Friday, October 28, 2011

Cisco ASA Upgrade Adds Identity Firewalling

Identity-aware firewalling seems to be all the rage right now. Having the ability to make firewall policy decisions based on user and group information from Active Directory can have enormous benefits if used properly. The Cisco ASA recently acquired the identity-aware firewalling ability with the release of 8.4.2 code. Today it works with Microsoft Active Directory, cut-through proxy and VPN authentications for user/group to flow matching. This new feature allows you to write access control policies that take a source username or group membership as match criteria. The ASA applies the security policies based on an association of IP addresses to Windows Active Directory, VPN or cut-through proxy login information, and reports events based on the mapped user names instead of network IP addresses. This feature also allows you to use identity policies in service policies for things like IPS inspection, deep packet inspection, inspection engines, etc.
Here is an example of a user-based access control rule:
The Cisco AD agent communicates with your ASAs to make this happen. You can have multiple ASAs talk to a single agent or vice versa. This allows you to scale identity across domains, forests, and firewalls.
The other nice feature released in 8.4.2 is the ability to use domain names instead of IP addresses. This means you can write an ACE that says source: http://www.cisco.com/ destination: http://www.amazon.com/ .
This feature helps simplify the readability of your ACLs and works great for domains that have multiple IP addresses associated with them. You cannot, however, enter a full URI like www.cisco.com/go/asa, so this feature will not take the place of a web filter.
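A sketch of both 8.4.2 features as ASA CLI configuration, added here as an illustration and not taken from the original post. The domain CORP, the user and group names, the ACL and object names, the interface names and all addresses are assumptions, and the AD agent and user-identity setup is assumed to be in place already.

```cisco
! Constructed example: every name and address below is a placeholder.
! Check the exact keywords against the 8.4 configuration guide for your release.

! --- Identity firewall: match on AD user or group as the source ---
! Allow one named user to browse the web
access-list INSIDE_IN extended permit tcp user CORP\alice any any eq www
! Keep an AD group away from a sensitive subnet, whatever IP its members log in from
access-list INSIDE_IN extended deny ip user-group CORP\\Contractors any 10.10.20.0 255.255.255.0

! --- FQDN objects: match on a domain name instead of an IP address ---
! The ASA must be able to resolve names itself
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53

object network OBJ-AMAZON
 fqdn www.amazon.com

! Permit web traffic to whatever addresses the name currently resolves to
access-list INSIDE_IN extended permit tcp any object OBJ-AMAZON eq www

! Apply the ACL to traffic entering the inside interface
access-group INSIDE_IN in interface inside
```

The FQDN ACE matches on the addresses DNS returns for the name, not on the URL or hostname a client requests, so any other site served from the same address matches too.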
You can upgrade to the latest code here: www.cisco.com/go/asa
You'll also find the latest release notes here: http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html
If you have any questions on these features, just post them.