Cisco ASA Firewall

Cisco ASA has become one of the most widely used firewall/VPN solutions for small to medium businesses.

The firewall is the barrier between a trusted and untrusted network, often used between your LAN and WAN. It’s typically placed in the forwarding path so that all packets have to be checked by the firewall, where we can drop or permit them.

Architecture

The ASA software is based on Linux. It runs a single Executable and Linkable Format program called lina. This schedules processes internally rather than using the Linux facilities. In the boot sequence a boot loader called ROMMON (ROM monitor) starts, loads a Linux kernel, which then loads the lina_monitor, which then loads lina. The ROMMON also has a command line that can be used to load or select other software images and configurations. The names of firmware files include a version indicator, -smp means it is for a symmetrical multiprocessor (and 64 bit architecture), and different parts also indicate if 3DES or AES is supported or not.

The ASA software has a similar interface to the Cisco IOS software on routers. There is a command line interface (CLI) that can be used to query operate or configure the device. In config mode the configuration statements are entered. The configuration is initially in memory as a running-config but would normally be saved to flash memory.

Options

The 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X can have an extra interface card added

The 5585-X has options for SSP. SSP stands for security services processor. These range in processing power by a factor of 10, from SSP-10 SSP-20, SSP-40, and SSP-60. The ASA 5585-X has a slot for an I/O module. This slot can be subdivided into two half-width modules.

On the low-end models, some features are limited, and uncrippling happens with the installation of a Security Plus License. This enables more VLANs, or VPN peers, and also high availability. Cisco AnyConnect is an extra licensable feature that operates IPSec or SSL tunnels to clients on PCs, iPhones or iPads.

Stateful filtering

Firewalls, like routers can use access-lists to check for the source and/or destination address or port numbers. Most routers, however, don’t spend much time at filtering…when they receive a packet, they check if it matches an entry in the access list and if so, they permit or drop the packet. That’s it.

No matter if they receive a single packet or thousands, each packet is treated individually and we don’t keep track of packets we have seen before or not. This is called stateless filtering.

Firewalls, on the other hand, use stateful filtering. They keep track of all incoming and outgoing connections. Here are some examples:

A computer on the LAN uses its email client to connect to a mail server on the Internet. The client will start the connection with a TCP three-way handshake, which the firewall sees. The firewall will keep track of this connection and when the mail server responds, the firewall will automatically permit this traffic to return to the client.

A web server is sitting behind a firewall, it’s a busy server that accepts an average of 20 new TCP connections per second from different IP addresses. The firewall keeps track of all connections, once it sees a source IP address that is requesting more than 10 new TCP connections per second, it will drop all traffic from this source IP address, preventing a DoS (Denial of Service).

Who this course is for:

• IT students, Anyone who wants to change the carrier