Highlighting 5 NEW lesser known PIX/ASA Firewall Features

The 8.0.2 software release for the PIX and ASA platforms was a big one! My guess is you haven’t had the time, or the inspiration, to read through the release notes and drill into the configuration guide to find all of the new features you now get with the 8.0.2 code release. Fret not, I am here to help! (A little anyway) I won’t cover the major SSLVPN features in 8.0 since you’re probably already somewhat familiar with the huge updates to PIX/ASA SSLVPN features. Instead, here are 5 NEW 8.0.2 features that are less well known but that you’ll probably be interested in:

  • EIGRP Routing Support – The ASA adds EIGRP routing protocol support to the previous routing support list of RIP and OSPF. This has been a long-awaited feature for many. And yes, EIGRP MD5 authentication is supported. How many of you run a routing protocol on your firewall? If you don’t, why not?
  • Packet Capture Wizard now in ASDM GUI – The packet capture feature has been in the PIX/ASA code for a while now, but only from the CLI. With the new ASDM 6.0 version there is now a very slick GUI packet capture wizard. It allows you to pick up to two interfaces you want to capture from and optionally assign a traffic match ACL to the capture. Once the capture is stopped it can then cross-launch your favorite packet decoder, like Wireshark, to display and decode the PCAP-formatted capture file. Capture files can then be downloaded and saved to your local host in either ASCII or PCAP format. This little wizard makes troubleshooting a lot easier.
  • Assigning remote access VPNs to different internal VLANs – This feature allows you to VLAN tag VPN traffic at the group or user level. So, for example, you could direct VPN clients that are members of the business-partner group onto inside VLAN 100, and all VPN clients in the employees group could be tagged with internal VLAN 200. Now, with true traffic separation possible internally, you can implement all sorts of useful security measures on a threat-level basis. One that comes to mind is NAC Appliance. For example, NAC Appliance could be put inline for only certain VLANs and not others.
  • Enhancements to Service Objects – You can now create a single Service Object that includes multiple protocols, like TCP, UDP, and ICMP. For example, this allows you to create a single object called server-traffic and put in it services like TCP/80, TCP/443, UDP/53, ICMP/echo.
  • Advanced Threat Detection feature – This feature does a bunch of things. It detects and alerts on activity that might be related to a Denial of Service attack or Scanning reconnaissance. Optionally, the ASA can automatically shun/block hosts that are detected as a scanning threat. Threat detection also can gather threat statistics for display on the new Firewall Dashboard inside the ASDM GUI. Top 10 graphs, charts, and lists for things like access list hits, services most used, and top IP SRC and IP DST hosts are tracked.
  • NAT support in transparent firewall mode – Prior to 8.0.2, if you used your ASA/PIX in transparent bridge mode instead of traditional layer 3 routed mode then you could not NAT traffic. Starting in 8.0.2 you can now NAT traffic even when in transparent mode. Very cool indeed!
  • Virtual IPS Sensor support on the IPS module – If your ASA is equipped with a SSM-AIP IPS sensor module running 6.0 code you can now virtualize it. This means that if you virtualize your firewall into multiple contexts you can assign a specific virtual sensor to each context. Each virtual sensor stands by itself with its own security policy, signature policy, tuning criteria, etc., just like a firewall context does. To quote from the Cisco documentation, “You can assign each context or single mode adaptive security appliance to one or more virtual sensors, or you can assign multiple security contexts to the same virtual sensor.”
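As an added example (not from this post or the Cisco docs), here is what two of the features above look like in the 8.0 CLI: the mixed-protocol Service Object from the Service Objects item, used in an inbound ACL, and a basic Threat Detection setup that shuns scanning hosts while exempting an internal scanner. The interface names, the 192.0.2.10 server address, the 10.0.0.0/8 exemption and the rate values are constructed placeholders, and the syntax is the pre-8.3 form the 8.0 code uses.

```text
! --- Service Objects: one group mixing TCP, UDP and ICMP (new in 8.0) ---
! Constructed example; addresses and names are placeholders.
object-group service server-traffic
 service-object tcp eq 80
 service-object tcp eq 443
 service-object udp eq 53
 service-object icmp echo
!
! Put the group in the protocol position of an extended ACL so a single
! line permits every service in the group toward the server.
access-list outside_in extended permit object-group server-traffic any host 192.0.2.10
access-group outside_in in interface outside
!
! --- Threat Detection (8.0.2): basic threats, scanning shun, dashboard stats ---
! Basic threat detection logs rate-based events such as DoS-like drop rates.
threat-detection basic-threat
! Scanning-threat detection with automatic shun of attackers; exempt the
! internal management/scanner range so a legitimate vulnerability scanner
! is not blocked (placeholder range).
threat-detection scanning-threat shun except ip-address 10.0.0.0 255.0.0.0
! Tune how aggressive the scanning classifier is (example values):
! 10 events/sec averaged over 20 minutes, or a 20/sec burst, flags a host.
threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20
! These statistics feed the ASDM Firewall Dashboard top-10 lists.
threat-detection statistics access-list
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
```

Check who has been auto-shunned with `show threat-detection shun` and release a false positive with `clear threat-detection shun <ip>`; `show threat-detection statistics top` shows the same top-N data the dashboard graphs.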

Yes, I can count; that makes 7 new features, not 5 like I promised. What can I say, I’m all about giving you more than you bargained for ;). So, what do you think of these new features? Were you aware of these features already? Any features I didn’t highlight that you think are worth noting? For more info see the Cisco docs (http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/conf_gd.html). The opinions and information presented here are my personal views, not those of my employer.


Copyright © 2007 IDG Communications, Inc.
