Saturday, September 18, 2010

The Modern Firewall

The firewall landscape is fairly cluttered these days. To make things more confusing, most devices in this class offer a very similar feature set. The most common features people look for in a firewall are dynamic NAT, static NAT, firewall rules, site-to-site VPNs and VPN server functionality. Almost every firewall vendor offers these features, which leads most network admins to buy the cheapest device on the assumption that they are all the same.

For some people, this strategy works. But I would argue that these people are most likely running networks that are extremely small, with very few applications and minimal bandwidth, and that generally use the firewall only to reach the internet. I won't address those networks here. For the rest of us running modern networks of under 250 users, the requirements for the internet edge device (the firewall) have changed to include the following:

  • Clientless VPNs: Sometimes referred to as SSL VPNs, these let users connect securely from anywhere outside the network to reach their applications, using a web browser rather than an installed VPN client.
  • Advanced Authentication: As networks have grown, it is no longer effective or secure to keep local user accounts on devices. Users must be authenticated centrally, and the best way is to authenticate against Active Directory (assuming you are running an A.D. domain). I can't tell you how many times I've looked at network devices only to find user accounts that nobody could identify.
  • Advanced application inspection: Applications have become more complex. SIP, the protocol used for voice and video signalling, needs more than standard NAT translation to work. SIP carries network addresses inside the data portion of the packet (in its Via and Contact headers and in the SDP body that describes the media stream), so when the packet passes through the firewall and NAT rewrites only the IP header, the application at the remote end still sees the private address and the call breaks. Firewalls need to be able to see past the packet headers, translate those embedded addresses as well, and open the negotiated RTP ports for the duration of the call.
  • Malware prevention: Everybody (anyone with any sense) runs anti-virus on their desktops, but we have seen that this doesn't stop everything. We tend to blame the anti-virus products, but it's not all their fault: malware has become very complex and can circumvent many detection mechanisms. Obviously we need an effective product that balances usability and protection, but I don't think that is the complete solution, and I don't think deploying additional software on workstations is effective either, as it makes management complex and depends on every workstation having all of those applications running and updated. What happens if you need to shut the software down for some reason, or if you deploy a new PC that hasn't been updated yet? You are exposed! Today's firewalls need the ability to do some malware detection/prevention at the edge.
  • Guest user access: Everyone has clients that need internet access. Most people just give them the key to the network, expecting that they will only use the internet. You have also just handed them the keys to the front door. Networks have to support secured logical partitions that let guests reach the internet without access to any corporate resources.
  • Mobility support…
    • Devices configured with DNS names to access applications often break when they connect from the LAN side, inside the firewall, because the public name resolves to the firewall's public address rather than the server's internal one. Almost every mobile phone today has WiFi, and I have read articles predicting that the mobile phone will become the primary device for accessing the internet in a very short time. Users will want to use their applications on their devices even when inside the network, and they are going to expect even better reliability and performance.
    • Remote phones: With the increase in VoIP deployments (they will become the standard in the very near future), users will expect to be able to take their phone anywhere, plug it in and have it work just as if they were in the office.
  • Availability: Internet access is more important to business and bandwidth is cheaper, so redundant internet access is now affordable even for small businesses. I see a lot of bonded T1s backed up by cable/DSL. Firewalls need to fail over between the links automatically, with no IT intervention.
  • Management & Monitoring: With the increased emphasis on the internet, network admins need to be able to manage the firewall easily and see what is going on in it for troubleshooting, capacity planning and security. Some networks will need to capture all logs/events at the internet edge for compliance reasons, depending on the industry.
  • Throughput! We have seen steady increases in internet bandwidth, both because of the need for B2B applications and because of the generally lower cost of bandwidth. This trend will continue, at least in the short term. Firewalls will need to keep running all of the same services at the higher rates.
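Two of the requirements above, central authentication and SIP inspection, are the ones I most often find misconfigured, so here is how they look on an ASA. This is an added example for this post, not configuration from the original article or from Cisco documentation; it uses 8.2-era syntax, and the AD server address, the example.local domain, the bind account, the tunnel-group and the interface names are all assumptions.

```cisco
! Added example (not from the original post). ASA 8.2-era syntax; the AD server,
! domain, bind account and interface names below are assumptions.

! ---- Central authentication against Active Directory ----
! The ASA authenticates users with a plain LDAP simple bind, so use LDAPS (tcp/636)
! or the user passwords cross the inside network in clear text.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.5
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn dc=example,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=local
 ldap-login-password <bind-password>
 server-type microsoft
!
! Device administration also goes to AD, with the LOCAL database only as a
! fallback for when the directory is unreachable. Keep exactly one local admin
! account for that case; no other local users should exist.
aaa authentication ssh console AD-LDAP LOCAL
aaa authentication http console AD-LDAP LOCAL
!
! ---- Clientless SSL VPN on the outside interface, authenticated by AD ----
webvpn
 enable outside
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AD-LDAP
!
! Check the bind and a real login before depending on it:
!   test aaa-server authentication AD-LDAP host 10.0.0.5 username jdoe password <pw>
!
! ---- SIP application inspection ----
! "inspect sip" rewrites the private addresses SIP embeds in its Via/Contact
! headers and in the SDP media description, and opens the negotiated RTP ports
! only for the life of the call. It is in the default global policy on a fresh
! install; confirm it is still there if the policy has been edited.
policy-map global_policy
 class inspection_default
  inspect sip
service-policy global_policy global
!
! Confirm it is active and watch the counters during a test call:
!   show service-policy inspect sip
```

Two caveats worth checking: the LOCAL fallback is deliberately last in the list, so it is only consulted when the directory is unreachable, not when a login simply fails, which stops a stale local account being used while AD is up; and SIP inspection only helps for SIP it can parse, so SIP on non-standard ports needs its own class-map in the policy, and SIP over TLS passes through with no address rewriting at all.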

As I mentioned before, there are many vendors out there with products that support all or most of these requirements. I have heard that Juniper has a very solid product and that Sonicwall has improved, but I will focus on Cisco here. The PIX firewall appliance, the predecessor of the ASA, was a solid firewall that offered tremendous reliability and consistent performance, but I was never really impressed with it as having much in the way of "bells and whistles". The ASA 5500 series has changed that. It is an impressive appliance that is very well thought out from a hardware and software design perspective. Software configuration and management are consistent across all the models and much closer to IOS, making management that much easier for the Cisco admins out there. Combined with, in my opinion, one of the best support programs in the industry, providing true 24x7 support, this device is very compelling and can easily justify an upgrade.

On the hardware side, the 5505 comes with 8 switch ports, 2 of which are PoE capable; these would be used for access points or phones. The device supports VLANs, and the switch ports can be configured as access ports or trunks. Guest VLANs can be configured for wired ports, and when used with Cisco access points you can create a second wireless network for guest access on the same access point as your production network. The 5505 has an expansion slot that currently supports an Intrusion Prevention (IPS) module for inline attack prevention. Cisco also offers a licensable feature, the Botnet Traffic Filter, that snoops DNS replies, matches them against a Cisco-maintained database of known malware sites, and can block traffic to those sites through the firewall. Between these two features you can provide a fair amount of security at the network edge. One or more ports can be configured for redundant WAN connections.
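The three 5505 features just described (the guest partition from the requirements list, the Botnet Traffic Filter, and a cable/DSL backup link that the ASA switches to by itself, which is the "no IT intervention" availability requirement above) look like this in configuration. This is an added example for this post, not configuration from the original article; it uses 8.2-era NAT syntax and assumes the Security Plus license, which allows more than three VLANs and trunk ports on the 5505. The VLAN numbers, addresses, resolver and ISP gateways are made up.

```cisco
! Added example (not from the original post). ASA 5505, 8.2-era NAT syntax.
! Assumes the Security Plus license (more than three VLANs, trunk ports).
! All addresses, VLAN numbers, the resolver and the ISP gateways are made up.

! ---- Guest partition ----
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Vlan3
 no forward interface Vlan1
 nameif guest
 security-level 10
 ip address 192.168.3.1 255.255.255.0
! "no forward interface Vlan1" stops guests initiating traffic to the inside VLAN.
! On the Base license it is mandatory for the third VLAN anyway.
!
! A wired guest port, and a trunk to a Cisco AP carrying both the production
! and guest SSIDs (trunk ports need the Security Plus license).
interface Ethernet0/5
 switchport access vlan 3
interface Ethernet0/6
 switchport mode trunk
 switchport trunk allowed vlan 1,3
!
! Guests get addresses and a public resolver, never the internal DNS server.
dhcpd address 192.168.3.10-192.168.3.100 guest
dhcpd dns 203.0.113.53 interface guest
dhcpd enable guest
!
! Belt and braces: an explicit ACL denies guest traffic to all RFC 1918 space
! (which covers inside and any site-to-site VPN networks), then allows the internet.
access-list GUEST_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list GUEST_IN extended deny ip any 172.16.0.0 255.240.0.0
access-list GUEST_IN extended deny ip any 192.168.0.0 255.255.0.0
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface guest

! ---- Botnet Traffic Filter ----
! The updater client needs working DNS and outbound HTTPS from the ASA itself.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 203.0.113.53
dynamic-filter updater-client enable
dynamic-filter use-database
! Snoop DNS replies so the domain names in the database can be matched to the
! addresses clients actually connect to.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop
! Classify flows on the outside interface, then actually drop blacklisted ones.
! "dynamic-filter enable" by itself only logs (syslog 338xxx); nothing is blocked
! until the "drop blacklist" line is present.
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside

! ---- Redundant WAN: cable/DSL backup behind the primary link ----
interface Vlan4
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface Ethernet0/1
 switchport access vlan 4
! Probe something beyond the primary ISP's gateway (here the resolver), because
! the gateway can answer pings while the link behind it is dead.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.53 interface outside
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
! The primary default route is withdrawn when track 1 fails and the floating
! route (metric 254) takes over; it returns on its own when the probe recovers.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
! NAT has to exist on both egress interfaces or traffic leaves untranslated
! after a failover. Existing connections do not survive the switch.
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0
! Verify: show track 1, show route, then pull the primary cable and watch both.
```

The two things to test rather than assume are that the Botnet Traffic Filter is actually dropping (look for the 338xxx drop messages, not just the classification ones) and that the backup route carries NAT; a failover that leaves inside traffic un-translated on the backup interface looks exactly like an outage.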

The 5510 supports 4 physical interfaces. In contrast to the 5505 these are not switch ports but separate routed interfaces, each of which can be assigned an IP address. That is great for datacenters, shared hosting environments, handling redundant WAN connections or providing transparent firewall services. Optionally, 2 of the ports can be upgraded to gigabit through a license upgrade. There is also a separate management port if required. The device also has an SSM slot that supports modules providing Content Security (web and AV) or IPS services.

If you have a CallManager/CallManager Express voice platform, you can leverage the Phone Proxy license to let phones register with the CallManager securely from the internet without setting up any special VPNs. This is huge, both for users and for admins. The same applies to the SSL VPNs. Mobility is further enhanced by DNS rewriting: the ASA translates the public addresses in DNS replies for public names into the servers' private IP addresses for clients on the inside, so the switch from 3G to WiFi is seamless and applications don't break. SIP trunks will work from any application, PBX or video conferencing system.
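The DNS rewriting mentioned above (Cisco calls it DNS doctoring) is a one-word addition to the static NAT for the server. This is an added example, not configuration from the original post; the server addresses and hostname are assumptions, and the Phone Proxy's own TLS-proxy and CTL-file configuration is deliberately not shown.

```cisco
! Added example (not from the original post); 8.2-era syntax, made-up addresses.
! Public DNS answers mail.example.com -> 203.0.113.10, but the server is 10.0.0.10.
! Without rewriting, an inside client that resolves the public name gets
! 203.0.113.10 and tries to reach its own firewall's outside address, which fails.
! The "dns" keyword makes the ASA rewrite the A record in DNS replies that pass
! through it from outside to inside, so inside clients are handed 10.0.0.10.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 dns
!
! DNS inspection must be enabled for the rewrite to happen (it is in the default policy).
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! Verify from an inside host: nslookup mail.example.com <any external resolver>
! should now return 10.0.0.10, while the same query from outside still returns
! 203.0.113.10.
!
! Equivalent 8.3+ syntax:
!   object network mail-server
!    host 10.0.0.10
!    nat (inside,outside) static 203.0.113.10 dns
```

The rewrite only applies to DNS replies that actually cross the ASA. If inside clients use an internal DNS server that forwards to the internet, the forwarder's replies cross the firewall and get doctored, so it still works; if the internal server is authoritative for the zone itself, it simply needs to hold the private record, and no firewall feature can help.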

In summary, the ASA 5500 series addresses several evolving issues at the internet edge that we all face today. It is a solid platform with a feature set that continues to grow, and the business case can be made for upgrading now.

For further technical information and comparisons please visit the Cisco site at http://www.cisco.com/go/asa

Tuesday, August 10, 2010

Game Changing Features with Cisco Voice

Cisco has been in the voice game for a while now and is the #1 IP PBX vendor in the world. There are literally thousands of features rolled up in the Cisco voice solutions portfolio, and sifting through them can be quite a challenge. Below are the features that I consider to be "game changers". I define a game changer as a feature that is not a current requirement of the organization but would considerably change the way the organization works, in a positive way, making users more productive and offering better service and responsiveness.

MeetMe Conferencing: This lets a user set up his own conference bridge to host a voice conference. Participants then dial in directly from either inside or outside the firm. This can provide significant cost savings, as most firms can easily spend $500-$1,000 a month on conferencing.

Single Number Reach (aka Voice Connect): Rings the desk phone and mobile phone simultaneously. The call can be picked up on either and passed back and forth seamlessly. The feature can be controlled with access lists and schedules to determine which calls reach the mobile number. The original caller ID is preserved, so you know who is calling even on your mobile phone.

Voicemail transcription (aka SpeechView): Typically users receive a copy of their voicemail by email on their smartphone, but there is no way to tell whether it is important without listening to the message. This feature sends an email with the voicemail transcribed in the body and the audio as an attachment. It is especially valuable when the user is not in a position to listen to voicemail but can read a message on a smartphone.

WebEx Connect: This is a small application, licensed per user, that is a SaaS offering from WebEx. It provides instant messaging, desktop sharing, click-to-call, and can even be used to start a WebEx meeting. Advanced configuration also allows it to function as a softphone. The service can be federated, meaning it can connect to other instant messaging systems. Auditing can be configured to address security concerns.

UC Phone Proxy: This feature lets users connect a Cisco IP phone to any internet connection and register the phone securely with the CCM/CME. Signalling and media are encrypted (TLS and SRTP) between the phone and the ASA. It takes less than 5 minutes to provision on the administrative end and gives new meaning to "home is where you hang your hat". Very valuable for execs, mobile users or contractors who set up shop temporarily in foreign offices. (Cisco ASA required.)

Personalized Auto Attendant: Voicemail boxes can be configured to support caller input so that a caller might have the option to reach an administrative assistant directly.

What’s the difference between CallManager and CallManager Express

Many people have asked me about the difference between Cisco CallManager (CCM) and Cisco CallManager Express (CME). The answer is not that complicated, but it can be somewhat confusing, and understandably so. Most software companies offer an "Express" version of their software with a reduced feature set or scalability, and therefore a lower price, to make it viable for smaller businesses. In this case, however, the two products are entirely different platforms, each with its own strengths.

CallManager is a server-based product, now referred to by Cisco as an "appliance". It is basically an HP or IBM server with a hardened Linux OS and the CallManager software bundled onto it. Appliance is a good description, since you manage it entirely through the web interface, and even if you log in at the console you only get the customized administrative shell, with no access to the underlying OS.

CallManager Express, on the other hand, is IOS based, meaning that it runs on a router, specifically any of the ISR 2800/3800 or ISR-G2 2900/3900 series routers. These are amazing boxes, as they can literally bundle all network and voice services into one platform. For example, you could deploy a small office with firewall/VPN/DHCP/PBX/voicemail/switching in one box and even throw in redundant WAN connections if you were so inclined. They support traditional PSTN connectivity such as PRI/FXO as well as IP trunks such as SIP or H.323. Multiple offices can be interconnected to provide 4-digit dialing between sites or least-cost call routing.

Both of these products have been on a very aggressive development roadmap. CallManager is now the IP PBX of choice for enterprises, or for anyone with a Cisco network. It has the full complement of enterprise features with the scalability and redundancy you would expect. It is really impressive. Similarly, CME has come a long way since its early days, when it did little more than provide basic voice services (dial tone). It can now provide a full set of features, including Single Number Reach, advanced call routing, advanced conferencing and supplementary services. Both systems use the same phones and provide a similar user experience.

The primary difference is in scalability and redundancy. CallManager was designed for the large enterprise market. The system can be designed with multiple levels of redundancy for call routing and failover, such that there is no single point of failure and it could survive multiple failures if that level were required. CallManager is deployed in clusters, and a cluster can support up to 30,000 phones. Clusters can be interconnected to provide a seamless voice system. CME, on the other hand, was designed as a single-site solution, and it excels at that. Some enterprises actually use a combination of the two and interconnect them with IP trunks. CME is also a very good fit for businesses where network management is localized rather than centralized.

Feature-wise, CallManager is king. Administrators have very granular control over call routing. Since CallManager lives in the IP/server world rather than in router software, it is developed much faster. Cisco makes additional products (Presence Server, WebEx Connect, MeetingPlace, PC-based Attendant Console) that integrate with CallManager to provide enhanced services, and the same goes for third-party software. This is a weakness of CME: there is very little additional software support for it.

One exception today is a relatively new product, CallManager Business Edition, which is an appliance (server) but has limited scalability (500 phones and 20 sites). It is a single-server solution with a price point lower than a CallManager cluster and just a little higher than CME.

So your choice between these options will be based on the design and the features required. The design should be put together by whoever is in the role of network architect, while the features should be addressed by the systems administrators. Both should work together and solicit input from managers and executives. The reality in small businesses is that these roles are often rolled up into one person. On the plus side, all of these options upgrade smoothly to the next level: a CME router would simply become a voice gateway, and a Business Edition appliance could be upgraded to the full CallManager software, providing an unparalleled level of investment protection.

Cisco's recommendation for any customer is to consult with a Cisco Partner, and that is a sound strategy.