Customers have to build trust in NGN firewalls, so we have to demonstrate one somehow without interfering with production traffic. We can do this during a POC (proof of concept) by integrating it into the network the same way we implemented an IDS in the past.
The purpose is to show in reports what the NGN firewall would have blocked, and what that would have caused, had it been implemented inline as the routing instance in the upper network segment (distribution or core level).
To get this done we can use SPAN ports on the Cisco switches. I know NGN firewalls can work in virtual wire mode and every blocking rule in the signature, antivirus and other features can be set to alert only, but that is too complicated, and the first impression should not start with an unexpected block.
Back to the Cisco SPAN port. It is very flexible and can accommodate any kind of network scenario. The topology below is an example of how to let the firewall analyse just some ports, or if required a whole vlan, with one important requirement:
aggregate the monitored traffic at one point of the network so that a single firewall receives all the important traffic from different layer 2 locations.
This is called RSPAN (remote SPAN). It can be used across multiple switches, like in the topology below:

In the example topology above we monitor only some ports on the first two switches (the presentation zone and facility zone switches), and on the third switch we monitor a complete vlan, vlan 120 (application and middleware zone).
As you can see, the RSPAN session destination is not on those switches (it actually cannot be, if you use RSPAN); it is on a remote switch where the NGN firewall is connected.
The remote SPAN session has a dedicated vlan, vlan 100. Over that vlan the switch forwards every mirrored RX and TX packet.
On the upper switch the RSPAN session source is that remote vlan (vlan 100) and the session destination is the switch port the NGN firewall is connected to. Here is the example config:
! presentation zone switch
conf t
vlan 100
remote-span
exit
monitor session 1 source interface fa0/14 both
monitor session 1 destination remote vlan 100
! facility zone switch
conf t
vlan 100
remote-span
exit
monitor session 1 source interface fa0/4 both
monitor session 1 destination remote vlan 100
! application and middleware zone switch
conf t
vlan 100
remote-span
exit
monitor session 1 source vlan 120
monitor session 1 destination remote vlan 100
! distribution switch
conf t
vlan 100
remote-span
exit
monitor session 1 source remote vlan 100
monitor session 1 destination interface fa0/5
That's it, but never forget to size the traffic and avoid overloading the destination port on the upper switch; that is another bad mistake that can happen in a production environment. Keep your eyes on it.
On the firewall we have to activate a rule with every possible feature enabled (during the trial period we can have all of them), let it listen to the traffic, identify malicious traffic, and generate logs and reports for at least a month.
If reporting capability is not part of the product, don't worry: you can get one for free with Elasticsearch, Filebeat and a simple rsyslog server. I am writing another post about that.
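As an added check (not part of the original post), the following Python parses the four config snippets above, verifies the RSPAN chain is consistent (the remote-span vlan is declared on every switch and each feeder's destination vlan matches the collector's source vlan) and estimates whether the collector port is oversubscribed. The line rates are assumptions: fa0/x interfaces are FastEthernet (100 Mbit/s) and the vlan 120 figure is a constructed peak estimate.

```python
import re

def ios(source, destination):  # constructed helper: one switch's config lines from the post
    return (f"vlan 100\nremote-span\nexit\nmonitor session 1 source {source}\n"
            f"monitor session 1 destination {destination}")

# Constructed input: the four switches of the post's topology.
CONFIGS = {
    "presentation": ios("interface fa0/14 both", "remote vlan 100"),
    "facility": ios("interface fa0/4 both", "remote vlan 100"),
    "app-middleware": ios("vlan 120", "remote vlan 100"),
    "distribution": ios("remote vlan 100", "interface fa0/5"),
}
# Assumed line rates (Mbit/s): fa0/x is FastEthernet, so 100; "vlan 120" is a constructed
# peak estimate for the whole vlan. A port mirrored "both" can emit up to 2x its line rate.
LINE_RATE_MBPS = {"fa0/14": 100, "fa0/4": 100, "vlan 120": 300, "fa0/5": 100}

def parse_switch(cfg):
    """Return (remote-span vlans, list of source specs, destination spec)."""
    rspan = {int(v) for v in re.findall(r"vlan (\d+)\s*\n\s*remote-span", cfg)}
    sources = re.findall(r"monitor session \d+ source (.+)", cfg)
    dest = re.search(r"monitor session \d+ destination (.+)", cfg)
    return rspan, sources, dest.group(1) if dest else None

def check_rspan(configs, rates):
    """Validate the RSPAN chain and estimate worst-case load on the collector port."""
    problems, load, feeders, collectors = [], 0, {}, []
    for name, cfg in configs.items():
        rspan, sources, dest = parse_switch(cfg)
        for spec in sources + [dest or ""]:
            m = re.match(r"remote vlan (\d+)", spec)
            if m and int(m.group(1)) not in rspan:
                problems.append(f"{name}: vlan {m.group(1)} carries RSPAN but lacks remote-span")
        if dest and dest.startswith("remote vlan"):
            feeders[name] = dest
            for spec in sources:  # feeder: sum what its sources can push into the RSPAN vlan
                key = spec.replace("interface ", "").replace(" both", "")
                load += rates.get(key, 0) * (2 if spec.endswith("both") else 1)
        collectors += [(name, s, dest) for s in sources if s.startswith("remote vlan")]
    if len(collectors) != 1:
        problems.append(f"expected one collector switch, found {len(collectors)}")
        return {"problems": problems, "load_mbps": load, "oversubscribed": None}
    cname, cvlan, cdest = collectors[0]
    problems += [f"{n} sends to {v} but {cname} listens on {cvlan}"
                 for n, v in feeders.items() if v != cvlan]
    dest_rate = rates.get(cdest.replace("interface ", ""), 0)
    if load > dest_rate:
        problems.append(f"{cdest} ({dest_rate} Mbit/s) oversubscribed: worst case {load} Mbit/s")
    return {"problems": problems, "load_mbps": load, "oversubscribed": load > dest_rate}
```

With the assumed rates the three feeders can push up to 700 Mbit/s into vlan 100, so a FastEthernet destination port on the distribution switch would be flagged as oversubscribed.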
Posted on March 31, 2021