Firewall and IPS - Cisco · Firewall and IPS Abdullah Ahmed Regional Security Consultant. Cisco...

Firewall and IPSAbdullah AhmedRegional Security Consultant

Cisco Systems

Management Services Partners

ControlVisibility Context

Network

CloudIntegrated Overlay

Context Aware Enforcement

Context Aware Policy

Cisco SIO Threat Intelligence

Network

JohnASA Identity Firewall D

AnyConnect

Identity Repository

AAAInfrastructure

John / Intern

Mark / Doctor

records.hospital.com

Network

Single code base for all deployments

All managed in the same way with the same tools

Appliances

Blades

Virtual

ASA Appliance ASA SM for Catalyst 6500

VSG ASA 1000V*

INTEGRATEDOverlay

* Roadmap

Network

CONNECTIONS PER SECOND

THROUGHPUT

# OF CONCURRENT CONNECTIONS

9 7 95 8

Power & Space

MultiScaleTM

CONNECTIONS PER SECOND

THROUGHPUT

# OF CONCURRENT CONNECTIONS

9 7 95 8

Multiple Technology Span and Deployment Scenarios

Broad Client OS, Platform Support

Multiple Security ServicesFW, IPS, Remote Access

Accelerated Throughput80 Gbps Firewall or

40 Gbps FW + 10 Gbps IPS

20 Million ConnectionsAbundance of

Concurrent Sessions

700,000 CPSRapid Connections

per Second

• Cisco ASA 5585-X as Blade• Cisco ASA security blade

for the Catalyst 6500• Places security directly into

the datacenter backbone• Simplified installation and

greater flexibility

MultiScale

Introducing the High Performance, Multi-Service ASA 5585-XMarketing Leading Firewall, IPS and VPN Services

Raising the Bar for Firewall, IPS, and VPN Capabilities

MultiScaleTM Performance• Provides up to 35 Gbps of firewall throughput• Extends firewall and IPS throughput

to 10 Gbps• Scales up to 10,000 users of remote

access VPN

Investment Protection• Scalable chassis that grows with your business

Industry-Leading Multi-Service Security• Advanced threat protection with Botnet Traffic

Filtering and hardware-accelerated IPS with Global Correlation

• Leading-edge remote access with Cisco AnyConnect™

• Built upon 15 years of security innovation

Cisco ASA 5585-X Appliance Portfolio

ASA 5585-S10P10

ASA 5585-S20P20

ASA 5585-S40P40

ASA 5585-S60P60

Securing Internet-Edge and Campus Networks

Scalable Data Center Solutions

Data CenterCampusBranch Office

Enhancing the Customer Experience

Multi-Service (Firewall/VPN and IPS)

Data CenterCampusBranch OfficeSOHO Internet Edge

ASA 5585 SSP-60(40 Gbps, 350K cps)

ASA 5540 (650 Mbps,25K cps)

ASA 5520 (450 Mbps,12K cps)

ASA 5510 (300 Mbps,9K cps)ASA 5505

(150 Mbps, 4K cps)

ASA 5550 (1.2 Gbps, 36K cps)

ASA SM (16 Gbps, 300K cps)

Cisco ASA 5500 Series High-End Lineup SolutionsNEW

Network Location

PerformanceMax FirewallMax IPS Max IPSec VPNMax IPSec/SSL VPN Peers

Platform CapabilitiesMax Firewall ConnsMax Conns/SecondPackets/Second (64 byte)Base I/OMax I/OVLANs SupportedHA Supported

Internet Edge/Campus

ASA 5585 SSP-20

10 Gbps3 Gbps2 Gbps10,000

1,000,000125,0003,000,0008 GE + 2 10 GE16 GE + 4 10 GE250A/A and A/S

Campus/ Data Center

ASA 5585 SSP-40

2,000,000200,0005,000,0006 GE + 4 10GE12 GE + 8 10GE250A/A and A/S

Data CenterASA 5585 SSP-60

2,000,000350,0009,00,0006 GE + 4 10GE12 GE + 8 10GE250A/A and A/S

Internet Edge/Campus

ASA 5585 SSP-10

4 Gbps2 Gbps1 Gbps5000

750,00050,0001,500,0008 GE + 2 10 GE16 GE + 4 10 GE250A/A and A/S

High Performance Multi-ServiceCisco ASA 5585-X Series

Under the Covers

Security Service Processors Multi-services capable Dedicated 64bit multi-core processors Future-proof hardware

2 RU Chassis 2 x full-slot modules 1 x full-slot + 2 x

half-slot modules OIR capable

Multi Gigabit Fabric Passive backplane Module to module

communications Packet prioritization

and shaping

eUSB 2 GB internal Convenience storage Security credentials

Redundant Hot Swappable Power Supply Units Front to back air flow

GE Ports Up to 8 x 10G SFP+

with OIR support Up to 16 x 1GbE Cu SFP/SFP+ slots on all modules

ASA 5585-X Firewall/VPN Module Hardware Comparison

ASA SSP-10 ASA SSP-20 ASA SSP-40 ASA SSP-60

Multi Core Processors Yes YesYes

(Dual CPU)Yes

(Dual CPU)

Maximum Memory 6 GB 12 GB 12 GB 24 GB

Maximum Storage 2 GB eUSB 2 GB eUSB 2 GB eUSB 2 GB eUSB

2 x SFP+8 x 1GbE Cu2 x 1GbE Cu

Crypto Chipset Yes Yes Yes Yes

ASA 5585-X

ASA 5585-X IPS ModuleHardware Comparison

IPS SSP-10 IPS SSP-20 IPS SSP-40 IPS SSP-60

Processor Yes YesYes

(Dual CPU)Yes

(Dual CPU)

Maximum Memory 6 GB 12 GB 24 GB 48 GB

Maximum Storage 2 GB eUSB 2 GB eUSB 2 GB eUSB 2 GB eUSB

ASA 5585-X

High Availability

Software

Firewall A/S and A/A support

IPS fail-open and fail-close support

Hardware

Redundant hot-swappable power supplies

OIR capable SFP/SFP+ modules

Network

nectCisco SIO Threat Intelligence

Extend role based management to virtual world

Hybrid security solutions

Feature consistency across physical and virtual security solutions

Single manager across hybrid portfolio (simplicity)

TENANT A

ASA 1000V

Hypervisor Nexus1000V vPath

Virtual Network Management Center (VNMC)

vCenter

TENANT B

ASA 1000V

VDC VDC

Network

Beta1Q-2012

PacketSGT=06

SGT (6) mktg-servers

SGT (9) HR-servers

PacketSGT=09

Security Xchange Protocol

Cisco Trustsec Capable Network

Compliance Mandates

Application and Infrastructure Availability

• PCI Compliance (Retail); HIPAA (Healthcare); Sarbanes-Oxley/GLBA (Finance)

• Fines for noncompliance

• Minimize risk of security breach

• Minimize downtime due to security breach

• Reduced patch deployment urgency

• Protection of sensitive or confidential information

• Tarnished reputation from security compromises

Data Loss Prevention

Network

SensorBase Threat Operations Center Dynamic Updates

35%DATA RECEIVED PER DAY

WORLDWIDE TRAFFIC

500ENGINEERS, TECHNICIANS AND RESEARCHERS

SPENT IN DYNAMIC RESEARCH AND DEVELOPMENT

6,500+SIGNATURES

RULE UPDATES

Innovations in Threat Management

Traffic Cleansing andSignature InspectionIdentify known behaviors

Global InspectionIncrease Risk Rating for known bad actors

DecisionEngineBlock, Alert, Permit, Limit

IPS Reputation FiltersBlock worst global attackers

Innovations in Threat Management

Data Center Perimeter

Campus

Attackers

Attacks SIGNATURE TECHNOLOGY

TRAFFIC CLEANSING

GLOBAL CORRELATION INSPECTION

REPUTATION FILTER

Cisco SIO

100% of Cisco Security advisories

100% of Microsoft Security Bulletins

100% of Critical Enterprise App Vulnerabilities

100% in 24 Hours

90% in 90 Minutes (Cisco, Microsoft)

Cisco SIO

White-list Black-list

online.wsj.com, 7.1.2.3

facebook.com, 3.4.5.6

Firewall and IPS - Cisco · Firewall and IPS Abdullah Ahmed Regional Security Consultant. Cisco...

Documents

Transcript of Firewall and IPS - Cisco · Firewall and IPS Abdullah Ahmed Regional Security Consultant. Cisco...

5514688 Cisco PIX Firewall

APPENDICES - Supreme Court of the United States...Cisco intrusion protection system (“IPS”) products, Cisco remote management services, Cisco IPS services, Sourcefire4 IPS products,

Global Correlation for Cisco ASA, IPS - University of Žilinapalo/Rozne/cisco-expo-2009/Presentation - DA… · IPS. Firewall Reputation is the history of both actions and qualities

IPS User Interface Reference - Cisco · IPS User Interface Reference - Cisco ... m-1

Cisco ASA: All-in-one Next-Generation Firewall, IPS, and VPN ...

Cisco Router Guide (PDF) Router Guide.pdf · IOS Firewall, Cisco IOS Zone-Based Firewall, Cisco IOS IPS, and Cisco IOS Content Filtering • Identity management that uses authentication,

Cisco Next Generation - Cisco - Global Home Page · Cisco Next Generation Firewall and IPS Dragan Novakovic Security Consulting Systems Engineer

INTEGRATED FIREWALL WITH IPS SERVICE — s Cisco-ASA-based Managed Firewall and Intrusion Prevention services can play an important role in ... the Integrated Firewall with IPS Service

Network Security: What is a Firewall? Firewall, VPN, IDS/IPS, SIEMabc/teaching/bbm463/... · 2016. 11. 3. · 3.11.2016 1 Network Security: Firewall, VPN, IDS/IPS, SIEM Ahmet Burak

Cisco Meraki Cloud - Managed IT Solution...Management solution (IPS, AMP, CF, Geo-IP, L7 App. Firewall) AMP & Threat Grid Cisco Meraki Overview Demo Cisco Meraki Overview What is NEW

Configuring the ASA IPS Module - cisco.com · 31-3 Cisco ASA Series Firewall CLI Configuration Guide Chapter 31 Configuring the ASA IPS Module Information About the ASA IPS Module

Firewall and IPS - Storage Networks · • Cisco ASA 5500-X Series Adaptive Security Appliances for Internet edge firewall security and intrusion prevention • Cisco IPS 4300 Series

Firewall + ips update

Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN ......Cisco ASA All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, Second Edition Jazib Frahim, CCIE No. 5459

Firewall and IPS Deployment Guide - Cisco Firewall and IPS Deployment Guide focuses on the Internet edge firewall and intrusion prevention system (IPS) security services that protect

Cisco ASA: All-in-one Next-Generation Firewall, IPS, … › images › 9781587143076 › ...Cisco Press 800 East 96th Street Indianapolis, IN 46240 Cisco ASA All-in-One Next-Generation

Cisco Firewall

Cisco SD-WAN Solution Overview · Cisco SD-WAN can transform your Cisco routers into advanced, multilayered security devices with an application-aware enterprise firewall, IPS, URL

Firewall and IDS/IPS - polito.itsecurity.polito.it/~lioy/01krq/firewall_en_2x.pdf · better authentication (user+pwd or GSS-API) ... Firewall and IDS/IPS (fw - dec'09) firewall firewall.

Firewall and IDS/IPS - PoliTO