Tuesday, 8 July 2008

Cisco Object-Group and how to use them

PIX and ASA firewall are very powerful tools but the Access list seem to get longer and long with all the services and hosts and this puts a load on the CPU to check it and the memory to store it so what can we do.

Well Cisco have been very nice to us in giving us a way to take those long ACL (Access Control Lists) and make the shorter. The way they’ve done this is by using objects, now an object represents a set of things such as a service or hosts and/or even a network mask.

Enough of the talk it’s time for an example this is how an old ACL looks commonly.

access-list outsite_in extended permit tcp any host 209.165.201.10 eq www
access-list outsite_in extended permit tcp any host 209.165.201.12 eq www
access-list outsite_in extended permit tcp any host 209.165.201.14 eq www
access-list outsite_in extended deny ip any any


Now as you can see of each server is listed and this can become both messy and unclear after a while as after you’ve listed just six or seven services the list can become very large and almost unreadable when trying to trouble shoot it.

So what they have done is given us the ability to reference the service and host as groups of services/hosts and as a result can put them into just one line.

Object-group network DMZ_Web_Servers
Network-object host 209.165.201.10
Network-object host 209.165.201.12
Network-object host 209.165.201.14
Network-object host 209.165.200.0 255.255.255.0


Now we have an object we can use in the access list that will equals all of these host is one short list.

access-list outside_in extended permit tcp any object-group DMZ_Web_Servers eq www

As you can see the access list is much shorter and also because the groups can have logical names it’s much quicker to find the problem list or missing object, now there are more than one kind of object group as well as you can see from the next few examples there is the ICMP object.

object-group icmp-type icmp-allowed
icmp-object echo
icmp-object time-exceeded


There is the protocol object and tagged with is also an example of how you can group the services together so that one object in this case proto_grp_2 also allows proto_grp_1 as its nested inside it.

object-group protocol proto_grp_1
protocol-object udp
protocol-object ipsec


object-group protocol proto_grp_2
protocol-object tcp
group-object proto_grp_1


There is the service object these are port objects really they allow you to use ports to be opened we will see later how we can use these with other groups to open up the port on many items at once.

object-group service eng_service tcp
group-object eng_www_service
port-object eq ftp
port-object range 2000 2005


There is the network object for you common or garden hosts and subnet masks.

object-group network sjc_eng_ftp_servers
network-object host sjc.eng.ftp.servcers
network-object host 172.23.56.194
network-object 192.1.1.0 255.255.255.224


And just to show these can all be nested too here is another example of a nested group with network objects.

object-group network sjc_ftp_servers
network-object host sjc.ftp.servers
network-object host 172.23.56.195
network-object 193.1.1.0 255.255.255.224
group-object sjc_eng_ftp_servers


In this next example a object that contains both groups is given access to www and the two nested groups are then given there own access as well such as SMTP and FTP.

object-group network host_grp_1
network-object host 192.168.1.1
network-object host 192.168.1.2


object-group network host_grp_2
network-object host 172.23.56.1
network-object host 172.23.56.2


object-group network all_hosts
group-object host_grp_1
group-object host_grp_2


access-list grp_1 permit tcp object-group host_grp_1 any eq ftp
access-list grp_2 permit tcp object-group host_grp_2 any eq smtp
access-list all permit tcp object-group all_hosts any eq www


As you've seen what would have been 6 lines have be reduced to 3 lines in the end access, but we can do better.

Lastly we a use many objects into just one access list to get all the services and node the permission they need without writing long and complicated access list as an example this grouping enables the access list to be configured in one line instead of 24 lines. Instead with the grouping the access list configuration looks like this.

object-group network remote
network-object host kqk.suu.dri.ixx
network-object host kqk.suu.pyl.gnl


object-group network locals
network-object host 172.23.56.10
network-object host 172.23.56.20
network-object host 172.23.56.194
network-object host 172.23.56.195


object-group service eng_svc
port-object eq www
port-object eq smtp
port-object range 25000 25100


access-list acl permit tcp object-group remote object-group locals object-group eng_svc

This concludes our lesson for the day but remember the shorter and more efficient the access list the lower the load on the CPU and Memory of the firewall.

Sunday, 6 July 2008

Geographical Computer Networks

Today we are going to talk about geographical computer networks; these are among some of the most complex networks however the underlying structure is the same as any other network.

There are two network models Centralized and Regional sites.

We are going to cover QoS, Proxy’s and Round Robin DNS, most of the information needed to so this I have covered in previous postings.

Centralized has an ease of management and backup but is often slower for users then Regional sites and in addition it puts an overhead on WAN links as all requests are traveling via the WAN and this also leads to a single point of failure if the WAN link stops working.

Redundancy: Server are in a highly stable environment. However they are dependent on WAN links to users.
Availability: Using clusters and Load Balancing 99.99% up time can be guaranteed
Performance: Is good for local site or sites with strong links but many Regional site will perform poorly.

Regional Sites make use of local resources but cost more in administration time because of the complexity of the solution, however but making use of Round Robin DNS to find the closed resource.

Redundancy: Not dependent on local hardware as traffic can be moved to WAN link should local hardware fail. However larger number of servers needed.
Availability: Using nested named resource gives 99.97% uptime with always on resource being online.
Performance: Is good for users as load is balanced between resources both local and remote.


WAN Network optimization
WAN links between sites can become loaded with a large number of unneeded packets most common among these are NetBIOS broadcasts, UDP packets for this reason you should be sure of the traffic that is need and passing over your WAN links

By using WINS and blocking broadcast traffic on your routers you can reduce the UDP packet load however services and applications that use UDP normally such as VoIP and Streaming applications can be protected on the LAN with QoS and TCP trunk being sent over the WAN a good example of this can be found on Cisco site
http://www.cisco.com/en/US/docs/routers/access/1800/1841/software/configuration/guide/hhv3pn.html


SQL Geo Network
One of the biggest problems is Microsoft SQL server as yet there is still no geographical solution for data replication the closest at the moment is Microsoft SQL 2005 Merge replication, this can be used to create fault tolerant solution where by each production server hosts a read/write copy of the database. The databases are kept in sync using SQL Server 2005 peer-to-peer replication. Applications connect to the SQL cluster through the production interface using a host name that will distribute and load balance traffic between the nodes.

Redundancy: There is a copy of the database on each of the different servers. If one node of the cluster becomes unavailable, the other nodes automatically pick up the traffic.
Availability: Each server can be taken out of the cluster individually so maintenance can be performed without causing the database to become unavailable.
Performance: Application calls to a database are load balanced between the four nodes of the cluster. Balancing the load should result in better performance during times of increased activity.
Ideally you should have two servers in large Regional Sites so that if there is a fault on one the load is not sent over the WAN to the next nearest site unless needed as the WAN link is primarily used for replication traffic.


Round robin DNS
Is often used for balancing the load of geographically-distributed Web servers. For example, a company has one domain name and three identical web sites residing on three servers with three different IP addresses. When one user accesses the home page it will be sent to the first IP address. The second user who accesses the home page will be sent to the next IP address, and the third user will be sent to the third IP address. In each case, once the IP address is given out, it goes to the end of the list. The fourth user, therefore, will be sent to the first IP address, and so forth.

In windows 2003 Round robin DNS such can be used to matching the request to nearest subnet http://support.microsoft.com/kb/842197 so that traffic remains with local resources first.
However word of warning this will place more load on your DNS servers so make use you have enough of the to take the load.


Hardware Consolidation
The Consideration is the amount of hardware and cost centralized solutions have fewer server and therefore lower administration costs but the hardware is often costs more as I higher fault tolerances is needed.

The fewer the number of servers the lower the administration cost so in this example I have used only 3 physical servers as the Active Directory server Web and ISA server are all virtual servers while the SQL servers are two physical servers.

Personally I think that you can use one blade centre to build a complete site however since you need a SAN for large storage the cost is more than most want to pay for a solution.