Recently, Cisco released their latest version of Adaptive Security Appliance (ASA) 5500 software release 8.2. This new version has some new features that I wanted to share with you so that you will know what to expect when you upgrade your ASA firewall. These features include IPv6 support for ASDM and transparent firewall, Botnet Traffic Filter, SNMPv3, IPv6 IPS 6.2 support, among others.
I used to not be a big fan of the Cisco PIX firewalls. I got my first taste of PIX back in 1997 and that bitter aftertaste lasted until Cisco introduced the ASA in 2005. Since then I have been impressed with the features of the ASA firewall and its ease of setup. I especially like its IPv6 capabilities. Other aspects of the ASA that I like are the ease of high-availability configuration, multiple context configuration, integrated SSL-VPN, packet trace capabilities, and the ASDM graphical interface.
For the past few years I have been deploying 8.0 for many clients but ASA release 8.1 was only supposed to be used on the ASA 5580s. ASA release 8.2 was scheduled to ship in Q1 CY2009, so it is now available for purchase and download from CCO. The great thing about ASA release 8.2 is that it will run on any ASA 5500 model. Before you download it and install it you should probably read the ASA 5500 8.2 Software Release Product Bulletin, the Frequently Asked Questions (FAQ), and the Release Notes. There is also a short CiscoTV video about the new features in release 8.2.
Botnet Traffic Filter is a new feature that looks for botnet command and control traffic that may contain Personally Identifiable Information (PII), passwords, or credit card data being sent by malware-infected computers through the firewall. The firewall checks the destination of the information to determine whether it is on a list of bad sites. This database of botnet control domains is maintained by the Cisco Security Intelligence Operations Center and is downloaded automatically if you have a license for this feature. The Botnet Traffic Filter is not intended as a substitute for other perimeter or internal defenses against malware but as a complementary solution, part of a defense-in-depth and diversity-of-defense architecture. Cisco has a whitepaper that describes this in more detail.
The weaknesses in SNMPv1/v2 have been widely known for many years. That is why it is worth configuring SNMPv3 on devices: it secures the information exchanges with DES, 3DES, or AES and authenticates who may retrieve information from the SNMP agent. Finally, with release 8.2, we can use SNMPv3 to authenticate and secure this management protocol. NetFlow Security Event Logging (NSEL) was an 8.1 feature that has now been added to 8.2. It uses NetFlow v9 to send flow-create, flow-teardown, and flow-denied messages to a NetFlow collector. NSEL will also send a subset of the syslog messages as events through NetFlow.
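The following configuration is an added example, not part of the original post, showing what the SNMPv3 and NSEL settings described above look like on an ASA running 8.2. The management-station address 192.168.11.50, the group and user names, the passwords, and the location/contact strings are constructed placeholders; the clear-text community line is included only to show the setting being replaced.

```cisco
! Added example (not the post's own config): SNMPv3 with auth+priv, and NSEL export.
! 192.168.11.50 is a constructed placeholder for the NMS / NetFlow collector.
!
! --- Weak setting this replaces: a clear-text community string on the wire ---
! snmp-server host inside 192.168.11.50 community public version 2c
!
! --- SNMPv3: every request is authenticated (SHA) and encrypted (AES-128) ---
snmp-server group SNMPV3-RO v3 priv
snmp-server user nms-poller SNMPV3-RO v3 auth sha CHANGEME-auth-pass priv aes 128 CHANGEME-priv-pass
! "poll" lets this host query the agent; "trap" would instead send notifications to it.
! Only the listed host may reach the agent, and nothing is exposed on the outside interface.
snmp-server host inside 192.168.11.50 poll version 3 nms-poller
snmp-server location Lab rack 1
snmp-server contact netops@example.com
!
! --- NSEL: NetFlow v9 export of flow-create / flow-teardown / flow-denied events ---
flow-export destination inside 192.168.11.50 2055
! re-send the v9 templates every 30 minutes so a restarted collector can decode records
flow-export template timeout-rate 30
policy-map global_policy
 class class-default
  flow-export event-type all destination 192.168.11.50
! The exported events duplicate the connection built/teardown/denied syslogs;
! suppress the syslog copies so each event is recorded once.
logging flow-export-syslogs disable
```

Verify with "show snmp-server statistics" that only v3 packets are being counted, and with "show flow-export counters" that records are leaving for the collector; a rising "no template" count on the collector side means the template timeout is too long for it.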
TCP state bypass is another 8.2 feature, where the firewall disables its TCP inspection for certain traffic types. This is useful when there are asymmetric traffic flows that would otherwise cause the ASA to reset the connection, because the ASA sees only one direction of the traffic. By bypassing the way the ASA handles the TCP connection state you are introducing some risk to your configuration. This feature is enabled with the “set connection advanced-options tcp-state-bypass” command.
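Because the bypass removes the TCP state checks, the practical question is how narrowly to scope it. The configuration below is an added example, not from the original post, contrasting an all-traffic bypass class with one that matches only the known asymmetric flow and then limits what that class may do. The subnet 10.1.1.0/24 and the server 10.2.2.10 are constructed placeholders.

```cisco
! Added example (not the post's own config): scoping TCP state bypass on ASA 8.2.
! 10.1.1.0/24 -> 10.2.2.10:443 is a constructed placeholder for the flow whose
! return traffic arrives on another path.
!
! Risky setting: a match-any class hands away TCP inspection for the whole firewall
! class-map TCP-BYPASS
!  match any
!
! Preferred: match only the asymmetric flow, then apply bypass to that class alone
access-list TCP-BYPASS extended permit tcp 10.1.1.0 255.255.255.0 host 10.2.2.10 eq 443
class-map TCP-BYPASS
 match access-list TCP-BYPASS
!
policy-map global_policy
 class TCP-BYPASS
  set connection advanced-options tcp-state-bypass
  ! bypassed flows lose TCP normalization and SYN-cookie protection,
  ! so cap the number of such connections and age them out quickly
  set connection conn-max 500 per-client-max 50
  set connection timeout tcp 0:05:00
!
service-policy global_policy global
```

After applying it, "show conn" lists the bypassed connections with the "b" flag, which is a quick way to confirm that only the intended flow, and not the whole connection table, is running without state checks.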
ASA release 8.2 now supports ASDM communication over IPv6. Previously ASDM communication could only take place over IPv4, but now you can specify an IPv6 address as the device to contact. You just need to be sure to enclose the address in square brackets when entering it into the ASDM-IDM launcher so that it follows the RFC 2732 format.
Alternatively you can use a web browser to communicate with the ASA via HTTPS to an IPv6 address. In the URL you must also follow the RFC 2732 format, with the address in square brackets.
Once you launch ASDM you can perform any configuration that you have been accustomed to when using IPv4.
IPv6 Transparent Firewall is a new 8.2 feature where the firewall can behave like a layer-2 transparent firewall (bump-in-the-wire). Even though the transparent firewall feature has existed for many years for IPv4, release 8.2 adds support of IPv6 addressing in transparent firewall mode. I was able to set this up in the lab and verify that it works well. Here is an example of an ASA 5500 configured for transparent mode with both IPv4 and IPv6. This configuration is for an ASA 5505 so it uses VLAN interfaces for the security levels and interface names and then globally there are management IPv4/IPv6 addresses configured. Please don’t follow the policy configuration that I show here because this is just a simple test of a firewall policy that allows all traffic to flow through it (very insecure). Also, please note that some configuration commands have been removed for brevity.
ASA5500# sh run
: Saved
:
ASA Version 8.2(1)
!
firewall transparent
hostname ASA5500
names
!
interface Vlan1
 description Inside interface
 nameif inside
 security-level 100
!
interface Vlan2
 description Outside interface
 nameif outside
 security-level 0
!
interface Ethernet0/0
 description Outside interface
 switchport access vlan 2
!
interface Ethernet0/1
 description Inside interface
!
access-list FULLIP extended permit tcp any any
access-list FULLIP extended permit udp any any
access-list FULLIP extended permit icmp any any
access-list FULLIP extended permit ip any any
logging enable
logging asdm informational
ip address 192.168.11.1 255.255.255.0
ipv6 address 2001:db8:11::1/64
ipv6 access-list FULLIPv6 permit tcp any any
ipv6 access-list FULLIPv6 permit icmp6 any any
ipv6 access-list FULLIPv6 permit udp any any
ipv6 access-list FULLIPv6 permit esp any any
ipv6 access-list FULLIPv6 permit icmp any any
ipv6 access-list FULLIPv6 permit ah any any
ipv6 access-list FULLIPv6 permit ip any any
access-group FULLIP in interface inside
access-group FULLIPv6 in interface inside
access-group FULLIP in interface outside
access-group FULLIPv6 in interface outside
http server enable
http 192.168.11.0 255.255.255.0 inside
http 2001:db8:11::/64 inside
ssh 192.168.11.0 255.255.255.0 inside
ssh 2001:db8:11::/64 inside
ssh timeout 60
ssh version 2
. . .
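Since the lab policy above permits everything, here is an added example, not from the original post, of a restrictive dual-stack policy that could replace the FULLIP/FULLIPv6 lists on the same bridged 192.168.11.0/24 and 2001:db8:11::/64 segment. The web server at 192.168.11.80 / 2001:db8:11::80 and the external resolvers at 203.0.113.53 / 2001:db8:ffff::53 are constructed placeholders. The point specific to transparent mode is that IPv6 Neighbor Discovery and Router Advertisements are ordinary ICMPv6 packets crossing the bridge, so they have to be permitted explicitly or hosts on the two sides stop resolving each other.

```cisco
! Added example (not the post's own config): restrictive replacement for the
! permit-any FULLIP/FULLIPv6 policy on the ASA 5505 transparent-mode lab above.
! Web server 192.168.11.80 / 2001:db8:11::80 and resolvers 203.0.113.53 /
! 2001:db8:ffff::53 are constructed placeholders.
!
! Outside -> inside: only the published web server; everything else denied and logged
access-list OUTSIDE-IN extended permit tcp any host 192.168.11.80 eq 80
access-list OUTSIDE-IN extended permit tcp any host 192.168.11.80 eq 443
access-list OUTSIDE-IN extended deny ip any any log
ipv6 access-list OUTSIDE-IN6 permit tcp any host 2001:db8:11::80 eq 80
ipv6 access-list OUTSIDE-IN6 permit tcp any host 2001:db8:11::80 eq 443
! ICMPv6 Router Advertisement (134), Neighbor Solicitation (135) and
! Neighbor Advertisement (136) must cross the bridge from the outside side
ipv6 access-list OUTSIDE-IN6 permit icmp6 any any 134
ipv6 access-list OUTSIDE-IN6 permit icmp6 any any 135
ipv6 access-list OUTSIDE-IN6 permit icmp6 any any 136
ipv6 access-list OUTSIDE-IN6 deny ip any any log
!
! Inside -> outside: web and DNS only; replies return via the stateful connection table
access-list INSIDE-OUT extended permit tcp 192.168.11.0 255.255.255.0 any eq 80
access-list INSIDE-OUT extended permit tcp 192.168.11.0 255.255.255.0 any eq 443
access-list INSIDE-OUT extended permit udp 192.168.11.0 255.255.255.0 host 203.0.113.53 eq 53
access-list INSIDE-OUT extended deny ip any any log
ipv6 access-list INSIDE-OUT6 permit tcp 2001:db8:11::/64 any eq 80
ipv6 access-list INSIDE-OUT6 permit tcp 2001:db8:11::/64 any eq 443
ipv6 access-list INSIDE-OUT6 permit udp 2001:db8:11::/64 host 2001:db8:ffff::53 eq 53
! Router Solicitation (133) plus NS/NA so inside hosts can find the outside router
ipv6 access-list INSIDE-OUT6 permit icmp6 any any 133
ipv6 access-list INSIDE-OUT6 permit icmp6 any any 135
ipv6 access-list INSIDE-OUT6 permit icmp6 any any 136
ipv6 access-list INSIDE-OUT6 deny ip any any log
!
! Binding a new list per interface and direction replaces the FULLIP/FULLIPv6 binding
access-group OUTSIDE-IN in interface outside
access-group OUTSIDE-IN6 in interface outside
access-group INSIDE-OUT in interface inside
access-group INSIDE-OUT6 in interface inside
```

The explicit "deny ip any any log" lines are there so the denials show up in syslog (and, with NSEL enabled, as flow-denied events), which is how you find out what the permit-any lab policy had been silently letting through.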
Cisco ASA release 8.2 also provides support for AIP modules running IPS Sensor Software version 6.2, and for passing IPv6 traffic to the IPS SSM and SSC modules. Previously, ASAs could not send IPv6 traffic to an internal IPS 6.2 module; now the ASA can hand the IPv6 traffic to the AIP module. Previously I wrote about the IPv6 capabilities in IPS version 6.2, and now all these features are available on the embedded IPS 6.2 modules in an ASA.
Cisco has also introduced the Advanced Inspection and Protection Security Services Card 5 (AIP SSC-5), which works in an ASA 5505. This card supports up to 75 Mbps of IPS traffic inspection and supports the same signatures as the larger AIP IPS SSM modules. Jamey Heary wrote a recent NetworkWorld Cisco Subnet blog article on the new SSC-5.
There are other features included in release 8.2 so you may want to check the release notes to find out all the new goodies available.