Monday, July 19, 2010

CCNA Security 21

To attain the CCSP, you need to pass the SNRS, SNAF, IPS and SNAA exams. From here on, I'll cover material found in SNAF and SNAA. SNAF covers the fundamentals of the ASA, and SNAA covers its advanced aspects.
The ASA is designed as a single-box solution that provides baseline security for a network. The ASA is a type of firewall, so it makes sense to first define what a firewall is.

The original meaning of a firewall is a barrier that stops the spread of fire by isolating one compartment from another. This definition carries over to our hardware or software solution: it stops the spread of threats and isolates different subnets from one another. A firewall need not be a single device; a group of devices can also make up a firewall.

One of the most common firewall designs is the screened subnet. A screened subnet design involves an Outside, an Inside and a DMZ. The DMZ is the screened subnet: it hosts content that is meant for public access. It is screened in the sense that access to it is not completely unrestricted. This is what a screened subnet looks like:

Typically there is a router between the ISP and the ASA, but it is also possible for the ASA to connect directly to the ISP.

There are three types of firewalls. The most basic is the packet-filtering firewall, where we statically define the sockets of the packets we want to permit or reject, typically through access-lists. This is easily defeated by attackers who know how to craft packets, whether through spoofing or fragmentation, and it is also difficult to manage.

An ALG (Application Layer Gateway), otherwise known as a proxy server, works at layers 5 to 7. It serves as an intermediary between the client and the untrusted outside network; web and HTTP proxies are examples. A proxy server can authenticate and authorize users, and it is typically used for content security (e.g. restricting users from visiting certain sites). With a proxy server we also have to ensure the security integrity of the server itself, which depends on the operating system it runs on. The disadvantages are that it is a single point of failure and that it is difficult to add new services, since proxies are typically developed for a specific purpose (e.g. HTTP traffic).

Stateful packet filtering combines the best of both worlds, using state tables and TCP proxy technologies. This is the default used by the ASA and the Cisco-recommended firewall type. When an inside host initiates a connection outwards, a new entry is added to the state table, and traffic from the outside host is only allowed back in if it matches an active entry in the state table.

The state table records the state of all connections. Aside from the static sockets, the stateful firewall checks the state of each connection (sequence numbers, connection state, etc.). Each entry in the state table is known as a connection object. Cisco uses the Fast Path algorithm, which gives much higher performance than proxy servers and other firewall types.

When the ASA receives an ingress packet, it asks a few questions. The first is: is this a new connection? If so, the packet is matched against the ACLs and the XLATE tables; if it is permitted, a new connection object is created and the packet is sent to the Fast Path. If the packet instead matches an established connection object, it goes straight to the Fast Path.

ASA stands for both Adaptive Security Appliance and Adaptive Security Algorithm; the latter is the algorithm used in PIX and ASA devices. The ASA supports the following features:
- Stateful packet inspection
- User-based authentication (cut-through proxy)
- Modular Policy Framework
- Content security
- Security contexts
- Transparent firewall (L2)
- Web-based management

A cut-through proxy is also known as user-based authentication. It is done through a web page, Telnet or FTP connection, and the authentication leverages AAA.

MPF, or Modular Policy Framework, leverages MQC-style policies. This gives us granular control over flows and allows modular reuse of existing policies for more efficient use of memory.

In MPF, we group traffic into flows using class-maps. A class-map can have multiple match statements, matching access-lists, protocols and so on.

Next, we use policy-maps to define what we want to do with the traffic flows. In a policy-map, we reference class-maps and specify the action to apply to each flow, such as Inspect, IPS, Police, Priority, etc.

Notice that I mentioned Police and Priority. These are QoS terms, and yes, you can implement QoS and access control through the same mechanism.

The service-policy is then used to apply a policy-map either on a per-interface basis or globally.
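As an added example (not from the original post), here is an ASA configuration fragment that ties the screened subnet described above to the three MPF steps (class-map, policy-map, service-policy). Interface names, addresses, ACL and class-map names are assumed; the outside/DMZ/inside security levels are the conventional ordering and are not discussed in the post.

```cisco
! Constructed example: screened subnet with Outside, DMZ and Inside.
! Lower security level = less trusted; interfaces and addresses are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
! Packet-filtering part: the outside ACL only permits HTTP to the (assumed) DMZ web server.
! Any other outside packet is dropped unless it matches an existing connection object.
access-list OUTSIDE_IN extended permit tcp any host 172.16.0.10 eq 80
access-group OUTSIDE_IN in interface outside
!
! MPF step 1: class-maps group traffic into flows.
class-map DMZ_WEB
 match access-list OUTSIDE_IN
class-map inspection_default
 match default-inspection-traffic
!
! MPF step 2: the policy-map says what to do with each flow.
! "inspect" enables stateful application inspection; "set connection" limits
! the number of total and half-open (embryonic) connections to the web server.
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http
 class DMZ_WEB
  set connection conn-max 1000 embryonic-conn-max 200
!
! MPF step 3: the service-policy applies the policy-map globally (or per interface).
service-policy global_policy global
```

The same policy-map could instead be applied to a single interface with `service-policy global_policy interface outside`, which is the per-interface option mentioned above.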

IPS is implemented through an SSM. SSM stands for Security Services Module; AIP (Advanced Inspection and Prevention) and CSC (Content Security and Control) Security Services Modules are available.

The ASA can also run in transparent mode, where it acts as a Layer 2 bridge.
