
Chapter 9. Security Contexts

This chapter covers the following topics:

The virtual firewall methodology enables a physical firewall to be partitioned into multiple standalone firewalls. Each standalone firewall acts as an independent entity with its own configuration, interfaces, security policies, routing table, and administrators. On the Cisco ASA, these virtual firewalls are known as security contexts.

The following are some example scenarios in which security contexts are useful in network deployments:

  • You act as a service provider and you want to provide firewall services to customers. However, you do not want to purchase additional physical firewalls for each customer.

  • You manage an educational institution and you want to segregate student networks from faculty networks for improved security using one physical security appliance.

  • You administer a large enterprise with different departmental groups, and each department wants to implement its own security policies.

  • You have overlapping networks in your organization and you want to provide firewall services to all of those networks without changing the addressing scheme.

  • You currently manage many physical firewalls and you want to integrate security policies into one physical firewall.

In Figure 9-1, SecureMe, an enterprise headquartered in Chicago, has a Cisco ASA providing firewall services to two of its customers. To implement a cost-effective solution, SecureMe has configured two security contexts in the security appliance: CustA for Customer A and CustB for Customer B. Each customer can manage and administer its own security context without interfering with the other context. On the other hand, the security appliance administrator manages the system execution space, which is discussed in the next section.

Figure 9-1. Security Contexts in the ASA


In this figure, each horizontal dotted box represents a security context that has a Cisco ASA inspecting and protecting the packets going through it, while the vertical box represents the physical Cisco security appliance with multiple security contexts.
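The following system execution space configuration is an added illustration of the Figure 9-1 deployment, not taken from the book or from a SecureMe device. Interface names and file names are assumed for the example; the contexts CustA and CustB are the ones described above, and the admin context is the one the appliance administrator uses to manage the system execution space.

```text
! Added example: system execution space of the SecureMe ASA in multiple-context mode.
! Interface names and config-url file names are assumptions for illustration.
mode multiple
!
! The admin context is where the security appliance administrator works; it is
! the only context allowed to manage the system execution space.
admin-context admin
context admin
  description Appliance administrator context (assumed interface and file)
  allocate-interface GigabitEthernet0/0
  config-url disk0:/admin.cfg
!
! Customer A's context: its own interfaces, configuration, policies and routing table.
context CustA
  description Customer A virtual firewall
  allocate-interface GigabitEthernet0/1
  allocate-interface GigabitEthernet0/2
  config-url disk0:/CustA.cfg
!
! Customer B's context: fully separate from CustA, so overlapping address space
! inside each customer network does not conflict (the routing tables are independent).
context CustB
  description Customer B virtual firewall
  allocate-interface GigabitEthernet0/3
  allocate-interface GigabitEthernet0/4
  config-url disk0:/CustB.cfg
```

Each context's own security policy (access lists, NAT, routes) lives in the file named by its config-url and is edited by that customer's administrators, while only the admin context can change this partitioning.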
