ASA Limitations?

SephStorm · December 2015

Hey all,

I'm wondering, for those who run ASA's in an enterprise environment, do you think it has limitations that limit your ability to secure your enterprises? I don't think ASA is a NGFW product so I don't know if it has the features one might want, I know something that I valued was GEO-loc blocking which last time I did research was not easy on ASA's. So I figure there are other things they aren't good at.

networker050184 · December 2015

Depends on what your needs are. Kind of difficult to make a blanket statement as they can certainly be more than capable in the right set up.

Mike-Mike · December 2015

it seems to me that less and less people are using them. I know in my limited job search in my area, it is rare that I see a company using them. Mostly checkpoint, some Palo Alto in there too.

chrisone · December 2015

I am pro cisco but once I started dabbling with palo alto and checkpoint, it seems like those two have more to offer. Cisco acquiring source fire and integrating them into the ASA was a huge plus. However I have not played with source fire yet and can't compare it to the palo alto or checkpoint at this moment. I like Palo Alto most out of all those three.

Iristheangel · December 2015

I guess this can turn into a "Most people don't know what the ASA and Firepower devices can do" thread.... I'm doing a bit of a blog series about this right now and going through a lot of it in my security lab and Zero 2 Hero Security class on the weekends.

I'm using an ASA 5506 right now in my lab with Firepower services enabled.
Here's the ASA in the managed Devices menu:

I can create Geolocation-blocks and policies easily in my Access Control policy or block just a certain subnet, VLAN, user group, zone, ISE attributes, etc from contacting certain countries or locations:

I can also do URL filtering based on URL, category, reputation, etc for all, certain subnet, VLAN, user group, zone, ISE attributes, etc:

I can block certain pre-defined ports or add ports to be blocked for all, certain subnet, VLAN, user group, zone, ISE attributes, etc:

I can block pre-existing applications defined by OpenAppID (over 3000+ defined apps - I think most NGFWs are at 2000) or create a custom application and make rules based on it:

Iristheangel · December 2015

I can create file rules for Malware - blocking it, doing a cloud lookup, checking the metadata of the file as well, sandboxing (Dynamic Analysis - this is actually now integrated with Threatgrid as well in v6.0), etc. I can also store files if I would like and have the files checked later in case the disposition changes:

I can also discover users, hosts and applications on my network:

I can add SSL Decryption rules - Though I wouldn't advise putting SSL decrypt on ANY firewall since that's a resource hog and PFS will bit you in the butt:

I can also create DNS rules where I can block DNS requests for known or specified malicious servers or divert it to a Sinkhole (honeypot or other server you want to direct it to) for further testing and investigation:

Also I can create multiple IPS policies using Sourcefire/Snort that we all love and know in the industry and apply multiple Intrusion policies to the same device for specific rules:

This cool thing about the IPS is that it looks at the hosts, OSes, applications, etc and potential vulnerabilities that they could have and gives you the option to "Generate Recommendations" for IPS rules based on those potential vulnerabilities. At that point, you can either apply the rules or test them out by having them generate alerts only so you can check to make sure that you aren't getting false positives.

Iristheangel · December 2015

In my lab, I also have ISE integrated with Firepower/Sourcefire so I can pull identity information and other attributes to give further context and create policies on my firewall based on these attributes:

Even a step above, you can create mitigation rules using a remediation module. Say for example, if a malware disposition is found after download, you can create a rule to quarantine that host and ISE can blackhole it while you have time to act:

You can also integrate it with AMP for Endpoints and not only see some additional information but check a file trajectory after it enters the network. So you'll see patient zero (first infected host), how it spreads, how the file changes from there, etc:

So yeah... cool stuff. If your ASA is super old and not an X series, I guess you would be right that it can't do any NGFW stuff But then again, you're talking about a 10 year old firewall at that point. Might as well say that you're upset about the Pix not having NGFW capabilities either

As far the ASA-X series though, I have a feeling there's going to be some bigger hardware in town. If you look at the lower firewalls, they've been refreshed in the last year (5506-X, 5508-X and 5516-X) and there's a big new player that's out: http://www.cisco.com/c/en/us/products/collateral/security/firepower-9300-security-appliance/datasheet-c78-734869.html
(Drool at the 9300)

SephStorm · December 2015

Thanks Iris,

Unfortunately I suspect that older devices are in place. We'll see.

chrisone · December 2015

Great write up by Iris. The ASA GenX are heavy duty along with the firepower features. It is a game changer for cisco and feature for feature it stands up with Palo and checkpoint.

Iristheangel · December 2015

Yep. Pretty cool stuff. Sourcefire/Firepower beat out all the other competitors in the last NSS Labs Competitive Firewall Test and AMP beat out everyone else in the NSS Labs latest Breach Detection Systems (BDS) test. Pretty cool stuff but I guess marketing needs to work a little harder if people still think of ASAs in the CLI

chrisone · December 2015

I still want to take that course you are taking for cisco security

ahhh so little time!

Iristheangel · December 2015

I just don't sleep anymore. The combination of my ADHD, having toys to play with and so much to learn fuels my day

ASA Limitations?

Comments