How's that firewall looking?
We started our testing by reviewing the ASA CX's basic firewall capabilities. As the great-grandchild of Cisco's PIX and VPN Concentrator 3000 series, the ASA remains a significant presence in many enterprises. When we tested the ASA as an end-user VPN concentrator with the AnyConnect Secure Mobility Solution v3.0 two years ago, we knew enterprise network managers would be happy — Cisco delivered solid client support across multiple platforms, end-point posture assessment, integration with their WSA web security gateways and solid performance.
Although we didn't dive deep into this part of the ASA, things haven't changed, and the ASA still looks great as a VPN concentrator for remote access.
For this review, we tested firewall features in 10 areas and found a mixed bag with strong pluses and a few minuses. Unfortunately, our biggest complaint is in the most important part of any basic firewall: policy management. The core ASA firewall has to filter traffic before it gets to the next-generation application controls, making policy management important. We found this part of the ASA policy, called ACLs (access control lists), to be problematic.
The ASA is unusual among enterprise firewalls because it's not zone-based (although Cisco IOS firewall is), which means that any deployment with more than two interfaces (or security zones) can get very complicated, very quickly. For example, to build our policy, which differentiated between three types of trusted users, servers and the Internet, we had to write more rules than one would use in a zone-based firewall, in some cases defining two rules in different directions on different interfaces to cover the same traffic. That means writing rules to cover both traffic going into an interface and traffic going out of the same interface — a strange way of thinking that takes a while to get used to and, more importantly, leads to larger rule sets.
The larger the rule set, the more likely it is to have an error, and the more difficult it is to understand. Since the default behavior for the core firewall is "drop everything" and the next-generation firewall is "permit everything," you don't want anything to percolate up to the next-generation part that you're not comfortable with.
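To make the two-direction pattern concrete, here is a hypothetical ASA configuration fragment added for this article (not Cisco's sample configuration and not the reviewers' test policy; interface names, subnets and the service port are assumed). One user group is allowed to reach a web server over HTTPS, and because an outbound ACL also gates the servers interface, the same flow has to be permitted twice:

```text
! Interface names (nameif), security levels and addresses are assumed for illustration
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif users
 security-level 50
interface GigabitEthernet0/2
 nameif servers
 security-level 80
!
! Rule 1: ingress on the users interface. Once an ACL is bound inbound,
! anything it does not permit is dropped by the implicit deny at the end.
access-list USERS_IN extended permit tcp 10.10.0.0 255.255.255.0 10.20.0.10 255.255.255.255 eq 443
access-list USERS_IN extended deny ip any any log
access-group USERS_IN in interface users
!
! Rule 2: egress on the servers interface. This ACL exists to control what
! reaches the servers from every other interface (the other user groups and
! the Internet), but it also means the same users-to-server HTTPS flow must
! be matched a second time. Both lists must be kept in step on every change.
access-list SERVERS_OUT extended permit tcp 10.10.0.0 255.255.255.0 10.20.0.10 255.255.255.255 eq 443
access-list SERVERS_OUT extended deny ip any any log
access-group SERVERS_OUT out interface servers
```

In a zone-based firewall the same intent is a single users-to-servers rule; here every additional user group or service needs an entry in both lists, which is where the larger rule sets and the risk of a mismatch come from.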
The ASA's lack of integration of VPN access controls with other ACLs is also a complicating factor that can lead to human error in networks where the same ASA is used both for VPN and standard firewalling. Our advice: don't do that, at least not in any complicated network. These devices are inexpensive enough that you can get one for remote access and another one for firewalling and avoid potential security problems at very little cost.