Remember the person in my last post who asked me to describe a load balancer? They came back and asked about ASAs. I’m not sure if they really wanted to know, or if they just liked to see me lose my cool and say something really over the top. Regardless, they caught me on another one of “those” days, so I answered:
“In many superhero movies, there's a scene where the protagonist—your typical scrawny, pale, 98 lb. nebbish—goes into The Thing (tm) (magical cave, an alien infuser, a wormhole, an IRS audit meeting, you know, something REALLY horrible) and comes out as The Hero: buff, courageous, tall, buff, invulnerable, and most of all, buff. If you threw a garden-variety router into a magical alien wormhole IRS infuser cave, it would come out as an ASA.”
Can routers connect to external networks? Of course they can. That's what they do. Can routers block traffic? Well, sure. You can carefully set up your rules and make sure everything is locked down nice and tight.
But if you want those external connections to terminate in the same place where you set and manage your security, a router is not your best choice. If you have an ever-changing kaleidoscope of malicious traffic that you need to quickly react to, you’d have a hard time keeping up if all you had was a router.
This is where an ASA comes in. An ASA is an advanced all-in-one device that performs several complex, related, critical functions.
- They serve as the termination point for VPNs, whether those VPNs are established by a mobile workforce using an application on their laptop, phone, or tablet; or as a permanent point-to-point link between your company and a vendor, cloud service, or remote site with limited connection options
- They provide an interface to manage a comprehensive access control list (ACL)—fixed rulesets for traffic both inside and outside the company
- They offer both Intrusion Detection (IDS) and Intrusion Prevention (IPS) services, watching the traffic for patterns that indicate an attack and alerting, or modifying rules on the fly, to keep you and your network safe
Organizations rarely have many of these devices, but even a single one is an essential piece of equipment.
That said, an ASA looks a lot like a router when viewed through the lens of a monitoring solution. So that's typically what you see. You will get the health of the primary device (the chassis), basic statistics for the interfaces, or at least the physical and logical ones.
What’s wrong with that? As you can probably already guess, the answer is "just about everything."
When it comes to monitoring ASAs, the kinds of information you absolutely must have include:
- The number of active connections to the machine, and the rate that devices are connecting, disconnecting, or failing to complete a connection
- The state and statistics of the fixed and mobile VPN connections
- The firewall rules on the system
- The status and performance of the IDS and IPS services
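As an added example that is not part of the original post, here is how a monitor could derive the first of those figures (connections built, torn down, failed, denied, and the build rate) from the ASA's own syslog feed instead of treating the box as a router. The %ASA message IDs are real ASA message numbers; the hostname, addresses, connection numbers and timestamps in the sample are constructed.

```python
import re
from datetime import datetime
# Constructed sample lines in ASA syslog format: the %ASA message IDs are real,
# the hostname, addresses and connection numbers are made up for this example.
SAMPLE_LOG = """\
Jun 01 10:00:00 fw1 %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:192.0.2.10/443 (192.0.2.10/443)
Jun 01 10:00:01 fw1 %ASA-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.6/51235 (203.0.113.6/51235) to inside:192.0.2.10/443 (192.0.2.10/443)
Jun 01 10:00:02 fw1 %ASA-6-302015: Built inbound UDP connection 1003 for outside:203.0.113.7/53000 (203.0.113.7/53000) to inside:192.0.2.53/53 (192.0.2.53/53)
Jun 01 10:00:04 fw1 %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/51234 to inside:192.0.2.10/443 duration 0:00:04 bytes 1840 TCP FINs
Jun 01 10:00:05 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/40001 dst inside:192.0.2.10/22 by access-group "outside_in" [0x0, 0x0]
Jun 01 10:00:06 fw1 %ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.6/51235 to inside:192.0.2.10/443 duration 0:00:05 bytes 0 SYN Timeout
"""

BUILT = {"302013", "302015", "302020"}     # TCP / UDP / ICMP connection built
TEARDOWN = {"302014", "302016", "302021"}  # TCP / UDP / ICMP connection torn down
DENIED = {"106023", "106001"}              # packet or inbound connection denied by ACL
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ "
                     r"%ASA-(?P<sev>\d)-(?P<msg>\d{6}): (?P<body>.*)$")
CONN_RE = re.compile(r"connection (?P<conn>\d+) ")

def summarize(log_text):
    """Reduce ASA syslog text to the connection figures a monitor should track."""
    counts = {"built": 0, "torn_down": 0, "failed": 0, "denied": 0}
    open_conns = set()          # connection IDs built but not yet torn down
    first = last = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # not an ASA message this parser understands
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        msg, body = m["msg"], m["body"]
        conn = CONN_RE.search(body)
        if msg in BUILT and conn:
            counts["built"] += 1
            open_conns.add(conn["conn"])
        elif msg in TEARDOWN and conn:
            counts["torn_down"] += 1
            open_conns.discard(conn["conn"])
            if "SYN Timeout" in body:   # handshake never completed
                counts["failed"] += 1
        elif msg in DENIED:
            counts["denied"] += 1
    elapsed = (last - first).total_seconds() if first and last else 0.0
    counts["active"] = len(open_conns)
    counts["built_per_sec"] = counts["built"] / elapsed if elapsed else 0.0
    return counts
```

A real deployment would feed this from the ASA's syslog export rather than a string, and trend the figures over a sliding window so that a sudden jump in failed or denied connections stands out.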