Cisco ASA 5500 Series Adaptive Security Appliances
Product History

There used to be a saying in the IT industry that "you wouldn't get sacked for buying IBM"; that may be somewhat dated, but the same could be said for Cisco equipment nowadays. There are plenty of alternative vendors providing firewall solutions with many similar features at a lower price, but the industry standard is still Cisco.

The Cisco PIX range of firewall/NAT devices was originally launched in 1995, but the models most readers are likely to encounter are the 501, 506 and 515, which were launched in 2002. They were finally discontinued in 2008; their longevity was mainly down to their use of the PIX OS, which enabled new features to be provided via firmware upgrade without the need for major hardware updates. Although the Cisco ASA range was launched in 2005 and positioned as the replacement for the PIX range, Cisco users tend to resist change, so ASAs have only become widespread in the last couple of years.

The original release of the ASA officially combined the separate firewall, VPN and IPS (Intrusion Prevention System) functionality of several Cisco devices, although the PIX OS of the time (version 7.x) already supported all of these features. In fact the ASA range started life running PIX 7.0 and only diverged with the release of ASA 8.0, which moved the software onto Cisco's customized Linux-based kernel.

For users from a UNIX background, Cisco devices' use of text files for all configuration settings is reassuringly familiar, but for those from a Windows background it can seem impossibly complex. Cisco first attempted to address this on the PIX by introducing the PIX Device Manager, a Java-based GUI front-end for the PIX OS; however, a frustrating number of bugs tended to drive admins back to the command line for any advanced configuration. Fortunately they started from scratch with the ASA and designed the ASDM (Adaptive Security Device Manager), again a Java-based management console, but this time one that allows you to do virtually all of the configuration without having to resort to a text editor. Whichever you use, ASDM is only a front end: it generates the same CLI commands, and the text configuration (`show running-config`) remains the definitive record of what the appliance will actually do. The latest ASA version is now 8.2 and ASDM is on version 6.1:
[Figure: Cisco ASDM dashboard view]

Cisco ASA Models

There are six main models in the ASA range, from the basic 5505 branch office model up to the 5580 datacenter versions; a full comparison is available on the Cisco website. Although this article will concentrate on the 5505 and 5510 models, the basic feature set is in fact fairly consistent across the range, the main differences being the maximum traffic throughput handled by each model and the number and type of interfaces.

At the most basic level the ASA is a transparent or routed firewall/NAT device, which means it is designed to sit between your LAN and the Internet; one interface (normally known as "outside") will be connected to your Internet access device and one or more interfaces (e.g. "inside" and "DMZ") will connect to your internal networks. Each named interface carries a security level from 0 to 100: by default, connections may be initiated from a higher-security interface to a lower one (inside to outside), but not the reverse unless an access list applied to the lower-security interface permits them. This enables the ASA to inspect and control all traffic passing between your network and the Internet; exactly what it does with that traffic is the clever bit.

Cisco ASA 5510
The ASA 5510 is intended to be a single-device solution to your Internet security requirements and, with its 300 Mbps throughput and 9,000 firewall connections per second capacity, will be suitable for most office deployments. The key features will be covered in more detail later, but in brief these are: firewall/NAT, SSL/IPsec VPN, content security and intrusion prevention. It has five 10/100 Mbps ports; by default these provide one outside (Internet) interface, one management interface and three internal network interfaces, but they are fully reconfigurable and also support VLANs for further network subdivision if required. Functionality can be upgraded via a Security Services Module slot, which provides support for additional Content Security and Intrusion Prevention features.

Cisco ASA 5505

The Cisco ASA 5505 is intended for small or branch office and teleworker deployments, often in conjunction with a 5510 or higher model at the head office, to which it will establish a secure VPN whilst providing full security for other Internet traffic. The device has eight 10/100 Mbps Ethernet switch ports, including two with Power over Ethernet support suitable for PoE devices such as IP phones or cameras, so it can be used as a single-unit solution for the smaller office. Key differences compared to the 5510 are the reduced support for VPN connections (only 10, upgradeable to 25 with the Security Plus license), only 3 VLANs (20 with the Security Plus license) and only a slot for the optional Security Services Card, so there is no option for the advanced Content Security services.

Key Features of Cisco ASA Firewalls

Firewall
All ASA models include a fully featured policy-based firewall and routing engine which gives you complete control over which traffic you allow in and out of your network. Layer 2/3 firewalling allows you to specify which hosts are allowed access through the ASA and also to perform Network Address Translation to map internal hosts to public IP addresses. Layer 7 firewalling goes several steps further and allows you to define access policies based on application and protocol type, providing extremely granular control over Internet access and protection against advanced types of network attack. Unlike many competitors' firewalls, the ASA's policy- and interface-based approach to access control gives you complete control over traffic leaving your network as well as incoming traffic, for example allowing you to restrict Instant Messaging use to only your approved client application. Deep packet inspection goes beyond simply analysing the protocol and port of the attempted connection to discover the application behind it, making it much harder for users to circumvent company IT policies.

SSL & IPsec VPN

Even the Cisco ASA 5505 includes full support for IPsec and SSL VPN endpoints, providing encrypted tunnels for office-to-office and remote-user-to-office connections. The basic license for all ASAs allows IPsec VPN connections up to the maximum supported on each model but only includes two SSL VPN licenses, to allow for testing before deployment. The 5505 will support up to 25 simultaneous VPN connections (with the Security Plus license), whilst the 5510 supports a maximum of 250; these can be any combination of IPsec or SSL, and site-to-site or remote client types.

IPsec VPNs are commonly deployed between Cisco VPN devices for site-to-site connections, or initiated by client software on the remote worker's computer. Included with all ASA license bundles is the Cisco AnyConnect VPN client, with versions available for all major operating systems: Windows 2000 up to Windows 7, Mac OS X (10.4/10.5), Linux (Intel, kernel 2.6.x) and even Windows Mobile 5.0/6.0/6.1. Note that at this release AnyConnect is an SSL/DTLS client; IPsec remote access uses the older Cisco VPN Client or the operating system's native IPsec support. AnyConnect provides several improvements over the basic IPsec functionality built into those operating systems; its key features are:

- DTLS protocol support to help minimize latency for applications such as VoIP
- Support for SSL tunneling to ensure connectivity even through restrictive proxies and firewalls (if web browsing is possible then so is a VPN connection)
- Advanced encryption and a wide range of authentication protocols, including two-factor smartcard/token based
- Flexible IP tunneling for a consistent user experience, with features such as connection retention, ensuring the mobile user retains connectivity through disconnections, reboots and standby/hibernation.

Cisco's SSL VPN makes supporting mobile and remote users even simpler; by using the same protocol as that used for secure web sites, a VPN connection is available anywhere the user can browse the web. The SSL VPN can be initiated via an ActiveX or Java control, so no client has to be pre-installed on the user's system; all they have to do is browse to the website and provide the necessary credentials.

Intrusion Prevention

Cisco's Intrusion Prevention System goes beyond the standard firewall functions to analyse data packets for known and potential threats, including malware, network intrusion and application exploitation. This intercepts undesirable traffic before it reaches the internal network, whilst regular automatic signature updates maintain protection against new threats. IPS support is an optional feature that can be added via the purchase of an AIP SSC (upgrade card) for the ASA 5505 or an AIP SSM (upgrade module) for the ASA 5510. The AIP SSM has all the standard features of the AIP SSC but with increased throughput capacity (150 Mbps/9k connections per second vs 75 Mbps/4k cps) and support for Global Correlation and Day Zero attack anomaly prevention. Global Correlation involves much more than regular signature updates, using a real-time connection with the Cisco Security Intelligence Operations infrastructure to monitor the current threat status Internet-wide, identifying and preventing fast-spreading threats as they happen. Day Zero Attack Prevention analyzes your normal network behaviour so it can detect anomalous behaviour representing potential threats and block it, even before official detection signatures have been released.

[Figure: AIP-SSC Intrusion Prevention System upgrade card for ASA 5505]

Content Security

Content Security is not available on the ASA 5505 but can be added to the ASA 5510 with the purchase of the CSC-SSM module. This provides a comprehensive range of network security and control features, including:

- Malware scanning using TrendLabs protection to scan both Internet and email traffic and eliminate viruses, worms and other threats such as spyware
- Anti-spam to remove unsolicited commercial emails
- Anti-phishing, which protects against spoofed identity attacks and prevents users disclosing confidential information inappropriately
- Comprehensive web access protection; all traffic is scanned so protection cannot be bypassed, e.g. through employees using personal webmail services which would not usually be covered by corporate email protection
- URL filtering and content protection, which gives you full control over which employees can access what, definable by category and content, again applying to all web access so undesirable content can be blocked whether on a website, in an email or in a file download.

One caveat on "all traffic": the CSC-SSM only scans the protocols the ASA's service policy diverts to it (HTTP, FTP, SMTP and POP3) and does not decrypt HTTPS sessions, so web access over SSL/TLS passes it unscanned.

CSC-SSM licenses are available in several different options according to the number of users supported and the feature set; basic licenses cover anti-virus and anti-spyware, while the advanced licenses add URL and content filtering, anti-spam and anti-phishing. Security updates are provided by TrendLabs and licensed on a yearly subscription basis.

Cisco's ASA range greatly extends the usual definition of a firewall to provide a complete network perimeter security solution, and with the 5505 and 5510 models what used to be "enterprise only" features are now available to the SME network. Having said that, several of these features are not included with the basic device package; they have to be purchased as separate licenses, which is important to bear in mind when comparing costs. However, this does allow you to tailor the device to your requirements, so you only pay for features as and when you need them.

With the ASDM GUI Cisco have gone a long way to reduce the complexities of configuration and management that used to be the hallmark of their appliances, so deployment should be within the capabilities of most network admins too.
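To make the firewall and VPN sections above concrete, here is a minimal ASA 8.2 configuration for the 5510 deployment the article describes: an outside, inside and DMZ interface, NAT, an inbound and an explicit outbound access policy, and a site-to-site IPsec tunnel to a branch 5505. This is an added example, not configuration from the original article or from Cisco; the hostname, all addresses (RFC 5737 documentation ranges), the branch LAN 10.10.0.0/24, the DMZ resolver 172.16.1.53, the peer 198.51.100.2 and every object name are assumptions chosen for illustration. The NAT commands use the pre-8.3 syntax that matches the 8.2 release the article refers to.

```cisco
! ASA 5510, software 8.2: routed firewall with inside/outside/DMZ plus a site-to-site tunnel.
! Addresses, names and the peer are assumptions for this example, not values from the article.
hostname HQ-ASA
!
! --- Interfaces. The security level drives the default policy: connections from a higher
! level to a lower level are allowed, the reverse is denied unless an access list applied
! to the lower-security interface permits them.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! --- NAT (8.2 syntax). Inside and DMZ hosts share the outside address via PAT; the DMZ
! web server gets a one-to-one static mapping so it can be published to the Internet.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
static (dmz,outside) 203.0.113.3 172.16.1.10 netmask 255.255.255.255
!
! --- Inbound: only HTTP to the published server. Everything else arriving from the
! Internet hits the implicit deny at the end of the list.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq www
access-group OUTSIDE_IN in interface outside
!
! --- Outbound: applying a list to the inside interface replaces the "high to low is
! allowed" default with an explicit egress policy, which is the control over traffic
! leaving the network that the article describes. The tunnel traffic must be permitted
! here too, because the inside list is evaluated before encryption.
access-list INSIDE_OUT extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list INSIDE_OUT extended permit udp 192.168.1.0 255.255.255.0 host 172.16.1.53 eq domain
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
!
! --- Site-to-site IPsec to the branch 5505 (assumed peer 198.51.100.2, branch LAN 10.10.0.0/24).
access-list VPN_TO_BRANCH extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.255.0
! NAT exemption: tunnel traffic must keep its private addresses, so it bypasses the PAT rule.
nat (inside) 0 access-list VPN_TO_BRANCH
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
!
! --- Layer 7: the default global policy already runs common protocols through the
! inspection engines; adding HTTP means port 80 must actually carry well-formed HTTP.
policy-map global_policy
 class inspection_default
  inspect http
```

Two points a practitioner should check before trusting this as "complete control". First, `sysopt connection permit-vpn` is enabled by default, so traffic arriving through the tunnel from the branch is not evaluated against OUTSIDE_IN; to filter it, either disable that option with `no sysopt connection permit-vpn` and add explicit permits, or attach a `vpn-filter` to the tunnel's group policy. Second, the branch 5505 side is configured the same way but its ports are switch ports, so the `nameif`/`security-level`/`ip address` lines go under `interface Vlan1` and `interface Vlan2` rather than under the Ethernet interfaces. The pre-shared key above is a placeholder; use a long random secret and keep it out of shared documents.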
The next article in this series will cover the basics of ASA setup and administration using the ASDM interface.

More Cisco ASA and Firewall Tutorials:
- VLAN Sub-Interfaces on Cisco ASA 5500 Firewall Configuration
- Cisco ASA Firewall Licensing
- Cisco ASA 5500 Family, Key Component of the Cisco Secure Borderless Network
- How to Configure Cisco ASA 5505 Firewall?