As I sit here 34,000 feet up in the air right now, I’m deciding to deviate slightly from the NAC discussion and bring up something very new and interesting, namely changes with Cisco Security Products. It seems there have been some pretty big changes internally to Cisco, including Business Unit rearrangements and new code releases which have been pretty exciting.
Last Friday, Cisco released their latest flavor of the ASA code 8.2(1). As with all the other tech geeks, I immediately ran out and started playing with the code. Some good and some not so good restrictions have come to light with this release.
The first thing I noticed was that there is currently a slight disconnect with CSM, meaning that some of the newer features included in 8.2 are not yet readily available within CSM. I had a chance to talk to the CSM BU (business unit) a few weeks ago and they mentioned a tighter interaction between the BUs moving forward to combat the delta in technologies between the BUs.
So, on with some of the cool features. I noticed in the release notes and also in the command line that Netflow is now supported. The commands look to be the same as IOS, and this feature was a long time coming.
Another difference you’ll notice is the licensing. It seems Cisco has changed the VPN licensing for AnyConnect. First off, the old license you had will still work, so don’t be alarmed. Documentation is stating that the new “Essentials” licensing is the full AnyConnect client with the following exceptions:
- No CSD (including HostScan/Vault/Cache Cleaner)
- No clientless SSL VPN
- Optional Windows Mobile Support
So I’m not too sure if buying an Essentials license is an improvement, as it seems like it is hindering operations by removing support for the above-mentioned technologies. It seems that this new form of licensing replaces the following: the full SSL VPN license, the shared SSL VPN license, the VPN Flex SSL VPN license (which is the shared SSL VPN server license), and the Advanced Endpoint Assessment license. Cisco has more details on their License Feature Page.
Along with the new licensing comes a new shared licensing server, which allows you to load licenses on a single ASA acting as the server and lets other ASAs borrow licenses on an as-needed basis.
And, hey! We finally got SNMP v3 on our main security device. This flavor of SNMP in the ASA supports the typical hashes and encryption sets, including DES, 3DES and AES.
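As an added illustration (not from the original post), here is what the weaker and the preferred SNMP configurations look like side by side on the ASA; the group and user names, passphrases and the 192.0.2.10 management station address are placeholders.

```text
! Added example, not from the original post. Group/user names,
! passphrases and the 192.0.2.10 address are placeholders.
!
! --- What we had before 8.2: SNMPv2c, community string on the wire in clear
snmp-server host inside 192.0.2.10 community CommunityPlaceholder version 2c
!
! --- Weakest SNMPv3 combination the feature set allows: MD5 auth + DES privacy
! Both are legacy choices; DES is 56-bit and offers little against an eavesdropper.
snmp-server group MONITOR-WEAK v3 priv
snmp-server user nms-weak MONITOR-WEAK v3 auth md5 AuthPassPlaceholder priv des PrivPassPlaceholder
!
! --- Preferred: SHA auth + AES-128 privacy, group level "priv" so
! authPriv is required (no auth-only or no-auth polling against this group)
snmp-server group MONITOR-RO v3 priv
snmp-server user nms-ro MONITOR-RO v3 auth sha AuthPassPlaceholder priv aes 128 PrivPassPlaceholder
! Bind the v3 user to the one management station allowed to poll/receive traps
snmp-server host inside 192.0.2.10 version 3 nms-ro
! Get notified when someone tries a bad community/user against the box
snmp-server enable traps snmp authentication
```

Once the v3 user is in place, remove the v2c `snmp-server host ... community` line so the cleartext community string is no longer accepted.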
There are a few more features, including double authentication for your PCI-compliant networks out there and the Botnet Traffic Filter, allowing blacklisting of networks or host IPs on a collaborative-type system (license required).
So basically, we are finally getting the code we’ve been waiting for. However, it does lack some feature components such as GRE/VPN, DMVPN, GET VPN, better QoS (LLQ) like we can do on the IOS devices, and removal of the requirement for hardware matching between failover peers (AIP-SSMs get costly). How about VPN support with multi-contexts and therefore A/A failover? Well, maybe next time.
Author: Jim Thomas