Archive for March, 2010



DoS Protection on Cisco 7600 Routers

Friday 26 March 2010 @ 3:58 pm

The Cisco 7600 router is, in my opinion, one of the most versatile high-end routing platforms on the planet! It is one of my favorite networking devices. If you take a look at the Cisco website under the Routers product category, you will notice that the 7600 can be used in data centers, in Service Provider networks, in WAN aggregation or as an Internet edge router. In Service Provider networks it can be used as a Provider Edge (PE) router in IP/MPLS networks, aggregating many Customer Edge (CE) devices. Its modularity and high port density allow the 7600 to work both as a Layer 2 aggregation switch and as a high-performance Layer 3 router.

In Service Provider networks one of the main concerns of network administrators is to protect the networking infrastructure from Denial of Service attacks. These DoS attacks are in practice the most serious and most common security threat against Service Providers, and botnets are frequently their main source. ICMP flooding, UDP flooding, spoofed-source DoS, SYN floods etc. are a few examples of DoS or DDoS (Distributed Denial of Service) attacks. Fortunately the Cisco 7600 router has many robust features and mechanisms to protect itself from such attacks.

In the company I work for (a Service Provider) we have already implemented several security protection features on the 7600 which are really effective against DoS attacks. A summary of the DoS protection mechanisms on the 7600 follows below:

  • Security Access Control Lists (ACL): Applied on interfaces to block traffic at Layer 3/4.
  • QoS Rate Limiting: Using class-maps and policy-maps you can apply rate limiting to specific types of traffic (e.g. ICMP).
  • uRPF (unicast Reverse Path Forwarding): Protects against source-address spoofing attacks.
  • Traffic Storm Control: Protects against broadcast storm attacks.
  • TCP Intercept: Protects against SYN attacks.
  • Hardware-Based Rate Limiters: Work on PFC3 engines. These rate limiters protect the MSFC routing engine from various packet types that can overload its CPU (configured with the mls rate-limit command).
  • Control Plane Policing (CoPP): Again used to protect the MSFC routing engine, by applying rate limiting to packets that flow from the data plane to the control plane.

Of course, in addition to the above you must not forget other important security mechanisms such as a strong password policy, proper Authentication and Accounting, logging, SNMP security, routing protocol security (MD5 authentication in OSPF, BGP etc.) and so on. All of these technical measures must be based on a thorough and carefully written security policy.
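As an added illustration of the mechanisms listed above (this is a constructed configuration, not the author's production config), the following IOS snippet for a 7600 with a PFC3/MSFC3 shows one way each item maps to CLI: an ingress ACL, uRPF, storm control, TCP intercept, PFC3 hardware rate limiters, and a CoPP policy. All interface names, addresses, ACL names and rate values are placeholders chosen for the example; the rates are deliberately conservative and must be tuned against real traffic baselines.

```cisco
! Constructed example for a 7600 (PFC3/MSFC3). Names, addresses and rates are placeholders.
!
! 1) Ingress security ACL on a customer-facing port: drop sources that should never
!    arrive from a customer (RFC 1918 space and our own infrastructure block).
ip access-list extended EDGE-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 permit ip any any
!
! 2) uRPF strict mode on a single-homed customer port (packets whose source is not
!    reachable back out this interface are dropped). Use "reachable-via any" (loose
!    mode) only where asymmetric routing is possible, and check the PFC3 release
!    notes before mixing strict and loose mode on one chassis.
interface GigabitEthernet1/1
 description Customer CE uplink (single-homed)
 ip address 203.0.113.1 255.255.255.252
 ip access-group EDGE-IN in
 ip verify unicast source reachable-via rx
!
! 3) Traffic storm control on a Layer 2 aggregation port (level = % of port bandwidth).
interface GigabitEthernet2/1
 switchport
 switchport mode access
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
!
! 4) TCP intercept in watch mode for the server block 203.0.113.128/25:
!    half-open connections not completed within 20 s are reset.
access-list 110 permit tcp any 203.0.113.128 0.0.0.127
ip tcp intercept list 110
ip tcp intercept mode watch
ip tcp intercept watch-timeout 20
!
! 5) PFC3 hardware rate limiters (packets per second, burst) for traffic that would
!    otherwise be punted to the MSFC CPU.
mls rate-limit unicast cef receive 1000 10
mls rate-limit unicast ip icmp redirect 100 10
mls rate-limit unicast ip icmp unreachable no-route 100 10
mls rate-limit unicast ip options 100 10
mls rate-limit all ttl-failure 100 10
!
! 6) Control Plane Policing: classify traffic destined to the router itself and
!    police each class; routing protocols are never dropped, ICMP is tightly limited.
ip access-list extended COPP-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
ip access-list extended COPP-MGMT
 permit tcp any any eq 22
 permit udp any any eq snmp
 permit udp any any eq ntp
ip access-list extended COPP-ICMP
 permit icmp any any
!
class-map match-all COPP-ROUTING-CLASS
 match access-group name COPP-ROUTING
class-map match-all COPP-MGMT-CLASS
 match access-group name COPP-MGMT
class-map match-all COPP-ICMP-CLASS
 match access-group name COPP-ICMP
!
policy-map COPP-POLICY
 class COPP-ROUTING-CLASS
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-MGMT-CLASS
  police 500000 conform-action transmit exceed-action drop
 class COPP-ICMP-CLASS
  police 64000 conform-action transmit exceed-action drop
 class class-default
  police 256000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
```

Before enforcing a CoPP policy, apply it with every class set to transmit on exceed and watch "show policy-map control-plane" for a few days; the exceed counters tell you which rates are too low for legitimate traffic. "show mls rate-limit" and "show ip tcp intercept statistics" give the equivalent view for the hardware rate limiters and TCP intercept.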




Cisco ASA version 8.3 is here

Sunday 21 March 2010 @ 6:55 am

On March 8, 2010 Cisco announced the newest Cisco ASA 5500 firewall software version, 8.3. This release brings the most radical changes of any release since version 7.x. The most important change regarding configuration is the way Network Address Translation (NAT) is implemented. Another big change, regarding hardware, is that you will need a serious memory upgrade to be able to run this software. Let’s see some important points about this release below:

Network Address Translation changes

NAT is disabled by default on the Cisco ASA, however it is one of the most important mechanisms that almost all firewall administrators use. The majority of network implementations use private IP addressing inside the Enterprise network and then employ Network Address Translation to translate their private IP addresses into publicly routable addresses in order to access the Internet. The task of NAT is usually carried out by the border firewall. NAT in Cisco ASA 8.3 has been completely redesigned compared with previous versions. It is now configured under a network object.

ASA versions prior to 8.3

To configure dynamic NAT: Use the nat (internal interface name) command to specify the internal addresses to be translated, together with the global (outside interface name) command to specify the mapped IP pool to which all internal addresses will be translated.

To configure static NAT: Use the static (internal if, external if) command to specify the static mapping between an internal host/network and an external public host/network.

ASA version 8.3

Now forget everything you know about NAT configuration. In this version, NAT is implemented using network objects. Basically you create a network object which defines the real IP/network to be translated (e.g. the internal LAN network) and inside the network object you use a nat statement which specifies whether the translation will be dynamic or static, together with the mapped IP/network. The Cisco ASA Firewall Fundamentals – 2nd edition ebook describes all details about the NAT differences in version 8.3.
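To make the difference concrete, here is an added side-by-side example (constructed for this article, not taken from the ebook or from any production ASA) of the same NAT policy written in the pre-8.3 and the 8.3 syntax: dynamic PAT for an inside LAN to the outside interface address, plus a static one-to-one translation for a web server. The networks 192.168.1.0/24, 192.168.1.10 and 203.0.113.10 and the object/ACL names are placeholders. One caveat that bites during migration is included as a comment: from 8.3 onwards, access lists reference the real (untranslated) address, not the mapped one.

```cisco
! Constructed example. Inside LAN 192.168.1.0/24, web server 192.168.1.10,
! public address 203.0.113.10 for the server, outside interface address used for PAT.

! ---- ASA 8.2 and earlier: nat/global pairs and static statements ----
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
! Pre-8.3, the outside ACL references the MAPPED (public) address of the server.
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE-IN in interface outside

! ---- ASA 8.3: the nat statement lives inside the network object ----
object network INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network WEB-SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
! In 8.3 the ACL references the REAL (untranslated) address, here via the object.
! A migrated ACL that still permits "host 203.0.113.10" would never match.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq www
access-group OUTSIDE-IN in interface outside

! ---- Verification on 8.3 ----
show nat detail
show xlate
! Simulate an inbound web request from a constructed Internet host to the mapped address:
packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 80
```

The packet-tracer line is the quickest way to confirm both halves of the change after an upgrade: its NAT phase should show the 203.0.113.10 to 192.168.1.10 untranslate, and its ACCESS-LIST phase should report OUTSIDE-IN as the matching rule.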

Memory upgrade changes

The downside of the new ASA version is that it requires a significant memory upgrade for ASA models up to the 5540 (5505, 5510, 5520, 5540). New ASA units purchased after February 2010 ship with the minimum memory required by version 8.3; however, if you already have an older unit running a version prior to 8.3 then you will need to purchase extra memory if you want to upgrade to 8.3.
The minimum memory requirements for ASA 8.3 are the following:

Cisco ASA Model          Minimum RAM Required for 8.3
5505 10-user             256 MB
5505 50-user             256 MB
5505 Unlimited user      512 MB
5505 Security Plus       512 MB
5510                     1 GB
5510 Security Plus       1 GB
5520                     2 GB
5540                     2 GB
5550                     4 GB
5580-20                  8 GB
5580-40                  12 GB

My opinion about the new version

What I see in the new version is an attempt from Cisco to move away from the “interface based” policy implementation and adopt a more “global based” or “object based” approach. The policy enforcement in Cisco ASA firewalls is mostly based on the “interface” concept. Access lists are applied to interfaces, modular policy framework configurations are applied to interfaces (and globally also), Network Address Translation is implemented based on interfaces, security levels are configured per interface, etc. On the other hand, some competitor vendors (like Checkpoint for example) are based on an “object based” approach with a “global policy” concept which is applied on objects irrespective of interfaces. Hmm, I think Cisco is moving towards the Checkpoint firewall approach :). Well, it’s not a bad thing to adopt some concepts from your competitors to make you even better.

Regarding upgrading to the new version, I would not recommend it for the time being. The older ASA versions (7.x, 8.0, 8.1, 8.2) are so stable and reliable that I would not rush to change them on my security infrastructure for the moment. Also, the extra memory required for older units is another prohibitive factor for upgrading now.




Overview of Cisco ASA VPN Technologies

Monday 15 March 2010 @ 4:02 pm

Cisco supports several types of VPN implementations on the ASA, but they are generally categorized as either “IPSec Based VPNs” or “SSL Based VPNs”. The first category uses the IPSec protocol for secure communications while the second category uses SSL. SSL Based VPNs are also called WebVPN in Cisco terminology. The two general VPN categories supported by the Cisco ASA are further divided into the following VPN technologies.

IPSec Based VPNs:

  • Lan-to-Lan IPSec VPN: Used to connect remote LAN networks over insecure media (e.g. the Internet). It runs between ASA and ASA or between ASA and Cisco Router.
  • Remote Access with IPSec VPN Client: VPN client software is installed on the user’s PC to provide remote access to the central network. It uses the IPSec protocol and provides full network connectivity to the remote user. Users use their applications at the central site as they normally would without a VPN in place.

SSL Based VPNs (WebVPN):

  • Clientless Mode WebVPN: This is the first implementation of SSL WebVPN, supported since ASA version 7.0. It lets users establish a secure remote access VPN tunnel using just a Web browser. There is no need for a software or hardware VPN client. However, only a limited set of applications can be accessed remotely.
  • AnyConnect WebVPN: A special Java based client is installed on the user’s computer, providing an SSL secure tunnel to the central site. It provides full network connectivity (similar to the IPSec remote access client). All applications at the central site can be accessed remotely.

From the description above you can understand that the AnyConnect WebVPN technology combines the best of both IPSec based VPNs and SSL based VPNs. It offers full network connectivity to the remote user without having to install dedicated VPN software like the IPSec remote access client. The AnyConnect VPN client is a lightweight Java client (around 3MB) which can be installed on or uninstalled from the remote user’s PC dynamically.
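To show where the categories above surface in an ASA configuration, here is an added, constructed example (not the author's configuration and not a complete deployment): a Lan-to-Lan IPSec tunnel plus a WebVPN listener that serves both a clientless group policy and an AnyConnect group policy. The distinguishing knobs are the tunnel-group type (ipsec-l2l versus remote-access) and the vpn-tunnel-protocol keyword in the group policy (webvpn for clientless, svc for AnyConnect). The peer address 198.51.100.2, the networks, the pool, the pre-shared key and the AnyConnect package file name are placeholders; the syntax is the 8.0 to 8.3 form in which the AnyConnect keywords are still spelled svc.

```cisco
! Constructed example (ASA 8.0-8.3 syntax). All names, addresses and the PSK are placeholders.

! ---- Lan-to-Lan IPSec VPN to a peer ASA or IOS router at 198.51.100.2 ----
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! Interesting traffic: local LAN to the remote site's LAN
access-list L2L-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key PLACEHOLDER-CHANGE-ME

! ---- SSL VPN (WebVPN): one listener, two group policies ----
webvpn
 enable outside
 svc image disk0:/anyconnect-win-PLACEHOLDER-k9.pkg 1
 svc enable
ip local pool ANYCONNECT-POOL 192.168.50.10-192.168.50.100 mask 255.255.255.0
! Clientless: browser only, no client installed, limited application set
group-policy SSL-CLIENTLESS internal
group-policy SSL-CLIENTLESS attributes
 vpn-tunnel-protocol webvpn
! AnyConnect: full tunnel, client pushed from the ASA, address from the pool
group-policy SSL-ANYCONNECT internal
group-policy SSL-ANYCONNECT attributes
 vpn-tunnel-protocol svc
 address-pools value ANYCONNECT-POOL
tunnel-group SSL-USERS type remote-access
tunnel-group SSL-USERS general-attributes
 default-group-policy SSL-ANYCONNECT
tunnel-group SSL-USERS webvpn-attributes
 group-alias sslusers enable
```

Keeping the clientless and AnyConnect users in separate group policies is what lets you restrict what each category can reach: the clientless policy exposes only the bookmarks and port-forwards you define under it, while the AnyConnect policy hands out a routable address and therefore needs the same interface ACL and split-tunnel scrutiny as an IPSec remote access client.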




Cisco Aggregation Services Router 9000 (ASR 9000)

Monday 8 March 2010 @ 4:36 pm

The ASR 9000 has 6 times more capacity and is 4 times faster than any other router in the same category. It is able to transmit data at a rate of 6.4 terabits per second. What does this mean? It means that it is capable of transmitting 200 DVD videos per second, or 250,000 MP3s per second, or 500,000 e-books per second. The bandwidth capacity of the ASR 9000 router is therefore 10 times that of the Cisco ASR 1000. For example, the ASR 9000 supports 100 megabits per second (Mbps) to homes, compared to common legacy E1 or T1 connections which offer around 1.5 to 2 Mbps.

“We really believe that the IP (Internet Protocol) traffic on the Internet will be growing by 46% annually up to 2012, while the bulk of traffic, about 90%, will be consumed by video,” said Pankaj Patel, senior vice president who manages the company’s relationships with telecommunications carriers.

The ASR 9000 has innovative technology for proactive management of video streams, which are particularly difficult to handle. It can repair video and offer excellent image quality and performance for HDTV and other video services, Cisco executives say. It is ideal for companies such as AT&T and Verizon because they offer more and faster Internet video to mobile phones and to PC consumers.

In addition, the company adds that the ASR 9000 operates 40% more efficiently than competing products, helping to save the planet and saving money for the network operators.

So far, some of the largest telecommunications companies in the world, including Softbank Corp. of Japan, have signed up to acquire such devices. The ASR 9000 router uses the same operating system as the Cisco CRS-1, which transmits data at a rate of 92 trillion bits per second and which now ‘runs’ for more than 200 telecommunication operators in the high speed lanes of the world wide web. When Cisco launched the CRS-1 in 2004, some analysts said that these heavy duty network machines (weighing 2,300 pounds and standing 7 feet tall) did not satisfy customers’ wishes. They even predicted that the San Jose company would not sell more than 50 units. Patel, however, stated that Cisco now sells at least 50 such routers per week. Last year, the company earned 39 billion U.S. dollars just from the sales of ASR routers.

Glen Hunt, an analyst at Current Analysis, said that Cisco’s new router will cost providers at least $80,000. The ASR 9000 can be installed close to the homes and business premises of consumers. This model took 4 years to get into production and cost $200 million U.S. dollars. According to Ray Mota, director of sales strategy at Synergy Research Group, the ASR 9000 will fill a gap in Cisco’s product line and will help the San Jose company to maintain its market share. Cisco competes with companies like Alcatel-Lucent and Juniper Networks in the sale of routers. However, Cisco controls 59% of the market, compared with 15% for Alcatel-Lucent and 14% for Juniper.



