What Are Multi-Context Firewalls?



Cyber crime is impacting users across the globe. As individuals and businesses increasingly rely on internet-connected devices, malicious attackers continue to take advantage.

Now, more than ever, we need to be on high alert. The UK is far from immune to the impacts of cybercrime and is feeling the effects of various threats such as ransomware attacks, data breaches, and online fraud.

The CyberEdge 2022 Cyberthreat Defense Report (CDR) provides a breadth of insight into cyber security in countries all over the world. It found that in the UK, 81.4 percent of organizations had experienced at least one cyber attack in the year prior to the study, compared to 71.1 percent in the previous annual findings.

CyberEdge also investigated the rate at which companies were hit with ransomware attacks. Well over half (73 percent) of UK organizations dealt with a ransomware attack, a 15 percent rise on the previous year. 

UK organisations experienced an average of 788 weekly cyber attacks across 2022, marking a 77% increase from 2021. New figures from Check Point highlight the growing severity of cyber threats in 2022, with attacks surging by 38% compared to the previous year. The global volume of cyber attacks also reached an all-time high in the fourth quarter of the year with an average of 1,168 weekly attacks per organisation.  “Cyber attacks are increasing worldwide, with 38% more cyber attacks per week on corporate networking in 2022 compared to 2021,” said Omer Dembinsky, data group manager at Check Point. “Several cyber threat trends are all happening at once.” 

So, what should businesses be doing about this?

Cyber security is one of our focus areas at Franklin Fitch and as a recruiter, I am frequently asked by service providers and large enterprises to find people with experience in multi-context firewalls. Quite often when I ask candidates if they have used them, the response is: “what is that?” or “I’ve never heard of it”.

For me personally, a lot of my technical knowledge is gained from in-depth conversations with my candidates about how they use a specific piece of hardware and what benefits it brings. So, if you, like me, are wondering what multi-context firewalls are, read on and find out more.

Cisco ASA supports multiple firewall contexts, also called firewall multimode or multi-context mode. Multi-context mode divides a single ASA into multiple virtual devices, also known as security contexts. Each context operates as a single device, independently of the other security contexts. In routers, this is comparable to Virtual Routing and Forwarding (VRF).

When would you use multiple security contexts? 

  • A network that requires more than one ASA

  • A service provider that needs to offer a different security context to each customer

  • An enterprise that needs to provide distinct security policies for individual departments or user groups, each of which requires its own security context

When wouldn’t you use multiple security contexts? 
  • When VPN Services are required such as remote access or site-to-site VPN tunnels

  • If dynamic routing protocols are required

  • If QoS is needed

  • If multicast routing needs to be supported

  • If threat detection is required

Context configuration files  

In multi-context mode, there are three types of configuration files:
  • The system configuration – a standard single-mode configuration where the network administrator adds and manages the security contexts

  • The admin context – has no restrictions and can be used like any other security context

  • The context configurations/user context – for each individual security context. They contain the security policies and interface configurations specific only to that context 

ASA Packet Classification  

Packets are also classified differently in multi-context firewalls. In multimode, interfaces can be shared between contexts, so the ASA must determine which context each packet belongs to.

The ASA categorises packets based on three criteria:
  • Unique interfaces – 1:1 pairing with a physical link or sub-interfaces (VLAN tags)

  • Unique MAC addresses – each context's share of a shared interface is assigned a unique virtual MAC address, in order to alleviate the routing issues that would otherwise complicate firewall management

  • NAT configuration – if unique MAC addresses are disabled, the ASA falls back to the mapped addresses in the NAT configuration to classify packets. This is uncommon

In certain cases, you may therefore need to assign a unique MAC address to a shared interface in order to alleviate the routing issues that would otherwise complicate firewall management.

Active/active failover 

Multi-context mode offers active/active failover per context: the primary unit forwards traffic for one context while the secondary unit forwards traffic for another. The security contexts are divided logically into failover groups, with a maximum of two failover groups. For any given context, there is never more than one active forwarding path at a time.

Important to consider 

In order to change from single mode to multiple mode or back, the commands must be entered from the command-line interface (CLI) and not via the ASDM GUI. When changing from single to multimode, the ASA converts the running configuration into two files, creating a new system configuration file and an admin context file. The original system configuration file is not saved.

By default, every security context has unrestricted access to the ASA's resources. Depending on the environment, resource management may need to be configured to limit contexts that would otherwise starve others. This is done by defining resource classes and assigning contexts to them.
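To tie together the points above (context configuration files, shared interfaces with unique virtual MAC addresses, failover groups and resource classes), here is an added example of a system execution space configuration for a two-tenant ASA. It is a constructed illustration written for this article, not a configuration from Cisco or from any real deployment; the context names, interface numbers, file names, class names and IP addresses are all assumptions.

```cisco
! --- System execution space (constructed example, not a real deployment) ---
! Switch the ASA to multi-context mode. This must be entered at the CLI, not in ASDM;
! the ASA splits the running config into a system config plus an admin context file.
mode multiple

! Give each context its own virtual MAC address on shared interfaces so that
! packets can be classified by destination MAC rather than by NAT mapped address.
mac-address auto

! --- Resource classes: stop one tenant context from starving the others ---
! Resource names and syntax (limit-resource [rate] <resource> <number>[%]) are
! the ASA's; the limit values are assumptions chosen for this example.
class gold
  limit-resource conns 20%
  limit-resource rate conns 5000
  limit-resource hosts 10000
class default
  limit-resource conns 10%
  limit-resource rate conns 1000

! --- Active/active failover: two failover groups, one per unit ---
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.0.1 255.255.255.0 standby 10.255.0.2
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
failover

! --- Admin context: management access; otherwise behaves like any other context ---
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg

! --- Tenant A: shares the outside link, has its own inside sub-interface ---
! GigabitEthernet0/0 is allocated to both tenants (a shared interface), so the
! unique MAC address from "mac-address auto" is what lets the ASA classify
! inbound packets to the right context. The inside sub-interface (VLAN tag) is
! unique to this context, so it classifies 1:1 without needing a MAC lookup.
context customerA
  member gold
  allocate-interface GigabitEthernet0/0 outside
  allocate-interface GigabitEthernet0/1.100 inside
  config-url disk0:/customerA.cfg
  join-failover-group 1

! --- Tenant B: same shared outside link, different inside VLAN, different failover group ---
context customerB
  member default
  allocate-interface GigabitEthernet0/0 outside
  allocate-interface GigabitEthernet0/1.200 inside
  config-url disk0:/customerB.cfg
  join-failover-group 2
```

Each tenant's own security policy (access lists, NAT, interface IP addressing) lives inside its context configuration file (customerA.cfg and customerB.cfg in this example), which an administrator reaches with `changeto context customerA` from the system space. `show mode`, `show context` and `show resource usage` are useful checks after applying a configuration like this: the first confirms the unit is in multiple mode, the second lists each context with its allocated interfaces and config URL, and the third shows whether any context is hitting the limits set by its resource class.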

Final thoughts

Multimode offers advantages in certain situations particularly for service providers or an enterprise with multiple departments that require individual security policies. The requirements should be carefully considered before implementing the solution. However, there are also limitations and whilst the number of physical devices you manage may decrease, the complexity of those device configurations may increase.

We offer a dedicated, specialized staff who can discuss your hiring needs if you are looking to hire for security positions or alternatively help you find the ideal role if you are searching for a security-based role. Click here to reach out to us right away. 
