- July 25, 2015
- Posted by: Surender Kumar
- Category: Cisco ASA
Cisco ASA Functionality
Table of Contents
Cisco ASA offers a lot of functionalities and I have explained some of the most widely used ASA functionalities below:
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network. If you have network resources that need to be available to an outside user, such as a web or FTP server, you can place these resources on a separate network behind the firewall, called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ only includes the public servers, an attack there only affects the servers and does not affect the others inside network. You can also control when inside users access outside networks (for example, access to the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by coordinating with an external URL filtering server.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited access to outside users.
A security policy determines which traffic is allowed to pass through the firewall to access another network. By default, the ASA allows traffic to flow freely from an inside network (higher security level) to an outside network (lower security level) but not in reverse direction. You can apply actions to traffic to customize the security policy.
Security Policy section includes:
• Permitting or Denying Traffic with Access Lists
• Applying NAT
• Protecting from IP Fragments
• Using AAA for Through Traffic
• Applying HTTP, HTTPS, or FTP Filtering
• Applying Application Inspection
• Sending Traffic to the IPS Module
• Sending Traffic to the Content Security and Control Module
• Applying QoS Policies
• Applying Connection Limits and TCP Normalization
• Enabling Threat Detection
• Enabling the Botnet Traffic Filter
• Configuring Cisco Unified Communications
Cisco ASA can be used in 2 modes which are Routed Mode and Transparent Mode.
Routed Firewall Mode
In routed mode, the ASA is considered to be a router in the network. It can use OSPF or RIP (in single context mode). Routed mode supports many interfaces. Each interface is on a different subnet. You can share interfaces between contexts. The inside interface works as default gateway for client computers. The ASA acts as a router between connected networks, and each interface requires an IP address on a different subnet. This is the default working mode of Cisco ASA.
Transparent Firewall Mode
ASA in Transparent firewall mode, works a Layer 2 switch/bridge while still providing firewall benefits (intrusion prevention, packet inspection etc). In this mode ASA acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router to connected devices. Only management interface can receive an IP address when ASA is working in Transparent Mode. The ASA connects the same network between its interfaces. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network without having to make any change in network.
All traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process.
However, a Stateful Firewall like the ASA, takes into consideration the state of a packet:
- Is this a new connection?
If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the “session management path,” and depending on the type of traffic, it might also pass through the “control plane path.”
The session management path is responsible for the following tasks:
– Performing the access list checks
– Performing route lookups
– Allocating NAT translations
– Establishing sessions in the “fast path”
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP and SNMP.
- Is this an established connection?
If the connection is already established, the ASA does not need to re-check packets; most matching packets can go through the “fast” path in both directions. The fast path is responsible for the following tasks:
– IP checksum verification
– Session lookup
– TCP sequence number check
– NAT translations based on existing sessions
– Layer 3 and Layer 4 header adjustments
For UDP or other connectionless protocols, the ASA creates connection state information so that it can also use the fast path.
Data packets for protocols that require Layer 7 inspection can also go through the fast path. Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering. Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.
A VPN is a secure connection across a public network (such as the Internet) that appears as a private connection. This secure connection is called a tunnel. The ASA uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The ASA functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination. The ASA invokes various standard protocols to accomplish these functions.
The ASA performs the following functions:
• Establishes tunnels
• Negotiates tunnel parameters
• Authenticates users
• Assigns user addresses
• Encrypts and decrypts data
• Manages security keys
• Manages data transfer across the tunnel
• Manages data transfer inbound and outbound as a tunnel endpoint or router
The ASA invokes various standard protocols to accomplish these functions.
You can partition a single ASA into multiple virtual devices, known as Security Contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS and management. Some features are not supported, including VPN and dynamic routing protocols.
In multiple context mode, the ASA includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a standalone device. The system administrator adds and manages contexts by configuring them in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the ASA. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The admin context is just like any other context, except that when a user logs into the admin context, then that user has system administrator rights and can access the system and all other contexts.