Technical Specification for the Cisco ASA 5585-X Adaptive Security Appliance
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 5 of 6
queue is full, the ASA drops any subsequent packets that hash to the same queue. As a result, the oversubscription impact from a single flow is contained to just one work queue out of 32,000, which translates into about a 0.003 percent chance of one offending flow affecting other legitimate transit connections. This process is yet another example of how the ASA 5585-X architecture is explicitly designed to contain and self-mitigate common packet-flood attacks.
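The work-queue isolation described above, modelled as an added example (not Cisco's code): flows are hashed to one of 32,000 bounded queues, and a flooding flow can only overflow the queue it hashes to, so other flows are dropped only if they happen to land in that same queue. The hash function (a SHA-256 stand-in), the per-queue depth and the sample traffic are assumptions; the page does not document them.

```python
import hashlib
from collections import defaultdict

NUM_QUEUES = 32_000   # per the datasheet: 32,000 work queues
QUEUE_DEPTH = 8       # assumed per-queue capacity (not stated on the page)


def queue_index(five_tuple: tuple) -> int:
    """Map a flow's 5-tuple to a work queue. The real ASA hash is not
    documented here; SHA-256 is an illustrative stand-in."""
    key = "|".join(str(f) for f in five_tuple).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % NUM_QUEUES


def dispatch(packets, depth=QUEUE_DEPTH):
    """Simulate one interval in which packets arrive faster than the workers
    drain them, so each queue holds at most `depth` packets.
    Returns (accepted, dropped) packet counts keyed by flow."""
    fill = defaultdict(int)
    accepted = defaultdict(int)
    dropped = defaultdict(int)
    for flow in packets:
        q = queue_index(flow)
        if fill[q] < depth:
            fill[q] += 1
            accepted[flow] += 1
        else:
            dropped[flow] += 1   # tail drop: only this one queue overflows
    return dict(accepted), dict(dropped)


def collision_probability(num_queues=NUM_QUEUES) -> float:
    """Chance that an unrelated flow shares the offending flow's queue
    (1/32,000, i.e. about 0.003 percent)."""
    return 1.0 / num_queues


# Constructed sample traffic: one flooding flow plus five legitimate flows.
FLOOD = ("198.51.100.7", 40000, "203.0.113.10", 80, "tcp")
LEGIT = [("192.0.2.%d" % i, 50000 + i, "203.0.113.10", 443, "tcp")
         for i in range(1, 6)]


def run_demo():
    """1000 flood packets followed by 3 packets from each legitimate flow."""
    traffic = [FLOOD] * 1000 + LEGIT * 3
    return dispatch(traffic)
```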
As mentioned earlier, the ASA performs all packet-processing tasks in the flexible SoftNP. On multi-core Cisco ASA platforms, such as the ASA 5585-X, the SoftNP components are spread across the data path and control plane processes. Most of the connection-processing functions are implemented directly in the data path by the following logical components:
● Fast path: As the name implies, this component forwards packets that match already established stateful connections at a very high rate. It uses the security policy previously evaluated for the given flow to perform the full scope of stateful checks with extremely low latency.
● Session manager: This component evaluates the complete security policy when attempting to create the stateful connection entry. If the first packet of the connection is permitted by the policy, the complete inspection action set is programmed into the fast path for processing the connection's subsequent packets.
Packets that match certain connections may be escalated from any data path process to the control plane. Figure 5 provides a brief view of the functional separation between the fast path and session manager components within the data path, as well as the control plane modules of the SoftNP.
Figure 5. The ASA SoftNP Logical Diagram
In this hierarchical ASA architecture, a defense-in-depth approach can be implemented effectively: every connection is permitted or denied after the minimum necessary set of security checks. While the ASA can effectively manage most security threats at the basic Layer 3 and Layer 4 levels, advanced application inspection engines as well as the IPS and CX modules can examine the permitted traffic all the way up to Layer 7 in order to stop the most complex attacks. At every step, the ASA 5585-X architecture aims to focus processing resources on potentially malicious traffic.