ASA recommended security levels in a data center

k.abillama
Level 1

Hello,

I'm designing a network where I have 5580 ASAs in a data center that will act as gateways for all business units in my DC.

I need to know what the recommended security levels are (Database Servers, Users, Application servers) to benefit from all inspection and stateful ASA features, knowing I won't use NATing in my environment.

Regards

4 Replies

Panos Kampanakis
Cisco Employee

Security levels are used to define how secure the zone is considered. The less secure a zone is the lower the security level. And by definition you cannot flow from low to higher security levels without allowing it explicitly.

So I would put users in a lower security level, and then servers on higher levels. I would set DB and App zone levels based on whether you want DB servers to talk to App servers by default or not.

I hope it helps.

PK

Hello,

That's what I thought first, but then I thought of putting users in higher security levels since they'll always be initiating the connection (this way I'd take advantage of dynamic ports being opened for return traffic from higher to lower security zones, no?). Will I lose anything in terms of the inspection engine?

Regards

No, inspections will still inspect statefully.

You can also apply ACLs to explicitly allow what someone is allowed to reach and talk to.

Levels are to provide granularity and set the security levels between zones.

PK
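As an added example (not posted in this thread, and not a Cisco reference configuration), here is how the advice above maps onto ASA configuration: users on a low security level, app and database tiers on higher levels, and explicit ACLs that permit only the lower-to-higher flows the business needs. Interface names, levels, addresses and ports are assumptions for illustration.

```cisco
! Constructed example: interface names, levels, addresses and ports are assumed.
interface GigabitEthernet0/0
 nameif users
 security-level 10
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif app
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif db
 security-level 90
 ip address 10.30.0.1 255.255.255.0
!
! Lower-to-higher traffic is dropped unless explicitly permitted.
! Users (10) may only open HTTPS to the app tier (50); log anything else.
access-list USERS_IN extended permit tcp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 eq 443
access-list USERS_IN extended deny ip any any log
access-group USERS_IN in interface users
!
! App tier (50) may only open the (assumed) database port toward the db tier (90).
! Because db is the higher level, db-initiated traffic toward app is allowed by default;
! swap the two levels if the DB tier should not be able to initiate toward App.
access-list APP_IN extended permit tcp 10.20.0.0 255.255.255.0 10.30.0.0 255.255.255.0 eq 1433
access-list APP_IN extended deny ip any any log
access-group APP_IN in interface app
!
! Stateful inspection applies in both directions regardless of security level;
! return traffic for a permitted connection is matched by the connection table,
! not by a separate ACL entry.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
```

With this layout, a user workstation can reach the app tier on port 443 only, the app tier can reach the database on port 1433 only, and every denied attempt from a lower zone is logged, which is what makes the "explicit ACL" approach auditable.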

Thanks for the useful info!

If servers are dynamically opening ports for specific applications in response to client requests, should I use the established command, or can placing users in lower security levels do the job?

Regards
