VPN enhancements for ASA/PIX version 7 include the following, in summary:
Filter Clients by OS
This new ASA/PIX version 7 enhancement enables you to limit the clients that can connect to your system by operating system and version, which means you can ensure that clients connecting to your network have security patches in place to satisfy your host security policy. You can see this feature in ASDM by navigating to the following panel:

IKE DoS Protection
This feature disables the sending of SCSI Parallel Interface (SPI) messages in the clear, reducing the possibility that these messages can be intercepted and used in a denial-of-service (DoS) attack against the security appliance.

Client-Friendly Reboot
This new ASA/PIX version 7 feature waits until all VPN clients have terminated before rebooting the ASA/PIX. You can see this feature in ASDM by navigating to the following panel:

Same Interface Packet Turnaround
This new ASA/PIX version 7 feature allows VPN clients terminating on the same interface to talk to each other, essentially creating hub-and-spoke secure client communication. Previous operating system versions would not let you reroute VPN traffic out the same interface. As a result, you needed another device on the inside of your security appliance, along with complex configuration, to route the traffic back out to the outside of your network. With this new feature, this is handled automatically for you. You can see this feature in ASDM by navigating to the following panel:

"Are You There" Functionality for Popular Firewalls and CSA
This new ASA/PIX version 7 feature enables you to configure the security appliance to require that a client connecting via a VPN tunnel must have certain security software installed before connectivity is established. This requirement is especially critical for VPN clients because they are coming into your network from the outside, where they can easily pick up worms, viruses, and other malicious software.
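The book shows these features only as ASDM panels. The following is an added CLI example (not from the book or from Cisco's documentation) showing the equivalent ASA 7.x configuration for three of them: Same Interface Packet Turnaround, Filter Clients by OS, and the "Are You There" firewall requirement. The group-policy name RemoteUsers, the tunnel-group name RemoteAccess, the client type strings and version wildcards are placeholders; the exact argument form of the client-firewall command varies by release and should be checked against the command reference for your version.

```cisco
! Added example configuration; names and values are placeholders.

! Same Interface Packet Turnaround: allow traffic that arrived on an
! interface to be sent back out the same interface, so two remote-access
! clients terminating on "outside" can reach each other through the
! appliance without a second device on the inside.
same-security-traffic permit intra-interface

group-policy RemoteUsers internal
group-policy RemoteUsers attributes
 ! Filter Clients by OS: rules are evaluated in priority order and the
 ! first match wins. Once any rule exists, a client matching no rule is
 ! denied, so a rule set must contain at least one permit. The type
 ! string must match what "show vpn-sessiondb remote" reports for the
 ! client, with * as a wildcard.
 client-access-rule 1 permit type WinNT version 4.*
 client-access-rule 2 deny type * version *
 ! "Are You There": refuse the tunnel unless the client reports a
 ! running supported personal firewall (assumed syntax; AYT is the
 ! are-you-there policy keyword, verify for your release).
 client-firewall req zonelabs-zonealarm policy AYT

! Attach the policy to the remote-access tunnel group.
tunnel-group RemoteAccess general-attributes
 default-group-policy RemoteUsers
```

Each client-access-rule only admits what it explicitly names, so when you add a deny rule for an old client version keep a permit rule for the versions you still support; otherwise every remote user is locked out. Confirm the result with show vpn-sessiondb remote after a test client connects.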