FIPS and Common Criteria certifications
The FIPS 140-2 Non-Proprietary Security Policy was updated as part of the Level 2 FIPS 140-2 validation for the Cisco ASA series, which includes the Cisco ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X, and the ASA Services Module. The Common Criteria Evaluation Assurance Level 4 (EAL4) was updated, which provides the basis for a specific Target of Evaluation (TOE) of the Cisco ASA and VPN platform solutions.

Support for IPsec LAN-to-LAN tunnels to encrypt failover and state link communications
Instead of using the proprietary encryption for the failover key (the failover key command), you can now use an IPsec LAN-to-LAN tunnel for failover and state link encryption. Note: Failover LAN-to-LAN tunnels do not count against the IPsec (Other VPN) license. We introduced or modified the following commands: failover ipsec pre-shared-key, show vpn-sessiondb.
Additional ephemeral Diffie-Hellman ciphers for SSL encryption
The ASA now supports the following ephemeral Diffie-Hellman (DHE) SSL cipher suites:
- DHE-AES128-SHA1
- DHE-AES256-SHA1
These cipher suites are specified in RFC 3268, Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS). When supported by the client, DHE is the preferred cipher because it provides Perfect Forward Secrecy. See the following limitations:
- DHE is not supported on SSL 3.0 connections, so make sure to also enable TLS 1.0 for the SSL server:
  ciscoasa(config)# ssl server-version tlsv1 sslv3
  ciscoasa(config)# ssl client-version any
- Some popular applications do not support DHE, so include at least one other SSL encryption method to ensure that a cipher suite common to both the SSL client and server can be used.
- Some clients may not support DHE, including AnyConnect 2.5 and 3.0, Cisco Secure Desktop, and Internet Explorer 9.0.
We modified the following command: ssl encryption. Also available in 8.4(4.1).

Support for administrator password policy when using the local database
When you configure authentication for CLI or ASDM access using the local database, you can configure a password policy that requires a user to change their password after a specified amount of time and also requires password standards such as a minimum length and the minimum number of changed characters. We introduced the following commands: change-password, password-policy lifetime, password-policy minimum changes, password-policy minimum-length, password-policy minimum-lowercase, password-policy minimum-uppercase, password-policy minimum-numeric, password-policy minimum-special, password-policy authenticate enable, clear configure password-policy, show running-config password-policy. Also available in 8.4(4.1).
Support for SSH public key authentication
You can now enable public key authentication for SSH connections to the ASA on a per-user basis. You can specify a public key file (PKF) formatted key or a Base64 key. The PKF key can be up to 4096 bits. Use PKF format for keys that are too large for the ASA's Base64 format support (up to 2048 bits). We introduced the following command: ssh authentication. Also available in 8.4(4.1); PKF key format support is only in 9.1(2).
AES-CTR encryption for SSH
The SSH server implementation in the ASA now supports AES-CTR mode encryption.
Improved SSH rekey interval
An SSH connection is rekeyed after 60 minutes of connection time or 1 GB of data traffic. We introduced the following command: show ssh sessions detail.
Support for Diffie-Hellman Group 14 for the SSH Key Exchange
Support for Diffie-Hellman Group 14 for SSH Key Exchange was added. Formerly, only Group 1 was supported. We introduced the following command: ssh key-exchange. Also available in 8.4(4.1).
Support for a maximum number of management sessions
You can set the maximum number of simultaneous ASDM, SSH, and Telnet sessions. We introduced the following commands: quota management-session, show running-config quota management-session, show quota management-session. Also available in 8.4(4.1).
The default Telnet password was removed
To improve security for management access to the ASA, the default login password for Telnet was removed; you must manually set the password before you can log in using Telnet. Note: The login password is only used for Telnet if you do not configure Telnet user authentication (the aaa authentication telnet console command). Formerly, when you cleared the password, the ASA restored the default of “cisco.” Now when you clear the password, the password is removed. The login password is also used for Telnet sessions from the switch to the ASASM (see the session command). For initial ASASM access, you must use the service-module session command, until you set a login password. We modified the following command: passwd. Also available in 9.0(2).

Support for Power-On Self-Test (POST)
The ASA runs its power-on self-test at boot time even if it is not running in FIPS 140-2-compliant mode. Additional tests have been added to the POST to address the changes in the AES-GCM/GMAC algorithms, ECDSA algorithms, PRNG, and Deterministic Random Bit Generator Validation System (DRBGVS).
Improved pseudo-random number generation (PRNG)
The X9.31 implementation has been upgraded to use AES-256 encryption instead of 3DES encryption to comply with the Network Device Protection Profile (NDPP) in single-core ASAs.
Support for image verification
Support for SHA-512 image integrity checking was added. We modified the following command: verify. Also available in 8.4(4.1).
Support for private VLANs on the ASA Services Module
You can use private VLANs with the ASASM. Assign the primary VLAN to the ASASM; the ASASM automatically handles secondary VLAN traffic. There is no configuration required on the ASASM for this feature; see the switch configuration guide for more information.
CPU profile enhancements
The cpu profile activate command now supports the following:
- Delayed start of the profiler until triggered (global or specific thread CPU%)
- Sampling of a single thread
We modified the following command: cpu profile activate [n-samples] [sample-process process-name] [trigger cpu-usage cpu% [process-name]]. Also available in 8.4(6).

DHCP relay servers per interface (IPv4 only)
You can now configure DHCP relay servers per-interface, so requests that enter a given interface are relayed only to servers specified for that interface. IPv6 is not supported for per-interface DHCP relay. We introduced or modified the following commands: dhcprelay server (interface config mode), clear configure dhcprelay, show running-config dhcprelay.
DHCP trusted interfaces
You can now configure interfaces as trusted interfaces to preserve DHCP Option 82. DHCP Option 82 is used by downstream switches and routers for DHCP snooping and IP Source Guard. Normally, if the ASA DHCP relay agent receives a DHCP packet with Option 82 already set, but the giaddr field (which specifies the DHCP relay agent address that is set by the relay agent before it forwards the packet to the server) is set to 0, then the ASA will drop that packet by default. You can now preserve Option 82 and forward the packet by identifying an interface as a trusted interface. We introduced or modified the following commands: dhcprelay information trusted, dhcprelay information trust-all, show running-config dhcprelay.
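As an added illustration of the relay rule just described (example code, not Cisco's), the following Python parses the giaddr field and Option 82 out of a raw DHCP payload and applies the drop/forward decision for an untrusted versus a trusted ingress interface; the packet builder produces a constructed sample DHCPDISCOVER, not captured traffic, and the `interface_trusted` flag stands in for the per-interface trust setting.

```python
# Fixed-length BOOTP/DHCP header (RFC 2131) precedes the magic cookie and options.
HEADER_LEN = 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_RELAY_AGENT_INFO, OPT_END = 0, 82, 255


def parse_dhcp(packet):
    """Return (giaddr as dotted quad, {option code: raw value}) from a DHCP payload."""
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    giaddr = ".".join(str(b) for b in packet[24:28])  # relay agent address field
    options, i = {}, HEADER_LEN + 4
    while i < len(packet) and packet[i] != OPT_END:
        code = packet[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        length = packet[i + 1] if i + 1 < len(packet) else -1
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:     # also catches a missing length byte
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return giaddr, options


def relay_decision(packet, interface_trusted):
    """Option 82 present with giaddr 0.0.0.0 is dropped unless the ingress
    interface is trusted; every other packet is forwarded to the relay servers."""
    giaddr, options = parse_dhcp(packet)
    if OPT_RELAY_AGENT_INFO in options and giaddr == "0.0.0.0" and not interface_trusted:
        return "drop"
    return "forward"


def build_discover(option82=None, giaddr=b"\x00\x00\x00\x00"):
    """Build a minimal DHCPDISCOVER (constructed sample, not a captured packet)."""
    hdr = bytearray(HEADER_LEN)
    hdr[0], hdr[1], hdr[2] = 1, 1, 6                 # BOOTREQUEST, Ethernet, hlen 6
    hdr[4:8] = b"\x12\x34\x56\x78"                   # transaction id (constructed)
    hdr[24:28] = giaddr
    hdr[28:34] = b"\x00\x11\x22\x33\x44\x55"         # client MAC (constructed)
    opts = bytes([53, 1, 1])                         # DHCP message type: DISCOVER
    if option82 is not None:                         # value carries sub-options, e.g. circuit ID
        opts += bytes([OPT_RELAY_AGENT_INFO, len(option82)]) + option82
    return bytes(hdr) + MAGIC_COOKIE + opts + bytes([OPT_END])
```

Calling `relay_decision(build_discover(option82=b"\x01\x04eth1"), interface_trusted=False)` returns "drop", and the same packet with `interface_trusted=True` returns "forward".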

ASA 5585-X support for network modules
The ASA 5585-X now supports additional interfaces on network modules in slot 1. You can install one or two of the following optional network modules:
- ASA 4-port 10G Network Module
- ASA 8-port 10G Network Module
- ASA 20-port 1G Network Module
Also available in 8.4(4.1).
ASA 5585-X DC power supply support
Support was added for the ASA 5585-X DC power supply. Also available in 8.4(5).
Support for ASA CX monitor-only mode for demonstration purposes
For demonstration purposes only, you can enable monitor-only mode for the service policy, which forwards a copy of traffic to the ASA CX module, while the original traffic remains unaffected. Another option for demonstration purposes is to configure a traffic-forwarding interface instead of a service policy in monitor-only mode. The traffic-forwarding interface sends all traffic directly to the ASA CX module, bypassing the ASA. We modified or introduced the following commands: cxsc {fail-close | fail-open} monitor-only, traffic-forward cxsc monitor-only.
Support for the ASA CX module and NAT 64
You can now use NAT 64 in conjunction with the ASA CX module. We did not modify any commands.

Support for NetFlow flow-update events and an expanded set of NetFlow templates
In addition to adding the flow-update events, there are now NetFlow templates that allow you to track flows that experience a change to their IP version with NAT, as well as IPv6 flows that remain IPv6 after NAT. Two new fields were added for IPv6 translation support. Several NetFlow field IDs were changed to their IPFIX equivalents. For more information, see the Cisco ASA Implementation Note for NetFlow Collectors.

EtherType ACL support for IS-IS traffic (transparent firewall mode)
In transparent firewall mode, the ASA can now pass IS-IS traffic using an EtherType ACL. We modified the following command: access-list ethertype {permit | deny} is-is. Also available in 8.4(5).
Decreased the half-closed timeout minimum value to 30 seconds
The half-closed timeout minimum value for both the global timeout and connection timeout was lowered from 5 minutes to 30 seconds to provide better DoS protection. We modified the following commands: set connection timeout half-closed, timeout half-closed.

IKE security and performance improvements
The number of IPsec-IKE security associations (SAs) can now be limited for IKE v1 as well as IKE v2. We modified the following command: crypto ikev1 limit.
The IKE v2 Nonce size has been increased to 64 bytes. There are no ASDM screen or CLI changes.
For IKE v2 on Site-to-Site, a new algorithm ensures that the encryption algorithm used by child IPsec SAs is not higher strength than the parent IKE. Higher strength algorithms will be downgraded to the IKE level. This new algorithm is enabled by default. We recommend that you do not disable this feature. We introduced the following command: crypto ipsec ikev2 sa-strength-enforcement.
For Site-to-Site, IPsec data-based rekeying can be disabled. We modified the following command: crypto ipsec security-association.
Improved Host Scan and ASA Interoperability
Host Scan and the ASA use an improved process to transfer posture attributes from the client to the ASA. This gives the ASA more time to establish a VPN connection with the client and apply a dynamic access policy. Also available in 8.4(5).
Clientless SSL VPN: Windows 8 Support
This release adds support for Windows 8 x86 (32-bit) and Windows 8 x64 (64-bit) operating systems. We support the following browsers on Windows 8:
- Internet Explorer 10 (desktop only)
- Firefox (all supported Windows 8 versions)
- Chrome (all supported Windows 8 versions)
See the following limitations:
- The Modern (AKA Metro) browser is not supported.
- If you enable Enhanced Protected Mode, we recommend that you add the ASA to the trusted zone.
- If you enable Enhanced Protected Mode, Smart Tunnel and Port Forwarder are not supported.
- A Java Remote Desktop Protocol (RDP) plugin connection to a Windows 8 PC is not supported.
Also available in 9.0(2).
Cisco Secure Desktop: Windows 8 Support
CSD 3.6.6215 was updated to enable selection of Windows 8 in the Prelogin Policy operating system check. See the following limitations:
- Secure Desktop (Vault) is not supported with Windows 8.
Also available in 9.0(2).

NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to allow polling for Xlate count
Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to support xlate_count and max_xlate_count for SNMP. This data is equivalent to the show xlate count command. Also available in 8.4(5).

Flow-update events have been introduced to provide periodic byte counters for flow traffic. You can change the time interval at which flow-update events are sent to the NetFlow collector. You can filter to which collectors flow-update records will be sent. We introduced or modified the following commands: flow-export active refresh-interval, flow-export event-type. Also available in 8.4(5).