Cisco ASA Configuration in Software

Drawer Data Matrix in Software Cisco ASA Configuration

All the security appliances implement a very basic form of intrusion detection and prevention systems (IDS and IPS respectively) The ASAs, however, support a full-blown implementation of IDS/IPS with the add-on Advanced Inspection and Prevention (AIP) SSM modules (AIP-SSM for short) These cards support the full functionality of Cisco s 4200 series sensors, including the detection and prevention of the following: Application and operating system attacks, including web, e-mail, and DNS attacks External attacks from hackers Internal attacks from disgruntled employees Zero-day exploits Internet worms (through the use of anomaly detection techniques)

The security appliances support a handful of network attack prevention features: Threat detection TCP normalization Connection limits and timeouts IP spoofing prevention

With threat detection, the appliance monitors the rate of dropped packets and security events, which can be caused by matches on ACL deny statements, receiving invalid packets, exceeding connection limits (total connections and TCP connections that don t complete the initial three-way handshake), detecting denial of service attacks, receiving suspicious ICMP packets, overloading interfaces, detecting a reconnaissance scan, and many other factors When a threat is detected, a log message is generated The TCP normalization feature lets you specify matching criteria that identify abnormal TCP packets, which the security appliance drops when detected TCP normalization is implemented using the Modular Policy Framework (MPF, discussed in 10) TCP normalization can identify and prevent inconsistent TCP retransmissions by validating TCP checksums, allowing or dropping TCP segments that exceed the maximum segment size (MSS), limiting the number of out-of-order packets for a connection, dropping SYN segments with data, and handling many other abnormalities with TCP transmissions Cisco supports a TCP Intercept feature that allows you to place limits on the number of complete and/or half-open connections A half-open connection is one that has not completed the initial three-way handshake: SYN, SYN/ACK, and ACK This feature can be used to defeat or greatly limit the effect of a TCP SYN flood attack

1:

IP spoofing, where the source address has been changed, can be detected and prevented using ACLs However, Cisco supports a feature called Reverse Path Forwarding (RPF) that provides a more efficient process, where the appliance does a reverse-route lookup examines the source address and compares it with the routing table entries to determine if the source address is coming from an interface it is expected to be connected to Network attack prevention features are discussed in more depth in 24

The ASAs are one of Cisco s newer security products, introduced in May 2005 along with the version 70 operating system update The ASA 5510, 5520, and 5540 were the first ASAs Since then, three new models were added to the product line the 5505, 5550, and 5580 and four revisions of the software have been introduced version 71, 72, 80, and 81 The following sections will discuss the ASA models you can purchase as well as the licensing method Cisco uses to control the features that are activated on the security appliances NOTE As of the writing of this book, the ASA 5580s support 81 the remainder of the ASA and PIX security appliances support up to 80

Unlike the PIX security appliances, which were originally designed on a PC-/serverbased Intel architecture, the ASAs are designed on a proprietary hardware architecture A few reasons are behind this change in philosophy: Because the PIXs are based on an Intel PC/server architecture, it is possible to build your own box and run Cisco s software on this (even though this is illegal) Cisco wants to make sure that you run only their software on their hardware; therefore, the ASAs hardware has been customized to address this and other issues Using a generic motherboard limits the capabilities of the appliances By custom designing the ASAs, Cisco has created a much more flexible, faster, and more capable product

The remainder of this section will provide an overview of the ASA models NOTE Since the PIXs are end-of-sale (EOS), their architecture and capabilities are not discussed in this book Suffice it to say, however, that the ASAs by far outperform the PIXs and have more capacity than the PIXs Likewise, the ASAs are the replacement of the Cisco VPN 3000 concentrators, which are also EOS