Anyone doing Identity Firewalling?

NeilRerup
Level 1

Hey Folks,

I was reviewing the capabilities of the Cisco ASA 5585x Firewalls and I noticed that they have the ability to tie Identities to Firewall Rules. I had a lengthy conversation with a technical Cisco resource and understand the capability (which is very interesting). But I also found out it seems to have been available for quite a while. Which surprised me considering I've been around the block a time or two.

So it begs the question - why isn't this more widely known and used? So I thought I'd see if I could talk to anyone that has implemented Identity Firewalling and see what they have found to be the pros and cons.

Has anyone implemented Identity Firewalling? If so, what has been the impact to operations and to performance from what you've seen? If you could let me know, I'd appreciate it.
Neil Rerup

BC Hydro Enterprise Security Architect

Accepted Solution

David Niemann
Level 3

I think you use CDA (Context Directory Agent) for this purpose. It gets configured to query domain controllers and creates a cache of User ID to IP mappings which the ASA (and WSA) can query for identity information. I use it for WSA and the problem I've seen is getting the DCs configured per the setup instructions for CDA. Our AD admins had issues with this on 2k8 and 2k12 DCs. Once the DC is configured properly to handle CDA queries, it seems to work pretty well.
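To make the mechanism David describes concrete, here is an added example (not code from the thread, Cisco, or CDA) that models an agent-fed cache of IP-to-user mappings with a TTL and a firewall that consults it before matching identity-based rules; all names, addresses, logon events and the TTL are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    user: Optional[str]   # "DOMAIN\\user", or None for a plain address-based rule
    dst_ip: str
    action: str           # "permit" or "deny"

class IdentityCache:
    """CDA-style cache of IP -> user bindings learned from domain-controller logon events."""
    def __init__(self, ttl_seconds: int) -> None:
        self.ttl = ttl_seconds
        self._map: Dict[str, Tuple[str, int]] = {}   # ip -> (user, learned_at)

    def learn(self, ip: str, user: str, learned_at: int) -> None:
        # A newer logon from the same IP replaces the old binding (DHCP churn, shared hosts).
        self._map[ip] = (user, learned_at)

    def lookup(self, ip: str, now: int) -> Optional[str]:
        entry = self._map.get(ip)
        if entry is None:
            return None
        user, learned_at = entry
        if now - learned_at > self.ttl:
            del self._map[ip]        # stale binding: the source is treated as unknown
            return None
        return user

def evaluate(rules: List[Rule], cache: IdentityCache, src_ip: str, dst_ip: str, now: int) -> str:
    """First-match evaluation; an identity rule matches only while a live mapping exists."""
    user = cache.lookup(src_ip, now)
    for rule in rules:
        if rule.dst_ip != dst_ip:
            continue
        if rule.user is None or rule.user == user:
            return rule.action
    return "deny"                    # implicit deny at the end of the list

# Constructed policy: one identity rule, one address rule; constructed one-hour mapping TTL.
RULES = [Rule("CORP\\jdoe", "10.1.2.3", "permit"), Rule(None, "10.1.2.4", "permit")]

def demo() -> List[str]:
    cache = IdentityCache(ttl_seconds=3600)
    results = [evaluate(RULES, cache, "10.1.1.50", "10.1.2.3", now=0)]        # no mapping yet
    cache.learn("10.1.1.50", "CORP\\jdoe", learned_at=10)                      # DC logon event
    results.append(evaluate(RULES, cache, "10.1.1.50", "10.1.2.3", now=20))    # mapped: permit
    results.append(evaluate(RULES, cache, "10.1.1.50", "10.1.2.3", now=4000))  # mapping expired
    results.append(evaluate(RULES, cache, "10.1.1.50", "10.1.2.4", now=4000))  # address rule
    return results
```

The third result shows the operational side of the thread: when the agent cannot learn or refresh a mapping from the DCs, identity rules fail closed and the user sees unexplained denials, so DC query health is worth monitoring alongside the firewall itself.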


2 Replies

Marvin Rhoads
Hall of Fame

+1 on what David said.

I've deployed CDA for a couple of customers. It works fine once you get AD to allow it to do its queries. The only issue I've faced is that Server 2012 (and MS updates to it) can be very finicky about allowing an external tool to query it properly.

Cisco hasn't given the CDA product much love though - they have been focusing a lot of attention on ISE as the identity source. That's all well and good for those customers with ISE but that's a minority of the installed base.

You can similarly use User Identity with FirePOWER services and the Sourcefire User Agent. I've found it a bit more agreeable when working with AD environments. It's a pretty lightweight user agent that runs on Windows (doesn't have to be on the DC).
