Cisco ASA
In computer networking, Cisco ASA 5500 Series Adaptive Security Appliances, or simply Cisco ASA, is Cisco's line of network security devices introduced in May 2005.[1] It succeeded three existing lines of popular Cisco products:
- Cisco PIX, which provided firewall and network address translation (NAT) functions; its sale ended on July 28, 2008.[2]
- Cisco's IPS 4200 Series worked as intrusion prevention systems (IPS).
- Cisco VPN 3000 Series Concentrators, which provided virtual private networking (VPN).
The Cisco ASA is a unified threat management device, combining several network security functions in one box.[3]
Reception and criticism
Cisco ASA has become one of the most widely used firewall/VPN solutions for small to medium businesses. Early reviews indicated the Cisco GUI tools for managing the device were lacking.[4]
A security flaw was identified when users customized the Clientless SSL VPN option of their ASAs, but it was rectified in 2015.[5] Another flaw, in a WebVPN feature, was fixed in 2018.[6]
In 2017 The Shadow Brokers revealed the existence of two privilege escalation exploits against the ASA, called EPICBANANA[7] and EXTRABACON.[8][9] A code insertion implant called BANANAGLEE was made persistent by JETPLOW.[10]
Features
The 5506W-X has a Wi-Fi access point included.
Architecture
The ASA software is based on Linux. It runs a single Executable and Linkable Format (ELF) program called lina, which schedules processes internally rather than using the Linux facilities.[11] In the boot sequence a boot loader called ROMMON (ROM monitor) starts and loads a Linux kernel, which then loads lina_monitor, which in turn loads lina. ROMMON also has a command line that can be used to load or select other software images and configurations. The names of firmware files include a version indicator; -smp means the image is for a symmetric multiprocessor (and 64-bit architecture), and other parts of the name indicate whether 3DES or AES is supported.[11]
The ASA software has an interface similar to the Cisco IOS software on routers. There is a command line interface (CLI) that can be used to query, operate or configure the device. In configuration mode the configuration statements are entered. The configuration is initially held in memory as the running-config but would normally be saved to flash memory.[11]
Software versions[11]

Major release | Released[12] | End of life | Runs on 5505-5550 | Runs on 5512-X to 5585-X
---|---|---|---|---
7.0 | 31 May 2005 | × | Y |
7.1 | 6 Feb 2006 | × | Y |
7.2 | 31 May 2006 | × | Y |
8.0 | 18 Jun 2007 | × | Y |
8.1 | 1 Mar 2008 | × | Y |
8.2 | 6 May 2009 | × | Y |
8.3 | 8 Mar 2010 | × | Y |
8.4 | 31 Jan 2011 | × | Y |
8.5 | 8 Jul 2011 | × | Y |
8.6 | 28 Feb 2012 | × | | Y
8.7 | 16 Oct 2012 | × | | Y
9.0 | 29 Oct 2012 | × | | Y
9.1 | 3 Dec 2012 | × | | Y
9.2 | 24 Apr 2014 | × | | Y
9.3 | 24 Jul 2014 | | | Y
9.4 | 30 Mar 2015 | | | Y
9.5 | 12 Aug 2015 | | | Y
9.6 | 21 Mar 2016 | | | Y
9.7 | 4 Apr 2017 | | | Y
9.8 | 15 May 2017 | | | Y
9.9 | 4 Dec 2017 | | | Y
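As an added example (not code from the article or from Cisco), the following Python parses ASA image filenames of the kind described in the Architecture section and cross-references the major release against the end-of-life column of the table above, which is what an inventory audit of devices or flash contents needs. The digit-run and dash-separated version forms and the k8 (DES-only) versus k9 (3DES/AES) suffix are Cisco's naming conventions as known to the editor rather than stated on this page, and the sample filenames are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# End-of-life status per major release, transcribed from the software-version
# table on this page (a cross there means end of life when it was compiled).
END_OF_LIFE = {
    "7.0": True, "7.1": True, "7.2": True, "8.0": True, "8.1": True, "8.2": True,
    "8.3": True, "8.4": True, "8.5": True, "8.6": True, "8.7": True, "9.0": True,
    "9.1": True, "9.2": True, "9.3": False, "9.4": False, "9.5": False,
    "9.6": False, "9.7": False, "9.8": False, "9.9": False,
}

# Digit-run form ("asa982-smp-k8.bin" = 9.8(2)) or dashed form
# ("asa9-12-4-lfbff-k8.SPA" = 9.12(4)); an optional numeric group after the
# maintenance number is an interim build, letter-led tokens are build flags.
_DASHED = re.compile(r"^asa(\d+)-(\d+)-(\d+)(?:-(\d+))?((?:-[a-z]+\w*)*)\.(\w+)$")
_DIGITRUN = re.compile(r"^asa(\d)(\d)(\d+)(?:-(\d+))?((?:-[a-z]+\w*)*)\.(\w+)$")

@dataclass
class AsaImage:
    version: str                 # Cisco notation, e.g. "9.8(2)" or "9.8(2)5"
    major: str                   # "9.8": the key used in the release table
    smp: bool                    # -smp: 64-bit symmetric multiprocessor build
    strong_crypto: bool          # k9 = 3DES/AES image, k8 = DES-only image
    end_of_life: Optional[bool]  # None when the release is not in the table

def parse_image_name(name: str) -> AsaImage:
    m = _DASHED.match(name) or _DIGITRUN.match(name)
    if not m:
        raise ValueError(f"not an ASA image filename: {name!r}")
    maj, mino, maint, interim, tokens, _ext = m.groups()
    flags = set(tokens.split("-")) - {""}
    crypto = flags & {"k8", "k9"}
    if len(crypto) != 1:
        raise ValueError(f"missing or ambiguous crypto suffix in {name!r}")
    major = f"{maj}.{mino}"
    return AsaImage(version=f"{major}({maint}){interim or ''}", major=major,
                    smp="smp" in flags, strong_crypto=crypto == {"k9"},
                    end_of_life=END_OF_LIFE.get(major))

def flag_eol_images(names: list[str]) -> list[str]:
    """Return the filenames whose major release the table marks end of life."""
    return [n for n in names if parse_image_name(n).end_of_life]

if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real device.
    for n in ["asa825-k8.bin", "asa917-smp-k8.bin", "asa9-12-4-lfbff-k8.SPA"]:
        print(n, parse_image_name(n))
```

Releases newer than the table (such as 9.12) come back with end_of_life None rather than a guess, so an audit must consult a current Cisco bulletin for those.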
Options
The 5512-X, 5515-X, 5525-X, 5545-X and 5555-X can have an extra interface card added.[13]
The 5585-X has options for a security services processor (SSP).[14] These range in processing power by a factor of 10, from SSP-10 through SSP-20 and SSP-40 to SSP-60. The ASA 5585-X has a slot for an I/O module, which can be subdivided into two half-width modules.[15]
On the low end models some features are limited and are unlocked by installing a Security Plus License. This enables more VLANs or VPN peers, and also high availability.[13] Cisco AnyConnect is an extra licensable feature which operates IPsec or SSL tunnels to clients on PCs, iPhones or iPads.[16]
Models
The 5505, introduced in 2010, was a desktop unit designed for small enterprises or branch offices. It included features to reduce the need for other equipment, such as a built-in switch and Power over Ethernet ports.[17] The 5585-X is a higher-powered unit for datacenters, introduced in 2010.[18] It runs in 32-bit mode on an Intel architecture Atom chip.[11]
Model | 5505[19] | 5510 | 5520[19] | 5540[19] | 5550[19] | 5580-20[19] | 5580-40[19] | 5585-X SSP10[19] | 5585-X SSP20[19] | 5585-X SSP40[19] | 5585-X SSP60[19] |
---|---|---|---|---|---|---|---|---|---|---|---|
Cleartext throughput, Mbit/s | 150 | 300 | 450 | 650 | 1,200 | 5,000 | 10,000 | 3,000 | 7,000 | 12,000 | 20,000 |
AES/Triple DES throughput, Mbit/s | 100 | 170 | 225 | 325 | 425 | 1,000 | 1,000 | 1,000 | 2,000 | 3,000 | 5,000 |
Max simultaneous connections | 10,000 (25,000 with Sec Plus License) | 50,000 (130,000 with Sec Plus License) | 280,000 | 400,000 | 650,000 | 1,000,000 | 2,000,000 | 1,000,000 | 2,000,000 | 4,000,000 | 10,000,000 |
Max site-to-site and remote access VPN sessions | 10 (25 with Sec Plus License) | 250 | 750 | 5,000 | 5,000 | 10,000 | 10,000 | 5,000 | 10,000 | 10,000 | 10,000 |
Max number of SSL VPN user sessions | 25 | 250 | 750 | 2,500 | 5,000 | 10,000 | 10,000 | 5,000 | 10,000 | 10,000 | 10,000 |
Cisco determined that most of the low end devices had too little capacity to include the features needed, such as anti-virus or sandboxing, and so introduced a new line called next generation firewall. These run in 64-bit mode.[11]
Models as of 2018.[13]
Model | 5506-X | 5506W-X | 5506H-X | 5508-X | 5512-X | 5515-X | 5516-X | 5525-X | 5545-X | 5555-X | 5585-X |
---|---|---|---|---|---|---|---|---|---|---|---|
Throughput, Gbit/s | 0.25 | 0.25 | 0.25 | 0.45 | 0.3 | 0.5 | 0.85 | 1.1 | 1.5 | 1.75 | 4-40 |
Gigabit Ethernet ports | 8 | 8 | 4 | 8 | 6 | 6 | 8 | 8 | 8 | 8 | 6-8 |
10 Gigabit Ethernet ports | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2-4 |
Form factor | desktop | desktop | desktop | 1 RU | 1 RU | 1 RU | 1 RU | 1 RU | 1 RU | 1 RU | 2 RU |
References
1. Cisco press release quote: "Las Vegas (Interop) May 3, 2005 – Cisco Systems, Inc., today announced the availability of the Cisco ASA 5500 Series Adaptive Security Appliances"
2. Davis, David (19 February 2008). "Converting from old to new with the PIX to ASA Migration Tool". https://www.techrepublic.com/blog/data-center/converting-from-old-to-new-with-the-pix-to-asa-migration-tool/.
3. Davis, David (30 June 2005). "Get to know Cisco's new security appliance: ASA 5500". https://www.techrepublic.com/article/get-to-know-ciscos-new-security-appliance-asa-5500/. Retrieved 21 March 2018.
4. "Cisco hits on firewall/VPN, misses on ease of use". May 2006. http://www.networkworld.com/reviews/2006/050106-cisco-test-asa.html. Retrieved 28 December 2012.
5. Saarinen, Juha (20 February 2015). "Unpatched Cisco ASA firewalls targeted by hackers". iTnews. https://www.itnews.com.au/news/unpatched-cisco-asa-firewalls-targeted-by-hackers-400713. Retrieved 20 March 2018.
6. Saarinen, Juha (30 January 2018). "Cisco ASA VPN feature allows remote code execution". iTnews. https://www.itnews.com.au/news/cisco-asa-vpn-feature-allows-remote-code-execution-482111.
7. "NVD - CVE-2016-6367". https://nvd.nist.gov/vuln/detail/CVE-2016-6367.
8. "NVD - CVE-2016-6366". https://nvd.nist.gov/vuln/detail/CVE-2016-6366#vulnCurrentDescriptionTitle.
9. "The Shadow Brokers EPICBANANA and EXTRABACON Exploits". 17 August 2016. https://blogs.cisco.com/security/shadow-brokers.
10. "Equation Group Firewall Operations Catalogue". https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html.
11. "Intro to the Cisco ASA". 20 September 2017. https://research.nccgroup.com/2017/09/20/cisco-asa-series-part-one-intro-to-the-cisco-asa/.
12. "Cisco ASA New Features by Release". https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html.
13. "Cisco ASA with FirePOWER Services Data Sheet". 9 February 2018. https://cisco-apps.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html. Retrieved 20 March 2018.
14. Moraes, Alexandre M. S. P. (2011). Cisco Firewalls. Cisco Press. ISBN 9781587141119. https://books.google.com/books?id=-fbGYL8jsYEC.
15. "Cisco ASA 5585-X Stateful Firewall Data Sheet". 7 June 2017. https://cisco-apps.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-730903.html.
16. Carroll, Brandon (5 January 2011). "Cisco AnyConnect vs. IPsec VPN: Licensing considerations". https://www.techrepublic.com/blog/data-center/cisco-anyconnect-vs-ipsec-vpn-licensing-considerations/.
17. "Cisco Expands Security". 9 July 2006. https://www.networkcomputing.com/storage/cisco-expands-security/1694608310.
18. "Cisco's High-Performance ASA Appliance, New Version Of Anyconnect". 5 October 2010. https://www.networkcomputing.com/careers/ciscos-high-performance-asa-appliance-new-version-anyconnect/2074262048.
19. "Cisco ASA Model Comparison page". http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html. Retrieved 15 May 2008.
External links
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco TAC Security Podcast - ASA troubleshooting information
Original source: https://en.wikipedia.org/wiki/Cisco ASA.