This was a question I had in a recent meeting with a large Fortune 100 company. They were traditionally a strong Check Point customer, but a shift in upper management forced them to take on 50+ Cisco ASAs. This was really unfortunate because their team’s Check Point knowledge was very strong and their experience with the ASAs for the next few years was anything but positive.
If you have worked with the ASAs you are aware of some of the serious limitations. One of the biggest is the abysmal logging (or lack of it) that the ASA tries to provide. For starters, when you load up the highly limited ASDM Java interface to administer the ASA, you quickly realize that by default you can only view log events that have occurred since you launched ASDM. Need to troubleshoot an event that happened 10 minutes ago? Too bad. You need to keep the resource-sucking ASDM open on your desktop and hope that you will see it before it scrolls by.
Once you realize this limitation, the lousy reseller that sold you this garbage will swoop in for another sale: Cisco MARS. This product is supposed to allow you to collect Syslog information. CS-MARS used to be a small company called Protego. Cisco acquired them back in 2004, which also happens to be when the product had its most active development.
Fast forward four years and you have pretty much the same product, which is notoriously difficult to set up and maintain. It has a lousy Java interface that is sloooow. CS-MARS has also had a questionable history when being used in a security function. But what was Cisco to do? They needed something that could function as a repository for all of the syslog traffic the ASAs kick out…unencrypted, with no authentication. How well will that fly in an audit? How can you possibly demonstrate that your logs have not been tampered with, or are even accurate, without strong encryption and authentication? Ahem…
Going back to the customer that I am working with, we are now looking at several options. The first and easiest is to activate the Syslog function on the CMA, CLM, or SmartCenter object. This is done by simply checking a box. No special appliances needed, no special licenses, just check a box. This will allow you to then forward syslog events (unfortunately in the “clear”…hello Cisco?) to a CMA, CLM, or SmartCenter Server. These logs can then be viewed in SmartView Tracker, which everyone knows is by far the best logging tool out there.
The next step will be a proof of concept with Eventia Analyzer to collect the logs and correlate them against logs from other devices and other security domains. On March 18th, Check Point released an update to support ASA message IDs. Eventia Analyzer will allow the customer to watch for events being generated by the ASAs, and then tie them into a true Unified Security Architecture.
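Two points above deserve a concrete illustration: correlating on ASA message IDs, and the audit question of how you would ever show that cleartext syslog has not been altered after the fact. The following is an added example written for this post; it is not Check Point's, Cisco's or Eventia's code. It assumes only that an ASA syslog payload begins with a header of the form `%ASA-<severity>-<message-id>:`, tallies lines by message ID the way a correlation engine would key on them, and then applies a simple SHA-256 hash chain to the stored lines so that any later modification or deletion is detectable. The hash chain is a generic integrity technique added here to make the tamper-evidence point tangible; it says nothing about how SmartCenter or Eventia store logs internally. The sample lines are constructed, not captured from a real device.

```python
import hashlib
import re
from collections import Counter

# Assumption: the only thing relied on about the line format is the ASA
# header "%ASA-<severity>-<six-digit message id>: <text>".
ASA_HEADER = re.compile(r"%ASA-(?P<severity>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")

# Constructed sample lines (not from a real firewall); the message IDs are
# used here only as strings to group on.
SAMPLE_LINES = [
    "%ASA-6-302013: Built outbound TCP connection 1 for outside:203.0.113.5/443 to inside:192.0.2.10/51000",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.9/40000 dst inside:192.0.2.20/22 by access-group \"outside_in\"",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.9/40001 dst inside:192.0.2.20/23 by access-group \"outside_in\"",
    "%ASA-6-302014: Teardown TCP connection 1 for outside:203.0.113.5/443 to inside:192.0.2.10/51000 duration 0:00:05 bytes 4210 TCP FINs",
    "not an ASA message at all",
]


def parse_asa_line(line):
    """Return (severity, msgid, text) for an ASA-format line, or None if it does not match."""
    m = ASA_HEADER.search(line)
    if not m:
        return None
    return int(m.group("severity")), m.group("msgid"), m.group("text")


def count_by_msgid(lines):
    """Tally lines per ASA message ID; lines that do not parse are counted under 'unparsed'."""
    counts = Counter()
    for line in lines:
        parsed = parse_asa_line(line)
        counts[parsed[1] if parsed else "unparsed"] += 1
    return counts


def hash_chain(lines):
    """Forward hash chain over stored lines: each digest covers the previous
    digest plus the current line, so altering, inserting or dropping any line
    changes every digest from that point on. Returns the list of hex digests."""
    prev = b"\x00" * 32
    digests = []
    for line in lines:
        h = hashlib.sha256(prev + line.encode("utf-8")).digest()
        digests.append(h.hex())
        prev = h
    return digests


def verify_chain(lines, digests):
    """Recompute the chain over `lines` and compare it with the recorded `digests`.
    Returns the index of the first divergence, or -1 if the two agree in full."""
    recomputed = hash_chain(lines)
    for i, (a, b) in enumerate(zip(recomputed, digests)):
        if a != b:
            return i
    if len(recomputed) != len(digests):
        # One side is a prefix of the other: lines were appended or removed.
        return min(len(recomputed), len(digests))
    return -1


if __name__ == "__main__":
    print(count_by_msgid(SAMPLE_LINES))
    chain = hash_chain(SAMPLE_LINES)
    tampered = list(SAMPLE_LINES)
    tampered[1] = tampered[1].replace("Deny", "Permit")
    print("intact:", verify_chain(SAMPLE_LINES, chain))
    print("tampered at index:", verify_chain(tampered, chain))
```

The chain only has value if the recorded digests are kept somewhere the log writer cannot silently rewrite (a separate host, or periodically signed), which is exactly the gap that unauthenticated, unencrypted syslog transport leaves open in the first place: the receiver can prove its copy is unchanged since arrival, but not that what arrived is what the ASA actually sent.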
That is the solution for the next 18 months…which happens to be how much time is left until the ASAs are end of support, and can be replaced by UTM-1s.