05-13-2014 09:02 AM - edited 03-11-2019 09:11 PM
Hey Folks,
I was reviewing the capabilities of the Cisco ASA 5585x Firewalls and I noticed that they have the ability to tie Identities to Firewall Rules. I had a lengthy conversation with a technical Cisco resource and understand the capability (which is very interesting). But I also found out it seems to have been available for quite a while, which surprised me considering I've been around the block a time or two.
So it begs the question - why isn't this more widely known and used? So I thought I'd see if I could talk to anyone that has implemented Identity Firewalling and see what they have found to be the pros and cons.
Has anyone implemented Identity Firewalling? If so, what has been the impact to operations and to performance from what you've seen? If you could let me know, I'd appreciate it.
Neil Rerup
BC Hydro Enterprise Security Architect
12-24-2015 07:37 AM
I think you use CDA (Context Directory Agent) for this purpose. It gets configured to query domain controllers and creates a cache of User ID to IP mappings which the ASA (and WSA) can query for identity information. I use it for WSA and the problem I've seen is getting the DCs configured per the setup instructions for CDA. Our AD admins had issues with this on 2k8 and 2k12 DCs. Once the DC is configured properly to handle CDA queries, it seems to work pretty well.
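The ASA side of the arrangement David describes, as an added configuration example that is not from this thread or from Cisco's documentation: the ASA treats CDA as a RADIUS server in "AD agent" mode to pull the user-to-IP cache, talks LDAP to a domain controller to resolve users and groups, and then an ACL matches on a domain user or group instead of an address. The group names, addresses, domain nickname, group `EXAMPLE\\Finance`, user `EXAMPLE\jdoe`, service account DN and keys are all placeholders.

```cisco
! LDAP server group: the ASA resolves AD users and group membership here
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-login-dn CN=asa-svc,OU=Service Accounts,DC=example,DC=com
 ldap-login-password PLACEHOLDER-LDAP-PASSWORD
 server-type microsoft
!
! RADIUS server group in AD-agent mode: this is the CDA host that holds the
! user-to-IP mappings learned from the domain controllers' logon events
aaa-server CDA protocol radius
 ad-agent-mode
aaa-server CDA (inside) host 10.0.0.20
 key PLACEHOLDER-RADIUS-KEY
!
! Bind the identity firewall to both sources and switch it on
user-identity ad-agent aaa-server CDA
user-identity domain EXAMPLE aaa-server AD-LDAP
user-identity default-domain EXAMPLE
user-identity enable
! When a NetBIOS logout probe gets no answer, drop the stale mapping so a
! reused address does not inherit the previous user's access
user-identity action netbios-response-fail remove-user-ip
!
object network FINANCE-APP
 host 10.20.0.5
!
! Identity-aware ACEs: a group (double backslash) and a single user (single
! backslash), followed by an explicit logged deny so unmapped hosts are visible
access-list INSIDE-IN extended permit tcp user-group EXAMPLE\\Finance object FINANCE-APP eq 443
access-list INSIDE-IN extended permit tcp user EXAMPLE\jdoe object FINANCE-APP eq 22
access-list INSIDE-IN extended deny ip any object FINANCE-APP log
access-group INSIDE-IN in interface inside
!
! Checks to run once the DCs accept CDA's queries
! test aaa-server ad-agent CDA
! show user-identity ad-agent
! show user-identity user all
! show user-identity ip-of-user EXAMPLE\jdoe
```

If `show user-identity user all` is empty while CDA itself shows mappings, the problem is usually the RADIUS key or reachability between the ASA and CDA rather than the domain controller setup the thread discusses.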
12-24-2015 08:37 AM
+1 on what David said.
I've deployed CDA for a couple of customers. It works fine once you get AD to allow it to do its queries. The only issue I've faced is that Server 2012 (and MS updates to it) can be very finicky about allowing an external tool to query it properly.
Cisco hasn't given the CDA product much love though - they have been focusing a lot of attention on ISE as the identity source. That's all well and good for those customers with ISE but that's a minority of the installed base.
You can similarly use User Identity with FirePOWER services and the Sourcefire User Agent. I've found it a bit more agreeable when working with AD environments. It's a pretty lightweight user agent that runs on Windows (doesn't have to be on the DC).