Subversion, Disruption
Bots, Viruses, and Worms
Denial of service attacks
Spyware and Adware
Advanced Persistent Threats (APTs)
Primary filtering appliances/VMs that work at both the network and application layers
Provide a platform for the features/functionality needed for network security:
  VPNs (remote-access and site-to-site)
  NGIPS
  Anti-malware
Next-generation security should not abandon proven stateful inspection capabilities in favor of application and user ID awareness by itself
A comprehensive network security solution includes firewalls, next-generation firewalls (application inspection and filtering) and next-generation intrusion prevention systems (context-aware)
The firewall is often the conduit through which other defense components combat the threats that face the network
Where and Why: Filtering on a Tuple?
IP protocol numbers carried in the packet header:
ICMP (1)
TCP (6)
UDP (17)
GRE (47)
ESP (50)
AH (51)
EIGRP (88)
OSPF (89)
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
Stateful Inspection
Most routers and switches can filter based on the five tuple; why a firewall then?
Stateful firewalls track L3/L4 traffic as it leaves and returns to the network.
Connections are maintained in the connection table, tracking the five tuple and additional information such as sequence
Outbound packet: Src IP 1.1.1.1, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80
Connection-table entry created for it:
TCP outside:2.2.2.2/80 (2.2.2.2/80) inside:1.1.1.1/35478 (1.1.1.1/35478), flags UIO, idle 4m39s, uptime 6m16s, timeout 1h0m, bytes 3002
Return packet matched against that entry: Src IP 2.2.2.2, Dest IP 1.1.1.1, Src Port TCP/80, Dest Port TCP/35478
*Best Practice: Limit outbound
Centralized cloud management scales to thousands of sites
Multi-site visibility and control: Map-based dashboard; configuration sync; remote diagnostics; automatic monitoring and alerts
Zero-touch provisioning: Devices automatically provision from the cloud, no staging required; self-configuring site-to-site VPN
Traffic acceleration: WAN optimization and web caching accelerates and de-duplicates network traffic; application-aware QoS prioritizes productivity apps
Automated site-to-site VPN: Simple; creates L3 site-to-site VPN tunnels with just 2 clicks in the dashboard
Model range (slide table; only these cells are recoverable):
Z1
Mid-size branches (~100 users): large web cache (1TB), 250 Mbps
Large branch/campus, MX600 (~10,000 users): large web cache (4TB), 2 Gbps, high-speed uplinks, built-in redundancy, modular interface
All devices support 3G/4G
Zone Based Firewall
Support for: ISR, ASR, CSR; NAT; WAAS; VRFs; Redundancy; VTIs for VPNs; Deep Packet Inspection; TCP/UDP/ICMP
Diagram: zones Trusted (G0/1.101), DMZ (G0/1.103) and Internet (G0/0); Trusted to Internet: All Traffic, Permit; Internet back to Trusted: Response OK
Configuring ZBF
! Create zones
zone security Internet
zone security Trusted
zone security DMZ
!
! Assign interfaces to security zones
interface LISP0
 zone-member security DMZ
!
interface GigabitEthernet0/0
 description Public Outside
 zone-member security Internet
!
interface GigabitEthernet0/1.101
 description Inside
 zone-member security Trusted
!
interface GigabitEthernet0/1.103
 description Public DMZ
 zone-member security DMZ
!
! Create inspection class
class-map type inspect match-any All_Protocols
 description - Match all outgoing protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
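The slide stops at the class map, which on its own enforces nothing: traffic between two zones is dropped until a zone pair with a policy exists. The remaining steps, as an added example rather than the session's own configuration, are an inspect policy map that references All_Protocols and the zone pairs that attach it; the policy and zone-pair names, the DMZ server address 203.0.113.10 and the inbound ACL/class names are assumptions.

```cisco
! Step 4: policy map; "inspect" creates stateful sessions for matched traffic,
! so return packets are allowed by state and no reverse zone pair is needed.
! Policy name is assumed.
policy-map type inspect Inspect_Outbound
 class type inspect All_Protocols
  inspect
 class class-default
  drop log
!
! Step 5: zone pairs apply the policy in one direction only.
! Without a zone pair, Trusted -> Internet and Trusted -> DMZ would be dropped.
zone-pair security Trusted_to_Internet source Trusted destination Internet
 service-policy type inspect Inspect_Outbound
!
zone-pair security Trusted_to_DMZ source Trusted destination DMZ
 service-policy type inspect Inspect_Outbound
!
! Inbound from the Internet to the DMZ: only HTTP to the published server.
! 203.0.113.10 is a documentation address standing in for the real host.
ip access-list extended DMZ_WEB_SERVER
 permit tcp any host 203.0.113.10 eq 80
!
class-map type inspect match-all HTTP_to_DMZ
 match access-group name DMZ_WEB_SERVER
 match protocol http
!
policy-map type inspect Inspect_Inbound
 class type inspect HTTP_to_DMZ
  inspect
 class class-default
  drop log
!
zone-pair security Internet_to_DMZ source Internet destination DMZ
 service-policy type inspect Inspect_Inbound
```

Verify the result with show zone-pair security and show policy-map type inspect zone-pair sessions; the class-default drop log lines make unexpected inter-zone attempts visible in syslog.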
Maximum Memory: 4 GB / 8 GB / 8 GB / 12 GB / 16 GB
Cavium Nitrox 1620 modules: 1 / 2 / 3 / 4
Security: 1.5 Gbps / 3 Gbps / 4.5 Gbps / 6 Gbps
Encryption: AES 256 / AES 256 / AES 256 / AES 256
ASA 5585-X (FirePOWER Next-Generation IPS)
Performance (four models, smallest to largest):
Max firewall: 4 Gbps / 10 Gbps / 20 Gbps / 40 Gbps
Max traditional IPS: 2 Gbps / 3 Gbps / 5 Gbps / 10 Gbps
Max IPS: 2.5 Gbps / 7 Gbps / 10 Gbps / 15 Gbps
Max IPS + AVC: 2 Gbps / 3.5 Gbps / 6 Gbps / 10 Gbps
Max IPsec VPN: 1 Gbps / 2 Gbps / 3 Gbps / 5 Gbps
Max IPsec/SSL VPN peers: 5000 / 10,000 / 10,000 / 10,000
Platform Capabilities:
Max firewall connections: 1 million / 2 million / 4 million / 10 million
Max connections per second: 50,000 / 125,000 / 200,000 / 350,000
Packets per second (64 byte): 1.5 million / 3 million / 5 million / 9 million
Base I/O: 8 x 1 GE + 2 x 10 GE / 8 x 1 GE + 2 x 10 GE / 6 x 1 GE + 4 x 10 GE / 6 x 1 GE + 4 x 10 GE
Max I/O: 16 x 1 GE + 4 x 10 GE / 16 x 1 GE + 4 x 10 GE / 12 x 1 GE + 8 x 10 GE / 12 x 1 GE + 8 x 10 GE
VLANs supported: 250 / 250 / 250 / 250
High availability supported: A/A and A/S on all four models
New Additions to the 5500 Portfolio
5506X with FirePOWER Services
Up to 16 Units
Cisco ASAv Firewall and Management Features
Cisco ASA 9 Feature Set
10 vNIC interfaces and VLAN tagging
Virtualization displaces multiple-context and clustering
Parity with all other Cisco ASA platform features
Cisco ASAv5: 100 Mbps
Cisco ASAv10: 1 Gbps
Cisco ASAv30: 2 Gbps
* Lab Edition license is built in with 100-Kbps throughput and 100 total connections allowed
ASAv Deployed in Amazon Web Services
Management (required) interface: used for SSH/ASDM access from the Jumpbox, and is provided by default. It has no Public/Elastic IPs and can not be used for through traffic.
Outside Interface (required): used to connect ASAv to the Internet (default route)
Diagram: admin reaches the Management interface through the jumpbox (Management side: no routes); the Outside interface carries the default route toward the Internet; hosts Ubuntu1 and Ubuntu3 sit behind the ASAv.
Routed Firewall
Routed Tenant Edge use case (diagram: Gateway 1, Gateway 2, client, DMZ, host2)
Transparent Firewall
Bridge up to 4 interfaces / sub-interfaces (diagram: Cisco ASAv in transparent mode bridging Gateway, Segment-2, Segment-3 and Segment-4, with client and host2; release 9.3.2)
Cisco ASAv Data Sheet - Performance and Scale
Data Sheet Metric | Cisco ASAv5 | Cisco ASAv10 | Cisco ASAv30
VLANs | 25 | 50 | 200
Bridge Groups (2 VLANs/BVI) | 12 | 25 | 100
Event impact levels:
1 (vulnerable): event corresponds to a vulnerability mapped to the host; act immediately
0 (unknown network / unmonitored network): good to know
Indications of Compromise (IoCs)
http://www.cisco.com/security
Notification Registration
Current News
Use Cases For Secure Group Tags
ASA Policy Enforcement with MDM
Leverage security groups to authorize endpoints based on MDM compliance.
Diagram (steps numbered 1-9 on the slide): create Security Groups on ISE (Compliant, Non-Compliant); ISE MDM compliance check; security group query; WLC and AP; SXP; policy on ASA by Security Group; Web Server.
ASA Policy Enforcement with Nexus 1000V
Leverage security groups to automate provisioning of virtual servers.
Diagram (steps numbered 1-11 on the slide): create Port Profiles on N1000V (DMZ, Web, HR); vCenter; ISE; security group query; WLC and AP; SXP; policy on ASA by Security Group; virtual Web Server (HTTPS).
Thank you
Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Participate in the My Favorite Speaker Contest
Promote Your Favorite Speaker and You Could Be a Winner
Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
Send a tweet and include:
Your favorite speaker's Twitter handle @12LISN2
Two hashtags: #CLUS #MyFavoriteSpeaker
You can submit an entry for more than one of your favorite speakers
Don't forget to follow @CiscoLive and @CiscoPress
View the official rules at http://bit.ly/CLUSwin
Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Table Topics
Meet the Engineer 1:1 meetings
Related sessions
Security Cisco Education Offerings
Course | Description | Cisco Certification
Implementing Cisco IOS Network Security (IINS) | Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features | CCNA Security
Implementing Cisco Edge Network Security Solutions (SENSS) | Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls |
Implementing Cisco Threat Control Solutions (SITCS) | Deploy Cisco's Next Generation Firewall (NGFW) as well as Web Security, Email Security and Cloud Web Security |
Implementing Cisco Secure Access Solutions (SISAS) | Deploy Cisco's Identity Services Engine and 802.1X secure network access |
Implementing Cisco Secure Mobility Solutions (SIMOS) | Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions |
Securing Cisco Networks with Threat Detection and Analysis (SCYBER) | Designed for professional security analysts, the course covers essential areas of competency including event monitoring, security event/alarm/traffic analysis, and incident response | Cisco Cybersecurity Specialist
Network Security Product and Solutions Training | For official product training on Cisco's latest security products, including Adaptive Security Appliances, NGIPS, Advanced Malware Protection, Identity Services Engine, Email and Web Security Appliances see www.cisco.com/go/securitytraining |
Designing for Cisco Internetwork Solutions (DESGN) | Instructor-led training focused on fundamental design methodologies used to determine requirements for network performance, security, voice, and wireless solutions. Prepares candidates for the CCDA certification exam. | CCDA (Design Associate)