0:00:15
We are going to talk about the transparent firewall,

0:00:19
whereas the examples that we saw up to this point were using the routed firewall,

0:00:23
where the inside and the outside interfaces are on different subnets,

0:00:27
where in the case of the transparent firewall we are going to be bridging between interfaces.

0:00:32
We will take a look at some configuration

0:00:34
examples with the transparent firewall,

0:00:36
and we will also talk about some issues with Address Resolution Protocol

0:00:40
and the MAC address mappings

0:00:43
for the bridging table,

0:00:45
where the ASA can

0:00:47
do some special things for extra security on the layer 2 segment.
0:00:54
Now, again, the configurations we saw up to this point with the ASA were the routed firewall,

0:00:59
which means the interfaces are not only in different VLANs

0:01:03
but they are also in different subnets,

0:01:05
where we saw on the inside network we were using the subnet

0:01:08
10.0.125.0/24,

0:01:12
and on the outside we had a separate

0:01:14
public network, the 200.0.122.0/24.

0:01:19
So just like any normal routing device,

0:01:22
we are going to have the different segments separated into different layer 3 networks.

0:01:27
So it means the ASA, when it is actually moving traffic between the links,

0:01:31
has to use the routing table to do this.

0:01:35
So we are going to be doing layer 3 IP packet lookups

0:01:38
based on whatever the destination IP address is;

0:01:41
we are going to find the longest matched route

0:01:44
and then switch the traffic towards that interface.

0:01:47
So, a normal routing lookup, just like any other routing lookup, any other vendor's

0:01:52
routers are going to work.
0:01:54
Now in the case of the transparent firewall,

0:01:58
the interfaces are in the same subnet

0:02:01
but they are in different VLANs.

0:02:04
So the inside and the outside, they are still technically two separate broadcast domains, they are two different VLANs,

0:02:10
but now they are in the same subnet.

0:02:13
So this means that from a layer 3 routing point of view,

0:02:18
the devices on the inside

0:02:20
can be on the same routing adjacencies, or have the same routing adjacencies with devices on the outside.

0:02:25
So we don't need to do any subnetting

0:02:27
to split the layer 3 networks from inside to outside.

0:02:31
Now what this then implies

0:02:33
is the traffic is no longer going to be routed

0:02:36
through the firewall; it's going through a layer 2 bridge

0:02:39
based on the

0:02:40
CAM table or the MAC address table

0:02:42
of the ASA,

0:02:44
which is essentially now a transparent bridge.

0:02:48
So the same type of logic is how a regular layer 3 switch works,

0:02:52
where we're separating the different,

0:02:55
normally, collision domains between the ports,

0:02:58
but in this case, where the transparent firewall is separating the broadcast domains

0:03:02
and then bridging between the two interfaces,

0:03:06
so it's the same layer 3 network but two different layer 2 networks.
0:03:13
Now some of the limitations of this:

0:03:16
first and foremost is that it disables our ability to run the VPN feature set,

0:03:21
so we cannot run any IPSec LAN-to-LAN

0:03:24
VPNs, no IPSec remote access

0:03:26
or SSL remote access VPNs.

0:03:30
There is a very minor exception for this,

0:03:32
where the ASA can be configured for an IPSec tunnel for management,

0:03:38
if for some reason you didn't want to use SSH for the encryption of your

0:03:41
management traffic;

0:03:43
you could run this over

0:03:45
an IPSec tunnel.

0:03:48
Now additionally it's going to remove our ability to do dynamic routing,

0:03:54
because we are not routing the traffic between the interfaces, we are going to be doing layer 2 bridging based on the CAM table.

0:04:01
So only static routing is going to be supported;

0:04:04
typically you would only need a default route,

0:04:06
because the only reason the ASA is now running IP

0:04:10
is just for basic management access,

0:04:12
either through telnet or through SSH

0:04:15
or through the web interface with the ASDM.

0:04:19
Now the inspection engine with the Modular Policy Framework

0:04:23
is going to work exactly the same as it does in the routed mode.

0:04:27
So, we are going to watch the traffic as it

0:04:29
is moving from the high security interfaces to the low security interfaces,

0:04:34
then depending on what particular application inspection we are doing,

0:04:38
we are either going to permit or deny the traffic as it is trying to come back in

0:04:42
from the low security interfaces

0:04:44
to the high security interfaces.
0:04:50
Now there is a question here - "Brian, is there a separate

0:04:52
CAM table for each VLAN?"

0:04:56
- Yes and no. There is going to be

0:04:59
a separate MAC address association on a port basis,

0:05:04
but there are only going to be two segments, there is only going to be an

0:05:07
inside and an outside segment

0:05:09
when we are doing the transparent firewall.

0:05:11
So, you cannot have more than,

0:05:13
you cannot have 3 or more security zones.

0:05:17
So really the only thing that the ASA needs to do

0:05:20
is figure out what are the MAC addresses on the inside

0:05:23
and what are the MAC addresses on the outside.

0:05:27
So once we actually get to the configuration, we will look at the

0:05:30
CAM table or the actual MAC address associations

0:05:33
and figure out how

0:05:34
the ASA actually figures out where to switch the traffic towards.

0:05:41
Now we will see there are some key differences

0:05:43
in how the traffic forwarding policy works

0:05:47
in the transparent firewall

0:05:48
that is different from the routed firewall mode.
0:05:53
Now when we are moving traffic from the

0:05:55
inside to the outside,

0:05:57
which again is going to be our high security

0:05:59
interface to our low security interface,

0:06:03
we are going to be permitting

0:06:05
Address Resolution Protocol, or ARP,

0:06:07
between the segments, from inside to outside.

0:06:11
Normally ARP is not permitted,

0:06:14
because ARP is considered a link local protocol

0:06:17
that is only supposed to be switched

0:06:20
within a single broadcast domain, or within a single VLAN.

0:06:24
So when we're looking at two different routed segments, if a router has a serial interface

0:06:29
that's running frame relay and an ethernet interface,

0:06:33
the router is normally not going to pass the ARP packets

0:06:36
that are received on the ethernet out toward the frame relay,

0:06:39
because they are two different layer 2 domains, they are 2 different broadcast domains.

0:06:44
But in the case of the transparent firewall we are trying to bridge the two broadcast domains together,

0:06:50
because again the inside and the outside are going to be on the same IP subnet.

0:06:55
So this means that when someone on the inside

0:06:57
tries to figure out the MAC address to IP address mapping

0:07:01
with the Address Resolution Protocol,

0:07:03
the ASA needs to allow that through.

0:07:07
Now it's also going to support

0:07:10
passing of our layer 2 broadcasts,

0:07:13
where typically broadcasts are not passed between interfaces because they are in separate broadcast domains,

0:07:19
but again this is an exception because now we are doing layer 2 bridging

0:07:22
as opposed to layer 3 routing.

0:07:26
Now just like the regular routed firewall we are also going to permit our expected unicast,

0:07:32
which would be things like TCP and UDP traffic,

0:07:35
and then whatever the default inspection

0:07:38
classes are, based on the individual applications.

0:07:41
So for things like DNS and FTP we are still going to be doing our application layer inspection of those.
0:07:48
Now one key point that has changed

0:07:51
from the routed firewall to the transparent firewall

0:07:54
is that the vast majority of control plane protocols are going to be dropped,

0:08:00
and note that this is for the

0:08:02
inside

0:08:03
to the outside,

0:08:05
where normally outside to inside is dropped anyway, because we are going from lower security to high,

0:08:11
but in this case we are going from high to low, from inside to outside.

0:08:16
So protocols like OSPF, EIGRP,

0:08:20
CDP for layer 2

0:08:22
reachability information,

0:08:24
Protocol Independent Multicast for IPv4 for multicast routing,

0:08:28
these packets are going to be dropped as they are received

0:08:31
in on the out...

0:08:32
excuse me, in on the inside interface.

0:08:37
So what this means is that if we have two layer 3 devices, two routers,

0:08:42
that are on the inside and the outside of the ASA respectively,

0:08:46
and we are trying to run some sort of control plane routing

0:08:50
like an OSPF adjacency, or an EIGRP adjacency,

0:08:54
we are going to need to manually allow this

0:08:56
in on the inside.

0:09:00
Now you don't necessarily need to memorize exactly what is permitted and what is dropped,

0:09:04
because we can use an access list with its logging

0:09:07
or simply the debug logging on the ASA

0:09:10
to see exactly what type of traffic is being dropped

0:09:13
as it comes in on the inside interface.
0:09:19
Now for traffic that is moving from the outside to the inside,

0:09:24
which again would be our low security levels to our high security levels,

0:09:29
just like a normal routed firewall,

0:09:31
we are going to be permitting our return traffic flows

0:09:36
based on what was already inspected.

0:09:38
So if I have a telnet session or web browsing that's coming from the inside and going out,

0:09:44
I am going to allow the return traffic to go back in

0:09:47
because it's already hitting the inspection policy of the Modular Policy Framework.

0:09:52
Now again a key point to know here

0:09:55
is that since the control plane protocols are not being inspected

0:10:00
when they are moving from the inside to outside,

0:10:02
it means that likewise we would need to allow this inbound

0:10:06
with an access-list exception, so inbound on the inside interface and inbound on the outside interface.

0:10:14
So for anything else that is not a return

0:10:18
of an already inspected flow,

0:10:19
this is going to be dropped just like the normal low security

0:10:22
to high security traffic flows.

0:10:27
So for anything else other than normal

0:10:29
traffic that is being inspected,

0:10:31
we are going to need some exceptions with the access list,

0:10:34
so both from inside to outside as well as outside to inside.
0:10:40
Now additionally, if we are running any type of non-IP protocol,

0:10:44
like maybe IPv6 routing,

0:10:47
or using IS-IS, which is a CLNS transport

0:10:51
for IP routing,

0:10:52
or maybe some legacy protocols like NetBIOS or SNA,

0:10:56
we would need to manually allow this

0:10:59
by ?? on the layer 2

0:11:01
ethertype value.

0:11:04
So the ethertype value is the layer 2 protocol type code

0:11:09
that is used in the ethernet header to tell

0:11:11
the device what is the next layer 3

0:11:14
protocol in the

0:11:15
actual packet that is encapsulated.

0:11:18
So for example an IPv4 packet

0:11:22
is going to use the ethertype 0x800,

0:11:25
whereas IP version 4 ARP

0:11:27
uses the ethertype 0x806.

0:11:32
So I will take a look at some examples of using the ethertype ACLs

0:11:36
if we have a very specific type of non-IP traffic

0:11:39
that we do need to pass through the transparent firewall.
0:11:45
Now the configuration for the transparent firewall is fairly straightforward.

0:11:50
The first thing we need to do is to change the firewall from the routed mode

0:11:54
to the transparent mode,

0:11:55
and we do this in global config by issuing the firewall transparent command,

0:12:00
or to revert it back to routed mode we would say no firewall transparent.

0:12:05
Now you do need to be careful with this command,

0:12:08
because unlike switching between the

0:12:10
context modes,

0:12:12
so switching from single mode to multiple mode

0:12:15
or from multiple mode to single mode,

0:12:17
there is no confirmation

0:12:19
when switching between routed firewall and transparent firewall.

0:12:25
Now since the vast majority of configuration,

0:12:28
probably 95% or more,

0:12:30
is not supported in the transparent

0:12:32
mode that is supported in routed mode,

0:12:35
that means that when you change between these modes

0:12:38
the vast majority of the config is just going to be deleted.

0:12:42
So if you are working on a routed mode firewall and you accidentally issue firewall transparent,

0:12:47
you are going to break 90%

0:12:49
plus of the configuration.

0:12:51
So you want to make sure that you are already saving your config

0:12:55
often, so that if you accidentally do type this command

0:12:58
you can revert back to whatever backup of the configuration that you do have.

0:13:04
But otherwise, if you are going to use the transparent firewall mode,

0:13:08
you want to make sure that you issue this command first

0:13:11
before you make any other changes.

0:13:13
So if I assign names to the interfaces and

0:13:17
security levels and IP addresses,

0:13:19
as soon as I issue the firewall transparent command

0:13:21
it's going to undo all of these other options.
0:13:28
So once the firewall is in transparent mode,

0:13:31
we will then need to enable the physical links, so we will say no shutdown,

0:13:34
because they are in the administratively down state by default.

0:13:38
Then just like in routed mode we need to assign them names

0:13:42
with the nameif command, so what's the inside interface, what's the outside interface,

0:13:46
and then assign them the security levels.

0:13:50
Now keep in mind when we use the keyword nameif inside,

0:13:54
that's automatically going to give us security level 100,

0:13:58
or any other nameif, if we say nameif outside, nameif DMZ,

0:14:02
those are automatically going to be security level 0.

0:14:06
So you may not necessarily

0:14:08
need to actually issue the security-level command,

0:14:11
as long as the security level number is actually assigned on the interface,

0:14:15
and we could see that quickly if we were to just look at the

0:14:18
show run interface.

0:14:23
Then the last step, we would want to assign

0:14:25
an address for management,

0:14:28
assuming that we will want to access the ASA remotely either through

0:14:31
telnet or SSH or with ASDM.

0:14:34
This address is then going to be

0:14:35
in global configuration,

0:14:39
so it is not bound to an individual link;

0:14:42
it's kind of like a logical VLAN interface that you see on a Catalyst switch,

0:14:47
where it's being applied

0:14:49
to all of the different

0:14:50
broadcast domains, so all of the different layer 2 segments.
0:14:55
Now for the actual management traffic we will then still need to go a step further

0:14:59
and actually tell the ASA

0:15:01
where we are going to allow telnet

0:15:02
from, or where we are going to allow SSH from,

0:15:05
since it does not allow remote access

0:15:08
for management automatically.

0:15:11
Now in the case that your platform also has a dedicated management interface,

0:15:16
which is essentially any of the platforms 5510 or above,

0:15:20
you can use an interface that is inside,

0:15:23
an interface that is outside,

0:15:25
and then the dedicated management interface

0:15:28
for access to the management IP.

0:15:32
We cannot use more than two interfaces

0:15:34
for reaching the ??;

0:15:36
it has to be just the inside and the outside.
0:15:42
Now in addition to supporting just the normal bridging between the interfaces,

0:15:46
as of release 8.0(2)

0:15:49
Network Address Translation is also

0:15:51
supported in the transparent firewall mode.

0:15:55
Now this is going to be a little bit different than it is in routed mode,

0:15:59
because remember that the inside

0:16:02
and the outside devices are now going to be on the same IP subnet.

0:16:07
So if we were using the transparent firewall

0:16:10
as the last hop device between our router

0:16:13
and then our ISP,

0:16:14
the router and the provider edge router,

0:16:17
so whatever the default gateway is, those are going to be on the same IP subnet.

0:16:21
So the transparent firewall is not routing between the segments.

0:16:25
So, if we from our edge router

0:16:28
wanted to do Network Address Translation, or in the case of the ASA do the Network Address Translation,

0:16:34
if we are translating to a pool

0:16:36
that is not the subnet

0:16:39
that is actually between

0:16:41
the inside and the outside interface,

0:16:44
then the ASA is going to need to know how do I actually route to get there,

0:16:49
because it's not going to know based on just the CAM table

0:16:52
where the MAC addresses that are associated with that particular address range are,

0:16:57
so are they on the inside interface or are they on the outside interface.

0:17:01
So even though we are technically not routing the traffic,

0:17:05
we would need to tell it where is this particular pool

0:17:08
existing, is it on the inside or on the outside.

0:17:11
Now for translating to the same subnet that

0:17:14
is already there, on the inside and the outside,

0:17:17
then we don't have to worry about this;

0:17:19
it's only when we are translating to a different pool

0:17:23
that's not the same as the addresses already assigned.
0:17:28
Now the next segment we would need to potentially worry about here

0:17:31
is for any type of layer 2 ARP

0:17:34
spoofing attack

0:17:36
that the firewall could then be vulnerable to.

0:17:40
Now as I mentioned, in transparent firewall mode

0:17:43
we are going to be forwarding all ARP requests,

0:17:45
so this is ARP from the inside out

0:17:48
and from the outside in,

0:17:51
because the layer 3 routing devices, they need to resolve each other's IP addresses

0:17:55
to the layer 2 MAC addresses.

0:17:58
So the ASA has to allow inside out and outside in.

0:18:02
Now the problem with this

0:18:04
is that there are certain types of network attacks

0:18:07
where you can impersonate someone else's MAC addresses

0:18:11
on the link;

0:18:12
that's known as an ARP spoofing attack.

0:18:16
Now we will get into this in more detail when we get into the network attack session,

0:18:20
section,

0:18:21
but this is related to what is known as a layer 2 'man in the middle' attack

0:18:26
that would be trying to get traffic to redirect

0:18:29
to somewhere that is not the legitimate destination,

0:18:33
where there is some sort of attacker between the inside and the outside;

0:18:36
they are trying to redirect all the traffic to them first

0:18:39
so either they can drop it, just like a basic layer 2 denial of service attack,

0:18:43
or generally to sniff the traffic

0:18:46
to see passwords or whatever other information is in the actual packet payload.
0:18:52
Now in order to prevent this,

0:18:55
the transparent firewall supports something that's known as the ARP inspection process.

0:18:59
Now ARP inspection

0:19:02
essentially is going to have static IP address

0:19:05
to MAC address mappings,

0:19:08
so in other words just static ARP entries,

0:19:10
that are going to be checked

0:19:11
as the ARP packets are received on the inside going out

0:19:15
or from the outside coming back in.

0:19:19
Now if there is a match

0:19:20
for the MAC address that is in the static mapping

0:19:24
but the IP address is wrong,

0:19:26
or the other way round, the IP address is matched but the MAC address is wrong,

0:19:30
we are going to drop that ARP request or that ARP reply.

0:19:35
Now if there is not a match,

0:19:38
we can manually tell it to

0:19:40
drop that ARP request or to forward it,

0:19:42
depending on how restrictive we want to be on the segment.

0:19:47
We will take a look at some examples of it

0:19:50
when the ARP inspection is working,

0:19:52
then we will change the MAC addresses of the devices on the segment,

0:19:56
we will see how it violates

0:19:58
the ARP inspection,

0:20:00
then we can choose whether we are going to allow the traffic to go through or drop the packet.
0:20:07
So the configuration for this ARP spoofing is fairly straightforward;

0:20:11
we would just specify on what particular interface

0:20:14
does that IP address and MAC address pairing exist,

0:20:18
where in this case we are saying on the inside interface

0:20:21
the IP address 1.2.3.4

0:20:24
should resolve to the MAC address

0:20:26
1123456789abc.

0:20:31
Then we can choose, when ARP inspection is on,

0:20:34
do we either want to flood the unknown matches,

0:20:38
so the ones that do not match the static

0:20:40
entries that we configure,

0:20:42
or do we not want to flood them,

0:20:45
which is essentially running secure ARP.

0:20:48
So if we said ARP inspection inside enable no flood,

0:20:52
it means it's only going to allow

0:20:54
hosts that have our MAC address

0:20:57
and IP address associations

0:20:59
to be resolved on the link.

0:21:04
Now again this is not

0:21:05
for the actual traffic forwarding;

0:21:08
this is just for the Address Resolution Protocol request.

0:21:12
So it technically does not

0:21:14
stop someone from doing a

0:21:16
layer 2 spoofing of the MAC address;

0:21:19
it simply stops them from doing an ARP packet,

0:21:24
so it's known as an unsolicited reply, or ?? ?? ARP,

0:21:29
that is used to poison someone's ARP cache on the link;

0:21:32
that's what this is trying to prevent.
0:21:35
Now, there is a separate problem

0:21:37
that can exist on these layer 2 segments

0:21:39
that's related to the

0:21:42
actual transit of the MAC addresses,

0:21:44
not the resolution of the IP addresses to the MAC addresses.

0:21:50
Now normally when we are running in transparent mode,

0:21:53
the ASA is going to learn the MAC addresses like a normal transparent bridge,

0:21:57
so like your Catalyst switches, as a packet comes in,

0:22:01
if it does not know the destination MAC address,

0:22:04
it's going to flood it out all other ports that are in that broadcast domain.

0:22:09
Now in the case of the ASA there are only two links on the transparent firewall, there is inside and there is outside,

0:22:15
so if a packet comes in on the inside

0:22:18
and the ASA does not know the destination MAC address,

0:22:22
it's going to flood it on the outside link.

0:22:25
Then if a packet comes in on the outside

0:22:28
and our ACL exceptions say it's allowed to go in,

0:22:32
if we don't know the destination MAC address we are going to have to flood that.
0:22:38
Now again one of the potential problems with this

0:22:41
is that the flooding of the MAC addresses

0:22:43
and the fact that the CAM table or the MAC address table is dynamic by nature

0:22:48
leaves it open to a layer 2 spoofing attack.

0:22:52
So the ASA has no way to guarantee

0:22:54
that this IP address and this MAC address association is actually legitimate,

0:22:58
where this MAC address is really supposed to be on the inside

0:23:01
versus being on the outside.

0:23:05
So, in order to prevent against this type of attack,

0:23:08
we can disable the MAC address learning process and we can essentially just replace this

0:23:13
with static CAM entries or static MAC address table entries

0:23:17
that are going to help to prevent any type of unauthorised hosts on this segment.

0:23:23
So if I know for example that I only have one router on the inside and one router on the outside,

0:23:30
if I were to put static MAC address entries

0:23:33
for the inside router on the inside interface

0:23:36
and the outside router on the outside interface,

0:23:39
that would implicitly deny

0:23:42
any other host from sending traffic from inside out or from outside in,

0:23:47
because we are stopping the ability of the CAM table to learn MAC addresses dynamically.

0:23:53
It's basically the same as doing static routing for layer 3,

0:23:57
but we are doing static bridging based on the MAC addresses.

0:24:03
So the configuration for this is simply going to specify

0:24:07
what is the MAC address that's supposed to be in the CAM table

0:24:11
and where is this located, is it on the inside interface or the outside interface;

0:24:15
then we could tell the ASA to disable

0:24:18
that dynamic learning of addresses either on the inside or the outside.

0:24:23
So the first step is going to prevent any type of

0:24:26
layer 2 spoofing attack against the MAC addresses;

0:24:29
the second step would prevent any unauthorized

0:24:32
layer 2 host from being on that link.