule in the firewall’s rule set, it is allowed or denied based on the specified action.

Advantages of Stateless Firewalls:

1. Simplicity: Stateless firewalls are relatively simple in design and operation, making them easy to configure and manage.

2. Speed: Stateless firewalls can process packets quickly since they do not require the overhead of maintaining a state table or inspecting packet history.

3. Scalability: Stateless firewalls are highly scalable as they do not store any connection-related information. This allows them to handle high traffic volumes efficiently.

**Next-generation Firewalls**

Next-generation firewalls (NGFWs) would carry out the most intelligent filtering. They are a type of advanced cybersecurity solution designed to protect networks and systems from malicious threats.

They are designed to provide an extra layer of protection beyond traditional firewalls by incorporating features such as deep packet inspection, application control, intrusion prevention, and malware protection. NGFWs can conduct deep packet inspections to analyze network traffic contents and observe traffic patterns.

This feature allows NGFWs to detect and block malicious packets, preventing them from entering the system and causing harm. The following diagram shows the different ways a firewall can be deployed. The focus of this post will be on multi-context mode. An example would be the Cisco Secure Firewall.

Guide: ASA Basics.

In the following lab guide, you can see we have an ASA working in routed mode. In routed mode, the ASA is considered a router hop in the network. Each interface that you want to route between is on a different subnet. You can share Layer 3 interfaces between contexts.

Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. On the other hand, a transparent firewall is a Layer 2 firewall that acts like a “bump in the wire” or a “stealth firewall” and is not seen as a router hop to connected devices. 

The ASA considers the state of a packet when deciding to permit or deny the traffic. One enforced parameter for the flow is that traffic enters and exits the same interface. The ASA drops any traffic for an existing flow that enters a different interface. Take note of the command: same-security-traffic permit inter-interface.

Multi-Context Firewall Types

Contexts are generally helpful when different security policies are applied to traffic flows. For example, the firewall might protect multiple customers or departments in the same organization. Other virtualization technologies, such as VLANs or VRFs, are expected to be used alongside the firewall contexts; however, the firewall contexts have significant differences from the VRFs seen in the IOS routers.

**Context Configuration Files**

For each context, the ASA includes a configuration that identifies the security policy, interfaces, and settings that can be configured. Context configurations can be stored in flash memory or downloaded from a TFTP, FTP, or HTTP(S) server.

**System configuration**

A system administrator configures the configuration location, interfaces, and other operating parameters of contexts in the system configuration to add and manage contexts. The startup configuration looks like this. Basic ASA settings are identified in the system configuration. There are no network interfaces or settings in the system configuration; when the system needs to access network resources (such as downloading contexts from the server), it uses an admin context. The system configuration has only a specialized failover interface for failover traffic.

**Admin context configuration**

Admin contexts are no different from other contexts. Users who log into the admin context have administrator rights and can access all contexts and the system. No restrictions are associated with the admin context, which can be used just like any other context. However, you may need to restrict access to the admin context to appropriate users because logging into the admin context grants administrator privileges over all contexts.

Flash memory must contain the admin context, not remote storage. When you switch from single to multiple modes, the admin context is configured in an internal flash memory file called admin.cfg. You can change the admin context if you do not wish to use admin.cfg as the admin context.

Steps: Turning a firewall into multiple context mode:

To turn the firewall to the multiple contexts mode, you should enter the global command mode multiple when logged in via the console port (you may do this remotely, converting the existing running configuration into the so-called admin context, but you risk losing connection to the box); this will force the mode change and reload the appliance.

If you connect to the appliance on the console port, you are logging in to the system context; the sole purpose of this context is to define other contexts and allocate resources to them. 

Your first action step should be to define the admin context; this special context allows logging into the firewall remotely (via ssh, telnet, or HTTPS). This context should be configured first because the firewall won’t let you create other contexts before designating the admin context using the global command admin-context <name>.

Then you can define additional contexts if needed using the command context <name> and allocate physical interfaces to the contexts using the context-level command allocate-interface <physical-interface> [<logical-name>].

Each firewall context is assigned.

The multi-context mode has many security contexts acting independently. Sharing multiple contexts with a single interface confuses determining which context to send packets to. ASA must associate inbound traffic with the correct context. Three options exist for classifying incoming packets.

The Basics of ASA Packet Classification

ASA packet classification is the process of categorizing network packets based on various criteria. These criteria include source and destination IP addresses, port numbers, protocol types, and more. By classifying packets, the ASA firewall can make informed decisions on how to handle them, whether it’s allowing or denying their passage.

1- Access Control Lists (ACLs)

ACLs are a fundamental tool for ASA packet classification. They provide a granular level of control over network traffic by defining rules that determine whether packets should be permitted or denied. ACLs are typically configured based on specific criteria such as IP addresses, port numbers, and protocols. Understanding how to create and optimize ACLs is crucial for effective packet classification.

2- Modular Policy Framework (MPF)

MPF takes packet classification to the next level by introducing a more flexible and sophisticated approach. It allows administrators to define policies that can encompass multiple ACLs and apply them to different interfaces or traffic flows. With MPF, packet classification becomes more dynamic and adaptable, enabling better network management and security.

3- Advanced Packet Classification Techniques

Beyond the basics, ASA offers advanced packet classification techniques that enhance network performance and security. These techniques include packet inspection, deep packet inspection (DPI), and application layer protocol inspection. By analyzing packet payloads and application-layer data, ASA can make more intelligent decisions, leading to improved network efficiency and threat prevention.

4- ASA Packet Classification: Mulit-Context

Packets are also classified differently in multi-context firewalls. For example, in multimode configuration, interfaces can be shared between contexts. Therefore, the ASA must distinguish which packets must be sent to each context.

The ASA categorizes packets based on three criteria:

1. Unique interfaces – 1:1 pairing with a physical link or sub-interfaces (VLAN tags)
2. Unique MAC addresses – shared interfaces are assigned Unique Virtual Mac addresses per virtual context to alleviate routing issues, which complicates firewall management
3. NAT configuration: If unique MAC addresses are disabled, the ASA uses the mapped addresses in the NAT configuration to classify packets.

Starting with Point 1, the following figure shows multiple contexts sharing an outside interface. The classifier assigns the packet to Context B because Context B includes the MAC address to which the router sends the packet.

Firewall context interface details

Unique Interfaces are self-explanatory: there should be unique interfaces for each security context, for example, GE 0/0.1 Admin Context, GE 0/0.2 Context A, and GE 0/0.3 Context B. Unique interfaces are best practices, but you also need unique routing and IP addressing. This is because each VLAN has its subnet. Transparent firewalls must use unique interfaces.

With Shared Interfaces, contexts MAC addresses classify packets so upstream and downstream routers can send packets to that context. Every security context that shares an interface requires a unique MAC address.

It can be auto-generated ( default behavior ) or manually configured. Manual MAC address assignments take precedence. We share the same outside interface with numerous contexts but have a unique MAC address per context. Use the mac-address auto command under the system context or enter the manual under the interface. Then, we have Network Address Translation ( NAT ) and NAT translation per context for shared interfaces—a less common approach.

Addressing scheme

The addressing scheme in each context is arbitrary when using shared or unique interfaces. Configure 10.0.0.0/8-address space in context A and context B. ASA does not use an IP address to classify the traffic; it uses the MAC address or the physical link. The problem is that the same addressing cannot be used if NAT is used for incoming packet classification. The recommended approach is unique interfaces, not NAT, for classification.

Routing between context

Like route-leaking VRFs, routing between contexts is accomplished by traffic hair-pinning in and out of the interface by pointing static routes to relevant next hops. Designs available to Cascade Contexts for shared firewalls; the default route from one context indicates the inside interface of another context.

Firewall context resource limitations

All security contexts share resources and belong to the default class, i.e., the control plane has no division. Therefore, no predefined limits are specified from one security context to another. However, problems may arise when one security context overwhelms others, consuming too many resources and denying connections to different contexts. In this case, security contexts are assigned to resource classes, and upper limits are set.

The default class has the following limitations:

Active/active failover:

Multi-context mode offers Active / Active fail-over per Context. Primary forwards are for one set of contexts, and secondary forwards are for another. Security contexts divide logically into failure groups, a maximum of two failure groups. There are never two active forwarding paths at the same time. One ASA is active for Context A. The second ASA is the standby for Context A. Reversed roles for Context B. 

So, in summary, multi-context mode offers active/active fail-over per context—the primary forwards for one context and the secondary for another. The security contexts divide logically into failure groups, with a maximum of two failure groups. There will always be one active forwarding path at a time. 

Guide: ASA Failover.

The following have two ASAs: ASA1 and ASA2. There is a failover link connecting the two firewalls. ASA1 is the primary, and ASA2 is the backup. ASA failover only occurs when there is an issue; in this case, the links from ASA1 to the switch were down, creating the failover event. Notice the protocol used between the ASA of SCPS from a packet capture.

Closing Points: Context Firewalling

Context firewalling is a modern approach to network security that goes beyond traditional firewall mechanisms. Unlike conventional firewalls that rely primarily on static rules, context firewalling incorporates dynamic context into its decision-making process. This means that it considers various factors such as user identity, device type, location, and behavior patterns to determine whether to allow or block network traffic. By integrating these contextual elements, context firewalling provides a more nuanced and adaptive security solution.

At its core, context firewalling functions by continuously analyzing the environment in which network requests are made. It employs advanced algorithms and machine learning techniques to assess the legitimacy of each request based on its context. For example, if a user attempts to access sensitive data from an unusual location or device, the context firewalling system can flag this activity as suspicious and take appropriate action. This dynamic evaluation process helps in identifying and mitigating potential threats in real time, thereby enhancing overall security.

One of the primary advantages of context firewalling is its ability to adapt to changing scenarios. Traditional firewalls operate on pre-defined rules, which can become obsolete as new threats emerge. In contrast, context firewalling evolves alongside the digital landscape, offering a proactive defense mechanism. Additionally, by leveraging context, organizations can reduce the likelihood of false positives, allowing legitimate traffic while blocking malicious attempts more accurately.

Context firewalling is particularly beneficial in environments where security must be highly adaptive and responsive. Industries such as finance, healthcare, and e-commerce, which handle sensitive data and are frequently targeted by cyberattacks, can greatly benefit from this approach. By implementing context firewalling, these sectors can ensure that only authorized users and devices can access critical resources, minimizing the risk of data breaches and unauthorized access.