Cisco ASA
In computer networking, the Cisco ASA 5500 Series Adaptive Security Appliances, or simply Cisco ASA, is Cisco's line of network security devices introduced in May 2005,[1] which succeeded three existing lines of popular Cisco products:
- Cisco PIX, which provided firewall and network address translation (NAT) functions; it ended sale on 28 July 2008.[2]
- Cisco IPS 4200 Series, which worked as intrusion prevention systems (IPS).
- Cisco VPN 3000 Series Concentrators, which provided virtual private networking (VPN).
The Cisco ASA is a unified threat management device, combining several network security functions in one box.[3]
Reception and criticism
Cisco ASA has become one of the most widely used firewall/VPN solutions for small to medium businesses.[4] Early reviews indicated the Cisco GUI tools for managing the device were lacking.[5]
A security flaw was identified when users customized the Clientless SSL VPN option of their ASAs; it was rectified in 2015.[6] Another flaw, in a WebVPN feature, was fixed in 2018.[7]
In 2017 The Shadow Brokers revealed the existence of two privilege escalation exploits against the ASA, called EPICBANANA[8] and EXTRABACON.[9][10] A code insertion implant called BANANAGLEE was made persistent by JETPLOW.[11]
Features
The 5506W-X includes a Wi-Fi access point.
Architecture
The ASA software is based on Linux. It runs a single Executable and Linkable Format (ELF) program called lina, which schedules processes internally rather than using the Linux facilities.[12] In the boot sequence a boot loader called ROMMON (ROM monitor) starts and loads a Linux kernel, which then loads lina_monitor, which in turn loads lina. ROMMON also has a command line that can be used to load or select other software images and configurations. The names of firmware files include a version indicator; -smp means the image is for a symmetrical multiprocessor (and 64-bit architecture), and other parts of the name indicate whether 3DES or AES is supported.[12]
The ASA software has an interface similar to the Cisco IOS software on routers. There is a command line interface (CLI) that can be used to query, operate or configure the device. In config mode the configuration statements are entered. The configuration is initially held in memory as the running-config but would normally be saved to flash memory.[12]
Software versions[12]

major release | 7.0 | 7.1 | 7.2 | 8.0 | 8.1 | 8.2 | 8.3 | 8.4 | 8.5 | 8.6 | 8.7 | 9.0 | 9.1 | 9.2 | 9.3 | 9.4 | 9.5 | 9.6 | 9.7 | 9.8 | 9.9 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
released[13] | 31 May 2005 | 6 Feb 2006 | 31 May 2006 | 18 Jun 2007 | 1 Mar 2008 | 6 May 2009 | 8 Mar 2010 | 31 Jan 2011 | 8 Jul 2011 | 28 Feb 2012 | 16 Oct 2012 | 29 Oct 2012 | 3 Dec 2012 | 24 Apr 2014 | 24 Jul 2014 | 30 Mar 2015 | 12 Aug 2015 | 21 Mar 2016 | 4 Apr 2017 | 15 May 2017 | 4 Dec 2017 |
end of life | × | × | × | × | × | × | × | × | × | × | × | × | × | × | | | | | | | |
for 5505-5550 | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | | | | | | | | |
for 5512-5585-X | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | | | | | |
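To make the image naming convention and the end-of-life table concrete, here is an added Python example (not from the article, and not Cisco's own tooling) that parses an ASA image filename into its version, -smp and crypto fields and reports which images in a flash listing belong to a major release the table above marks end-of-life. It assumes Cisco's usual convention that a -k9 suffix marks a 3DES/AES-capable image and -k8 one without strong crypto, and that version digits are written either compactly (asa983-smp-k9.bin) or dash-separated (asa9-12-4-smp-k9.bin); all filenames used are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Major releases the article's version table marks as end-of-life (7.0 through 9.2).
EOL_MAJORS = {"7.0", "7.1", "7.2", "8.0", "8.1", "8.2", "8.3", "8.4",
              "8.5", "8.6", "8.7", "9.0", "9.1", "9.2"}

# Filename layout assumed from Cisco's usual naming (the article only says the
# name carries a version, -smp and a crypto indicator): asa<version>[-smp]-k8|k9.bin,
# <version> compact digits ("983" = 9.8(3)) or dash-separated ("9-12-4" = 9.12(4)),
# -smp = 64-bit multiprocessor build, k9 = 3DES/AES capable, k8 = no strong crypto.
_NAME = re.compile(r"^asa(\d+(?:-\d+)*)(-smp)?-(k[89])\.bin$")

@dataclass
class AsaImage:
    name: str
    version: tuple       # (major, minor, maintenance)
    smp: bool            # 64-bit symmetric multiprocessor build
    strong_crypto: bool  # 3DES/AES supported

    @property
    def major(self) -> str:
        return f"{self.version[0]}.{self.version[1]}"
    @property
    def end_of_life(self) -> bool:
        return self.major in EOL_MAJORS

def parse_asa_image(name: str) -> Optional[AsaImage]:
    # Returns None for anything that is not a recognisable ASA image name.
    m = _NAME.match(name)
    if not m:
        return None
    digits, smp, crypto = m.groups()
    if "-" in digits:
        parts = [int(p) for p in digits.split("-")]
    else:
        parts = [int(c) for c in digits]  # one digit per field, e.g. 9.8(3)
    if len(parts) != 3:
        return None  # interim builds with extra fields are out of scope here
    return AsaImage(name, tuple(parts), smp is not None, crypto == "k9")

def end_of_life_images(names: List[str]) -> List[str]:
    # Names from a flash listing whose major release the table marks end-of-life.
    return [n for n in names if (img := parse_asa_image(n)) and img.end_of_life]

if __name__ == "__main__":
    # Constructed sample flash listing, not taken from a real device.
    flash = ["asa847-k8.bin", "asa983-smp-k9.bin", "asa9-12-4-smp-k8.bin", "asdm-783.bin"]
    print(end_of_life_images(flash))  # ['asa847-k8.bin']
```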
Options
The 5512-X, 5515-X, 5525-X, 5545-X and 5555-X can have an extra interface card added.[14]
The 5585-X has options for the SSP, or security services processor.[15] These range in processing power by a factor of 10, from the SSP-10 through the SSP-20 and SSP-40 to the SSP-60. The ASA 5585-X has a slot for an I/O module; this slot can be subdivided into two half-width modules.[16]
On the low-end models some features are limited and are unlocked by installing a Security Plus License, which enables more VLANs or VPN peers, as well as high availability.[14] Cisco AnyConnect is an extra licensable feature that establishes IPsec or SSL tunnels to clients on PCs, iPhones or iPads.[17]
Models
The 5505, introduced in 2010, was a desktop unit designed for small enterprises or branch offices. It included features that reduce the need for other equipment, such as a built-in switch and Power over Ethernet ports.[18] The 5585-X is a higher-powered unit for datacenters, introduced in 2010.[19] It runs in 32-bit mode on an Intel-architecture Atom chip.[12]
Model | 5505[20] | 5510 | 5520[20] | 5540[20] | 5550[20] | 5580-20[20] | 5580-40[20] | 5585-X SSP10[20] | 5585-X SSP20[20] | 5585-X SSP40[20] | 5585-X SSP60[20] |
---|---|---|---|---|---|---|---|---|---|---|---|
Cleartext throughput, Mbit/s | 150 | 300 | 450 | 650 | 1,200 | 5,000 | 10,000 | 3,000 | 7,000 | 12,000 | 20,000 |
AES/Triple DES throughput, Mbit/s | 100 | 170 | 225 | 325 | 425 | 1,000 | 1,000 | 1,000 | 2,000 | 3,000 | 5,000 |
Max simultaneous connections | 10,000 (25,000 with Sec Plus License) | 50,000 (130,000 with Sec Plus License) | 280,000 | 400,000 | 650,000 | 1,000,000 | 2,000,000 | 1,000,000 | 2,000,000 | 4,000,000 | 10,000,000 |
Max site-to-site and remote access VPN sessions | 10 (25 with Sec Plus License) | 250 | 750 | 5,000 | 5,000 | 10,000 | 10,000 | 5,000 | 10,000 | 10,000 | 10,000 |
Max number of SSL VPN user sessions | 25 | 250 | 750 | 2,500 | 5,000 | 10,000 | 10,000 | 5,000 | 10,000 | 10,000 | 10,000 |
Cisco determined that most of the low-end devices had too little capacity to include the features needed, such as anti-virus or sandboxing, and so introduced a new line called next generation firewall. These run in 64-bit mode.[12]
Models as of 2018:[14]
Model | 5506-X | 5506W-X | 5506H-X | 5508-X | 5512-X | 5515-X | 5516-X | 5525-X | 5545-X | 5555-X | 5585-X |
---|---|---|---|---|---|---|---|---|---|---|---|
Throughput, Gbit/s | 0.25 | 0.25 | 0.25 | 0.45 | 0.3 | 0.5 | 0.85 | 1.1 | 1.5 | 1.75 | 4-40 |
Gigabit Ethernet ports | 8 | 8 | 4 | 8 | 6 | 6 | 8 | 8 | 8 | 8 | 6-8 |
10 Gigabit Ethernet ports | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2-4 |
Form factor | desktop | desktop | desktop | 1 RU | 1 RU | 1 RU | 1 RU | 1 RU | 1 RU | 1 RU | 2 RU |
References
- Cisco press release, archived 2012-12-04 at the Wayback Machine. Quote: "Las Vegas (Interop) May 3, 2005 – Cisco Systems, Inc., today announced the availability of the Cisco ASA 5500 Series Adaptive Security Appliances"
- Davis, David (19 February 2008). "Converting from old to new with the PIX to ASA Migration Tool". TechRepublic.
- Davis, David (30 June 2005). "Get to know Cisco's new security appliance: ASA 5500". TechRepublic. Retrieved 21 March 2018.
- "What is Cisco ASA? Cisco ASA Overview". Retrieved 28 December 2012.
- "Cisco hits on firewall/VPN, misses on ease of use". Retrieved 28 December 2012.
- Saarinen, Juha (February 20, 2015). "Unpatched Cisco ASA firewalls targeted by hackers". iTnews. Retrieved March 20, 2018.
- Saarinen, Juha (30 January 2018). "Cisco ASA VPN feature allows remote code execution". iTnews.
- "NVD - CVE-2016-6367". nvd.nist.gov. Retrieved 2020-07-13.
- "NVD - CVE-2016-6366". nvd.nist.gov. Retrieved 2020-07-13.
- "The Shadow Brokers EPICBANANA and EXTRABACON Exploits". Cisco Blogs. 2016-08-17. Retrieved 2020-07-13.
- "Equation Group Firewall Operations Catalogue". musalbas.com.
- "Intro to the Cisco ASA". www.nccgroup.trust.
- "Cisco ASA New Features by Release". Cisco.
- "Cisco ASA with FirePOWER Services Data Sheet". Cisco. 9 February 2018. Retrieved 20 March 2018.
- Moraes, Alexandre M. S. P. (2011). Cisco Firewalls. Cisco Press. ISBN 9781587141119.
- "Cisco ASA 5585-X Stateful Firewall Data Sheet". Cisco. 7 June 2017.
- Carroll, Brandon (January 5, 2011). "Cisco AnyConnect vs. IPsec VPN: Licensing considerations". TechRepublic.
- "Cisco Expands Security". Network Computing. 9 July 2006.
- "Cisco's High-Performance ASA Appliance, New Version Of Anyconnect". Network Computing. 5 October 2010.
- "Cisco ASA Model Comparison page". Retrieved 2008-05-15.