In computer networking, Cisco ASA 5500 Series Adaptive Security Appliances, or simply Cisco ASA, is Cisco's line of network security devices introduced in May 2005. [1] It succeeded three existing lines of popular Cisco products:
The Cisco ASA is a unified threat management device, combining several network security functions in one box. [3]
Cisco ASA has become one of the most widely used firewall/VPN solutions for small to medium businesses. Early reviews indicated the Cisco GUI tools for managing the device were lacking. [4]
A security flaw was identified when users customized the Clientless SSL VPN option of their ASAs; it was rectified in 2015. [5] Another flaw, in a WebVPN feature, was fixed in 2018. [6]
In 2017 The Shadow Brokers revealed the existence of two privilege escalation exploits against the ASA, called EPICBANANA [7] and EXTRABACON. [8] [9] A code insertion implant called BANANAGLEE was made persistent by JETPLOW. [10]
The 5506W-X includes a Wi-Fi access point.
The ASA software is based on Linux. It runs a single Executable and Linkable Format (ELF) program called lina, which schedules its processes internally rather than using the Linux facilities. [11] In the boot sequence a boot loader called ROMMON (ROM monitor) starts and loads a Linux kernel, which loads lina_monitor, which in turn loads lina. ROMMON also has a command line that can be used to load or select other software images and configurations. The names of firmware files include a version indicator; -smp means the image is built for a symmetric multiprocessor (and 64-bit architecture), and other parts of the name indicate whether 3DES or AES is supported. [11]
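The filename convention described above is what an operator has to read before telling ROMMON to load an image: does the build match the platform's word size, does it carry a strong-crypto indicator, and is its major release one the version table below marks as end of life. The following Python is an added example, not code from the article or from Cisco. It assumes two filename shapes, one digit per version component (asa917-smp-k8.bin) and hyphen-separated components (asa9-12-4-smp-k8.bin), and it treats a trailing k8/k9 token as the crypto indicator; both of those are assumptions about the naming scheme, and the sample filenames are constructed. The end-of-life set is taken from the article's version table (7.0 through 9.1).

```python
import re
from dataclasses import dataclass

# Major releases the article's version table marks as end of life (7.0 through 9.1).
EOL_MAJOR_RELEASES = {
    "7.0", "7.1", "7.2", "8.0", "8.1", "8.2", "8.3", "8.4",
    "8.5", "8.6", "8.7", "9.0", "9.1",
}

# Assumption: the trailing "k8"/"k9" token is the crypto indicator the article mentions.
CRYPTO_TOKENS = {"k8", "k9"}

# Accepts asa917-smp-k8.bin (one digit per version component) and
# asa9-12-4-smp-k8.bin (hyphen-separated components); suffix tokens are optional.
_IMAGE_NAME = re.compile(
    r"^asa(?P<ver>\d+(?:-\d+)*)(?P<flags>(?:-[a-z0-9]+)*)\.(?:bin|spa)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class AsaImage:
    filename: str
    version: str        # dotted form, e.g. "9.1.7"
    major: str          # major release, e.g. "9.1"
    smp: bool           # -smp: symmetric multiprocessor, 64-bit image
    crypto_token: str   # "" when no crypto indicator token is present
    end_of_life: bool   # major release is marked end of life in the version table


def parse_image_name(filename: str) -> AsaImage:
    """Split an ASA image filename into the fields an upgrade check needs."""
    m = _IMAGE_NAME.match(filename)
    if not m:
        raise ValueError(f"not an ASA image filename: {filename!r}")
    ver = m.group("ver")
    # Hyphenated names carry multi-digit components; compact names are one digit each.
    parts = ver.split("-") if "-" in ver else list(ver)
    if len(parts) < 2:
        raise ValueError(f"version has no minor component: {filename!r}")
    major = f"{parts[0]}.{parts[1]}"
    flags = {f.lower() for f in m.group("flags").split("-") if f}
    crypto = next((f for f in sorted(flags) if f in CRYPTO_TOKENS), "")
    return AsaImage(
        filename=filename,
        version=".".join(parts),
        major=major,
        smp="smp" in flags,
        crypto_token=crypto,
        end_of_life=major in EOL_MAJOR_RELEASES,
    )


def image_findings(filename: str, platform_64bit: bool) -> list[str]:
    """Return the reasons an operator should reject the image before loading it."""
    img = parse_image_name(filename)
    findings = []
    if img.end_of_life:
        findings.append(f"major release {img.major} is end of life; no fixes for new flaws")
    if platform_64bit and not img.smp:
        findings.append("64-bit platform but the image is not an -smp build")
    if not platform_64bit and img.smp:
        findings.append("32-bit platform but the image is an -smp (64-bit) build")
    if not img.crypto_token:
        findings.append("no crypto indicator in the name; confirm 3DES/AES support before relying on VPN")
    return findings


if __name__ == "__main__":
    # Constructed sample filenames, checked against a 64-bit platform.
    for name in ("asa917-smp-k8.bin", "asa9-12-4-smp-k8.bin", "asa825-k8.bin"):
        print(name, "->", image_findings(name, platform_64bit=True) or ["ok"])
```

The point of returning a list of findings rather than a yes/no is that an upgrade script can log every reason at once; the end-of-life check is the one that matters most, since a device running a release that no longer receives fixes stays exposed to the flaws the article describes.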
The ASA software has an interface similar to Cisco IOS on routers. There is a command-line interface (CLI) that can be used to query, operate, or configure the device. Configuration statements are entered in config mode. The configuration is initially held in memory as the running-config and would normally be saved to flash memory. [11]
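The distinction between the in-memory running-config and the copy saved to flash is what the following session illustrates. It is an added example, not a transcript from the article; the hostname and prompts are illustrative, and only the standard commands (enable, configure terminal, hostname, show running-config, show startup-config, write memory) are used.

```text
! Added example session; prompts and the hostname "edge-fw" are illustrative.
ciscoasa> enable
Password:
ciscoasa# configure terminal
ciscoasa(config)# hostname edge-fw
edge-fw(config)# exit
! The change exists only in the running configuration held in memory ...
edge-fw# show running-config hostname
hostname edge-fw
edge-fw# show startup-config | include hostname
hostname ciscoasa
! ... until it is written to flash, after which it survives a reload.
edge-fw# write memory
Building configuration...
[OK]
edge-fw# show startup-config | include hostname
hostname edge-fw
```

Comparing the running and startup configurations this way is also a quick integrity check: a statement present in memory but absent from flash was added since the last save, which is worth explaining before the next reload discards it or, conversely, before an unreviewed change is made permanent.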
Software versions [11]

---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
major release | 7.0 | 7.1 | 7.2 | 8.0 | 8.1 | 8.2 | 8.3 | 8.4 | 8.5 | 8.6 | 8.7 | 9.0 | 9.1 | 9.2 | 9.3 | 9.4 | 9.5 | 9.6 | 9.7 | 9.8 | 9.9 |
released [12] | 31 May 2005 | 6 Feb 2006 | 31 May 2006 | 18 Jun 2007 | 1 Mar 2008 | 6 May 2009 | 8 Mar 2010 | 31 Jan 2011 | 8 Jul 2011 | 28 Feb 2012 | 16 Oct 2012 | 29 Oct 2012 | 3 Dec 2012 | 24 Apr 2014 | 24 Jul 2014 | 30 Mar 2015 | 12 Aug 2015 | 21 Mar 2016 | 4 Apr 2017 | 15 May 2017 | 4 Dec 2017 |
end of life | × | × | × | × | × | × | × | × | × | × | × | × | × | × | |||||||
for 5505-5550 | Y | Y | Y | Y | Y | Y | Y | Y | Y | ||||||||||||
for 5512-5585-X | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
The 5512-X, 5515-X, 5525-X, 5545-X and 5555-X can have an extra interface card added. [13]
The 5585-X has options for an SSP, which stands for security services processor. [14] These range in processing power by a factor of 10, from the SSP-10 through the SSP-20 and SSP-40 to the SSP-60. The ASA 5585-X has a slot for an I/O module, which can be subdivided into two half-width modules. [15]
On the low-end models some features are limited; these limits are lifted by installing a Security Plus License, which enables more VLANs or VPN peers and also high availability. [13] Cisco AnyConnect is an extra licensable feature that operates IPsec or SSL tunnels to clients on PCs, iPhones or iPads. [16]
The 5505, introduced in 2010, was a desktop unit designed for small enterprises or branch offices. It included features that reduce the need for other equipment, such as a built-in switch and Power over Ethernet ports. [17] The 5585-X is a higher-powered unit for data centers, introduced in 2010. [18] It runs in 32-bit mode on an Intel-architecture Atom chip. [11]
Model | 5505 [19] | 5510 | 5520 [19] | 5540 [19] | 5550 [19] | 5580-20 [19] | 5580-40 [19] | 5585-X SSP10 [19] | 5585-X SSP20 [19] | 5585-X SSP40 [19] | 5585-X SSP60 [19] |
---|---|---|---|---|---|---|---|---|---|---|---|
Cleartext throughput, Mbit/s | 150 | 300 | 450 | 650 | 1,200 | 5,000 | 10,000 | 3,000 | 7,000 | 12,000 | 20,000 |
AES/Triple DES throughput, Mbit/s | 100 | 170 | 225 | 325 | 425 | 1,000 | 1,000 | 1,000 | 2,000 | 3,000 | 5,000 |
Max simultaneous connections | 10,000 (25,000 with Sec Plus License) | 50,000 (130,000 with Sec Plus License) | 280,000 | 400,000 | 650,000 | 1,000,000 | 2,000,000 | 1,000,000 | 2,000,000 | 4,000,000 | 10,000,000 |
Max site-to-site and remote access VPN sessions | 10 (25 with Sec Plus License) | 250 | 750 | 5,000 | 5,000 | 10,000 | 10,000 | 5,000 | 10,000 | 10,000 | 10,000 |
Max number of SSL VPN user sessions | 25 | 250 | 750 | 2,500 | 5,000 | 10,000 | 10,000 | 5,000 | 10,000 | 10,000 | 10,000 |
Cisco determined that most of the low-end devices had too little capacity to include the features needed, such as anti-virus or sandboxing, and so introduced a new line called next-generation firewall. These run in 64-bit mode. [11]
Models as of 2018. [13]
Model | 5506-X | 5506W-X | 5506H-X | 5508-X | 5512-X | 5515-X | 5516-X | 5525-X | 5545-X | 5555-X | 5585-X |
---|---|---|---|---|---|---|---|---|---|---|---|
Throughput Gb/s | 0.25 | 0.25 | 0.25 | 0.45 | 0.3 | 0.5 | 0.85 | 1.1 | 1.5 | 1.75 | 4-40 |
GB ports | 8 | 8 | 4 | 8 | 6 | 6 | 8 | 8 | 8 | 8 | 6-8 |
Ten GB ports | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2-4 |
Form factor | desktop | desktop | desktop | 1 RU | 1 RU | 1 RU | 1 RU | 1 RU | 1 RU | 1 RU | 2 RU |