
Configure PVLAN (Private VLAN) on Cisco ASA 5505 (5506) DMZ zone

TigerDao

Administrator
Staff member
ASA 5505 (5506) is the only model with an 8-port switch embedded in the device. All interfaces of the ASA5505 (5506) are Layer2 switch ports and as such they support a number of features that you can find on Cisco switches. One of these features is called “Private VLAN”.

The concept of “Private VLAN” is very useful in a DMZ environment. Here’s how it can be used: Suppose you have a firewall with an External interface connected to the Internet, an Internal interface connected to a secure LAN, and a DMZ interface connected to a subnet that hosts some publicly accessible servers (e.g. Web Server, Email Server, etc.). The DMZ servers are all on the same subnet. Therefore, if one of the DMZ servers is compromised, an attacker can easily use this compromised server as a “stepping stone” to access other servers in the DMZ.

The above situation can be minimized by using “Private VLAN”. By designating each DMZ switch port as “Private VLAN”, hosts in the DMZ will not be allowed to communicate with each other.

You can learn about Private VLAN (PVLAN) here:

See the diagram below

(IMG)


Let’s say we have an ASA5505 (5506) with three Security Zones:

  • Outside Zone: Interface E0/0 in VLAN 10
  • Inside Zone: Interface E0/1 in VLAN 20
  • DMZ Zone: Interfaces E0/2, E0/3 in VLAN 30

Note: in the DMZ we have 2 publicly accessible servers (Web Server and Email Server) which both belong to the same Layer 2 VLAN (VLAN 30) and the same Layer 3 subnet (10.0.0.0/24).

If “Private VLAN” is not configured and the Web or Email server is compromised, the attacker can also reach the other DMZ server. With Private VLAN, the Web Server and Email Server cannot communicate with each other even though they are on the same VLAN and in the same subnet. All other zones (external and internal), however, can still access the DMZ zone (and vice versa) without any problems.

Configuration:

We will only look at the configuration related to Private VLAN settings as follows.

ASA5505(5506)(config)# interface ethernet 0/0
ASA5505(5506)(config-if)# switchport access vlan 10
ASA5505(5506)(config-if)# no shutdown
ASA5505(5506)(config-if)# interface ethernet 0/1
ASA5505(5506)(config-if)# switchport access vlan 20
ASA5505(5506)(config-if)# no shutdown
ASA5505(5506)(config-if)# interface ethernet 0/2
ASA5505(5506)(config-if)# switchport access vlan 30
ASA5505(5506)(config-if)# no shutdown
ASA5505(5506)(config-if)# switchport protected
ASA5505(5506)(config-if)# interface ethernet 0/3
ASA5505(5506)(config-if)# switchport access vlan 30
ASA5505(5506)(config-if)# no shutdown
ASA5505(5506)(config-if)# switchport protected

The “switchport protected” command turns a specific physical port into a “Private VLAN” (protected) port. Ports configured as protected cannot communicate with each other, even when they sit in the same VLAN; traffic to ports that are not protected (here the Outside and Inside ports) is unaffected.
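Since the protection only works if every DMZ port carries the command, it is worth auditing the running configuration rather than trusting memory. The following Python script is an added example, not part of the original article: it parses a constructed “show running-config” sample laid out like the configuration above (with E0/3 deliberately left unprotected) and lists the DMZ-VLAN ports that are missing “switchport protected”.

```python
import re

# Constructed sample of ASA 5505 "show running-config" interface blocks.
# E0/2 is protected; E0/3 was left unprotected by mistake; E0/4 is shut.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 switchport access vlan 10
!
interface Ethernet0/1
 switchport access vlan 20
!
interface Ethernet0/2
 switchport access vlan 30
 switchport protected
!
interface Ethernet0/3
 switchport access vlan 30
!
interface Ethernet0/4
 shutdown
!
"""

def parse_switchports(config):
    """Return {interface: {"vlan", "protected", "shutdown"}} from config text.
    A port with no 'switchport access vlan' line is in the default VLAN 1."""
    ports, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):            # top-level line: new block or '!'
            m = re.match(r"^interface (\S+)", line)
            current = m.group(1) if m else None
            if current:
                ports[current] = {"vlan": 1, "protected": False, "shutdown": False}
            continue
        if current is None:
            continue
        cmd = line.strip()
        m = re.match(r"^switchport access vlan (\d+)$", cmd)
        if m:
            ports[current]["vlan"] = int(m.group(1))
        elif cmd == "switchport protected":
            ports[current]["protected"] = True
        elif cmd == "shutdown":
            ports[current]["shutdown"] = True
    return ports

def unprotected_dmz_ports(ports, dmz_vlans):
    """Active ports in a DMZ VLAN without 'switchport protected': servers on
    these ports can still reach each other at Layer 2 inside the DMZ."""
    return sorted(name for name, p in ports.items()
                  if p["vlan"] in dmz_vlans and not p["shutdown"] and not p["protected"])

if __name__ == "__main__":
    ports = parse_switchports(SAMPLE_CONFIG)
    for name in unprotected_dmz_ports(ports, {30}):
        print(f"{name}: VLAN {ports[name]['vlan']} port lacks 'switchport protected'")
```

Feed it the real output of “show running-config interface” and the set of VLAN numbers you use for the DMZ; an empty result means every active DMZ port is protected.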

Thank you for following this article.
