A different issue that slowed us is the list of trusted root certification authorities pre-loaded by Cisco. The ASA CX will engage in man-in-the-middle SSL decryption only if the server presents a certificate that chains to a CA the ASA CX trusts, and Cisco doesn't release the list of CAs it trusts, leaving you to guess and debug. Most of our tests were fine, but we did run into a few perfectly legitimate servers that the ASA CX wouldn't trust until we tracked down their CA and intermediate CA certificates and loaded them ourselves. The missing list makes debugging hard, and there is no legitimate reason to keep it secret: every other product with similar trust settings, such as Windows and Mac OS X, is happy to let you see and edit the list of trusted CAs.
The ASA CX did not fare well in our test of invalid certificates, potentially hiding revoked or incorrect certificates from the end user. When a server hands a certificate to the ASA CX as part of the SSL handshake, the ASA CX does not do full checks on that certificate. It then replaces the certificate with one it creates and signs itself, so the client only ever sees the ASA CX's freshly minted certificate, and any revocation information about the original is lost. In simpler terms, the main mechanisms in the world of digital certificates and X.509 for detecting a bad certificate are not correctly implemented by the ASA CX. The gap is narrow but very significant, especially for spear-phishing attacks, where a revoked or otherwise invalid certificate for a legitimate name is exactly what an attacker would present, and every client behind the ASA CX would see it as clean.
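The two problems above come down to a trust store you cannot inspect and a validation step that stops short of revocation. The script below is an added example, written for this article rather than taken from Cisco or from the ASA CX, using only the openssl command line. It builds a throwaway trust store, prints the trusted-CA list an administrator ought to be able to see, shows a server certificate being refused until its issuing CA is added, and then contrasts a chain-and-hostname check with a full check that also consults a CRL, which is the check an intercepting proxy must perform before it re-signs anything. The CA names, the host name www.example.test, the configuration file and the CRL are all constructed for the example.

```shell
#!/bin/sh
# Added example, not Cisco's code and not from the original review. Everything
# below (CA names, www.example.test, ca.cnf, the CRL) is constructed locally.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints     = CA:FALSE
keyUsage             = critical,digitalSignature,keyEncipherment
extendedKeyUsage     = serverAuth
subjectAltName       = DNS:www.example.test
[ ca ]
default_ca = example_ca
[ example_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial
private_key      = ca.key
certificate      = ca.pem
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = example_policy
[ example_policy ]
commonName = supplied
EOF
touch index.txt; echo 1000 > serial

# make_ca NAME KEYFILE CERTFILE: self-signed root with CA:TRUE and cRLSign.
make_ca() {
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Corp/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
}

# issue_leaf CAKEY CACERT KEYFILE CERTFILE: server certificate for www.example.test.
issue_leaf() {
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" -keyout "$3" -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA "$2" -CAkey "$1" -CAcreateserial -days 1 \
        -extfile ca.cnf -extensions v3_leaf -out "$4" 2>/dev/null
}

# list_trusted_cas BUNDLE: subject, expiry and SHA-256 fingerprint of every CA
# in a PEM bundle, i.e. the view the review says the ASA CX does not offer.
list_trusted_cas() {
    rm -rf split; mkdir split
    awk '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > ("split/" n ".pem")}' "$1"
    for f in split/*.pem; do
        openssl x509 -in "$f" -noout -subject -enddate -fingerprint -sha256
    done
}

# verify_chain_only BUNDLE CERT HOST: chain building and host-name match only.
verify_chain_only() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# verify_full BUNDLE CRL CERT HOST: the same, plus revocation status from the CRL.
verify_full() {
    openssl verify -CAfile "$1" -CRLfile "$2" -crl_check -verify_hostname "$4" "$3" \
        >/dev/null 2>&1
}

# --- demo -------------------------------------------------------------------
make_ca "Example Root CA" ca.key ca.pem          # issues the server certificate
make_ca "Other Root CA"   other.key other.pem    # an unrelated trust anchor
issue_leaf ca.key ca.pem server.key server.pem

cat other.pem > trusted.pem                       # trust store lacks the issuer
if verify_chain_only trusted.pem server.pem www.example.test; then
    echo "unexpected: untrusted issuer accepted" >&2; exit 1
else
    echo "issuer not in trust store: server would be refused"
fi

cat ca.pem other.pem > trusted.pem                # add the CA, as the review had to
echo "trusted CAs now loaded:"; list_trusted_cas trusted.pem

# Revoke the server certificate and publish a CRL from the issuing CA.
openssl ca -config ca.cnf -revoke server.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null

if verify_chain_only trusted.pem server.pem www.example.test; then
    echo "chain+hostname only: OK (revocation never consulted)"
fi
if verify_full trusted.pem crl.pem server.pem www.example.test; then
    echo "unexpected: revoked certificate accepted" >&2; exit 1
else
    echo "full check with CRL: revoked; a re-signed copy would hide this from clients"
fi
```

The last two checks are the whole point: the chain-only verification passes for a certificate the issuer has already revoked, and a device that re-signs after such a check hands clients a certificate that looks fine. Pointing `list_trusted_cas` at your own bundle gives the inventory the ASA CX keeps hidden.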
Next generation visibility and management
We found that the ASA CX with Cisco Prime Security Manager (PRSM) provides outstanding visibility into application type and flow statistics, with strong drill-down capabilities and a well-designed interface. However, the ASA's overall management tooling is changing rapidly, and we found it difficult to evaluate the rest of the management interface.
The ASA's standard management interface, for those who don't want to use the command line interface, is ASDM (Adaptive Security Device Manager), a Java-based GUI that is used to handle most aspects of ASA configuration and management. ASDM has evolved into a stable and powerful product. ASDM isn't the most elegant interface for managing a firewall and is tightly tied to the command-line configurations it generates, but it's solid and gets the job done fairly quickly.
Prime is Cisco's new management interface, designed to work across its security, switching and routing product lines. When managing firewalls, Cisco calls it PRSM, a web-based GUI that can be run either on-box, directly on the ASA, or on a separate management server. Although on-box operation is supported, we think that anyone managing more than a single ASA CX should opt for a separate management appliance, even at the additional modest cost ($3,000 list price for five devices).