VPN Enhancements


VPN enhancements for ASA/PIX version 7 include the following, in summary:

  • Filter clients by operating system and version

  • IKE DoS protection

  • Client-friendly reboot

  • Same interface packet turnaround (a.k.a. traffic U-turn on an interface)

  • "Are you there" functionality for popular personal firewalls and CSA

Filter Clients by OS

This new ASA/PIX version 7 enhancement enables you to limit the clients that can connect to the security appliance by operating system and client version. Because the rules are applied before the tunnel is established, you can exclude platforms or client versions that do not meet your host security policy (for example, versions that cannot be patched to your baseline). Note that the check is a filter on the type and version the client reports, not a verification of installed patches.

You can see this feature in ASDM by navigating to the following panel:

Configuration > Features > VPN > Group Policy > Add/Edit > IPSec > Client Access Rules

IKE DoS Protection

This feature disables the sending of Security Parameter Index (SPI) messages in the clear, reducing the possibility that these messages can be intercepted and used to mount a denial-of-service (DoS) attack against the security appliance.

Client-Friendly Reboot

This new ASA/PIX version 7 feature delays a requested reboot until all active VPN sessions have terminated voluntarily, rather than dropping the tunnels the moment the reload is issued.

You can see this feature in ASDM by navigating to the following panel:

Configuration > Features > VPN > IKE > Global Parameters

Same Interface Packet Turnaround

This new ASA/PIX version 7 feature allows VPN clients terminating on the same interface to talk to each other, with the security appliance acting as the hub of a hub-and-spoke topology for secure client-to-client communication.

Previous operating system versions would not route VPN traffic back out the interface on which it arrived. This meant you needed another device on the inside of your security appliance, plus a complex configuration that routed the traffic back to the outside of your network. With this new feature, the appliance handles the turnaround for you.

You can see this feature in ASDM by navigating to the following panel:

Configuration > Features > VPN > General > VPN System Options

"Are You There" Functionality for Popular Firewalls and CSA

This new ASA/PIX version 7 feature enables you to configure the security appliance to require that a client connecting via a VPN tunnel has a specific personal firewall, or Cisco Security Agent (CSA), installed and running before connectivity is established. The client's "Are You There" (AYT) check confirms that the firewall is present and keeps confirming it while the session is up. This requirement is especially critical for VPN clients because they are coming into your network from the outside, where they can easily pick up worms, viruses, and other malicious software.
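The ASDM panels named above each map to a few lines of ASA/PIX 7.x CLI. The fragment below is an added example and is not configuration from the book; the group-policy name RemoteUsers is hypothetical, and the client type strings used in the access rules are illustrative and must match the type and version strings your appliance reports for connected peers. The IKE DoS protection feature is not shown because the text gives no panel or command for it.

```cisco
! Added example (not from the original text). Hostname, group-policy name
! and client type strings are assumptions for illustration.

! --- Filter clients by OS / client version (group-policy attribute) ---
! Rules are evaluated in priority order. Once any rule exists, a client that
! matches no rule is denied, so every deny must be paired with a permit or
! nobody in this group can connect.
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
 client-access-rule 1 deny type VPN3002 version 3.*
 client-access-rule 2 permit type * version 4.*

! --- "Are You There" personal firewall requirement (same group policy) ---
! "req" refuses the tunnel if the client cannot confirm the firewall is
! running; "opt" would only report it. The Cisco Security Agent variant is
!   client-firewall req cisco-security-agent
 client-firewall req zonealarm policy AYT

! --- Client-friendly reboot: wait for sessions to end before reloading ---
crypto isakmp reload-wait

! --- Same interface packet turnaround (hairpinning client-to-client) ---
same-security-traffic permit intra-interface
```

After applying the group-policy rules, verify them against a live session with `show vpn-sessiondb remote`, which displays the client type and version strings the access rules are matched against; a wildcard that is too narrow shows up as clients being denied, not as an error at configuration time.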


Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar