Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
718
Views
0
Helpful
7
Replies

Cisco ASA 5505

Go to solution
nikuhappy2010
Level 1
Level 1

‎07-31-2008 07:17 PM - edited ‎03-11-2019 06:23 AM

Hi, We have deployed ASA 5505 in our production network and using 1 MB dedicated ISP line and now going to upgrade 6 MB. As I think that Cisco ASA doesn't support IPS feature so I would know is there any problem we can face in future as per security concerned. All other models of ASA has IPS feature but through Cisco ASA 5505, is it possible that our organisation network not fully secured. Please suggest...Thnaks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
dhananjoy chowdhury
Level 5
Level 5
In response to nikuhappy2010

‎08-02-2008 12:23 AM

Hi,

In this case it is difficult to say Yes or No.

Instead I would say yes, because there could be many vulnerabilities / exploits over SQL port which are not in my knowledge or may be the experts. Everyday lots of new vulnerabilities are being discovered, so you cannot be sure that you are 100% secure.

Considering your case you have only SQL port allowed from Web server to the DB server, now if the attacker has exploited a script (ASP/JSP) which connects to the DB, he can easily play with the data on your Db server and so on.

With ASA 5505, its not supported.

You can go for AIP module with ASA 5510 and above. Check this page for more details.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

View solution in original post

0 Helpful
7 Replies 7

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10

‎07-31-2008 08:00 PM

You're correct only ASA5505 does not support IPS modules, I think it all comes down to how you engineer your security parameter with respect to inside private network, separate public access server farms from your inside network such as DMZs, for sensitive networks from within inside network provide them with private vlans , yes with firewall you have protection, you can however provide another layer for filtering using a router in front of firewall, also implement some type of syslog server to capture fw logs for analysis, firewall logs can be long but that is what we all have to check and look for blocked threads.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

HTH

Jorge

Jorge Rodriguez
0 Helpful

Go to solution
nikuhappy2010
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎07-31-2008 08:19 PM

With ASA 5505, how much the network can be secured in % without IPS. Is it possible for the hacker to do something wrong and use the network resources without IPS. As I am sure I have implemented all configuration which seems fine in security terms. With the current scenario and I replace FW into 5510 then what would be the difference between current network and 5510 FW network in security terms. Please suggest...

0 Helpful

Go to solution
nikuhappy2010
Level 1
Level 1
In response to nikuhappy2010

‎08-01-2008 08:13 PM

??

0 Helpful

Go to solution
dhananjoy chowdhury
Level 5
Level 5
In response to nikuhappy2010

‎08-01-2008 11:15 PM

Suppose this is the scenario,

You have a Web server in your DMZ and you have allowed http access to this web server from th Internet.

Now on your ASA firewall, you have access list allowing http traffic to the Web server.

So from the firewall point of view you have restricted the access only on http/port 80.

Now may be your web server is misconfigured, vulnerable to SQL injection attacks,

may be there are some loopholes in the published web pages (ASP/JSP etc.), and so on. The attacker may make use of any of these vulnerabilities to knock down your web server via the http port.

In this case to detect / prevent this kind of attacks you need IPS.

So I would say both FW and IPS are required to be deployed in your network to make your network more

secure but I would not say 100% secure.

Hope this helps.

0 Helpful

Go to solution
nikuhappy2010
Level 1
Level 1
In response to dhananjoy chowdhury

‎08-01-2008 11:47 PM

Thanks I appreciate...Well, the all web servers are in DMZ Zone and the DB Server are located in the inside network. Now is it possible that hacker could do something wrong via Web to DB. We have just opened sql port to access from web to DB. We have already placed ASA 5505 into production, now is there any way so that we use IPS feature as well. Thanks

0 Helpful

Go to solution
dhananjoy chowdhury
Level 5
Level 5
In response to nikuhappy2010

‎08-02-2008 12:23 AM

Hi,

In this case it is difficult to say Yes or No.

Instead I would say yes, because there could be many vulnerabilities / exploits over SQL port which are not in my knowledge or may be the experts. Everyday lots of new vulnerabilities are being discovered, so you cannot be sure that you are 100% secure.

Considering your case you have only SQL port allowed from Web server to the DB server, now if the attacker has exploited a script (ASP/JSP) which connects to the DB, he can easily play with the data on your Db server and so on.

With ASA 5505, its not supported.

You can go for AIP module with ASA 5510 and above. Check this page for more details.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

0 Helpful

Go to solution
nikuhappy2010
Level 1
Level 1
In response to dhananjoy chowdhury

‎08-02-2008 12:41 AM

Thanks...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card