Data Sheet

Cisco ASA CX Context-Aware Security


Product Overview
Most next-generation firewalls differ from classic firewalls in that they can identify which applications are being
requested and which user has requested them. While application and user awareness can be effective, with so
much more happening in the network, these firewalls simply cannot provide the complete level of visibility and
control administrators need to effectively manage their complex network security challenges.

Cisco ASA CX Context-Aware Security is different. Unlike other next-generation firewalls, ASA CX addresses
today's evolving security needs by delivering end-to-end network intelligence to help administrators make effective
security decisions. Cisco ASA CX goes well beyond application and user ID awareness in two ways. First, ASA CX
adds fine-grained control of micro-applications and tasks within specific applications. Second, ASA CX adds
awareness of the device and its location (on- versus off-premise), making it a comprehensive context-aware
solution.

Unprecedented Network Visibility


Cisco ASA CX Context-Aware Security gives security administrators an unprecedented level of visibility regarding
the traffic flowing through the network, including the users connecting to the network, the devices used, and the
applications and websites that are accessed.

ASA CX uses Cisco security technologies to provide actionable intelligence to security administrators. For
example, Cisco AnyConnect provides detailed information on the type and location of a mobile device before it
can access the network. ASA CX also uses global threat intelligence from Cisco Security Intelligence Operations
(SIO) to provide zero-day malware protection. Using these and other Cisco security technologies throughout the
network, ASA CX delivers far more network visibility than other next-generation firewalls, including:

Robust authentication. In addition to passive authentication methods using Active Directory agent and
LDAP, Kerberos and NT LAN Manager are used to provide active authentication.

Detailed device information. Understanding the specific types (and locations) of user devices attempting
to gain access to the network enables administrators to confidently allow devices while maintaining high
levels of network protection and control.

Reputation-based threat defense. Threat intelligence feeds from Cisco SIO use the global footprint of
Cisco security deployments (more than 750,000 devices) to analyze approximately one-third of the world's
Internet traffic from email, IPS, and web threat vectors; the feeds are updated every five minutes for
near-real-time protection from zero-day malware.

Granular Application, User, and Device Control


Cisco ASA CX blocks port- and protocol-hopping applications such as Skype and other peer-to-peer applications,
providing more effective security while requiring fewer policies. It also uses rich language so that policies can be
written based on a wide range of contextual elements, including application, user, device, and location.

2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

ASA CX also employs deeper social networking controls than other next-generation firewalls. It recognizes more
than 1000 applications and 75,000 micro-applications, enabling organizations to provide individual or group-based
access to specific components of an application (Facebook for business use, for example) while disabling other
components (such as Facebook games). Specific behaviors can also be blocked within allowed micro-applications
for an additional layer of control.

ASA CX shows the specific type of device attempting to gain access to the network, the operating system it is
running, and its location. With a clear understanding of the devices that are attempting to access network
resources, administrators can confidently allow a multitude of devices while maintaining high levels of network
protection and control.

Comprehensive Security Architecture


ASA CX extends the ASA platform to provide unprecedented visibility and control. Support for Layer 3 and Layer 4
stateful firewall features, including access control, network address translation, and stateful inspection, enables
organizations to keep existing classic firewall policies, while adding rich Layer 7 context-aware rules that can act
intelligently on contextual information. ASA CX uses the Cisco SecureX Framework to gain local intelligence from
the Cisco AnyConnect Secure Mobility Client and near-real-time global threat intelligence from Cisco SIO. A
proven firewall platform, combined with the power of local and global threat intelligence, provides a
comprehensive, dynamic security architecture that is capable of addressing an organization's evolving security
needs to enable growth, extensibility, and ongoing innovation.

Features and Benefits


Table 1 lists the features and benefits of Cisco ASA CX Context-Aware Security.

Table 1. Features and Benefits

| Feature | Benefit |
| --- | --- |
| Application awareness | Enforces access policy based on more than 1000 commonly used applications and 75,000 micro-applications; provides granular access control based on behavior (e.g., a file upload or a post on a social networking site) to further control user activity related to applications; controls port- and protocol-hopping applications that can evade classic security controls. |
| Identity-based firewalling | Provides differentiated access control based on user and user role; supports common identity mechanisms such as Active Directory agent, LDAP, Kerberos, and NT LAN Manager. |
| Device-type-based enforcement | Identifies the types of devices (such as iPads, iPhones, and Android devices) that are accessing the network, and controls which devices will be permitted or denied. |
| URL filtering | Enterprise-class, full-featured URL filtering solution enables granular control of Internet traffic. |
| Global intelligence | Uses the global footprint of Cisco security deployments for more comprehensive network protection. Cisco SIO delivers regularly updated threat intelligence feeds for near-real-time protection from zero-day malware. |
| Stateful firewall capabilities | In addition to enabling rich Layer 7 context-aware rules, provides extensive support for Layer 3 and Layer 4 stateful firewall features, including access control, network address translation, and stateful inspection. |
| Intuitive management solution | Pre-loaded with Cisco Prime Security Manager, a powerful, intuitive management solution that simplifies the management of context-aware firewalls. |

Product Performance
Table 2 lists the capabilities and capacities of Cisco ASA CX Context-Aware Security.

Table 2. Cisco ASA CX Capabilities and Capacities

| Feature | ASA CX SSP-10 | ASA CX SSP-20 |
| --- | --- | --- |
| Throughput | 2 Gbps (multiprotocol) | 5 Gbps (multiprotocol) |
| Maximum concurrent sessions | 500,000 | 1,000,000 |
| Connections per second | 40,000 | 75,000 |
| Supported applications | 1000+ | 1000+ |
| Supported micro-applications | 75,000+ | 75,000+ |
| URL categories | 78 | 78 |
| Number of URLs categorized | 20+ million | 20+ million |
| Languages for URL filtering | 60+ | 60+ |
| Number of web requests analyzed by Cisco SIO every day | 30 billion | 30 billion |

Product Specifications
Table 3 provides a comparison of the Cisco ASA CX Security Services Processor (SSP) 10 and 20.

Table 3. Product Specifications

| Product Model | ASA CX SSP-10 | ASA CX SSP-20 |
| --- | --- | --- |
| Memory | 12 GB | 24 GB |
| Disk storage | 600 GB | 600 GB |
| Hot-swappable hard disk | Yes | Yes |
| RAID level and controller | RAID 1, Software | RAID 1, Software |
| Minimum flash | 8 GB | 8 GB |
| **Technical Specifications** | | |
| **Environmental Operating Ranges** | | |
| Operating temperature | 50°F to 95°F (10°C to 35°C) | 50°F to 95°F (10°C to 35°C) |
| Relative humidity | 10% to 90% (noncondensing) | 10% to 90% (noncondensing) |
| Nonoperating temperature | -40°F to 158°F (-40°C to 70°C) | -40°F to 158°F (-40°C to 70°C) |
| Relative humidity | 5% to 95% (noncondensing) | 5% to 95% (noncondensing) |
| Altitude | 0 to 30,000 ft (9144 m) | 0 to 30,000 ft (9144 m) |
| **Power Consumption and Mean Time Between Failures** | | |
| Maximum peak | 400W maximum | 400W maximum |
| Steady State | | |
| Mean time between failures (MTBF) | 109,887 hrs | 87,829 hrs |
| **Physical Specifications** | | |
| Dimensions (HxWxD) | 1.70 x 6.80 x 11.00 in. (4.32 x 17.27 x 27.94 cm) | 1.70 x 6.80 x 11.00 in. (4.32 x 17.27 x 27.94 cm) |
| Weight | 3.00 lb (1.36 kg) | 3.00 lb (1.36 kg) |
| **Management Features** | | |
| Management and monitoring interface | 2 Ethernet 10/100/1000 ports | 2 Ethernet 10/100/1000 ports |
| Configuration, logging, and monitoring | On-box Cisco Prime Security Manager | On-box Cisco Prime Security Manager |
| Reporting | On-box Cisco Prime Security Manager | On-box Cisco Prime Security Manager |
| Centralized configuration, logging, monitoring, and reporting | Multidevice Cisco Prime Security Manager | Multidevice Cisco Prime Security Manager |
| **Regulatory and Standards Compliance** | | |
| Safety | UL 60950; CSA C22.2 No. 60950; EN 60950; IEC 60950; AS/NZS60950 | UL 60950; CSA C22.2 No. 60950; EN 60950; IEC 60950; AS/NZS60950 |
| Electromagnetic compatibility (EMC) | CE marking; FCC Part 15 Class A; AS/NZS CISPR22 Class A; VCCI Class A; EN55022 Class A; CISPR22 Class A; EN61000-3-2; EN61000-3-3 | CE marking; FCC Part 15 Class A; AS/NZS CISPR22 Class A; VCCI Class A; EN55022 Class A; CISPR22 Class A; EN61000-3-2; EN61000-3-3 |
Platform Support/Compatibility
The ASA CX SSP-10 and SSP-20 are supported on Cisco ASA 5585-X platforms running Cisco ASA Software
Release 8.4.4 and higher. The solution can be managed using Cisco Prime Security Manager.

For More Information


For more information, please visit the following links:
Cisco ASA CX Context-Aware Security: http://www.cisco.com/go/asacx.
Cisco ASA 5500 Series Adaptive Security Appliances: http://www.cisco.com/go/asa.
Cisco Prime Security Manager: http://www.cisco.com/go/prsm.
Cisco Security Services: http://www.cisco.com/en/US/products/svcs/ps2961/ps2952/serv_group_home.html.

Printed in USA

C78-701659-01

12/12
