
Cisco ASA 5500 Series Adaptive Security Appliances

Technical Hands-on Training

zmeng@cisco.com 85155117


2005 Cisco Systems, Inc. All rights reserved.

PDF created with pdfFactory Pro trial version www.pdffactory.com

ASA Technical Training

Agenda (one-day)

Day 1 (duration in parentheses)
- 09:00-10:30 Overview session (ASA Product Overview, Product Positioning, Competitive) (1:30)
- 10:30-10:45 Break and prepare for lab (0:15)
- 10:45-11:00 Lab Overview (0:15)
- 11:00-12:00 ASA Routing & Firewall Lab (1:00)
- 12:00-13:00 Lunch (1:00)
- 13:00-14:00 ASA Routing & Firewall Lab (1:00)
- 14:00-16:00 ASA IPS Lab (2:00)
- 16:00-18:00 ASA VPN Lab (2:00)
- 17:15-17:30 Closing (0:15)

APAC SEC Q4 UPD ASA 5500 Intro Chanray/25-Jul-05


Agenda
- ASA Overview & Positioning
- ASA Adaptive Threat Defense Technology
- ASA Competitive Positioning

Cisco ASA 5500 Series: Convergence of Robust, Market-Proven Technologies

Source technologies feeding the ASA 5500:
- Firewall technology: Cisco PIX
- IPS technology: Cisco IPS
- Network anti-virus (NW-AV) technology: Cisco IPS, AV
- VPN technology: Cisco VPN 3000
- Network intelligence: Cisco network services

Resulting ASA service areas:
- Adaptive Threat Defense
  - Application Security: application inspection, use enforcement, web control
  - Anti-X Defenses: malware/content defense, anomaly detection
  - Network Containment & Control: traffic/admission control, proactive response, Incident Control System (ICS)
- Secure VPN Connectivity

When to Sell ASA?

UTM, all-in-one, multifunction/converged appliance: capture new markets, blow the competitors away.

ASA as firewall instead of PIX 515E / PIX 525
- Better price/performance; ASA runs the same PIX 7.0 software
- PIX 515E + PIX 525 = 74% of APAC PIX revenue in FY05
- Enhanced features: IPS, AV, SSL VPN, etc.
- Reference throughput (chart labelled CLEAN VPN): PIX 515E 188 Mbps, PIX 525 330 Mbps

ASA as IPS instead of IPS 4215 / IPS 4240
- Better price/performance, up to 450 Mbps; ASA runs IPS 5.0
- Enhanced features: firewall, VPN, etc.
- Reference throughput: IPS 4215 80 Mbps, IPS 4240 250 Mbps

ASA to replace the VPN 3000 for all IPsec VPNs and basic WebVPN; use the VPN 3000 only if full 4.7 SSL VPN is required
- Better price/performance: up to 5000 IPsec peers, 325 Mbps, 2500 SSL VPN users
- ASA = VPN 4.1 feature level (4.7 features planned for ASA 7.1, early CY06)
- Cluster with VPN 3000 for migration
- Enhanced features: firewall, IPS, AV, QoS, OSPF, etc.
- Reference VPN 3000 models:
  - VPN 3005: 200 IPsec, 4 Mbps, 50 SSL
  - VPN 3020: 750 IPsec, 50 Mbps, 200 SSL
  - VPN 3030: 1500 IPsec, 50 Mbps, 500 SSL
  - VPN 3060: 5000 IPsec, 100 Mbps, 500 SSL
  - VPN 3080: 10,000 IPsec, 100 Mbps, 500 SSL

Meeting Needs Requires Many Services: Complex Location-Specific Requirements

- Internal segmentation (wireless LAN, corporate LAN): robust access control, application security, worm protection, outbreak containment
- Remote site with Internet access: enterprise-grade firewall, anti-virus, anti-spyware, web security services, site-to-site VPN
- Remote user access: SSL VPN, IPsec VPN, client protections, threat defense
- DMZ / Internet access / extranet (public Internet, business partners): trusted firewall, application controls, sophisticated logging, intrusion detection, intrusion prevention, analysis and correlation

Meeting these needs with separate point products brings operational inefficiencies from multiple platforms and consoles, may require compromise on protection, and leads to complex design and configuration.

ASA 5500 Series Enterprise Editions: A Family of Tailored Packages for Location-Specific Needs

- Enables standardization on the ASA 5500 series platform to reduce costs in management, training, and sparing
- Superior protection by providing the right services for the right location
- Simplifies design and deployment by providing pre-packaged, location-specific security solutions

Editions: Cisco ASA 5500 Firewall Edition, Cisco ASA 5500 VPN Edition, Cisco ASA 5500 IPS Edition, Cisco ASA 5500 Anti-X Edition

ASA 5500 Series Enterprise Editions: Tailored Packages for Location-Specific Needs

- Firewall Edition (data center; extranet: business partner access; outbound user Internet access): robust access and policy enforcement with rich application protections based on the Cisco PIX Firewall
- IPS Edition (wireless LAN; internal segmentation / corporate LAN; DMZ: inbound public Internet services): protects servers and critical assets from hackers and network worms with intrusion prevention, worm protection and firewall services
- Anti-X Edition (remote site with local Internet access): protects users from Internet threats and connects remote sites securely with Anti-X, firewall and VPN services
- VPN Edition (remote access users): unified SSL and IPsec remote access services with unified threat management

Cisco ASA 5500 Series Product Lineup: Solutions Ranging from SMB to Large Enterprise

Values below are given in model order: ASA 5505 (new); ASA 5510; ASA 5520; ASA 5540; ASA 5550. Where the 5505 or 5510 entry shows two values separated by a slash, the second applies with the Security Plus license.

Target market and list price
- Target market: Teleworker / Branch Office / SMB; SMB and SME; Enterprise; Medium Enterprise; Large Enterprise
- List price (starting at): $595; $3,495; $7,995; $16,995; $19,995

Performance
- Max firewall throughput: 150 Mbps; 300 Mbps; 450 Mbps; 650 Mbps; 1.2 Gbps
- Max firewall + IPS throughput: Future; 300 Mbps; 375 Mbps; 450 Mbps; N/A
- Max IPsec VPN throughput: 100 Mbps; 170 Mbps; 225 Mbps; 325 Mbps; 425 Mbps
- Max IPsec/SSL VPN peers: 25/25; 250/250; 750/750; 5000/2500; 5000/5000

Platform capabilities
- Max firewall connections: 10,000/25,000; 50,000/130,000; 280,000; 400,000; 650,000
- Max connections/second: 3,000; 6,000; 9,000; 20,000; 28,000
- Packets/second (64 byte): 85,000; 190,000; 320,000; 500,000; 600,000
- Base I/O: 8-port FE switch; 5 FE; 4 GE + 1 FE; 4 GE + 1 FE; 8 GE + 1 FE
- VLANs supported: 3/20 (trunk); 50/100; 150; 200; 250
- HA supported: stateless A/S (Security Plus); A/A and A/S (Security Plus); A/A and A/S; A/A and A/S; A/A and A/S

Cisco Confidential

Cisco ASA 5505 Adaptive Security Appliance: Product Tour, Front

- Link status and speed LEDs for the integrated 8-port switch
- Silent, convection-cooled design
- Convenient, powered USB 2.0 port for future expansion
- VPN, high availability, and system health status LEDs

Cisco ASA 5505 Adaptive Security Appliance: Product Tour, Back

- Diskless architecture for high reliability
- Expansion slot for future capabilities
- Sleek, high-performance desktop design
- Secure lock slot and system reset button
- Two Power over Ethernet (PoE) ports for IP phones, Wi-Fi access points, video surveillance, etc.
- 8-port 10/100 fully configurable switch with VLAN support
- Three USB 2.0 ports for future use (one in front)
- Console port

Cisco ASA 5510/5520/5540 Adaptive Security Appliances: Product Tour

- Four 10/100/1000 copper Gigabit ports
- One 10/100 out-of-band management port*
- One expansion slot for additional accelerated services or I/O
- Sleek, high-performance 1 rack unit (RU) design
- Diskless architecture for high reliability
- Single field-upgradeable AC or DC power supply
- Two USB 2.0 ports for future expansion (credentials, failover, and more)
- Compact Flash for software, configuration, and log storage
- Console and AUX ports
- Five status LEDs (Power, Status, Active, VPN, Flash)

Introducing the Cisco ASA 5505: Next-Generation SOHO/ROBO Security Appliance

Next-generation solution for small business, branch office and enterprise teleworker environments; best-of-class small business, branch office, and teleworker solution.

Full-featured, high-performance, market-proven security services, including:
- Advanced application inspection and control services
- Site-to-site VPN, Cisco Easy VPN Server, remote IPsec VPN connectivity
- SSL VPN connectivity
- Dual ISP support with object tracking and failback
- Hardware failover, PPPoE, dynamic DNS, and more

Platform highlights:
- Compact desktop form factor
- Integrated VPN acceleration
- 8 x 10/100 ports with flexible port grouping
- VLANs: Home/Business/Outside; support for true DMZ and trunking
- Power over Ethernet (802.3af) ports for IP phones, external wireless APs, etc.
- USB 2.0 ports for future use
- Wall and rack mountable
- Convection cooling (no fan)

Teleworker Deployment Model: Easy-to-Install Modern Home Networking Services

- Business VLAN: secure access to both the Home and Internet VLANs; Power over Ethernet for IP phones and Wi-Fi access points
- Internet VLAN: DHCP and dynamic DNS services; PPPoE support; backup ISP support (Security Plus)
- Home VLAN: secure access for a wide range of applications through the Internet VLAN; DHCP server services

Remote Office/SMB Deployment Model: High-Performance, Resilient Security Services

- Business/DMZ VLAN: web server, e-mail server, DNS server
- Internet VLAN (active) and Internet VLAN (standby): Active/Standby design with failback; support for DHCP, dynamic DNS and PPPoE
- Remote connectivity: site-to-site IPsec VPN to partners and remote employees; remote access VPN; SSL VPN for sales teams
- Inside VLAN: Power over Ethernet Wi-Fi access point, employee/guest VLANs carried over a VLAN trunk, common network printer

Cisco ASA 5505 Licensing Model

Similar to PIX 501 licensing, but with additional dimensions.

User-based licensing: 10, 50, and unlimited user licenses.

SSL VPN licensing: base includes 2 users for free; 10 and 25 user upgrades available.

The Security Plus license offers many additional capabilities and can be used with any user licensing level:
- Increased system capacity: raises maximum connections from 10K to 25K; raises the IPsec peer count from 10 to 25
- Device and link-level redundancy: enables stateless Active/Standby failover; enables redundant ISP support (dual ISP uplinks)
- Improved flexibility: enables full DMZ and 802.1q VLAN trunking support

Wide Range of Cisco ASA 5500 Series Security Services Modules (SSMs)

IPS Security Services Module (AIP SSM)
- Provides full-featured IPS and IDS services for protection of critical network assets
- Available in two models: SSM-10 and SSM-20
- Delivers up to 450 Mbps of IPS throughput
- Has thumbscrews for easy insertion/removal
- 10/100/1000 out-of-band management port
- Supported on ASA 5510, 5520, and 5540

Anti-X Security Services Module (CSC SSM)
- Provides full-featured Anti-X services (anti-virus, anti-spyware, anti-spam, anti-phishing, URL filtering, and more)
- Available in two models: SSM-10 and SSM-20
- Anti-virus and anti-spyware services are licensed by number of users; the other services are optional add-ons
- Supported on ASA 5510, 5520, and 5540

4-Port GE Services Module (4GE SSM)
- I/O module offers four copper 10/100/1000 ports in addition to four SFP ports for improved flexibility and network segmentation
- Customers can use up to four ports total out of these eight ports, with the ability to mix and match copper and optical GE ports
- Supported on ASA 5510, 5520, and 5540

Cisco ASA Security Services Module (SSM): Product Tour

High-performance module for additional services:
- Diskless (Flash-based) design for improved reliability
- Gigabit Ethernet port for out-of-band management, etc.
- Thumbscrews for easy insertion and removal

Cisco Four-Port Gigabit Ethernet SSM: Product Tour

High-performance module that adds more I/O capacity:
- Four copper 10/100/1000 ports for simplified deployment
- Four SFP Gigabit ports for optical connectivity
- Thumbscrews for easy insertion and removal
- Allows customers to choose either copper or optical for up to 4 ports of additional connectivity

Ordering information: Product ID SSM-4GE=, list price $5,000

Content Security and Control SSM: Product Details

Cisco ASA 5500 Series Content Security and Control Module (CSC SSM) platforms and subscription levels:
- CSC SSM-10: 50, 100, 250 and 500 user
- CSC SSM-20: 500, 750 and 1,000 user

Feature sets:
- Base services: file-based anti-virus and malware filtering; anti-spyware
- Plus license: anti-spam, content filtering, anti-phishing, URL filtering and blocking

Note: license packages subject to change prior to FCS.

ADAPTIVE THREAT DEFENSE TECHNOLOGY


Adaptive Identification and Mitigation (AIM) Services Architecture: Technology Extensibility to Mitigate Current and Future Threats

Layers of the architecture:
- Security services extensibility: Cisco technology and service extensions; partner technology and service extensions
- Adaptive Threat Defense: application inspection and control, Anti-X defenses, network containment and control
- Secure Connectivity: remote access VPN connectivity; site-to-site VPN connectivity
- Adaptive classification and policy framework
- Cisco intelligent networking, high availability, and scalability services

The AIM services architecture lets a business adapt and extend its security services profile through Cisco-developed and partner-provided innovations, delivering high performance for current services together with services extensibility.

Adaptive Classification & Policy Framework: Granular, Single-Touch Configuration

The Modular Policy Framework offers multiple methods to identify a traffic flow:
- Five-tuple match (source/destination IP, ports/protocols, etc.)
- DSCP field
- RTP
- Tunnel group

It then applies flow- or class-specific services:
- Application inspection and control services
- Anti-X services
- Containment and control services
- Future services

Benefits: reduces the complexity of provisioning with single-touch configuration; improves control over applications by introducing flow- or class-specific service policies.

Application Inspection & Control: Provides Strong Application-Layer Security

Application inspection engines bring extensive application and protocol knowledge and security enforcement technologies, including:
- Command filtering
- Anomaly detection
- State tracking

Attack detection and mitigation techniques include:
- Buffer overflow defenses
- Content filtering
- URL de-obfuscation services

Outcome: defends networks from application-layer attacks; gives businesses control over how applications and protocols are used; regulates application usage to free network bandwidth and drive IT cost savings.

Application Inspection & Control Engines: Provide Control over Application Usage & Network Access

Application- and protocol-aware inspection services provide strong application-layer security, performing conformance checking, state tracking, security checks, NAT/PAT support and dynamic port allocation. Over 30 engines:
- Multimedia / Voice over IP: H.323 v1-4, SIP, SCCP (Skinny), GTP (3G wireless), MGCP, RTSP, TAPI/JTAPI
- Database / OS services: ILS/LDAP, Oracle/SQL*Net (V1/V2), Microsoft Networking, NFS, RSH, SunRPC/NIS+, X Windows (XDMCP)
- Core Internet protocols: HTTP, FTP, TFTP, SMTP/ESMTP, DNS/EDNS, ICMP, TCP, UDP
- Specific applications: Microsoft Windows Messenger, Microsoft NetMeeting, RealPlayer, Cisco IP Phones, Cisco Softphones
- Security services: IKE, IPsec, PPTP

Advanced Web-Traffic Security: Protects Networks from Web-Based Threats

Protection against peer-to-peer, IM, and mail attachment threats; ensures network performance by controlling application abuse.

Advanced HTTP inspection services help protect from web-based attacks and other types of port 80 misuse:
- Customizable policies for detecting and blocking tunneled applications and attacks, including instant messaging applications (AIM, MSN Messenger, Yahoo), peer-to-peer applications (KaZaA), and more
- Advanced TCP stream reassembly and de-obfuscation engines for hidden attack detection

Deep inspection services give businesses control over what actions users can perform when accessing websites:
- RFC compliance checking for protocol anomaly detection
- HTTP command filtering for precise control over how web servers are accessed, providing a strong line of defense against a range of known and unknown attacks
- MIME type filtering and content validation

FTP Inspection: Command Filtering

FTP inspection can be configured to allow or disallow specific FTP commands through the security appliance. When a disallowed command is seen, the connection is closed and a syslog message is generated. Configurable commands: APPE, CDUP, DELE, GET, HELP, MKD, PUT, RMD, RNFR, RNTO, SITE, STOU (GET and PUT are the appliance's keywords for the RETR and STOR protocol commands).

The denied commands are collected in an FTP map, which is then referenced by name from the FTP inspection action in a policy map (inspect ftp strict <ftp_map_name>):

pixfirewall(config)# ftp-map ftpins
pixfirewall(config-ftp-map)# request-command deny appe cdup help

ESMTP Inspection

PIX Security Appliance software 6.3(4) inspects only the SMTP commands listed in RFC 821. Customers run mail servers that use the SMTP extensions defined in follow-on RFCs; the most common requirement is for the commands defined in RFC 1869 (ESMTP), which are used by Microsoft Exchange among others. Starting with PIX/ASA software 7.0, the firewall inspects the additional ESMTP commands for RFC compliance. The inspected set is the RFC 821 command set without EXPN and TURN, plus EHLO and the two extension commands AUTH and ETRN, 15 commands in total. Any command other than these is treated as illegal:

AUTH DATA EHLO ETRN HELO HELP MAIL NOOP QUIT RCPT RSET SAML SEND SOML VRFY

TCP Normalization

Configurable Fields using TCP Map
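The Modular Policy Framework, FTP command filtering, ESMTP inspection and TCP normalization slides fit together as one 7.0-style configuration. The following is an added example written for this training text; it is not configuration from the original deck or from Cisco documentation. The interface name outside, the class-map/map/policy names, the 10.0.0.25 mail-server address and the particular TCP-map settings are assumptions chosen for illustration.

```cisco
! Added example (not from the original slides). Names and the 10.0.0.25 address are assumed.

! --- Classification: the identification methods listed on the MPF slide ---
! Five-tuple match through an access list: SMTP to the (constructed) DMZ mail server
access-list MAIL_IN extended permit tcp any host 10.0.0.25 eq smtp
class-map MAIL_TRAFFIC
  match access-list MAIL_IN

! Port match for the FTP control channel
class-map FTP_TRAFFIC
  match port tcp eq ftp

! All TCP, for normalization (match dscp, match rtp and match tunnel-group also exist)
class-map ALL_TCP
  match port tcp range 1 65535

! --- FTP command filtering ---
! A denied command closes the connection and raises a syslog message.
! get/put are the appliance's keywords for the RETR/STOR protocol commands.
ftp-map FTP_RESTRICT
  request-command deny appe cdup help put stou

! --- TCP normalization knobs, set through a tcp-map ---
tcp-map TCP_NORMALIZE
  reserved-bits clear
  urgent-flag clear
  exceed-mss drop
  syn-data drop
  tcp-options selective-ack allow
  tcp-options timestamp allow
  tcp-options window-scale allow
  ttl-evasion-protection
  checksum-verification

! --- One policy map, class-specific actions ---
policy-map OUTSIDE_POLICY
  class FTP_TRAFFIC
    inspect ftp strict FTP_RESTRICT
  class MAIL_TRAFFIC
    inspect esmtp
  class ALL_TCP
    set connection advanced-options TCP_NORMALIZE

! Attach the policy to the interface facing the Internet (the "single touch").
service-policy OUTSIDE_POLICY interface outside
```

Two points worth checking when you build this on a real unit: the FTP map is only enforced when the inspection is configured as inspect ftp strict with the map name, and a flow may match several classes as long as each applies a different feature type, so FTP traffic here receives both the FTP inspection and the TCP normalization. Use show service-policy interface outside to confirm which classes are active and how many packets each has handled.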



Anti-X and Attack Defenses: Maximizes Attack Detection and Mitigation

Micro inspection engines use numerous methods to detect policy violations, anomalous activity, and vulnerability exploitation:
- Stateful pattern recognition
- Protocol analysis and decodes
- Traffic anomaly detection
- Layer 2 traffic analysis

Attack evasion defenses are specialized safeguards that scrub traffic and defeat evasion attempts:
- IP fragmentation reassembly and normalization
- TCP stream reassembly and normalization
- TCP evasion and IP anti-spoofing
- De-obfuscation

Outcome: protects against network- and application-layer attacks; prevents hacker intrusions, DoS, and malware including worms, network viruses, Trojan horses, spyware and adware; frees network bandwidth and system resources from the damaging effects of attacks.

Multi-Vector Threat Identification: Delivers Broad Anti-X and Malware Protection

- Spyware / adware: prevents installation of malware and blocks phone-home communications; frees network bandwidth and controls the transmission of confidential data
- Network worms and viruses: stops the infection and propagation of malware; leverages internal development and the partnership with Trend Micro
- Directed attacks: controls corporate espionage; stops web defacing by preventing web attacks; prevents zombie, backdoor, and bot placement, thus stopping automated attacks (e.g., denial of service (DoS))
- Traffic cleansing: removes traffic ambiguities such as overwritten fragments, TCP segment overwrites, and TTL discrepancies; simulates end-host behavior to increase inspection accuracy

Anti-X Accurate Prevention Technologies: Stops Real Threats, Permits Legitimate Traffic

Risk Rating provides context analysis to maximize accuracy, evaluating:
- Event severity
- Signature/policy fidelity
- Asset value
- Attack relevancy

The Meta Event Generator provides on-box correlation that adapts to new threats in real time while minimizing user intervention, modeling:
- Event type
- Time span
- Threat escalation

Together they ensure malicious attacks are stopped without impact to legitimate traffic, and identify and stop worms or escalating attacks that can rapidly propagate and cause extensive damage.

Accurate Prevention Technologies: Risk Rating & Meta Event Generator Provide Threat Context and Correlation

Risk Rating: decision support that balances attack urgency with business risk. Four inputs are combined into a single rating (low / medium / high) that drives the final mitigation policy:
- Event severity: how urgent is the threat?
- Signature fidelity: how prone to false positives is the signature?
- Attack relevancy: is the attack relevant to the host being attacked?
- Asset value of target: how critical is this destination host?

Meta Event Generator: on-box correlation links lower-risk events into a high-risk meta-event, triggering prevention actions. It models attack behavior by correlating event type and time span. In the slide's example, events A, B, C and D observed within a time window add up to "WORM!"; the event is dropped and the worm is stopped.

Network Containment and Control: Controls Usage and Enforces Policy Compliance

Stateful inspection firewall services: track all network communications and prevent unauthorized network access; enforce security policies and application and resource usage policies for more than 100 applications, services and protocols.

Access control services: granular policy construction based on
- User identity and group membership
- Network resource address
- Application type
- VPN tunnel
- Time of day and direction

NAT and PAT services: protect internal corporate network addresses from being shared with outside networks, such as the Internet.

Outcome: gives businesses precise control over application access and network traffic flows, and enables strict adherence to corporate security policies.

Access-Group Keyword: OUT

(Figure: traffic flow through the appliance, showing where an access group with the out keyword is applied on the egress interface.)

Access-Group Keyword: Time Range
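An added configuration example for the two access-group features these slides illustrate: applying an access list in the out direction of an interface, and attaching a time range to individual access-list entries. This is not configuration from the original deck; the interface names inside and dmz, the 10.1.1.0/24 and 10.2.2.0/24 networks, the hosts, the NTP server and the time windows are all constructed for the example.

```cisco
! Added example (not from the original slides). Networks, hosts and dates are assumed.

! Time ranges: a recurring business-hours window and an absolute window for a contractor.
time-range BUSINESS_HOURS
  periodic weekdays 8:00 to 18:00

time-range CONTRACTOR_WINDOW
  absolute start 00:00 1 August 2005 end 23:59 31 August 2005

! Inbound on the inside interface. Web browsing is permitted only during business
! hours; the contractor host reaches the DMZ server only while its window is active.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq www time-range BUSINESS_HOURS
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq https time-range BUSINESS_HOURS
access-list INSIDE_IN extended permit tcp host 10.1.1.50 host 10.2.2.10 eq ssh time-range CONTRACTOR_WINDOW
access-list INSIDE_IN extended deny ip any any log

! Outbound on the dmz interface (the 7.0 "out" keyword): one list controls what may
! leave the appliance towards the DMZ, no matter which interface it came in on.
access-list DMZ_OUT extended permit tcp any host 10.2.2.10 eq www
access-list DMZ_OUT extended permit tcp 10.1.1.0 255.255.255.0 host 10.2.2.10 eq ssh
access-list DMZ_OUT extended deny ip any any log

access-group INSIDE_IN in interface inside
access-group DMZ_OUT out interface dmz

! Time-based entries are evaluated against the appliance clock, so keep it synchronized.
ntp server 10.1.1.5
```

Two caveats a practitioner will want: first, an expired or inactive time-range entry is simply skipped, so the final deny with log is what tells you a request was refused for being out of hours; second, pre-8.3 access lists match addresses as they appear on the interface where they are applied, so if inside hosts are translated towards the DMZ, DMZ_OUT must name the translated source addresses rather than 10.1.1.0/24.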


Remote Access VPN Connectivity: Delivers Best-Fit IPsec and SSL VPN Technologies

WebVPN / SSL VPN:
- Core enterprise application access: clientless and thin-client modes
- Per-user/group portal and access customization
- Broad browser support

IPsec VPN:
- Easy VPN for touchless client management
- Automated VPN client updates for ease of client deployment and versioning
- Integrated endpoint security: proactive endpoint security posture assessment, flexible access controls

Foundation features: flexible user authentication and access control; group/user policies.

Delivers both IPsec and SSL-based VPN services on a single platform, eliminating the need for parallel solutions, and provides device clustering to scale performance seamlessly and eliminate single points of failure.

Remote Access VPN Solutions: Matching the VPN Technology to the User

IPsec VPN (central site to enterprise-managed endpoints):
- Software engineer / telecommuter: many servers and applications, needs native application formats, VoIP, frequent access, long connect times
- Account manager / mobile user: diverse applications, homegrown applications, always works from an enterprise-managed desktop

SSL VPN (across the IP/Internet VPN to unmanaged desktops):
- Supply partner extranet: few applications/servers, tight access control, no control over the desktop software environment, firewall traversal
- Doctor at home: occasional access, few applications, no desktop software control

WebVPN: SSL-Based Remote Access, Enables Clientless Remote Connectivity

- Web page access (HTTP/HTTPS)
- Remote e-mail access: Outlook (MAPI), OWA, POP, IMAP, SMTP, Notes, iNotes
- File access on enterprise servers: Windows CIFS file shares via a web interface
- Flexible login options, customizable for diverse user communities
- Group-based access control, with support for all enterprise authentication mechanisms
- Port forwarding: access to thin-client TCP-based applications
- Web-based management: full-featured configuration and monitoring

Free SSL VPN trial included in base pricing; no per-feature licenses.

Cisco VPN Are You There (AYT) & CSA: Comprehensive Endpoint Protection

- Cisco AYT performs security posture checks when a VPN connection attempt is received
- Enforces usage of authorized host-based security products (such as the Cisco Security Agent) and verifies their version number, policies, and status prior to granting access to the corporate network
- Checks that security products are both installed and active
- Pushes an embedded personal firewall policy
- Re-checks posture every 30 seconds, protecting against the user disabling the agent

(Figure: a telecommuter with IPsec VPN and CSA connects across the public Internet to a VPN concentrator; malware, viruses, Trojans and worms are shown as the threats on the Internet side.)

Cost-Effective VPN Headend Scaling: Pay as You Grow with Load Balancing and Clustering

- Cluster multiple ASA 5500s to scale as needed to tens of thousands of users
- Dynamic load balancing ensures effective utilization of all clustered devices
- Clustering + load balancing = high uptime
- Seamlessly integrates with existing VPN 3000 clusters

Example from the slide (cluster IP address 124.118.24.50; members at 124.118.24.31 through .34 on the outside and 10.10.1.1 through .4 on the inside; the unit at .32 is labelled cluster master):
1. The client requests a connection to the cluster address 124.118.24.50.
2. The virtual cluster master responds with the address of a member, 124.118.24.33.
3. The client requests its IPsec/SSL session to 124.118.24.33.
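The redirect exchange above is produced by the load-balancing configuration below, shown for the member at 124.118.24.31 / 10.10.1.1 from the slide's diagram. This is an added example, not configuration from the original deck; the interface names, the shared secret and the priority value are assumptions, and the addresses are taken from the slide.

```cisco
! Added example (not from the original slides). Interface names, key and priority are assumed;
! addresses come from the slide diagram.

interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 124.118.24.31 255.255.255.0
interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 10.10.1.1 255.255.255.0

! Every member carries the same vpn load-balancing block, differing only in its own
! interface addresses and (optionally) priority. The highest priority becomes the
! virtual cluster master that owns 124.118.24.50 and hands out member addresses.
vpn load-balancing
  interface lbpublic outside
  interface lbprivate inside
  cluster ip address 124.118.24.50
  cluster port 9023
  cluster key s3cret-cluster-key
  cluster encryption
  priority 5
  participate
```

The cluster address must sit in the outside interface's subnet, and because the master only redirects, each member's real outside address (.31 to .34) must be reachable by clients and permitted by any upstream filtering, not just the .50 address. Set cluster key before cluster encryption so the inter-member messages are not exchanged in the clear, and confirm the roles with show vpn load-balancing.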


Cisco ASA 5500 Series VPN Solutions: Enterprise-Class Site-to-Site VPN Capabilities

Network-aware site-to-site VPNs:
- QoS-enabled VPN: support for low-latency queuing for latency-sensitive traffic such as VoIP
- OSPF routing over VPN
- IPsec stateful failover: high-performance Active/Standby failover with automatic key and SA information synchronization
- Robust X.509 certificate support: manual enrollment support (PKCS 7/10), n-tiered X.509 certificate chaining support, 4096-bit RSA key size support

Intelligent Network Foundation: Delivers Seamless Integration into Diverse Networks

High availability services: Active/Active and Active/Standby failover, VPN stateful failover, LAN-based failover.

Intelligent networking services: security contexts (virtualized firewalls), Layer 2 transparent firewall, VLAN-based virtual interfaces, OSPF and RIP dynamic routing, multicast routing (PIM sparse mode), quality of service (QoS), IPv6 networking.

Leverages more than 20 years of Cisco networking leadership and innovation to deliver a wide range of networking services for seamless integration into diverse network environments.

Virtualized Services and Transparent Operation: Simplifies Deployment and Reduces Operational Costs

Scalable security services: adds support for security contexts (virtual firewalls) to lower operational costs
- Enables device consolidation and segmentation (one appliance serving Dept/Customer 1, 2 and 3)
- Supports separate policies and administration per context

Easy-to-deploy firewall services: introduces transparent firewall capabilities for rapid deployment of security
- Drops into existing networks without readdressing the network
- Simplifies deployment of internal firewalling and security zoning for new applications

Multiple Context on ASDM


Transparent Firewall

- The transparent PIX/ASA uses an inside interface and an outside interface only. Both directly connected networks must be on the same subnet.
- A management IP address is required for each context, even if you do not intend to Telnet to the context. The appliance uses this address as the source address for packets it originates itself (syslog, AAA and similar).
- The management IP address must be on the same subnet as the connected network.
- Do not specify the appliance's management IP address as the default gateway for connected devices; devices must use the router on the other side of the appliance as their gateway.
- Make sure that the upstream router performs NAT if you use overlapping subnets.
- Dynamic routing protocols do not run on the device; their traffic can, however, be passed through.
- NAT is not supported.
- Optionally, an EtherType ACL can be used to allow non-IP traffic through.

(Figure: Internet - router on VLAN 100 at 10.0.1.1 - transparent ASA/PIX with management address 10.0.1.2 - host on VLAN 200 at 10.0.1.3, all within the same 10.0.1.0 subnet.)
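The rules above, expressed as a single-context transparent-mode configuration for the topology in the figure. This is an added example and not configuration from the original deck; the addresses follow the slide (router 10.0.1.1, appliance 10.0.1.2, host on 10.0.1.3), while the interface and access-list names are assumptions.

```cisco
! Added example (not from the original slides). Interface and ACL names are assumed;
! addresses follow the slide's figure.

! Switching to transparent mode clears the running configuration, so do this first.
firewall transparent

interface Ethernet0/0
  nameif outside
  security-level 0
interface Ethernet0/1
  nameif inside
  security-level 100

! One management address for the appliance itself, inside the bridged 10.0.1.0/24.
! It is not a gateway: hosts keep 10.0.1.1 (the router) as their default gateway.
ip address 10.0.1.2 255.255.255.0

! IP traffic still needs extended ACLs. The appliance does not run OSPF, but the
! router's hellos (multicast) must be explicitly permitted in both directions to pass.
access-list OUTSIDE_IN extended permit ospf any any
access-list INSIDE_IN extended permit ip 10.0.1.0 255.255.255.0 any
access-list INSIDE_IN extended permit ospf any any
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside

! Non-IP frames are dropped unless an EtherType ACL allows them. Permitting BPDUs
! keeps spanning tree working across the bridge, which avoids loops when VLAN 100
! and VLAN 200 live on the same switch.
access-list ETH ethertype permit bpdu
access-group ETH in interface outside
access-group ETH in interface inside

! Routes in transparent mode are only for traffic the appliance originates (syslog,
! AAA) from 10.0.1.2 towards networks beyond the router.
route outside 0.0.0.0 0.0.0.0 10.0.1.1
```

Verify the mode with show firewall (it reports Firewall mode: Transparent). Note that ARP is bridged without any ACL, that the single ip address command is global in this mode rather than per interface, and that because NAT is unavailable, overlapping address space has to be handled on the upstream router as the slide states.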

Advanced Network Integration
Maximizes Uptime and Supports Next-Gen Networks

Improved Network and Device Resiliency
Introduces Active-Active failover for enhanced resiliency and asymmetric routing support
Delivers new zero-downtime software upgrade capability for improved uptime
(Diagram: two appliances, both Active)

Intelligent Network Integration
Provides QoS traffic prioritization for improved handling of latency-sensitive traffic
Adds IPv6 support for hybrid IPv4/IPv6 network environments
Delivers PIM sparse mode multicast support for streaming data delivery services, video conferencing, and other mission-critical real-time enterprise applications
(Diagram: Quality of Service, voice (V) packets prioritized ahead of data (D) packets)


How Active/Active Failover Works

Summary
Needs multiple context mode (no VPN in multiple context mode)
VLAN trunking (optional)
LAN-based or serial failover link
Works with NAT or without NAT (except for shared interfaces, which need NAT)
New failover group command
Requires an Active/Active failover license or an Unrestricted (UR) license
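The following configuration is an added example written for this page, not a configuration from the slides or from Cisco documentation. It shows the summary's requirements together on the primary unit in ASA 7.0 syntax: multiple context mode, a LAN-based failover link plus a stateful link, the two failover groups, and per-context group membership with VLAN subinterfaces as the optional trunking. Interface names, VLAN IDs, addresses and context names are assumptions.

```text
! Added example (not from the slide): Active/Active failover, primary unit,
! system execution space, ASA 7.0 syntax. Names and addresses are assumptions.
! Multiple context mode is mandatory for Active/Active; VPN is not available
! in this mode on this release.
mode multiple
!
! Optional VLAN trunking: subinterfaces created here, then handed to contexts.
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1.10
 vlan 110
interface GigabitEthernet0/1.20
 vlan 120
!
! LAN-based failover link and a separate stateful link. The secondary unit
! carries the same configuration with "failover lan unit secondary".
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover link STATELINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover interface ip STATELINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
!
! Two failover groups. Group 1 is normally active on the primary and group 2
! on the secondary, so both chassis forward traffic until one of them fails.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
! Contexts. Each joins one group; the admin context stays in group 1.
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context deptA
 allocate-interface GigabitEthernet0/0.10 outside
 allocate-interface GigabitEthernet0/1.10 inside
 config-url disk0:/deptA.cfg
 join-failover-group 1
!
context deptB
 allocate-interface GigabitEthernet0/0.20 outside
 allocate-interface GigabitEthernet0/1.20 inside
 config-url disk0:/deptB.cfg
 join-failover-group 2
!
! Enable failover only after both units carry the group definitions.
failover
```

Because every context above owns its own subinterfaces, no interface is shared between contexts and the NAT exception in the summary does not apply. If two contexts were allocated the same interface, the classifier would need distinct NAT addresses to decide which context owns an inbound packet, which is why the summary lists shared interfaces as the case that requires NAT.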


Cisco ASA Adaptive Security Appliances
Industry Certifications and Evaluations

Common Criteria                          Coming: EAL4+, v7.0(2), ASA Family
FIPS 140                                 Coming: Level 2, v7.0(2), ASA Family
ICSA Firewall 4.1, Corporate Category    Future: v7.0(1), ASA Family
ICSA IPSec 1.1D                          Future: v7.0(1), ASA Family
VPNC                                     Tentative: v7.0(1), ASA Family

CONVERGED MANAGEMENT, MONITORING, AND RESPONSE


Converged Management, Monitoring & Response
Lower Operations Costs and Reduced Complexity

Device Management: integrated, web-based management; converged configuration of FW, IPS, VPN and AV; real-time monitoring tools. Product: Cisco Adaptive Security Device Manager (ASDM)
System Management: multi-device integrated management; enterprise-scale provisioning. Products: CSM, Solsoft Policy Server
Monitoring and Mitigation: multi-platform event management and response; sophisticated data reduction and correlation. Products: Cisco Security MARS, CiscoWorks SIMS
Auditing: device posture validation against industry best practices and regulatory compliance. Product: Cisco Security Auditor


Cisco Security Management Suite
Security Manager 3.0 - Device-Centric Policy View
(Screenshot; System Management: Cisco SMS)

Cisco Security Management Suite
Security Manager 3.0 - Map-Centric View

Supports multi-layer maps
Provides device replication
Enables operational features: configuration rollback, deployment
Deployment and device settings cover VPN, Firewall, IPS and other policies
Cross-launches other tools: VPN builder, rules table, device settings
(Screenshot; System Management: Cisco SMS)

Cisco Security MARS

Leverage YOUR existing investment to build pervasive security
Correlate data from across the enterprise: NIDS, firewalls, routers, switches, CSA; syslog, SNMP, RDEP, SDEE, NetFlow, endpoint event logs
Rapidly locate and mitigate attacks

Key Features
Determines security incidents based on device messages, events, and sessions
Incidents are topologically aware for visualization and replay
Mitigation on L2 ports and L3 chokepoints
Efficiently scales for real-time use across the enterprise
(Monitoring & Response: Cisco MARS)

SECURE CONNECTIVITY -- VPN TECHNOLOGY
Competitive Differentiation

ASA 5500 Top Performance, Top Security
Miercom Test Results for Security Appliances

Miercom evaluated the ASA 5520, NetScreen 208, Check Point NGX and Fortinet 1000.

Miercom's results for the ASA 5500:
Better performance: surpassed every competitor in every scenario
More than 6X the throughput for concurrent IPS/firewall security services
3X the VPN throughput
More than 4X the firewall connection rate of the nearest competitor
Better security: stops more threats than competitors
ASA scored 100% threat detection success; competitors averaged 30-40%

View the full Miercom report at:
http://www.miercom.com/dl.html?fid=20050914&type=report

Miercom Performance Highlights
Cisco ASA 5500 Series vs. Juniper, Check Point & Fortinet

Test: Firewall performance with full IPS enabled (all signatures on)

Firewall throughput with all signatures on (Mbps)
  Device               4k object   16k object
  Cisco ASA 5520           198         325
  Check Point VPN-1         31          42
  FortiGate 1000            10          18
  NetScreen 208             16          22

Connections per second with all signatures on
  Cisco ASA 5520         5881
  Check Point VPN-1      1358
  FortiGate 1000          432
  NetScreen 208           626

Results:
ASA delivers up to 325 Mbps of concurrent firewall and IPS throughput; nearest competitor 42 Mbps.
ASA delivers 5881 firewall connections per second; nearest competitor 1358.

Miercom Security Highlights
Cisco ASA 5500 Series vs. Juniper, Check Point & Fortinet

Threat Prevention Effectiveness: Attacks Detected and Stopped
(Chart: percentage of attacks detected and stopped, 0-100%, per category Virus/Worm, Backdoor, General, Peer-2-Peer, IM, Spyware and Overall, for ASA-5520, NetScreen, Check Point and Fortinet)

Test: Threat prevention effectiveness against worms/viruses, spyware, etc.

Results:
ASA accurately detects and stops 100% of the threats Miercom presented
ASA is the only device to detect and stop backdoor threats
Overall, ASA delivers greater than 2X the threat prevention capability of the competitors

Test Results to Highlight with Customers

Performance for stand-alone firewall, VPN and concurrent firewall and IPS
Concurrent services performance is a key differentiator of the ASA 5500 product: it delivers over 6X the performance of the nearest competitor. For customers interested in stand-alone deployments of services like firewall and VPN, ASA delivers 4X and 3X greater performance in these areas, respectively.

Performance results highlight the superiority of the ASA architecture
Juniper and Fortinet like to tout their ASIC-based architecture as a differentiator, but the proof is in the performance and ASA wins hands-down. ASA delivers better performance with a highly flexible architecture that enables delivery of new services without the forklift upgrades associated with ASIC-based platforms.

End
