Object Groups in the ASA/FWSM/PIX

I can’t believe I haven’t talked about object-groups yet.  I had a whole other blog entry written up, and, when I went to link things over, I realized I couldn’t find an intro to it.  Here it goes.

Welcome to the modern world.  A world of wonder.  A world of quickly-advancing technology.  A world where clusters of machines sit behind load balancers for scalability and availability.  A world where those clusters need access to other clusters.  A world where your firewall rulebase gets so big that it’s unreadable without some help.

Enough with the drama already.  I would say I hate the cheesy stuff, but I think my whole blog is nothing but cheesy stuff, right?  To the point.  Enterprise firewall configurations can get quite large with ACLs applied in different directions to different interfaces.  Our ACL entries number in the 6000 range, but the firewall we’re running says we’re only at 5% utilization in the ACLE memory space. That means that our not-top-of-the-line firewall is designed to handle 120k lines of ACLs.  That can be quite a handful to configure by hand.  There may be an easier-to-maintain solution, though.

Let’s say you have a cluster of servers behind your CSM that all need to access a database.   Since there’s a nice ASA, FWSM, or PIX between the servers and database (as there should be), you have to open up access for this connection.  Let’s say that you have four servers with the IPs of 192.168.100.101-104 that need access to 10.10.10.1 on the mySQL port (TCP/3306).

Where are your remarks?  Why don’t you document something for once in your life?

Anyway, that’s easy, right.  Four configuation lines isn’t so bad, but some of the server admins come to you one day and tell you that the company actually marketed the new web app and that tey are adding 37 more servers to the cluster.  Now the 37 new servers need the same rules, right?  The server dudes also tell you that, since the app has grown so much, the DBAs have set up a split-read-write scenario where the current database handles the reads and a new database handles the writes.  That’s 78 new rules (37 to the old and 41 for the new).  That’s a lot of rules.

Object-groups to the rescue.  An object-group is a logical group of objects (duh!) that you can use to create ACLEs.  You can create a group of hosts, a group of network, or a group of ports.  For our example, let’s create an object-group that includes all the hosts in the new huge cluster.

What do we do with it, though?  You treat it (almost) just like it was a host in an ACL.  Remember we wanted to open access to the old database on TCP/3306, right?

If you do a show access-list LIST1 now, you’ll see that a new rules has been added for each object in the object-group.  It should look something like this.

Notice that the firewall created 41 rules for you out of your one configured line, but now the rules are indented. The indention means that the rules is generated automagically instead of by hand. Since you can only take out rules that you put in by hand, so you can’t take out the line allowing 192.168.100.123 access; it’s an all-or-nothing scenario.  Be aware of that.

You can use object-group for ports, too.  Let’s add to our example and say that the cluster will need to access the memcached instance on the database server as well.  Those processes run on TCP ports 15000 – 15100.

First we build an object-group for the ports we need.

Now let’s apply it to the ACL.

What does the ACL look like now?  Well, it’s a Duesenberg.

That’s a lot of ACL entries for one configuration line, isn’t it? Let’s see. 102 ports times 41 servers is 4182 lines in the ACL. You can see how might be to your advantage to use object-groups at times.

Send any candy corn questions my way.

Aaron Conaway

I shake my head around sometimes and see what falls out. That's what lands on these pages. If you have any questions, the best way to contact me is through Twitter at @aconaway.

More Posts

Follow Me:
Twitter

6 comments for “Object Groups in the ASA/FWSM/PIX

Leave a Reply

Your email address will not be published.