Identity-aware firewalling seems to be all the rage right now. Having the ability to make firewall policy decisions based on user and group information from Active Directory can have enormous benefits if used properly. The Cisco ASA recently gained identity-aware firewalling with the release of 8.4.2 code. Today it works with Microsoft Active Directory, cut-through proxy and VPN authentications to match users and groups to flows. This new feature allows you to write access control policies that take a source username or group membership as match criteria. The ASA applies security policies based on an association of IP addresses with Windows Active Directory, VPN or cut-through proxy login information, and it reports events using the mapped user names instead of network IP addresses. This feature also allows you to use identity policies in service policies for things like IPS inspection, deep packet inspection, inspection engines, etc.
Here is an example of a user based access control rule:
The Cisco AD agent communicates with your ASAs to make this happen. You can have multiple ASAs talk to a single agent or vice versa. This allows you to scale identity across domains, forests, and firewalls.
The other nice feature that was released in 8.4.2 is the ability to use domain names instead of IP addresses. This means you can write an ACE that says source: www.cisco.com destination: www.amazon.com.
This feature helps simplify the readability of your ACLs and works great for domains that have multiple IP addresses associated with them. You cannot, however, enter a full URI like www.cisco.com/go/asa, so this feature will not take the place of a web filter.
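As an added example that is not part of the original post, here is an ASA 8.4(2) configuration fragment that puts both features together: the AD agent and LDAP servers that feed user-to-IP mappings, FQDN network objects, and an ACL whose entries match on a user, a group, and host names rather than raw addresses. The domain name EXAMPLE, the server addresses, the user jdoe and the group Engineering are assumed placeholders.

```cisco
! Added example: ASA 8.4(2) identity-aware and FQDN access rules.
! Domain EXAMPLE, server addresses, user jdoe and group Engineering are
! assumed placeholders, not values from the post.

! LDAP server the ASA queries for group membership
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.1.1.20
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-login-dn cn=asa-ldap,cn=Users,dc=example,dc=com
 ldap-login-password LdapBindSecret
 server-type microsoft
! Cisco AD agent that pushes user-to-IP mappings (RADIUS, agent mode)
aaa-server ADAGENT protocol radius
 ad-agent-mode
aaa-server ADAGENT (inside) host 10.1.1.10
 key AgentSharedSecret
user-identity domain EXAMPLE aaa-server AD-LDAP
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server ADAGENT
! Drop a mapping the ASA can no longer confirm, so a reused address
! does not inherit the previous user's permissions
user-identity action netbios-response-fail remove-user-ip
user-identity enable

! FQDN objects: the ASA resolves and refreshes these names itself
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.1.53
object network CISCO_WEB
 fqdn www.cisco.com
object network AMAZON_WEB
 fqdn www.amazon.com

! Rules keyed on user, group and name; one backslash for a user,
! two for a group
object-group user ENGINEERS
 user-group EXAMPLE\\Engineering
access-list INSIDE_IN extended permit tcp user EXAMPLE\jdoe any any eq 22
access-list INSIDE_IN extended permit tcp object-group-user ENGINEERS any object CISCO_WEB eq 443
access-list INSIDE_IN extended permit tcp object CISCO_WEB object AMAZON_WEB eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! Checks: confirm mappings and resolution before relying on the rules
show user-identity ip-of-user EXAMPLE\jdoe
show user-identity user active
show dns-hosts
show access-list INSIDE_IN
```

A host with no learned mapping matches none of the identity entries and falls through to the final deny, so verify the agent feed with the show commands before cutting over production rules.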
You can upgrade to the latest code here: www.cisco.com/go/asa
You'll also find the latest release notes here: http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html
If you have any questions on these features just post them.
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council Board of Advisors, where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.
Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.