Many vulnerabilities found in Cisco ASAs. Is it a safe VPN solution?

Hello.

As can be seen in the following link Cisco Adaptive Security Appliance Software : List of security vulnerabilities (cvedetails.com)   ,there seems to exist many Cisco ASA vulnerability issues. My boss has asked me to report to him on whether our Cisco ASA 5525 and 1100 appliances are acceptable firewall solutions for our financial enterprise, or should we scrap these ASAs.

May you please advise?

Thank you.

1 Accepted Solution

17 Replies

balaji.bandi
Hall of Fame
Hall of Fame

All devices have vulnerabilities in general; you need to secure the device in various ways, especially in a secure arena, in its CI/CD process. Monitor all the time and deploy the fixes suggested by the vendor.

Coming back to your question: ASA is going to fade from the market soon. Cisco's new buzzword in VPN solutions is Cisco Secure Firewall (aka Firepower).

Choosing the right model is always best done by looking at future growth.

The 1100 is a basic model, so look at the features and connections.

There is a new model released, Cisco Secure Firewall 3K, which is good price-wise too (there is no instance option for now).

Deploying a VPN with MFA is always the best practice (using Cisco AnyConnect you can also add other advanced features to the VPN, posture check, and others). It all depends on what you are looking to invest.

BB


Thank you for your reply.

My understanding is that Firepower is software. Can the 1100 and 5525 ASAs install Firepower?

How can I know when these ASAs will reach end of life, end of support?

 

ASA / and ASA models are getting EOL; you can check below:

https://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/asa5525-5545-5555-series-3-yr-subscrip-eol.html

Firepower is the replacement for the ASA models. If you buy a Firepower appliance you can install ASA code, but for long-term support I would migrate from ASA to Firepower.

BB


For L2L you can make the ASA more secure for VPN by using IKEv2 and RSA auth.

@jmaxwellUSAF the FPR1100 appliances are acceptable as they support the very latest ASA software code (9.19) and FTD image (7.3). However the ASA 5525 only supports up to ASA version 9.14 and only up to FTD image 6.6.

Replace the ASA hardware with the newer firepower 1000, 2100, 3100 hardware.

Why do the 1100s support Firepower better than the 5525s?

Are the 1100s Newer than the 5525s?

@jmaxwellUSAF the Firepower hardware is the replacement for the ASA hardware. Go with the FPR hardware and replace the ASA hardware.

The firepower hardware can run either the ASA or FTD software image.

@jmaxwellUSAF also, as you want the hardware for a VPN solution, from ASA 9.19 and FTD 7.3 those software images support Dynamic VTI (dVTI) VPN tunnels - but the ASA hardware will not run ASA 9.19 or FTD 7.3, so if you want that functionality and the very latest software vulnerability fixes, replace the hardware with the firepower hardware.

Thank you for your replies. The ASAs' OS is running 9.14.3, and Device Manager 7.16.1.150.

I'm at a new job, and I am inexperienced with these ASAs. How do I know if these ASAs are actually executing Firepower code? How do I know if the IPS, IDS services are active?

@jmaxwellUSAF the fact you are using "The ASAs OS' are running 9.14.3 , and device manager 7.16.1.150" means you aren't using FTD software; you are using the ASA software image.

The ASA hardware can run ASA software with the Firepower module (this is optional), this supports IPS, URL filtering features on top of the ASA software features - but don't confuse that with the FTD image. From ASDM go to - Home > ASA FirePower Dashboard, to determine whether the Firepower module is in use and whether IPS is enabled.

Either way the ASA 5525 doesn't support the latest software version.


Thank you for your effort Rob.

For security reasons, my enterprise forbids use of the ASDM. How do I discover if the Firepower module is installed / in use?

@jmaxwellUSAF run the command "show module sfr" to determine the status of the firepower module. However you need to use ASDM to manage it, so if you aren't allowed to use ASDM there isn't much you can do with it.

The firepower module provides no VPN features, so it's not relevant as part of a VPN solution. The firepower module (if running) provides the Threat features (IPS etc.) on top of the ASA software image.
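The checks discussed in this thread (which image the box runs, whether the SFR module is up, and whether the running train is new enough for dVTI) can be done from captured CLI output without ASDM. The script below is an added example, not from the thread or from Cisco; the `show version` and `show module sfr` samples are constructed to mimic ASA CLI layout, and the 9.14 / 9.19 thresholds are the ones stated in the replies above.

```python
import re

# Constructed sample output modelled on ASA CLI formatting; not captured from
# the poster's devices. Only the lines the parser needs are reproduced.
SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.14(3)
Device Manager Version 7.16(1)150
"""

SHOW_MODULE_SFR = """\
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
 sfr FirePOWER Services Software Module           ASA5525            SERIAL-PLACEHOLDER
Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.6.1-90
Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
 sfr Up                 Up
"""

# Thresholds as stated in the thread: the 5525 tops out at ASA 9.14, and
# Dynamic VTI arrives with ASA 9.19 on Firepower hardware.
ASA5525_MAX_TRAIN = (9, 14)
DVTI_MIN_TRAIN = (9, 19)


def parse_asa_version(text):
    """Return (major, minor) from the ASA 'Software Version 9.14(3)' banner.
    Returns None if the banner is missing, e.g. on an FTD image."""
    m = re.search(r"Adaptive Security Appliance Software Version (\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_sfr_status(text):
    """Return the Status column of the 'ASA FirePOWER' application row in
    'show module sfr' output, or 'Absent' if no such row exists."""
    m = re.search(r"^\s*sfr\s+ASA FirePOWER\s+(\S+)", text, re.MULTILINE)
    return m.group(1) if m else "Absent"


def assess(show_version, show_module_sfr):
    """Summarise the questions raised in the thread for one appliance."""
    ver = parse_asa_version(show_version)
    status = parse_sfr_status(show_module_sfr)
    return {
        "running_asa_image": ver is not None,
        "asa_version": ver,
        "sfr_module_status": status,
        "threat_features_active": status == "Up",   # IPS etc. live only when Up
        "at_5525_ceiling": ver == ASA5525_MAX_TRAIN,  # no newer train for 5525
        "supports_dvti": ver is not None and ver >= DVTI_MIN_TRAIN,
    }
```

Paste the two command outputs into the constants (or read them from files) and call `assess()`; a device showing `Absent` has no SFR module to worry about, and one below 9.19 cannot offer dVTI regardless of the module.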