HM Multiservice: Advanced Security with Application Assurance Firewall

The 7705 Service Aggregation Router High-density Multiservice (HM) platform offers robust security features through its integrated Application Assurance (AA) firewall. This stateful firewall provides enhanced protection against malicious attacks by extending the Layer 3 and Layer 4 packet analysis capabilities of the AA Integrated Service Adapter (ISA). By monitoring each session’s state, the AA firewall gives operators granular control over network security. This functionality is crucial for HM Multiservice deployments where safeguarding network traffic is paramount.

Stateful Inspection for Enhanced Security in HM Multiservice

Unlike traditional firewalls that only examine packet headers, the AA stateful firewall in HM Multiservice tracks the entire connection state. This allows it to identify malicious packets that might otherwise slip through. If a “deny” action is configured within a session filter, matching packets are dropped without creating any flow session state. This proactive approach prevents the establishment of potentially harmful connections. This comprehensive inspection is vital for HM Multiservice environments handling sensitive data.
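
The behaviour described above can be modelled in a few lines of Python. This is an added illustration, not Nokia's implementation or SR OS configuration: the Entry and SessionFilter names, first-match evaluation, the default deny action and the sample addresses are assumptions made for the model.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Entry:
    """Simplified session-filter entry: match on protocol and destination port."""
    protocol: str
    dst_port: int
    action: str  # "permit" or "deny"

@dataclass
class SessionFilter:
    entries: list
    default_action: str = "deny"             # assumption made for this model
    flows: set = field(default_factory=set)  # flow session state table

    def process(self, protocol, src, sport, dst, dport):
        """Return (verdict, reason) for one packet."""
        key = (protocol, src, sport, dst, dport)
        reverse = (protocol, dst, dport, src, sport)
        # Stateful step: packets of a session that was already permitted pass
        # in either direction without being matched against the entries again.
        if key in self.flows or reverse in self.flows:
            return "forward", "existing-flow"
        # No state yet: treat the packet as a session opener, first match wins.
        action, reason = self.default_action, "default"
        for number, entry in enumerate(self.entries, start=1):
            if (entry.protocol, entry.dst_port) == (protocol, dport):
                action, reason = entry.action, f"entry-{number}"
                break
        if action == "permit":
            self.flows.add(key)               # state is created only on permit
            return "forward", reason
        return "drop", reason                 # deny: dropped, no state created

if __name__ == "__main__":
    fw = SessionFilter([Entry("tcp", 23, "deny"), Entry("tcp", 443, "permit")])
    client, server = "192.0.2.10", "198.51.100.7"   # constructed sample addresses
    packets = [
        ("tcp", server, 443, client, 50000),  # "reply" with no session behind it
        ("tcp", client, 50001, server, 23),   # matches the deny entry
        ("tcp", client, 50000, server, 443),  # matches the permit entry
        ("tcp", server, 443, client, 50000),  # same reply, now part of a flow
    ]
    for pkt in packets:
        print(pkt, fw.process(*pkt), "flows:", len(fw.flows))
```

The first and last packets carry identical headers; only the session state decides that one is dropped and the other forwarded, which a header-only filter cannot distinguish.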

Supported SAP Types for AA Firewall in HM Multiservice

The AA firewall functionality within HM Multiservice is available on several Service Access Point (SAP) types:

  • VLLs (Epipes): Virtual Leased Lines provide point-to-point connections.
  • VPLS: Virtual Private LAN Services enable multipoint-to-multipoint connectivity.
  • IES/VPRN Interfaces: Internet Enhanced Services and Virtual Private Routed Networks offer secure and scalable VPN solutions.

Note: While the HM Multiservice AA firewall performs deep packet inspection at Layer 4 and below, application-level inspection above Layer 4 is not currently supported.

Configuring AA Firewall in HM Multiservice: Key Components

The 7450 ESS, 7750 SR, and VSR Multiservice ISA and ESA Guide provides detailed information on configuring the AA firewall. Key areas include:

  • AA Overview: Understanding the fundamental concepts of Application Assurance, including inline policy enforcement and the stateful firewall service.
  • AA System Architecture: This section delves into the AA ISA resource configuration, including ISA groups and packet processing mechanisms such as traffic diversion, identification, statistics, accounting, and AQP (Adaptive Queueing and Policing). It specifically addresses the role of the AA firewall within the system.
  • Service Monitoring and Debugging: This section covers how to monitor firewall statistics and utilize debugging tools for troubleshooting.
  • Configuring AA with CLI: Step-by-step instructions for using the Command Line Interface to configure various aspects of the AA firewall, including ISA groups, group policies, session filters, application groups, policers, and application QoS policies.

Enabling the AA firewall involves assigning an application profile to the desired SAP. This activates the firewall for all traffic to and from that specific SAP. Configuration commands vary depending on the SAP type (VLL, VPLS, IES, or VPRN).

HM Multiservice AA Firewall: Traffic Diversion and CLI Examples

Figure 1: AA FW Datapath

The diagram above illustrates how traffic is filtered and diverted to the AA ISA for inspection. This process applies to both bridged and routed configurations within HM Multiservice.

Subsequent sections provide detailed CLI examples for configuring ISA parameters, application assurance settings, application assurance group configurations, and service configurations for Epipes and VPRNs with the “aa_firewall” application profile enabled. These examples demonstrate the flexibility and granular control offered by the HM Multiservice AA firewall.

Enabling AA Firewall Event Logging in HM Multiservice

The provided CLI output showcases how to configure event logging for the AA firewall within an Epipe service on HM Multiservice. This allows administrators to track and analyze firewall activity for enhanced security monitoring.

This comprehensive overview highlights the key features and configuration aspects of the HM Multiservice AA Firewall, demonstrating its crucial role in securing network infrastructure.
