Cisco ASA

In computer networking, Cisco ASA 5500 Series Adaptive Security Appliances, or simply Cisco ASA, is Cisco's line of network security devices introduced in May 2005. [1] It succeeded three existing lines of Cisco products:

The Cisco ASA is a unified threat management device that combines several network security functions, chiefly stateful firewalling, VPN termination and intrusion prevention, in one appliance. [3]

Reception and criticism

Cisco ASA has become one of the most widely used firewall/VPN solutions for small to medium-sized businesses. Early reviews indicated the Cisco GUI tools for managing the device were lacking. [4]

A flaw in the customization framework of the Clientless SSL VPN portal allowed an unauthenticated attacker to alter the portal content served to users; in 2015 attackers were reported to be targeting ASAs that had not applied the fix. [5] Another flaw, a remote code execution vulnerability in the WebVPN feature, was fixed in January 2018. [6]

In August 2016 the Shadow Brokers leak revealed two exploits against the ASA: EPICBANANA (CVE-2016-6367), a flaw in the CLI parser that can only be triggered by an already authenticated user, and EXTRABACON (CVE-2016-6366), a buffer overflow in the SNMP service that can be triggered remotely by anyone who can reach the SNMP listener and knows the community string. [7] [8] [9] The leak also described BANANAGLEE, a code-insertion implant, and JETPLOW, a firmware implant that makes BANANAGLEE persistent across reboots. [10]

Features

The 5506W-X includes an integrated wireless access point.

Architecture

The ASA software is based on Linux, but nearly all of its functionality lives in a single Executable and Linkable Format (ELF) program called lina, which schedules its own internal threads rather than relying on the Linux scheduler. [11] In the boot sequence a boot loader, ROMMON (ROM monitor), starts first and loads a Linux kernel; the kernel then runs lina_monitor, which in turn loads lina. ROMMON also offers a command line from which alternative software images and configurations can be selected or loaded, so whoever controls ROMMON controls what the appliance boots. Firmware file names encode a version indicator; the -smp tag marks a symmetric-multiprocessor (64-bit) build, and other parts of the name indicate whether 3DES and AES are supported. [11] Because the firewall, VPN and management functions all execute inside the one lina process, a memory-corruption bug in any of its protocol parsers yields code execution with the privileges of the entire firewall, which is why the SNMP overflow behind EXTRABACON was so serious.

The ASA software presents an interface similar to Cisco IOS on routers: a command-line interface (CLI) used to query, operate and configure the device, with configuration statements entered in configuration mode. Changes apply immediately to the running-config held in memory and are normally saved to flash memory (the startup-config) so that they survive a reboot. [11]
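The configuration statements described above are what an auditor reads off a saved running-config, and the EXTRABACON exploit discussed under Reception and criticism only works against a device whose configuration exposes SNMPv1/v2c with a guessable community string. The following Python is an added example (not code from the page, from Cisco or from NCC Group) that scans a config dump for that exposure and for the other common management-plane weaknesses. The two config samples, the hostnames, addresses and the non-default hashes in the hardened sample are constructed for the example; the two default hashes it recognises are the long-standing PIX/ASA values for the login password "cisco" and for an empty enable password.

```python
"""Audit a Cisco ASA running-config for management-plane exposure.

Added example, not code from the page, Cisco or NCC Group.  It reads the
configuration statements the CLI section describes and flags weak ones; the
SNMP checks mirror the EXTRABACON precondition (a reachable SNMPv1/v2c listener
plus a guessable community string).  Both config samples are constructed.
"""
import re
from dataclasses import dataclass

# Long-standing PIX/ASA factory defaults: hash of "cisco" (login) and of the empty enable password.
DEFAULT_PASSWD_HASH = "2KFQnbNIdI.2KYOU"
DEFAULT_ENABLE_HASH = "8Ry2YjIyt7RRXU24"
WEAK_COMMUNITIES = {"public", "private", "cisco"}
ANY_NET = ("0.0.0.0", "0.0.0.0")

# snmp-server host <ifname> <addr> [trap|poll] [community <str>] [version {1|2c|3 <user>}]
SNMP_HOST = re.compile(r"^snmp-server host (\S+) (\S+)(?: (?:trap|poll))?"
                       r"(?: community (\S+))?(?: version (\S+))?")
SNMP_COMMUNITY = re.compile(r"^snmp-server community (\S+)")
MGMT_ACCESS = re.compile(r"^(http|ssh|telnet) (\S+) (\S+) (\S+)$")  # <proto> <addr> <mask> <ifname>
SSH_VERSION = re.compile(r"^ssh version (\d)")
PASSWD = re.compile(r"^passwd (\S+) encrypted")
ENABLE_PW = re.compile(r"^enable password (\S+) encrypted")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    line: str      # the offending statement
    reason: str


def check_line(line):
    """Return a Finding for one config statement, or None if it passes."""
    m = SNMP_HOST.match(line)
    if m:
        iface, _addr, community, version = m.groups()
        if version == "3":
            return None
        # v1, v2c or version omitted: the community string is the only credential
        why = f"SNMPv1/v2c polling accepted on {iface}; community string is the only authentication"
        if community in WEAK_COMMUNITIES:
            why += f" (weak community {community!r})"
        return Finding("high" if iface == "outside" else "medium", line, why)
    m = SNMP_COMMUNITY.match(line)
    if m and m.group(1) in WEAK_COMMUNITIES:
        return Finding("medium", line, f"weak default SNMP community {m.group(1)!r}")
    m = MGMT_ACCESS.match(line)
    if m:
        proto, addr, mask, iface = m.groups()
        if proto == "telnet":
            return Finding("medium", line, f"cleartext telnet management enabled on {iface}")
        if (addr, mask) == ANY_NET:
            sev = "high" if iface == "outside" else "medium"
            return Finding(sev, line, f"{proto} management open to any source on {iface}")
        return None
    m = SSH_VERSION.match(line)
    if m and m.group(1) == "1":
        return Finding("high", line, "SSH protocol version 1 enabled")
    m = PASSWD.match(line)
    if m and m.group(1) == DEFAULT_PASSWD_HASH:
        return Finding("high", line, "login password is the factory default ('cisco')")
    m = ENABLE_PW.match(line)
    if m and m.group(1) == DEFAULT_ENABLE_HASH:
        return Finding("high", line, "enable password is the factory default (empty)")
    return None


def audit_config(config_text):
    """Audit each statement of a running-config dump; comment (!) and banner (:) lines are skipped."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("!", ":")):
            f = check_line(line)
            if f:
                findings.append(f)
    return findings


# Constructed sample: Internet-facing ASA with the management plane left open.
EXPOSED_CONFIG = """\
: Saved
hostname asa-edge
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
snmp-server host outside 203.0.113.50 community public version 2c
snmp-server community public
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
"""

# Constructed hardened counterpart: SNMPv3 on the inside only, SSHv2 from the
# management subnet, no telnet, non-default password hashes (made-up values).
HARDENED_CONFIG = """\
hostname asa-edge
enable password 7gXQpVfP0xn5cR2a encrypted
passwd 9kLmTz3qWv8Bn1Yd encrypted
http server enable
http 10.0.0.0 255.255.255.0 inside
snmp-server group nms-group v3 priv
snmp-server host inside 10.0.0.5 version 3 nms-user
ssh 10.0.0.0 255.255.255.0 inside
ssh version 2
"""

if __name__ == "__main__":
    for f in audit_config(EXPOSED_CONFIG):
        print(f"[{f.severity}] {f.line}: {f.reason}")
    print("hardened config findings:", len(audit_config(HARDENED_CONFIG)))
```

Severity is deliberately tied to the interface name: the same SNMPv2c statement is rated high on the outside interface, where an Internet attacker can reach the listener, and medium on the inside, where it still leaves a community-string-only credential but requires a foothold first. A real audit would also confirm the SNMP listener is actually bound (the `snmp-server host` line is what opens polling on an interface) and pair the config review with the software version, since EXTRABACON is only useful against unpatched releases.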

software versions [11]

major release   released [12]
7.0             31 May 2005
7.1             6 Feb 2006
7.2             31 May 2006
8.0             18 Jun 2007
8.1             1 Mar 2008
8.2             6 May 2009
8.3             8 Mar 2010
8.4             31 Jan 2011
8.5             8 Jul 2011
8.6             28 Feb 2012
8.7             16 Oct 2012
9.0             29 Oct 2012
9.1             3 Dec 2012
9.2             24 Apr 2014
9.3             24 Jul 2014
9.4             30 Mar 2015
9.5             12 Aug 2015
9.6             21 Mar 2016
9.7             4 Apr 2017
9.8             15 May 2017
9.9             4 Dec 2017

End-of-life status per release, and which releases run on the 5505-5550 hardware versus the 5512-X to 5585-X hardware, are listed in the same source. [11]

Options

The 5512-X, 5515-X, 5525-X, 5545-X and 5555-X can have an extra interface card added. [13]

The 5585-X is offered with a choice of security services processor (SSP) modules, the SSP-10, SSP-20, SSP-40 and SSP-60, in ascending order of processing power. [14] The chassis also has a slot for an I/O module, which can be subdivided into two half-width modules. [15]

On the low-end models several features are restricted until a Security Plus license is installed; the license raises the limits on VLANs, VPN peers and connections, and enables high availability (failover). [13] Cisco AnyConnect is a separately licensed feature that terminates IPsec or SSL VPN tunnels from client software on PCs, iPhones and iPads. [16]

Models

The 5505, introduced in 2006, was a desktop unit designed for small enterprises and branch offices; it included an inbuilt switch and Power over Ethernet ports to reduce the need for other equipment. [17] It runs the 32-bit build of the software on an x86 processor. [11] The 5585-X, introduced in 2010, is a higher-powered unit for data centres. [18]

Earlier models (figures from the Cisco model comparison page [19])

Model            Cleartext    AES/3DES     Max simultaneous                   Max site-to-site and         Max SSL VPN
                 throughput   throughput   connections                        remote-access VPN sessions   user sessions
                 (Mbit/s)     (Mbit/s)
5505             150          100          10,000 (25,000 with Sec Plus)      10 (25 with Sec Plus)        25
5510             300          170          50,000 (130,000 with Sec Plus)     250                          250
5520             450          225          280,000                            750                          750
5540             650          325          400,000                            5,000                        2,500
5550             1,200        425          650,000                            5,000                        5,000
5580-20          5,000        1,000        1,000,000                          10,000                       10,000
5580-40          10,000       1,000        2,000,000                          10,000                       10,000
5585-X SSP-10    3,000        1,000        1,000,000                          5,000                        5,000
5585-X SSP-20    7,000        2,000        2,000,000                          10,000                       10,000
5585-X SSP-40    12,000       3,000        4,000,000                          10,000                       10,000
5585-X SSP-60    20,000       5,000        10,000,000                         10,000                       10,000

Cisco determined that most of the low-end devices had too little capacity for features such as anti-virus scanning or sandboxing, and so introduced a new line of next-generation firewalls, Firepower, which run the software in 64-bit mode. [11]

Models as of 2018 [13]

Model      Throughput (Gbit/s)   Gigabit Ethernet ports   10 Gigabit Ethernet ports   Form factor
5506-X     0.25                  8                        0                           desktop
5506W-X    0.25                  8                        0                           desktop
5506H-X    0.25                  4                        0                           desktop
5508-X     0.45                  8                        0                           1 RU
5512-X     0.3                   6                        0                           1 RU
5515-X     0.5                   6                        0                           1 RU
5516-X     0.85                  8                        0                           1 RU
5525-X     1.1                   8                        0                           1 RU
5545-X     1.5                   8                        0                           1 RU
5555-X     1.75                  8                        0                           1 RU
5585-X     4-40                  6-8                      2-4                         2 RU

References

  1. Cisco press release, archived 2012-12-04 at the Wayback Machine. Quote: "Las Vegas (Interop) May 3, 2005 – Cisco Systems, Inc., today announced the availability of the Cisco ASA 5500 Series Adaptive Security Appliances".
  2. Davis, David (19 February 2008). "Converting from old to new with the PIX to ASA Migration Tool". TechRepublic.
  3. Davis, David (30 June 2005). "Get to know Cisco's new security appliance: ASA 5500". TechRepublic. Retrieved 21 March 2018.
  4. "Cisco hits on firewall/VPN, misses on ease of use". May 2006. Retrieved 28 December 2012.
  5. Saarinen, Juha (20 February 2015). "Unpatched Cisco ASA firewalls targeted by hackers". iTnews. Retrieved 20 March 2018.
  6. Saarinen, Juha (30 January 2018). "Cisco ASA VPN feature allows remote code execution". iTnews.
  7. "NVD - CVE-2016-6367". nvd.nist.gov. Retrieved 13 July 2020.
  8. "NVD - CVE-2016-6366". nvd.nist.gov. Retrieved 13 July 2020.
  9. "The Shadow Brokers EPICBANANA and EXTRABACON Exploits". Cisco Blogs. 17 August 2016. Retrieved 13 July 2020.
  10. "Equation Group Firewall Operations Catalogue". musalbas.com. Archived from the original on 16 August 2016.
  11. "Intro to the Cisco ASA". research.nccgroup.com. 20 September 2017.
  12. "Cisco ASA New Features by Release". Cisco.
  13. "Cisco ASA with FirePOWER Services Data Sheet". Cisco. 9 February 2018. Archived from the original on 3 April 2018. Retrieved 20 March 2018.
  14. Moraes, Alexandre M. S. P. (2011). Cisco Firewalls. Cisco Press. ISBN 9781587141119.
  15. "Cisco ASA 5585-X Stateful Firewall Data Sheet". Cisco. 7 June 2017. Archived from the original on 3 April 2018. Retrieved 20 March 2018.
  16. Carroll, Brandon (5 January 2011). "Cisco AnyConnect vs. IPsec VPN: Licensing considerations". TechRepublic. Archived from the original on 22 March 2018. Retrieved 21 March 2018.
  17. "Cisco Expands Security". Network Computing. 9 July 2006.
  18. "Cisco's High-Performance ASA Appliance, New Version Of Anyconnect". Network Computing. 5 October 2010.
  19. "Cisco ASA Model Comparison page". Retrieved 15 May 2008.