Cisco ASA-1: Cisco ASA Features
The Cisco ASA is the focus of the FIREWALL exam. Is the ASA a firewall? Yes. Is it more
than a firewall? Yes!
Even further, the ASA has many features that go beyond the basic firewall techniques, giving
it great versatility. A summary of the ASA features is presented in the following sections.
You should become familiar with these features, as you will need to be able to select
the appropriate ASA features and technologies on the exam, given some high-level design
criteria:
■ Stateful packet filtering engine: The SPF engine tracks connections and their
states, performing TCP normalization and conformity checks, as well as dynamic session
negotiation.
■ Application inspection and control: The AIC function analyzes application layer
protocols to track their state and to make sure they conform to protocol standards.
■ User-based access control: The ASA can perform inline user authentication followed
by Cut-through Proxy, which controls the access that specific users are allowed
to have. Once a user is authenticated, Cut-through Proxy also accelerates
inspection of a user’s traffic flows.
■ Session auditing: Accounting records can be generated for user-based sessions, as
well as for application layer connections and sessions.
■ Security Services Modules: The ASA platform supports several Security Services
Modules (SSM) that contain specialized hardware to offload processor-intensive security
functions. An ASA can contain one SSM, offloading either IPS or content security
services.
■ Reputation-based Botnet Traffic Filtering: An ASA can detect and filter traffic
involved with botnet activity on infected hosts. The Botnet Traffic Filter database

Feature                                   Limitation
Protocol analysis and normalization       Not available for all protocols or applications.
Deep and thorough content analysis        Analysis might take too long for real-time traffic.
Access control over Layers 3 through 7    —
Can be permissive or restrictive          Can require configuration on the clients.

■ Category-based URL filtering: An ASA can leverage an external URL filtering
server to enforce acceptable use policies and control user access to various types of
web services.
■ Cryptographic Unified Communications (UC) proxy: When Cisco Unified Communications
traffic must pass through an ASA, the ASA can be configured as an authorized
UC proxy. The ASA can then terminate and relay cryptographically
protected UC sessions between clients and servers.
■ Denial-of-service prevention: An ASA can leverage traffic-control features like
protocol normalization, traffic policing, and connection rate controls to minimize
the effects of denial-of-service (DoS) attacks.
■ Traffic correlation: The threat detection feature examines and correlates traffic
from many different connections and sessions to detect and block anomalies stemming
from network attacks and reconnaissance activity.
■ Remote access VPNs: An ASA can support secure VPN connections from trusted
users located somewhere on an untrusted network. Clientless SSL VPNs can be used
to offer a secure web portal for limited remote access to users, without requiring
VPN client software. For complete secure network access, full tunneling of all user
traffic is supported with either SSL VPNs or IPsec VPNs, which require VPN client
software.
■ Site-to-site VPNs: An ASA can support IPsec VPN connections between sites or
enterprises. Site-to-site or LAN-to-LAN VPN connections are usually built between
firewalls or routers at each location. Site-to-site VPNs are covered in the
■ High availability failover clustering: Two identical ASA devices can be configured
to operate as a failover pair, making the ASA security functions redundant in case of
a hardware failure.
■ Redundant interfaces: To increase availability within a single ASA, interfaces can
be configured as redundant pairs so that one is always active, while the other takes
over after an interface hardware failure.
■ EtherChannel: Multiple ASA interfaces can be aggregated or bundled together as a
single logical interface. By connecting an EtherChannel between an ASA and a
switch, you can scale the bandwidth and offer additional redundancy.
■ Traffic and policy virtualization: An ASA can be configured to operate multiple
virtual instances or security contexts, each acting as an independent firewall. Each
virtual context has its own set of logical interfaces, security policies, and administrative
control.
■ Rich IP routing functionality: An ASA can forward traffic onto the local networks
connected to each of its interfaces without any additional IP routing information. It
can also be configured to use static routes or a dynamic routing protocol such as
RIPv1, RIPv2, EIGRP, and OSPF to make more complex routing decisions.
■ Powerful Network Address Translation (NAT): As an ASA inspects and forwards
packets, it can apply a rich set of NAT functions to alter source and destination addresses.
■ Transparent (bridged) operation: An ASA can be configured to operate as a transparent
firewall, effectively becoming a secure bridge between its interfaces. Transparent
firewall mode allows an ASA to be wedged into an existing network without
requiring any readdressing of the network.
■ Integrated DHCP, DDNS, and PPPoE: An ASA can be configured to act as a
DHCP client or a PPP over Ethernet (PPPoE) client to obtain a dynamic IP address for
its interfaces from the network, and as a Dynamic DNS (DDNS) client to record information
for hostname-to-address resolution. An ASA can also act as a DHCP server
to offer IP addressing services to other hosts on the network.
■ IPv6 support: An ASA can be configured to operate natively in an IPv6 network.
■ IP multicast support: An ASA can leverage the Internet Group Management Protocol
(IGMP) and the Protocol Independent Multicast (PIM) protocol to participate in
handling IP multicast traffic.
■ Management control and protocols: An ASA supports several different methods
of management control, including a console port, Telnet, Secure Shell (SSH), Secure
HTTP (HTTPS), and Simple Network Management Protocol (SNMP; Versions 1, 2c,
and 3). A dedicated out-of-band management port is also available. An ASA can send
event notifications using SNMP traps, NetFlow, and syslog.
■ Simple software management: An ASA supports a local file system and remote
file transfers for software upgrades. Software upgrades can be performed manually,
automatically, or in a zero-downtime fashion on a failover cluster of ASAs.
■ Configuration flexibility and scalability: Security policies and rules can be configured
using reusable objects. Through the Modular Policy Framework (MPF), security
features can be configured and applied in a flexible and versatile manner.
■ Cisco Security Management Suite: Multiple ASAs can be managed from the
Cisco Security Management Suite for ease of administration.