Implementing the Cisco Adaptive Security Appliance (ASA)
Cisco over the years has had a dedicated firewall appliance. Many years ago, it was a device named the PIX. As technology improved, a new device was created that leveraged all the features of the PIX and added some new ones. This new device is the Adaptive Security Appliance (ASA).
ASA Features and Services
Cisco offers firewall solutions using a firewall-enabled Integrated Services Router (ISR) or using the Cisco Adaptive Security Appliance (ASA) comprehensive firewall solution. The ASA is a primary component of the Cisco Secure Borderless Network and provides superior scalability, a broad range of technology and solutions, and effective always-on security.
The ASA combines the following features into one platform:
Stateful Firewall (or Stateful filtering)
An ASA provides stateful firewall services tracking the TCP or UDP network connections traversing it. Only packets matching a known active connection are allowed by the firewall; others are rejected.
Simple packet filtering is normally expressed as an access list. The ASA supports both standard and extended access lists. The most significant difference between an access list on an ASA and an access list on a router is that the ASA never uses a wildcard mask. Instead, it uses the real subnet mask in the access control list (ACL).
The ASA can listen in on conversations between devices on one side and devices on the other side of the firewall. The benefit of listening in is so that the firewall can pay attention to application layer information.
Network Address Translation (NAT)
The ASA supports inside and outside NAT, and both static and dynamic NAT and PAT, including Policy NAT, which is only triggered based on specific matches of IP addresses or ports. There is also the ability to perform NAT exemption (for example, specifying that certain traffic should not be translated). This comes in handy if you have NAT rules that say everybody who is going from the inside networks out to the Internet should be translated, but at the same time you have a virtual private network (VPN) tunnel to either a remote user or a remote network. Any traffic from the inside network going over the VPN tunnel in most cases should not be translated, so you set up an exemption rule that says traffic from the inside networks to the destinations that are reachable via the VPN tunnels should not be translated. The policy that indicates that traffic should not be translated is often referred to as NAT zero.
The ASA can act as a Dynamic Host Configuration Protocol (DHCP) server or client or both.
The ASA supports most of the interior gateway routing protocols, including RIP, EIGRP, and OSPF. It also supports static routing.
An object group is a configuration item on the ASA that refers to one or more items. In the case of a network object group, it refers to one or more IP addresses or network address ranges. The benefit of an object group is that a single entry in an access list could refer to an object group as the source IP or destination IP address in an individual access control entry (a single line of an access list), and the ASA logically applies that entry against all the IP addresses that are currently in the object group.
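The ACL, NAT exemption and object-group points above, brought together as an added configuration example (not from the original text): object groups referenced from single access control entries, an ACL written with real subnet masks rather than wildcard masks, and a "NAT 0" exemption so that traffic bound for a VPN peer is not translated. The network names, addresses and ACL names are assumed, and the syntax is the pre-8.3 form, which is where the "NAT zero" name comes from.

```text
! Object groups: one access control entry can reference every address in a group
object-group network INSIDE_NETS
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
object-group network VPN_REMOTE_NETS
 network-object 192.168.50.0 255.255.255.0
object-group network DMZ_WEB_SERVERS
 network-object host 172.16.10.10
 network-object host 172.16.10.11

! ASA ACLs use the real subnet mask, never a wildcard mask.
! Wrong (IOS-style wildcard mask; the ASA does not use wildcard masks):
!   access-list OUTSIDE_IN extended permit tcp any 172.16.10.0 0.0.0.255 eq 443
! Right:
access-list OUTSIDE_IN extended permit tcp any 172.16.10.0 255.255.255.0 eq 443
access-list OUTSIDE_IN extended permit tcp any object-group DMZ_WEB_SERVERS eq 80
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Dynamic PAT for everything leaving the inside toward the Internet
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! NAT exemption ("NAT 0"): inside-to-VPN-peer traffic is not translated,
! so the remote site sees the real inside addresses across the tunnel
access-list NONAT extended permit ip object-group INSIDE_NETS object-group VPN_REMOTE_NETS
nat (inside) 0 access-list NONAT

! On ASA 8.3 and later the same exemption is written as an identity twice-NAT rule:
!   nat (inside,outside) source static INSIDE_NETS INSIDE_NETS destination static VPN_REMOTE_NETS VPN_REMOTE_NETS
```

The NONAT access list is matched before the dynamic PAT rule, so only traffic that does not match it is translated on the way out.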
Botnet traffic filtering
A botnet is a collection of computers that have been compromised and are willing to follow the instructions of someone who is attempting to centrally control them (for example, 10,000 machines all willing [or so commanded] to send a flood of ping requests to the IP address dictated by the person controlling these devices).
The ASA consults an external, Cisco-maintained Botnet Traffic Filter database and uses it to detect and block traffic to and from known botnet hosts.
Layer 3 or Layer 2 implementation
An ASA device can operate in one of two modes:
Routed Mode or Layer 3 implementation
• The traditional mode for deploying a Layer 3 firewall, which has IP addresses assigned to each of its routable interfaces.
• Two or more interfaces that separate Layer 3 networks.
• The ASA is a router hop in the network and can perform NAT between connected networks.
• Supports multiple interfaces, and each interface is on a different subnet and requires an IP address on that subnet.
Transparent Mode or Layer 2 firewall
The actual physical interfaces receive individual IP addresses, but a pair of interfaces operate like a bridge. Traffic that is going across this two-port bridge is still subject to the rules and inspection that can be implemented by the ASA. The ASA can still perform application layer inspection and stateful filtering. This mode is referred to as a “bump in the wire.”
• The ASA requires only one management IP address configured in global configuration mode.
• Does not support dynamic routing protocols, VPNs, quality of service (QoS), or DHCP Relay.
The ASA can operate as either the head-end or remote-end device for VPN tunnels.
When using IPsec, the ASA can support remote-access VPN users and site-to-site VPN tunnels.
When supporting Secure Sockets Layer (SSL), it can support the clientless SSL VPN and the full AnyConnect SSL VPN tunnels (which hand out separate IP addresses to remote VPN users, similar to the IPsec remote VPN users).
SSL is an increasingly popular option for VPNs and is used only for remote access, not for site-to-site VPNs.
• The security appliance supports two failover configurations: Active/Active failover or Active/Standby failover.
• Use active/standby failover configuration to provide device redundancy.
• Use active/active failover to load balance traffic across both units.
• The active ASA passes traffic, while the other (standby) unit does not pass traffic.
• Both ASAs must have identical software, licensing, memory, and interfaces.
The use of authentication, authorization, and accounting (AAA) services, either locally or from an external server such as Access Control Server (ACS), is supported.
Most ASA models support basic intrusion prevention system (IPS) features.
A single ASA can be partitioned into multiple virtual devices called security contexts.
Each context is an independent device, with its own security policy, interfaces, and administrators.
Most IPS features are supported except VPN and dynamic routing protocols.
Threat control
Along with integrated IPS features, additional antimalware threat control capabilities are provided by adding the Content Security and Control (CSC) module.
A client attempting to access server resources must first be authenticated using Microsoft Active Directory.
Full IPS features are provided by integrating special hardware modules with the ASA architecture.
– The Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM) is for the ASA 5540 device.
– The Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC) is for the ASA 5505 device.