Cisco ASA/PIX Security Appliance Overview

The ASA/PIX Security Appliance is a multipurpose security device designed to protect against many different security threats. It is unusual in that it can serve as a perimeter device while also handling many of the layers of the traditional defense-in-depth model.

The ASA/PIX Security Appliance has many functions that protect your network. This book addresses the following specific functions:

  • Denial-of-service protection

  • Traffic filtering

  • Interface isolation (DMZ deployment)

  • Stateful traffic inspection

  • Application inspection

  • User authentication

  • Intrusion prevention

  • Secure management

  • Event logging

Denial-of-Service Protection

The ASA/PIX Security Appliance uses several techniques to determine whether a denial-of-service or distributed denial-of-service (DoS/DDoS) attack is being launched against it. In general, it detects invalid data flows that leave half-open connections on the appliance. If it finds them, it identifies which attempted flows are invalid and cleans them up, so that the hardware resources of the appliance remain available for its intended job of securing the network.

Traffic Filtering

The ASA/PIX Security Appliance uses access control lists (ACLs) to determine which protocols are allowed into and out of the security appliance. The ACLs let users on your inside network reach the Internet while keeping Internet traffic from entering your network unless you explicitly permit it.

Interface Isolation (DMZ Deployment)

The ASA/PIX Security Appliances have multiple interfaces that you can dedicate to isolating Internet-facing servers. This topology is often referred to as a demilitarized zone (DMZ). The feature is significant because, as discussed in earlier chapters, Internet servers are the devices that attackers most often target. If attackers compromise a host on the DMZ in order to reach hosts or devices on the inside of the network, they still have to get through the security appliance to reach the inside devices.

Stateful Traffic Inspection

Stateful inspection means that the security appliance keeps track of connections going in and out. This monitoring capability is significant because it enforces the rule that only traffic sourced from the inside of the security appliance, or explicitly allowed with an ACL, is let back through the appliance. Stateful inspection keeps potentially malicious traffic sourced from the Internet from traversing the security appliance and helps secure your inside network from application-level attacks.
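The traffic-filtering, DMZ and stateful-inspection behaviour described in the three sections above, expressed as an ASA configuration. This is an added example, not a configuration from the book: the interface names, ACL names and documentation-range addresses (203.0.113.0/24, 172.16.1.0/24, 192.168.1.0/24) are assumptions.

```cisco
! Added example (not from the book): three-interface ASA with outside, inside and dmz.
! Addresses are constructed documentation ranges; interface and ACL names are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Inbound from the Internet: only HTTP and HTTPS to the DMZ web server are permitted.
! Everything else is denied and logged (the implicit deny at the end of an ACL drops silently).
access-list OUTSIDE_IN extended permit tcp any host 172.16.1.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 172.16.1.10 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! From the DMZ: a compromised DMZ host must not be able to open connections inward.
! Only DNS to the internal resolver is allowed; any other traffic toward the inside
! network is denied and logged, while DMZ-to-Internet traffic is still permitted.
access-list DMZ_IN extended permit udp host 172.16.1.10 host 192.168.1.53 eq domain
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0 log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! No ACL is applied on the inside interface: traffic from security level 100 to a lower
! level is permitted by default, and the stateful connection table admits the replies
! to those sessions. A packet from the outside with no matching connection entry and no
! permitting ACL entry is dropped.
```

Two caveats a practitioner should keep in mind: the static NAT entry that exposes the DMZ web server is not shown, and the address an ACL must reference depends on the software release (before ASA 8.3 the ACL names the translated address; from 8.3 onward it names the real address, as above). The connection table that stateful inspection maintains can be examined with `show conn`.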

Application Inspection

Application inspection has two functions in the ASA/PIX Security Appliance:

  • Protocol-compliance enforcement: Ensures that network traffic adheres to the protocol specifications, which helps protect against applications that use protocols such as HTTP for other purposes. For example, peer-to-peer file-sharing and messaging applications that tunnel traffic through HTTP are recognized and their network traffic is blocked.

  • Modification of certain packets so that the traffic can properly traverse the network: Sometimes traffic that traverses an ASA/PIX Security Appliance to the Internet causes problems because the inside address of the source machine is embedded deep within the packet, while the source IP address in the packet header is changed before the packet is sent to the Internet. Application inspection watches for this scenario and rewrites the embedded address so that return traffic reaches the original source. Without this inspection capability, traffic such as voice, FTP, SQL, and some video-streaming protocols might never find its way back to the source device.

User Authentication

The ASA/PIX Security Appliance can authenticate users of protocols that it passes, such as Telnet, FTP, and HTTP. If you elect to authenticate users of these protocols, they must enter a username and password before their traffic can cross the security appliance. Users who enter the correct credentials are allowed to reach the requested service. If the username and password are not entered, or are entered incorrectly, the user is denied access and the attempt is logged to your security appliance syslog server. The ASA/PIX Security Appliance also offers several options for authenticating the administrators who manage the appliance.
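The user-authentication behaviour described above (often called cut-through proxy on the ASA/PIX) as an added configuration example; it is not from the book. The RADIUS server address, the server-group and ACL names, and the shared-secret placeholder are assumptions.

```cisco
! Added example (not from the book). Server address, names and the secret are constructed.
!
! Authentication server group: a RADIUS server reachable on the inside network.
aaa-server AUTH_SERVERS protocol radius
aaa-server AUTH_SERVERS (inside) host 192.168.1.40
 key <shared-secret-placeholder>
!
! Which sessions require a login before they may cross the appliance:
! outbound Telnet, FTP and HTTP from the inside network.
access-list AUTH_OUTBOUND extended permit tcp 192.168.1.0 255.255.255.0 any eq telnet
access-list AUTH_OUTBOUND extended permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list AUTH_OUTBOUND extended permit tcp 192.168.1.0 255.255.255.0 any eq www
aaa authentication match AUTH_OUTBOUND inside AUTH_SERVERS
!
! Expire an authenticated user after 15 minutes of inactivity so that an unattended
! workstation does not keep an open authorization.
timeout uauth 0:15:00 inactivity
!
! Successful and failed logins are reported as syslog messages 109005 and 109006
! once logging to a syslog server is enabled (see the Event Logging section).
```

Only the protocols listed in the matching ACL prompt for credentials; other permitted traffic from the same hosts passes without a login, so the ACL should cover exactly the services you want gated. Current authenticated users can be listed with `show uauth`.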

Intrusion Prevention

The Cisco ASA/PIX Security Appliance uses a set of well-known attack signatures to determine whether attack traffic is attempting to traverse the security appliance. You can configure the security appliance either to drop the attack traffic it finds or to report the traffic to a syslog server. In addition, the security appliance lets you write custom service policies that enforce protocol compliance on selected traffic traversing the appliance.
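The two application-inspection functions (protocol-compliance enforcement and embedded-address rewriting) and the signature-based intrusion prevention described in the sections above, as one added configuration example that is not from the book. The policy-map name HTTP_STRICT and the ip audit policy names are assumptions; the other keywords are standard ASA Modular Policy Framework and ip audit syntax.

```cisco
! Added example (not from the book). HTTP_STRICT, INFO_SIGS and ATTACK_SIGS are assumed names.
!
! 1. Protocol-compliance enforcement for HTTP: a connection whose traffic does not
!    conform to the HTTP specification is dropped and logged. Applications that
!    tunnel other protocols over port 80 are a typical case.
policy-map type inspect http HTTP_STRICT
 parameters
  protocol-violation action drop-connection log
!
! 2. Application inspection in the global service policy. The FTP, SIP, SQL*Net and
!    H.323 engines rewrite addresses embedded in the payload that address translation
!    does not see, so return traffic reaches the original inside host.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect sip
  inspect sqlnet
  inspect h323 h225
  inspect h323 ras
  inspect http HTTP_STRICT
service-policy global_policy global
!
! 3. Built-in attack signatures (ip audit) on the Internet-facing interface:
!    informational signatures only raise a syslog alarm; attack signatures are
!    logged, the packet dropped and the TCP connection reset.
ip audit name INFO_SIGS info action alarm
ip audit name ATTACK_SIGS attack action alarm drop reset
ip audit interface outside INFO_SIGS
ip audit interface outside ATTACK_SIGS
```

Signature hits are reported as syslog messages in the 400000 range, and `show service-policy inspect http` shows how many connections the HTTP inspection policy has dropped, which is the first thing to check when a legitimate application stops working after the policy is applied.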

Secure Management

The ASA/PIX Security Appliance supports two secure methods of managing the appliance over the network: Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Although this book does show how to configure SSH, all the configurations herein use ASDM, which secures its connection to the device with HTTPS. The ASA/PIX Security Appliance also has built-in management support for Telnet and HTTP. Because these protocols pass traffic, including usernames and passwords, in clear text, making it easy for someone to steal access credentials, they are not recommended.
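The management-access advice above, shown as an added configuration example (not from the book) with the weak settings first and the hardened form after them. The management subnet 192.168.1.0/24, the username and the password placeholder are assumptions.

```cisco
! Added example (not from the book). Addresses are constructed; the admin account is a placeholder.
!
! --- Weak: clear-text Telnet reachable from any inside host, default login password,
!     SSH version 1 allowed.
telnet 0.0.0.0 0.0.0.0 inside
passwd cisco
ssh version 1
!
! --- Hardened: remove Telnet access entirely.
no telnet 0.0.0.0 0.0.0.0 inside
!
! RSA key pair used by SSH and HTTPS, and a local administrator account
! (replace the placeholder with a strong password).
crypto key generate rsa modulus 2048
username admin password <strong-password-placeholder> privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
!
! SSH version 2 only, accepted from the management subnet only; idle sessions
! are closed after 10 minutes.
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
!
! ASDM from the same subnet only. On the ASA, 'http server enable' listens for
! ASDM over HTTPS (TCP 443).
http server enable
http 192.168.1.0 255.255.255.0 inside
!
! No telnet, ssh or http statement references the outside interface, so the
! appliance is not manageable from the Internet at all.
```

Every management channel here is restricted twice: by protocol (SSHv2 and HTTPS only) and by source subnet. Administrative logins are then visible in syslog, and `show ssh sessions` lists the active SSH sessions.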

Event Logging

Many levels of logging are available on the ASA/PIX Security Appliance. This book uses syslog with the output sent to the ASDM application. Along with providing vital information about the status of your appliance, syslog makes troubleshooting the security appliance much more user friendly. ASA/PIX Security Appliance syslog enables you to identify possible network attacks and helps you perform attack analysis.
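A logging configuration that sends events both to ASDM and to an external syslog collector, as an added example that is not from the book. The collector address 192.168.1.50 is an assumption, and the two message lines in the comments are constructed to illustrate the ASA message format rather than captured from a device.

```cisco
! Added example (not from the book). The collector address is constructed.
logging enable
logging timestamp
logging device-id hostname
!
! Keep recent messages in the local buffer so 'show logging' is useful while troubleshooting.
logging buffered informational
logging buffer-size 65536
!
! Send informational and above to an external collector (survives a reboot of the
! appliance) and to ASDM for the live event view.
logging host inside 192.168.1.50
logging trap informational
logging asdm informational
!
! ACL entries that carry the 'log' keyword report their hits as message 106100;
! denies without it appear as 106023. Constructed examples of what the collector
! receives for a blocked packet and a failed user authentication:
!   %ASA-4-106023: Deny tcp src outside:198.51.100.7/4321 dst dmz:172.16.1.10/22 by access-group "OUTSIDE_IN"
!   %ASA-6-109006: Authentication failed for user 'jdoe' from 192.168.1.25/51000 to 203.0.113.80/80 on interface inside
```

Keeping an off-box copy matters for attack analysis: the local buffer is small and is lost on reload, whereas the collector retains the sequence of denies, authentication failures and signature alarms that reconstructs what happened.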



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar