zmeng@cisco.com 85155117
Day 1

Start   End     Description
9:00am  10:30am Overview session (ASA Product Overview, Product Positioning, Competitive)
10:30am 10:45am Break and prepare for lab
10:45am 11:00am Lab Overview
11:00am 12:00pm ASA Routing & Firewall Lab
12:00pm 13:00pm Lunch
13:00pm 14:00pm ASA Routing & Firewall Lab
14:00   16:00   ASA IPS Lab
16:00   18:00   ASA VPN Lab
17:15   17:30   Closing
Agenda:
- ASA Overview & Positioning
- ASA Adaptive Threat Defense Technology
- ASA Competitive Positioning

Adaptive Threat Defense pillars:
- Anti-X Defenses: Malware/Content Defense, Anomaly Detection
- Network Containment & Control: Traffic/Admission Control, Proactive Response, Incident Control System (ICS)
CLEAN VPN

Product positioning (throughput and session figures as charted on the slide):
- PIX 515E: 188 Mbps
- PIX 525: 330 Mbps
- IPS 4215: 80 Mbps
- IPS 4240: 250 Mbps
- VPN 3005: 200 IPSec, 4 Mbps, 50 SSL
- VPN 3020: 750 IPSec, 50 Mbps, 200 SSL
- VPN 3030: 1500 IPSec, 50 Mbps, 500 SSL
- VPN 3060: 5000 IPSec, 100 Mbps, 500 SSL
- VPN 3080: 10,000 IPSec, 100 Mbps, 500 SSL

ASA is to replace the VPN3K for all IPSec VPNs and basic WebVPN. Use the VPN3K only if full 4.7 SSLVPN is required.
Better price/performance (up to 5000 IPSec, 325 Mbps, 2500 SSLVPN). ASA = VPN 4.1 (4.7 features planned in ASA 7.1, early CY06). Cluster with the VPN3K for migration. Enhanced features of FW, IPS, AV, QoS, OSPF, etc.

APAC SEC Q4 UPD Chanray/25-Jul-05
Deployment diagram labels: Remote Site, Data Center, Enterprise Network, DMZ, Corporate LAN, Public Internet, Business Partners, Wireless LAN

- Robust access and policy enforcement with rich application protections based on Cisco PIX Firewall.
- IPS Edition: Protect servers and critical assets from hackers and network worms with Intrusion Prevention, worm protection and firewall services.
- Anti-X Edition: Protect users from Internet threats and connect remote sites securely with Anti-X, firewall and VPN services.
- VPN Edition: Unified SSL & IPSec Remote Access Services with Unified Threat Management.
Target Market: Enterprise, Medium Enterprise, Large Enterprise
Starting prices: $3,495; $7,995; $16,995; $19,995
Platform Capabilities (five platforms, smallest to largest, as charted on the slide)

Metric                   | Platform 1               | Platform 2             | Platform 3  | Platform 4  | Platform 5
Max Firewall Conns       | 10,000/25,000            | 50,000/130,000         | 280,000     | 400,000     | 650,000
Max Conns/Second         | 3,000                    | 6,000                  | 9,000       | 20,000      | 28,000
Packets/Second (64 byte) | 85,000                   | 190,000                | 320,000     | 500,000     | 600,000
Base I/O                 | 8-port FE switch         | 5 FE                   | 4 GE + 1 FE | 4 GE + 1 FE | 8 GE + 1 FE
VLANs Supported          | 3/20 (trunk)             | 50/100                 | 150         | 200         | 250
HA Supported             | Stateless A/S (Sec Plus) | A/A and A/S (Sec Plus) | A/A and A/S | A/A and A/S | A/A and A/S
Cisco Confidential
Hardware callouts:
- Two Power over Ethernet (PoE) ports for IP phones, Wi-Fi access points, video surveillance, etc.
- 8-port 10/100 fully configurable switch with VLAN support
- Three USB v2.0 ports for future use (one in front)
- Console port
Hardware callouts:
- Two USB 2.0 ports for future expansion (credentials, failover, and more)
- Compact Flash for software, config, and log storage
- Console and AUX ports
- Five status LEDs (Power, Status, Active, VPN, Flash)
Platform Highlights
- Compact desktop form factor
- Integrated VPN acceleration
- 8 x 10/100 ports with flexible port grouping
- VLANs: Home/Business/Outside
- Support for true DMZ and trunking
- Power over Ethernet (802.3af) ports for IP phones, external wireless APs, etc.
- USB 2.0 ports for future use
- Wall and rack mountable
- Convection cooling (no fan)
Internet VLAN
- DHCP and Dynamic DNS services
- PPPoE support
- Backup ISP support (Security Plus)

Home VLAN
- Secure access for a wide range of applications through the Internet VLAN
- DHCP Server services
Diagram labels: SSL VPN, Sales Teams, Inside VLAN, Power over Ethernet WiFi Access Point, Employee/Guest VLANs, VLAN Trunk, Common Network Printer

- Active/Standby design with Failback
- Support for DHCP, Dynamic DNS & PPPoE
IPS module (SSM):
- Provides full-featured IPS and IDS services for protection of critical network assets
- Available in two models: SSM-10 and SSM-20
- Delivers up to 450 Mbps of IPS throughput
- Has thumbscrews for easy insertion/removal
- 10/100/1000 out-of-band management port
- Supported on ASA 5510, 5520, and 5540

Anti-X module (CSC SSM):
- Provides full-featured Anti-X services (anti-virus, anti-spyware, anti-spam, anti-phishing, URL filtering, and more)
- Available in two models: SSM-10 and SSM-20
- Anti-virus and anti-spyware services licensed by number of users; the others are optional add-ons
- Supported on ASA 5510, 5520, and 5540

Gigabit Ethernet I/O module:
- Offers four copper 10/100/1000 ports in addition to four SFP ports for improved flexibility and network segmentation
- Customers can use up to four ports total out of these eight ports, with the ability to mix and match copper and optical GE ports
- Supported on ASA 5510, 5520, and 5540
IPS module callouts:
- Diskless (Flash-based) design for improved reliability
- Gigabit Ethernet port for out-of-band management, etc.
- Thumbscrews for easy insertion and removal
Gigabit Ethernet I/O module callouts:
- Four copper 10/100/1000 ports for simplified deployment
- Four SFP Gigabit ports for optical connectivity
- Thumbscrews for easy insertion and removal
- Allows customers to choose either copper or optical for up to 4 ports of additional connectivity
Cisco ASA 5500 Series Content Security and Control Module (CSC SSM) Platforms/Subscription Levels

Platforms and user levels:
- CSC SSM-10: 50 User, 100 User, 250 User, 500 User
- CSC SSM-20: 500 User, 750 User, 1,000 User

Feature Sets:
- Base Services: File-based Anti-Virus and malware filtering; Anti-Spyware
- Plus License: Anti-Spam, Content Filtering, Anti-Phishing, URL Filtering and Blocking
Secure Connectivity
Application Inspection & Control, Anti-X Defenses, Network Containment & Control

The innovative AIM services architecture allows businesses to adapt and extend the security services profile through Cisco-developed and partner-provided innovations, delivering high performance for current services and extensibility for new ones.
- Reduces the complexity of provisioning with single-touch configuration
- Improves control over applications by introducing flow- or class-specific service policies

Diagram label: Tunnel group
- Defends networks from application-layer attacks
- Gives businesses control over how applications and protocols are used
- Regulates application usage to free network bandwidth and drive IT cost savings

Specific Applications: Microsoft Windows Messenger, Microsoft NetMeeting, Real Player, Cisco IP Phones, Cisco Softphones

Security Services: IKE, IPSec, PPTP
Advanced HTTP inspection services help protect from web-based attacks and other types of port 80 misuse.

Includes customizable policies for detecting and blocking tunneled applications and attacks, including:
- Instant messaging applications (AIM, MSN Messenger, Yahoo)
- Peer-to-peer applications (KaZaA)
- And more!

- Adds advanced TCP stream reassembly and de-obfuscation engines for hidden attack detection
- Deep inspection services give businesses control over what actions users can perform when accessing websites
- Performs RFC compliance checking for protocol anomaly detection
- Supports HTTP command filtering for precise control over how web servers are accessed, providing a strong line of defense against a range of known and unknown attacks
- Provides MIME type filtering and content validation capabilities
FTP Inspection: Command Filtering

Configure the security device to allow or disallow specific FTP commands. When a disallowed command is seen, the connection is closed and a syslog message is generated.

Configurable commands: APPE, CDUP, DELE, GET, HELP, MKD, PUT, RMD, RNFR, RNTO, SITE, STOU

Syntax: ftp-map <ftp_map_name>, followed by request-command deny <commands> in ftp-map configuration mode. Example creating the map "ftpins" and denying APPE, CDUP and HELP:

pixfirewall(config)# ftp-map ftpins
pixfirewall(config-ftp-map)# request-command deny appe cdup help
ESMTP Inspection

The current PIX Security Appliance software, 6.3(4), inspects only the SMTP commands listed in RFC 821. Customers run mail servers that use the SMTP extensions defined in follow-on RFCs; the most common requirement is support for the commands defined in RFC 1869, which are widely used with Microsoft Exchange. Effective with PIX/ASA OS 7.0, the firewall also inspects the supported ESMTP commands for RFC compliance. The supported set is every command that SMTP supports except EXPN, plus the two SMTP extension commands AUTH and ETRN, for a total of 15 commands. Any command not in this list is treated as illegal.

AUTH DATA EHLO ETRN HELO HELP MAIL NOOP QUIT RCPT RSET SAML SEND SOML VRFY
TCP Normalization

- Protects against network and application layer attacks
- Prevents hacker intrusions, DoS, and malware including worms, network viruses, Trojan horses, spyware and adware
- Frees up network bandwidth and system resources from the damaging effects of attacks
Attack Evasion Defenses: specialized safeguards to scrub traffic and defeat evasion attempts
- IP fragmentation reassembly and normalization
- TCP stream reassembly and normalization
- TCP evasion and IP anti-spoofing
- Deobfuscation
- Prevents installation of malware and blocks phone-home communications
- Frees network bandwidth and controls the transmission of confidential data
- Stops the infection and propagation of malware
- Leverages internal development and the partnership with Trend Micro
- Controls corporate espionage
- Stops web defacing by preventing web attacks
- Prevents zombie, backdoor, and bot placement, thus stopping automated attacks (e.g., denial of service (DoS))
Directed Attacks

Traffic Cleansing
- Removes traffic ambiguities such as overwritten fragments, TCP segment overwrites and TTL discrepancies
- Simulates end-host behavior to increase inspection accuracy
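The segment-overwrite case above, as an added example written for this page (not code from the slides or from any Cisco product): a small normaliser that reassembles a TCP stream, accepts identical retransmissions, and drops any segment that would overwrite already-accepted bytes with different data, which is the ambiguity an inspector cannot resolve. The (seq, payload) segment shape and the sample input are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Verdict:
    stream: bytes = b""                            # in-order bytes safe to inspect
    dropped: list = field(default_factory=list)    # (seq, reason) per removed segment


def normalize_stream(segments, base_seq=0):
    """Reassemble (seq, payload) segments in arrival order.

    Bytes that overlap already-accepted data must be identical. A segment that
    would overwrite accepted bytes with different data is dropped (first data
    wins) and recorded, so the inspector and the end host never see two
    competing versions of the same bytes. Identical retransmissions are
    harmless and are accepted silently.
    """
    accepted = {}                                  # absolute offset -> byte value
    verdict = Verdict()
    for seq, payload in segments:                  # arrival order, not seq order
        conflict = next((seq + i for i, b in enumerate(payload)
                         if accepted.get(seq + i, b) != b), None)
        if conflict is not None:
            verdict.dropped.append((seq, "overwrite attempt at offset %d" % conflict))
            continue
        for i, b in enumerate(payload):
            accepted[seq + i] = b
    # Only the contiguous prefix is released; a hole waits for the missing segment.
    out = bytearray()
    off = base_seq
    while off in accepted:
        out.append(accepted[off])
        off += 1
    verdict.stream = bytes(out)
    return verdict


# Constructed sample: the second segment retransmits offset 4 with different bytes.
SAMPLE = [(0, b"GET /index.html"), (4, b"/evil.html"), (15, b" HTTP/1.0\r\n")]

if __name__ == "__main__":
    v = normalize_stream(SAMPLE)
    print(v.stream, v.dropped)
```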
- Ensures malicious attacks are stopped without impact to legitimate traffic
- Identifies and stops worms or escalating attacks which can rapidly propagate and cause extensive damage

Meta Event Generator: provides unique on-box correlation that adapts to new threats in real time while minimizing user intervention.
Correlation inputs: event type, time span, threat escalation
Risk Rating: Decision support balances attack urgency with business risk

Inputs combined (+) into the rating:
- How prone is the signature to false positives?
- Is the attack relevant to the host being attacked?
- How critical is this destination host?

The resulting RISK RATING (High, Medium or Low) drives the final mitigation policy.
- Gives businesses precise control over application access and network traffic flows
- Enables strict adherence to corporate security policies
- Protects internal corporate network addresses from being shared with outside networks, such as the Internet
IPSec VPN

- Delivers both IPSec and SSL-based VPN services on a single platform, eliminating the need for parallel solutions
- Provides unique device clustering capabilities to seamlessly scale performance and eliminate single points of failure

Foundation Features
- Flexible user authentication and access control
- Group/user policies
Diagram labels: Central Site, VPN Concentrator, Public Internet, Worms, CSA

- Dynamic load balancing ensures effective utilization of all clustered devices
- Clustering + load balancing = high uptime
- Seamlessly integrates with existing VPN 3000 clusters

Load-balancing exchange (cluster address space 124.118.24.X; inside network 10.10.1.X):
- Client requests a connection to the cluster address 124.118.24.50
- Virtual cluster master responds with 124.118.24.33
- Client requests an IPSec/SSL session to 124.118.24.33
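The redirect exchange above, as an added example written for this page (a simplified model, not Cisco's cluster protocol or any product code): the virtual cluster master answers a request sent to the cluster address with the address of the least loaded live member, and the client then opens its IPSec/SSL session there. The cluster address and the .33 member come from the slide; the other member addresses, the session counts, the capacity limits and the lowest-load selection rule are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Member:
    address: str
    sessions: int        # current VPN sessions (assumed values)
    capacity: int        # session limit (assumed values)
    up: bool = True      # a failed member is never chosen, so no single point of failure


class VirtualClusterMaster:
    """Answers requests sent to the cluster address with a redirect to the
    least loaded live member (selection rule assumed for this example)."""

    def __init__(self, cluster_ip, members):
        self.cluster_ip = cluster_ip
        self.members = members

    def handle_request(self, dst_ip):
        if dst_ip != self.cluster_ip:
            return None                               # not a cluster request
        live = [m for m in self.members if m.up and m.sessions < m.capacity]
        if not live:
            return None                               # nothing to redirect to
        chosen = min(live, key=lambda m: m.sessions / m.capacity)
        chosen.sessions += 1                          # account for the new session
        return chosen.address


def client_connect(master, cluster_ip):
    """Client side of the exchange; returns the message log of both parties."""
    log = [("client->cluster", "connection request to %s" % cluster_ip)]
    redirect = master.handle_request(cluster_ip)
    if redirect is None:
        log.append(("master->client", "no member available"))
        return log
    log.append(("master->client", "redirect to %s" % redirect))
    log.append(("client->member", "IPSec/SSL session to %s" % redirect))
    return log


# Constructed cluster: .33 lightly loaded, .34 busy, .31 failed.
MEMBERS = [Member("124.118.24.33", 10, 100), Member("124.118.24.34", 60, 100),
           Member("124.118.24.31", 0, 100, up=False)]
MASTER = VirtualClusterMaster("124.118.24.50", MEMBERS)

if __name__ == "__main__":
    for who, msg in client_connect(MASTER, "124.118.24.50"):
        print(who, msg)
```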
- Leverages more than 20 years of Cisco networking leadership and innovation
- Delivers a wide range of networking services for seamless integration into diverse network environments

Intelligent Networking Services:
- Security contexts (virtualized)
- Layer 2 transparent firewall
- VLAN-based virtual interfaces
- OSPF, RIP dynamic routing
- Multicast routing (PIM sparse)
- Quality of service (QoS)
- IPv6 networking
Transparent Firewall
The transparent PIX/ASA uses an inside interface and an outside interface only. Each directly connected network must be on the same subnet.
Diagram labels: Internet, Switch, VLAN 100 (10.0.1.1), ASA/PIX (10.0.1.2), VLAN 200 (10.0.1.3)

- A management IP address is required for each context, even if you do not intend to use Telnet to the context. The ASA uses this IP address as the source address for packets it originates on either interface.
- The management IP address must be on the same subnet as the connected network.
- Do not specify the ASA management IP address as the default gateway for connected devices; devices need to specify the router on the other side as the gateway.
- Make sure that the upstream router performs NAT if you use overlapping subnets.
- Dynamic routing protocols do not run on the device, but their traffic can pass through.
- NAT is not supported.
- You can optionally use an EtherType ACL to allow non-IP traffic through.
Quality of Service
Certifications:
- Common Criteria: coming, EAL4+, v7.0(2), ASA family
- FIPS 140: coming, Level 2, v7.0(2), ASA family
- ICSA Firewall 4.1, Corporate Category: future, v7.0(1), ASA family
- ICSA IPSec 1.1D: future, v7.0(1), ASA family
- VPNC: tentative, v7.0(1), ASA family
Monitoring and Mitigation
- Multi-platform event management and response
- Sophisticated data reduction and correlation
- Cisco Security MARS, CiscoWorks SIMS
Auditing
- Device posture validation against industry best practices and regulatory compliance
- Cisco Security Auditor
Competitive Differentiation
Miercom evaluated the ASA 5520, Netscreen 208, Checkpoint NGX and Fortinet 1000.

Miercom's results for the ASA 5500: better performance, surpassing every competitor in every scenario
- More than 6X throughput for concurrent IPS/firewall security services
- 3X VPN throughput
- More than 4X the firewall connection rate of the nearest competitor
Chart: Connections Per Second with All Signatures On (y-axis 0 to 7000; bar values shown: 5881, 1358, 626, 432)
Results:
- ASA accurately detects and stops 100% of the threats Miercom presented
- ASA is the only device to detect and stop backdoor threats
- Overall, ASA delivers greater than 2X the threat prevention capabilities
End