Cisco ASA Nov2005

8/14/2019 Cisco ASA Nov2005

1/30

1 2004 Cisco Systems, Inc. All rights reserved.ASA 5500 Intro

Introducing the Cisco ASA 5500 Series

Adaptive Security Appliances

Rizwan QureshiProduct Manager


2/30


Converged Adaptive Threat Defense and Flexible VPN ServicesApplication Security, Worm/Virus Mitigation,

Malware Protection, Threat-Protected VPN and Network Awareness

Introducing Cisco Adaptive Security AppliancesDelivering Adaptive Threat Defense and VPN Solutions

Minimize Deployment and Operations CostsPlatform Standardization, Unified Management

Technology Extensibility to Address New ThreatsPurpose-Built Adaptive Identification and Mitigation Architecture Enables

Unprecedented Extensibility and Policy Control

The Cisco ASA 5500 Series


3/30


Cisco ASA 5500 SeriesConvergence of Robust, Market-Proven Technologies

Firewall TechnologyFirewall Technology

Cisco PIXCisco PIX

IPS TechnologyIPS TechnologyCisco IPSCisco IPS

NW-AV TechnologyNW-AV Technology

Cisco IPS, AVCisco IPS, AV

VPN TechnologyVPN Technology

Cisco VPN 3000Cisco VPN 3000

Network IntelligenceNetwork Intelligence

Cisco NetworkCisco Network

ServicesServices

App Inspection, UseApp Inspection, Use

Enforcement, Web ControlEnforcement, Web Control

Application SecurityApplication Security

Malware/Content Defense,Malware/Content Defense,

Anomaly DetectionAnomaly Detection

Anti-X DefensesAnti-X Defenses

Traffic/Admission Control,Traffic/Admission Control,

Proactive ResponseProactive ResponseNetwork Containment &Network Containment &

ControlControl

Secure ConnectivitySecure Connectivity

IPSec & SSL VPNIPSec & SSL VPN

Market-ProvenMarket-ProvenTechnologiesTechnologies

Adaptive Threat Defense,Adaptive Threat Defense,Secure ConnectivitySecure Connectivity
http://images.google.com/imgres?imgurl=http://www.ehs.washington.edu/images/BIOSGN2.jpg&imgrefurl=http://www.ehs.washington.edu/Manuals/BSManual/AppendixA.pdf&h=1028&w=850&sz=124&tbnid=HeNi2BPYUAgJ:&tbnh=149&tbnw=124&start=14&prev=/images%3Fq%3Dbiohazard%26hl%3Den%26lr%3D%26safe%3Doff


4/30


Adaptive Identification and Mitigation (AIM) Services ArchitectureTechnology Extensibility to Mitigate Current and Future Threats

AdaptiveThreatDefense

SecureCon

nectivity

Security Services Extensibility

Cisco Intelligent Networking, High Availability, and Scalability ServicesCisco Intelligent Networking, High Availability, and Scalability Services

AdaptiveAdaptive

ClassificationClassification

& Policy& Policy

FrameworkFramework

ApplicationApplicationInspectionInspection& Control& Control

Anti-XAnti-XDefensesDefenses

NetworkNetworkContainmentContainment

& Control& Control

Remote AccessRemote AccessVPNVPN

ConnectivityConnectivity

Site-to-SiteSite-to-SiteVPNVPN

ConnectivityConnectivity

Cisco Technology & Service Extensions Partner Technology & Service Extensions

Innovative AIM services architecture allows business to adapt andextend the security services profile via Cisco-developed and partner-provide innovations delivering high current services performance

and services extensibility


5/30


Cisco ASA 5500 Series: Breadth and DepthIndustry First! Scalable, Multi-Function, Feature Rich

Multi-layer packet and traffic analysis Advanced application and protocol inspection services Network application controls Advanced VoIP/multimedia security

Network-based worm and virus mitigation Spyware, adware, malware detection and control Accurate Prevention Technology for reliable, proactive

response On-box event correlation and proactive response

Layer 3 and 4 access control services Stateful packet inspection Flexible user, network and application policy grouping

Zero-touch, automatically updateable IPSec remote access Flexible and secure SSL VPN services

QoS/routing-enabled site-to-site VPN Integrated threat mitigation protect against VPN-delivered threats

Low Latency Diverse Topologies Multicast Support

Services Virtualization Network Segmentation & Partitioning Routing, Resiliency, Load-Balancing

ApplicationApplication

SecuritySecurity

Anti-XAnti-X

DefenseDefense

NetworkNetwork

Containment &Containment &

ControlControl

SecureSecureConnectivityConnectivity

Cisco NetworkingCisco Networking

ServicesServices

IntelligenceIntelligence


6/30


666

IKEIPSecPPTP

H.323 v1-4SIP

SCCP (Skinny)GTP (3G Wireless)

MGCPRTSP

TAPI / JTAPI

Microsoft Windows MessengerMicrosoft NetMeeting

Real PlayerCisco IP Phones

Cisco Softphones

ILS / LDAPOracle / SQL*Net (V1/V2)

Microsoft NetworkingNFSRSH

SunRPC / NIS+

X Windows (XDMCP)HTTPFTP

TFTPSMTP / ESMTP

DNS / EDNSICMPTCP

UDP

Core Internet ProtocolsCore Internet Protocols

Security ServicesSecurity Services

Database / OS ServicesDatabase / OS ServicesMultimedia / Voice over IPMultimedia / Voice over IP

Specific ApplicationsSpecific Applications

OverOver3030

EnginEngineses

Application Inspection & Control EnginesProvide Control over Application Usage & Network Access

Application and protocol-aware inspection services providesstrong application-layer security

Performs conformance checking, state tracking, securitychecks, NAT/PAT support and dynamic port allocation


7/30777 2004 Cisco Systems, Inc. All rights reserved.ASA 5500 Intro

Spyware / Adware Prevents installation of malware

and blocks phone homecommunications

Frees network bandwidth andcontrols the transmission ofconfidential data

Traffic Cleansing Removes traffic ambiguities

such as overwritten fragments,TCP segment overwrites, TTL

discrepancies Simulates end host behavior to

increase inspection accuracy

Directed Attacks Controls corporate espionage Stops web defacing by preventing

web attacks

Prevents zombie, backdoor, andbot placement thus stoppingautomated attacks (e.g., denial ofservice (DoS)

Cisco ASA 5500 Series Delivers High PerformanceWorm//Malware and Attack Mitigation Services

Network Worms & Viruses Stops the infection and

propagation of malware Leverages internal development

and partnership with Trend Micro

Advanced Intrusion Prevention Services (IPS) and Network Anti-Virusfeatures mitigate wide range of network threats



Accurate Prevention TechnologiesRisk Rating Provides Threat Context

+

+

+

Is attack relevant tohost being attacked?

How prone tofalse positive?

How critical is thisdestination host?

EventSeverity

SignatureFidelity

AttackRelevancy

Asset Valueof Target

RISKRATING

DrivesMitigation

Policy

How urgent isthe threat?

Decision supportbalances attack urgencywith business risk



Accurate Prevention TechnologiesMeta Event Generator Delivers Advanced Correlation

Low

Medium

High

Risk Rating

Time: 0 2 4 6 8 10

Event AEvent B

Event C

Event D

A + B + C + D =

WORM!

Links lower risk eventsinto a high risk meta-

event, triggeringprevention actions

Models attack Behavior byCorrelating:

Event type

Time span

DROPEvent D-WormStopped!

On-box correlation allows adaptation to new threats in real-timewithout user intervention



Cisco ASA 5500 Series VPN SolutionsEnterprise-Class Site-to-Site VPN Capabilities

Network-aware site-to-site VPNsQoS-Enabled VPNSupport for low latency queuing forlatency-sensitive traffic such as VoIP

IPSec Stateful Failover

Provides high performance Active-Standbyfailoverwith automatic key and SAinformation synchronization

OSPF Routing

Over VPNInternet

Robust X.509 Certificate SupportManual enrollment support (PKCS 7/10)n-tiered X.509 certificate chaining support 4096-bit RSA keysize support



Cisco AYT provides the ability toperform security posture checks whena VPN connection attempt is received

Enforces usage of authorized host-based security products (such as theCisco Security Agent) and verifies itsversion number, policies, and statusprior to granting access the corporatenetwork

Checks to see if security products are

both installed and active Pushes embedded personal firewall

policy

Re-checks posture every 30 secondsprotecting against user disablement

Telecommuterwith IPSec VPN

Cisco VPN Are You There (AYT) & CSAComprehensive Endpoint Protection

VPN Concentrator

CSA

Viruses

Public InternetPublic InternetWorms

Trojans

Malware

Viruses



Cost-Effective VPN Headend ScalingPay as You Grow with Load Balancing and Clustering

10.10.1.X

.1

.2

.3

.4

124.118.24.X

.31

.32

.33

.34

Cluster IP Address

Cluster Master

Client requests connection to 124.118.24.50

Virtual cluster master responds with 124.118.24.33

Client requests IPSec/SSL session to 124.118.24.33

Cluster multiple Cisco ASA 5500s to scale as needed to 10,000s of users

Dynamic load balancing ensures effective utilization of all clustered devices

Clustering with load balancing provides maximum uptime

Seamlessly integrates with existing Cisco VPN 3000 clusters



Free SSL VPN TrialFree SSL VPN TrialIncluded in Base Pricing Included in Base Pricing

No Per-Feature LicensesNo Per-Feature Licenses!!

WebVPN: SSL-Based Remote AccessEnables Clientless Remote Connectivity

Web Page Access (HTTP/HTTPS)

Remote E-Mail Access

Outlook (MAPI), OWA, POP, IMAP,SMTP, Notes, iNotes

File Access on Enterprise Servers

Windows CIFS file shares via Web Interface Flexible Login Options Customizable for Diverse

User Communities

Group based access control

Support for all enterprise authenticationmechanisms

Port Forwarding

Access to thick client TCP-based applications

Web-Based Management

Full-featured configuration and monitoring



Scalable Security Services

Adds support for Security Contexts (virtualfirewalls) to lower operational costs

Enables device consolidation and segmentation

Supports separated policies and administration

Easy to Deploy Firewall and IPS Services

Introduces transparent firewall capabilities forrapid deployment of security

Drops into existing networks without need forreaddressing the network

Simplifies deployments ofinternal firewalling andsecurity zoning new applications

Dept/Cust 2Dept/Cust 1 Dept/Cust 3

Transparent Firewall and IPS

Existing Network

Virtualized Services and Transparent OperationSimplifies Deployment and Reduces Operational Costs



Improved Network and Device Resiliency

Introduces Active-Active failover forenhancedresiliency and asymmetric routing support

Delivers new zero-downtime software upgradecapability forimproved uptime

Intelligent Network Integration

Provides QoS traffic prioritization for improvedhandling oflatency sensitive traffic

Adds IPv6 support for hybrid IPv4/IPv6 networkenvironments

Delivers PIM sparse mode multicast support forimproved support for streaming data deliveryservices, video conferencing, and othermission-critical real-time enterprise applications

Active

Active

V V VV V V

D D D D

Quality of Service

Advanced Network IntegrationMaximizes Uptime and Supports Next-Gen Networks



Application Inspection and Access ControlServices Convergence Enables Stronger Security

Full Service Firewall with ApplicationFull Service Firewall with ApplicationInspection and Control:Inspection and Control:Stateful Layer 3-7 Inspection

Application and Access ControlDynamic Protocol Descriptor Updates

Quality of Service

Enables Control of:Enables Control of:

Peer-to-peer: Kazaa and GnutellaInstant MessagingHTTP and Port 80

Tunneled ApplicationsVoice over IP

And many more!

Designed from the ground up for reliable dynamic control ofthe application layer

Business Traffic

Peer to Peer,Tunneled Apps

PublicInternet

ASA 5500

2004 Cisco Systems, Inc. All rights reserved.ASA 5500 Intro 161616



PublicInternet

Comprehensive Response:Comprehensive Response:Attack Drop

Session RemovalServer DoS Protection through

Session Resets

Line Rate Analysis:Line Rate Analysis:

De-obfuscationDeep Packet Inspection

Protocol Anomaly DetectionHeuristic Analysis

Traffic Normalization

Zero-Hour Worm Mitigation At Line Rate!Services Convergence Enables Stronger Security

Leverages depth of IPS, firewall, and zero-hour protection features to stopmalicious worms and virusesand without a performance loss!

Slammer

MS Blaster

Witty

Code Red

NIMDA

W32.Tomorrows-Threat

ASA 5500




PublicInternet

Access Scenarios:Access Scenarios:

Site-to-Site ConnectivityManaged DesktopEmployee Desktop

Kiosk AccessFull or Limited Network Access

Partner Access

Cisco ASA 5500 Series Provides Highly Flexibleand Scalable VPN Services

Combined IPSec and WebVPN services allow tailored solutions forbusiness's growing connectivity and scalability requirements

ASA 5500Account ManagerMobile User

Branch OfficeSite-to-Site

Employee at HomeUnmanaged Desktop

Supply PartnerExtranet

Converged IPSec, WebVPN, Firewall:Converged IPSec, WebVPN, Firewall:Inspect/Control VPN Sessions

Single RA VPN Device InfrastructureUnified User Management

Unmatched ScalabilityComprehensive Load Balancing


SSL

SSL

IPSec

IPSec



CiscoASA 5520

CiscoASA 5540

CiscoASA 5510

Cisco ASA 5500 Series Product LineupSolutions Ranging from SMB to Large Enterprise

PerformanceMax Firewall

Max Con. Threat MitigationMax IPSec VPN

SMB and SMETarget Market

Base PlatformServices

List Price

Enterprise Large Enterprise

Starting at$3,495

Starting at$7,995

Starting at$16,995

300 Mbps

150 Mbps170 Mbps

450 Mbps

375 Mbps225 Mbps

650 Mbps

450 Mbps325 Mbps

App FW, IPSec andSSL VPN, and more

A/S HA (Upg.),3 FE to 5 FE

Same as 5510, plusA/A Failover,

VPN Clustering,4 GE + 1 FE

Same as 5520, withhigher performance

and scalability


20/30


Cisco ASA 5520/5540 Adaptive Security AppliancesProduct Tour

Sleek, High Performance1 Rack Unit (RU) Design

Four 10/100/1000Copper Gigabit Ports

One 10/100 Out of BandManagement Port*

One Expansion Slot for Addl

Accelerated Services or I/O

Single Field Upgradeable

AC or DC Power Supply

Console and AUX Ports

Five Status LEDs (Power,Status, Active, VPN, Flash)

Two USB 2.0 Ports forFuture Expansion (Credentials,

Failover, and more)

Diskless Architecture forHigh Reliability

Compact Flash for Software,Config, and Log Storage



21/30

212121 2004 Cisco Systems, Inc. All rights reserved.ASA 5500 Intro 2004 Cisco Systems, Inc. All rights reserved.ASA 5500 Intro 212121

Cisco ASA Security Services Module (SSM) 10 & 20Product Tour

High Performance Modulefor Additional Services

Thumbscrews for EasyInsertion and Removal

Gigabit Ethernet Port forOut-of-Band Management, etc.

Diskless (Flash-Based) Designfor Improved Reliability


22/30


Licensing on the Cisco ASA 5500 Series

All primary Firewall and VPN services in base systems

Several licenses enableadditional feature content

ASA 5510 Security Plus Active/Standby HA, VLANs, capacity

ASA 5520/5540 VPN Plus/Premium Unlocks addl VPN peers

Security Contexts Several tiers available 5, 10, 20, and 50

GTP Inspection Enables 3G Mobile Wireless security features

Additional services delivered via Security Svc ModulesFull featured, high performance IPS services (AIP SSM)

Requires IPS Services contract for signature updates

More services to come in the future


23/30

232323 2004 Cisco Systems, Inc. All rights reserved.ASA 5500 Intro 232323

Common CriteriaFuture: EAL4+, v7.0(4) ASA Family

FIPS 140

Future: Level 2, v7.0(4) ASA Family

ICSA Firewall 4.1, Corporate Category

Future: v7.0(1) ASA Family

ICSA IPSec 1.1D

Future: v7.0(1) ASA Family

VPNC

Tentative: v7.0(1) ASA Family

Cisco ASA Adaptive Security AppliancesIndustry Certifications and Evaluations


24/30


Comprehensive Management, Monitoring & ResponseConverged Services Reduces Complexity and Costs

Cisco Adaptive SecurityDevice Manager (ASDM)

CiscoWorks VPN/SecurityManagement (VMS) System

Cisco Security AuditorCisco Security MARS

Device Management System Management

Monitoring and Response Auditing

Solsoft Policy Server

CiscoWorks SIMS

Integrated, web-based mgmt Converged configuration

FW, IPS, VPN, AV Real-time monitoring tools

Multi-device integrated mgmt Enterprise-scale

provisioning

Multi-platform eventmanagement and response

Sophisticated datareduction and correlation

Device posture validationagainst industry bestpractices and regulatorycompliance


25/30

252525 2004 Cisco Systems, Inc. All rights reserved.ASA 5500 Intro 252525

Cisco Adaptive Security Device Manager (ASDM) v5.0Next-Generation of Popular Cisco PIX Device Manager

Adds support forall major newfeatures introducedin PIX OS v7.0

Homepage includes

new features, such as:

- Platform uptime

- Security Contexts

- Real-time syslogviewer (last ten)

- Improved navigation

- Powerful searchcapabilities

- And more!


26/30


Cisco Adaptive Security Device Manager (ASDM) v5.0Robust Firewall Management and Monitoring

Cisco Confidential NDA Use Only

Cisco ASDM v5.0 delivers robust

firewall managementand monitoring of aCisco ASA appliance

Supports full

configuration of:

- Access control lists- Network and service

object groups- Inspection Engines- NAT/PAT

- AAA and more

Supports monitoring of:- Syslog (real-time)- Connections- Throughput & more!



27/30


Cisco Adaptive Security Device Manager v5.0Comprehensive VPN Management and Monitoring

Cisco Confidential NDA Use Only

Cisco ASDM v5.0 delivers comprehensive

remote access andsite-to-site VPNmanagement andmonitoring of a single

Cisco ASA appliance Supports full

configuration of:

- WebVPN- IPSec RA groups- S2S tunnels

- AAA, DHCP, & more!

Supports monitoring of:

- Uptime, bytes xfered,by tunnel

- VPN usage trends



28/30


Cisco Adaptive Security Device Manager v5.0Extensive IPS Management and Monitoring

Cisco ASDM v5.0 delivers extensive

IPS management andmonitoring of a singleCisco ASA appliance

Supports fullconfiguration of:

- Engines- Signatures- Threat Risk Rating- IPS Actions- And more!

Supports monitoring of:

- Events- Diagnostic reports- Sensor statistics

Cisco Confidential NDA Use Only 2004 Cisco Systems, Inc. All rights reserved.ASA 5500 Intro 282828

S Ci ASA 5500 S i


29/30


Summary: Cisco ASA 5500 Series3 Take aways

Eliminates security tradeoffs with convergedsecurity services

Single platform, many uses reduces

operational costs Unprecedented technology extensibility

adapts to new threats


30/30

Cisco ASA Nov2005

Documents

Transcript of Cisco ASA Nov2005