

Device Security Master

By:
Mehtab Rohela
Muhammad Taha
Table Of Contents

• Introduction
• Features
• Application
• Capability
• Working
Introduction
• Cisco ASA (Cisco Adaptive Security Appliance) is a family of network
security devices from Cisco that provide firewall,
intrusion prevention (IPS) and virtual private network
(VPN) capabilities. It was introduced in 2005.

• Cisco ASA is used to secure an organization's devices
because the ASA firewall can monitor
incoming and outgoing traffic, and it can
deny or permit external network devices' access to the
internal network.
Introduction (continued)

In brief, Cisco ASA is a security device that combines
firewall, antivirus, intrusion prevention, and virtual
private network (VPN) capabilities. It provides proactive
threat defense that stops attacks before they spread
through the network.
Features
Cisco ASA is a multipurpose firewall appliance, which means
that it supports many additional features besides packet
filtering. Here is a list of some features supported by ASA:
• Packet filtering – packet filtering using standard and
extended ACLs.
• Stateful inspection – also known as dynamic packet filtering,
this is a firewall technology that monitors the state of active
connections and uses this information to determine which
network packets to allow through the firewall.
• Network Address Translation (NAT) – ASA supports inside
and outside NAT, and both static and dynamic NAT and PAT.
• Application inspection – ASA can be configured to listen in
on conversations between devices on one side and devices
on the other side of the firewall and dynamically allow the
communication between them.
• DHCP – ASA can serve as a DHCP server and distribute
network parameters to other devices in the network.
• VPN – ASA can act as a VPN server.
• AAA – ASA supports a variety of AAA server types.
• Routing – ASA can be used as a router and supports routing
protocols such as RIP, EIGRP or OSPF.
• High availability – it is possible to use two ASAs in a
high-availability failover combination to protect against a
single point of failure.
Firewall Modes
The ASA runs in two different firewall modes: Routed and
Transparent.
In routed mode, the ASA is considered to be a router hop in
the network.
In transparent mode, the ASA is not a router hop; it acts as a
bump-in-the-wire (BITW). The term refers to a communications
device that can be inserted into existing (legacy) systems to
enhance the integrity, confidentiality, or reliability of
communications.
User-Based Authentication
Using an AAA server, Cisco ASA provides authentication support for
protocols such as HTTP, HTTPS, FTP, SSH, etc.
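As an added illustration of user-based authentication (this configuration is not from the original slides), the following ASA commands require inside users to authenticate against a RADIUS server before their HTTP or FTP sessions are allowed through (Cisco calls this cut-through proxy). The server group name, the ACL name, the addresses and the shared-secret placeholder are all assumptions.

```cisco
! Added example; group name, ACL name and addresses are assumptions.
! AAA server group the ASA will query for user credentials.
aaa-server RADIUS_AUTH protocol radius
aaa-server RADIUS_AUTH (inside) host 10.0.0.20
 key <shared-secret-placeholder>
!
! Traffic that must be authenticated before it is permitted:
! HTTP and FTP from the inside LAN to any destination.
access-list AUTH_TRAFFIC extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list AUTH_TRAFFIC extended permit tcp 10.0.0.0 255.255.255.0 any eq ftp
!
! Bind the ACL to the AAA group on the interface where the users arrive.
aaa authentication match AUTH_TRAFFIC inside RADIUS_AUTH
!
! Cached credentials expire after 5 minutes regardless of activity, so a
! shared workstation cannot ride on a previous user's authentication.
timeout uauth 0:05:00 absolute
!
! Verification from the ASA CLI:
!   show uauth           - currently authenticated users and their timers
!   clear uauth <user>   - force a specific user to re-authenticate
```

Only traffic matched by AUTH_TRAFFIC is challenged; everything else is still subject to the normal ACL and security-level checks, so the AAA rule adds an identity requirement rather than replacing the firewall policy.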
Modular Policy Framework
ASA provides deep packet inspection for protocols such as HTTP,
DNS, ICMP, FTP, H.323, etc., using the Modular Policy
Framework (MPF).
ASA also supports some QoS functionality, such as traffic
policing, shaping, connection limits, etc., using MPF.
• VPN
A virtual private network (VPN) extends a private network across
a public network, and enables users to send and receive data across
shared or public networks as if their computing devices were directly
connected to the private network.

• VPN Load Balancing
Using VPN load balancing, Cisco VPN clients can be shared across
multiple ASA units without user intervention.
It is a Cisco-proprietary feature of Cisco ASA firewalls.
• Multi-Context Firewall
Using this feature, a physical firewall can be configured with
multiple virtual firewalls, all in one box.
Each context maintains its own configuration and acts as a
separate firewall.
• Web-Based Management
The Cisco ASA can be configured using the CLI; using ASDM, it
can also be managed via a GUI.

• ASA Clustering
ASA clustering lets you group multiple ASAs together as a
single logical device. A cluster provides all the convenience
of a single device (management, integration into a network)
while achieving the increased throughput and redundancy of
multiple devices.
• Dynamic Routing Protocol Support
As of version 9.x, Cisco ASA supports dynamic routing
protocols such as RIP, EIGRP and OSPFv2.

• Firepower services
Cisco’s new next generation firewall includes the ability to do
intrusion prevention, advanced malware protection, URL
filtering, and application visibility and control all together in
one single consolidated appliance.
• Advanced Malware Protection (AMP) –
Cisco ASA supports Next-Generation Firewall features, which
can provide advanced malware protection in a single device,
as the classic firewall features are combined with NGFW
features.
• Modular Policy Framework (MPF) –
MPF is used to define policies for different traffic flows. It is
used in ASA to apply advanced firewall features such as QoS,
policing, prioritizing, etc.
To use MPF, we define a class-map to identify the type
of traffic, a policy-map to specify what action should be
taken (for example, prioritize), and a service-policy to specify
where it should be applied.
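The three-step MPF structure described above (class-map, policy-map, service-policy), as an added example that is not from the original slides. It covers both the QoS use of MPF (priority, policing, connection limits) and the deep packet inspection use (inspect commands in the global policy). The class and policy names, the rates and the interface name "outside" are assumptions.

```cisco
! Added example; class/policy names, rates and interface names are assumptions.
!
! Step 1 - class-maps: identify the traffic.
class-map VOICE_RTP
 match dscp ef
class-map WEB_TRAFFIC
 match port tcp eq www
!
! Step 2 - policy-map: decide what happens to each class.
policy-map OUTSIDE_POLICY
 class VOICE_RTP
  priority
 class WEB_TRAFFIC
  police output 2000000 16000
  set connection conn-max 2000 embryonic-conn-max 200
!
! The "priority" action only takes effect once the interface has a
! priority queue, so create one on the outside interface.
priority-queue outside
!
! Step 3 - service-policy: choose where the policy applies.
service-policy OUTSIDE_POLICY interface outside
!
! Deep packet inspection is usually attached to the default global policy,
! which applies on every interface. Adding "inspect http" here enables
! HTTP protocol conformance checking in addition to the defaults.
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect icmp
  inspect http
service-policy global_policy global
!
! Verification:
!   show service-policy interface outside   - hit counters for the QoS classes
!   show service-policy global              - inspection counters
```

The embryonic (half-open) connection limit on WEB_TRAFFIC is the MPF knob that protects a server behind the ASA from SYN floods: once the limit is reached the ASA proxies the TCP handshake instead of forwarding further half-open connections.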
Application
Your small offices or branch locations require the best network
security available. An integrated solution that is easy to deploy and
manage improves IT efficiency. Affordable pricing and the ability to
scale as necessary are other important product benefits. You get all
that and more with the Cisco® ASA 5505 Adaptive Security Appliance
Firewalls. These firewalls are used and trusted by small and midsize
businesses with one or a few locations.
An ASA is valuable and flexible in that it can be used as a security
solution for both small and large networks.
Capability
Enterprise-class security. Cisco MultiScale® performance, the
ability to deliver multiple security services at scale.
Unprecedented services flexibility. Modular scalability.
Feature extensibility. Lower deployment and operational
costs. All of these features and benefits add up to
tremendous value in the Cisco ASA 5505 Adaptive Security
Appliance. Available models deliver the same proven level of
security that protects the networks of some of the largest
and most security-conscious companies in the world.
Nowadays an IOS router has a lot of the firewall functionality;
however, configuring the firewall feature on an IOS router can be
quite complex compared to a dedicated firewall.
An IOS router has more advanced routing-protocol features,
whereas a firewall has limited routing-protocol support. When
comparing firewall feature sets, the ASA is superior.

All in all, the complexity of configuring the IOS firewall has normally
made people choose the ASA firewall over an IOS router as a
firewall device.
Firewall and VPN throughput would normally be better on an ASA
than when running them on an IOS router.
Working
Firewalls use stateful filtering to keep track of all incoming and
outgoing connections. They are also able (depending on the
firewall) to inspect up to layer 7 of the OSI model, looking into
the payload of applications.
They also use security zones, where traffic from a high security
level is permitted to go to a lower security level. Traffic from a
low security level to a higher security level will be denied;
exceptions can be made with access-lists.
Firewalls protect inside networks from unauthorized access by users on
an outside network. A firewall can also protect inside networks from
each other, for example, by keeping a human resources network
separate from a user network. If you have network resources that need
to be available to an outside user, such as a web or FTP server, you can
place these resources on a separate network behind the firewall,
called a demilitarized zone (DMZ). The firewall allows limited access to
the DMZ, but because the DMZ only includes the public servers, an
attack there only affects those servers and does not affect the other
inside networks. You can also control when inside users access outside
networks (for example, access to the Internet) by allowing only certain
addresses out, by requiring authentication or authorization, or by
coordinating with an external URL filtering server.
When discussing networks connected to a firewall, the
outside network is in front of the firewall, the inside
network is protected and behind the firewall, and a DMZ,
while behind the firewall, allows limited access to
outside users. Because the ASA lets you configure many
interfaces with varied security policies, including many
inside interfaces, many DMZs, and even many outside
interfaces if desired, these terms are used in a general
sense only.
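The inside/DMZ/outside layout described in this section, together with the packet filtering, stateful inspection and NAT features listed under Features, as one added ASA configuration example (not from the original slides). It assumes three interfaces named inside, dmz and outside, RFC 5737 documentation addresses, the object names INSIDE_NET and DMZ_WEB, and the ACL names OUTSIDE_IN and DMZ_IN; the NAT syntax is the object-based form used since ASA 8.3.

```cisco
! Added example; interface names, addresses and object/ACL names are assumptions.
! Security levels: 100 = most trusted (inside), 0 = least trusted (outside),
! the DMZ sits in between. Without an ACL, traffic may only flow from a
! higher level to a lower one; return traffic is matched by the stateful
! connection table and never re-evaluated against the ACLs.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! Dynamic PAT: inside hosts share the outside interface address when they
! go out (high to low, allowed by default).
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Static NAT: the DMZ web server is published on a public address.
object network DMZ_WEB
 host 192.168.10.10
 nat (dmz,outside) static 203.0.113.10
!
! The access-list exception to the low-to-high rule: outside may reach the
! DMZ web server on HTTP/HTTPS only. On 8.3+ the ACL references the real
! (pre-NAT) address, which is what the object holds.
access-list OUTSIDE_IN extended permit tcp any object DMZ_WEB eq www
access-list OUTSIDE_IN extended permit tcp any object DMZ_WEB eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Limit the blast radius of a compromised DMZ host: the DMZ may talk to the
! outside but may not initiate connections into the inside network. Applying
! an ACL replaces the security-level default for this interface, so the
! deny is written explicitly and logged.
access-list DMZ_IN extended deny ip any 10.0.0.0 255.255.255.0 log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! Verification:
!   show conn                   - stateful connection table
!   show xlate                  - active NAT translations
!   show access-list OUTSIDE_IN - per-rule hit counts (confirm the deny fires)
```

Note that because the DMZ_WEB object is referenced directly in the ACL, changing the server's real address in one place updates both the NAT rule and the filter rule, which avoids the classic mistake of a NAT entry and an ACL entry drifting apart.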
