What is the Cisco ASA-CX Context-Aware

The Cisco ASA-CX Context-Aware Security appliance and Cisco Prime Security Manager (PRSM) contain a denial of service (DoS) vulnerability in versions prior to 9.0.2-103.

The Cisco ASA CX is a Security Services Processor (SSP) module that today runs on the ASA 5585-X model. It’s a beastly server-type device that has 12GB or 24GB of RAM, 600GB of RAID-1 disk space and 8GB of flash storage. The lower-end model can take up to 2Gbps throughput and the bigger brother can handle 5Gbps. It scans over 1000 applications and more than 75,000 “micro” applications to determine whether the user is listening to iTunes in the cloud or watching HD video on YouTube.

The ASA CX also utilizes other products in the Cisco Secure-X portfolio to feed it information. The Cisco AnyConnect Secure VPN client allows the CX to identify traffic that isn’t HTTP-based, as right now the CX can only identify traffic via HTTP User Agent in the absence of AnyConnect. In addition, the Cisco Security Intelligence Operations (SIO) Manager can aggregate information from different points on the network to give the admins a much bigger picture of what is going on to prevent things such as zero-day attack outbreaks and malware infections.

One of the nice new features of the ASA CX that’s been pointed out by Greg Ferro is the user interface for the CX module. Rather than relying on the Java-based ASDM client or forcing users to learn yet another CLI convention, Cisco decided to include a copy of the Cisco Prime Security Manager on-box to manage the CX module. This is arguably the best way Cisco could have given customers easy access to the features of the new CX module. With the CX Prime Security Manager interface, Cisco has allowed us to take a UI and apply it to the new features in the firewall module.
In addition, we can forego the use of the on-box Prime instance and instead register the CX to an existing Prime installation for a single point of management for all our security needs. We’re sure that the firewall itself still needs to use ASDM for configuration and that the Prime instance is only for the CX module but this is still a step in the right direction.

Common questions about the Cisco® ASA CX

Q. What is Cisco® ASA CX Context-Aware Security?

A. Cisco ASA CX Context-Aware Security is a modular security service that extends the ASA platform by blending a proven, stateful inspection firewall with next-generation capabilities and a host of additional network-based security controls - for end-to-end network intelligence and streamlined security operations. Cisco ASA CX enables organizations to rapidly adapt to dynamic business needs while maintaining the highest levels of security. ASA CX delivers application and user ID awareness capabilities for enhanced visibility and control of network traffic, which is essential for next-generation firewalls. In addition, ASA CX enables administrators to control specific behaviors within allowed micro-applications, restrict web and web application usage based on reputation of the site, proactively protect against Internet threats, and enforce differentiated policies based on the user, device, role, and application type.

Q. What are the benefits of Cisco ASA CX Context-Aware Security?

A. Cisco ASA CX Context-Aware Security empowers enterprises to finally say Yes to applications, devices, and the evolving global workforce. Most next-generation firewalls differ from classic firewalls in that they can identify which applications are being requested and which user has requested them.
While application and user awareness can be effective, with so much more happening in the network, these firewalls simply cannot provide the complete level of visibility and control administrators need to help them effectively manage their complex network security challenges. Cisco ASA CX Context-Aware Security is different. While ASA CX provides the application and user ID awareness that is essential for any next-generation firewall, it also delivers:

• Granular application visibility and control, including behavior controls within allowed micro-applications
• Reputation-based web security
• Passive and active authentication
• User device information
• Near real-time threat protection

Q. Does ASA CX protect against zero-day threats and other malware?

A. Yes. ASA CX uses threat intelligence feeds from Cisco Security Intelligence Operations (SIO), which employ the global footprint of Cisco security deployments (more than 2 million devices) to analyze 70 percent of the world's Internet traffic from email, IPS, and web threat vectors. The feeds are updated every three to five minutes for near-real-time protection from zero-day threats.