Monday, January 11, 2010

ASA Technology Update

For those of you who have taken the ASA course with me in the past (8.0 and earlier) this article will serve as a brief introduction to a few of the new features that Cisco has released recently that I thought you may be interested in. This may also prove helpful to those who have not taken the course but administer or are considering using the Cisco ASA 5500 series firewalls.


SNMP V3

Over the last several years, whenever the topic of Simple Network Management Protocol (SNMP) came up among security engineers or auditors, the stated best practice was to disable it. While this is not always an option, because of the loss of management functionality, it often proved to be a necessity from a security standpoint, since earlier versions offered no encryption of management traffic. While routers and switches have supported SNMP V3 for quite some time, it has only recently surfaced on the ASA.

As of version 8.2 of the ASA, SNMP V3 is supported, including DES, 3DES, and AES for protection of management data. This is great news to those of you who are required to support SNMP yet are also expected to pass annual security audits. The only question that remains is whether or not your monitoring software supports SNMP V3.

Botnet Traffic Filter

Another very exciting feature in the 8.2 release is the Botnet Traffic Filter. This new technology enables the ASA to monitor both inbound and outbound traffic and compare the external IP addresses and hostnames against a dynamic database of known hostile IP addresses and domain names. Essentially, after purchasing the license for this feature (a 30-day trial is available), your firewall gains insight into the latest known locations of botnet control points, SPAM distribution points, and other known hostile hosts.

The Cisco Security Intelligence Operations Group maintains this real-time blacklist. The CSIOG is made up of hundreds of engineers and researchers analyzing terabytes of data each day and building a global correlation rule set. Cisco has leveraged technology that was originally part of the IronPort product (SenderBase) and is now referring to that technology as SensorBase.

Imagine a scenario where a spear-phishing attack is used against an accountant or a board-level executive. An attack that incorporates a new 0-day PDF exploit is run, which bypasses your antivirus, and the agent attempts to connect to a control point in Russia. If the control point is hosted in a known hostile net block, the ASA can prevent this connection from establishing and send a notification of the attempted communication to the administrator. This makes for a much happier ending than the ones you’ve been reading about in the news lately.
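To make the decision described above concrete, here is an added example (not Cisco code and not part of the original article) of how a blocklist-driven egress filter classifies a connection: the destination address is matched against listed netblocks, the destination name against listed domains and their subdomains, and a match is either reported or dropped depending on the mode. The netblocks, domains and hosts are constructed from the RFC 5737 documentation ranges and `.example` names and stand in for the dynamic database the ASA downloads.

```python
"""Added example of a blocklist-driven egress filter decision.

All netblocks, domains and addresses below are constructed (RFC 5737
documentation ranges and .example names), not a real reputation feed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the dynamic reputation database the ASA downloads.
HOSTILE_NETBLOCKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.128/25")]
HOSTILE_DOMAINS = {"c2.example.net", "spam-relay.example.org"}


@dataclass
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int
    dst_host: Optional[str] = None  # hostname learned from the DNS reply, if any


def hostile_netblock(ip: str) -> Optional[str]:
    """Return the listed netblock containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((str(net) for net in HOSTILE_NETBLOCKS if addr in net), None)


def hostile_domain(host: str) -> Optional[str]:
    """Return the listed domain that host equals or sits under, or None.

    www.c2.example.net matches c2.example.net; example.net alone does not.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in HOSTILE_DOMAINS:
            return candidate
    return None


def evaluate(conn: Connection, mode: str = "drop") -> Tuple[str, List[str]]:
    """Classify one connection.

    mode="monitor" only reports matches; mode="drop" also blocks them.
    Returns the action taken and the list of reasons (empty for clean traffic).
    """
    reasons = []
    net = hostile_netblock(conn.dst_ip)
    if net:
        reasons.append(f"destination {conn.dst_ip} is in listed netblock {net}")
    if conn.dst_host:
        dom = hostile_domain(conn.dst_host)
        if dom:
            reasons.append(f"destination name {conn.dst_host} is under listed domain {dom}")
    if not reasons:
        return "permit", []
    action = "drop" if mode == "drop" else "permit"
    # The notification an administrator would receive for the attempt.
    print(f"BOTNET-FILTER {action}: {conn.src_ip} -> {conn.dst_ip}:{conn.dst_port} "
          f"({'; '.join(reasons)})")
    return action, reasons


if __name__ == "__main__":
    evaluate(Connection("10.1.1.20", "203.0.113.7", 443))
    evaluate(Connection("10.1.1.21", "192.0.2.9", 443, dst_host="www.c2.example.net"))
    evaluate(Connection("10.1.1.22", "192.0.2.5", 80))
```

The domain check walks from the full name up to its registrable parent so that a freshly generated subdomain of a listed domain is still caught, which is the reason hostname matching matters in addition to address matching when the hostile host changes IP addresses.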

AnyConnect Essentials

AnyConnect Essentials is a new licensing option for the SSL VPN client on the ASA. With the introduction of SSL VPN, Cisco began charging “per connection” fees for remote VPN connections. This came as a shock to many of you who were accustomed to connecting as many users as the box allowed with IPSec and had never given a thought to licensing. The default WebVPN license on the ASA covers 2 concurrent WebVPN users; each additional user requires additional licensing.

The traditional WebVPN licensing is a fairly cost-prohibitive option for many of the customers I’ve spoken with; however, it was only required if you were using WebVPN. The traditional IPSec VPN connections, either site-to-site or remote access, worked just as before with no licensing fees. The problem is that Cisco did not release a Windows 7 or a 64-bit Windows IPSec client, which means that for each remote user on a 64-bit OS you will need a license, one per user who will be connected to the ASA at the same time.

With the AnyConnect Essentials licensing you can purchase a reduced-cost license that allows client-based users to build VPN connections using the AnyConnect client. In other words, if you want to use the web portal (clientless) or support Cisco Secure Desktop, you will need the traditional (more expensive) licenses. If you simply need those 64-bit Windows hosts to connect remotely using a software client, you can purchase the (less expensive) AnyConnect Essentials license.

For those of you with Apple hardware running Snow Leopard (10.6), you will be relieved to know that even though you have a 64-bit operating system there is built-in support for Cisco IPSec remote access, so you will not have to purchase any additional licensing or even install additional software, as it’s built directly into the operating system (although a bit hidden). Simply add a new network interface, select VPN under Interface, and select Cisco IPSec under VPN Type. There is no need to launch a third-party application as was required in the past.


Netflow (8.1)

Technically, NetFlow support was introduced in 8.1; however, I still consider it a very exciting and relatively new feature. I’ve also found that many administrators are not aware of it, and it’s something I think you all should be using. As you may already know, Cisco Systems developed NetFlow as a way to export information about IP flows for detailed monitoring and auditing of network traffic. A flow is essentially the combination of the following pieces of information:

• Source & destination IP address
• Source & destination port number
• IP protocol number
• Ingress interface
• Type of service

I like to compare NetFlow data to the detailed information that my cellular provider gives me each month on my bill. I can see whom I communicated with, how long I communicated with them, the times that the communication took place, and how we communicated (whether it was a phone call or a text message). NetFlow is not a full IP log or capture of all data; it is simply information about the flows of data. We collect these flows and then build detailed reports and statistics from them, such as: when your peak traffic hours are, what your top protocols are, which hosts are your top talkers, who’s moving the most data, which protocols or ports were seen today for the first time (botnet communication detection), etc.

NetFlow data is extremely useful to administrators. Not only does it serve as a window into current network conditions, but once archived to a database you can gain insight into how long certain hosts have been communicating (days, weeks, years) and how often. If a host has been compromised and we see that it’s been communicating with a command & control point, we can run a query against all recorded traffic and determine whether other hosts are communicating with that same control point, how long this has been occurring, what data has been leaked, etc.
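The two passages above, the flow definition with its example reports and the query for every host that reached a known control point, are illustrated by the following added example. It is not the ASA’s NetFlow export nor code from any collector product; it aggregates constructed packet observations into flows keyed by the seven fields listed above, then answers the questions an administrator would put to the archive: top talkers, destination ports never seen in the baseline, and which internal hosts talked to a suspect address, for how long, and how much they sent.

```python
"""Added example: NetFlow-style flow aggregation and the reports built from it.

All packet records below are constructed; no payload is kept, only counters
and timestamps, which is exactly what distinguishes flow data from a capture.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# One flow is identified by the fields the article lists: addresses, ports,
# IP protocol number, ingress interface and type of service.
FlowKey = Tuple[str, str, int, int, int, str, int]

# Constructed packet records:
# (timestamp, src, dst, sport, dport, proto, ingress interface, tos, bytes)
PACKETS = [
    (1000, "10.1.1.20", "192.0.2.10", 51000, 443, 6, "inside", 0, 1500),
    (1001, "10.1.1.20", "192.0.2.10", 51000, 443, 6, "inside", 0, 1500),
    (1005, "10.1.1.21", "192.0.2.10", 52000, 443, 6, "inside", 0, 600),
    (1010, "10.1.1.30", "198.51.100.9", 40000, 6667, 6, "inside", 0, 200),
    (1300, "10.1.1.30", "198.51.100.9", 40000, 6667, 6, "inside", 0, 200),
    (2000, "10.1.1.40", "198.51.100.9", 40001, 6667, 6, "inside", 0, 4000),
    (2100, "10.1.1.20", "192.0.2.53", 53000, 53, 17, "inside", 0, 80),
]


@dataclass
class Flow:
    first_seen: int
    last_seen: int
    packets: int = 0
    bytes: int = 0


def build_flows(packets: Iterable[tuple]) -> Dict[FlowKey, Flow]:
    """Aggregate packet observations into flows keyed by the seven fields."""
    flows: Dict[FlowKey, Flow] = {}
    for ts, src, dst, sport, dport, proto, iface, tos, size in packets:
        key: FlowKey = (src, dst, sport, dport, proto, iface, tos)
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(first_seen=ts, last_seen=ts)
        flow.packets += 1
        flow.bytes += size
        flow.last_seen = max(flow.last_seen, ts)
    return flows


def top_talkers(flows: Dict[FlowKey, Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Source addresses ordered by bytes sent, highest first."""
    totals: Dict[str, int] = defaultdict(int)
    for key, flow in flows.items():
        totals[key[0]] += flow.bytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def new_destination_ports(flows: Dict[FlowKey, Flow], baseline_ports) -> List[int]:
    """Destination ports in these flows that never appeared in the archived baseline."""
    return sorted({key[3] for key in flows} - set(baseline_ports))


def peers_of(flows: Dict[FlowKey, Flow], suspect_ip: str) -> List[Tuple[str, int, int, int]]:
    """Every source that talked to suspect_ip: (source, first_seen, last_seen, bytes)."""
    seen: Dict[str, List[int]] = {}
    for key, flow in flows.items():
        if key[1] != suspect_ip:
            continue
        entry = seen.setdefault(key[0], [flow.first_seen, flow.last_seen, 0])
        entry[0] = min(entry[0], flow.first_seen)
        entry[1] = max(entry[1], flow.last_seen)
        entry[2] += flow.bytes
    return sorted((src, *vals) for src, vals in seen.items())


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print("top talkers:", top_talkers(flows))
    print("ports not in baseline:", new_destination_ports(flows, {53, 80, 443}))
    print("hosts that reached 198.51.100.9:", peers_of(flows, "198.51.100.9"))
```

Running it shows port 6667 as new against a baseline of 53, 80 and 443, and `peers_of` reports that two internal hosts reached the suspect address, with the first and last timestamps giving how long the activity has been going on and the byte count bounding how much could have been leaked.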

NetFlow collection could be very useful to you, and while its full capabilities are impossible to cover in this short article, I can only suggest you investigate them in the future. It may also be helpful to know that the ASA exports in a format called NetFlow V9 (or NetFlow Secure Event Logging). Without going into the differences between the formats, I wanted to point out that the collector you use (your central logging point) must support NetFlow V9. NetFlow V9 is not widely supported; however, Plixer has a product called Scrutinizer which supports the ASA and NetFlow V9. I’ve used Scrutinizer and I’m very happy with the results. Many of you will also be happy to know that Scrutinizer has a free version.
