Thursday, 9 September 2021

Simplified Insertion of Cisco Secure Firewall with AWS Route Table Enhancement

Cisco Secure Firewall provides industry-leading firewall capabilities for Amazon Virtual Private Cloud (VPC) and the resources deployed inside it. Customers use these firewalls to protect both north-south and east-west traffic.

Typically, we provide north-south traffic inspection in AWS infrastructure by deploying a load balancer and adding firewalls behind it. Another approach uses Amazon VPC Ingress Routing to steer traffic to Cisco Secure Firewalls.

Since the AWS VPC Ingress Routing feature launched, we’ve been waiting for a similar feature for east-west traffic inspection, because a route in a VPC route table could not be more specific than the default local route. Figure 1 below illustrates this: when the VPC range is 10.82.0.0/16, it is impossible to add more specific routes for 10.82.100.0/24 and 10.82.200.0/24.

Figure 1 – Cisco Secure Firewall in Amazon VPC (more specific route not allowed)

However, as of today, AWS has launched a new feature that allows a more specific route to be added to an Amazon Route Table. This makes it possible to steer traffic between subnets in a VPC through the firewall for inspection, as shown in Figure 2 below.

Figure 2 – Cisco Secure Firewall in Amazon VPC (more specific route allowed)
 
The route table in Figure 3 is associated with a trusted subnet and has a route for an untrusted subnet pointing to the trusted interface (Elastic Network Interface – ENI-B) of the Cisco Secure Firewall.

Figure 3 – AWS Route Table Associated with Trusted Subnet

The route table in Figure 4 is associated with an untrusted subnet and has a route for the trusted subnet pointing to the untrusted interface (ENI-A) of the Cisco Secure Firewall.

Figure 4 – AWS Route Table Associated with Untrusted Subnet
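As an added example (not code from the original post), the two route tables from Figures 3 and 4 modelled on the JSON shape that `aws ec2 describe-route-tables` returns, with a longest-prefix-match check that both directions of the 10.82.100.0/24 and 10.82.200.0/24 flow are steered to the firewall interfaces; the ENI ids are constructed placeholders.

```python
# Dicts follow the JSON shape of `aws ec2 describe-route-tables`; ENI ids are placeholders.
import ipaddress

VPC_CIDR = "10.82.0.0/16"
TRUSTED_CIDR = "10.82.100.0/24"
UNTRUSTED_CIDR = "10.82.200.0/24"
ENI_A = "eni-0aaaaaaaaaaaaaaaa"  # placeholder: firewall interface in the untrusted subnet
ENI_B = "eni-0bbbbbbbbbbbbbbbb"  # placeholder: firewall interface in the trusted subnet

LOCAL_ROUTE = {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"}

# Figure 3: route table of the trusted subnet sends untrusted-subnet traffic to ENI-B.
RTB_TRUSTED = {"RouteTableId": "rtb-trusted", "Routes": [
    LOCAL_ROUTE,
    {"DestinationCidrBlock": UNTRUSTED_CIDR, "NetworkInterfaceId": ENI_B, "State": "active"},
]}
# Figure 4: route table of the untrusted subnet sends trusted-subnet traffic to ENI-A.
RTB_UNTRUSTED = {"RouteTableId": "rtb-untrusted", "Routes": [
    LOCAL_ROUTE,
    {"DestinationCidrBlock": TRUSTED_CIDR, "NetworkInterfaceId": ENI_A, "State": "active"},
]}

def next_hop(route_table, dest_cidr):
    """Longest-prefix match over active routes, as the VPC router does; returns the
    ENI id the traffic is forwarded to, or 'local' when only the default route matches."""
    dest = ipaddress.ip_network(dest_cidr)
    best = None
    for route in route_table["Routes"]:
        if route.get("State") != "active":
            continue
        prefix = ipaddress.ip_network(route["DestinationCidrBlock"])
        if dest.subnet_of(prefix) and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, route)
    if best is None:
        return None
    return best[1].get("GatewayId") or best[1].get("NetworkInterfaceId")

def check_east_west_inspection(rtb_trusted, rtb_untrusted):
    """Return a finding for each direction whose next hop is not the expected
    firewall interface; an empty list means both directions are inspected."""
    findings = []
    for name, rtb, dest, want in (
        ("trusted->untrusted", rtb_trusted, UNTRUSTED_CIDR, ENI_B),
        ("untrusted->trusted", rtb_untrusted, TRUSTED_CIDR, ENI_A),
    ):
        got = next_hop(rtb, dest)
        if got != want:
            findings.append(f"{name}: next hop is {got}, expected firewall {want}")
    return findings
```

A route table that only carries the local route (the Figure 1 situation) produces a finding, since that direction falls through to `local` and bypasses the firewall.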
