Tuesday, March 31, 2009

Dual ISP Load Balancing Configuration

Security involves authentication, authorization, confidentiality, data integrity and availability. This document involves network availability. In this example we explore a high availability, load balancing solution for Internet redundancy. Although the example here is for dual Internet service providers the principles of this configuration could be applied in other situations where dual gateways are needed.

In a topology where dual ISP’s customer premise equipment provides an Ethernet port for connection to their service, configuring two static routes with or without metric won’t have the desired effect. Since your equipment connects to an Ethernet port, that connection will always appear to be up as long as you have a link light indicating layer one connectivity. Ethernet ports won’t lose the carrier signal typical with a serial connection so your data path will never fail over to the other configured static route.

In Cisco IOS versions 12.3T and 12.4 mainline object tracking features have been greatly improved and can now be applied to monitor the up/down status of interfaces. The solution contemplated in this article monitors ISP reachability by pinging a host on each of the ISPs networks that is only reachable through that ISPs interface. The ability to ping a host in the core of the ISPs network as opposed to pinging the ISPs gateway provides a means of monitoring that ISPs network health and not just the status of your local connection. The configuration presented here requires a Cisco IOS version of 12.3T or above.

In my own research I found many examples of solutions to this problem. Many of them I dismissed immediately because they were just plain flawed, others were not flexible or provided only failover capabilities without load balancing or were not compatible with the way I needed to provide address translation services. If you prefer just failover without load balancing add a metric to tracked default route for your backup ISP in the configuration below like this “ip route 0.0.0.0 0.0.0.0 10.10.10.1 200 track 123”.

The following configuration is in part the work of Josh Horton at blindhog,net and the original configuration can be seen here, http://www.blindhog.net/cisco-dual-internet-connections-without-bgp/. I’ve am making a similar configuration available here due the difficulty of finding this information on the Internet.

I have made some enhancements and at the expense of failover have provided a way to force certain traffic out a particular interface. I’ve also added a host specific route to the ping monitored host on each network. This assures that the host will be reachable when the router is powered up or service is reestablished and forces the ICMP ping packet out the interface we want to monitor. A host specific route also assures that the monitored host is only reachable through it’s network gateway.

version 12.4
!
hostname Router_Name
!
ip cef
!
!#### Establish sla monitors for use in tracking objects. These objects ####!
!#### are used to track reachability of a host on each ISPs network ####!
!
ip sla monitor 1
type echo protocol ipIcmpEcho 10.10.10.10
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 10.20.20.10
ip sla monitor schedule 2 life forever start-time now
!
!#### Configure Tracking objects (referencing IP SLA monitor’s above) ####!
!
track 123 rtr 1 reachability
delay down 5 up 5
!
track 124 rtr 2 reachability
delay down 5 up 5
!
!#### Configure Interfaces for NAT, 'ip nat inside' and 'ip nat outside '####!
!
interface GigabitEthernet0/1
description Connect to firewall outside interface or inside networks
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/2
description ISP1 Internet Interface
ip address 10.10.10.2 255.255.255.252
ip nat outside
!
interface GigabitEthernet0/3
description ISP2 Internet Interface
ip address 10.20.20.2 255.255.255.252
ip nat outside
!
!#### Configure gateway of last resort with tracking objects ####!
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1 track 123
ip route 0.0.0.0 0.0.0.0 10.20.20.1 track 124

!#### Configure host specific routes for sla monitors. Without ####!
!#### these, tracking objects cannot recover after full failure. note ####!
!#### the ‘permanent’ keyword installed the route into the RIB ####!
!#### regardless of reachability ####!
!
ip route 10.10.10.10 255.255.255.255 10.10.10.1 permanent
ip route 10.20.20.10 255.255.255.255 10.20.20.1 permanent
!
!#### Configure additional routes for inside subnets not directly connected ####!
!
ip route [inside subnet / mask] GigabitEthernet0/1
ip route [inside subnet / mask] GigabitEthernet0/1
!
!#### Outbound dynamic NAT for each interface
with overload parameter ####!
!
ip nat inside source route-map ISP1_MAP interface GigabitEthernet0/2 overload
ip nat inside source route-map ISP2_MAP interface GigabitEthernet0/3 overload
!
!#### Additional static NAT for dedicated one to one NAT addresses and /or ####!
!#### tcp/udp port translations. Note first two statements translate SMTP (25) ####!
!
ip nat inside source static tcp 192.168.1.5 25 10.10.10.5 25 route-map ISP1_MAP extendable
ip nat inside source static tcp 192.168.1.5 25 10.20.20..5 25 route-map ISP1_MAP extendable
ip nat inside source static 192.168.226.5 71.151.39.129 route-map ISP2_MAP extendable
ip nat inside source static 192.168.226.6 71.151.39.130 route-map ISP2_MAP extendable
!
!####Configure a single ACL or an ACL for each interface if####!
!####needed to direct specific traffic to a specific interface####!
!####Both ACLs have the same permit statement but other####!
!####permit or deny statements can be added as required####!
!
ip access-list extended ISP1_ACL
remark ACL for ISP1 interface - permit or deny specific traffic on this interface / ISP
permit ip 192.168.226.0 0.0.0.255 any
!
ip access-list extended ISP2_ACL
remark ACL for Comacst interface - permit or deny specific traffic on this interface / ISP
permit ip 192.168.226.0 0.0.0.255 any
!
!####Configure route maps for reference in NAT statements####!
!####These route-maps direct NATs to appropriate interface####!
!
route-map ISP1_MAP permit 10
description associates outside NAT addresses with the correct interface
match ip address ISP1_ACL
match interface GigabitEthernet0/2
!
route-map ISP2_MAP permit 10
description associates outside NAT addresses with the correct interface
match ip address ISP2_ACL
match interface GigabitEthernet0/3
!
banner motd ^C
********************************************

SECURITY NOTICE

********************************************
This is a private secured computer system.
It is for authorized use only.
Users (authorized or unauthorized) have no
explicit or implicit expectation of privacy.
Any or all uses of this system and all
files on this system may be intercepted,
monitored, recorded, copied, audited,
inspected, and disclosed to authorized
site, law enforcement personnel, as well
as authorized officials of other agencies,
both domestic and foreign. By using this
system, the user consents to such
interception, monitoring, recording,
copying, auditing, inspection, and
disclosure at the discretion of site
personnel. All activity is logged
with your host name and IP address.
Unauthorized or improper use of this
system may result in civil and criminal
penalties. By continuing to use this
system you indicate your awareness of and
consent to these terms and conditions of
use. LOG OFF IMMEDIATELY if you do not
agree to the conditions stated in this
warning.


********************************************
^C





Monday, March 16, 2009

Identification, Naming Conventions and Color Coding

Or a Rose by any other name is hard to correctly identify

Technology is simple. Here’s a summary...

Scrape the tape,
Pop the top,
Twitch the switch,
Put what you got in the slot,
Load the code…

Well, Not exactly. There is a little more to it than that if you do it right.

Let’s start at the very beginning because that is the very first opportunity we have to make mistakes.


A naming convention, labeling practices, color coding and use of a change log and auditing methodology can help you stay organized, improve problem resolution times and minimize mistakes with security consequences.

Here’s how easily thing can get out control. I had been working with a client that has maintained two unconnected networks for internal production and Internet connectivity. The reasoning was straight forward and simple. If you’re not connected you can’t be compromised. I’ve been telling them for years that they would be more secure connected where hosts could stay patched and network access could be controlled, logged and audited. My time has finally come and I am replacing firewalls, reconfiguring the topology and adding redundant ISP services in preparation for the collapse of these networks into a single topology. During the process of testing the load balancing ISP NAT configuration I was very surprised to see inside addresses from the production network being translated on the outside of my new Internet firewall cluster. Remember these are totally isolated networks, or so they thought. Obviously things are not always as they seem. It would seem that similar switches in a common rack in a common wiring closet and same color patch cables have resulted in an inadvertent connection between the two systems. The production network gateway and DNS servers are logically isolated from the outside and provide no Internet resolution so the client was completely unaware of a potential security fiasco.

Practical Advice:


Label the cable, pathways and spaces.
Adopt a labeling and color coding standard such as the ANSI/TIA/EIA 606-A Administrative Standard and make your contractor, consultants and peers to use it religiously. You don’t have to adopt this standard verbatim but its principles should apply. Know where your horizontal cabling, backbone cables, grounding and bonding systems and telecommunication outlets terminate. Use a labeling convention that identifies the floor, closet, rack, panel and port for instance at each data outlet.

Example:


0047-1A-1A45
UTP cable originates in Building 047, Telecommunications Room 1A.in Rack #1, Patch Panel A, Port 45.

Manage your pathways, spaces and racks. This effort pays big dividends in reduced administration and improved problem resolution times down the road. Your cabling contractor should be very familiar with this standard and its principles.

Network Electronics, Routers and Switches:


Physically and logically label all devices with a naming convention that identifies it’s purpose or use and configure electronic port or interface labels to identify mission critical equipment connections.

Example of a Cisco configuration:

hostname CC50_InterValve
!
interface GigabitEthernet0/2
description Embark Internet Interface
!
interface serial0/2
description Crosstown Complex, circuit ID # FL-0000-2236472-XX

An exception to the descriptive electronic name would apply in the case of edge devices or those with publically routable addresses. Although “security by obscurity” ranks really low in terms of effective security strategies, Internet routers and firewalls and wireless devices, shouldn’t be named “bastion_host” or “super_secret_FW” or indicate the company name or specific location. These names imply a purpose and a challenge to the wrong people and may open the consultant to liability issues. Names like “SWI_Valve1” or “Gate_SB50” are far less interesting to an attacker.

Network Host Devices:

Here you can be a little less descriptive in the machine name opting for important but never changing information like the manufacturer, serial number or asset tag and acquisition date i.e “Dell_34672_07”. This naming convention does little help you locate the machine but PC and printers may move from person to person or be redeployed or repurposed into another department or division. Make use of the “Computer Description” field on the Windows Computer Name tab of the computer properties or similar “Comment” fields for other equipment. These fields can be easily changed when machines are moved, redeployed or repurposed and show up in the detail view of the network browser.

Name.......................Computer Description
HP_34672_07 ..........Bldg J, HR, Rm 102. Jackie M., ext 5427
Dell_222476_08 .......Bldg C, Lobby, Public Kiosk #1

Printers show up in the network browser the same way so they can be named similarly. In the installed printer applet in on individual Windows PCs, printers are named for their device driver by default but can be changed if necessary to a descriptive name for the end user like this.

Research_HP_LaserJet_4050N

Network Management:

There are an abundance of network management tools for every conceivable need imaginable. Some are free and some are commercial applications. Some are single purpose and some are feature rich but inevitably you will need the capability to perform an administrative task that is not supported by whatever you have. One of the best and most effective management tools for a large network deployment is an administrator with scripting skills. VBScript, KixTart, Windows script, AutoIT and numerous other languages are relatively simple to learn and offer the ability to rename, add comments, change or add device drivers, perform inventory etcetera.

ANSI/TIA/EIA 606-A Implementation Example-
http://net-services.ufl.edu/infrastructure/labelstandardhorizontal.htm

ANSI/TIA/EIA 606-A Standard quick reference- this is an expansive standard. Here is a summary.
http://74.125.47.132/search?q=cache:bzuzMHx14kwJ:www.flexcomm.com/library/606aguide.pdf+ansi/tia/eia+606a&cd=1&hl=en&ct=clnk&gl=us
KixTart Scripting Language-
http://www.kixtart.org