As of late, Cisco ASA releases have become, shall we say, complicated. For ASA models 5505, 5510, 5520, 5540, 5580, and 5585-X, the latest version supported on these platforms has been ASA 8.4(5). And, for ASA models 5512-X, 5515-X, 5525-X, and 5545-X the only supported ASA version has been 8.6(1). 8.6(1) did not have feature parity with 8.4(5), and was hardware dependent. Let’s not forget about lonely ASA 8.7(1.1), which is only supported on the ASA 1000v, and the ASA Services Module (ASASM) whose only supported version has been 8.5(1).
|ASA OS||ASDM||ASA Model:||ASASM||ASA 1000v|
|ASA 5505||ASA 5510, 5520, 5540||ASA 5550||ASA 5580||ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X||ASA 5585-X|
|ASA 8.4(5)||ASDM 7.0(2).||YES||YES||YES||YES||No||YES||No|
|ASA 8.5(1)||ASDM 6.5(1).||No||No||No||No||No||No||YES||No|
|ASA 8.6(1)||ASDM 6.6(1) and later. Recommended: 7.0(2).||No||No||No||No||YES||No||No||No|
|ASA 8.7(1.1)||ASDM 6.7(1).||No||No||No||No||No||No||No||YES|
|ASA 9.0(1)||ASDM 7.0(1) and later. Recommended: 7.0(2).||YES||YES||YES||YES||YES||YES||YES||No|
Oh my, what a tangled web we weave.
Enter 9.0. The latest Cisco ASA release represents not only a convergence in ASA versions, but also a significant leap forward on Cisco’s capabilities to address mobile and Data Center security. What’s so cool about this latest release?
For starters, ASA 9.0 is supported on all ASA versions, except the ASA 1000v. This will bring sanity to network security operations that have been trying to standardize across multiple ASA platforms within the organization.
More importantly, let’s discuss some of the newer features, why they’re important, and what they mean to you. While this isn’t a comprehensive list of the newer features, these are the ones that I consider game changes as part of the ASA 9.0 release.
New Feature: Next Generation Encryption (NGE) aka Suite B
Cryptography is always changing. It’s a cat and mouse game as some older cryptographic algorithms have been deprecated, broken, attacked, or just proven to be insecure. And steady advances in cryptography provide for stronger algorithms and larger key sizes. NGE technology satisfies current requirements for secure cryptographic algorithms, and key sizes that provide adequate security levels.
Today’s recommendations for security algorithms
|3DES||Encryption||Legacy||AES||Short key lifetime|
|RC4||Encryption||Legacy||AES||Key schedule is important|
|AES-CBC modeAES-GCM mode||EncryptionAuthenticated encryption||AcceptableNGE1||AES-GCM—||——|
|DH-768, -1024RSA-768, -1024DSA-768, -1024||Key exchangeEncryptionAuthentication||Avoid||DH-2048 (Group 14)RSA-2048DSA-2048||———|
|HMAC-MD5||Integrity||Legacy||HMAC-SHA-1||Short key lifetime|
|1. NGE = next generation encryption|
The NGE technology is important for a couple reasons. First, the obvious, it’s a more secure technology. The encryption algorithms of NGE represent more then 30 years of global advancement and evolution in cryptographic technology. It’s because of this strength that NGE is quickly becoming the de-facto standard for encryption requirements. In fact, the United States National Security Agency (NSA) has dubbed the exact same cryptographic algorithms used in NGE as Suite B, which are the specified set of cryptographic algorithms that devices must support to meet U.S. federal standards for cryptographic strength. When the right combination of these algorithms are used together, the security and integrity of confidential information can be ensured over untrusted networks.
Secondly, NGE boasts better efficiency with the use of Galois/Counter Mode (GCM). GCM is an authenticated encryption algorithm, which simultaneously provides confidentiality, integrity, and authenticity assurances on the data, and is used with symmetric key block ciphers such as AES. From a performance perspective, GCM is ideal for protecting packetized data, because it has minimum latency and minimum operational overhead. When coupled with AES (AES-GCM), Intel has demonstrated phenomenal performance results when using systems with 64-bit Intel processors that include the PCMULQDQ instruction set, highlighted for use with GCM.
I also wanted to put in a plug for IKEv2, which should not be taken trivially. IKE has inherent issues with configuration options and a lack of automatic negotiation. Configurations tend to be tedious, a bit complex, and difficult to troubleshoot. There have been significant improvement with IKEv2 including, standard mobility support, reliability and state management, simpler message exchange, and fewer cryptographic mechanisms.
Net net, NGE represents a giant stride forward regarding the safeguarding of confidential information with greater performance capabilities when using today’s modern-day 64-bit, multi-core systems. Which is important to note. The only systems in the ASA lineup that support NGE crypto at a hardware-level are the ASA 5500-X, 5580, and 5585-X. When using NGE with AnyConnect 3.1, AnyConnect Premium licenses are also required.
New Feature: Cisco Cloud Web Security (ScanSafe)
I want you to think of ScanSafe as that great web content filter in the cloud, literally. Wherever your user goes; it follows them around, ready to filter all the evil malware from their unsuspecting web flows. It has the capability to provide SaaS web security services for mobile customers (think Caribou Coffee) or customers that have locations where putting an on-premise proxy solution just doesn’t make sense for them (think distributed WAN with egress points)
With the ScanSafe connector on the ASA, the ASA transparently redirects selected HTTP and HTTPS traffic to the Cloud Web Security proxy servers (ScanSafe). The Cloud Web Security service will scan the content and either allow, block, or send a warning about the traffic based on policy to enforce acceptable use and protect users from evil.
Additionally, the ASA can optionally identify and authenticate users against an identity store, such as Active Directory, and send the encrypted credentials to Cloud Web Security. This allows the service to match the user against a specific policy to provide differentiated access, and user-based reporting.
For customers that have a distributed WAN environment where the remote sites have Internet connections secured by a Cisco ASA or a Cisco IOS router, this is a simple, cost-effective solution to provide content scanning, and malware filtering services without breaking the bank. By mitigating the need for an on-premise proxy solution, Cloud Web Security allows for a lower total cost of ownership by avoiding costs associated with deployment and maintenance of an on-premise solution. Additionally, as an organization’s business grows, Cloud Web Security offers a scalable approach to simply add security services to branch locations that are consistent with the broader organization’s unified security policy.
New Feature: ASA Clustering for the ASA 5580 and ASA 5585-X
Clustering allows you to group multiple ASAs together as a single logical device. Sound familiar switch jockeys? Similarly, an ASA cluster provides all the convenience of a single device, including management, integration into a network, while achieving the increased throughput and redundancy of multiple devices. Frankly, this isn’t really new as Cisco has been doing this with stackable switches for quite some time, and Juniper has similar capability on their firewalls.
That said, what is interesting here, is the fact that Cisco is able to stack up to 8 Cisco ASA 5585-60 security appliances in single cluster, and break the 100 Gbps barrier (TCP) and approach 200 Gbps (UDP). That’s serious firewall horsepower, and should give them a competitive position in Data Center’s seeking highly scalable platforms requiring maximum throughput and capacity.
As one can imagine, there is a significant amount of effort that would need to be devoted to the design of an ASA cluster as the configuration is not a trivial task. Be sure to do your homework on this one before you roll up your sleeves.
New Feature: Cisco TrustSec Integration
If you haven’t heard of TrustSec, then I suspect you may have been hiding under a rock. TrustSec is code for an identity-based network that is able to apply differentiated access to exactly the right type of user and device. Kind of like Joe from accounting gets access to accounting resources on his corporate asset regardless if he attaches through wireless, wired, or he’s sitting at the Caribou Coffee down the street. But if Joe jump’s on his iPad he got for Christmas, maybe he gets guest Internet and access to a VDI solution to deliver a desktop to the iPad. The big picture here is that the network just does this – it adapts to the context of the user to deliver a cohesive security policy.
Unlike a traditional approach to securing the network, TrustSec relies on a combination of user and endpoint attributes to make role- and identity-based access control decisions. At the heart of this approach, is the idea that policy enforcement is topology-independent. It really doesn’t matter if we’re talking wired, wireless, or VPN. The network is the platform. Enforcement is more of a function of the roles of the source and destination devices or applications, and their relationship between each other.
With the ASA 9.0 release, Cisco has integrated the Cisco ASA platform directly into the TrustSec domain. This gives the ASA capability to tag or interrogate every packet entering or existing the Cisco TrustSec domain via the ASA with a Secure Group Tag (SGT). The tagging helps trusted devices within the TrustSec domain identify the source of the packet and enforce security policies along the data path. For customers that have already implemented Cisco Identity Services Engine (ISE); they will find and appreciate the feature-rich introduction of TrustSec into the ASA and will likely find added-benefit to leveraging their existing security investment.
Other New and Noteworthy Updates:
- Numerous and significant IPv6 updates.
- Added support for Citrix Mobile Receiver, which will provide secure remote access for Citrix Receiver applications running on mobile devices to XenApp and XenDesktop VDI servers through the ASA.
- Site-to-Site VPN now supported in multi-context mode.
- Mixed mode support for multi-context mode.
- Dynamic routing protocols now supported in multi-context mode.
- ASASM now supports VPN.
The ASA 9.0 Documentation Set can be found here.