Gestalt IT

Your Place For the Latest News in Enterprise IT

  • Exclusives
  • Tech Talks
  • Field Day
  • Favorites
  • *
  • Rundown
  • Gestalt News
  • Podcast

Accessing Security Insights with SolarWinds Network Insight For Cisco ASA

Access lists are a necessary evil of security. As much as we want to believe that the new world of machine learning (ML) and artificial intelligence (AI) is going to change the way that we think about security, the fact of the matter is that the simple access list is the quickest way of determining who is allowed to go where and who is denied from doing the same.

But access lists can be cumbersome. Every new entry in a list can cause problems. Every old access control entry (ACE) is a potential problem waiting to happen. The interaction between old and new can be a huge issue. This is especially true on firewalls like the Cisco ASA. In the past, the only reliable way to determine if an ACE was being triggered was to log the entire access control list (ACL) and hope for the best. But what if one of those important rules is only triggered occasionally? And how can we strip out the unnecessary lines without breaking everything?

Insightful Investigation

Enter SolarWinds Network Insight for Cisco ASA. SolarWinds Network Insight has already done a masterful job of helping untangle F5 BIG-IP application delivery controllers. The same tool is also available to help unwind the issues with Cisco ASA firewalls.

One of the key features of Network Insight for Cisco ASA is the ability to analyze complicated access lists and determine exactly what they are doing. Network Insight can detect the hit counts for each ACL and ACE and tell you which ones are triggered the most. It can also detect when one ACE is overriding another and short-circuiting the processing of packets. This is especially important when the ACL for a firewall grows to hundreds of entries, or thousands in some cases.

With Cisco ASAs, named object groups can create even more confusion. Network Insight gives you the ability to decode those object groups and ensure the packets are being processed correctly. It can also detect so-called “shadow” rules, which occur when the same packet matches two entirely different processing rules. Which rule has the final effect on the packet? Network Insight can tell you that and help you determine whether or not a packet is being misrouted because of opposing rules.
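To make the shadowing described above concrete, here is an added example (not SolarWinds or Cisco code) that parses a small constructed ASA extended ACL, applies the ASA's top-down first-match order, and reports every ACE that can never fire together with the earlier ACE that pre-empts it and whether the two agree or disagree. It assumes the literal address forms `any`, `host A.B.C.D` and `A.B.C.D MASK`, a single optional `eq PORT` on the destination, and no object groups (those would have to be expanded first).

```python
# Added example (not SolarWinds or Cisco code): a first-match "shadow rule" check for a
# simplified Cisco ASA extended ACL. Assumed syntax: address specs are 'any', 'host A.B.C.D'
# or 'A.B.C.D MASK' (object-groups would need expanding first); only 'eq PORT' on the destination.
import ipaddress

# Constructed sample ACL; the ASA evaluates ACEs top-down and the first match wins.
SAMPLE_ACL = """\
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 443
access-list OUTSIDE_IN extended deny ip 192.0.2.0 255.255.255.0 any
access-list OUTSIDE_IN extended permit tcp host 192.0.2.10 host 10.0.0.5 eq 443
access-list OUTSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 host 10.0.0.7 eq 22
access-list OUTSIDE_IN extended deny tcp host 198.51.100.9 host 10.0.0.5 eq 443
"""

def _take_addr(tokens):  # pop one ASA address spec and return it as an IPv4Network
    tok = tokens.pop(0)
    if tok in ("any", "any4"):
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}")  # 'A.B.C.D MASK' form

def parse_acl(text):
    """Return ACEs as (line_no, action, proto, src_net, dst_net, dst_port_or_None)."""
    aces = []
    for n, raw in enumerate(text.splitlines(), 1):
        t = raw.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue  # skip remarks, blank lines and anything we do not model
        rest = t[5:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append((n, t[3], t[4], src, dst, port))
    return aces

def covers(a, b):
    """True if every packet that matches ACE b would already have matched ACE a."""
    (_, _, ap, asrc, adst, aport), (_, _, bp, bsrc, bdst, bport) = a, b
    return ((ap == "ip" or ap == bp) and bsrc.subnet_of(asrc)
            and bdst.subnet_of(adst) and (aport is None or aport == bport))

def find_shadowed(aces):
    """Return (shadowed_line, shadowing_line, kind) for every ACE that can never fire."""
    report = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            if covers(earlier, later):  # first covering ACE is the one the ASA applies
                # same action: dead weight; opposite action: the packet is decided the other way
                kind = "redundant" if earlier[1] == later[1] else "conflict"
                report.append((later[0], earlier[0], kind))
                break
    return report
```

On the sample, line 3 is redundant with line 1, while lines 4 and 5 are "conflict" cases: the deny on line 2 swallows the later permit for SSH, and the deny on line 5 never fires because line 1 already permitted that traffic.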

The last ACL feature of Network Insight for Cisco ASA that is a lifesaver for security and network admins is version tracking on ACLs. If you’ve ever stared at a multi-entry monster of an ACL and wondered who keeps adding ACEs and why they are strung out like a mess, you have probably asked yourself why the Cisco ASA doesn’t do a better job of tracking these kinds of problems.

SolarWinds ensured that Network Insight is able to track changes to ACLs over time. Each change is logged as a separate entity in the database so that the full history of changes can be reviewed. You’re able to spot a flurry of changes around the same time that Internet access for the site went offline. You can also see which entries are erased and reconfigured the most. And you can keep an eye on troublesome applications and ensure that no changes over time have caused them to stop working correctly.

Bringing It All Together

Security is a hard job. When you break things in a firewall, the Internet stops working. When you misconfigure things you may not notice until you’ve been breached. The problem comes when those things are at war with each other in a simple list of permissions and denials. Thanks to the smart folks at SolarWinds there is now a tool that can give you more information about all those maddening entries on those lists. It’s a load off your mind and a chance for you to focus on the real problems in securing your network.

About Tom Hollingsworth

Tom Hollingsworth is a networking professional, blogger, and speaker on advanced technology topics. He is also an organizer for networking and wireless for Tech Field Day. His blog can be found at https://networkingnerd.net/.
Copyright © 2019 · News Pro on Genesis Framework · WordPress · Log in