Developers: | Cisco Systems |
Date of the premiere of the system: | February 2011 |
Last Release Date: | 2022/08/11 |
Technology: | IS - Firewalls |
Main article: Firewall
Cisco ASA (Adaptive Security Appliance) is a series of hardware firewalls developed by Cisco Systems.
It succeeded the following device lines:
- Cisco PIX Firewalls;
- Cisco IPS 4200 intrusion detection systems;
- Cisco VPN 3000 VPN Concentrators.
Like the PIX, ASAs are built on x86 processors. Starting with version 7.0, PIX and ASA use the same operating system images, although the available functionality depends on which platform is running them.
The feature set depends on the license type, which is tied to the device serial number and unlocked with an activation key. The command-line interface resembles Cisco IOS but is not identical to it. The device can be managed via Telnet, SSH, the web interface (ASDM) or Cisco Security Manager.
Capabilities
- Stateful packet inspection;
- Deep inspection of application-layer protocols;
- Network address translation (NAT);
- IPsec VPN;
- SSL VPN (clientless access to the network through a web interface);
- Dynamic routing protocols (RIP, EIGRP, OSPF);
- Not supported: GRE and similar tunneling protocols; policy-based routing was also absent in early releases and was added only in ASA 9.4(1).
Cisco positions the ASA as the industry's first firewall with context-aware policy enforcement. Context here means local context (via Cisco TrustSec), global context (via Cisco Security Intelligence Operations) and mobile-device context (via Cisco AnyConnect). According to Cisco, this gives ASA customers a complete picture of their network infrastructure, improves security and lets them build policies that match business rules. Users, applications, data, reputations, devices, current state, threats, destinations, sources and locations are some of the elements of the end-to-end context the ASA takes into account, allowing customers to extend their existing firewall infrastructure as the needs of the enterprise and its employees change.
Continuing its Cisco SecureX security strategy, Cisco equipped the Cisco Adaptive Security Appliance, which it describes as the world's most widely deployed firewall, with Cisco ASA CX (a context-aware security solution). According to Cisco, this takes the ASA platform beyond what the "next-generation" firewalls of the time offered, with better threat detection and much finer-grained access rules for individual applications. Cisco ASA CX lets network administrators decide which devices and users get which kind of access to network resources, and to more than a thousand applications and 75 thousand micro-applications.
Cisco ASA CX: next-generation context-aware security solution
This solution extends the ASA platform, raising the bar for visibility and granularity of control. Cisco ASA CX recognizes more than a thousand applications, such as Facebook, Google+, LinkedIn, Twitter and iTunes, and divides them into more than 75 thousand micro-applications. The micro-applications are then grouped into easy-to-understand categories, so firewall administrators can allow or deny access to specific parts of a "large" application (for example, Facebook micro-applications fall into categories such as "business," "community," "education," "entertainment" and "games"). As a result, IT departments can give users access to more applications while minimizing outright bans.
Cisco ASA CX leverages the context-aware Cisco SecureX Framework security architecture across unified access networks, edge networks, enterprise and data center networks, and cloud segments. The architecture is supported by Cisco's security products and services. According to Cisco, ASA CX is the only solution that uses SecureX to tap intelligent network functions, aggregate data from the LAN via Cisco AnyConnect Secure Mobility, and obtain near-real-time threat intelligence from the Cisco Security Intelligence Operations (SIO) global center.
The solution lets network administrators deploy devices and applications with a high level of security and manageability. Administrators get clear information about the device type, the operating system installed on it, its location and its current security posture.
2022
Fix for a high-severity vulnerability that exposes the RSA private key
Cisco fixed a high-severity vulnerability affecting Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software; this became known on August 11, 2022. CVE-2022-20866, with a CVSS score of 7.4, is caused by a flaw in how RSA keys are handled on ASA and FTD devices. Affected keys may be valid yet have characteristics that make the private key recoverable; they may also be malformed and non-functional, in which case TLS connections that use them fail with a signing error.
If successfully exploited, the flaw lets an unauthenticated remote attacker obtain the RSA private key, which can then be used to decrypt device traffic or to impersonate the Cisco ASA/FTD device.
According to the Cisco security advisory, the vulnerability is due to a logic error in how the RSA key is stored in memory on hardware platforms that perform hardware-based cryptography. An attacker can exploit it with a side-channel technique known as the Lenstra attack, which factors an RSA modulus from a single faulty CRT signature. RSA keys on vulnerable software versions are at risk regardless of where they were generated.
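The Lenstra attack named in the advisory targets RSA signatures computed with the Chinese Remainder Theorem: if one of the two half-computations is disturbed, a single faulty signature on a known message is enough to factor the modulus. The following is an added worked example, not Cisco code and not a reproduction of the ASA/FTD flaw. It uses a constructed toy key, simulates a fault in the mod-q half, recovers p with a gcd, and shows the standard countermeasure of verifying a signature with the public key before releasing it, so a device never emits the faulty value the attacker needs.

```python
"""Lenstra's fault attack on RSA-CRT signatures (added toy demonstration).

Constructed example: a deliberately small RSA key, a CRT signer with an
optional injected fault, the attacker's gcd step, and a checked signer
that refuses to release a signature that does not verify.
"""
from math import gcd
from typing import Optional

# Toy RSA parameters (constructed; far too small for real use).
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

# CRT parameters, as a hardware RSA engine would store them.
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)


def sign_crt(m: int, fault_in_q: bool = False) -> int:
    """RSA-CRT signature of m (Garner recombination).

    With fault_in_q set, the mod-q half is disturbed by one bit, standing
    in for a glitch or a corrupted stored key component. The mod-p half
    stays correct, so the result is still right modulo p and wrong
    modulo q, which is exactly the condition Lenstra's attack needs.
    """
    s_p = pow(m, DP, P)
    s_q = pow(m, DQ, Q)
    if fault_in_q:
        s_q ^= 1
    h = (QINV * (s_p - s_q)) % P
    return s_q + h * Q


def verify(m: int, s: int) -> bool:
    """Public-key check: s^e == m (mod n)."""
    return pow(s, E, N) == m % N


def sign_crt_checked(m: int, fault_in_q: bool = False) -> Optional[int]:
    """Countermeasure: verify with the public key before releasing the
    signature. A faulty result is withheld, so there is nothing to gcd."""
    s = sign_crt(m, fault_in_q)
    return s if verify(m, s) else None


def lenstra_recover_factor(m: int, faulty_sig: int) -> int:
    """Attacker side. Only m (the signed message) and one faulty
    signature are needed: s'^e - m is divisible by the prime whose half
    was computed correctly, and by no other factor of n."""
    return gcd((pow(faulty_sig, E, N) - m) % N, N)


def demo(m: int = 123456789):
    """Returns (good signature verifies, faulty one verifies,
    factor recovered from the faulty signature, checked signer output
    for the faulty run)."""
    good = sign_crt(m)
    bad = sign_crt(m, fault_in_q=True)
    return (verify(m, good),
            verify(m, bad),
            lenstra_recover_factor(m, bad),
            sign_crt_checked(m, fault_in_q=True))


if __name__ == "__main__":
    ok, faulty_ok, factor, withheld = demo()
    print("good signature verifies:", ok)
    print("faulty signature verifies:", faulty_ok)
    print("factor recovered from faulty signature equals p:", factor == P)
    print("checked signer released the faulty signature:", withheld is not None)
```

The attacker needs neither the key nor the device's internals, only one signature that is wrong in exactly one CRT half and the message it signs; that is why the advisory treats any key ever configured on a vulnerable platform as potentially exposed.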
The vulnerability affects Cisco products running vulnerable Cisco ASA software (9.16.1 and later) or Cisco FTD software (7.0.0 and later) that perform hardware-based cryptographic functions:
- ASA 5506-X with FirePOWER Services;
- ASA 5506H-X with FirePOWER Services;
- ASA 5506W-X with FirePOWER Services;
- ASA 5508-X with FirePOWER Services;
- ASA 5516-X with FirePOWER Services;
- Firepower 1000 Series Next-Generation Firewall;
- Firepower 2100 Series Security Appliances;
- Firepower 4100 Series Security Appliances;
- Firepower 9300 Series Security Appliances;
- Secure Firewall 3100.
Cisco also notes that if a vulnerable key was ever configured for use, the private key may already have been exfiltrated. Administrators of Cisco ASA or FTD devices may therefore need to delete malformed or vulnerable RSA keys and revoke any certificates associated with them.
The Cisco Product Security Incident Response Team (PSIRT) found no evidence of the flaw being exploited in attacks, although information about the vulnerability had already been published. Cisco's advisory gives further detail on vulnerable configurations and indicators of compromise for fixed versions of Cisco ASA and FTD[1].
Fix for a vulnerability that could let an attacker into the internal network
A Cisco ASA vulnerability could let an attacker into the internal network; this became known on May 25, 2022.
Cisco has released a software update that fixes this vulnerability.
Cisco fixed a heap overflow vulnerability (CVE-2022-20737[2], CVSS 3.0 score 8.5) in the Cisco Adaptive Security Appliance (ASA)[3], discovered by Positive Technologies researcher Nikita Abramov. The vulnerability allows an authenticated attacker to cause a denial of service (DoS) on a vulnerable device or to read its memory, which may contain confidential information.
"If an attacker has access to the SSL VPN remote-access client tool built into the Cisco ASA, he can use it to form special requests and send them on to a site controlled by the attacker. A certain sequence of such requests can lead to a leak of the contents of Cisco ASA memory, which in turn may contain confidential data such as cookies or sessions of active users, part of the configuration data, usernames and passwords, and much more. With this information one can, for example, reach another subnet or even gain access to the administrator panel. The vulnerability also allows the Cisco ASA to be made to malfunction, in particular by deactivating the remote access tool for all firewall users," said Nikita Abramov. |
2021: Fix for a denial-of-service vulnerability
On May 7, 2021, Positive Technologies announced the discovery of two vulnerabilities in the software of Cisco's Adaptive Security Appliance and Firepower Threat Defense hardware firewalls. According to the company, the vulnerabilities are extremely widespread, affecting hundreds of thousands of devices.
"The main danger is the ability to send a specially crafted packet that will cause a denial of service on the firewall," notes Nikita Abramov. "Along the way the device will be rebooted, and users will lose the ability to get into the organization's internal network (for example, through a VPN connection), which can seriously affect business processes during a pandemic. The number of devices exposed to these vulnerabilities is comparable to the amount of hardware affected by CVE-2020-3259, which was detected on 220,000 devices." |
The attack requires no additional rights, access or authorization: it is enough to send a certain request along a certain path. According to the expert, any organization that uses vulnerable devices to give employees access to internal resources (through VPN) is at risk.
Both errors, CVE-2021-1445 and CVE-2021-1504, received a score of 8.6 on the CVSS 3.1 scale, which corresponds to high severity. Technically they are logic errors, which often arise from developer oversight and insufficient testing during development.
To eliminate the vulnerabilities, follow the recommendations in Cisco's official advisory. If an attack does succeed, one way to spot signs of intrusion is a SIEM-class system that can identify suspicious behaviour, register an incident and promptly stop attackers moving further within the corporate network.
2020
Fix for a vulnerability that gives access to files of the device's web interface
On July 23, 2020, Positive Technologies reported that its expert Mikhail Klyuchnikov had found a dangerous vulnerability in the Cisco ASA firewall: a read-only path traversal through which a remote unauthenticated attacker can access files related to the device's web interface, with the risk of disclosing confidential information. Cisco released an update fixing this bug and recommends installing the patch as soon as possible.
"The vulnerability, which received the identifier CVE-2020-3452 and a score of 7.5 on the CVSSv3 scale, is rated high severity. The error exists due to insufficient validation of input data. It is enough for an attacker to send a specially crafted HTTP request to gain access to the file system (RamFS), which stores data in RAM. An attacker can potentially read some files related to WebVPN, which can contain information such as the WebVPN configuration of Cisco ASA users, bookmarks, cookies, web content and HTTP URLs," said Positive Technologies expert Mikhail Klyuchnikov. |
To fix the vulnerability, upgrade the Cisco ASA to the latest version.
Fix for two remotely exploitable vulnerabilities
On May 8, 2020, Positive Technologies announced that its experts Mikhail Klyuchnikov and Nikita Abramov had identified and helped eliminate two critical vulnerabilities in the Cisco ASA firewall. Exploiting them could leave company employees unable to connect to the VPN or let an attacker into the corporate network. Cisco has released updates, and Positive Technologies recommends installing them as soon as possible.
Since the beginning of January 2020, the number of Internet-exposed vulnerable Cisco ASAs, on which the VPN can be disabled or a user's session identifier for the enterprise's internal network intercepted within a minute, has grown by 30%, from 170 thousand to more than 220 thousand. Almost half of these devices (47%) are in the United States, followed by the United Kingdom (6%), Germany and Canada (4% each), and Japan and Russia (2% each). According to a survey cited by the company, Cisco VPN leads as the means of remote access in large Russian companies: 28% of respondents reported using it.
The first vulnerability, CVE-2020-3187, was rated 9.1, which is critical. Exploiting it does not require high skill: through a flaw in WebVPN, an unauthenticated external attacker can cause a denial of service on Cisco ASA devices simply by deleting files from the system, thereby disabling the VPN. The error also lets the attacker read some files related to the VPN web interface.
"Blocking the VPN threatens to disrupt many business processes. For example, connectivity between branches in a distributed corporate network may be broken, and email, ERP and other key systems may also stop working. Another problem is the possible unavailability of internal resources for employees working remotely. This is extremely dangerous, since many companies are switching or have already switched to remote work in connection with the coronavirus outbreak," said Mikhail Klyuchnikov, the Positive Technologies expert who identified the vulnerability. |
The second vulnerability in Cisco ASA, discovered by Mikhail Klyuchnikov and Nikita Abramov, was rated 7.5 (CVE-2020-3259). Exploiting it lets an attacker read parts of the device's heap memory and obtain the current session identifier of a user connected to the Cisco VPN. Using the Cisco VPN client, the attacker can then present the stolen session identifier and log in to the organization's internal network. Cisco ASA memory may also hold other sensitive information useful for further attacks, such as usernames, email addresses and certificates. This vulnerability is also exploitable remotely and requires no authorization.
Positive Technologies notes that to fix the vulnerabilities you need to update the Cisco ASA to the latest version. Companies can also use application-level firewalls to block possible attacks: for example, PT Application Firewall detects and blocks exploitation of CVE-2020-3187 out of the box (the system should be switched to blocking mode for real-time protection), and with its latest update also detects and blocks attacks through CVE-2020-3259. For timely detection of such vulnerabilities in the infrastructure, automated vulnerability scanners such as MaxPatrol 8 are recommended.
Positive Technologies emphasizes that insufficient attention to eliminating these vulnerabilities, together with the overall growth in the number of remote desktops vulnerable to BlueKeep (CVE-2019-0708), significantly increases attackers' chances of successful attacks aimed at accessing confidential information and business-critical networks and systems (including industrial networks, ATM management networks, payment processing and 1C servers).
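Both CVE-2020-3452 (July 2020, above) and CVE-2020-3187 (May 2020) are path traversals reached through crafted HTTP requests to the WebVPN web services, so the signs of an attempt end up in the HTTP access log: a request into a WebVPN directory whose path or query, once URL-decoded, walks upward with `..`. The following is an added example, not Cisco code and not a reproduction of either exploit: a small scanner over constructed access-log lines in combined log format. It decodes the request target repeatedly (so double-encoded `%252e%252e` is caught), splits it into segments, flags any `..` segment, and rates requests into the WebVPN directories `+CSCOE+`, `+CSCOT+` and `+CSCOU+` higher than traversal attempts elsewhere. The log lines and addresses are constructed for the example.

```python
"""Flag path-traversal attempts against ASA WebVPN paths in HTTP access logs.

Added example with constructed log lines; not Cisco code. It decodes the
request target (including double URL-encoding), splits it into segments
and flags any '..' segment, rating requests into the WebVPN directories
higher than the rest.
"""
import re
from urllib.parse import unquote

# Directories served by the ASA clientless SSL VPN (WebVPN).
WEBVPN_PREFIXES = ("/+CSCOE+/", "/+CSCOT+/", "/+CSCOU+/")

# Combined-log-format line: src, ident, user, [ts], "METHOD TARGET PROTO", status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: two benign WebVPN hits, two encoded traversals into
# WebVPN paths and one double-encoded traversal elsewhere.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jul/2020:10:01:02 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 3141
203.0.113.9 - - [22/Jul/2020:10:01:05 +0000] "GET /+CSCOE+/portal.html?target=../../ HTTP/1.1" 200 512
203.0.113.9 - - [22/Jul/2020:10:01:07 +0000] "GET /+CSCOT+/files?name=%2e%2e%2f%2e%2e%2f HTTP/1.1" 200 88
198.51.100.2 - - [22/Jul/2020:10:02:00 +0000] "GET /+CSCOU+/csco_logo.gif HTTP/1.1" 200 1420
198.51.100.7 - - [22/Jul/2020:10:02:10 +0000] "GET /%252e%252e/%252e%252e/admin HTTP/1.1" 404 0
"""


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so %252e%252e (double-encoded '..') is
    seen as '..'; bounded so a hostile input cannot loop forever."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target: str) -> bool:
    """True if any path or query segment of the decoded target is '..'."""
    decoded = fully_decode(target).replace("\\", "/")
    return ".." in re.split(r"[/?&=]", decoded)


def scan(log_text: str):
    """Return (src, severity, status, target) for every traversal attempt;
    severity is 'high' when the decoded path is under a WebVPN directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m.group("target")):
            continue
        path = fully_decode(m.group("target").split("?", 1)[0])
        severity = "high" if path.startswith(WEBVPN_PREFIXES) else "medium"
        hits.append((m.group("src"), severity, m.group("status"), m.group("target")))
    return hits


if __name__ == "__main__":
    for src, severity, status, target in scan(SAMPLE_LOG):
        print(f"{severity:6} {src:15} {status} {target}")
```

A 200 response on a flagged WebVPN request is the case to escalate: on a patched device the traversal is rejected, so a successful status suggests either an unpatched appliance or a false positive worth a manual look. Traversal outside the WebVPN directories is still reported, because the same request pattern is used against other web services and scanners tend to sweep every prefix.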
2017: ELVIS-PLUS expands ASA 5500 support services
On July 19, 2017, ELVIS-PLUS announced an expansion of its service portfolio, offering certification and technical support services for Cisco Systems' ASA 5500 series firewalls.
Current regulator requirements oblige the applicant organization to support and update the software throughout the product's life cycle, and foreign suppliers must distribute their updates through the local resources of Russian legal entities[4].
ELVIS-PLUS holds the necessary authority and competencies and is ready to organize certification testing of Cisco ASA 5500 series firewalls in the FSTEC of Russia certification system, as well as timely operational support and software updates addressing identified vulnerabilities.
"By entrusting certification to our company, customers will not only significantly reduce the time and financial costs of obtaining the documents that allow these products to be used for protecting confidential information, but will also receive a guaranteed and timely service for obtaining updates that neutralize vulnerabilities found in the product," said Sergei Akimov, Deputy General Director of ELVIS-PLUS. |
2016: Russian FSTEC certificate for the Cisco ASA series extended
In the summer of 2016 the FSTEC of Russia certificate was renewed under the "series" scheme for a new software version for the Cisco ASA platform, which allows the advanced FirePOWER security functionality to be installed on it. Certification was carried out by the testing laboratory SATEL.
The updated certificate No. 2934 for the Cisco ASA 5500-X firewall confirmed that the then-latest version of Cisco's flagship network security product (9.6) meets the requirements of the FSTEC guidance document "Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of protection against unauthorized access to information" for the 3rd protection class.
Cisco Firepower services installed on the Cisco ASA 5500-X platform blocked 99.2% of threats in independent next-generation firewall testing by NSS Labs in 2015. Only Cisco ASA with FirePOWER Services, which adds next-generation firewall, next-generation intrusion prevention, malware control, a vulnerability scanner and other advanced security functions, showed this level of effectiveness in that test.
2014: Cisco ASA 5500 with FirePOWER features
On September 16, 2014, Cisco introduced what it called the industry's first threat-focused firewall, Cisco ASA with FirePOWER Services.
Cisco ASA 5500 with FirePOWER Features
With the industry's first threat-focused next-generation firewall, Cisco says, companies get a new tool against sophisticated threats. Cisco ASA with FirePOWER Services provides full context awareness and dynamic security controls for automated threat assessment, correlated analytics and security optimization across the network. By combining the Cisco ASA 5500 firewall with application control, next-generation intrusion prevention (NGIPS) developed by Sourcefire, and Advanced Malware Protection (AMP), Cisco created a solution for protection across the whole attack lifecycle.
Cisco ASA with FirePOWER Services is an adaptive, threat-focused solution that provides layered protection and capabilities not available in previous next-generation firewalls. Until then, next-generation firewalls had focused on policies and application control and were poorly equipped against modern and zero-day attacks.
Cisco ASA with FirePOWER Services takes a different approach, based on visibility, threat focus and platform integration:
- Visibility means full context awareness (users, mobile devices, client applications, virtual machine interactions, vulnerabilities, threats, URLs and other telemetry). Users get enterprise-class management: dashboards and detailed reports on detected hosts, suspicious applications, threats and indicators of compromise, making network activity fully visible.
- Threat focus. Cisco ASA with FirePOWER Services includes leading next-generation intrusion prevention for protection against known and current threats, plus AMP against zero-day and targeted attacks. Cisco CSI big-data analytics, continuous analysis and the collective security intelligence ecosystem provide detection, blocking, tracking, analysis and remediation against the full range of known and unknown threats.
- Platform integration. Cisco ASA with FirePOWER Services combines firewall, application control, leading next-generation intrusion prevention and advanced threat detection and remediation in a single device. This strengthens protection of the corporate information system while reducing complexity and maintenance costs, simplifies the security architecture and saves network resources (fewer security devices to deploy and manage; additional subscriptions can be purchased to extend functionality).
Cisco ASA with FirePOWER provides comprehensive threat protection and helps companies deal with the most serious security risks: today's threats and zero-day threats.
Cisco ASA with FirePOWER Services provides monitoring and continuous analysis to detect modern multi-vector threats, simplifying and automating response to known and unknown malware. Users receive holistic, actionable indicators of compromise that speed up threat investigation and remediation using retrospective data. Built-in features also help assess the scope of an incident and automatically update detection policies.
These capabilities are delivered by an enterprise-class firewall with stateful connection control, VPN, clustering and application-level control. Together these components implement firewall-specific next-generation threat detection policies. Integration with open-source components such as Snort, OpenAppID and ClamAV lets customers quickly configure protection for any application against new or known threats.
2012
Cisco ASA 5500-X
The Cisco ASA security appliance family includes the ASA 5512-X, 5515-X, 5525-X, 5545-X and 5555-X models, optimized for deployment at the Internet edge of both small and large enterprises. Context-aware through the Cisco SecureX Framework architecture, these devices deliver many security services without additional hardware modules, operate at multi-gigabit speeds, offer a wide range of interfaces and have redundant power supplies, all in a compact 1RU chassis. Optionally, broader and deeper protection is available through integrated cloud-based and virtualized security services backed by the Cisco SIO threat analysis center.
In September 2012, Cisco announced new security solutions designed to protect data centers from threats arising from the move to more consolidated and virtualized environments, and to let customers benefit from new cloud business models. The announced solutions expand the ability of data center and security specialists to comprehensively protect high-performance data centers and mobile employees.
Announced: new highly scalable software for the Cisco Adaptive Security Appliance (ASA), which Cisco describes as the world's most widely deployed firewall; a virtualized ASA firewall for multi-tenant environments; an Intrusion Prevention System (IPS) for data centers; and new enhancements to the Cisco AnyConnect Secure Mobility Client addressing the demands of employees seeking greater mobility and productivity.
Virtualization and cloud computing can be called a "megatrend" that is profoundly changing data centers, affecting every aspect of their operation, from IT services to business models and architectures. Handled well, such trends give businesses advantages such as lower capital expenditure and new ways to grow efficiency, flexibility and scalability, much needed in the era of globalization. With these solutions Cisco aims to help security teams with a number of important tasks: meeting the requirements of rapidly changing high-performance virtual and cloud infrastructures, increasingly complex networks, strict legal and regulatory demands, and employees who bring their own devices to work.
Starting from the premise that reliable protection of unified data centers requires security tightly integrated into the network, Cisco advocates unifying network policy across the physical and virtual worlds. Communication between virtual machines and application access from fixed and mobile clients also need protection. This approach became essential once customers began considering the move to cloud computing and a more flexible corporate culture that lets employees work on any device, and the latest Cisco products fully support it.
The Cisco ASA 5500-X firewall (ASA 5512/5515/5525/5545/5555/5585 models) received a three-year FSTEC certificate in the summer of 2013. The device was recognized as meeting the requirements of the guidance document "Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of protection against unauthorized access to information" for the 3rd protection class.
Certification was carried out under the "series" scheme by the testing laboratory of ZAO Documentary Systems, so buyers of Cisco ASA 5500-X firewalls can in future save time and money on obtaining the documents that allow their use for protecting confidential information. The applicant for certification was Verkom LLC.
Cisco ASA 9.0
This release raises platform performance to the level required by large data centers, supporting firewall throughput of up to 320 Gbit/s and IPS throughput of up to 60 Gbit/s. The platform now supports up to 1 million connections per second and 50 million concurrent connections, which Cisco says is eight times the density of competing solutions.
The Cisco ASA 9.0 platform lets customers pay for resources incrementally as the system scales and virtual machine traffic grows, avoiding large capital outlays at the start of a project. Scaling is achieved through clustering, which lets IT staff manage a stack of ASAs as a single logical device.
The platform is context-aware, which lifts visibility and manageability to a new level. It supports Cisco TrustSec security group tags and identity-based filtering, which improve visibility and allow more accurate and granular network policies. The platform supports multi-tenancy and cloud security.
Cisco ASA 9.0 integrates with Cisco Cloud Web Security (formerly ScanSafe), enabling deep content scanning without compromising ASA firewall performance.
Finally, this platform supports secure remote access over IPv6 with minimal performance loss, as well as next-generation encryption, including the NSA Suite B cryptographic algorithms.
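The next-generation encryption mentioned above is configured on the ASA through IKEv2 policies and IPsec proposals. The following is an added illustration, not taken from the page or from Cisco documentation: a legacy policy of the kind often left behind after in-place upgrades, beside a Suite B policy that ASA 9.0 and later accept. It assumes an outside interface named `outside`, that the strong encryption (K9) license is installed, and that the policy numbers and proposal name are arbitrary.

```text
! Legacy parameters still common on ASAs upgraded in place: 3DES, SHA-1
! and DH group 2 (1024-bit MODP) are all below current guidance.
crypto ikev2 policy 20
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

! Suite B equivalent available from ASA 9.0: AES-256-GCM (an AEAD mode,
! so the separate integrity algorithm is set to null), ECDH group 21
! (P-521) and a SHA-512 PRF. The lower policy number is preferred.
crypto ikev2 policy 1
 encryption aes-gcm-256
 integrity null
 group 21
 prf sha512
 lifetime seconds 86400

! Matching ESP proposal; again GCM authenticates on its own.
crypto ipsec ikev2 ipsec-proposal SUITEB-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity null

crypto ikev2 enable outside
```

Policies are tried in numerical order, so peers that support Suite B negotiate policy 1 while older peers fall back to policy 20 until they are migrated; remove the legacy policy once they are, since an attacker positioned to downgrade will otherwise steer the negotiation to it. The proposal still has to be referenced from a crypto map or dynamic map to take effect, and `show crypto ikev2 sa detail` shows which suite a live SA actually negotiated.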
Cisco ASA 1000V: core ASA technology optimized for virtual and cloud environments
This ASA firewall is designed for multi-tenant virtual and cloud infrastructures. Unlike competing offerings, Cisco says, it goes beyond a conventional physical ASA image running in a virtual machine, giving the customer greater flexibility and resource efficiency.
One ASA 1000V instance can protect multiple workloads with different security policies on different ESX hosts, which reduces deployment complexity and improves scalability in a heterogeneous environment.
The solution protects the edge of the customer's network and divides the network into secure segments, maintaining consistent security across physical, virtual and cloud environments (both private and public) with a proven firewall.
The solution includes the Cisco Nexus 1000V virtual switch and complements the Cisco Virtual Security Gateway (VSG), together forming a comprehensive system for protecting virtual and cloud infrastructures.
The Cisco ASA firewall is now available not only as hardware but also as a standalone virtual machine. The Cisco ASA 1000V Cloud Firewall is optimized for securing multi-tenant infrastructures and is able to protect physical, virtual and cloud infrastructures together.
Built on proven Adaptive Security Appliance (ASA) technology, the Cisco ASA 1000V targets virtual and cloud environments. It differs from the conventional hardware ASA only in being virtual, which shows in its high availability and independence from the underlying infrastructure. Going beyond a standard ASA image running in a virtual machine, the Cisco ASA 1000V offers particular management flexibility and resource efficiency which, together with the established stability and broad functionality of ASA technology, distinguishes it from competing offerings.
The Cisco Virtual Security Gateway (VSG) traffic control component provides security in multi-tenant environments, gateway functionality and protection against network attacks. It is complemented by the Cisco Nexus 1000V switch, integration with which secures several VMware ESX hosts at once, increasing scalability in a heterogeneous environment and simplifying deployment.
The Cisco ASA 1000V firewall also uses Cisco Virtual Network Management Center, which offers:
- Rapid, scale-out deployment with dynamic, template-based policy management built on security profiles;
- Greater management flexibility through an XML API that enables integration with third-party management tools;
- Coordinated management of the relevant network interfaces, servers and security administrators.
By dividing the network into secure segments and covering edge areas, Cisco ASA 1000V provides comprehensive security for physical, virtual and cloud environments based on a proven firewall.
Cisco IPS 4500 Series Intrusion Prevention System (IPS) for the data center
This system delivers what Cisco describes as the industry's highest performance and density, 10 Gbit/s per rack, and the highest application protection efficiency in the data center. Designed specifically for data centers, it protects critical resources with a compact (2RU) IPS appliance offering high performance and density.
The solution lets intrusion prevention (IPS) functions be integrated into a wide variety of networks and interoperate with existing network elements, and it supports effective threat containment decisions by taking into account IPS context and network reputation.
Notes
- ↑ Cisco has fixed a dangerous vulnerability that discloses the RSA key, https://www.securitylab.ru/news/533288.php
- ↑ Cisco ASA vulnerability could allow an attacker to enter the internal network, https://www.securitylab.ru/news/531855.php
- ↑ Ibid.
- ↑ ELVIS-PLUS has engaged in certification and technical support of Cisco ASA 5500 series firewalls