Leveraging Cisco ASA: Modular Policy Framework

The Cisco ASA security appliance integrates a firewall, antivirus software, intrusion detection, and a virtual private network (VPN) into a single unit. It allows for proactive threat defense, preventing attacks from propagating over the network.

⭐ Cisco ASA Modular Policy Framework 👇

When establishing network and security policies with the Cisco ASA appliance, the Modular Policy Framework offers more flexibility and granularity. For instance, the MPF method may be used to apply TCP connection limitations to particular traffic flows, apply Quality of Service (prioritization) for voice traffic, apply rate-limiting to certain remote access VPN connections, apply deep packet (Layer 7) inspection to certain traffic flows, etc.

Fig 1.1 - Cisco ASA: Modular Policy Framework

The process of establishing MPF involves first utilizing a Class-Map to identify the traffic (traffic matching), then a Policy-Map to apply actions to the matched traffic, and lastly a Service-Policy to activate the entire policy on an interface or globally.

⭐ Step 1: Class Map📜

Class Map: The class-map is used to identify a traffic flow on which we want to apply policies. You may create two different kinds of class maps: Layer 3/4 and Layer 7. This chapter will discuss just Layer 3 and Layer 4 class maps. 

This type of class map matches traffic using IP addresses, protocols, ports, and other Layer 3/4 attributes of the communication flow. A Layer 7 class map, on the other hand, matches traffic based on the characteristics of the application itself.

⭐ Step 2: Policy Map📜

Policy-Map: After a Class-Map determines the traffic flow, a Policy-Map is used to apply specific actions (or policies) to the specified class of traffic. 

A policy-map could be used, for example, to limit the maximum number of TCP connections to a web server on the DMZ to a specified amount. Another example is giving voice packets between two locations high priority. An administrator can construct a Layer 3/4 Policy-Map or a Layer 7 Policy-Map, just as he or she can create either kind of Class-Map.

⭐ Step 3: Service Policy📜

Service-Policy: On an interface or throughout the appliance, the defined policy framework is applied using the Service-Policy component. One Service-Policy is supported globally and by each interface on the Cisco ASA appliance.
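As an added, end-to-end example of the three steps above (not configuration from the original post), the following ASA CLI limits the number of TCP connections that outside hosts can open to a DMZ web server. The object, ACL, class-map and policy-map names and the 10.1.1.10 address are constructed for this illustration; the commands themselves are standard ASA MPF syntax.

```cisco
! Added example: limit TCP connections to a DMZ web server with MPF.
! Names and the 10.1.1.10 address are constructed for this illustration.

! Step 1 - Class-Map: identify the traffic (Layer 3/4 match on an ACL)
object network DMZ_WEB_SERVER
 host 10.1.1.10
access-list DMZ_WEB_HTTP extended permit tcp any object DMZ_WEB_SERVER eq www
class-map CM_DMZ_WEB
 match access-list DMZ_WEB_HTTP

! Step 2 - Policy-Map: apply actions to the matched class.
! conn-max / embryonic-conn-max cap total and half-open connections to the
! server; the per-client limits stop a single source from using the whole
! budget. Idle TCP sessions are torn down after 10 minutes.
policy-map PM_OUTSIDE
 class CM_DMZ_WEB
  set connection conn-max 1000 embryonic-conn-max 200 per-client-max 50 per-client-embryonic-max 10
  set connection timeout idle 0:10:00

! Step 3 - Service-Policy: activate the policy on the outside interface
! (one policy per interface, in addition to the single global policy)
service-policy PM_OUTSIDE interface outside

! Verification: per-class counters, including connections dropped by the limits
show service-policy interface outside
```

The embryonic (half-open) limit is the part that matters for SYN-flood resilience: once it is reached the ASA proxies the TCP handshake for new connections and only passes a session to the server after the client has completed it, while "show service-policy" shows how many connections each limit has rejected.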

Fig 1.2 - Leveraging Cisco ASA: Modular Policy Framework

⭐ Default Settings on ASA Appliance🔄

A class-map that matches "default-inspection-traffic" is preconfigured on an out-of-the-box Cisco ASA appliance. The "show run class-map" command lets you see this default class-map in the configuration.

The special keyword "default-inspection-traffic" matches a set of default applications and protocols on their standard ports.

CiscoASA_NDNA(config)# show run class-map
CiscoASA_NDNA(config)# show run policy-map

Some of the default applications, and the ports the Cisco ASA appliance matches them on when you run the class-map or policy-map, are listed below.

Fig 1.3 - Leveraging Cisco ASA: Default Applications and Ports

The Cisco ASA inspects the majority of the applications and protocols listed above in its default configuration. For instance, a control connection on port 21 and a data connection on port 20 are used during an FTP session between an FTP client and server that passes through the Cisco ASA.

Since the return FTP data traffic arrives on port 20, while the original connection was made on port 21, a stateful firewall would normally not allow such a communication to get through.

The Cisco ASA examines the FTP traffic using the "default-inspection-traffic" class and the "inspect" command under the global policy map, so that both the control and the data connection flows pass through without any issues.
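As an added illustration (not output captured from the page's appliance; the exact list of inspect lines varies between ASA software versions), this is the shape of the default class-map and global policy that enable FTP inspection, followed by the commands used to verify that the inspection is active and that the port-20 data connection was opened by it:

```cisco
! Added example: default-inspection class and global policy (illustrative;
! the full set of inspect lines differs between ASA software versions)
class-map inspection_default
 match default-inspection-traffic

! The global policy applies application inspection to the default class.
! Other default inspections (dns, h323, sip, ...) are omitted here.
policy-map global_policy
 class inspection_default
  inspect ftp

! One global service-policy is supported on the appliance
service-policy global_policy global

! Verify that FTP inspection is applied and see packet counters for it
show service-policy global
show service-policy inspect ftp

! Confirm the data connection (port 20) exists in the connection table
show conn protocol tcp port 20
```

The FTP inspection engine reads the PORT and PASV exchange on the port-21 control channel and dynamically permits the matching port-20 data connection, which is why no separate access-list entry for port 20 is needed; if "show service-policy inspect ftp" shows zero packets while FTP is failing, the traffic is not hitting the class and the policy, not the protocol, is the first thing to check.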
