The ASA 5505 is the only ASA model with an 8-port switch built into the device (the later ASA 5506-X has routed interfaces, not switch ports). All eight interfaces of the ASA 5505 are Layer 2 switch ports, so they support a number of features you would otherwise find on Cisco switches. One of these is the protected port, commonly referred to as “Private VLAN”. Strictly speaking it is the protected-port (PVLAN edge) behaviour of Catalyst switches rather than the full primary/secondary Private VLAN feature, but for a DMZ it achieves the same goal.
The concept is very useful in a DMZ. Suppose you have a firewall with an outside interface connected to the Internet, an inside interface connected to a trusted LAN, and a DMZ interface connected to a subnet that hosts publicly accessible servers (e.g. a web server and an email server). The DMZ servers all sit on the same subnet, so if one of them is compromised, the attacker can use it as a “stepping stone” to reach the other DMZ servers directly at Layer 2, without that traffic ever crossing the firewall's access policy.
This exposure can be reduced with protected ports. By configuring each DMZ switch port as protected, hosts in the DMZ are no longer able to communicate with each other at Layer 2, even though they remain in the same VLAN and the same subnet.
You can learn about Private VLAN (PVLAN) here:
See the diagram below
Let’s say we have an ASA 5505 with three security zones:
- Outside Zone: Interface E0/0 in VLAN 10
- Inside Zone: Interface E0/1 in VLAN 20
- DMZ Zone: Interfaces E0/2, E0/3 in VLAN 30
Note: the DMZ contains two publicly accessible servers (a web server and an email server), both in the same Layer 2 VLAN (VLAN 30) and the same Layer 3 subnet (10.0.0.0/24).
Without protected ports, if the web or email server is compromised, the attacker can also reach the other DMZ server directly. With protected ports, the web server and the email server cannot communicate with each other even though they share a VLAN and a subnet. Traffic between the other zones (outside and inside) and the DMZ is unaffected, because it is routed by the ASA and remains subject to the security levels and access lists configured on the VLAN interfaces. Keep the licensing in mind when planning three zones: the ASA 5505 Base license allows only three VLANs, and the third one is restricted from initiating traffic to one of the other two (the no forward interface restriction); the Security Plus license removes this limit.
Configuration:
We will only look at the part of the configuration related to protected ports. Each physical port is assigned to its VLAN; the two DMZ ports additionally receive the switchport protected command.
ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 10
ASA5505(config-if)# no shutdown
ASA5505(config-if)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 20
ASA5505(config-if)# no shutdown
ASA5505(config-if)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 30
ASA5505(config-if)# no shutdown
ASA5505(config-if)# switchport protected
ASA5505(config-if)# interface ethernet 0/3
ASA5505(config-if)# switchport access vlan 30
ASA5505(config-if)# no shutdown
ASA5505(config-if)# switchport protected
The switchport protected command turns a physical port into a protected port. Protected ports in the same VLAN cannot forward any traffic (unicast, multicast or broadcast) to each other at Layer 2. They can still communicate with unprotected ports in the same VLAN, so every DMZ port must be marked protected or the isolation has a gap: a server added later on an unprotected port is reachable from every other DMZ host. To verify, check show running-config interface ethernet 0/2 (it must list switchport protected) and ping the email server from the web server; the ping should fail while pings to the DMZ gateway (10.0.0.1) and to the Internet still succeed.
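Because the protection only works if every port in the DMZ VLAN carries switchport protected, it is worth checking the running configuration mechanically rather than by eye. The script below is an added example and is not from the original article or from Cisco: it parses a constructed ASA 5505 running-config (the three-zone layout above, plus a fourth DMZ port Ethernet0/4 that was added later without protection, and a shut-down spare port) and reports, for every VLAN that contains at least one protected port, the active ports in that VLAN that are not protected. The VLAN interface addresses and the extra ports are assumptions made for the sample.

```python
"""Audit an ASA 5505 running-config for switchports that share a VLAN with
protected ports but are not protected themselves.

Added example, not code from the original article.  The configuration text
below is constructed for illustration; the addresses are assumptions."""
import re
from collections import defaultdict

# Constructed sample config: outside (VLAN 10), inside (VLAN 20), DMZ (VLAN 30).
# Ethernet0/4 is a DMZ port that was added later and never protected.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 switchport access vlan 10
!
interface Ethernet0/1
 switchport access vlan 20
!
interface Ethernet0/2
 switchport access vlan 30
 switchport protected
!
interface Ethernet0/3
 switchport access vlan 30
 switchport protected
!
interface Ethernet0/4
 switchport access vlan 30
!
interface Ethernet0/5
 shutdown
!
interface Vlan10
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Vlan20
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan30
 nameif dmz
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
"""


def parse_switchports(config):
    """Return {port: {"vlan", "protected", "shutdown"}} for every physical
    EthernetX/Y stanza.  Ports with no 'switchport access vlan' line sit in
    VLAN 1, the ASA 5505 default.  Vlan interfaces are skipped."""
    ports = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (Ethernet\d+/\d+)$", line)
        if m:
            current = m.group(1)
            ports[current] = {"vlan": 1, "protected": False, "shutdown": False}
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or a non-Ethernet interface ends the stanza
            continue
        cmd = line.strip()
        m = re.match(r"switchport access vlan (\d+)$", cmd)
        if m:
            ports[current]["vlan"] = int(m.group(1))
        elif cmd == "switchport protected":
            ports[current]["protected"] = True
        elif cmd == "shutdown":
            ports[current]["shutdown"] = True
    return ports


def find_unprotected_peers(ports):
    """For each VLAN with at least one protected port, list the active ports in
    that VLAN that are NOT protected.  A compromised host on a protected port
    can still reach hosts behind those ports at Layer 2."""
    by_vlan = defaultdict(list)
    for name, p in ports.items():
        if not p["shutdown"]:
            by_vlan[p["vlan"]].append(name)
    findings = {}
    for vlan, members in by_vlan.items():
        if any(ports[n]["protected"] for n in members):
            gaps = sorted(n for n in members if not ports[n]["protected"])
            if gaps:
                findings[vlan] = gaps
    return findings


def audit(config):
    """Parse a config and return {vlan: [unprotected ports]}; empty means clean."""
    return find_unprotected_peers(parse_switchports(config))


if __name__ == "__main__":
    for vlan, gaps in audit(SAMPLE_CONFIG).items():
        print(f"VLAN {vlan}: unprotected ports alongside protected ones: {gaps}")
```

Run against a real device, paste the output of show running-config interface into the script instead of SAMPLE_CONFIG; an empty result means every port in each VLAN that uses protection is protected. VLANs with no protected ports at all (outside, inside) are deliberately not reported, since isolation was never intended there.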
Thank you for following this article.