Cisco ASA Nov2005
Transcript of Cisco ASA Nov2005
8/14/2019 Cisco ASA Nov2005
1/30
2004 Cisco Systems, Inc. All rights reserved. ASA 5500 Intro
Introducing the Cisco ASA 5500 Series
Adaptive Security Appliances
Rizwan Qureshi, Product Manager
2/30
The Cisco ASA 5500 Series
Introducing Cisco Adaptive Security Appliances: Delivering Adaptive Threat Defense and VPN Solutions
- Converged Adaptive Threat Defense and Flexible VPN Services: application security, worm/virus mitigation, malware protection, threat-protected VPN and network awareness
- Minimize Deployment and Operations Costs: platform standardization, unified management
- Technology Extensibility to Address New Threats: purpose-built Adaptive Identification and Mitigation architecture enables unprecedented extensibility and policy control
3/30
Cisco ASA 5500 Series: Convergence of Robust, Market-Proven Technologies
Market-proven technologies feeding Adaptive Threat Defense and Secure Connectivity:
- Firewall Technology (Cisco PIX) -> Application Security: app inspection, use enforcement, web control
- IPS Technology (Cisco IPS) and NW-AV Technology (Cisco IPS, AV) -> Anti-X Defenses: malware/content defense, anomaly detection
- Network Intelligence (Cisco Network Services) -> Network Containment & Control: traffic/admission control, proactive response
- VPN Technology (Cisco VPN 3000) -> Secure Connectivity: IPSec & SSL VPN
4/30
Adaptive Identification and Mitigation (AIM) Services Architecture: Technology Extensibility to Mitigate Current and Future Threats
Architecture layers (figure):
- Adaptive Threat Defense: Application Inspection & Control; Anti-X Defenses; Network Containment & Control
- Secure Connectivity: Remote Access VPN Connectivity; Site-to-Site VPN Connectivity
- Adaptive Classification & Policy Framework
- Security Services Extensibility: Cisco Technology & Service Extensions; Partner Technology & Service Extensions
- Cisco Intelligent Networking, High Availability, and Scalability Services
The AIM services architecture lets a business adapt and extend its security services profile through Cisco-developed and partner-provided innovations, delivering high performance for current services and extensibility for new ones.
5/30
Cisco ASA 5500 Series: Breadth and Depth. Industry First! Scalable, Multi-Function, Feature Rich
Application Security:
- Multi-layer packet and traffic analysis
- Advanced application and protocol inspection services
- Network application controls
- Advanced VoIP/multimedia security
Anti-X Defense:
- Network-based worm and virus mitigation
- Spyware, adware, malware detection and control
- Accurate Prevention Technology for reliable, proactive response
- On-box event correlation and proactive response
Network Containment & Control:
- Layer 3 and 4 access control services
- Stateful packet inspection
- Flexible user, network and application policy grouping
Secure Connectivity:
- Zero-touch, automatically updateable IPSec remote access
- Flexible and secure SSL VPN services
- QoS/routing-enabled site-to-site VPN
- Integrated threat mitigation protects against VPN-delivered threats
Cisco Networking Services Intelligence:
- Low latency, diverse topologies, multicast support
- Services virtualization, network segmentation & partitioning
- Routing, resiliency, load balancing
6/30
Application Inspection & Control Engines: Provide Control over Application Usage & Network Access
Over 30 engines:
- Security Services: IKE, IPSec, PPTP
- Multimedia / Voice over IP: H.323 v1-4, SIP, SCCP (Skinny), GTP (3G Wireless), MGCP, RTSP, TAPI / JTAPI
- Specific Applications: Microsoft Windows Messenger, Microsoft NetMeeting, Real Player, Cisco IP Phones, Cisco Softphones
- Database / OS Services: ILS / LDAP, Oracle / SQL*Net (V1/V2), Microsoft Networking, NFS, RSH, SunRPC / NIS+, X Windows (XDMCP)
- Core Internet Protocols: HTTP, FTP, TFTP, SMTP / ESMTP, DNS / EDNS, ICMP, TCP, UDP
Application- and protocol-aware inspection services provide strong application-layer security. Each engine performs conformance checking, state tracking, security checks, NAT/PAT support and dynamic port allocation.
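What "conformance checking", "NAT/PAT support" and "dynamic port allocation" look like inside one of these engines is easiest to see on FTP, whose data connection is negotiated in-band. The following is an added example written for this page, not Cisco's engine code: it watches the FTP control channel from an inside client (INSIDE_IP, translated to NAT_IP) to a server (SERVER_IP), rejects a PORT command that names any host but the client (an FTP bounce), rewrites the inside address on the way out, and returns the pinhole the firewall must open for the data connection. The three addresses and the sample control-channel lines are constructed; a real engine also tracks the EPRT/EPSV forms and closes the pinhole once the data connection is established.

```python
"""FTP inspection engine sketch: parses the control channel, checks the
data-channel negotiation for conformance, fixes up addresses for NAT and
returns the pinhole to open for the data connection.  Addresses and the
sample control-channel lines below are constructed for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
PASV_RE = re.compile(rb"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """Temporary permit: `src` may open one TCP connection to dst:dport.
    Addresses are as seen on the outside (post-NAT) interface."""
    src: str
    dst: str
    dport: int


def _decode(h1, h2, h3, h4, p1, p2) -> Optional[Tuple[str, int]]:
    """Turn the six-number FTP argument into (ip, port); None if out of range."""
    octets = [int(x) for x in (h1, h2, h3, h4)]
    port = int(p1) * 256 + int(p2)
    if max(octets) > 255 or port > 65535:
        return None
    return ".".join(map(str, octets)), port


def _encode(ip: str, port: int) -> bytes:
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)]).encode()


def inspect_port_command(line: bytes, inside_ip: str, nat_ip: str,
                         server_ip: str) -> Optional[Tuple[bytes, Pinhole]]:
    """Client -> server PORT (active mode).  Returns (line to forward,
    pinhole) or None to drop the command.

    Conformance check: the embedded address must be the client's own and
    the port unprivileged; anything else is an FTP bounce attempt."""
    m = PORT_RE.match(line)
    if not m:
        return None
    decoded = _decode(*m.groups())
    if decoded is None or decoded[0] != inside_ip or decoded[1] < 1024:
        return None
    port = decoded[1]
    # NAT fix-up: the server must connect back to the translated address.
    forwarded = b"PORT " + _encode(nat_ip, port) + b"\r\n"
    return forwarded, Pinhole(src=server_ip, dst=nat_ip, dport=port)


def inspect_pasv_reply(line: bytes, server_ip: str,
                       client_nat_ip: str) -> Optional[Tuple[bytes, Pinhole]]:
    """Server -> client 227 reply (passive mode).  The advertised address
    must be the server itself; the pinhole lets the client reach it."""
    m = PASV_RE.match(line)
    if not m:
        return None
    decoded = _decode(*m.groups())
    if decoded is None or decoded[0] != server_ip or decoded[1] < 1024:
        return None
    return line, Pinhole(src=client_nat_ip, dst=server_ip, dport=decoded[1])


# Constructed sample: inside client, its NAT address, the FTP server.
INSIDE_IP, NAT_IP, SERVER_IP = "10.1.1.25", "203.0.113.7", "198.51.100.10"
SAMPLE_CONTROL_CHANNEL = [
    ("c2s", b"PORT 10,1,1,25,4,1\r\n"),     # legitimate active-mode setup
    ("c2s", b"PORT 10,1,1,99,0,25\r\n"),    # bounce attempt at another host
    ("c2s", b"PORT 10,1,1,25,300,1\r\n"),   # malformed: port > 65535
    ("s2c", b"227 Entering Passive Mode (198,51,100,10,195,80)\r\n"),
]


def run_session(messages) -> Tuple[List[bytes], List[Pinhole], List[bytes]]:
    """Apply the engine to each control-channel line.  Returns the lines
    forwarded, the pinholes opened, and the lines dropped."""
    forwarded, pinholes, dropped = [], [], []
    for direction, line in messages:
        if direction == "c2s":
            result = inspect_port_command(line, INSIDE_IP, NAT_IP, SERVER_IP)
        else:
            result = inspect_pasv_reply(line, SERVER_IP, NAT_IP)
        if result is None:
            dropped.append(line)
        else:
            forwarded.append(result[0])
            pinholes.append(result[1])
    return forwarded, pinholes, dropped


if __name__ == "__main__":
    fwd, holes, drop = run_session(SAMPLE_CONTROL_CHANNEL)
    for hole in holes:
        print(f"open pinhole: {hole.src} -> {hole.dst}:{hole.dport}")
    print(f"dropped {len(drop)} non-conformant line(s)")
```

The point of the address check is that without it the server could be used to open a connection to any host the attacker names; the point of the rewrite is that with it in place the client never needs a static rule for the data port, which is exactly the "dynamic port allocation" the slide promises.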
7/30
Cisco ASA 5500 Series Delivers High-Performance Worm/Malware and Attack Mitigation Services
Advanced Intrusion Prevention Services (IPS) and Network Anti-Virus features mitigate a wide range of network threats:
- Network Worms & Viruses: stops the infection and propagation of malware; leverages internal development and a partnership with Trend Micro
- Spyware / Adware: prevents installation of malware and blocks phone-home communications; frees network bandwidth and controls the transmission of confidential data
- Traffic Cleansing: removes traffic ambiguities such as overwritten fragments, TCP segment overwrites and TTL discrepancies; simulates end-host behavior to increase inspection accuracy
- Directed Attacks: controls corporate espionage; stops web defacing by preventing web attacks; prevents zombie, backdoor, and bot placement, thus stopping automated attacks (e.g., denial of service (DoS))
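The "traffic cleansing" bullet deserves a concrete picture, because it is what separates an inline IPS from a sniffer. An inline sensor reassembling a TCP stream has to decide, when two segments cover the same sequence range with different bytes, which copy the end host will keep; if the sensor guesses differently from the host, an attacker can hide an exploit in the copy the sensor discards. The same trick works with a segment whose TTL expires before the host, which only the sensor ever sees. The toy normalizer below is an added example for this page, not Cisco's implementation: it keeps one authoritative copy of every forwarded byte, refuses any retransmission that contradicts it, and drops segments that cannot reach the host. The hop-count threshold and the sample segments are constructed; the same idea applies one layer down to overlapping IP fragments.

```python
"""Toy TCP stream normalizer: removes segment-overwrite and TTL ambiguities
so the sensor and the end host cannot see different data.  The hop-count
threshold and the sample segments are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Segment:
    seq: int
    data: bytes
    ttl: int = 64


@dataclass
class StreamNormalizer:
    start_seq: int                  # sequence number of the first data byte
    min_ttl: int = 16               # assumption: hops still needed to reach the host
    bytes_seen: Dict[int, int] = field(default_factory=dict)    # seq -> byte
    dropped: List[Tuple[str, int]] = field(default_factory=list)

    def accept(self, seg: Segment) -> bool:
        """True if the segment is forwarded, False if it is dropped."""
        if seg.ttl < self.min_ttl:
            # Would expire before the protected host: only a sensor in the
            # path could ever see it, so it is evasion noise, not data.
            self.dropped.append(("ttl", seg.seq))
            return False
        # A byte that contradicts data already forwarded makes the whole
        # segment ambiguous; refuse it rather than pick an interpretation.
        for offset, b in enumerate(seg.data):
            prev = self.bytes_seen.get(seg.seq + offset)
            if prev is not None and prev != b:
                self.dropped.append(("overwrite", seg.seq))
                return False
        for offset, b in enumerate(seg.data):
            self.bytes_seen[seg.seq + offset] = b
        return True

    def reassembled(self) -> bytes:
        """Contiguous data from start_seq: the only view any host can now have."""
        out = bytearray()
        seq = self.start_seq
        while seq in self.bytes_seen:
            out.append(self.bytes_seen[seq])
            seq += 1
        return bytes(out)


# Constructed evasion attempt: the request is split, then an overwrite of
# bytes 1005-1007 is sent in the hope that the sensor favours it.
EVASION_ATTEMPT = [
    Segment(1000, b"GET /in"),
    Segment(1005, b"XXX"),                  # contradicts "in" already forwarded
    Segment(1007, b"dex.html HTTP/1.0\r\n"),
    Segment(1000, b"GET"),                  # identical retransmission: harmless
    Segment(1030, b"decoy", ttl=3),         # would expire before the host
]


def normalize(segments: List[Segment], start_seq: int = 1000):
    """Run the normalizer over a segment list; returns (stream, dropped)."""
    n = StreamNormalizer(start_seq=start_seq)
    for seg in segments:
        n.accept(seg)
    return n.reassembled(), n.dropped


if __name__ == "__main__":
    stream, dropped = normalize(EVASION_ATTEMPT)
    print(stream)
    print(dropped)
```

A production normalizer bounds the memory it keeps per flow and ages out old segments, which this sketch does not; what it does show is that once the conflicting copy is dropped there is only one possible reassembly for the host to see, so "simulating end-host behavior" no longer requires guessing which host model applies.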
8/30
Accurate Prevention Technologies: Risk Rating Provides Threat Context
Four inputs are combined into one risk rating:
- Event Severity: how urgent is the threat?
- Signature Fidelity: how prone is the signature to false positives?
- Attack Relevancy: is the attack relevant to the host being attacked?
- Asset Value of Target: how critical is this destination host?
Event Severity + Signature Fidelity + Attack Relevancy + Asset Value of Target = RISK RATING, which drives the mitigation policy.
Decision support balances attack urgency with business risk.
9/30
Accurate Prevention Technologies: Meta Event Generator Delivers Advanced Correlation
(Figure: risk rating, Low/Medium/High, plotted against time 0-10. Events A, B, C and D each carry a low rating; A + B + C + D = WORM! Event D is dropped and the worm stopped.)
- Links lower-risk events into a high-risk meta-event, triggering prevention actions
- Models attack behavior by correlating event type and time span
On-box correlation allows adaptation to new threats in real time without user intervention.
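The two slides above describe one decision pipeline: a per-event risk rating, and a correlator that promotes several low-rated events into one high-rated meta-event that is allowed to drop traffic. The code below is an added example for this page, not Cisco's sensor code. The weight tables and the (severity x fidelity x target value) / 10000 + relevance shape follow the formula Cisco published for IPS 5.x as I recall it; treat those exact numbers as an assumption, since the slides only name the four inputs. The signature ids, the time window and the event stream are constructed.

```python
"""Risk rating from the four slide inputs, a policy driven by it, and a
meta-event generator that fires when all component signatures are seen
from one source inside a time window.  Weight tables follow the IPS 5.x
formula as recalled (an assumption); events and ids are constructed."""
from collections import defaultdict
from typing import Dict, List, Optional

SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE = {"zero": 50, "low": 75, "medium": 100, "high": 150,
                "mission-critical": 200}
RELEVANCE = {"relevant": 10, "unknown": 0, "not-relevant": -10}


def risk_rating(severity: str, fidelity: int, target_value: str,
                relevance: str = "unknown") -> int:
    """0..100.  fidelity is the signature's own 0..100 confidence; a low
    value means the signature is prone to false positives."""
    if not 0 <= fidelity <= 100:
        raise ValueError("fidelity must be 0..100")
    rr = (SEVERITY[severity] * fidelity * TARGET_VALUE[target_value]) / 10000
    rr += RELEVANCE[relevance]
    return max(0, min(100, int(round(rr))))


def mitigation_action(rr: int, deny_at: int = 90) -> str:
    """Policy driven by the rating: deny inline only when the rating is high
    enough that a false positive is unlikely; otherwise alert."""
    return "deny-packet" if rr >= deny_at else "alert"


class MetaEventGenerator:
    """Fires once every component signature has been seen from the same
    source within `window` seconds (the slide's A + B + C + D = WORM)."""

    def __init__(self, components: List[str], window: float):
        self.components = frozenset(components)
        self.window = window
        # source -> {signature id: time of most recent hit}
        self._seen: Dict[str, Dict[str, float]] = defaultdict(dict)

    def observe(self, source: str, sig_id: str, t: float) -> Optional[dict]:
        if sig_id not in self.components:
            return None
        hist = self._seen[source]
        hist[sig_id] = t
        recent = {s for s, ts in hist.items() if t - ts <= self.window}
        if recent != self.components:
            return None
        hist.clear()                      # fire once per completed pattern
        return {"source": source, "signatures": sorted(recent), "time": t}


# Constructed event stream from two sources; only 10.0.0.5 completes A..D.
SAMPLE_EVENTS = [
    ("10.0.0.5", "A", 0), ("10.0.0.5", "B", 2), ("10.0.0.9", "A", 3),
    ("10.0.0.5", "C", 4), ("10.0.0.9", "B", 5), ("10.0.0.5", "D", 6),
]


def triage(events):
    """Rate each raw event, correlate, and rate any meta-event.  Returns
    (per-event actions, list of (meta-event, action))."""
    meg = MetaEventGenerator(["A", "B", "C", "D"], window=10)
    per_event, meta = [], []
    for src, sig, t in events:
        rr = risk_rating("low", fidelity=70, target_value="medium")
        per_event.append(mitigation_action(rr))       # low rating: alert only
        m = meg.observe(src, sig, t)
        if m is not None:
            # The completed pattern is treated as a known worm: high
            # severity, full fidelity, and relevant to the target.
            rr_meta = risk_rating("high", 100, "high", "relevant")
            meta.append((m, mitigation_action(rr_meta)))
    return per_event, meta


if __name__ == "__main__":
    actions, metas = triage(SAMPLE_EVENTS)
    print(actions)
    print(metas)
```

Each of the four component events rates 35 on its own and only alerts; the meta-event that the fourth one completes rates at the cap and is the only thing that drops a packet, which is the behaviour the "Event D: DROP" picture shows. Note that a source which never completes the pattern inside the window (10.0.0.9 here) is never promoted, so the window length is a tuning knob for false positives just as much as fidelity is.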
10/30
Cisco ASA 5500 Series VPN Solutions: Enterprise-Class Site-to-Site VPN Capabilities
- Network-aware site-to-site VPNs
- QoS-Enabled VPN: support for low-latency queuing for latency-sensitive traffic such as VoIP
- IPSec Stateful Failover: provides high-performance Active-Standby failover with automatic key and SA information synchronization
- OSPF Routing over VPN (figure shows the tunnel crossing the Internet)
- Robust X.509 Certificate Support: manual enrollment support (PKCS 7/10), n-tiered X.509 certificate chaining support, 4096-bit RSA key size support
11/30
Cisco VPN Are You There (AYT) & CSA: Comprehensive Endpoint Protection
Cisco AYT provides the ability to perform security posture checks when a VPN connection attempt is received.
- Enforces usage of authorized host-based security products (such as the Cisco Security Agent) and verifies their version number, policies, and status prior to granting access to the corporate network
- Checks that security products are both installed and active
- Pushes embedded personal firewall policy
- Re-checks posture every 30 seconds, protecting against user disablement
(Figure: a telecommuter with IPSec VPN and CSA connects across the Public Internet, where viruses, worms, trojans and malware circulate, to the VPN concentrator.)
12/30
Cost-Effective VPN Headend Scaling: Pay as You Grow with Load Balancing and Clustering
(Figure: four clustered ASA 5500s with inside addresses 10.10.1.1 through 10.10.1.4 and outside addresses 124.118.24.31 through 124.118.24.34; one is the cluster master and answers on the cluster IP address.)
- Client requests connection to 124.118.24.50 (the cluster IP address)
- Virtual cluster master responds with 124.118.24.33
- Client requests IPSec/SSL session to 124.118.24.33
- Cluster multiple Cisco ASA 5500s to scale as needed to 10,000s of users
- Dynamic load balancing ensures effective utilization of all clustered devices
- Clustering with load balancing provides maximum uptime
- Seamlessly integrates with existing Cisco VPN 3000 clusters
13/30
WebVPN: SSL-Based Remote Access Enables Clientless Remote Connectivity
Free SSL VPN trial, included in base pricing. No per-feature licenses!
- Web Page Access (HTTP/HTTPS)
- Remote E-Mail Access: Outlook (MAPI), OWA, POP, IMAP, SMTP, Notes, iNotes
- File Access on Enterprise Servers: Windows CIFS file shares via web interface
- Flexible Login Options: customizable for diverse user communities; group-based access control; support for all enterprise authentication mechanisms
- Port Forwarding: access to thick-client TCP-based applications
- Web-Based Management: full-featured configuration and monitoring
14/30
Virtualized Services and Transparent Operation: Simplifies Deployment and Reduces Operational Costs
Scalable Security Services:
- Adds support for Security Contexts (virtual firewalls) to lower operational costs
- Enables device consolidation and segmentation
- Supports separated policies and administration
Easy to Deploy Firewall and IPS Services:
- Introduces transparent firewall capabilities for rapid deployment of security
- Drops into existing networks without any need to readdress the network
- Simplifies deployment of internal firewalling and security zoning for new applications
(Figure: one appliance running Transparent Firewall and IPS, inserted into an existing network and serving Dept/Cust 1, Dept/Cust 2 and Dept/Cust 3.)
15/30
Advanced Network Integration: Maximizes Uptime and Supports Next-Gen Networks
Improved Network and Device Resiliency:
- Introduces Active-Active failover for enhanced resiliency and asymmetric routing support
- Delivers new zero-downtime software upgrade capability for improved uptime
Intelligent Network Integration:
- Provides QoS traffic prioritization for improved handling of latency-sensitive traffic
- Adds IPv6 support for hybrid IPv4/IPv6 network environments
- Delivers PIM sparse mode multicast support for improved support of streaming data delivery services, video conferencing, and other mission-critical real-time enterprise applications
(Figure: an Active/Active failover pair, and a Quality of Service queue with voice (V) packets prioritized ahead of data (D) packets.)
16/30
Application Inspection and Access Control: Services Convergence Enables Stronger Security
Full Service Firewall with Application Inspection and Control:
- Stateful Layer 3-7 inspection
- Application and access control
- Dynamic protocol descriptor updates
- Quality of Service
Enables control of:
- Peer-to-peer: Kazaa and Gnutella
- Instant messaging
- HTTP and port 80 tunneled applications
- Voice over IP
- And many more!
Designed from the ground up for reliable dynamic control of the application layer.
(Figure: business traffic and peer-to-peer/tunneled applications headed for the Public Internet through the ASA 5500, which controls which gets through.)
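"Control of HTTP and port 80 tunneled applications" comes down to conformance checking: an engine that knows what an HTTP request must look like can refuse a flow on port 80 that is really TLS, SSH, or a peer-to-peer protocol dressed up with a fake method. The checker below is an added example for this page, not Cisco's HTTP inspection engine. It validates the request line, the method, the protocol version, the URI length and the header syntax of the first client bytes of a flow, and reports a protocol violation otherwise. The method list, the size limit and the sample payloads are constructed; a real engine also applies per-method and per-header policy and inspects the response side.

```python
"""Port-80 conformance check: is the first client payload actually HTTP?
Method set, URI limit and sample payloads are constructed for this example."""
import re
from typing import Dict, Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS",
                   "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r\n")
# RFC 2616 token characters, a colon, optional whitespace, then the value.
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*\r\n")
MAX_URI = 2048


def check_request(payload: bytes) -> Tuple[str, str]:
    """Classify the first client bytes of a port-80 flow.
    Returns ("ok", method) or ("protocol-violation", reason)."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return "protocol-violation", "no HTTP request line"
    method, uri, major, minor = m.groups()
    meth = method.decode()
    if meth not in ALLOWED_METHODS:
        return "protocol-violation", f"unknown method {meth}"
    if (major, minor) not in ((b"1", b"0"), (b"1", b"1")):
        return "protocol-violation", "unsupported HTTP version"
    if len(uri) > MAX_URI:
        return "protocol-violation", "request-URI too long"
    # Walk the headers up to the blank line; a partial payload that ends
    # mid-headers is accepted, a line that is not a header is not.
    rest = payload[m.end():]
    while rest and not rest.startswith(b"\r\n"):
        h = HEADER_LINE.match(rest)
        if not h:
            return "protocol-violation", "malformed header"
        rest = rest[h.end():]
    return "ok", meth


# Constructed first-payload samples for flows arriving on TCP/80.
SAMPLES: Dict[str, bytes] = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: x\r\n\r\n",
    "tls-on-80": bytes.fromhex("160301"),        # TLS record header
    "ssh-on-80": b"SSH-2.0-OpenSSH_4.2\r\n",
    "bogus-method": b"BOGUS / HTTP/1.1\r\n\r\n",
    "long-uri": b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\n\r\n",
    "bad-header": b"GET / HTTP/1.0\r\nnot a header\r\n\r\n",
}


def classify_all(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Verdict per sample: 'ok' or 'protocol-violation'."""
    return {name: check_request(p)[0] for name, p in samples.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:>12}: {check_request(payload)}")
```

Only the real browser request passes; everything else is dropped as a protocol violation before any application data is forwarded. The check is deliberately strict on the first bytes because that is where a tunnelling client gives itself away, and deliberately lenient about a request cut off mid-headers because the engine sees the stream segment by segment.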
17/30
Zero-Hour Worm Mitigation at Line Rate! Services Convergence Enables Stronger Security
Leverages the depth of IPS, firewall, and zero-hour protection features to stop malicious worms and viruses, without a performance loss!
Line-rate analysis:
- De-obfuscation
- Deep packet inspection
- Protocol anomaly detection
- Heuristic analysis
- Traffic normalization
Comprehensive response:
- Attack drop
- Session removal
- Server DoS protection through session resets
(Figure: Slammer, MS Blaster, Witty, Code Red, NIMDA and "W32.Tomorrows-Threat" arriving from the Public Internet are stopped at the ASA 5500.)
18/30
Cisco ASA 5500 Series Provides Highly Flexible and Scalable VPN Services
Combined IPSec and WebVPN services allow tailored solutions for a business's growing connectivity and scalability requirements.
Access scenarios:
- Site-to-site connectivity
- Managed desktop
- Employee desktop
- Kiosk access
- Full or limited network access
- Partner access
Converged IPSec, WebVPN, Firewall:
- Inspect/control VPN sessions
- Single RA VPN device infrastructure
- Unified user management
- Unmatched scalability
- Comprehensive load balancing
(Figure: an ASA 5500 headend reached across the Public Internet by an account manager / mobile user, a branch office / site-to-site link, an employee at home on an unmanaged desktop, and a supply partner / extranet; two of the connections are SSL and two are IPSec.)
19/30
Cisco ASA 5500 Series Product Lineup: Solutions Ranging from SMB to Large Enterprise

                                  Cisco ASA 5510          Cisco ASA 5520              Cisco ASA 5540
Target Market                     SMB and SME             Enterprise                  Large Enterprise
Max Firewall                      300 Mbps                450 Mbps                    650 Mbps
Max Concurrent Threat Mitigation  150 Mbps                375 Mbps                    450 Mbps
Max IPSec VPN                     170 Mbps                225 Mbps                    325 Mbps
Base Platform Services            App FW, IPSec and       Same as 5510, plus          Same as 5520, with
                                  SSL VPN, and more;      A/A Failover, VPN           higher performance
                                  A/S HA (Upg.),          Clustering, 4 GE + 1 FE     and scalability
                                  3 FE to 5 FE
List Price                        Starting at $3,495      Starting at $7,995          Starting at $16,995
20/30
Cisco ASA 5520/5540 Adaptive Security Appliances: Product Tour
- Sleek, high-performance 1 rack unit (RU) design
- Four 10/100/1000 copper Gigabit ports
- One 10/100 out-of-band management port*
- One expansion slot for additional accelerated services or I/O
- Single field-upgradeable AC or DC power supply
- Console and AUX ports
- Five status LEDs (Power, Status, Active, VPN, Flash)
- Two USB 2.0 ports for future expansion (credentials, failover, and more)
- Diskless architecture for high reliability
- Compact Flash for software, config, and log storage
21/30
Cisco ASA Security Services Module (SSM) 10 & 20: Product Tour
- High-performance module for additional services
- Thumbscrews for easy insertion and removal
- Gigabit Ethernet port for out-of-band management, etc.
- Diskless (Flash-based) design for improved reliability
22/30
Licensing on the Cisco ASA 5500 Series
- All primary firewall and VPN services are in the base systems
- Several licenses enable additional feature content:
- ASA 5510 Security Plus: Active/Standby HA, VLANs, capacity
- ASA 5520/5540 VPN Plus/Premium: unlocks additional VPN peers
- Security Contexts: several tiers available (5, 10, 20, and 50)
- GTP Inspection: enables 3G mobile wireless security features
- Additional services delivered via Security Services Modules: full-featured, high-performance IPS services (AIP SSM); requires an IPS Services contract for signature updates
- More services to come in the future
23/30
Cisco ASA Adaptive Security Appliances: Industry Certifications and Evaluations
- Common Criteria: Future: EAL4+, v7.0(4) ASA Family
- FIPS 140: Future: Level 2, v7.0(4) ASA Family
- ICSA Firewall 4.1, Corporate Category: Future: v7.0(1) ASA Family
- ICSA IPSec 1.1D: Future: v7.0(1) ASA Family
- VPNC: Tentative: v7.0(1) ASA Family
All of the above are listed as future or tentative as of this presentation; none is a completed evaluation of the ASA family at this point.
24/30
Comprehensive Management, Monitoring & Response: Converged Services Reduce Complexity and Costs
- Device Management: Cisco Adaptive Security Device Manager (ASDM): integrated, web-based management; converged configuration of FW, IPS, VPN, AV; real-time monitoring tools
- System Management: CiscoWorks VPN/Security Management (VMS) System, Solsoft Policy Server: multi-device integrated management; enterprise-scale provisioning
- Monitoring and Response: Cisco Security MARS, CiscoWorks SIMS: multi-platform event management and response; sophisticated data reduction and correlation
- Auditing: Cisco Security Auditor: device posture validation against industry best practices and regulatory compliance
25/30
Cisco Adaptive Security Device Manager (ASDM) v5.0: Next Generation of the Popular Cisco PIX Device Manager
Adds support for all major new features introduced in PIX OS v7.0.
Homepage includes new features, such as:
- Platform uptime
- Security Contexts
- Real-time syslog viewer (last ten)
- Improved navigation
- Powerful search capabilities
- And more!
26/30
Cisco Adaptive Security Device Manager (ASDM) v5.0: Robust Firewall Management and Monitoring
Cisco Confidential NDA Use Only
Cisco ASDM v5.0 delivers robust firewall management and monitoring of a Cisco ASA appliance.
Supports full configuration of:
- Access control lists
- Network and service object groups
- Inspection engines
- NAT/PAT
- AAA and more
Supports monitoring of:
- Syslog (real-time)
- Connections
- Throughput & more!
27/30
Cisco Adaptive Security Device Manager v5.0: Comprehensive VPN Management and Monitoring
Cisco ASDM v5.0 delivers comprehensive remote access and site-to-site VPN management and monitoring of a single Cisco ASA appliance.
Supports full configuration of:
- WebVPN
- IPSec RA groups
- S2S tunnels
- AAA, DHCP, & more!
Supports monitoring of:
- Uptime, bytes transferred, by tunnel
- VPN usage trends
28/30
Cisco Adaptive Security Device Manager v5.0: Extensive IPS Management and Monitoring
Cisco ASDM v5.0 delivers extensive IPS management and monitoring of a single Cisco ASA appliance.
Supports full configuration of:
- Engines
- Signatures
- Threat Risk Rating
- IPS actions
- And more!
Supports monitoring of:
- Events
- Diagnostic reports
- Sensor statistics
29/30
Summary: Cisco ASA 5500 Series, 3 Take-aways
- Eliminates security tradeoffs with converged security services
- Single platform, many uses reduces operational costs
- Unprecedented technology extensibility adapts to new threats
30/30