We have been using ASA firewalls for years now, and we know it is a great firewall. But over the years threats evolved, and the need for something more than just a traditional firewall emerged. The ASA is considered a traditional firewall, which means it does its work at layers three and four of the OSI model. There are some ways for us to peek into the application layer using MPF (the Modular Policy Framework), so we could, for example, recognize an application with MPF and drop it, but anyone who has done this knows what a hell it can be. And when the application changed its behavior, we were back in the lab. Not to mention the lack of IPS capabilities, antivirus scanning and so on.
While Cisco was doing nothing in this regard, other vendors were more than active and came out with pretty good solutions. I guess Cisco realized the need for something more than just an ASA, so they came up with modules. These modules contained some of the capabilities the ASA desperately needed. In the first generation of ASA appliances, we had hardware modules that we inserted into the ASA, and the module contained software with functionality such as IPS. In the second generation we had an SSD drive instead of a hardware module, but the basic idea stayed the same: it contained the software that implemented the new functionality.
Whether the module is hardware or software based, and whether it is IPS or CX, it operates the same way. The ASA receives the traffic and sends it to the module, and the module inspects it. If everything is OK, the module returns the traffic to the ASA and the traffic continues on its way. If something is wrong with the traffic flow, the module instructs the ASA to drop it. Here is an example of the traffic flow:
The hardware module looks like this:
And the software module, like I said, is implemented on an SSD drive inserted in the ASA appliance:
The data center ASAs use a different kind of hardware module with SSD drives:
Today the ASA supports three types of modules: cxsc, ips and sfr. With the cxsc module we turn our ASA from a traditional firewall into a Next Generation (NG) firewall. We can control the traffic flow not only using L3/L4 parameters, but also using usernames instead of source IPs, for example. We can also drop traffic going to certain URLs, block certain applications and so on. It also has some IPS capabilities built in. The ips module does intrusion detection and prevention. Finally, the sfr module can do pretty much everything that cxsc and ips do combined, and more.
Don't be confused: only one module can run on an ASA at a time. So if we had, for example, the ips module and wanted the sfr module, we had to remove the ips module first.
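Here is the MPF configuration that actually sends traffic from the ASA to the module, as an added example that is not from the original post. It redirects everything to the sfr module; the ACL, class-map and interface names are assumed, while `global_policy` is the ASA's default global policy name and the `fail-open`/`fail-close` keywords decide what happens to traffic when the module is down.

```cisco
! Added example, not from the original post: redirect all traffic
! through the sfr (FirePOWER) module using the Modular Policy Framework.
! Names SFR_REDIRECT and SFR_CLASS are assumed; adjust the ACL to match
! only the traffic you want inspected.
access-list SFR_REDIRECT extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
policy-map global_policy
 class SFR_CLASS
  ! fail-close: if the module is down or not yet booted, matching
  ! traffic is DROPPED (inspection is enforced).
  ! fail-open: if the module is down, traffic BYPASSES the module
  ! uninspected (availability over enforcement).
  sfr fail-close
!
service-policy global_policy global
!
! The same pattern applies to the other two module types; only the
! action line under the class changes, e.g.:
!   ips inline fail-close
!   cxsc fail-close
!
! Check that the module is actually Up before trusting the policy:
show module sfr details
```

With `fail-open`, a module that has crashed, is upgrading or is still booting after a reload leaves the ASA passing that traffic as a plain L3/L4 firewall, so the choice is a real security decision, not just a tuning knob.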
In the following blogs we will cover in more detail the newest member of the ASA module family, the sfr module, or FirePOWER module as it is called.
Thanks for reading.