Secure Data Center – Cisco ACI, Secure Firewall, and Secure ADC Design Guide

Available Languages

Download Options

  • PDF
    (8.2 MB)
    View with Adobe Reader on a variety of devices
Updated:January 12, 2022

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Available Languages

Download Options

  • PDF
    (8.2 MB)
    View with Adobe Reader on a variety of devices
Updated:January 12, 2022
 

Abstract

This design guide details the secure data center solution based on the Cisco Application Center Infrastructure (ACI). The Cisco Secure Firewall and Cisco Secure Application Deliver Controller (ADC) solutions are used to secure access to the workloads in an ACI data center.

Target Audience

The target audience for this design guide are Solution Architects responsible for designing a secure data center and the implementation team responsible for deploying a secure data center.

Scope

In Scope

This design guide covers the following components:

     Cisco Application Centric Infrastructure (ACI)

     Cisco Secure Firewall (Firepower Threat Defense (FTD))

     Cisco Secure Application Delivery Controller (Radware Alteon)

Out of Scope

This design guide does not cover the following components:

     Cisco Secure Firewall (Application Security Appliance (ASA))

     Cisco Identity Services Engine

     Cisco Secure Access by Duo

     Cisco Secure Network Analytics (Stealthwatch Enterprise)

     Cisco Secure Cloud Analytics (Stealthwatch Cloud)

     Cisco Secure Workload (Tetration)

     Cisco Secure Endpoint (AMP for Endpoint)

SAFE Introduction

As your data flows from an increasing number of devices to your data center or private/public cloud, you must understand your data flow to be able to protect it. Cisco SAFE is an architectural approach that helps you visualize this transit of the data in terms of business flows, understand the attack surface associated with these flows and hence, devise appropriate capabilities to secure them. This framework provides complete guidance from the initial identification of business flows in an architecture for securing it and then deploying and validating the solution.

Cisco SAFE simplifies network security by providing solution guidance using the concept of ‘Places in the Network’ (PINs). This design guide is a recommended threat defense architecture for the Secure Data Center PIN.

A picture containing diagramDescription automatically generated

Figure 1.              Key to SAFE organizes the complexity of holistic security into PINs & Secure Domain

SAFE matches up defensive capabilities against the categories of threats today. SAFE simplifies security by starting with business flows, then addressing their respective threats with corresponding security capabilities, architectures, and designs. SAFE provides guidance that is holistic and understandable.

More information about how Cisco SAFE simplifies security, along with this and other Cisco Validated Designs (CVDs), can be found here.

Secure Data Center Business Flows

SAFE uses the concept of business flows to simplify the identification of threats and the selection of security capabilities necessary to protect the data flow. The two typical types of data flows in data center are north-south and east-west. North-south refers to data flow that enters or leaves the data center and east-west refers to the data flows within the data center. This solution focus is on the north-south data flow business use cases and the threats they present.

Two examples of north-south data flows are described below:

     In the first example, a clerk located at a branch is processing a credit card transaction on the payment application

     The second example, a field engineer working remotely is updating a work order on the workflow application

Graphical user interface, text, application, emailDescription automatically generated

Figure 2.              Secure Data Center Business Flows

Secure Data Center Attack Surface

The Secure Data Center solution protects workloads by applying security controls to the attack surface found in the data center. The attack surface in data center spans the business flows used by humans, devices, and the network.

Threats include rogue identity, infections, and advanced persistent threats allowing hackers the ability to take control of your devices and networks. Legacy remote administration access to devices (such as modems) adds additional risk. Zero-day vulnerability attacks can bypass existing controls and infect systems.

The threats represented in the example data flows include:

     Rogue: An unauthorized device on the network

     Infection: A file that has been infected by malware

     Network Breach: Unauthorized access to the network

A picture containing chartDescription automatically generated

Figure 3.              Secure Data Center Attack Surface

Solution Overview

Cisco’s security approach for the modern cloud applications allows companies to achieve:

     Improved resiliency to enable cloud availability and secure services

     Operational efficiency from automated provisioning, flexibility, and integrated security

     Advanced threat protection from Cisco TALOS – industry-leading threat intelligence to stay up to date, informed, and secure

What is our security approach?

Specific capabilities are necessary to protect the data center and build the appropriate layers of defense. These capabilities work together to create several layers of defense protecting the data center applications. The top priorities or the three pillars that we keep in mind while designing the secure data center solutions are:

     Visibility - Complete visibility of users, devices, networks, applications, workloads, and processes

     Segmentation - Reduce the attack surface by preventing attackers from moving laterally, with consistent security policy enforcement, application access control and micro-segmentation

     Threat Protection - Stop the breach by deploying multi-layered threat sensors strategically in the public cloud to quickly detect, block, and dynamically respond to threats

Threat Protection

Security Capabilities

Specific capabilities are necessary to protect the data center and build the appropriate layers of defense. These capabilities work together to create several layers of defense protecting the data center.

Icon

Threat

Icon

Capability

Security Solutions

 IconDescription automatically generated

Unauthorized access and malformed packets.

 IconDescription automatically generated

Firewall Segmentation

Cisco Secure Firewall (Firepower Threat Defense (FTD))

Application Security Appliance (ASA))

 IconDescription automatically generated

Attacks using worms, viruses, or other techniques.

 IconDescription automatically generated

Intrusion Prevention System (IPS)

Cisco Secure Firewall (Firepower Threat Defense (FTD))

 A picture containing text, clipartDescription automatically generated

Malware distribution across networks or between servers and devices.

 IconDescription automatically generated

Network Anti-Malware

Cisco Secure Firewall (Firepower Threat Defense (FTD))

Application Security Appliance (ASA))

 IconDescription automatically generated

Attack tools hiding in permitted applications.

 IconDescription automatically generated

Application Visibility Control (AVC)

Cisco Secure Firewall (Firepower Threat Defense (FTD))

 IconDescription automatically generated

Attacks against poorly developed applications and web vulnerabilities.

 IconDescription automatically generated

Web Application Firewall (WAF)

Cisco Secure Application Delivery Controller (Radware Alteon WAF)

 IconDescription automatically generated

Theft of unencrypted traffic.

 IconDescription automatically generated

TLS Encryption Offload

Cisco Secure Application Delivery Controller (Radware Alteon)

 IconDescription automatically generated

Attackers or malicious users accessing restricted information.

 Logo, iconDescription automatically generated

Identity/Authorization

Cisco Identity Services Engine (ISE)

Cisco Secure Access by Duo

Solution Architecture

Developing a defense-in-depth architecture requires identifying existing threats and applying appropriate security capabilities to thwart them.

The two business flows defined earlier are shown with the necessary security capabilities.

DiagramDescription automatically generated

Figure 4.              Secure Data Center business flows with capabilities

Reference Architecture

The Cisco Secure Data Center reference architecture is a solution that includes the best of Cisco’s products for a modern data center.

     The data center network is based on Cisco Application Centric Infrastructure (ACI)

     Cisco Secure Firewall (Firepower Threat Defense) protects the data center infrastructure

     Firepower Management Center (FMC) manages Cisco Secure Firewall and integrated services

     Advanced Malware Protection (AMP) for Networks on the Cisco Secure Firewall detects malware

     Secure Application Delivery Controller (Secure ADC) provides TLS offload and Web Application Firewall (WAF)

     Identity Services Engine (ISE) enables 802.1x authentication

 

Product information and capabilities will be discussed in the Implementation section below.

The secure data center architecture is illustrated in the figure below. The figure highlights the services and components discussed in this guide and their place in the network. The Edge connects the data center to Internet and cloud services, like Secure Endpoint Console. It also connects remote users to the data center with VPN services. The WAN connects the branch offices to the data center. The Internet and WAN are places in the network (PINs) that are outside of the data center. Refer to the SAFE Architecture Guides for details on other PINs. Within the data center, the Core connects the Services zone and Software Defined zone.

TimelineDescription automatically generated

Figure 5.              Secure Data Center Reference Architecture

Business Use Cases

The first business use case depicted below is a payment application for PCI compliance. The clerk is depicted by the green token is connected to the WAN from a branch office. The clerk is processing a sales transaction that includes a credit card and is accessing the payment application in the data center. The data flow enters the data center Core zone from WAN and is routed to the Software Defined zone. Software Defined zone refers to software defined segmentation, which is delivered by Cisco Application Centric Infrastructure (ACI).

The flow enters the ACI Leaf through a Layer 3 Out (L3Out), and an ACI Service Graph allow the flow through to the external Alteon. The Alteon Web Application Firewall inspects and the SSLi (TLS offload) decrypts the flow. The unencrypted flow is redirected by ACI to the Firepower for inspection. If the flow passes all inspections, it is returned to the ACI leaf switch and routed to the internal Alteon. The internal Alteon encrypts the flow and routes it back to ACI. ACI routes the flow to the HyperFlex servers hosting the application. If the flow fails inspection at any point, it is dropped by the inspecting appliance.

TimelineDescription automatically generated

Figure 6.              Business Use Case 1: Clerk processing a sales order transaction.

 

The second business use case depicted secures remote access for employees accessing an application in the data center. The field engineer is depicted by the blue token is accessing the data center using a VPN connection to submit a work order to the workflow application. The data flows from the Internet enters the Edge zone, where the VPN termination is handled by the Edge. The flow is routed to the distribution switch in the Services zone and then to the Core zone. The path from the core to the application is the same as the business use case 1.

Diagram, timelineDescription automatically generated

Figure 7.              Business Use Case 2: Field Engineer submit a work order

Network Topology

The network topology below illustrates the nodes in the Cisco ACI fabric. The fabric consists of two leaf nodes, two spine nodes and three Application Policy Infrastructure Controllers (APICs). Each leaf node connects to the two spine nodes and each APIC controller connects to the two leaf nodes. The leaf nodes do not direct connect to each other nor do the spine nodes. The leaf nodes act as the connection point for all servers, storage, physical or virtual L4-L7 service devices, and external networks. The spine nodes act as the high-speed forwarding engine between leaf nodes. The Cisco ACI fabric is managed, monitored, and administered by the Cisco APICs. Each node on the network, the Cisco ADC, Cisco Secure Firewall and Fabric Interconnect connects to both leaf nodes with port-channel interfaces. A secure overlay management network is implemented for out of fabric accessibility but is not depicted.

The purple design icons represent the product selected to provide the security capabilities required to protect the business use cases. Solid purple icons represent physical appliances, and the icons with the white background represent virtual appliances or software.

DiagramDescription automatically generated

Figure 8.              Network Topology

 

The table below lists the hardware models and software versions tested.

Component

Model

Version

ACI APICs

APIC-SERVER-L1

apic-5.1(3e)

ACI Spine Switches

N9K-C9504

n9000-15.1(3e)

ACI Leaf Switches

N9K-C93180YC-FX

n9000-15.1(3e)

Cisco Secure ADC Alteon

Alteon D-7612

32.6.3.0

Cisco Secure Firewall Management Center

Firepower Management Center Virtual Appliance VMWare

7.0.0.1-15

Cisco Secure Firewall

Firepower 9300 Security Appliance, one SM-36 Module

7.0.0.1-15

 

Implementation Main Components

Cisco Application Centric Infrastructure (ACI)

Cisco Application Centric Infrastructure (ACI) technology enables the integration of virtual and physical workloads in a programmable, multi-hypervisor fabric to build a multiservice or cloud data center. The Cisco ACI fabric consists of leaf and spine switches that are provisioned as a single entity to provide switching and routing functions. The Cisco ACI fabric consists of discrete components that operate as routers and switches, but it is provisioned and monitored as a single entity.

ACI Endpoint Groups (EPGs) and Contracts

Endpoints are devices that connect to the network directly or indirectly. They can be physical or virtual devices, such as servers, virtual machines, network attached storage, or clients on the internet. Cisco ACI uses Endpoint Groups (EPGs) to group endpoints that have common policy requirements, such as security or Layer 4 to Layer 7 services to simplify the management of security and services.

The fundamental security architecture of the ACI solution follows an allow-list model. A contract is a policy construct used to define communication between EPGs. Without a contract between EPGs, no communication is permitted between the EPGs by default.

EPGs provides and consumes contracts. In the figure below, the “External” EPG consumes the contract the “Services” EPG provides and the “Services” EPG consumes the contract the “WebSrv” EPG provides. An EPG can provide and consume the same contract.

A contract is not required to allow communication between endpoints in the same EPG. In the figure below, communication between EP1 and EP2 or between EP3 and EP4 is permitted without a contract.

A picture containing shapeDescription automatically generated

Figure 9.              Endpoint Groups and Contracts

 

An endpoint can belong to only one EPG. An endpoint can be physical, virtual or a container and can co-exist in the same EPG. Endpoints are assigned to EPGs based on EPG types:

     L3Out EPG - based on the IP subnet (longest prefix match)

     EPG - based on the leaf interface and Virtual LAN (VLAN) ID, or leaf interface and Virtual Extensible LAN (VXLAN)

     uSeg EPG (also called micro-EPG) - based on IP, MAC VM attributes such as VM name, or a combination of IP, MAC, and those attributes

 

ACI Service Graph

Cisco ACI enables the insertion of Layer 4 through Layer 7 (L4-L7) functions using a concept called a service graph. Using the service graph, Cisco ACI can redirect traffic between security zones to a firewall or a load balancer, without the need for the firewall or the load balancer to be the default gateway for the servers.

When inserting a load balancer into the network, it is important to understand the traffic flow. In a typical deployment, incoming and return flow must pass through the same load balancer. When a client sends a request to an application behind a load balancer, the client is sending the request to the load balancer VIP (Virtual IP address). The load balancer forwards the request to the server hosting the application with the client IP address as the source. If the server return flow bypasses the load balancer, the client will drop the traffic because the return flow source IP address (the server) is not the same IP address (load balancer VIP) the client sent the request to. The inbound and return flow are illustrated in the figure below.

DiagramDescription automatically generated

Figure 10.          Cisco ACI Service Graph and PBR

 

Three design options to insert a load balancer into the network are illustrated below. The load balancer is depicted as the Secure ADC in the diagram.

Design 1 is an inline design with the Secure ADC inside interface configured as the default gateway on the servers. All inbound and return traffic between the clients and servers traverses this path, so no SNAT or PBR required.

Design 2 is like design 1 with a router added between the Secure ADC and servers, making a “L3 Sandwich”. In this design, the router is the gateway for servers and removes the requirement for the Secure ADC to be the gateway for the servers. The servers can reside in different subnets. No SNAT or PBR is required.

Design 3 requires SNAT, PBR or Service Graph with PBR to redirect the return traffic to the Secure ADC. The advantage of this design is the flexibility to bypass the Secure ADC for select types of traffic.

Diagram, timelineDescription automatically generated

Figure 11.          Load balancer network design options

 

Refer to the Cisco ACI and Cisco Secure ADC Design Guide for more details on load balancer insertion.

Layer 3 Out (L3Out)

The ACI fabric is formed from multiple components such as bridge domains (BDs) and endpoint groups (EPGs) to provide Layer (L2) connectivity or default gateway functions for a group of endpoints within the fabric. Connecting to networks outside of the ACI fabric requires the configuration of a L3Out. The L3Out provides five key functions:

     Learn external routes via routing protocols (BGP, EIGRP, OSPF, and static routes)

     Distribute learned external routes (or static routes) to other leaf switches

     Advertise ACI internal routes (BD subnets) to outside ACI

     Advertise learned external routes to other L3Outs (Transit Routing)

     Allow traffic to arrive from or be sent to external networks via L3Out by using a contract

Cisco Secure Application Delivery Controller (ADC)

In this implementation, the Cisco Secure ADC has been added to provide application load balancing, SSL interception offloading and application security protection with the web application firewall which are integrated in the Cisco Secure ADC.

Cisco Secure ADC is a combination of hardware platforms and software, which deliver a rich set of application delivery capabilities with unmatched performance. It offers a complete set of Layer 4-7 services to ensure the availability, performance, and security of mission-critical applications on-premises and in cloud data centers. These extend to traffic redirection, content modification, persistency, redundancy, advanced health monitoring, and bandwidth management that optimizes the delivery of mission-critical applications. Cisco Secure ADC is designed to dynamically scale when necessary without hardware modifications. It can scale on demand, adding more throughput, services, and virtual ADC (vADC) instances, or by leveraging an external, scalable resource pool (such as server infrastructure) for compute-intensive NG services.

This document covers the SSL Interception inbound and Web Application Firewall capabilities of the Cisco Secure ADC. The additional capabilities listed below are out of scope of this document:

     SSL Interception outbound

     Application Performance Monitoring (APM)

     FastView Web Performance Optimization (WPO)

     Application Re-write

     Application Caching

     Application Protection

     Global Load Balancing

Refer to the Cisco Secure ADC Alteon Data Sheet for more information.

Cisco Secure Firewall

The Cisco Secure Firewall is an industry-leading intelligent security appliance. It provides threat protection, real-time contextual awareness and full stack visibility. The Cisco Secure Firewall is a highly effective and highly reliable next-generation firewall. Threat protection capabilities can be expanded to include Firepower NGIPS, Advanced Malware Protection (AMP) for Networks and URL Filtering.

The Firepower 4100 and 9300 appliances are designed for large campuses, high-performance data centers and service providers. The appliances can create separate logical firewalls for deployment flexibility, quickly inspect encrypted traffic, gain application visibility, detect and block network intrusions, deploy scalable VPNs, and provide integrated protection against DDoS attacks. The Cisco Secure Firewall can cluster devices for scaling performance and provide high availability.

Refer to the Cisco Secure Firewall product portfolio for more information.

Implementation Description

The Secure Data Center design implements security controls at different points in network to protect the workload. The Cisco Secure ADC Alteon and the Cisco Secure Firewall (Firepower 9300) appliances are examples of these controls. In this implementation, an Alteon is placed in front of the Firepower 9300 to offload the WAF and SSL decryption (SSL inspection (SSLi)) functions. A second Alteon is placed behind the Firepower 9300 to encrypt the traffic before forwarding to the servers. With the offload of those functions, the Firepower 9300 resources are dedicated to the firewall, AVC, file inspection, IPS and Identity based access control. This “sandwich” configuration provides visibility into encrypted traffic with minimal latency by offloading the SSLi function to purpose-built devices.

The Alteons operate in a two zones configuration, an outside zone and an inside zone. Each zone is a defined as a bridge domain and a subnet in ACI. The Firepower 9300 are configured as a high-availability (HA) pair and operates as a one-arm firewall that connects to a dedicated ACI bridge domain and subnet. The server connects to its own ACI bridge domain and subnet. The figure below illustrates the ACI bridge domains and subnets configuration.

The ACI Service Graph and PBR is the method selected to insert the Alteons and Firepower 9300 appliances into the network path. This method eliminates the need for additional routing and bridging configuration in the ACI fabric. It also eliminates the need for SNAT configuration on the Alteon appliance for the return flow.

DiagramDescription automatically generated with medium confidence

Figure 12.          Cisco ACI Service Graph

Traffic Flow through the Sandwich.

1 - The WAN data flow enters the ACI fabric through the L3Out Main from the Core. The flow is routed to the ALT-EXT outside interface.

2 - The ALT-Ext inspects (WAF policies) and decrypts (TLS-Offload) the inbound flow. The unencrypted flow is sent to the Alt-Ext BD gateway.

3 - The ACI fabric redirects the flow to the Firepower.

4 - The Firepower inspects the flow and routes it back to the ACI fabric.

5 - The ACI fabric routes the traffic to the internal Alteon outside interface.

6 - The internal Alteon encrypts the flow and routes it to ACI fabric.

7 - The ACI fabric routes the flow to the servers.

Implementation Steps

Cisco ACI Configuration

This section summaries the configuration of a tenant, the L3Outs, PBRs and the Service Graph.

Prerequisites: An ACI environment with basic configuration, dynamic routing enabled, and network ports configured. Refer to the SAFE Design Guide: Secure Data Center Cisco ACI Multi-Site Reference Design for detailed steps to configure the Cisco ACI environment.

Step 1. Add a tenant named TenantB and create a VRF named VRF-B. The remaining options are left as default.

TableDescription automatically generated

Step 2. Create the following bridge domains in VRF-B; Alt-Ext, Alt-Int, FTD-Data and Web-Srv. Under the L3 Configurations of each domain, config the gateway to route traffic between the bridge domains. L3Out Association is not required for the bridge domains because traffic remain within the ACI fabric.

A picture containing graphical user interfaceDescription automatically generated

Step 3. Create an Application Profile named Web-Services. Under the Web-Services Application profile, create the Application EPGs Alt-Ext, Alt-Int and Web-Srv and associate each to the corresponding bridge domain. The FTD does not required an EPG because traffic is redirected to it using a PBR.

Graphical user interfaceDescription automatically generated

Step 4. The ACI switch is the Area Border Router (ABR) connecting the Open Shortest Path First (OSPF) Area 0 and Area 1. The ACI switch peers with the Core switch and with the Alteons, Alt-Ext and Alt-Int.

DiagramDescription automatically generated

Figure 13.          OSPF Areas

 

Create two L3Outs, one named L3Out-Main to peer with the Core switch and one named L3Out-Alteon to peer with the two ADC Alteons. The L3Out-Alteon is configured with two interfaces, on to peer with ADC Alt-Ext and other to peer with the ADC Alt-Int.

Graphical user interface, textDescription automatically generated

L3Out-Main summary:

     VRF: Tenant-B

     OSPF Area ID: 0

     OSPF Area type: Regular Area

     Interface Type: SVI

     VLAN 1199

     External EPG: ExternalNet

 

L3Out-Alteon summary:

     VRF: Tenant-B

     OSPF Area ID: 1

     OSPF Area type: Stub Area

     Interface Type: SVI – This interface connects to the Alt-Ext

     VLAN 1194

     Interface Type: SVI – This interface connects to the Alt-Int

     VLAN 1192

     External EPG:

 

Step 5. Enable Route Control Enforcement Import on both L3Outs (error when enable only on one router)

Related image, diagram or screenshot

Step 6. Enable Import Route Control on all ext EPGs and export on L3Out-Main

 

Step 7. Configure L3Out-Main to import routes and export the ALT-Ext VIP route. Configure the L3out-Alteon to import the VIP route from each Alteon.

     L3Out-Main: Import route 0.0.0.0/0 (Extranet)

     L3Out-ALT-Ext: Import route10.22.91.11/32 (Alt-Ext) and delete route 0.0.0.0/0

     L3Out-Alt-Int: Import route 10.22.92.11/32 (Alt-Int) and delete route 0.0.0.0/0

A screenshot of a computerDescription automatically generated

Step 8. Create PBR for Alt-Ext, Alt-Int and FTD-Cluster - IP and MAC

Related image, diagram or screenshot

The Outside Alteon:

     Name: Alt-Ext

     MAC: 2C:B6:93:6E:54:00

     IP: 10.16.93.11

The Inside Alteon:

     Name: Alt-Int

     MAC: 2C:B6:93:6E:56:00

     IP: 10.16.91.11

The FTD Cluster:

     Name: FTD-Cluster

     MAC: 00:10:18:00:90:11

     IP: 10.18.90.11

 

 

Step 9. Create Device Firewall (FTD), Outside_LB (Alt-Ext) and Inside-LB (Alt-Int).

Note: The configuration of the ACI ports connected to these devices is not covered in this guide.

Related image, diagram or screenshot

 

Device Firewall Configuration

General

     Managed: No (uncheck box)

     Name: Firewall

     Service Type: Firewall

     Device Type: Physical

     Physical Domain: phys (select the domain specific to your environment)

     Context Aware: Single

     Function Type: Goto

Devices section:

     Name: FTD-Cluster

     Interfaces:

·      Name: One-Arm

·      Path: Select the ACI Leaf port(s) connected to the firewall

Cluster Interfaces section:

     Name: One-Arm

     Concrete Interfaces: FTD-Cluster/[One-Arm]

     Encap: vlan-1199 (enter the vlan specific to your environment)

Related image, diagram or screenshot

Device Outside Alteon Configuration

General

     Managed: No (uncheck box)

     Name: Outside-LB

     Service Type: ADC

     Device Type: Physical

     Physical Domain: phys (select the domain specific to your environment)

     Context Aware: Single

     Function Type: Goto

Devices section:

     Name: Alt-Ext

     Interfaces:

·      Name: Outside

·      Path: Select the ACI Leaf port(s) connected to the Alteon outside interface

·      Name: Inside

·      Path: Select the ACI Leaf port(s) connected to the Alteon inside interface

Cluster Interfaces section:

     Name: Outside

     Concrete Interfaces: Alt-Ext/[Outside]

     Encap: vlan-1194 (enter the vlan specific to your environment)

     Name: Inside

     Concrete Interfaces: Alt-Int/[Inside]

     Encap: vlan-1193 (enter the vlan specific to your environment)

Related image, diagram or screenshot

Device Inside Alteon Configuration

General

     Managed: No (uncheck box)

     Name: Inside-LB

     Service Type: ADC

     Device Type: Physical

     Physical Domain: phys (select the domain specific to your environment)

     Context Aware: Single

     Function Type: Goto

Devices section:

     Name: Alt-Int

     Interfaces:

·      Name: Outside

·      Path: Select the ACI Leaf port(s) connected to the Alteon outside interface

·      Name: Inside

·      Path: Select the ACI Leaf port(s) connected to the Alteon inside interface

Cluster Interfaces section:

     Name: Outside

     Concrete Interfaces: Alt-Ext/[Outside]

     Encap: vlan-1192 (enter the vlan specific to your environment)

     Name: Inside

     Concrete Interfaces: Alt-Int/[Inside]

     Encap: vlan-1191 (enter the vlan specific to your environment)

Related image, diagram or screenshot

 

Step 10.        Create a new Service Graph Template

     Service Graph Name: Services

     Graph Type: New Graph

     Filter After First Node: Allow All – This is for testing only not recommended for production

     Drag the available device from the left pane to the right pane to build the service graph. Start with Alt-Ext, closest to the consumer, follow by the FTDs and Alt-Int

     The Alteons are configured as two-arm devices

     The FTDs are in routed mode

     Enable Route Redirect on all devices

A picture containing graphical user interfaceDescription automatically generated

 

Step 11.        Edit the service graph policy to permit the health check from the Alt-Int to servers – change C4 Direct Connect to “True”

Related image, diagram or screenshot

Step 12.        Deployed Service Graph “Services”

Consumer: L3Out-Main ext EPG: ExternalNet

Provider: BD WebSrv

Contract: Ext-to-WebSrv;

 

Alt-Ext Information:

Contract: TenantB/Ext-To-WebSrv

Graph: TenantB/Services

Node: Alt-Ext

Device Cluster: Outside-LB

Load Balancer: two-arm

Policy-Based Redirect: true

 

Consumer Connector

Type: l3out

L3 Ext Network: TenantB/L3Out-Ateon/Alt-Ext

L3 Destination

(VIP): true

Service EPG

Policy: /

Cluster Interface: Outside

 

Provider Connector

Type: bd

BD: TenantB/Alt-Ext

L3 Destination

(VIP): true

Redirect Policy: svcCont/Alt-Ext

Service EPG

Policy: /

Cluster Interface: Inside

 

FTD Information:

Contract: TenantB/Ext-To-WebSrv

Graph: TenantB/Services

Node: FTD Device

Cluster: Firewall

Firewall: routed

Policy-Based Redirect: true

Consumer Connector Type: bd

BD: TenantB/FTD-Data

L3 Destination (VIP): true

Redirect Policy: svcCont/FTD-Cluster

Service EPG Policy: /

Cluster Interface: One-Arm

Provider Connector Type: bd

BD: TenantB/FTD-Data

L3 Destination (VIP): true

Redirect Policy: svcCont/FTD-Cluster

Service EPG Policy: /

Cluster Interface: One-Arm

 

Alt-Int Information:

Contract: TenantB/Ext-To-WebSrv

Graph: TenantB/Services

Node: Alt-Int

Device Cluster: Inside-LB Load

Balancer: two-arm

Policy-Based Redirect: true

Consumer Connector Type: l3out

L3 Ext Network: TenantB/L3Out-Ateon/Alt-Int L3

Destination (VIP): true

Service EPG Policy: /

Cluster Interface: Outside

Provider Connector

Type: bd

BD: TenantB/Alt-Int

L3 Destination (VIP): true

Redirect Policy: svcCont/Alt-Int

Service EPG Policy: /

Cluster Interface: Inside

Related image, diagram or screenshot

 

External Alteon Configuration

This section covers the following configurations:

     Configure data interfaces

     Create VIP

     Define Server group and health check

     Generate and assign a Self-signed certificate

 

This section covers the configuration of the ALT-Ext Alteon. The ports configuration is illustrated below.

A picture containing diagramDescription automatically generated

Figure 14.          ALT-Ext interface configuration

 

Step 1. Enable interface 7 through 10.

Navigate to Configuration > Network > Physical Ports > Port Settings

     Enable Port: Enable

     Port Settings > VLAN Tagging: Enable

     PVID: Leave as default of 1. When the VLANs are created in step 3, update the ports with the new PVIDs

 

Graphical user interface, application, tableDescription automatically generated

 

Step 2. Create a Link Aggregation Control Protocol (LACP) Group.

The Alteon uses Admin Key to define Link Aggregation Groups (LAG). This step creates two LAGs, the inside LAG with member ports 7 and 8 and the outside LAG with member ports 9 and 10.

Navigate to Configuration > Network > Layer 2 > Port Trunking > LACP Group

     LACP Group:Name: LACP

     LACP Ports: 7 and 8 (inside)

    LACP State: Passive

    Admin Key: 7

     LACP Ports: 9 and 10 (outside)

    LACP State: Passive

    Admin Key: 9

 

Graphical user interface, applicationDescription automatically generated

 

Step 3. Create two VLANs, one for the inside interface and one for the outside interface.

Navigate to Configuration > Network > Layer 2 > VLAN

Inside VLAN

     Enable VLAN

     VLAN ID: 1193

     VLAN Name: Inside

     VLAN Settings: Selected: Port 7 and 8

Outside VLAN

     Enable VLAN

     VLAN ID: 1194

     VLAN Name: Outside

     VLAN Settings: Selected: Port 9 and 10

 

TableDescription automatically generated with low confidence

 

Step 4. Assign ports to the new PVIDs.

Navigate to Configuration > Network > Physical Ports > Port Settings

     Assign ports 7 and 8 to PVID 1193

     Assign ports 9 and 10 to PVID 1194

 

Graphical user interface, application, tableDescription automatically generated

 

Step 5. Configure interface IP addresses. Network > Layer 3 > IP Interfaces

     Inside Interface

    Interface ID: 1

    Description: Inside

    IP Address:  10.16.93.11

    Mask: 255.255.255.0

    VLAN: 1193

     Outside Interface

    Interface ID: 2

    Description: Outside

    IP Address:  10.16.94.11

    Mask: 255.255.255.0

    VLAN: 1194

 

TableDescription automatically generated

 

Step 6. Configure the appliance default gateway.

Navigate to Configuration > Network > Layer 3 > Gateways

     Enable Gateway

     Gateway ID: 1

     IP address: 10.16.94.1

 

A picture containing text, screenshot, indoorDescription automatically generated

 

Step 7. Add static routes to the internal Alteon (ALT-Int) VIP 10.21.90.11/32.

Navigate to Configuration > Network > Layer 3 > Static Routes

     To ALT-Int VIP

    Destination IP: 10.22.90.11

    Mask: 255.255.255.255

    Gateway: 10.16.93.1

     To servers

    Destination IP: 10.18.201.0

    Mask: 255.255.255.0

    Gateway: 10.16.93.1

 

Graphical user interface, text, application, emailDescription automatically generated

 

Step 8. The Alteon outside physical interface (10.16.94.11) and VIP (10.22.92.11) are on different subnets. For traffic to reach the Alteon VIP, a route is required on ACI. OSPF is used in this implementation and enables the Alteon to peer with ACI to advertise the VIP route.

Navigate to Configuration > Network > Layer 3 >Dynamic Routing

Dynamic Routing:

     Router ID: 10.16.94.11

OSPF:

     Enable OSPF

     Areas:

    Enable Area

    Area Number: 2

    Area ID: 0.0.0.1

    Area Type: Stub

     Interfaces:

    Enable Interface

    Interface ID: 2

    Area Number: 1

     Host:

    Enable Host

    Host ID: 1

    IP Address: 10.22.92.11 This is the VIP address to advertise in OSPF.

    Area Number: 1

Switch to Monitoring to view the route table and check for OSPF routes.

Graphical user interface, text, application, emailDescription automatically generated

 

Step 9. Configure server group to monitor. The health check is monitoring the inside Alteon VIPs with a HTTP request.

Navigate to Application Delivery > Server Resources> Server Groups

Real Servers:

     Enable Real Server: Enabled

     Real Server ID: ALT-Int-VIP1

     Server IP Address: 10.22.91.11

Server Groups:

     Server Group ID: Inside-Alteon-Grp

     Real Servers:

    Add the ALT-Int-VIP1 from Available to Selected

     Group Settings:

    Health Check: HTTP

Graphical user interface, applicationDescription automatically generated

 

Step 10.        Create a private (self-signed) certificate. This certificate is used to establish a secure connection between the endpoint and the outside Alteon. In a production environment, using a public certificate is recommended.

Navigate to Application Delivery > SSL

     Enable SSL

     Certificate Repository:

    Add (+) a Certificate

    Certificate ID: ALT-Ext-Cert

    Type: Server Certificate

    Settings:

    Common Name: <server.domain.com>

    Add (+) a Key

    Certificate ID: ALT-Ext-Key

    Type: Key

Graphical user interface, text, application, emailDescription automatically generated

Internal Alteon Configuration

The steps to configure the internal Alteon is similar to the external Alteon with the following exceptions:

     IP addresses and VLANs are IP addresses

     Monitor the web servers

     No self-signed SSL certification is required

Step 1. Enable network interface 7 through 10.

Navigate to Configuration > Network > Physical Ports > Port Settings

     Enable Port: Enable

     Port Settings > VLAN Tagging: Enable

     PVID: Leave as default of 1. When the VLANs are created in step 3, update the ports with the new PVIDs.

Step 2. Create a Link Aggregation Control Protocol (LACP) Group.

Navigate to Network > Layer 2 > Port Trunking > LACP Group

The Alteon uses Admin Key to define Link Aggregation Groups (LAG). This step creates two LAGs, the inside LAG with member ports 7 and 8 and the outside LAG with member ports 9 and 10.

     LACP Group:Name: LACP

     LACP Ports: 7 and 8 (inside)

    LACP State: Passive

    Admin Key: 7

     LACP Ports: 9 and 10 (outside)

    LACP State: Passive

    Admin Key: 9

Step 3. Create two VLANs, one for the inside interface and one for the outside interface.

Navigate to Network > Layer 2 > VLAN

Inside VLAN

     Enable VLAN

     VLAN ID: 1191

     VLAN Name: Inside

     VLAN Settings: Selected: Port 7 and 8

Outside VLAN

     Enable VLAN

     VLAN ID: 1192

     VLAN Name: Outside

     VLAN Settings: Selected: Port 9 and 10

Step 4. Assign ports to the new PVIDs.

Navigate to Network > Physical Ports > Port Settings

     Assign ports 7 and 8 to PVID 1191

     Assign ports 9 and 10 to PVID 1192

Step 5. Configure interface IP addresses.

Navigate to Network > Layer 3 > IP Interfaces

Inside Interface

     Interface ID: 1

     Description: Inside

     IP Address:  10.16.91.11

     Mask: 255.255.255.0

     VLAN: 1191

Outside Interface

     Interface ID: 2

     Description: Outside

     IP Address:  10.16.92.11

     Mask: 255.255.255.0

     VLAN: 1192

Step 6. Configure the appliance default gateway.

Navigate to Configuration > Network > Layer 3 > Gateways

     Enable Gateway

     Gateway ID: 1

     IP address: 10.16.92.1

Step 7. Add static routes to the servers (10.18.201.0/24).

Navigate to Network > Layer 3 > Static Routes

Routes to application servers

     Destination IP: 10.18.201.0

     Mask: 255.255.255.0

     Gateway: 10.16.91.1

Step 8. Dynamic routing is required because the VIP and the outside interface are on diffident subnets. The dynamic routing enables the Alteon to advertise the VIP to the ACI and the WAN. The dynamic routing protocol selected for this implementation is OSPF.

Navigate to Configuration > Network > Layer 3 >Dynamic Routing

Dynamic Routing:

     Router ID: 10.16.92.11

OSPF:

     Enable OSPF

     Areas:

    Enable Area

    Area Number: 2

    Area ID: 0.0.0.1

    Area Type: Stub

     Interfaces:

    Enable Interface

    Interface ID: 2

    Area Number: 1

     Host:

    Enable Host

    Host ID: 1

    IP Address: 10.22.91.11 This is the VIP address to advertise in OSPF.

    Area Number: 1

Switch to Monitoring to view the route table and verify OSPF routes.

Step 9. Configure server group to monitor. The health check is monitoring the inside Alteon VIPs with a HTTP request.

Navigate to Configuration > Application Delivery > Server Resources>

Real Servers:

     Enable Real Server: Enabled

     Real Server ID: ALT-Int-VIP1

     Server IP Address: 10.22.91.11

 

Server Groups:

     Server Group ID: WebSrv

     Real Servers:

    Add the ALT-Int-VIP1 from Available to Selected

     Group Settings:

    Health Check: HTTP

 

Alteon AppWall+ (WAF) Configuration:

Verify that the Alteon appliance is licensed for the AppWall+ feature.

Graphical user interface, applicationDescription automatically generated

Step 10.        Allocate CPU resources to AppWall+

Navigate to Configuration > System > Core Allocation. On the Core Allocation tab, enter 2 for AppWall. Click Submit, Apply and Save.

A message displayed “The change will take effect after the next reboot.

Reboot the system by navigating to System > Reset/Shutdown > Reset and Confirm Reset.

 

Graphical user interface, text, application, emailDescription automatically generated

Step 11.        Enable the AppWall+ Service

Navigate to Configuration > Security > Web Security. On the Web Security tab, select Enable AppWall.

Click Submit, Apply and Save.

Step 12.        Create a Secured Web Application ID

Navigate to Configuration > Security Web > Secured Web Application. Click the + sign. On the Add New Secured Web Application tab, enter the following:

     Enable Secure Web Application: check

     Secure Web Application ID: Payment_ID

     Name: Payment

     AppWall service: Enable

     Operation Mode: Inline

     Click Submit, Apply and Save.

 

Graphical user interface, applicationDescription automatically generated

Step 13.        Assign Secure Application ID to VIP

Navigate to Configuration > Application Delivery > Virtual Services. Under Virtual Services of Selected Virtual Server, select the virtual service. Click the pencil to edit the virtual service. Click the HTTP tab and select Payment_ID for Secure Web Application. Click Submit, Apply and Save.

Graphical user interface, text, applicationDescription automatically generated

 

Graphical user interface, applicationDescription automatically generated

Step 14.        Create an Internal Security Page (Blocked Message)

The internal security page is displayed when unauthorized activity is detected, and the request is blocked. The page message is customizable and includes a case number for further investigation.

1 - Create a folder named SecurityPages and two files named InternalSecurityPage.html and ExternalSecurityPage.asp (not required for the test cases in this implementation). Use a text editor to add the content from Appendix D to each file.

2 - Create a zip of the folder SecurityPages.

3 - Login to the Radware Security Console https://<ADC-Mgmt-IP>/appwall-webui/ (ex. https://10.16.1.104/appwall-webui/) and navigate to Security Policy > <node name> Gateway > Web Applications > <web applications name> > <tunnel name> > <host>.

4 - In the Settings tab, select the Internal Security Page button and click Add Internal Security Page.

Graphical user interface, text, application, emailDescription automatically generated

Step 15.        In the pop-up window, click the Upload Directories and select the zip file created in step 2. From the drop-down menu, select the Directory and Page and click OK.

Graphical user interface, applicationDescription automatically generated

Step 16.        Click Submit, Apply and Save.

Cisco Firepower Management Center (FMC) and Firepower 9300 Configuration

This section summarizes the configuration of the FMC Access Control, Application Visibility and Control, IPS, and File Inspection policies.

Prerequisites:

     A configured installation of FMC with Directory Services integration

     FTDs configured in cluster mode and registered with FMC

Summary of steps:

     Define the network object Payment Application Servers -> ALT-Int-VIP

     Create the Intrusion policy

     Create File Inspection policy

     Select groups AD integration

     Create access control and apply the IPS policy, File Inspection policy, User Identity, Application filter and network objects

Step 1. Create a network object for the VIP

Navigate to Objects > Object Management a click Add Network > Add Object. Enter the information below and click Save.

     Name: ALT-Int-VIP

     Network: Host

     10.22.91.11

Graphical user interface, text, application, emailDescription automatically generated

Step 2. To create an Intrusion Policy, click Policies > Intrusion and Create Policy. In the Create Intrusion Policy popup window, enter the information below and click Save.

     Name: SDC_Intrusion_Policy

     Inspection Mode: Prevention

     Base Policy: Balanced Security and Connectivity

Graphical user interface, text, application, emailDescription automatically generated

To view or edit the policy, click Snort 2 Version. The policy screen displays the number of rules set to Disabled, Alert, Block and Overridden in the policy.

It also provides the ability to search rules by CVE, SID, Reference Info or Rule Message and edit the action for that rule. Details of the threat can be viewed by expanding the rule. For more details on Intrusion Policy and Snort 2, please refer appendix C.

Graphical user interface, text, application, emailDescription automatically generated

Step 3. Create File policy

Navigate to Policies > Malware and File. Click New File Policy and enter the name SDC File Policy and click Save.

     On the Rules tab, click Add Rule

    Application Protocol: HTTP

    Direction: Any

    Action: Block Malware

    Check Spero Analysis for MSEXE and Dynamic Analysis

    File Type Categories: Select all but exclude Multimedia

    Click Add and Save

     Add another rule to Multimedia, click Add Rule

    Application Protocol: HTTP

    Direction: Any

    Action: Block Malware

    Check Spero Analysis for MSEXE and Dynamic Analysis

    File Type Categories: Select Multimedia

    Click Add and Save

Graphical user interface, text, emailDescription automatically generated

Step 4. Identity Policy

Prerequisite: A configured realm

     Navigate to Policies > Identity and click New Policy. In the pop-up window, enter the name SDC Identity Policy and Click Save

     Click the pencil to edit the SDC Identity Policy

     Click Add Rule and enter the following:

    Name: Passive Authentication Rule

    Click Realm and Settings and select the preconfigured realm. Click Add.

Graphical user interface, text, application, emailDescription automatically generated

Step 5. Create an Access Rule

Navigate to Policies > Access Control and click New Policy.

In the pop-up window, enter the following:

     Name: SDC FTD Cluster

     Default Action: Block all traffic

     Target Devices: SDC-FTD-C1 and click Add to Policy

     Click Save

Click the pencil to edit the SDC FTD Cluster policy.  In the pop-up window, enter the following:

     Name: Retail Clerk

     Action: Allow

     Select the Networks tab:

    Networks: Select Branch_Networks and click Add to Source Networks

    Networks: Select ALT-Int-VIP and click Add to Destination.

     Select the Users tab:

    Available Realms: Select the SDC_Realm

    Available User: Select the Sales and click Add to Rule

     Select the Applications tab

    Available Applications: Select HTTP and HTTPS and click Add to Rule

    Available User: Select the Sales and Add to Rule

     Select the Inspection tab

    Intrusion Policy: SDC Intrusion Policy

    File Policy: SDC File Policy

     Select the Logging tab and check the following:

    Log at the Beginning of Connection

    Send Connection Events to Firepower Management Center

     Click Save

 

Repeat the previous steps to create a rule to permit the health check between the Alt-Ext and the Alt-Int

     Name: LB Health Check

     Networks:

    Source: Alt-Ext-Inside_Int

    Destination: Alt-Int-VIP

     Application: HTTP and HTTPS

     Logging: Check the following boxes

    Log at the Beginning of Connection

    Send Connection Events to Firepower Management Center

     Click Save

Graphical user interface, text, application, emailDescription automatically generated

Step 6. Navigate to Deploy > Deployment. Select the SDC-FTD-C1 and click Deploy

Validation Testing

Test Case 1 – Identity Access Control

Network users are visible in FMC through the realm integration with AD. In the following use cases, Ava is the clerk and Bob is the field engineer.

Graphical user interface, text, applicationDescription automatically generated

In this use case, the Hackazon site represents the sales order payment application. The policy in FMC allows members of the Sales group access to the sales site. The clerk is a member of the Sales group in AD and is allowed access to site.

Graphical user interface, websiteDescription automatically generated

The field engineer is not a member of the Sales group and is blocked by the Default Action Access Control of Block all traffic.

Graphical user interface, text, applicationDescription automatically generated

 

The FMC Connect Events log shows the clerk (Ava/10.9.110.101) was allowed to connect to the server and the field engineer (Bob/10.9.110.102) was blocked.

Graphical user interface, text, email, websiteDescription automatically generated

Test Case 2 - File Policy

The clerk attempts to upload a bitmap image which not permitted by policy.

Related image, diagram or screenshot

The upload was blocked.

Graphical user interface, text, application, emailDescription automatically generated

The FMC File Summary log shows the clerk (Ava/10.9.110.101) file upload was blocked by the Secure Firewall.

Graphical user interface, text, application, emailDescription automatically generated

Test Case 3 - Intrusion Prevention

The clerk attempts to upload a text file named Mal-Test.txt.

Graphical user interface, text, applicationDescription automatically generated 

The upload was blocked.

Graphical user interface, text, application, emailDescription automatically generated

The FMC Malware Summary log shows the file upload was blocked due to malware detected.

Graphical user interface, textDescription automatically generated

The threat detected is EICAR in the Mal-Test.txt.

Graphical user interface, text, applicationDescription automatically generated

Test Case 4 – Web Application Firewall

In this test case, a simple SQL injection is used to demonstrate the ADC WAF capability. The string ‘ OR 1=1 is entered as the username in an attempt to retrieve the complete list users from system.

Graphical user interface, applicationDescription automatically generated

The SQL injection attempt is detected and blocked by the Secure ADC. A case number is provided for further investigation.

Graphical user interface, text, application, email, TeamsDescription automatically generated

To review the case number, open a web browser and go to https://<SDC Management IP>/appwall-webui/. Navigate to Forensics > <node_va> Gateway > Security > Default View. Use the filter to search for the case number. Select the case in the right pane to view the case details such as which rule blocked the connection, the URI, parameter and parameter value.

Graphical user interface, application, tableDescription automatically generated

Appendix

Appendix A - Licensing

The following product licenses were used for the solution validation testing.

Alteon - Global, IP, SSL Inspection, AppWall+

APIC - Smart License: ACI_LEAF_BASE_10G

FMC – Smart License: FMCv, Base, Malware, Threat, URL Filtering, Secure Endpoint account

Appendix B - Acronyms

Acronym

Definition

ACL

Access Control List

ADC

Application Delivery Controller

AMP

Advanced Malware Protection

AMP4E

Advanced Malware Protection for Endpoints

ACI

ACI – Application Centric Infrastructure

APIC

Application Policy Infrastructure Controller

BD

Bridge Domain

EP

Endpoint

EPG

Endpoint Group

FDM

Firepower Device Manager

FMC

Firepower Management Center

FTD

Firepower Threat Defense

LACP

Link Aggregation Control Protocol

NGIPS

Next Generation Intrusion Prevention System

OSPF

Open Shortest Path First

PBR

Police Based Routing

PIN

Place in network

SNAT

Source Network Address Translation

TLS

Transport Layer Security

VIP

Virtual IP

 

Appendix C - References

Cisco SAFE

Cisco SAFE Main Site. Includes Overview, Architecture and Design Guides, Related Resources, and Toolkits

Cisco ACI

Cisco APIC product page. Includes Release Notes, Configuration Guides, Technotes, Installation and Upgrade guides.

Cisco Application Centric Infrastructure Policy-Based Redirect Service Graph Design White Paper

Service Graph Design with Cisco ACI (Updated to Cisco APIC Release 5.2) White Paper

ACI Fabric L3Out Guide

Cisco Secure ADC

Cisco Secure ADC: Alteon® Application Delivery Controller (ADC) Data Sheet

Cisco ACI and Cisco Secure ADC Design Guide

Cisco Secure Firewall

Cisco Firepower 9300 product page

Cisco Firepower Management Center documentations

Firepower Management Center

FMC Configuration Guide: Section File Polices and Advance Malware Protection

Appendix D – ADC Security Pages (Blocked Message)

Note:       Replace your@email.address with your notification email address when you create these files below.

The following is the content of the InternalSecurityPage.html file.

<HTML>

        <HEAD>

             <TITLE>Unauthorized Request Blocked</TITLE>

             <META HTTP-EQUIV="Content-Type" Content="text/html; charset=UTF-8">

             <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />

             <meta http-equiv="Pragma" content="no-cache" />

             <meta http-equiv="Expires" content="0" />

        </HEAD>

<BODY>

<BR>

<TABLE align=center cellpadding="0" cellspacing="0" border="0">

        <TR>

        </TR>

</TABLE>

<BR>

<TABLE width="700" align=center cellpadding="0" cellspacing="0" border="0">

    <TR>

             <TD width="60" align="left" valign="top" rowspan="3"></TD>

             <TD id="mainTitleAlign" valign="middle" align="left" width="*">

                    <H1>Unauthorized Activity Has Been Detected</H1>

             </TD>

        </TR>

        <TR><TD>&nbsp;</TD></TR>

        <TR><TD><DIV class="divider"></DIV><BR><BR></TD></TR>

        <TR><TD></TD>

            <TD>

<H3>You are seeing this page because we have detected unauthorized activity. If you think this was an error, please email our website security team with the following case number as the subject:

<script language="javascript"> if (window._event_transid !== undefined) document.write('<a href="mailto:your@email.address?Subject=Security Page - Case Number ' + window._event_transid + '&body=Case Description:">your@email.address</a>');else document.write('<a href="mailto:your@email.address?Subject=Security Page - Case Number N/A&body=Case Description:">your@email.address</a>'); </script>

<P>

<table border="0">

        <tr>

<td>Case Number:</td>

        <td><script language="javascript">if (window._event_transid !== undefined) document.write(window._event_transid);</script></td>                       

</tr>

        </table>

        </H3><BR><BR>

        </TD>

        </TR>

</TABLE>

</BODY>

<STYLE>

        body

        {

        font-family: "Segoe UI", "verdana" , "Arial";

        background-repeat: repeat-x;

        margin-top: 20px;

        margin-left: 20px;

        }

        h1

        {

        <!-- color: #FF0000;

        color2: #4465A2; -->

        font-size: 1.8em;

        font-weight: normal;

        vertical-align:bottom;

        margin-top: 7px;

        margin-bottom: 4px;

        }

 

h2 /* used for Heading in Main Body */

        {

        font-size: 0.9em;

        font-weight: normal;

        margin-top: 20px;

        margin-bottom: 1px;

        }

h3 /* used for text in main body */

        {

        font-size: 0.9em;

        font-weight: normal;

        margin-top: 10px;

        margin-bottom: 1px;

        }

.divider

        {

        border-bottom: #B6BCC6 1px solid;

        }

</STYLE>

</HTML>

The following is the content of the ExternalSecurityPage.asp file.

<%

'Response.CacheControl = "no-cache"

'Response.AddHeader "Pragma", "no-cache"

Response.Expires = -1

%>

<HTML>

        <HEAD>

<TITLE>Unauthorized Request Blocked</TITLE>

        </HEAD>

        <BODY>

        <BR><BR><BR>

        <TABLE width="700" align=center cellpadding="0" cellspacing="0" border="0">

        <TR>

        <TD width="60" align="left" valign="top" rowspan="3">

        <IMG src="/SecurityPage/Company_Logo.png">

        </TD>

<TD id="mainTitleAlign" valign="middle" align="left" width="*">

<H1>Unauthorized Activity Has Been Detected</H1>

</TD>

</TR>

<TR>

<TD>

&nbsp;

</TD>

</TR>

<TR>

<TD>

<DIV class="divider"></DIV>

<BR>

<BR>

</TD>

</TR>

<TR>

<TD>

</TD>

<TD>

<H3>

                          You are seeing this page because we have detected unauthorized activity. If you think this was an error, please email our website security team

        <a href="mailto:your@email.address?subject=Security Page - Case Number <%=Request.QueryString("_event_transid")%>&body=Case Description:">your@email.address</a>

with the following case number as the subject: <%=Request.QueryString("_event_transid")%>.

<P>

<table border="0">

<tr>

<td>Case Number:</td>

<td><%=Request.QueryString("_event_transid")%> </td>

</tr>

<tr>

<td>Your IP Address:</td>

<td><%=Request.QueryString("_event_clientip")%></td>

</tr>

<tr>

<td>Your Port Number:</td>

<td><%=Request.QueryString("_event_clientport")%></td>

</tr>

<tr>

<td>Attack Name:</td>

<td><%=Request.QueryString("_event_attackname")%></td>

</tr>

<tr>

<td>Threat Category:</td>

<td><%=Request.QueryString("_event_threatcategory")%></td>

</tr>

</tr>

</table>

</H3>

<BR>

<BR>

</TD>

</TR>

<TR>

</TD>

</TR>

</TABLE>

        </BODY>

        <STYLE>

body

{

font-family: "Segoe UI", "verdana" , "Arial";

background-image: url(/SecurityPage/background_gradient_red.jpg);

background-repeat: repeat-x;

margin-top: 20px;

margin-left: 20px;

}

 

h1

{

color: #FF0000;

color2: #4465A2;

font-size: 1.8em;

font-weight: normal;

vertical-align:bottom;

margin-top: 7px;

margin-bottom: 4px;

}

 

h2 /* used for Heading in Main Body */

{

font-size: 0.9em;

font-weight: normal;

margin-top: 20px;

margin-bottom: 1px;

}

 

h3 /* used for text in main body */

font-size: 0.9em;

font-weight: normal;

margin-top: 10px;

margin-bottom: 1px;

}

.divider

{

border-bottom: #B6BCC6 1px solid;

}

</STYLE>

</HTML>

Appendix E – Configuration Files on Github

The configuration files for the ACI Tenent-B and both Alteons are on Github.

https://github.com/cisco-security/Cisco-Validated-Designs/tree/master/safe-datacenter/ACI-ADC

 

Appendix F - Feedback

If you have feedback on this design guide or any of the Cisco Security design guides, please send an email to ask-security-cvd@cisco.com

Learn more