Professional Documents
Culture Documents
Cisco ASA CX Context-Aware Security is different. Unlike other next-generation firewalls, ASA CX addresses
todays evolving security needs by delivering end-to-end network intelligence to help administrators make effective
security decisions. Cisco ASA CX goes well beyond application and user ID awareness in two ways. First, ASA CX
adds fine-grained control of micro-applications and tasks within specific applications. Second, ASA CX adds
awareness of the device and its location (on- versus off-premise), making it a comprehensive context-aware
solution.
example, Cisco AnyConnect provides detailed information on the type and location of a mobile device before it
can access the network. ASA CX also uses global threat intelligence from Cisco Security Intelligence Operations
(SIO) to provide zero-day malware protection. Using these and other Cisco security technologies throughout the
network, ASA CS delivers far more network visibility than other next-generation firewalls, including:
Robust authentication. In addition to passive authentication methods using Active Directory agent and
LDAP, Kerberos and NT LAN Manager are used to provide active authentication.
Detailed device information. Understanding the specific types (and locations) of user devices attempting
to gain access to the network enables administrators to confidently allow devices while maintaining high
levels of network protection and control.
Reputation-based threat defense. Threat intelligence feeds from Cisco SIO use the global footprint of
Cisco security deployments (more than 750,000 devices) to analyze approximately one-third of the worlds
Internet traffic from email, IPS, and web threat vectors; the feeds are updated every five minutes for nearreal-time protection from zero-day malware.
2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 1 of 2
ASA CX also employs deeper social networking controls than other next-generation firewalls. It recognizes more
than 1000 applications and 75,000 micro-applications, enabling organizations to provide individual or group-based
access to specific components of an application (Facebook for business use, for example) while disabling other
components (such as Facebook games). Specific behaviors can also be blocked within allowed micro-applications
for an additional layer of control.
ASA CX shows the specific type of device attempting to gain access to the network, the operating system it is
running, and its location. With a clear understanding of the devices that are attempting to access network
resources, administrators can confidently allow a multitude of devices while maintaining high levels of network
protection and control.
Feature
Benefit
Application awareness
Enforces access policy based on more than 1000 commonly used applications and 75,000 micro-applications;
provides granular access control based on behavior (e.g., a file upload or a post on a social networking site) to
further control user activity related to applications; controls port- and protocol-hopping applications that can
evade classic security controls.
Identity-based firewalling
Provides differentiated access control based on user and user role; supports common identity mechanisms
such as Active Directory agent, LDAP, Kerberos, and NT LAN Manager.
Device-type-based
enforcement
Identifies the types of devices (such as iPads, iPhones, and Android devices) that are accessing the network,
and controls which devices will be permitted or denied.
URL filtering
Enterprise-class, full-featured URL filtering solution enables granular control of Internet traffic.
Global intelligence
Uses the global footprint of Cisco security deployments for more comprehensive network protection. Cisco SIO
delivers regularly updated threat intelligence feeds for near-real-time protection from zero-day malware.
In addition to enabling rich Layer 7 context-aware rules, provides extensive support for Layer 3 and Layer 4
stateful firewall features, including access control, network address translation, and stateful inspection.
Pre-loaded with Cisco Prime Security Manager, a powerful, intuitive management solution that simplifies the
management of context-aware firewalls.
Product Performance
Table 2 lists the capabilities and capacities of Cisco ASA CX Context-Aware Security.
Table 2.
Feature
ASA CX SSP-10
ASA CX SSP-20
Throughput
2 Gbps (multiprotocol)
5 Gbps (multiprotocol)
500,000
1,000,000
2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 2 of 4
Feature
ASA CX SSP-10
ASA CX SSP-20
40,000
75,000
Supported applications
1000+
1000+
Supported micro-applications
75,000+
75,000+
URL categories
78
78
20+ million
20+ million
60+
60+
30 billion
30 billion
Product Specifications
Table 3 provides a comparison of the Cisco ASA CX Security Services Processor (SSP) 10 and 20.
Table 3.
Product Specifications
Product Model
ASA CX SSP-10
ASA CX SSP-20
Memory
12 GB
24 GB
Disk storage
600 GB
600 GB
Yes
Yes
RAID 1, Software
RAID 1, Software
Minimum flash
8 GB
8 GB
50F to 95F
50F to 95F
(10C to 35C)
(10C to 35C)
Relative humidity
Nonoperating temperature
-40F to 158F
-40F to 158F
(-40C to 70C)
(-40C to 70C)
Relative humidity
5% to 95% (noncondensing)
5% to 95% (noncondensing)
Altitude
0 to 30,000 ft
0 to 30,000 ft
(9144 m)
(9144 m)
Technical Specifications
400W maximum
400W maximum
109,887 hrs
87,829 hrs
Reporting
Steady State
Mean time between failures (MTBF)
Physical Specifications
Dimensions (HxWxD)
Weight
Management Features
2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 3 of 4
Product Model
ASA CX SSP-10
ASA CX SSP-20
UL 60950
UL 60950
EN 60950
EN 60950
IEC 60950
IEC 60950
AS/NZS60950
AS/NZS60950
CE marking
CE marking
VCCI Class A
VCCI Class A
EN55022 Class A
EN55022 Class A
CISPR22 Class A
CISPR22 Class A
EN61000-3-2
EN61000-3-2
EN61000-3-3
EN61000-3-3
Platform Support/Compatibility
The ASA CX SSP-10 and SSP-20 are supported on Cisco ASA 5585-X platforms running Cisco ASA Software
Release 8.4.4 and higher. The solution can be managed using Cisco Prime Security Manager.
Printed in USA
2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
C78-701659-01
12/12
Page 4 of 4