Re: ASA context cascading, any Real World design reason for

From: Dan Shechter <danshtr_at_gmail.com>
Date: Tue, 14 Aug 2012 14:41:13 +0300

True.

But unfortunately, I have seen many cascading firewall configurations with
the same firewall/os/patch level.

HTH,
Dan #13685 (RS/Sec/SP)
 The CCIE troubleshooting blog: http://dans-net.com
 Bring order to your Private VLAN network: http://marathon-networks.com

On Tue, Aug 14, 2012 at 2:15 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:

> There is one reason that does not apply though: to have a different set of
> bugs/exploits (independent vulnerability set ?).
>
> :)
> I could not resist.
> -Carlos
>
> Dan Shechter @ 14/08/2012 08:06 -0300 dixit:
>
>> Jeremy,
>>
>> The same reasons for cascading physical firewalls apply to cascading
>> logical (contexts) firewalls.
>>
>> For example:
>>
>> - Two different departments need to control access, so only if both
>> firewalls permit the packets then the traffic will flow. Much like
>> using dual locks.
>> - To protect from human configuration errors, firewalls are cascaded
>> and policy must be configured twice to allow traffic through.
>> - One firewall to connect the whole network to the internet, and
>> several other firewalls to protect each sub network. Which is a
>> combination of the two above.
>> - Fun at CCIE lab... ;)
>>
>> HTH,
>> Dan #13685 (RS/Sec/SP)
>> The CCIE troubleshooting blog: http://dans-net.com
>> Bring order to your Private VLAN network: http://marathon-networks.com
>>
>> On Tue, Aug 14, 2012 at 8:15 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I'm just wondering if someone can guide me on whether any real-world
>>> implementation of cascaded contexts has been deployed, or any reason for
>>> going through such complexity.
>>>
>>>
>>> Thanks
>>>
>>> Jeremy
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>

-- 
Best regards,
Dan
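As an added illustration of the "dual locks" point in the thread above (this is example code, not from any poster, and not an ASA configuration), the following Python simulates two cascaded firewall contexts with first-match access lists and an implicit deny, and shows that traffic passes only when every context permits it. The contexts, addresses, and the "fat-finger" permit-any rule are constructed sample values; the helper names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int] = None   # destination port, None means any port

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def evaluate_acl(rules: List[Rule], flow: Flow) -> bool:
    """First-match evaluation; falling off the end is an implicit deny."""
    for rule in rules:
        src_ok = ip_address(flow.src) in ip_network(rule.src, strict=False)
        dst_ok = ip_address(flow.dst) in ip_network(rule.dst, strict=False)
        port_ok = rule.dport is None or rule.dport == flow.dport
        if src_ok and dst_ok and port_ok:
            return rule.action == "permit"
    return False

def cascade_permits(contexts: List[List[Rule]], flow: Flow) -> bool:
    """Cascaded contexts act like dual locks: every context must permit the flow."""
    return all(evaluate_acl(acl, flow) for acl in contexts)

# Constructed sample policies (hypothetical addressing).
OUTER = [   # edge context: whole campus may reach the internet on 80/443 only
    Rule("permit", "10.0.0.0/8", "0.0.0.0/0", 443),
    Rule("permit", "10.0.0.0/8", "0.0.0.0/0", 80),
]
INNER = [   # department context: its own subnet may reach one partner range on 443
    Rule("permit", "10.1.0.0/16", "203.0.113.0/24", 443),
]
INNER_FAT_FINGER = [   # a configuration error: permit anything
    Rule("permit", "0.0.0.0/0", "0.0.0.0/0"),
]

def demo() -> dict:
    web = Flow("10.1.5.7", "203.0.113.10", 443)
    telnet = Flow("10.1.5.7", "203.0.113.10", 23)
    return {
        # both contexts permit HTTPS, so it flows
        "web_cascade": cascade_permits([OUTER, INNER], web),
        # telnet is permitted by neither, so it is blocked
        "telnet_cascade": cascade_permits([OUTER, INNER], telnet),
        # the mis-configured inner context alone would let telnet through
        "telnet_inner_fat_finger": evaluate_acl(INNER_FAT_FINGER, telnet),
        # but the cascade still blocks it, because the outer context denies
        "telnet_cascade_fat_finger": cascade_permits([OUTER, INNER_FAT_FINGER], telnet),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'PERMIT' if allowed else 'DENY'}")
```

The last two entries are the "protect from human configuration errors" case: a single overly broad rule in one context does not open the path, because the other context still has to permit the same flow.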
Received on Tue Aug 14 2012 - 14:41:13 ART

This archive was generated by hypermail 2.2.0 : Sat Sep 01 2012 - 08:41:18 ART