Cisco ASA Identity Firewall

Cisco ASA Identity Firewall

What is Cisco ASA Identity Firewall?

Traditionally, Cisco ASA policies and rules are enforced mainly using an Access Control List (ACL) which allows or denies access to certain network resources based on the source/destination IP addresses and port numbers. For example, lets say we want source IP 10.1.1.1 to be able to access server with IP 10.2.2.2 and port 80. We would create an entry on an ACL which states explicitly that the specific source IP is allowed access to the specific destination IP at port 80.

Now, from Cisco ASA version 8.4(2) the concept of Identity Firewall is introduced. Basically, the new feature enables the firewall to allow or deny access to network resources based on the username identity instead of a simple source IP address. For example, now we can create a rule that says user “john” can access server 10.2.2.2 at port 80. As you can see, the new feature introduced the concept of “user-based authentication” instead of pure IP based authentication.

The way this feature works is to integrate Cisco ASA with Microsoft Active Directory. A special Active Directory Agent software needs to be installed on a server (usually installed on the AD itself). This agent provides username to IP address mappings to the ASA. So, when user “john” logs in to AD, the agent will obtain the IP address of the computer that john is using (i.e 10.1.1.1 to be consistent with our example above).

So, ASA will know that user john has IP address 10.1.1.1 and will apply network rules accordingly.
Other Network Firewalls such as Fortinet, Checkpoint, Palo Alto etc have been offering the user-based authentication feature for a long time now. Cisco is catching up eventually on this as well.

Source:- http://www.networkstraining.com/