Saturday, May 30, 2015

Security Levels in Cisco ASA

ASA security levels define how traffic initiated from one interface is processed. When no access-list is applied to any interface, traffic from a higher security level interface to a lower security level interface needs no access-list, but traffic the other way around, from a lower security level to a higher one, is not allowed unless we configure an access-list that permits it.

The higher the security level, the more trusted the interface is. Each interface on the ASA is a security zone so by using these security levels we have different trust levels for our security zones.

You can manually assign a security level to an interface with the interface command “security-level <level>”.

Here are a couple of examples of security levels:

•  Security level 0: This is the lowest security level on the ASA and by default it is assigned to the “outside” interface. Since there is no lower security level this means that traffic from the outside is unable to reach any of our interfaces unless we permit it within an access-list.

•  Security level 100: This is the highest security level on our ASA and by default this is assigned to the “inside” interface (LAN). Since this is the highest security level, by default it can reach all the other interfaces.

•  Security level 1 – 99: We can create any other security levels that we want, for example we can use security level 50 for our DMZ. This means that traffic is allowed from our inside network to the DMZ (security level 100 -> 50) and also from the DMZ to the outside (security level 50 -> 0). Traffic from the DMZ however can’t go to the inside (without an access-list) because traffic from security level 50 is not allowed to reach security level 100. You can create as many security levels as you want…

•  Same Security level: Traffic between interfaces with the same security level is not allowed. For example, if you have an interface called “DMZ1” with security level 50 and another one called “DMZ2” with the same security level 50 then traffic between the two will be dropped. You can change this behavior with the global command "same-security-traffic permit inter-interface".
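To make the rules above concrete, here is an added example (not Cisco code and not from the original post) that simulates the ASA forwarding decision for the three-zone inside/DMZ/outside design described above, plus a second DMZ at the same level to show the equal-level case. It goes slightly beyond the text in one respect: it models what happens once an access-list is applied on an interface, where the access-list, with its implicit deny at the end, replaces the default level-based rule for traffic entering that interface. The interface names, port names, networks and addresses are constructed for the demonstration, and `render_config` emits the matching ASA configuration lines so the simulated policy can be compared with a real configuration.

```python
"""Simulation of the Cisco ASA security-level forwarding rules.

Added example, not Cisco code: it models the default rules (high -> low
permitted, low -> high denied without an access-list, equal levels dropped
unless "same-security-traffic permit inter-interface" is configured) and how
an applied access-list replaces the implicit rule. Interface names, networks
and addresses are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Network = ipaddress.IPv4Network


@dataclass
class Interface:
    port: str                 # physical port, e.g. GigabitEthernet0/0 (constructed)
    name: str                 # the "nameif" of the interface
    security_level: int       # 0 = least trusted ... 100 = most trusted
    network: Network          # subnet behind the interface; the ASA takes the first host address
    # Access-list applied inbound ("in") on this interface as (action, destination
    # network) entries. None means no access-list, so the level-based rule applies.
    access_list: Optional[list[tuple[str, Network]]] = None


@dataclass
class Asa:
    interfaces: list[Interface]
    # Equivalent of the global command "same-security-traffic permit inter-interface".
    same_security_inter_interface: bool = False

    def interface_for(self, ip: str) -> Interface:
        addr = ipaddress.ip_address(ip)
        for iface in self.interfaces:
            if addr in iface.network:
                return iface
        raise ValueError(f"no interface is connected to {ip}")

    def decide(self, src_ip: str, dst_ip: str) -> tuple[bool, str]:
        """Return (permitted, reason) for a new connection from src_ip to dst_ip."""
        ingress = self.interface_for(src_ip)
        egress = self.interface_for(dst_ip)
        if ingress is egress:
            raise ValueError("hairpin traffic on one interface is outside this model")
        lvl = f"{ingress.name}({ingress.security_level}) -> {egress.name}({egress.security_level})"
        # 1. Equal levels are dropped unless the global command is configured.
        if ingress.security_level == egress.security_level and not self.same_security_inter_interface:
            return False, f"{lvl}: same security level, dropped by default"
        # 2. An access-list applied on the ingress interface replaces the implicit
        #    rule for that interface and ends with an implicit deny.
        if ingress.access_list is not None:
            dst = ipaddress.ip_address(dst_ip)
            for action, network in ingress.access_list:
                if dst in network:
                    return action == "permit", f"{lvl}: access-list {action} {network}"
            return False, f"{lvl}: access-list applied, no match, implicit deny"
        # 3. No access-list: higher (or, with the command above, equal) to lower
        #    is permitted implicitly; lower to higher is not.
        if ingress.security_level >= egress.security_level:
            return True, f"{lvl}: implicit permit"
        return False, f"{lvl}: lower to higher level needs an access-list"

    def render_config(self) -> str:
        """Emit the ASA configuration lines that correspond to this model."""
        lines = []
        for iface in self.interfaces:
            asa_addr = iface.network[1]  # first usable host address, constructed choice
            lines += [f"interface {iface.port}",
                      f" nameif {iface.name}",
                      f" security-level {iface.security_level}",
                      f" ip address {asa_addr} {iface.network.netmask}"]
            if iface.access_list is not None:
                acl = f"{iface.name.upper()}_IN"  # constructed access-list name
                for action, network in iface.access_list:
                    lines.append(f"access-list {acl} extended {action} ip any "
                                 f"{network.network_address} {network.netmask}")
                lines.append(f"access-group {acl} in interface {iface.name}")
        if self.same_security_inter_interface:
            lines.append("same-security-traffic permit inter-interface")
        return "\n".join(lines)


def sample_asa(outside_acl: bool = False, same_security: bool = False) -> Asa:
    """Constructed three-zone ASA (inside 100, dmz 50, outside 0) plus a second DMZ."""
    acl = [("permit", Network("192.0.2.0/24"))] if outside_acl else None
    return Asa(
        interfaces=[
            Interface("GigabitEthernet0/0", "outside", 0, Network("203.0.113.0/24"), acl),
            Interface("GigabitEthernet0/1", "inside", 100, Network("10.0.0.0/24")),
            Interface("GigabitEthernet0/2", "dmz", 50, Network("192.0.2.0/24")),
            Interface("GigabitEthernet0/3", "dmz2", 50, Network("198.51.100.0/24")),
        ],
        same_security_inter_interface=same_security,
    )


if __name__ == "__main__":
    asa = sample_asa(outside_acl=True)
    for src, dst in [("10.0.0.10", "192.0.2.10"), ("192.0.2.10", "203.0.113.5"),
                     ("192.0.2.10", "10.0.0.10"), ("203.0.113.5", "192.0.2.10"),
                     ("203.0.113.5", "10.0.0.10"), ("192.0.2.10", "198.51.100.10")]:
        ok, why = asa.decide(src, dst)
        print("PERMIT" if ok else "DENY  ", src, "->", dst, "|", why)
    print(asa.render_config())
```

Running the script shows inside to DMZ and DMZ to outside permitted implicitly, DMZ to inside denied, outside to DMZ permitted only because of the applied access-list, outside to inside still denied by that access-list's implicit deny, and DMZ to DMZ2 dropped until the same-security-traffic command is set.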



5 comments:

  1. It’s very informative and you are obviously very knowledgeable in this area. You have opened my eyes to varying views on this topic with interesting and solid content. security company
  2. Your content is very impressive and thanks for sharing this article. it’s very useful.
    Really this is a very useful blog.
    servicenow demo