Cisco Firewall Architecture
•The ASA provides advanced stateful firewall and VPN concentrator functionality in one device.
•Some ASA models integrate an IPS-SSM module or an integrated content security module.
•ASA firewalls include many advanced features:
- Multiple security contexts (virtualized firewalls)
- Transparent (Layer 2) firewall operation
- IPsec VPN
- SSL VPN
- And many other features
Stateful inspection Overview
Unlike a simple packet filter, which checks for the correct source address, destination address, and ports, the ASA Adaptive Security Algorithm takes the state of the packet into account:
- New connection
The first packet of the session goes through the session management path, which performs:
• Access list check
• Route lookup
• Allocate NAT translations (xlates)
• Establish the session in the fast path
• The control plane path consists of the Layer 7 inspection engines that handle protocols that have two or more channels.
The ASA doesn't need to re-check packets, because most matching packets go through the fast path in both directions:
• IP checksum verification
• TCP sequence number check
• NAT translations based on existing sessions
• Layer 3 and Layer 4 header adjustment
The ASA also creates connection state information for UDP and other connectionless protocols, so that they can use the fast path too.
Some established session packets must continue to go through the session management path, such as HTTP packets that require content filtering, or when advanced inspection is configured.
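The split between the two paths can be modelled in a few lines. The following is an added example, not Cisco code or ASA configuration: the class name, addresses, ports and sequence window are constructed assumptions, and IP checksum verification and header adjustment are left out.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed policy and addressing (documentation ranges), assumptions for this model.
INSIDE = ipaddress.ip_network("10.0.0.0/24")        # hosts allowed to open sessions
PERMIT_PORTS = {80, 443}                            # access list: permitted destination ports
ROUTES = [ipaddress.ip_network("198.51.100.0/24")]  # networks reachable via the outside interface
XLATE_ADDR = "203.0.113.10"                         # address used for NAT translations
WINDOW = 65535                                      # accepted TCP sequence advance

@dataclass
class StatefulFirewall:
    conns: dict = field(default_factory=dict)  # flow tuple -> shared connection state
    next_port: int = 1024

    def process(self, src, sport, dst, dport, seq):
        key = (src, sport, dst, dport)
        conn = self.conns.get(key)
        if conn is None:                        # new connection
            return self._session_management_path(key, seq)
        return self._fast_path(conn, key, seq)  # existing session, either direction

    def _session_management_path(self, key, seq):
        src, sport, dst, dport = key
        if ipaddress.ip_address(src) not in INSIDE or dport not in PERMIT_PORTS:
            return "drop: access list"
        if not any(ipaddress.ip_address(dst) in net for net in ROUTES):
            return "drop: no route"
        xport, self.next_port = self.next_port, self.next_port + 1  # allocate xlate
        conn = {"xlate": (XLATE_ADDR, xport), "seq": {key: seq}}
        self.conns[key] = conn                                # outbound direction
        self.conns[(dst, dport, XLATE_ADDR, xport)] = conn    # return direction
        return "session management path"

    def _fast_path(self, conn, key, seq):
        last = conn["seq"].get(key)
        if last is not None and (seq - last) % 2**32 > WINDOW:
            return "drop: TCP sequence check"
        conn["seq"][key] = seq
        return "fast path"

if __name__ == "__main__":
    fw = StatefulFirewall()
    for pkt in [("10.0.0.5", 40000, "198.51.100.7", 443, 1000),    # first packet
                ("198.51.100.7", 443, "203.0.113.10", 1024, 5000),  # reply to the xlate
                ("198.51.100.9", 443, "203.0.113.10", 1024, 1)]:    # unsolicited inbound
        print(pkt, "->", fw.process(*pkt))
```

The reply is accepted without consulting the access list because it matches the session created by the first packet, while the unsolicited packet from a different host has no session and is evaluated as a new connection.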
•Cisco firewall modes
- Routed: The ASA is considered to be a router hop in the network
- Transparent: The ASA acts like a stealth firewall and is not considered a router hop (the firewall is invisible to attackers).
Cisco Firewall Models
•PIX (EOL in 2012)
- PIX 501/506
- SOHO application. Not supported by the SOC
- ASA 5505/5510/5520/5540/5550
•FWSM (Firewall Services Module)
- A blade in a 6500 series chassis switch.