Skip Links

Cisco ASA Upgrade Adds Identity Firewalling

User and group based policies

By jheary on Thu, 10/27/11 - 3:01pm.

Identity aware firewalling seems to be all the rage right now. Having the ability to make firewall policy decisions based on user and group information from Active Directory can have enormous benefits if used properly. The Cisco ASA recently acquired the identity aware firewalling ability with the release of 8.4.2 code. It works with Microsoft Active Directory, cut-through proxy and VPN authentications today for user/group to flow matching. This new feature allows you to write access control policies that take a source username or group membership as match criteria. The ASA applies the security policies based on an association of IP addresses to Windows Active Directory, VPN or cut-through proxy login information and reports events based on the mapped user names instead of network IP addresses. This feature also allows you to use identity policies in service polices for things like IPS inspection, deep packet inspection, inspection engines, etc.

Here is an example of a user based access control rule:

The Cisco AD agent communicates with your ASA's to make this happen. You can have multiple ASA's talk to a single agent or vice-versa. This allows you to scale identity across domains, forests, and firewalls.

The other nice feature that released in 8.4.2 is the ability to use domain names instead of IP addresses. This means you can write a ACE that says source: destination: .
This feature helps simplify the readability of your ACL's and works great for domains that have multiple IP addresses associated with them. You cannot however enter a full URI like, so this feature will not take the place of a web filter.

You can upgrade to the latest code here
You'll also find the latest release notes here

If you have any questions on these features just post them.

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

More from Jamey Heary:
* Credit Card Skimming: How thieves can steal your card info without you knowing it
* Google Nexus One vs. Top 10 Phone Security Requirements
* Why you should always shred your boarding pass
* Video rental records are afforded more privacy protections than your online data
* The truth about new SSL attacks
* 2009 Top Urban Legends in IT Security/a>

Go to Jamey’s Blog for more articles on security.