Architecture for identity firewall deployments – Cisco ASA 5505 User Manual


36-2

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 36 Configuring the Identity Firewall

Information About the Identity Firewall

The Identity Firewall integrates with Microsoft Active Directory in conjunction with an external Active
Directory (AD) Agent that provides the actual identity mapping. The ASA uses Windows Active
Directory as the source to retrieve the current user identity information for specific IP addresses and
allows transparent authentication for Active Directory users.

Identity-based firewall services enhance the existing access control and security policy mechanisms by
allowing users or groups to be specified in place of source IP addresses. Identity-based security policies
can be interleaved without restriction between traditional IP address based rules.

The key benefits of the Identity Firewall include:

• Decoupling network topology from security policies

• Simplifying the creation of security policies

• Providing the ability to easily identify user activities on network resources

• Simplifying user activity monitoring

Architecture for Identity Firewall Deployments

The Identity Firewall integrates with Windows Active Directory in conjunction with an external Active
Directory (AD) Agent that provides the actual identity mapping.

The identity firewall consists of three components:

• ASA

• Microsoft Active Directory

Though Active Directory is part of the Identity Firewall on the ASA, it is managed by Active
Directory administrators. The reliability and accuracy of the identity data depends on the data in Active
Directory.

Supported versions include Windows Server 2003, Windows Server 2008, and Windows Server
2008 R2 servers.

• Active Directory (AD) Agent

The AD Agent runs on a Windows server. Supported Windows servers include Windows 2003,
Windows 2008, and Windows 2008 R2.

Note

Windows 2003 R2 is not supported for the AD Agent server.
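The following ASA CLI fragment is an added illustration (not taken from this guide) of how the three components above are tied together and how an identity-based rule can sit between ordinary IP-based rules. The domain nickname SAMPLE, the group and user names, the server addresses, the LDAP login DN and the RADIUS key are constructed placeholders.

```text
! Active Directory server (identity source) reached over LDAP
aaa-server adserver protocol ldap
aaa-server adserver (inside) host 192.168.1.10
 ldap-base-dn dc=sample,dc=com
 ldap-scope subtree
 ldap-login-dn cn=asa-reader,cn=users,dc=sample,dc=com
 ldap-login-password <placeholder-password>
 server-type microsoft

! AD Agent (supplies the user-to-IP mapping) reached over RADIUS
aaa-server adagent protocol radius
 ad-agent-mode
aaa-server adagent (inside) host 192.168.1.20
 key <placeholder-shared-secret>

! Bind the ASA identity firewall to the AD domain and the AD Agent
user-identity domain SAMPLE aaa-server adserver
user-identity default-domain SAMPLE
user-identity ad-agent aaa-server adagent
user-identity enable

! IP-based and identity-based ACEs interleaved in one access list
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 host 10.2.2.5 eq 443
access-list inside_in extended permit ip user-group SAMPLE\\finance host 10.2.2.6
access-list inside_in extended permit ip user SAMPLE\jsmith host 10.2.2.7
access-list inside_in extended deny ip any host 10.2.2.7
access-group inside_in in interface inside
```

Use a read-only directory account for the LDAP bind; the ASA only needs to look up users and group memberships. If the AD Agent or the AD server becomes unreachable, identity-based ACEs can no longer be evaluated for new mappings, so monitor those connections as part of the policy's health.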
