Security Levels
Simply stated, every interface on a PIX firewall is assigned
a numeric security, or trust, level between 0 and 100. The larger the value, the
higher the trust level, with 100 reserved for the inside interface and 0
reserved for the outside interface. Under the basic operation of the PIX
Adaptive Security Algorithm (ASA), data travels freely from an interface with a
higher security level to an interface with a lower security level. This means
that in a two-interface firewall, hosts connected to the inside interface can
always initiate traffic out through the outside interface to whatever lies
beyond, without any additional configuration.
Prior to version 5.2 of the PIX OS, Ethernet 1 was reserved for
the inside interface and set to security level 100, and Ethernet 0 was reserved
for the outside interface and set to security level 0. Since 5.2, these remain
the defaults, but any physical interface can be assigned as the inside or the
outside. Whichever interfaces are chosen, the inside interface must still be
assigned security level 100 and the outside interface security level 0.
When you think of security levels, think of data as a liquid and
of security levels as elevation: data flows freely from the higher elevation to
the lower elevation without additional assistance. The analogy breaks down once
you recognize that data, unlike a liquid, has to flow in both directions. The
case that matters most is return traffic, the packets sent back in response to
a request.
Returning Traffic
While the previous concept is explained in any discussion of
ASA, something that often goes unsaid is this: the return traffic for a
permitted outbound session also passes freely back through the firewall, unless
some configuration prevents it, because the PIX keeps track of each session it
has allowed and matches the replies against that state. Put simply, if all
traffic entering the network were the result of outgoing requests from trusted
hosts, no additional PIX configuration would be needed. Figure 19-1 shows a
two-interface firewall and the unassisted traffic flow patterns.
Security Levels 1 to 99
In addition to the inside and outside interfaces, a firewall
can have one or more protected interfaces connected to shared resources, such
as web servers. The resulting networks are referred to as DMZ networks or
bastion networks, and the devices on them as DMZ hosts or bastion hosts.
ASA security levels 1 to 99 are used for DMZ interfaces. If
the PIX has a single protected DMZ interface, its security level is configured
somewhere between the inside and outside levels, such as 50. Figure 19-2
shows the interfaces just described. Packets originating from the inside
interface flow freely to the DMZ, and the reply packets return to the
inside interface. Packets originating in the DMZ that aren't part of a session
initiated from the inside interface can't reach the inside interface without
configuration assistance.
Packets originating in the DMZ can travel freely to the outside
and receive reply packets without additional configuration. This is
particularly useful for servers such as e-mail, DNS, and content servers,
which must periodically communicate with the outside world.
Multiple protected DMZ interfaces are becoming more common as a
way of offering different levels of protection to different types of shared
resources. If multiple DMZ interfaces are used, plan the security level
assignments carefully so that traffic flows only in the intended directions: a
DMZ at a higher level can initiate connections to every DMZ at a lower level,
but not the reverse. If two DMZ interfaces have the same security level, no
traffic flows between them in either direction without special configuration.
The following write terminal output shows an example of a PIX
configured with four DMZ interfaces at descending security levels:
Pix(config)# write terminal
(lines omitted)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security80
nameif ethernet3 dmz2 security60
nameif ethernet4 dmz3 security40
nameif ethernet5 dmz4 security20
hostname Pix
(lines omitted)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
(lines omitted)
ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz1 192.168.2.1 255.255.255.0
ip address dmz2 192.168.3.1 255.255.255.0
ip address dmz3 192.168.4.1 255.255.255.0
ip address dmz4 192.168.5.1 255.255.255.0
Inbound Traffic
Because the ASA blocks any traffic that originates on a
lower security level interface and is destined for a higher security level
interface, the device must be configured explicitly for each exception.
Combinations of the static command and access control lists (ACLs), or
conduits (the older alternative to ACLs), are used to allow these specific
flows. Static commands are discussed in the upcoming section "Static Alone Is
Not Enough" and ACLs are discussed in the section "Access Control Lists."
Remember, this discussion is about holes punched through the
firewall, each of which represents an exposure for the firewall device and
the protected networks behind it. Therefore, create these holes only when
they're specifically allowed by the security policy. An example might be
allowing outside users to access the organization's web server on a protected
DMZ. In this case, it's important that the resulting hole allows controlled
access to the appropriate host and port on the appropriate DMZ, and not to
the inside network or to other services on that DMZ host.