Archive for October, 2008
On October 22, Cisco announced three vulnerabilities in the Cisco ASA 5500 series and PIX Firewall models running software versions 7.x and 8.x (see the Cisco Security Advisory). The three security issues identified are the following:
- Windows NT Domain Authentication Bypass Vulnerability
- IPv6 Denial of Service Vulnerability
- Crypto Accelerator Memory Leak Vulnerability
Cisco ASA or PIX security appliances configured for IPSec or SSL-based remote access VPNs using Windows NT Domain Authentication are vulnerable because of a Windows NT Domain authentication issue.
A specially crafted IPv6 packet may cause the Cisco ASA and Cisco PIX security appliances to reload. Devices that are running software version 7.2(4)9 or 7.2(4)10 and configured for IPv6 may be vulnerable. This vulnerability does not affect devices that are configured only for IPv4. Only packets that are destined to the device (not transiting the device) may trigger the effects of this vulnerability. These packets must be destined to an interface configured for IPv6.
The Cisco ASA security appliances may experience a memory leak triggered by a series of packets. This memory leak occurs in the initialization code for the hardware crypto accelerator. Only packets destined to the device may trigger this vulnerability.
To fix the above security issues, the following software releases (or later) must be used:
| Vulnerability | Affected Release | First Fixed Version |
|---|---|---|
| Windows NT Domain Authentication Bypass Vulnerability | 7.0 | 7.0(8)3 |
| Windows NT Domain Authentication Bypass Vulnerability | 7.1 | 7.1(2)78 |
| Windows NT Domain Authentication Bypass Vulnerability | 7.2 | 7.2(4)16 |
| Windows NT Domain Authentication Bypass Vulnerability | 8.0 | 8.0(4)6 |
| Windows NT Domain Authentication Bypass Vulnerability | 8.1 | 8.1(1)13 |
| IPv6 Denial of Service Vulnerability | 7.0 | Not Vulnerable |
| IPv6 Denial of Service Vulnerability | 7.1 | Not Vulnerable |
| IPv6 Denial of Service Vulnerability | 7.2 | 7.2(4)11 |
| IPv6 Denial of Service Vulnerability | 8.0 | Not Vulnerable |
| IPv6 Denial of Service Vulnerability | 8.1 | Not Vulnerable |
| Crypto Accelerator Memory Leak Vulnerability | 7.0 | Not Vulnerable |
| Crypto Accelerator Memory Leak Vulnerability | 7.1 | Not Vulnerable |
| Crypto Accelerator Memory Leak Vulnerability | 7.2 | Not Vulnerable |
| Crypto Accelerator Memory Leak Vulnerability | 8.0 | 8.0(4) |
| Crypto Accelerator Memory Leak Vulnerability | 8.1 | 8.1(2) |
To upgrade the software image on either the PIX or ASA firewalls, use the copy tftp: flash: command to transfer the new image, then use boot system flash:/filename in configuration mode to instruct the firewall to boot from the new image, and reload the device so that the new image takes effect.
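Before scheduling an upgrade it helps to compare the running version (from show version) against the table above in a way that understands the Cisco major.minor(maintenance)interim numbering, so that 7.2(4)9 is correctly seen as older than 7.2(4)16. The following checker is an added example, not code from the original post or from Cisco; the fixed versions and the "7.2(4)9 or 7.2(4)10" narrowing for the IPv6 issue are transcribed from the advisory text above, while the function names and the rule "anything below the first fixed release on an affected train needs an upgrade" are assumptions of this example.

```python
import re
from typing import Dict, Optional, Tuple

# First fixed release per train, transcribed from the advisory table above.
# None means the advisory lists that train as "Not Vulnerable".
FIRST_FIXED: Dict[str, Dict[str, Optional[str]]] = {
    "Windows NT Domain Authentication Bypass": {
        "7.0": "7.0(8)3", "7.1": "7.1(2)78", "7.2": "7.2(4)16",
        "8.0": "8.0(4)6", "8.1": "8.1(1)13",
    },
    "IPv6 Denial of Service": {
        "7.0": None, "7.1": None, "7.2": "7.2(4)11", "8.0": None, "8.1": None,
    },
    "Crypto Accelerator Memory Leak": {
        "7.0": None, "7.1": None, "7.2": None, "8.0": "8.0(4)", "8.1": "8.1(2)",
    },
}

# Where the advisory names the exact affected builds, only those count
# (the IPv6 issue is stated to affect 7.2(4)9 and 7.2(4)10).
AFFECTED_ONLY: Dict[str, set] = {
    "IPv6 Denial of Service": {"7.2(4)9", "7.2(4)10"},
}

# major.minor(maintenance)interim, e.g. 7.2(4)10; the interim part is optional.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d*)$")


def parse_version(ver: str) -> Tuple[int, int, int, int]:
    """Turn '7.2(4)10' into the comparable tuple (7, 2, 4, 10).
    A missing interim number, as in '8.0(4)', counts as 0."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco version string: {ver!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim) if interim else 0)


def release_train(ver: str) -> str:
    """'7.2(4)10' belongs to the 7.2 train."""
    major, minor, _, _ = parse_version(ver)
    return f"{major}.{minor}"


def is_vulnerable(running: str, vuln: str) -> Optional[bool]:
    """True if `running` still needs an upgrade for `vuln`, False if it is
    at or above the first fixed release (or the train is not affected),
    None if the train is not covered by the advisory table at all."""
    fixed_by_train = FIRST_FIXED[vuln]
    train = release_train(running)
    if train not in fixed_by_train:
        return None
    fixed = fixed_by_train[train]
    if fixed is None:
        return False
    if vuln in AFFECTED_ONLY and running.strip() not in AFFECTED_ONLY[vuln]:
        return False
    return parse_version(running) < parse_version(fixed)


def assess(running: str) -> Dict[str, Optional[bool]]:
    """Check one running version against every issue in the advisory."""
    return {vuln: is_vulnerable(running, vuln) for vuln in FIRST_FIXED}


if __name__ == "__main__":
    # Constructed sample: a 7.2 train device that has not yet been patched.
    for vuln, state in assess("7.2(4)10").items():
        print(f"{vuln}: {'UPGRADE NEEDED' if state else 'ok' if state is False else 'not in table'}")
```

The version tuple comparison is what makes this robust: a plain string comparison would rank "7.2(4)9" above "7.2(4)16". Trains absent from the table (for example 8.2, which did not exist when the advisory was published) return None rather than a false "ok", so a script driving this over an inventory can flag them for manual review instead of silently passing them.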
In addition to IPsec VPN support, Cisco firewalls also support the SSL Web VPN technology for providing remote users with access to resources. The main difference between IPsec VPN and SSL VPN is that the first requires a VPN client installed on the user’s computer, while the SSL VPN requires only a browser that supports HTTPS. Another difference is that IPsec VPN provides full network connectivity to the central site, so the remote user has the same access to applications as on the local LAN. SSL VPN, on the other hand, provides limited application access compared with IPsec VPN. The applications that can be accessed by SSL VPN include internal websites, web-enabled applications, NT/Active Directory file shares, e-mail proxies (POP3S, IMAP4S and SMTPS), MS Outlook Web Access, and port forwarding access to some other TCP-based applications.
The diagram below shows a high level network topology for SSL VPN connectivity:

As you can see, the remote users establish a secure SSL tunnel over the Internet using a web browser (HTTPS) and access application resources located in their central enterprise LAN.
Next we will describe how to enable SSL VPN on the firewall, and discuss how you can avoid a port conflict with ASDM (Web GUI management) when both are enabled on the same firewall interface.
Both SSL VPN and ASDM use the HTTPS protocol for communication, which listens on port 443 by default. If we need to enable ASDM management access on the same interface as SSL VPN (usually the “outside” interface), then we must change the listening port of either the SSL VPN or the ASDM. In our example below we describe both scenarios.
A. Change the port of ASDM
ASA(config)# http server enable 444
ASA(config)# http 100.100.100.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# enable outside
For the above scenario, ASDM listens on port 444 while SSL VPN uses the default port 443. With this configuration, the remote administrator on address 100.100.100.1 initiates ASDM sessions by entering https://<Outside-Address>:444 in the browser. Normal SSL VPN users initiate SSL VPN sessions by entering https://<Outside-Address>.
B. Change the port of SSL VPN
ASA(config)# http server enable
ASA(config)# http 100.100.100.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# port 444
ASA(config-webvpn)# enable outside
For the above scenario, ASDM listens on the default port 443 while SSL VPN uses port 444. With this configuration, the remote administrator on address 100.100.100.1 initiates ASDM sessions by entering https://<Outside-Address> in the browser. Normal SSL VPN users initiate SSL VPN sessions by entering https://<Outside-Address>:444.
Cisco has supported the standardized 802.3af Power over Ethernet feature since 2004. Catalyst switches with PoE are available as 10/100 PoE or even 10/100/1000 PoE. The Power over Ethernet feature is an excellent option for deployments of Cisco IP Phones. Wireless access points and security cameras can also be powered by PoE switches. The technology uses the Cat5/Cat6 Ethernet cable to deliver power in addition to data, thus removing the need for power adaptors at the devices.
The following Cisco Models support PoE:
- 2960
- 3750
- 3560
- 4500
- 6500
One of the features of Access Control Lists on Cisco ASA firewalls (also available on IOS routers) is that you can schedule when a particular ACL entry is active. That is, a specific access-list statement remains disabled until a configured time range is reached. This is useful when you want to allow traffic to certain servers only during specific time periods. Let us look at the example below, where we allow access to a DMZ FTP server only during working hours (weekdays 9am to 5pm).

To configure the time range follow the steps below:
- ASA(config)# time-range name
- ASA(config-time-range)# periodic days-of-the-week time to [days-of-the-week] time
The parameter “days-of-the-week” can take the following values:
- monday, tuesday, wednesday, thursday, friday, saturday, sunday
- weekdays
- daily
- weekend
The parameter “time” is in the format hh:mm.
The configuration is as follows:
ASA(config)# time-range working-hours
ASA(config-time-range)# periodic weekdays 9:00 to 17:00
ASA(config)# access-list FTP-ACCESS extended permit tcp any host 199.1.1.1 eq ftp time-range working-hours
ASA(config)# access-group FTP-ACCESS in interface outside
ASA(config)# static (DMZ,outside) 199.1.1.1 10.0.0.1 netmask 255.255.255.255
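To make the scheduling semantics concrete, here is an added example (not code from the original post or from Cisco) that parses a periodic line in the syntax given above, decides whether a given moment falls inside the range, and then evaluates a simplified copy of the FTP-ACCESS list against a packet. The ACE fields, the dictionary packet shape and the inclusive end minute are assumptions of this example; the 199.1.1.1 address, the ftp port and the working-hours range come from the configuration above. Inactive time ranges are modelled the way the ASA treats them: the ACE is skipped as if it were not there, so the traffic falls through to the implicit deny at the end of the list.

```python
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_GROUPS = {"weekdays": [0, 1, 2, 3, 4], "weekend": [5, 6], "daily": list(range(7))}

# One window = (weekday index, start time, end time); end is treated as inclusive (assumption).
Window = Tuple[int, time, time]


def _hhmm(s: str) -> time:
    h, m = s.split(":")
    return time(int(h), int(m))


def _days(tokens: List[str]) -> List[int]:
    days: List[int] = []
    for t in tokens:
        if t in DAY_GROUPS:
            days.extend(DAY_GROUPS[t])
        elif t in DAY_NAMES:
            days.append(DAY_NAMES.index(t))
        else:
            raise ValueError(f"unknown day keyword: {t!r}")
    return days


def parse_periodic(spec: str) -> List[Window]:
    """Parse the body of 'periodic days-of-the-week time to [days-of-the-week] time'.
    'weekdays 9:00 to 17:00' gives one window per listed day; the spanning
    form 'friday 18:00 to monday 8:00' is split into per-day windows."""
    tokens = spec.lower().split()
    to_i = tokens.index("to")
    left, right = tokens[:to_i], tokens[to_i + 1:]
    start_t, end_t = _hhmm(left[-1]), _hhmm(right[-1])
    start_days, end_day_tokens = _days(left[:-1]), right[:-1]
    if not end_day_tokens:
        return [(d, start_t, end_t) for d in start_days]
    if len(start_days) != 1 or len(end_day_tokens) != 1:
        raise ValueError("spanning form takes exactly one start day and one end day")
    sd, ed = start_days[0], _days(end_day_tokens)[0]
    if sd == ed:
        return [(sd, start_t, end_t)]
    windows: List[Window] = [(sd, start_t, time(23, 59))]
    d = (sd + 1) % 7
    while d != ed:                      # full days in between, wrapping past Sunday
        windows.append((d, time(0, 0), time(23, 59)))
        d = (d + 1) % 7
    windows.append((ed, time(0, 0), end_t))
    return windows


def in_time_range(windows: List[Window], when: datetime) -> bool:
    return any(when.weekday() == d and s <= when.time() <= e for d, s, e in windows)


# Constructed, simplified model of the FTP-ACCESS list from the configuration above.
TIME_RANGES: Dict[str, List[Window]] = {"working-hours": parse_periodic("weekdays 9:00 to 17:00")}
FTP_ACCESS = [
    {"action": "permit", "proto": "tcp", "dst": "199.1.1.1", "dport": 21, "time_range": "working-hours"},
]


def acl_decision(aces: List[dict], time_ranges: Dict[str, List[Window]],
                 pkt: dict, when: datetime) -> str:
    """First matching active ACE wins; no match means the implicit deny."""
    for ace in aces:
        tr: Optional[str] = ace.get("time_range")
        if tr and not in_time_range(time_ranges[tr], when):
            continue                    # inactive ACE is skipped entirely
        if (ace["proto"] == pkt["proto"]
                and ace["dst"] in ("any", pkt["dst"])
                and ace["dport"] in (None, pkt["dport"])):
            return ace["action"]
    return "deny"


if __name__ == "__main__":
    pkt = {"proto": "tcp", "dst": "199.1.1.1", "dport": 21}   # constructed FTP control packet
    for when in (datetime(2008, 10, 22, 10, 0), datetime(2008, 10, 22, 18, 0), datetime(2008, 10, 25, 10, 0)):
        print(when.strftime("%A %H:%M"), "->", acl_decision(FTP_ACCESS, TIME_RANGES, pkt, when))
```

The two failure modes worth noticing are visible in the test values: a request at 18:00 on a weekday and one at 10:00 on Saturday both hit the implicit deny even though the ACE itself says permit. Because the firewall evaluates the range against its own clock, a device with a wrong clock (or no NTP source) will open or close the window at the wrong time, so keeping the ASA synchronised with ntp server is part of making a time-based ACL trustworthy.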

