Cisco ASA Firewall, Protect your Server with a Dedicated Cisco firewall
Gigenet utilizes Cisco's firewall services module (FWSM) to provide instant firewall activation and simple management through a secure web interface.
High Performance, High Scalability,
- Gbps throughput per module
- 100,000 connections per second
- 1,000,000 concurrent connections
- Single port or VLAN spanning
Best-In Class Features
- Time-tested Cisco PIX operating system
- PIX Device Manager GUI
- Transparent Layer(2) Firewalls
- Rich stateful inspection for web, VOIP
The Cisco firewall services module is designed to recognize and filter the following types of traffic:
- Core services: HTTP, FTP, ESMTP, DNS, ICMP, TCP, UDP
- Voice over IP (VoIP) / Unified Communication services: SIP, SCCP, H.323, RTSP, TAPI/JTAP, GTP
- Application/operating system services: LDAP/ILS, SunRPC, XDMCP, TFTP
More about Cisco ASA 5500 Series Adaptive Security Appliances
There are six main models in the ASA range, from the basic 5505 branch office model up to the 5580 datacenter versions; a full comparison is available on the Cisco website here: Cisco ASA 5500 Series Adaptive Security Appliances
Although this article will concentrate on the 5505 and 5510 models the basic feature set is in fact fairly consistent across the range, the main differences being in the maximum traffic throughput handled by each model and the number/type of interfaces.
At the most basic level the ASA is a transparent or routed firewall/NAT device, this means it is designed to sit between your LAN and the Internet; one interface (normally known as "outside") will be connected to your Internet access device and one or more interfaces (e.g. "inside" and "DMZ") will connect to your internal networks. This enables the ASA to inspect and control all traffic passing between your network and the Internet, exactly what it does with that traffic is the clever bit.
The ASA5510 is intended to be a single device solution to your Internet security requirements and with its 300Mbps throughput and 9,000 firewall connections per second capacity will be suitable for most office deployments. The key features will be covered in more detail later but in brief these are; firewall/NAT, SSL/IPsec VPN, content security and intrusion prevention. It has five 10/100Mbps ports, by default these provide one outside (Internet) interface, one management and three internal network interfaces but they are fully reconfigurable and also support vLANing for further network subdivision if required. Functionality can be upgraded via a Security Services Module port which provides support for additional Content Security and Intrusion Prevention features.
The ASA5505 is intended for small or branch office and teleworker deployments, often in conjunction with a 5510 or higher model at the head office to which it will establish a secure VPN, whilst providing full security for other Internet traffic. The device has 8 10/100Mbps Ethernet ports, including 2 with Power over Ethernet support suitable for PoE devices such as IP phones or cameras, so it can be used as single unit solution for the smaller office. Key differences compared to the 5510 are the reduced support for VPN connections (only 10 but upgradeable to 25 with license), only 3 vLANs (25 with Security Plus license) and only a slot for the optional Security Services Card so there is no option for the advanced Content Security services.
All ASA models include a fully featured policy based firewall and routing engine which allows you complete control of which traffic you allow in and out of your network. Layer 2/3 firewalling allows you to specify which hosts are allowed access through the ASA and also to perform Network Address Translation to map internal hosts to public IP addresses. Layer 7 firewall goes several steps further and also allows you to define access policies based on application and protocol type, providing extremely granular control over Internet access and protection against advanced types of network attack. Unlike many competitor's firewalls the ASA's policy and interface based approach to access control gives you complete control over traffic leaving your network as well as incoming, for example allowing you to restrict Instant Messaging use to only your approved client application. Deep packet inspection goes beyond simply analysing the protocol and port of the attempted connection to discover the application behind it making it virtually impossible for users to circumvent company IT policies.
SSL & IPsec VPN
Even the ASA 5505 includes full support for IPsec and SSL VPN endpoints, providing highly encrypted tunnels for office to office and remote user to office connections. The basic license for all ASAs allows IPsec VPN connections up to the maximum supported on each model but only includes two SSL VPN licenses, to allow for testing before deployment. The 5505 will support up to 25 simultaneous VPN connections, whilst the 5510 supports a maximum of 250 - these can be any combination of IPsec or SSL, and site to site or remote client types.
IPsec VPNs are commonly deployed between Cisco VPN devices for site to site connections, or initiated by client software on the remote worker's computer. Included with all ASA license bundles is the Cisco AnyConnect VPN client, with versions available for all major operating systems; Windows 2000 up to Windows 7, Mac OS X (10.4/5), Linux Intel kernel 2.6.x and even Windows Mobile 5.0/6.0/6.1 . Cisco AnyConnect provides several improvements over the basic IPsec functionality built into those operating systems, key features are:
- DTLS protocol support to help minimize latency for applications such as VoIP
- Support for SSL tunneling to ensure connectivity even through restrictive proxies and firewalls (if web browsing is possible then so is a VPN connection)
- Advanced encryption and wide range of authentication protocols, including two factor smartcard/token based
- Flexible IP tunneling for consistent user experience with features such as connection retention, ensuring the mobile user retains connectivity through disconnections, reboots and standby/hibernation.
Cisco ASA Firewalls: 5505, 5510, 5520, 5540, 5580, the full Cisco PIX Firewall family, FWSM, CSM, Cisco VPN Routers etc.
Cisco VPN: VPN 3000 Series Concentrators, VPN blades, Site-to-Site VPN, Remote Access VPN, Cisco SSL VPN etc.
Cisco IPS: 4200 series, IDSM-2 blade, Cisco IOS IPS, Shunning, IPS Manager, IDM, AIP-SSM, HIPS (CSA) etc.
Cisco MARS: MARS 20, MARS 50, MARS 100, integration with IPS and CSA, reports, queries, local / global set ups etc.
Identity Management: Cisco ACS, RADIUS, TACACS+, 802.1x, LDAP, OTP, RSA, certificates, biometrics etc.
Router & Switch Security: Access-Lists, VLAN maps, TCP Intercept, Lock-and-Key, Anti Spoofing, CBAC, IOS Firewall etc.
Network Admission Control (NAC): In-band, out-of-band, clean access client, ACS integration, 3rd. party integration etc.