Automated configuration and management of Cisco ASA security device.

Some of the problems included:

  • The company’s product required automated configuration and management of a Cisco ASA security device to supplement its software-defined infrastructure features
  • The previously integrated software load balancer from F5 Networks did not perform as robustly as expected, and there were multiple issues which the vendor was not able to resolve in time, so a different software-defined VPN and firewall solution had to be used
  • The Cisco ASA security device was to be used only in multi-context mode, but the Cisco ASA REST API did not support configuration in this mode
  • The Cisco ASA REST API did not support persistent connections, resulting in NoHttpResponseException and SocketException exceptions
  • The Cisco ASA REST API was configured to support very strict cipher suites which were not available by default in Java
  • Querying for High Availability / Failover status returned free-form text instead of machine-readable output

Some of the solutions applied included:

  • Researching and prototyping operations as per “ASA Build Standards” and “ASA Multiple Context Mode Configuration” specifications
  • Implementing Java client for Cisco ASA security device
  • Utilizing Java Cryptography Extension (JCE) to enable communication with Cisco ASA security device utilizing very strict cipher suites
  • Automating configuring Hostname and Domain name programmatically in Cisco ASA security device
  • Automating creating, entering, listing, querying and deleting Contexts programmatically in Cisco ASA security device
  • Automating programmatic configuration and management of Contexts in Cisco ASA security device – including configuring and enabling Contexts’ passwords, setting up and deleting Contexts’ interfaces, saving Contexts’ configuration, and entering Default context
  • Automating configuring – including communication between interfaces – as well as listing and querying Interfaces programmatically in Cisco ASA security device
  • Automating enabling and disabling ACL for VPN programmatically in Cisco ASA security device
  • Automating enabling Anti-spoofing programmatically in Cisco ASA security device
  • Automating configuring Logging – including rate limits and messages – programmatically in Cisco ASA security device
  • Automating configuring SSH access, version, timeout and authentication programmatically in Cisco ASA security device
  • Automating configuring SNMP programmatically in Cisco ASA security device
  • Automating configuring and listing Routes and Object Groups programmatically in Cisco ASA security device
  • Automating creating, listing, querying and deleting Access Lists, Access Groups, Network Objects and Service Groups programmatically in Cisco ASA security device
  • Automating adding and removing entries to / from Access Lists programmatically in Cisco ASA security device
  • Automating querying Cisco ASA security device for availability programmatically
  • Automating querying HA pair of Cisco ASA security devices for status programmatically
  • Aggregating the list of CLI commands to be used for a given operation and sending them via the CLI command executer API
  • Using regular expressions to extract active/standby failover status from the returned output
  • Using regular expressions to extract primary/secondary failover status from the returned output
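The two regex bullets above describe parsing the free-form text returned by the failover status query. The following Java class is an added example written for this page, not code from the project: it extracts both the primary/secondary role and the active/standby state from the "This host:" line of `show failover` output in one pass, and refuses to guess when failover is off or the line is absent. The sample text in `main` is constructed here to mirror the layout of `show failover`; it was not captured from a real device, and the class and method names are assumptions.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Failover role and state of the local ASA unit, parsed from "show failover" text. */
public final class FailoverStatus {
    public enum Role { PRIMARY, SECONDARY }
    public enum State { ACTIVE, STANDBY, FAILED }

    public final Role role;
    public final State state;

    private FailoverStatus(Role role, State state) {
        this.role = role;
        this.state = state;
    }

    // Only trust the output if the device reports failover as enabled at all.
    private static final Pattern FAILOVER_ON =
        Pattern.compile("^Failover On\\b", Pattern.MULTILINE);

    // Matches e.g. "This host: Primary - Active" or "This host: Secondary - Standby Ready";
    // group 1 is the role, group 2 the state. The line is normally indented, hence \s*.
    private static final Pattern THIS_HOST = Pattern.compile(
        "^\\s*This host:\\s+(Primary|Secondary)\\s+-\\s+(Active|Standby(?: Ready)?|Failed)\\b",
        Pattern.MULTILINE | Pattern.CASE_INSENSITIVE);

    /** Returns empty rather than a guess when the text is not recognisable failover output. */
    public static Optional<FailoverStatus> parse(String showFailoverOutput) {
        if (showFailoverOutput == null || !FAILOVER_ON.matcher(showFailoverOutput).find()) {
            return Optional.empty();
        }
        Matcher m = THIS_HOST.matcher(showFailoverOutput);
        if (!m.find()) {
            return Optional.empty();
        }
        Role role = Role.valueOf(m.group(1).toUpperCase());
        String s = m.group(2).toLowerCase();
        State state = s.startsWith("active") ? State.ACTIVE
                    : s.startsWith("standby") ? State.STANDBY
                    : State.FAILED;
        return Optional.of(new FailoverStatus(role, state));
    }

    public static void main(String[] args) {
        // Constructed sample modelled on the layout of "show failover"; not real device output.
        String sample = String.join("\n",
            "Failover On",
            "Failover unit Primary",
            "Failover LAN Interface: folink GigabitEthernet0/2 (up)",
            "Last Failover at: 10:21:33 UTC Jan 1 2020",
            "        This host: Primary - Active",
            "                Active time: 3453 (sec)",
            "        Other host: Secondary - Standby Ready",
            "                Active time: 0 (sec)");
        FailoverStatus st = parse(sample)
            .orElseThrow(() -> new IllegalStateException("unrecognised failover output"));
        System.out.println(st.role + " / " + st.state);
    }
}
```

Returning `Optional.empty()` instead of a default state matters for automation: a caller that treats "could not parse" as "standby" will make the wrong decision the moment Cisco changes the wording, so the parse failure should surface as an error rather than a silent default.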
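The "very strict cipher suites" and "no persistent connections" problems above are both addressed at the HTTP client layer. The following factory is an added example written for this page using Apache HttpComponents (HttpClient 4.4+), not the project's own code: it pins the TLS version and an explicit cipher suite list, keeps hostname verification on, disables connection reuse so every request opens a fresh connection (sidestepping the NoHttpResponseException seen on stale keep-alive sockets), and retries idempotent requests a bounded number of times. The cipher suite names, the trust-store arguments and the class name are assumptions; the suites the ASA actually accepts depend on its own `ssl cipher` configuration. On JDK 8 releases before 8u161 the AES-256 suites additionally needed the JCE Unlimited Strength policy files installed.

```java
import java.io.File;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.NoConnectionReuseStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.DefaultHttpRequestRetryHandler;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

/** Builds an HttpClient suited to a REST endpoint with a strict TLS policy and no keep-alive. */
public final class AsaRestClientFactory {
    // Assumed values: align these with the cipher suites the device is configured to offer.
    static final String[] PROTOCOLS = { "TLSv1.2" };
    static final String[] CIPHER_SUITES = {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    };

    private AsaRestClientFactory() {}

    /**
     * @param trustStore         JKS/PKCS12 store holding the device's CA or certificate
     * @param trustStorePassword password protecting the trust store
     */
    public static CloseableHttpClient create(File trustStore, char[] trustStorePassword)
            throws Exception {
        // Trust only the certificates in the supplied store; never fall back to trust-all.
        SSLContext ctx = SSLContexts.custom()
            .loadTrustMaterial(trustStore, trustStorePassword)
            .build();

        // Restrict the handshake to the listed protocols and suites; keep hostname checks.
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
            ctx, PROTOCOLS, CIPHER_SUITES, new DefaultHostnameVerifier());

        return HttpClients.custom()
            .setSSLSocketFactory(socketFactory)
            // The endpoint closes connections after each response, so never reuse one.
            .setConnectionReuseStrategy(NoConnectionReuseStrategy.INSTANCE)
            // Retry up to 3 times on transport errors such as NoHttpResponseException,
            // but not requests that were already sent (second argument false).
            .setRetryHandler(new DefaultHttpRequestRetryHandler(3, false))
            .build();
    }
}
```

Pinning suites on the client has a detection benefit as well: if the handshake starts failing after a device change, the client error names the negotiated suite mismatch rather than silently downgrading, which is the behaviour you want when the ASA's cipher policy is the control being relied on.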

Technology stack

  • Java
  • OSGi
  • Cisco ASA REST API
  • Apache HttpComponents
  • Jackson 2
  • Apache Commons IO
  • Google Guava

Industry

IT