This is part 3 of the virtual firewalls review. We will take a look at Cisco Security Contexts
http://netleets.com/...ritycontext.htm
Cisco Virtual Firewalls review
Started by
desperado618
, Nov 10 2008 11:55 AM
1 reply to this topic
#1
Posted 10 November 2008 - 11:55 AM
Netleets.com. IT Security news and information in plain English.
#2
Posted 10 November 2008 - 03:25 PM
Not a bad article. I am new to the concept of virtual firewalls. It makes sense. But I have a few questions...
I assume that when you are running in multi mode or have more than one context... you can't route traffic between the two? Because the article states one of the advantages is you can have overlapping networks using the same physical firewall but the contexts split them up. Then how do the clients on contextA reach clients on contextB? They can't, because the IP addresses are the same and routing is a layer 3 function. So as the article shows the example of CompanyA acquiring CompanyB... and CompanyB having the same IP scheme, a security context will resolve the problem by separating the two (VLANing in a sense). But then how do they communicate? You can't route between two identical networks.
EDIT: Just went and read up more about it here ( http://www.informit....e.aspx?p=426641 ). Seems I am right. If you share the interfaces between contexts... so making it a virtual firewall, the destination IP address of a packet must be unique if you want to traverse the context into the other network. So in essence... I don't believe this is beneficial for, say, a large WAN environment where you could do the same thing using VLANs. I do see how it is beneficial for a NOC or ISP or someone serving multiple customers in the same location (as the author stated haha)
Certified Information Systems Security Professional (CISSP)
T: http://twitter.com/Marts_McFly
B: http://www.backtosecurity.com
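The classification problem the reply above describes, as an added toy model (constructed for this thread, not Cisco's code): a packet arriving on an interface allocated to one context goes to that context, while a packet arriving on a shared interface can only be assigned by destination address, so two contexts that both own 10.1.1.0/24 leave the firewall unable to pick one. Context and interface names and the 198.51.100.0/24 mapped range are assumptions.

```python
"""Toy model of multi-context packet classification (constructed illustration)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Context:
    name: str
    interfaces: set = field(default_factory=set)    # interfaces allocated to this context
    owned_dest: list = field(default_factory=list)  # destination networks it answers for on shared interfaces


@dataclass
class Packet:
    ingress: str  # interface the packet arrived on
    dst: str      # destination IPv4 address


def classify(contexts, packet):
    """Return the context that should process the packet, or None when it is undecidable.

    Rule 1: an interface allocated to exactly one context -> that context.
    Rule 2: a shared interface -> pick the context whose mapped destination range
            matches; zero or more than one match means the packet cannot be classified.
    """
    owners = [c for c in contexts if packet.ingress in c.interfaces]
    if len(owners) == 1:
        return owners[0]
    if not owners:
        return None
    dst = ip_address(packet.dst)
    claimants = [c for c in owners if any(dst in ip_network(n) for n in c.owned_dest)]
    return claimants[0] if len(claimants) == 1 else None  # overlap -> ambiguous, drop


# Constructed scenario from the thread: CompanyA and CompanyB both use 10.1.1.0/24.
# contextB additionally advertises a unique mapped range on the shared "outside" interface.
CONTEXTS = [
    Context("contextA", {"gig0/1", "outside"}, ["10.1.1.0/24"]),
    Context("contextB", {"gig0/2", "outside"}, ["10.1.1.0/24", "198.51.100.0/24"]),
]


def classify_name(ingress, dst):
    """Convenience wrapper returning the chosen context name, or None."""
    ctx = classify(CONTEXTS, Packet(ingress, dst))
    return ctx.name if ctx else None
```

Packets entering on a dedicated interface are always classified; on the shared interface only the unique 198.51.100.0/24 destination is, and the overlapping 10.1.1.0/24 destination is dropped.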