Cisco ASA

In computer networking, Cisco ASA 5500 Series Adaptive Security Appliances, or simply Cisco ASA, is Cisco's line of network security devices introduced in May 2005.[http://newsroom.cisco.com/dlls/2005/prod_050305.html Cisco press release] {{Webarchive|url=https://web.archive.org/web/20121204055135/http://newsroom.cisco.com/dlls/2005/prod_050305.html |date=2012-12-04 }} quote: "Las Vegas (Interop) May 3, 2005 – Cisco Systems, Inc., today announced the availability of the Cisco ASA 5500 Series Adaptive Security Appliance s" It succeeded three existing lines of Cisco products:

Cisco PIX, which provided firewall and network address translation (NAT) functions, ended its sale on July 28, 2008.{{cite web|last1=Davis|first1=David|title=Converting from old to new with the PIX to ASA Migration Tool|url=https://www.techrepublic.com/blog/data-center/converting-from-old-to-new-with-the-pix-to-asa-migration-tool/|website=TechRepublic|language=en|date=19 February 2008}}
Cisco's IPS 4200 Series, which worked as an intrusion prevention system (IPS).
Cisco VPN 3000 Series Concentrators, which provided virtual private networking (VPN).

The Cisco ASA is a unified threat management device which combines several network security functions.{{cite web|last1=Davis|first1=David|title=Get to know Cisco's new security appliance: ASA 5500|url=https://www.techrepublic.com/article/get-to-know-ciscos-new-security-appliance-asa-5500/|website=TechRepublic|accessdate=21 March 2018|language=en|date=30 June 2005}}

Reception and criticism

Cisco ASA has become one of the most widely used firewall/VPN solutions for small to medium-sized businesses. Early reviews indicated the Cisco GUI tools for managing the device were lacking.{{Cite web | last = | first = | title = Cisco hits on firewall/VPN, misses on ease of use | url = http://www.networkworld.com/reviews/2006/050106-cisco-test-asa.html | publisher = | date = May 2006| accessdate = 28 December 2012 }}

A security flaw was identified when users customized the Clientless SSL VPN option of their ASA's but was rectified in 2015.{{cite news|last1=Saarinen|first1=Juha|title=Unpatched Cisco ASA firewalls targeted by hackers|url=https://www.itnews.com.au/news/unpatched-cisco-asa-firewalls-targeted-by-hackers-400713|accessdate=March 20, 2018|work=iTnews|date=February 20, 2015}}

Another flaw in a WebVPN feature was fixed in 2018.{{cite news|last1=Saarinen|first1=Juha|title=Cisco ASA VPN feature allows remote code execution|url=https://www.itnews.com.au/news/cisco-asa-vpn-feature-allows-remote-code-execution-482111|work=iTnews|date=30 January 2018}}

In 2017 The Shadow Brokers revealed the existence of two privilege escalation exploits against the ASA called EPICBANANA{{Cite web|title=NVD - CVE-2016-6367|url=https://nvd.nist.gov/vuln/detail/CVE-2016-6367|access-date=2020-07-13|website=nvd.nist.gov}} and EXTRABACON.{{Cite web|title=NVD - CVE-2016-6366|url=https://nvd.nist.gov/vuln/detail/CVE-2016-6366#vulnCurrentDescriptionTitle|access-date=2020-07-13|website=nvd.nist.gov}}{{Cite web|date=2016-08-17|title=The Shadow Brokers EPICBANANA and EXTRABACON Exploits|url=https://blogs.cisco.com/security/shadow-brokers|access-date=2020-07-13|website=Cisco Blogs|language=en-US}} A code insertion implant called BANANAGLEE, was made persistent by JETPLOW.{{cite web|title=Equation Group Firewall Operations Catalogue|url=https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html|archive-url=https://web.archive.org/web/20160816194336/https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html|url-status=dead|archive-date=August 16, 2016|website=musalbas.com}}

Features

The 5506W-X has a WiFi point included.

Architecture

The ASA software is based on Linux. It runs a single Executable and Linkable Format program called lina. This schedules processes internally rather than using the Linux facilities. In the boot sequence a boot loader called ROMMON (ROM monitor) starts, loads a Linux kernel, which then loads the lina_monitor, which then loads lina. The ROMMON also has a command line that can be used to load or select other software images and configurations. The names of firmware files includes a version indicator, -smp means it is for a symmetrical multiprocessor (and 64 bit architecture), and different parts also indicate if 3DES or AES is supported or not.

The ASA software has a similar interface to the Cisco IOS software on routers. There is a command line interface (CLI) that can be used to query operate or configure the device. In config mode the configuration statements are entered. The configuration is initially in memory as a running-config but would normally be saved to flash memory.

class="wikitable" \| ! ! !colspan=19 \|software versions
major release \|7.0 \|7.1 \|7.2\|\|8.0\|\|8.1\|\|8.2\|\|8.3\|\|8.4\|\|8.5\|\|8.6\|\|8.7\|\|9.0\|\|9.1\|\|9.2\|\|9.3\|\|9.4\|\|9.5\|\|9.6\|\|9.7\|\|9.8\|\|9.9
released{{cite web\|title=Cisco ASA New Features by Release\|url=https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html\|website=Cisco}} \|31 May 2005 \|6 Feb 2006 \|31 May 2006\|\|18 Jun 2007\|\|1 Mar 2008\|\|6 May 2009\|\|8 Mar 2010\|\|31 Jan 2011\|\|8 Jul 2011\|\|28 Feb 2012\|\| 16 Oct 2012 \|29 Oct 2012\|\|3 Dec 2012\|\|24 Apr 2014\|\|24 Jul 2014\|\|30 Mar 2015\|\|12 Aug 2015\|\|21 Mar 2016\|\|4 Apr 2017\|\|15 May 2017\|\|4 Dec 2017
end of life \|× \|× \|× \|\|× \|\|× \|\|× \|\|× \|\|× \|\|× \|\|× \|\|× \|\|× \|\| \|\| \|\|× \|\|\|\| × \| \|\| \|\| \|\|
for 5505-5550 \| \| \|Y \|\|Y \|\|Y \|\|Y \|\|Y \|\|Y \|\| \|\| \|\| \|\|Y \|\|Y \|\|Y \|\| \|\| \|\| \|\| \|\| \|\|
for 5512-5585-X \| \| \| \|\| \|\| \|\| \|\| \|\| \|\| \|\|Y \|\|Y \|\|Y \|\|Y \|\|Y \|\|Y \|\|Y \|\|Y \|\|Y \|\|Y \|\|Y \|\|Y

class="wikitable"

!colspan=19 |software versions

major release

|7.0

|7.1

|7.2||8.0||8.1||8.2||8.3||8.4||8.5||8.6||8.7||9.0||9.1||9.2||9.3||9.4||9.5||9.6||9.7||9.8||9.9

released{{cite web|title=Cisco ASA New Features by Release|url=https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html|website=Cisco}}

|31 May 2005

|6 Feb 2006

|31 May 2006||18 Jun 2007||1 Mar 2008||6 May 2009||8 Mar 2010||31 Jan 2011||8 Jul 2011||28 Feb 2012|| 16 Oct 2012

|29 Oct 2012||3 Dec 2012||24 Apr 2014||24 Jul 2014||30 Mar 2015||12 Aug 2015||21 Mar 2016||4 Apr 2017||15 May 2017||4 Dec 2017

end of life

|×

|× ||× ||× ||× ||× ||× ||× ||× ||× ||× || || ||× |||| ×

| || || ||

for 5505-5550

|Y ||Y ||Y ||Y ||Y ||Y || || || ||Y ||Y ||Y || || || || || ||

for 5512-5585-X

| || || || || || || ||Y ||Y ||Y ||Y ||Y ||Y ||Y ||Y ||Y ||Y ||Y ||Y

Options

The 5512-X, 5515-X, 5525-X, 5545-X and 5555-X can have an extra interface card added.

The 5585-X has options for SSP. SSP stands for security services processor.{{cite book|last1=Moraes|first1=Alexandre M. S. P.|title=Cisco Firewalls|date=2011|publisher=Cisco Press|isbn=9781587141119|url=https://books.google.com/books?id=-fbGYL8jsYEC|language=en}} These range in processing power by a factor of 10, from SSP-10 SSP-20, SSP-40 and SSP-60. The ASA 5585-X has a slot for an I/O module. This slot can be subdivided into two half width modules.{{cite web|title=Cisco ASA 5585-X Stateful Firewall Data Sheet|url=https://cisco-apps.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-730903.html|website=Cisco|language=en|date=7 June 2017|access-date=20 March 2018|archive-date=3 April 2018|archive-url=https://web.archive.org/web/20180403174015/https://cisco-apps.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-730903.html|url-status=dead}}

On the low end models, some features are limited, and uncrippling happens with installation of a Security Plus License. This enables more VLANs, or VPN peers, and also high availability. Cisco AnyConnect is an extra licensable feature which operates IPSec or SSL tunnels to clients on PCs, iPhones or iPads.{{cite web|last1=Carroll|first1=Brandon|title=Cisco AnyConnect vs. IPsec VPN: Licensing considerations|url=https://www.techrepublic.com/blog/data-center/cisco-anyconnect-vs-ipsec-vpn-licensing-considerations/|website=TechRepublic|language=en|date=January 5, 2011|access-date=March 21, 2018|archive-date=March 22, 2018|archive-url=https://web.archive.org/web/20180322142815/https://www.techrepublic.com/blog/data-center/cisco-anyconnect-vs-ipsec-vpn-licensing-considerations/|url-status=dead}}

Models

The 5505 introduced in 2010 was a desktop unit designed for small enterprises or branch offices. It included features to reduce the need for other equipment, such as an inbuilt switch, and power over Ethernet ports.{{cite web|title=Cisco Expands Security|url=https://www.networkcomputing.com/storage/cisco-expands-security/1694608310|website=Network Computing|language=en|date=9 July 2006}}

The 5585-X is a higher powered unit for datacenters introduced in 2010.{{cite web|title=Cisco's High-Performance ASA Appliance, New Version Of Anyconnect|url=https://www.networkcomputing.com/careers/ciscos-high-performance-asa-appliance-new-version-anyconnect/2074262048|website=Network Computing|language=en|date=5 October 2010}} It runs in 32-bit mode on an Intel architecture Atom chip.{{cite web|title=Intro to the Cisco ASA|url=https://research.nccgroup.com/2017/09/20/cisco-asa-series-part-one-intro-to-the-cisco-asa/|website=research.nccgroup.com|date=20 September 2017 }}

class="wikitable"
Model !5505 {{cite web \| url=http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html \| title=Cisco ASA Model Comparison page \| accessdate=2008-05-15}} !5510 !5520 !5540 !5550 !5580-20 !5580-40 !5585-X SSP10 !5585-X SSP20 !5585-X SSP40 !5585-X SSP60
Cleartext throughput, Mbit/s \| 150 \| 300 \| 450 \| 650 \| 1,200 \| 5,000 \| 10,000 \| 3,000 \| 7,000 \| 12,000 \| 20,000
AES/Triple DES throughput, Mbit/s \| 100 \| 170 \| 225 \| 325 \| 425 \| 1,000 \| 1,000 \| 1,000 \| 2,000 \| 3,000 \| 5,000
Max simultaneous connections \| 10,000 (25,000 with Sec Plus License) \| 50,000 (130,000 with Sec Plus License) \| 280,000 \| 400,000 \| 650,000 \| 1,000,000 \| 2,000,000 \| 1,000,000 \| 2,000,000 \| 4,000,000 \| 10,000,000
Max site-to-site and remote access VPN sessions \| 10 (25 with Sec Plus License) \| 250 \| 750 \| 5,000 \| 5,000 \| 10,000 \| 10,000 \| 5,000 \| 10,000 \| 10,000 \| 10,000
Max number of SSL VPN user sessions \| 25 \| 250 \| 750 \| 2,500 \| 5,000 \| 10,000 \| 10,000 \| 5,000 \| 10,000 \| 10,000 \| 10,000
Model !5505 !5510 !5520 !5540 !5550 !5580-20 !5580-40 !5585-X SSP10 !5585-X SSP20 !5585-X SSP40 !5585-X SSP60

class="wikitable"

Model

!5505 {{cite web | url=http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html | title=Cisco ASA Model Comparison page | accessdate=2008-05-15}}

!5510

!5520

!5540

!5550

!5580-20

!5580-40

!5585-X SSP10

!5585-X SSP20

!5585-X SSP40

!5585-X SSP60

Cleartext throughput, Mbit/s

| 150

| 300

| 450

| 650

| 1,200

| 5,000

| 10,000

| 3,000

| 7,000

| 12,000

| 20,000

AES/Triple DES throughput, Mbit/s

| 100

| 170

| 225

| 325

| 425

| 1,000

| 2,000

| 3,000

| 5,000

Max simultaneous connections

| 10,000 (25,000 with Sec Plus License)

| 50,000 (130,000 with Sec Plus License)

| 280,000

| 400,000

| 650,000

| 1,000,000

| 2,000,000

| 1,000,000

| 2,000,000

| 4,000,000

| 10,000,000

Max site-to-site and remote access VPN sessions

| 10 (25 with Sec Plus License)

| 250

| 750

| 5,000

| 10,000

| 5,000

| 10,000

Max number of SSL VPN user sessions

| 25

| 250

| 750

| 2,500

| 5,000

| 10,000

| 5,000

| 10,000

Model

!5505

!5510

!5520

!5540

!5550

!5580-20

!5580-40

!5585-X SSP10

!5585-X SSP20

!5585-X SSP40

!5585-X SSP60

Cisco determined that most of the low end devices had too little capacity to include the features needed, such as anti-virus, or sandboxing, and so introduced a new line of next-generation firewalls called Firepower. These run in 64-bit mode.

;Models as of 2018{{cite web|title=Cisco ASA with FirePOWER Services Data Sheet|url=https://cisco-apps.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html|website=Cisco|accessdate=20 March 2018|language=en|date=9 February 2018|archive-date=3 April 2018|archive-url=https://web.archive.org/web/20180403234625/https://cisco-apps.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html|url-status=dead}}

class="wikitable"
Model !5506-X !5506W-X !5506H-X !5508-X !5512-X !5515-X !5516-X !5525-X !5545-X !5555-X !5585-X
Throughput Gb/s \|0.25\|\|0.25\|\|0.25\|\|0.45\|\|0.3\|\|0.5\|\|0.85 \|1.1 \|1.5 \|1.75 \|4-40
GB ports \|8\|\|8\|\|4\|\|8\|\|6\|\|6\|\|8\|\|8\|\|8 \|8 \|6-8
Ten GB ports \|0 \|0 \|0 \|0 \|0 \|0 \|0 \|0 \|0 \|0 \|2-4
Form factor \|desktop\|\|desktop\|\|desktop\|\|1 RU\|\|1 RU\|\|1 RU\|\|1 RU \|1RU \|1RU \|1RU \|2RU

class="wikitable"

Model

!5506-X

!5506W-X

!5506H-X

!5508-X

!5512-X

!5515-X

!5516-X

!5525-X

!5545-X

!5555-X

!5585-X

Throughput Gb/s

|0.25||0.25||0.25||0.45||0.3||0.5||0.85

|1.1

|1.5

|1.75

|4-40

GB ports

|8||8||4||8||6||6||8||8||8

|6-8

Ten GB ports

|2-4

Form factor

|desktop||desktop||desktop||1 RU||1 RU||1 RU||1 RU

|1RU

|2RU

References

External links

[http://www.cisco.com/go/asa Cisco ASA 5500 Series Adaptive Security Appliances]
[http://www.cisco.com/en/US/solutions/ns170/tac/security_tac_podcasts.html Cisco TAC Security Podcast - ASA troubleshooting information]

Category:Server appliance

Category:Lua (programming language)-scriptable hardware

Category:Cisco products

Category:Computer network security