In the ASA CX, application control is straightforward and simple: "block" or "allow." There are no other options, such as redirecting to a warning page or sending an alert (although this could be done by scanning the logs). With that in mind, we dove in and started testing the ability of the ASA CX to dive deep into applications.
Compared to our test of other NGFW appliances a year ago, the ASA CX did surprisingly well with a 60% identification and block rate, essentially tying with our top performer (SonicWALL) and narrowly edging our second-best performer, Check Point.
The ASA CX has nice granularity for many applications. For example, with LinkedIn, the ASA CX lets you allow most of LinkedIn, but block job searches or posts. In some cases, the ASA CX divides applications into multiple categories — for example, there are five LinkedIn applications and 10 Facebook ones. In popular applications, the ASA CX let us focus on more specific application behaviors, such as posting vs. reading or uploading vs. downloading. The design is well thought-out from a security manager's perspective trying to map a security policy to a firewall rule set.
Failure to identify and block applications can come from two sources: bugs, or just not supporting the application in the first place. With the ASA CX, we found a little of each. For example, with Skype, the ASA CX just didn't work if we engaged in any type of evasion.
In our case, we evaded the Skype filter using the oh-so-stealthy "wait for a few minutes" uber-hacker technique. While the ASA CX blocked Skype initially, if we simply waited a few minutes, calls would go through. In other cases, such as H.323 conferencing, Microsoft Exchange, and Sophos anti-virus updates, the ASA CX didn't work at all even though these applications were part of its repertoire.
Our testing from a year ago was all based on laptop clients, both Mac and Windows. With the ASA CX, though, we added a new twist by trying handheld devices for two commonly mentioned applications: Facebook and LinkedIn. The ASA CX didn't do its job when we used the native applications to connect to these services.
We did see that the ASA CX team learned from the mistakes of their peers. For example, in our testing last year we were able to work around all the other next-generation firewalls' attempts to block Google Mail by simply using the basic HTML interface. That trick didn't work with the ASA CX, which stubbornly blocked us no matter what we tried.
The ASA CX was also fully IPv6-aware: if it blocked an application on IPv4, the same block worked over IPv6, whether we used a laptop or an iPad.