Cisco ASA Firewalls


Transcript of Cisco ASA Firewalls

Page 1: Cisco ASA Firewalls

ASA55xx Series

Cisco’s series of Adaptive Security Appliances

Bryley Systems Inc.Business Technology Solutions Since 1987

Page 2: Cisco ASA Firewalls

Agenda

• Default Capabilities
• Models
• Optional Capabilities

Page 3: Cisco ASA Firewalls

ASA Capabilities

• Stateful/Deep Packet Inspection Firewall
• IPSec VPN Endpoint
• SSL VPN Endpoint
• Virtualization
• Anti-X
• Intrusion Prevention

Page 4: Cisco ASA Firewalls

Firewall

• Default firewall rules
– Outbound traffic is allowed unless otherwise specified
– Inbound traffic is denied unless otherwise specified
• Stateful packet inspection ensures that responses to outbound traffic match outgoing requests

Page 5: Cisco ASA Firewalls

ASA Firewall

• ASA assigns a security level to each interface
– inside is 100, outside (Internet) is 0, DMZ is typically assigned 50
– Default rules allow free flow from a higher security level to a lower security level
• NAT/PAT
– Allows for more servers with fewer public IPs
• Deep packet inspection
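The two preceding slides together describe the ASA default policy: new connections are allowed only from a higher security level to a lower one, and inbound packets are accepted only when they are replies matching an existing outbound connection. The following toy model, added here as an illustration and not Cisco code, implements exactly that combination of security levels and a stateful connection table; interface names, levels and addresses are constructed examples.

```python
"""Toy model of the ASA default interface policy (slides 4 and 5).

Assumptions of this example (not Cisco code):
  * Each interface carries a security level 0-100.
  * A new connection is permitted only from a higher-level interface to a
    lower-level one (inside 100 -> DMZ 50 -> outside 0).
  * Traffic between interfaces at the same level is denied by default.
  * Return traffic is permitted only if it is the reverse of a connection
    already recorded in the state table and arrives on the interface that
    connection left through (stateful inspection).
"""
from dataclasses import dataclass

# Constructed interface table mirroring the example levels on the slide.
SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        """The 5-tuple a reply to this flow would carry."""
        return Flow(self.proto, self.dst_ip, self.dst_port,
                    self.src_ip, self.src_port)


class StatefulPolicy:
    def __init__(self, levels=SECURITY_LEVELS):
        self.levels = levels
        # (egress interface, flow) pairs for connections already allowed out.
        self.conn_table: set[tuple[str, Flow]] = set()

    def permit(self, ingress: str, egress: str, flow: Flow) -> bool:
        # 1. Reply traffic: reverse 5-tuple of an established connection,
        #    arriving on the interface the original request went out of.
        if (ingress, flow.reverse()) in self.conn_table:
            return True
        # 2. New connection: only higher -> lower security level by default.
        if self.levels[ingress] > self.levels[egress]:
            self.conn_table.add((egress, flow))
            return True
        # 3. Everything else (equal level, or lower -> higher) is denied.
        return False
```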

Page 6: Cisco ASA Firewalls

IPSec VPN

• Used for LAN-to-LAN connections
• Workstation clients for Windows, Macintosh, Linux
• Maximum connections depends on model
• No additional licenses required
• EasyVPN
– Simplified configuration
– Inbound connections only

Page 7: Cisco ASA Firewalls

SSL VPN

• No pre-installed client – connect with web browser

• Licensed by simultaneous connections (2 connections permitted for testing)

• Clientless connection
– Simplest configuration
– Limited to web applications
– Some client-server applications are SSL VPN aware

Page 8: Cisco ASA Firewalls

SSL VPN

• Cisco AnyConnect VPN client
• Downloaded on-the-fly
• Full network access (if desired)
• Windows/Macintosh/Linux
• May not function if user rights on the client computer are limited

Page 9: Cisco ASA Firewalls

IPSec vs SSL

IPSec
• Workstation configuration required
• Administrator can configure VPN then restrict user access
• Access as if client machine on LAN
• Has pre-shared key in addition to user password
• No additional cost

SSL
• Browser-based from any computer
• Limited access if user does not have right to install applications
• Need to use web applications to ensure access
• Vulnerable to password compromise
• Extra cost feature

Page 10: Cisco ASA Firewalls

ASA Models

• ASA550x - SOHO/Telecommuter
• ASA551x
• ASA552x
• ASA554x
• ASA555x - Large enterprise
• ASA558x - Datacenter/ISP

Main Office, Integrated Protection

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Page 11: Cisco ASA Firewalls

ASA550x – Base License

• 10/50/Unlimited internal devices
• 10 Simultaneous VPNs
• 8 10/100 Ethernet ports – assigned to VLANs
• 2 Power over Ethernet
• 3 VLANs
• One VLAN must be isolated from communicating with one of the others.

Page 12: Cisco ASA Firewalls

ASA550x – Telecommuter setup

Page 13: Cisco ASA Firewalls

ASA550x – Security Plus

• 25 Simultaneous VPNs
• Ports must be assigned to one of three interfaces, up to 20 trunked VLANs permitted
• Communications between interfaces restricted by standard firewall rules
• Failover to backup ISP for outbound access

Page 14: Cisco ASA Firewalls

ASA551x – Base License

• 250 Simultaneous VPNs
• 3 – 10/100 Ethernet ports – Firewall interfaces
• 1 – 10/100 Ethernet port – Management only
• Up to 50 Trunked VLANs
• SSM Slot for Content Filter or Intrusion Prevention Module

Page 15: Cisco ASA Firewalls

ASA551x – Security Plus License

• 250 Simultaneous VPNs
• 3 – 10/100 Ethernet ports
• 2 – 10/100/1000 Ethernet ports
• Up to 100 Trunked VLANs
• SSM Slot for Content Filter, Intrusion Prevention Module, or 4 x 10/100/1000 Ethernet Port module
• 2 included/5 maximum Security Contexts

Page 16: Cisco ASA Firewalls

ASA552x

• 750 Simultaneous VPNs
• 1 – 10/100 Ethernet port
• 4 – 10/100/1000 Ethernet ports
• Up to 150 Trunked VLANs
• SSM Slot for Content Filter, Intrusion Prevention Module, or 4 x 10/100/1000 Ethernet Port module
• 2 included/20 maximum Security Contexts

Page 17: Cisco ASA Firewalls

ASA554x

• 5000 Simultaneous VPNs (2500 SSL)
• 1 – 10/100 Ethernet port
• 4 – 10/100/1000 Ethernet ports
• Up to 200 Trunked VLANs
• SSM Slot for Content Filter, Intrusion Prevention Module, or 4 x 10/100/1000 Ethernet Port module
• 2 included/50 maximum Security Contexts

Page 18: Cisco ASA Firewalls

ASA555x

• 5000 Simultaneous VPNs
• 1 – 10/100 Ethernet port
• 4 – 10/100/1000 Ethernet ports
• 4 ports selectable 1000T/SFP Fiber ports
• Up to 250 Trunked VLANs
• No SSM Slot
• 2 included/50 maximum Security Contexts

Page 19: Cisco ASA Firewalls

Content Security and Control Module

• Standard License
– Anti-virus
– Anti-Spyware
– File blocking

• Plus License adds
– Anti-SPAM
– URL Filter
– E-mail content control

Page 20: Cisco ASA Firewalls

Content Security and Control Module

• CSC-SSM-10
– 50/100/250/500 users
– ASA5510 and ASA5520

• CSC-SSM-20
– 750/1000 users
– ASA5510, ASA5520, ASA5540

• Subscription required for updates

Page 21: Cisco ASA Firewalls

Advanced Intrusion Prevention

• Compares every packet against a signature database

• Alerting or automatic blocking
• Update subscription required