Full Cisco Firewall Hands-On Guide PDF
The ASA (Adaptive Security Appliance) is a network security product that is a part of Cisco’s Advanced Network Firewall portfolio.
A network Firewall is a hardware or software device that sits usually at the edge of a network and provides security by allowing or denying traffic based upon a set of pre-configured rules.
In large corporate network environments, you can also place a network firewall within your internal LAN in order to segment private LAN IP subnets (e.g. to isolate the servers LAN from the users LAN).
The Cisco ASA was a replacement for the Cisco PIX firewall and is an advanced firewall which is capable of carrying out more advanced services than the older PIX firewall was capable of.
How Does the ASA Firewall Work
Let’s briefly explain the core network firewall functionality of the Cisco ASA. A network firewall is based on stateful packet inspection, which I will explain below.
A stateful network firewall, such as the Cisco ASA, typically uses stateful packet inspection to prevent unauthorised traffic from entering the network from the outside or prevent unauthorised traffic from being passed between security zones internally within a network.
A stateful firewall keeps track of all the sessions that have been initiated from user devices inside the network and allows the responding traffic from outside the network to pass through to the initiating device.
Stateful packet inspection checks an access control list to see if the source or destination IP address (and/or ports) of the incoming packet is allowed access to the network or not.
The Cisco ASA has many physical interfaces which can be further divided into “sub-interfaces” using VLANs.
Each one of these firewall interfaces is connected to a “security zone”, which is basically a Layer 3 subnet. All hosts inside this security zone (subnet) use the IP address configured on the ASA firewall interface as their default gateway.
This means that all traffic from the specific security zone going out to other networks (zones) will pass through the ASA, which will impose its firewall controls on the traffic.
A Cisco ASA is able to carry out the following services in addition to the core Stateful Packet Inspection functionality:
Cisco ASA Main Core Security Features
Packet filtering, also known as deep packet inspection, goes much further than simply matching IP addresses against an allowed list.
Packet filtering is able to determine which protocol is being used, such as TCP, UDP or RTP, and which application is sending the traffic.
This enables much more complex rules to be created and instead of only being able to block traffic based on source or destination IP addresses, rules can now be created to block traffic based on the protocol being used or to block a particular application.
NAT / PAT
Network Address Translation and Port Address Translation are used to translate the IP address of the source device from a private IP address range to a public IP address range.
This has a number of benefits. Firstly, the actual IP address of the sending device is disguised because all the destination machine ever sees is the public IP address that has been substituted at the firewall and not the original private address.
The second benefit is that many devices can access the internet using the single public IP address which saves on Public IP address use.
Port Address Translation (PAT) allows the firewall to assign each device a different source port number; these port mappings mean that when the destination server responds to the public IP address, the firewall knows which internal IP address originally sent the request and can forward the packet on.
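As an added example (not code from the page or from Cisco), the following Python model puts together the two mechanisms described above: the session table from the stateful inspection section and the PAT port mapping from this section. The public IP, internal addresses, ports and the allowed-port “ACL” are constructed values, and the class is a hypothetical simplification, not ASA code.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    zone: str  # interface the packet arrived on: "inside" or "outside"

class StatefulPatFirewall:
    """Toy model (not ASA code): inside-to-outside flows are permitted when the
    ACL allows the destination port and get a unique public port (PAT); packets
    arriving on the outside interface pass only if they answer a tracked session."""
    def __init__(self, public_ip, allowed_dst_ports, pat_start=1024):
        self.public_ip = public_ip
        self.allowed_dst_ports = allowed_dst_ports  # stands in for the access control list
        self.next_port = pat_start
        self.xlate = {}  # (src_ip, src_port, dst_ip, dst_port) -> assigned public port
        self.conns = {}  # (public_port, remote_ip, remote_port) -> (src_ip, src_port)

    def process(self, pkt):
        """Return ('permit', translated packet) or ('deny', None)."""
        if pkt.zone == "inside":
            if pkt.dst_port not in self.allowed_dst_ports:
                return "deny", None
            flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if flow not in self.xlate:  # first packet of the session: create state
                self.xlate[flow] = self.next_port
                self.conns[(self.next_port, pkt.dst_ip, pkt.dst_port)] = flow[:2]
                self.next_port += 1
            return "permit", replace(pkt, src_ip=self.public_ip,
                                     src_port=self.xlate[flow], zone="outside")
        # Outside interface: the reply must match an existing session exactly.
        original = self.conns.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if original is None or pkt.dst_ip != self.public_ip:
            return "deny", None
        return "permit", replace(pkt, dst_ip=original[0], dst_port=original[1], zone="inside")

def demo():
    """Constructed traffic: two hosts open HTTPS sessions, one reply returns,
    an unsolicited packet to the same public port is dropped, telnet is denied by the ACL."""
    fw = StatefulPatFirewall("203.0.113.2", allowed_dst_ports={80, 443})
    out1 = fw.process(Packet("10.1.1.10", 50000, "198.51.100.5", 443, "inside"))
    out2 = fw.process(Packet("10.1.1.11", 50000, "198.51.100.5", 443, "inside"))
    reply = fw.process(Packet("198.51.100.5", 443, "203.0.113.2", 1024, "outside"))
    stray = fw.process(Packet("198.51.100.9", 4444, "203.0.113.2", 1024, "outside"))
    denied = fw.process(Packet("10.1.1.10", 50001, "198.51.100.5", 23, "inside"))
    return out1, out2, reply, stray, denied
```

Both internal hosts use source port 50000, which is why the firewall must hand out distinct public ports (1024 and 1025) to tell the replies apart.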
SSL / IPSec VPN
An ASA firewall is able to create an encrypted channel between the corporate network and another device located on a different network.
The Virtual Private Network (VPN) tunnel protects all the traffic that is flowing from external devices to the corporate network over the public internet.
This allows remote users to securely access data from outside of the corporate network using IPSec or SSL encryption protocols.
Moreover, a site-to-site IPSec VPN can create a secured and encrypted connection between two distant private LAN networks over the Internet.
This allows for a cheap and secure connectivity solution between two or more LAN networks without leasing expensive dedicated WAN links between the two sites.
Cisco Firepower Main Security Features
Cisco Firepower is a separate product line, acquired by Cisco, that provides many additional cybersecurity services such as Intrusion Prevention, DDoS prevention, anti-malware, anti-virus, mail scanning, URL filtering and dynamic security intelligence through Cisco Talos, a cybersecurity community created by Cisco.
A Firepower appliance is known as a Next Generation Security product and can be added to a network as a dedicated Firepower appliance or as a hardware module installed within a Cisco ASA.
An ASA with Firepower is able to provide the standard firewall services and also the enhanced security services of a Firepower device, which makes these ASAs Next Generation Firewalls.
Many of the security features offered by the Firepower module are activated by purchasing different levels of licensing which are available as a subscription service that is renewed on a yearly basis.
| Subscription You Purchase | Smart Licenses You Assign in Firepower System |
|---|---|
| TC | Threat + URL Filtering |
| TM | Threat + Malware |
| TMC | Threat + URL Filtering + Malware |
| URL | URL Filtering (can be added to Threat or used without Threat) |
| AMP | Malware (can be added to Threat or used without Threat) |
An ASA device that is running Firepower services is not managed by ASDM software. A Firepower device or cluster of Firepower devices is managed by another piece of software which is called the Cisco Secure Firewall Management Centre or SFMC (Formerly Firepower Management Centre or FMC).
The SFMC is a web-based security administration centre that is used for applying network security policies and configuring the Firepower Threat Device (FTD) sensors or Firepower modules that are spread throughout a network.
Unlike ASDM, the FMC is not installed on a standard Windows or Mac OSX computer but is added to the network as a dedicated appliance or as a virtual machine on a hypervisor such as VMware ESXi.
The software can then be accessed from any device which has a web browser by navigating to the URL of the SFMC.
The following additional services are provided by the Firepower Module installed in a Cisco ASA or as a dedicated device:
An Intrusion Prevention System (IPS) works by scanning the incoming and outgoing traffic and comparing the traffic patterns to a baseline or against a signature database of known attack vectors.
A baseline is the normal amount of traffic that flows in and out of the network from all the different network sources.
When there is a deviation from this normal baseline, such as an unusually large amount of data being uploaded from an internal system, an alert can be raised in SFMC to make the security team aware of a potential network breach. Automatic action can also be taken by the ASA to block this traffic.
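As an added illustration, not part of the page, of the baseline check described above: the script below learns each internal host’s normal daily upload volume from constructed flow totals and flags a later day whose uploads exceed an assumed multiple of that baseline, the kind of deviation that would raise an alert in SFMC.

```python
from collections import defaultdict
from statistics import mean

# Constructed flow totals: (day, internal host, bytes uploaded to the Internet that day).
FLOW_TOTALS = [
    (1, "10.1.1.10", 120_000), (2, "10.1.1.10", 95_000), (3, "10.1.1.10", 130_000),
    (4, "10.1.1.10", 110_000), (5, "10.1.1.10", 4_800_000),  # sudden large upload
    (1, "10.1.1.20", 700_000), (2, "10.1.1.20", 650_000), (3, "10.1.1.20", 720_000),
    (4, "10.1.1.20", 690_000), (5, "10.1.1.20", 710_000),    # busy but steady host
]

def build_baseline(records, learn_days):
    """The 'normal' baseline: mean daily upload per host over the learning window."""
    per_host = defaultdict(list)
    for day, host, nbytes in records:
        if day <= learn_days:
            per_host[host].append(nbytes)
    return {host: mean(values) for host, values in per_host.items()}

def detect_deviations(records, learn_days=4, factor=5.0):
    """Flag hosts whose uploads on a day after the learning window exceed
    factor x their own baseline (factor is an assumed tuning value).
    Returns (day, host, bytes, baseline) tuples; each would become an alert."""
    baseline = build_baseline(records, learn_days)
    alerts = []
    for day, host, nbytes in records:
        if day > learn_days and host in baseline and nbytes > factor * baseline[host]:
            alerts.append((day, host, nbytes, baseline[host]))
    return alerts
```

Because the baseline is per host, the second host’s consistently high volume is not flagged, while the first host’s jump from roughly 100 KB to 4.8 MB is.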
Content filtering or URL filtering is performed by the ASA to block web content that is deemed inappropriate by the company’s security policy.
This web filtering is very CPU intensive, so it’s important to ensure that an ASA model with the correct hardware specifications is chosen for filtering traffic on a large network.
Many applications produce traffic signatures that can be recognized by the Firepower ASA and filtered as required.
It is even possible for the ASA to block specific parts of an application but not the entire application. For example, it is possible to block Facebook games but not the entire Facebook application.
The ASA filters the incoming traffic and checks for a match to known malware signatures. If a match is found the traffic flow can be blocked preventing the malware from spreading throughout the network. Anti-malware filtering can be crucial in preventing the spread of ransomware.
An anti-virus mechanism is another service that the Firepower ASA employs to prevent malicious traffic from reaching internal users.
Like the anti-malware process the traffic is filtered and matched against known virus signatures and blocked before the virus is able to spread.
The Cisco ASA is able to use the power of the cybersecurity community to better protect enterprise networks. The ASA is able to prevent outgoing connections to a blacklist of known malicious domains that is constantly updated from the intelligence gathered by Cisco Talos.
As soon as a new malicious domain is confirmed the ASA blacklist is updated which helps to prevent Zero-day attacks.
What is Adaptive Security Device Manager (ASDM)
Traditional PIX firewalls could only be configured via the command line, which meant that only engineers experienced with command line configuration could set up or make changes to the firewall.
The Cisco ASA can be configured by the command line or through a graphical user interface called the Adaptive Security Device Manager or ASDM.
The ASDM software is a Java-based application that is installed on a Windows or Mac OSX computer and can then be used to remotely manage multiple ASA devices. The ASDM software image is also stored on the Cisco ASA’s flash.
ASDM makes the day-to-day maintenance of the firewall easier, as you are able to make configuration changes, view and filter connections, view charts and statistics or perform operating system upgrades remotely with the click of a mouse rather than by connecting through the CLI.
Current Cisco ASA models
- ASA-5505 – End of Sale
- ASA-5510 – End of Sale
- ASA-5506-X – Desktop / Rack Mountable Unit
- ASA-5506H-X – Desktop / Rack Mountable Unit
- ASA-5508-X – 1 RU Rack Mountable Unit
- ASA-5516-X – 1 RU Rack Mountable Unit
- ASA-5525-X – 1 RU Rack Mountable Unit
- ASA-5545-X – 1 RU Rack Mountable Unit
- ASA-5555-X – 1 RU Rack Mountable Unit
- ASA-5585-X – 2 RU Rack Mountable Unit
- ASAv – Virtual machine software which is installed on a VMware server.
The standard ASA without Firepower services has now become end of sale and the ASA is now sold with Firepower installed as standard. The X in the model’s name denotes that this model has a Firepower Module installed.
Competitors to Cisco ASA
Cisco ASA with Firepower services is a premium security product for Enterprise Networks and according to gartner.com there are only three direct competitors to these Cisco products. They are Palo Alto, Fortinet and Checkpoint.
Palo Alto next generation firewalls provide similar features to Cisco ASA firewalls through their PAN-OS operating system.
The Palo Alto firewalls, and firewall clusters can be managed by their Firewall management system known as Panorama.
Fortinet has a very large range of firewall models aimed at every size network from entry level to cloud datacentres. These firewalls run the Fortigate operating system.
Fortinet is one of the fastest-growing security firms worldwide, and they manufacture all kinds of security products, such as firewalls, antivirus, email security, SIEM, WiFi etc.
Checkpoint have taken a unified approach to network security through a suite of products that include Next Generation Firewalls known as the Infinity architecture.
This architecture is made up of five sections, which are Quantum, Cloudguard, Harmony and Infinity Vision, surrounding their security intelligence centre known as Infinity Threat Cloud. Checkpoint has a large offering of 15 different firewall models.