Sep 24 2009

Cisco ASA Aids Security

Agencies embrace Cisco Adaptive Security Appliance for a blend of virtual private network and firewall functions.

For the Helix Water District, IT security is a matter of public safety. The Supervisory Control and Data Acquisition network that runs the public utility must remain isolated to guard against breaches.

Alan Clark, IS manager for the California agency, wanted to add a firewall between the SCADA and IT network for better protection. He and his team rolled out in August a Cisco Adaptive Security Appliance 5510 combination firewall and virtual private network. Now, any users who want to go between the IT and SCADA networks must go through the Secure Sockets Layer VPN.
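The segmentation described above (SCADA on its own firewall interface, direct IT-to-SCADA traffic blocked, and VPN sessions restricted to the SCADA subnet) can be expressed in a short ASA configuration. The fragment below is an added illustration, not the Helix Water District's own configuration: interface names, security levels, address ranges (documentation blocks), pool and policy names are all assumed, and the tunnel-group that binds users to the group policy is omitted.

```cisco
! Constructed example for this article; not the district's configuration.
! SCADA gets the highest security level, so nothing on a lower-level
! interface reaches it unless an access list explicitly permits it.
interface Ethernet0/1
 nameif scada
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
! IT hosts may not talk to the SCADA subnet directly; everything else
! from the inside interface is left as it was.
access-list INSIDE_IN extended deny ip any 192.0.2.0 255.255.255.0
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Addresses handed to SSL VPN clients come from this (assumed) pool.
ip local pool VPN_POOL 203.0.113.10-203.0.113.50 mask 255.255.255.0
!
! A vpn-filter limits what a VPN session may reach. For remote-access
! sessions the ACL is written with the client pool as source and the
! local network as destination; the implicit deny drops the rest.
access-list VPN_FILTER extended permit ip 203.0.113.0 255.255.255.0 192.0.2.0 255.255.255.0
group-policy SCADA_OPS internal
group-policy SCADA_OPS attributes
 vpn-filter value VPN_FILTER
 address-pools value VPN_POOL
```

The vpn-filter matters because decrypted VPN traffic bypasses interface access lists by default (the `sysopt connection permit-vpn` behaviour), so the interface ACL alone would not constrain VPN users; the filter is what keeps a remote session from wandering beyond the SCADA subnet.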

In addition to isolating the SCADA system, the beefed-up security provides additional protection against terrorists or other threats unique to vital government organizations. "All the servers have to be in a secure room, we have more alarms, infrared surveillance cameras at remote sites and motion sensors, for example," says Pat Rutan, network administrator for the water utility.

Pat Rutan (left) and Alan Clark of the Helix Water District use a virtual private network to guard the flow of the organization's traffic.

Photo credit: Max Dolberg

State and local government organizations such as the Helix Water District are simplifying security by turning to multitasking appliances that do the job of several devices. For instance, the Cisco ASA 5500-series unified threat management devices offer optional modules for antivirus or intrusion prevention. Such deployments ease the burden of managing multiple devices.

Testing the Waters

The Cisco ASA 5510 is the second device that the Helix Water District deployed. The first was installed this spring to complement the Microsoft Internet Security & Acceleration (ISA) Server the agency uses.

"We started experiencing a lot of VPN connectivity issues and needed a VPN gateway," Clark says. "We brought in the ASA gateway to perform that function."

The district has about 150 employees in three locations. Many of them require remote access to the network from the field or while working from home. "Some are testing water, some are managing distribution systems to the pumps and valves, and some are part of construction crews that are out there," Clark says. "Most just need access to certain resources in the internal network so that it speeds things up for them and the customers."

Depending on the particular model, the Cisco ASA supports maximum connections per second of between 4,000 and 150,000.

The ASA 5510 has proved to be a good fit for Helix Water District. IT gives workers the VPN client to install and skirts the challenge of issuing certificates. "It makes it a much more secure connection and solution," Clark says.

"I definitely recommend the ASA," says Rutan. Berbee set up the first device for the district and helped train the IT staff. Using that knowledge, the team was able to set up the second ASA device on its own.

She says she knew nothing about Cisco firewalls, but for anyone familiar with Cisco switches and routers, "it's real easy to pick up. It's very easy to maintain and make changes."

Firewall manufacturers are now integrating multiple security functions, such as antivirus, antispam and content filtering, on top of what used to be just a firewall and VPN device, according to Joel Snyder, a senior partner at consultancy Opus One. With the Cisco 5500 Series ASA, optional unified threat management features such as antivirus and intrusion prevention are implemented through coprocessors. The advantage of this enterprise approach is "it doesn't have the performance slowdown you might get if you just threw AV or IPS on the normal CPU," he says.

Snyder says the Cisco ASA is well suited for small and medium organizations, as well as certain enterprise deployments. "Anyone who is an old PIX customer will find it cost-effective to shift to the ASA," Snyder says. "It's also useful for environments where you really want to have that single vendor solution."

Both were the case for the state of Oregon, which recently replaced Cisco PIX firewalls with Cisco ASA 5505 devices at more than 60 remote offices.

Al Grapoli, network, security and voice services manager for the Oregon State Data Center, notes the state is a Cisco shop, and the manufacturer provided the best upgrade path. "The most common use for the ASAs today is for site-to-site VPNs," he says. Oregon separately runs Cisco's Intrusion Prevention Systems, so it currently doesn't need IPS functionality on the devices.

Rolling out the appliances to so many remote locations took about a year. "As with most new devices that you want to add to the system, I recommend thorough testing beforehand," he says. Having an IT staff that was already familiar with the PIX command line interface was a plus.

Once Oregon worked past some initial deployment challenges, the devices proved effective. "They have certainly eased management at the remote offices," Grapoli says.
