
New Member

Cisco ASA 5505

Hi, we have deployed an ASA 5505 in our production network using a 1 MB dedicated ISP line, and we are now going to upgrade to 6 MB. As I understand it, the Cisco ASA 5505 doesn't support the IPS feature, so I would like to know whether there is any problem we could face in future as far as security is concerned. All other ASA models have the IPS feature, so with the Cisco ASA 5505, is it possible that our organisation's network is not fully secured? Please suggest... Thanks

7 REPLIES

Re: Cisco ASA 5505

You're correct, only the ASA 5505 does not support IPS modules. I think it all comes down to how you engineer your security perimeter with respect to the inside private network: separate public access server farms from your inside network with DMZs, and for sensitive networks within the inside network, provide them with private VLANs. Yes, with a firewall you have protection; you can however provide another layer of filtering using a router in front of the firewall. Also implement some type of syslog server to capture firewall logs for analysis. Firewall logs can be long, but that is what we all have to check, looking for blocked threats.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

HTH

Jorge

New Member

Re: Cisco ASA 5505

With the ASA 5505, how much can the network be secured, in %, without IPS? Is it possible for a hacker to do something wrong and use the network resources without IPS? I am sure I have implemented all the configuration, which seems fine in security terms. In the current scenario, if I replace the FW with a 5510, what would be the difference between the current network and the 5510 FW network in security terms? Please suggest...

New Member

Re: Cisco ASA 5505

??

Re: Cisco ASA 5505

Suppose this is the scenario,

You have a Web server in your DMZ and you have allowed http access to this web server from the Internet.

Now on your ASA firewall, you have an access list allowing http traffic to the Web server.

So from the firewall point of view you have restricted the access only on http/port 80.

Now maybe your web server is misconfigured, vulnerable to SQL injection attacks,

maybe there are some loopholes in the published web pages (ASP/JSP etc.), and so on. The attacker may make use of any of these vulnerabilities to knock down your web server via the http port.

In this case, to detect / prevent this kind of attack you need IPS.

So I would say both FW and IPS are required to be deployed in your network to make your network more secure, but I would not say 100% secure.

Hope this helps.

New Member

Re: Cisco ASA 5505

Thanks, I appreciate it... Well, all the web servers are in the DMZ zone and the DB server is located in the inside network. Now is it possible that a hacker could do something wrong via the Web to the DB? We have just opened the SQL port for access from the Web to the DB. We have already placed the ASA 5505 into production; now is there any way that we can use the IPS feature as well? Thanks

Re: Cisco ASA 5505

Hi,

In this case it is difficult to say yes or no.

Instead I would say yes, because there could be many vulnerabilities / exploits over the SQL port which are not in my knowledge, or maybe not even the experts'. Every day lots of new vulnerabilities are being discovered, so you cannot be sure that you are 100% secure.

Considering your case, you have only the SQL port allowed from the Web server to the DB server; now if the attacker has exploited a script (ASP/JSP) which connects to the DB, he can easily play with the data on your DB server, and so on.

With the ASA 5505, it's not supported.

You can go for the AIP module with the ASA 5510 and above. Check this page for more details.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
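Two points in this thread lend themselves to a worked example: Jorge's advice to ship the firewall logs to a syslog server and look for blocked threats, and the concern in the last exchange that the only path from the DMZ to the inside network is the SQL port to the DB server. The script below is an added example, not code from the thread or from Cisco. It parses two standard ASA syslog message types (106023, an ACL deny, and 302013, a TCP connection built), flags sources that were denied on several distinct ports, and lists any host that reached the DB port other than the approved web servers. The log lines, IP addresses, interface names and the access-group name are constructed for the example.

```python
"""Summarise Cisco ASA syslog: blocked attempts and who is reaching the DB port.

Added example. Message IDs 106023 (ACL deny) and 302013 (TCP connection
built) are standard ASA syslog IDs; the sample lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: one outside host probing the DMZ web server on closed
# ports, normal HTTP to the web server, and two DMZ hosts reaching the DB port.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst dmz:10.10.10.5/22 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51235 dst dmz:10.10.10.5/3389 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51236 dst dmz:10.10.10.5/1433 by access-group "outside_in" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.9/40001 (203.0.113.9/40001) to dmz:10.10.10.5/80 (10.10.10.5/80)
%ASA-6-302013: Built inbound TCP connection 1002 for dmz:10.10.10.5/49152 (10.10.10.5/49152) to inside:192.168.1.20/1433 (192.168.1.20/1433)
%ASA-6-302013: Built inbound TCP connection 1003 for dmz:10.10.10.6/49153 (10.10.10.6/49153) to inside:192.168.1.20/1433 (192.168.1.20/1433)
%ASA-4-106023: Deny udp src outside:198.51.100.8/5000 dst dmz:10.10.10.5/161 by access-group "outside_in" [0x0, 0x0]
"""

DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
BUILT_RE = re.compile(
    r'%ASA-\d-302013: Built (?P<direction>inbound|outbound) TCP connection \d+ for '
    r'(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) to '
    r'(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)'
)


def parse_line(line):
    """Return a dict describing the event, or None for lines we do not handle."""
    for kind, pattern in (("deny", DENY_RE), ("built", BUILT_RE)):
        m = pattern.search(line)
        if m:
            event = m.groupdict()
            event["kind"] = kind
            event["dport"] = int(event["dport"])
            return event
    return None


def parse_log(text):
    """Parse every recognised line of a syslog capture."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def denied_ports_by_source(events):
    """Map each source IP to the set of destination ports the ACL blocked."""
    ports = defaultdict(set)
    for e in events:
        if e["kind"] == "deny":
            ports[e["src"]].add(e["dport"])
    return dict(ports)


def probable_scanners(events, min_ports=3):
    """Sources denied on at least min_ports distinct ports: a crude port-scan indicator."""
    return sorted(src for src, ports in denied_ports_by_source(events).items()
                  if len(ports) >= min_ports)


def unexpected_db_clients(events, db_ip, db_port, allowed_clients):
    """Hosts that built a connection to the DB port but are not approved web servers.

    With only the SQL port open from DMZ to inside, any source here is either a
    web server you forgot to list or a DMZ host that should not talk to the DB.
    """
    return sorted({e["src"] for e in events
                   if e["kind"] == "built" and e["dst"] == db_ip
                   and e["dport"] == db_port and e["src"] not in allowed_clients})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("blocked ports per source:", denied_ports_by_source(events))
    print("probable scanners:", probable_scanners(events))
    # Hypothetical layout: DB server 192.168.1.20, approved web server 10.10.10.5.
    print("unexpected DB clients:",
          unexpected_db_clients(events, "192.168.1.20", 1433, {"10.10.10.5"}))
```

Run it against a real capture by feeding the syslog file contents to `parse_log` instead of `SAMPLE_LOG` and listing your actual web servers in `allowed_clients`. This does not replace IPS: the firewall only tells you what it blocked and which connections it allowed, not what went on inside an allowed SQL session.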

New Member

Re: Cisco ASA 5505

Thanks...
