9/10/2012

Cisco ASA-1: Cisco ASA Features 


The Cisco ASA is the focus of the FIREWALL exam. Is the ASA a firewall? Yes. Is it more than a firewall? Yes!

Even further, the ASA has many features that go beyond the basic firewall techniques, giving it great versatility. A summary of the ASA features is presented in the following sections. You should become familiar with these features, as you will need to be able to select the appropriate ASA features and technologies on the exam, given some high-level design criteria:




Stateful packet filtering engine: The SPF engine tracks connections and their states, performing TCP normalization and conformity checks, as well as dynamic session negotiation.

Application inspection and control: The AIC function analyzes application layer protocols to track their state and to make sure they conform to protocol standards.

User-based access control: The ASA can perform inline user authentication followed by Cut-through Proxy, which controls the access that specific users are allowed to have. Once a user is authenticated, Cut-through Proxy also accelerates inspection of a user's traffic flows.

Session auditing: Accounting records can be generated for user-based sessions, as well as for application layer connections and sessions.

Security Services Modules: The ASA platform supports several Security Services Modules (SSM) that contain specialized hardware to offload processor-intensive security functions. An ASA can contain one SSM, offloading either IPS or content security services.




Reputation-based Botnet Traffic Filtering: An ASA can detect and filter traffic involved with botnet activity on infected hosts. The Botnet Traffic Filter database

Feature                                   Limitation
Protocol analysis and normalization       Not available for all protocols or applications.
Deep and thorough content analysis        Analysis might take too long for real-time traffic.
Access control over Layers 3 through 7    —
Can be permissive or restrictive          Can require configuration on the clients.

Category-based URL filtering: An ASA can leverage an external URL filtering server to enforce acceptable use policies and control user access to various types of web services.

Cryptographic Unified Communications (UC) proxy: When Cisco Unified Communications traffic must pass through an ASA, the ASA can be configured as an authorized UC proxy. The ASA can then terminate and relay cryptographically protected UC sessions between clients and servers.

Denial-of-service prevention: An ASA can leverage traffic-control features like protocol normalization, traffic policing, and connection rate controls to minimize the effects of denial-of-service (DoS) attacks.

Traffic correlation: The threat detection feature examines and correlates traffic from many different connections and sessions to detect and block anomalies stemming from network attacks and reconnaissance activity.

Remote access VPNs: An ASA can support secure VPN connections from trusted users located somewhere on an untrusted network. Clientless SSL VPNs can be used to offer a secure web portal for limited remote access to users, without requiring VPN client software. For complete secure network access, full tunneling of all user traffic is supported with either SSL VPNs or IPsec VPNs, which require VPN client software.




Site-to-site VPNs: An ASA can support IPsec VPN connections between sites or enterprises. Site-to-site or LAN-to-LAN VPN connections are usually built between firewalls or routers at each location. Site-to-site VPNs are covered in the


High availability failover clustering: Two identical ASA devices can be configured to operate as a failover pair, making the ASA security functions redundant in case of a hardware failure.

Redundant interfaces: To increase availability within a single ASA, interfaces can be configured as redundant pairs so that one is always active, while the other takes over after an interface hardware failure.

EtherChannel: Multiple ASA interfaces can be aggregated or bundled together as a single logical interface. By connecting an EtherChannel between an ASA and a switch, you can scale the bandwidth and offer additional redundancy.

Traffic and policy virtualization: An ASA can be configured to operate multiple virtual instances or security contexts, each acting as an independent firewall. Each virtual context has its own set of logical interfaces, security policies, and administrative control.






Rich IP routing functionality: An ASA can forward traffic onto the local networks connected to each of its interfaces without any additional IP routing information. It can also be configured to use static routes or a dynamic routing protocol such as RIPv1, RIPv2, EIGRP, and OSPF to make more complex routing decisions.

Powerful Network Address Translation (NAT): As an ASA inspects and forwards packets, it can apply a rich set of NAT functions to alter source and destination addresses.

Transparent (bridged) operation: An ASA can be configured to operate as a transparent firewall, effectively becoming a secure bridge between its interfaces. Transparent firewall mode allows an ASA to be wedged into an existing network without requiring any readdressing of the network.

Integrated DHCP, DDNS, and PPPoE: An ASA can be configured to act as a DHCP client or a PPP over Ethernet (PPPoE) client to obtain a dynamic IP address for its interfaces from the network, and as a Dynamic DNS (DDNS) client to record information for hostname-to-address resolution. As well, an ASA can act as a DHCP server to offer IP addressing services to other hosts on the network.

IPv6 support: An ASA can be configured to operate natively in an IPv6 network.

IP multicast support: An ASA can leverage the Internet Group Management Protocol (IGMP) and the Protocol Independent Multicast (PIM) protocol to participate in handling IP multicast traffic.

Management control and protocols: An ASA supports several different methods of management control, including a console port, Telnet, Secure Shell (SSH), Secure HTTP (HTTPS), and Simple Network Management Protocol (SNMP; Versions 1, 2c, and 3). A dedicated out-of-band management port is also available. An ASA can send event notifications using SNMP traps, NetFlow, and syslog.

Simple software management: An ASA supports a local file system and remote file transfers for software upgrades. Software upgrades can be performed manually, automatically, or in a zero-downtime fashion on a failover cluster of ASAs.

Configuration flexibility and scalability: Security policies and rules can be configured using reusable objects. Through the Modular Policy Framework (MPF), security features can be configured and applied in a flexible and versatile manner.
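As an added illustration (not from the original post) of how MPF ties several of the features above together, the following ASA configuration classifies web traffic, applies application inspection, TCP normalization and connection limits to it, and binds the policy to an interface. The class-map, tcp-map and policy-map names and the interface name "outside" are assumptions.

```text
! Assumed names: WEB_TRAFFIC, TCP_NORMALIZE, OUTSIDE_POLICY, interface "outside"
!
! 1. Classify the traffic: TCP port 80 flows
class-map WEB_TRAFFIC
 match port tcp eq 80
!
! 2. TCP normalization settings (stateful packet filtering engine)
tcp-map TCP_NORMALIZE
 check-retransmission
 checksum-verification
 exceed-mss drop
 reserved-bits clear
!
! 3. Actions to apply to the classified traffic
policy-map OUTSIDE_POLICY
 class WEB_TRAFFIC
  ! Application inspection and control: enforce HTTP protocol conformity
  inspect http
  ! Denial-of-service prevention: cap total and half-open (embryonic)
  ! connections, overall and per client
  set connection conn-max 2000 embryonic-conn-max 500
  set connection per-client-max 50 per-client-embryonic-max 10
  ! Attach the TCP normalization map to this class
  set connection advanced-options TCP_NORMALIZE
!
! 4. Bind the policy to traffic arriving on the outside interface
service-policy OUTSIDE_POLICY interface outside
!
! Traffic correlation: basic threat detection (enabled by default on
! current releases; shown here explicitly)
threat-detection basic-threat
```

Check the result with "show service-policy interface outside", which reports per-class inspection and connection-limit counters, and with "show threat-detection rate" for the correlated drop rates.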




Cisco Security Management Suite: Multiple ASAs can be managed from the Cisco Security Management Suite for ease of administration.
