Hyper-V ConceptsIt's time to get familiar with Hyper-V Virtualization, virtual servers, virtual switches, virtual CPUs, virtual deployment infrastructure (VDI) and more.
Cisco’s Adaptive Security Appliance (ASA) Firewalls are one of the most popular and proven security solutions in the industry. Since the introduction of the PIX and ASA Firewall into the market, Cisco has been continuously expanding its firewall security features and intrusion detection/prevention capabilities to adapt to the evolving security threats while integrating with other mission-critical technologies to protect corporate networks and data centers.
In recent years, we’ve seen Cisco tightly integrate separate security technologies such as Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) within the ASA Firewall appliances in the form of hardware module add-ons (older 5500 series & newer 5500-X series) and, recently, software modules supported only by the newer ASA 5500-X series security appliances.
With the addition of the software or hardware module, customers are able to increase the firewall’s security and protection capabilities while at the same time simplifing security management and administration by dealing with a single firewall device instead of multiple firewall, IPS or IDS devices.
While this article covers the hardware modules available for the Cisco ASA 5500 Firewall series, upcoming articles will cover both software and hardware modules along with Cisco FirePOWER & FireSIGHT management services for the newer ASA 5500-X series.
Note: The Cisco ASA 5500 series hardware modules for ASA-5505, ASA 5510, ASA 5520 & ASA 5540 have been announced as End-of-Sale & End-of-Life. Modules below are no longer sold by Cisco, however, they will be fully supported until 30th of September 2018.
The ASA 5500 series Firewalls (ASA-5505, ASA 5510, ASA 5520, ASA 5540 etc) were the first security appliances with the capability to integrate hardware modules for enhanced security and threat protection.
To help target different markets and security requirements, Cisco split its hardware module offerings into two distinct categories:
Each hardware module card is equipped with its own CPU, RAM and Flash storage space, running a separate operating system that integrates with the ASA Firewall via its internal network ports.
Let’s take a brief look at each category.
The Content Security and Control Security Services module aims to cover corporate environments where comprehensive malware, advanced content filtering (including Web Caching, URL filtering, anti-phishing), and anti-spam filtering is required. This all-in-one hardware module solution is capable of providing a wealth of security and control capabilities essential for all size networks.
Following are the hardware modules supporting Content Security and Control Security Services:
The new Hyper-V virtualization features offered by Windows Server 2016 are planning to make major changes in the virtualization market. From Nested Hyper-V, revolutionary security, new management options to service availability, storage and more.
Learn all about the new hot virtualization features offered by Windows Server 2016 by attending the free webinar hosted by Altaro and presented by two Microsoft Cloud and Datacenter Managerment MVP’s Andy Syrewicze and Aidan Finn.
It’s a reality – Australia now has its own Official Cisco Data Center User Group (DCUG) and it’s growing fast! Originally inspired by Cisco Champions Chris Partsenidis and Derek Hennessy, the idea was fully backed by Cisco Systems as they happened to be looking to start up something similar on a global scale.
The idea was born in the morning hours of the 18th of March 2016 over a hot cup of coffee when Chris Partsenidis and Derek Hennessy met for the first time, after Cisco’s Live! in Melbourne Australia. Both Chris and Derek agreed that it was time to create a friendly professional Cisco community group that would gather Cisco professionals and encourage users to share knowledge and experience.
The proposal was sent to Lauren Friedman at Cisco Systems, who just happened to be working on a similar concept on a global scale. Lauren loved the idea and, with her help, Australia got its first official Cisco Data Center User Group!
Becoming part of the Melbourne Cisco Data Center User Group is absolutely free and, by joining, you’ll be part of Australia’s first official Cisco user group, which is currently the largest in the world!
The user group will catch up on the first Tuesday of every month at the The Crafty Squire at 127 Russell Street in Melbourne CBD. We’ll be located upstairs in Porter Place. Our first meeting will be on Tuesday June 7th 2016 and all meetings will take place between 17:30 and 19:30.
For the duration of the meeting, we’ll have free beer for all registered members, food and if we are lucky – free Cisco beer mugs! The mugs are actually on their way from the USA and we are hoping to have them in time before the meeting otherwise we’ll be handing them out during the following meeting.
Figure 1. The Porter Place - Crafty Squire
For more details about our regular meet ups and join our community, head over to the Cisco Data Center User Group page on Meetup.com.
We're really excited to start building a Data Center community in Melbourne so come along and join us!
Vendor Session: Infrastructure as Code and DevOps
Speaker: Chris Gascoigne - Technical Solutions Architect, Cisco Systems Melbourne, Australia
Chris Gascoigne is a Technical Solutions Architect with Cisco Systems working in the Australia/New Zealand Data Centre team. Chris has been with Cisco for nine years and specialises in Application Centric Infrastructure.
Community Session: GNS3 Connectivity
Speaker: Will Robinson - Senior Systems Engineer, Cube Networks
Will Robinson is a Senior Systems Engineer with Cube Networks and has extensive networking and data center experience. Will is an active community member and is the only Australian member of the NetAppATeam group.
Our previous article examined the benefits of Palo Alto Networks Firewall Single Pass Parallel Processing (SP3) architecture and how its combine with the separate Data and Control planes to boost firewall performance and handle large amounts of traffic without and performance impact. This article focuses on the traffic flow logic inside the Palo Alto Firewall and two unique features that separate it from the competition: Application-based policy enforcement (App-ID) & User Identification (User-ID).
For more Technical articles on Palo Alto Networks Firewalls, visit our Palo Alto Networks Firewall Section
The diagram below is a simplified version of the flow logic of a packet travelling through a Palo Alto Networks Next-Generation Firewall and this can be always used a reference to study the packet processing sequence:
Figure 1. Flow Logic of a packet inside the Palo Alto Networks Next Generation Firewall
Palo Alto Networks Next-Generation Firewalls works with the concepts of zones not interfaces, once a packet enters the firewall, the Palo Alto Networks Next-Generation Firewalls identifies from which zone the packet came and where it is destined to go. This is similar to Cisco IOS Routers Zone-based Firewalls and Cisco ASA Firewalls.
Users interested can also download for free the Palo Alto Networks document “Day in the Life of a Packet” found in our Palo Alto Networks Download section which explains in great detail the packet flow sequence inside the Palo Alto Networks Firewall.
App-ID and User-ID are two really interesting features not found on most competitors’ firewalls and really help set Palo Alto Networks apart from the competition. Let’s take a look at what App-ID and User-ID are and how they help protect the enterprise network.
App-ID is the biggest asset of Palo Alto Networks Next-Generation Firewalls. Traditional firewalls block traffic based on protocol and/or ports, which years ago seemed to be the best way of securing the network perimeter, however this approach today is inadequate as applications (including SSL VPNs) can easily bypass a port-based firewall by hopping between ports or using well-known open ports such as tcp-http (80) or tcp/udp-dns (53) normally found open.
A traditional firewall that allows the usage of TCP/UDP port 53 for DNS lookups, will allow any application using that port to pass through without asking second questions. This means that any application can use port 53 to send/receive traffic, including evasive applications like BitTorrent for P2P file sharing, which is quite dangerous:
Figure 2. Palo Alto Network’s App-ID effectively blocks unwanted BitTorrent traffic
With App-ID, Palo Alto Networks Next-Generation Firewalls uses multiple identification mechanisms to determine the exact identity of applications traversing the network. Following is the order in which traffic is examined and classified:
In this era of constantly pushing for more productivity and greater efficiency, it is essential that every resource devoted to web access within a business is utilised for business benefit. Unless the company concerned is in the business of gaming or social media, etc. it is unwise to use resources like internet/web access, and the infrastructure supporting it, for a purpose other than business. Like they say, “Nothing personal, just business”
With this in mind, IT administrators have their hands full ensuring management of web applications and their communication with the Internet. The cost of not ensuring this is loss of productivity, misuse of bandwidth and potential security breaches. As a business it is prudent to block any unproductive web application e.g. gaming, social media etc. and restrict or strictly monitor file sharing to mitigate information leakages.
It is widely accepted that in this area firewalls are of little use. Port blocking is not the preferred solution as it has a similar effect to a sledge hammer. What is required is the fineness of a scalpel to parse out the business usage from the personal and manage those business requirements accordingly. To be able to manage web application at such a level, it is essential to be able to identify and associate the request with its respective web application. Anything in line with business applications goes through, the rest are blocked.
This is where GFI WebMonitor excels in terms of delivering this level of precision and efficiency. It identifies access requests from supported applications using inspection technology and helps IT administrators to allow or block them. Hence, the administrators can allow certain applications for certain departments while blocking certain other applications as part of a blanket ban, thus enhancing the browsing experience of all users.
So, to achieve this, the process is to use the unified policy system of GFI WebMonitor. The policies can be configured specifically for application control or, within the same policy, several application controls can be combined using other filtering technologies.
Let’s take a look at the policy panel of GFI WebMonitor:
Figure 1. GFI WebMonitor Policy Panel interface. Add, delete, create internet access policies with ease (click to enlarge)