Page 1: Firewall + ips update

Firewall + IPS Update

Bruno Pedersoli, System Engineer | Comstor

Page 2: Firewall + ips update

• Cisco ASA 5500-X Overview

• Hardware

• Software

• Management

• Q & A

Agenda

Page 3: Firewall + ips update

ASA 5500-X Series (Saleen)

Overview

Page 4: Firewall + ips update

Shipping since 2005

Firewalls of choice for small businesses and large enterprises alike

Model      Firewall throughput
ASA 5510   300 Mbps
ASA 5520   450 Mbps
ASA 5540   650 Mbps
ASA 5550   1.2 Gbps

Cisco’s Current Mid-range ASA Product Portfolio (Benetton)

Page 5: Firewall + ips update

5 new models to meet varied throughput demands

Model        Firewall throughput
ASA 5512-X   1 Gbps
ASA 5515-X   1.2 Gbps
ASA 5525-X   2 Gbps
ASA 5545-X   3 Gbps
ASA 5555-X   4 Gbps

1. Multi-Gig Performance: to meet growing throughput requirements

2. Accelerated Integrated Services (no extra hardware required): to support changing business needs

3. Next-gen services enabled platform: to provide investment protection

Next-Generation Security Services Platforms

Page 6: Firewall + ips update

Cisco ASA 5500 Series Portfolio: Comprehensive Solutions from SOHO to the Data Center

[Figure: models plotted by performance and scalability (vertical axis) against deployment segment (horizontal axis: Internet Edge, Branch Office, Campus, Data Center); “NEW” marks the 5500-X models]

Multi-Service (Firewall/VPN and IPS)

Model                Firewall throughput   Connections/sec
ASA 5585-X SSP-60    40 Gbps               350K
ASA 5585-X SSP-40    20 Gbps               200K
ASA 5585-X SSP-20    10 Gbps               125K
ASA 5585-X SSP-10    4 Gbps                50K
ASA 5555-X (NEW)     4 Gbps                50K
ASA 5545-X (NEW)     3 Gbps                30K
ASA 5525-X (NEW)     2 Gbps                20K
ASA 5515-X (NEW)     1.2 Gbps              15K
ASA 5512-X (NEW)     1 Gbps                10K
ASA 5550             1.2 Gbps              36K
ASA 5540             650 Mbps              25K
ASA 5520             450 Mbps              12K
ASA 5510+            300 Mbps              9K
ASA 5510             300 Mbps              9K

Firewall/VPN Only (SOHO)

ASA 5505             150 Mbps              4K

Page 7: Firewall + ips update

Next Generation ASA Mid-Range Appliances

At-A-Glance

64Bit Multi-Core Processor

Up to 16GB of Memory

Built-In Multi-Core Crypto Accelerator Hardware

Dedicated IPS Hardware Acceleration Card

Up to 14 1GE Ports

Copper & Fiber I/O options

Firewall, VPN & IPS Services

Dedicated OOB Management Port

Performance

Density

Flexibility

Integrated Services

Management Consolidation

ASA 5500-X H/W Features

Customer Benefits

Page 8: Firewall + ips update

Long Chassis (5545-X & 5555-X): hot-swappable redundant dual power supply; hot-swappable hard-disk drive bays; fan vent for front-to-back airflow

Short Chassis (5512-X, 5515-X & 5525-X): fixed single power supply

Depth callouts in the figure: 14” and 19”

Hardware

Page 9: Firewall + ips update

Back-panel callouts: I/O expansion slot; status LEDs; serial console; USB port; 6 x 1GE Cu ports; fixed power supply; dedicated Mgmt port (1GE)

ASA 5512-X/ASA 5515-X Back Panel

Page 10: Firewall + ips update

ASA 5525-X back-panel callouts: I/O expansion slot; status LEDs; serial console; USB port; 8 x 1GE Cu ports; fixed power supply; dedicated Mgmt port (1GE)

ASA 5545-X back-panel callouts: I/O expansion slot; status LEDs; serial console; USB port; 8 x 1GE Cu ports; redundant hot-swappable PSU; dedicated Mgmt port (1GE)

ASA 5525-X/ASA 5545-X Back Panel

Page 11: Firewall + ips update

Back-View Summary

ASA 5512-X

ASA 5515-X

ASA 5525-X

ASA 5545-X

ASA 5555-X

Page 12: Firewall + ips update

Model             Height   Width   Depth   Weight
5512-X, 5515-X    1.67”    16.7”   15.6”   13.38 kg
5525-X            1.67”    16.7”   15.6”   14.92 kg
5545-X, 5555-X    1.67”    16.7”   19.1”   16.82 kg

Physical Specifications

Page 13: Firewall + ips update

Temperature: Operating 0 °C to +40 °C; Non-Operating -30 °C to +70 °C

Humidity Range: Non-Operating 5% to 95% RH (non-condensing)

Altitude: Operating 0 to 3024 m; Non-Operating up to 4572 m

Airflow: Front to back

Environmental Specifications

Page 14: Firewall + ips update

• Works in load-sharing mode when both PSUs are present.

• Power Supply Specifications
  Input Rating: 100 ~ 120 V / 5 A; 200 ~ 240 V / 2.5 A
  Leakage Current: 3.5 mA
  Operating Power: 382 W
  Power Cord Rating: 10 A

Models                   Power Supply
ASA 5545-X, ASA 5555-X   ASA-PWR-AC (spare SKU: ASA-PWR-AC=)

Optional Accessories: Redundant Power Supply

Page 15: Firewall + ips update

I/O expansion cards are available in two flavors, both available on all 5500-X platforms:

• 6-port 10/100/1000BASE-T, RJ45 connector I/O NIC card

• 6-port 1GbE SFP connector I/O NIC card

ASA 5500-X I/O Module Options

Page 16: Firewall + ips update

Platform          I/O Card GbE (Cu)                            I/O Card SFP                                   Total Data Ports
5512-X, 5515-X    ASA-IC-6GE-CU-A (spare: ASA-IC-6GE-CU-A=)    ASA-IC-6GE-SFP-A (spare: ASA-IC-6GE-SFP-A=)    12
5525-X            ASA-IC-6GE-CU-B (spare: ASA-IC-6GE-CU-B=)    ASA-IC-6GE-SFP-B (spare: ASA-IC-6GE-SFP-B=)    14
5545-X, 5555-X    ASA-IC-6GE-CU-C (spare: ASA-IC-6GE-CU-C=)    ASA-IC-6GE-SFP-C (spare: ASA-IC-6GE-SFP-C=)    14

Short Reach Optics*   GLC-SX-MM, GLC-SX-MMD
Long Reach Optics*    GLC-LH-SM, GLC-LH-SMD

Interface Options

Page 17: Firewall + ips update

Specification          ASA 5512-X              ASA 5515-X              ASA 5525-X              ASA 5545-X                   ASA 5555-X
Platform base          1RU short chassis,      1RU short chassis,      1RU short chassis,      1RU long chassis,            1RU long chassis,
                       19” rack mountable      19” rack mountable      19” rack mountable      19” rack mountable           19” rack mountable
CPU                    1x 2.8 GHz Intel 2C/2T  1x 3.06 GHz Intel 2C/4T 1x 2.40 GHz Intel 4C/4T 1x 2.66 GHz Intel 4C/8T      1x 2.80 GHz Intel 4C/8T
DRAM                   4 GB                    8 GB                    8 GB                    12 GB                        16 GB
Regex accel mezz card  N/A                     N/A                     1                       1                            1
Compact flash          4 GB eUSB               8 GB eUSB               8 GB eUSB               8 GB eUSB                    8 GB eUSB
I/O ports              6 x 1GbE Cu +           6 x 1GbE Cu +           8 x 1GbE Cu +           8 x 1GbE Cu +                8 x 1GbE Cu +
                       1 x 1GbE Cu Mgmt        1 x 1GbE Cu Mgmt        1 x 1GbE Cu Mgmt        1 x 1GbE Cu Mgmt             1 x 1GbE Cu Mgmt
Optional I/O module    6 x 1GbE Cu or 6 x 1GbE SFP (all models)
Power                  Single fixed AC PSU     Single fixed AC PSU     Single fixed AC PSU     Dual hot-swappable           Dual hot-swappable
                                                                                               redundant AC PSU             redundant AC PSU
Crypto capacity        1 x crypto chip, 4C     1 x crypto chip, 4C     1 x crypto chip, 4C     1 x crypto chip, 8C          1 x crypto chip, 8C

Saleen ASA Platform Matrix

Page 18: Firewall + ips update

ASA 5510 – ASA 5550                                     ASA 5512-X – ASA 5555-X
Single-core CPU                                         Multi-core CPU
1 GB to 4 GB DDR1 RAM                                   4 GB to 16 GB DDR3 RAM
Base I/O ports limited to 4 x 1GbE copper interfaces    Base I/O ports up to 8 x 1GbE copper interfaces
4 x 1GbE I/O port expansion module                      6 x 1GbE copper or fiber SFP I/O expansion module
IPS on SSM card                                         Integrated IPS service within the same chassis
N/A                                                     Redundant hot-swappable power supply units
N/A                                                     Regex accelerator card
N/A                                                     Hard disk support

Saleen hardware comparison with ASA 5510 – ASA 5550

Page 19: Firewall + ips update

Specification                                   ASA 5510                                                   ASA 5512-X
Price                                           $3,495                                                     $3,995
Firewall Throughput (Max)                       300 Mbps                                                   1 Gbps
Firewall Throughput (EMIX)                      Not Measured                                               500 Mbps
IPS Throughput (Media Rich)                     150 Mbps                                                   300 Mbps
VPN Throughput                                  170 Mbps                                                   200 Mbps
Connections (Max)                               50,000                                                     100,000
Connections per second                          9,000                                                      10,000
VLANs                                           50                                                         50
Security Contexts (Incl/Max)                    0/0                                                        0/0
High Availability & VPN Clustering              No                                                         No
Services                                        IPS, VPN, Content Security                                 IPS, VPN, next-gen services*
Service Restriction                             IPS, Content Security, I/O expansion mutually exclusive    No restriction (multiple services run at the same time in software)
Site-to-Site/IPsec IKEv1 Client Sessions /
AnyConnect/Clientless VPN Sessions              250                                                        250
Integrated Network I/O                          5 FE                                                       6 GE
Dedicated Management Port                       No                                                         Yes (GE)
Expansion I/O                                   4-port GE, 4-port GE SFP                                   6-port GE Cu, 6-port GE SFP
CPU                                             Single-core                                                Multi-core
RAM                                             1 GB                                                       4 GB

Key Changes
Performance: 4X firewall throughput; increased IPS and VPN throughput
Hardware: multi-core instead of single-core CPU; 4X memory; dedicated management port; additional (+1) integrated I/O ports; additional (+2) expansion I/O ports; GE instead of FE ports; expansion slot now only for I/O expansion
Services: IPS does not require a hardware module; next-gen services ready

ASA 5512-X versus ASA 5510

* Content Security Service to be made available as a ScanSafe connector on ASA; next-gen services can be added without requiring an additional hardware module

Page 20: Firewall + ips update

Specification                                   ASA 5510+                                                  ASA 5515-X
Price                                           $4,495                                                     $4,995
Firewall Throughput (Max)                       300 Mbps                                                   1.2 Gbps
Firewall Throughput (EMIX)                      Not Measured                                               600 Mbps
IPS Throughput (Media Rich)                     300 Mbps                                                   400 Mbps
VPN Throughput                                  170 Mbps                                                   250 Mbps
Connections (Max)                               100,000                                                    250,000
Connections per second                          9,000                                                      15,000
VLANs                                           100                                                        100
Security Contexts (Incl/Max)                    2/20                                                       2/20
High Availability & VPN Clustering              Yes                                                        Yes
Services                                        IPS, VPN, Content Security                                 IPS, VPN, next-gen services*
Service Restriction                             IPS, Content Security, I/O expansion mutually exclusive    No restriction (multiple services run at the same time in software)
Site-to-Site/IPsec IKEv1 Client Sessions /
AnyConnect/Clientless VPN Sessions              250                                                        250
Integrated Network I/O                          2 GE, 3 FE                                                 6 GE
Dedicated Management Port                       No                                                         Yes (GE)
Expansion I/O                                   4-port GE, 4-port GE SFP                                   6-port GE Cu, 6-port GE SFP
CPU                                             Single-core                                                Multi-core
RAM                                             1 GB                                                       8 GB

Key Changes
Licensing: Security Plus license not required
Performance: 4X firewall throughput; increased IPS and VPN throughput
Hardware: multi-core instead of single-core CPU; 8X memory; dedicated management port; additional (+1) integrated I/O ports; additional (+2) expansion I/O ports; all GE ports instead of FE ports; expansion slot now only for I/O expansion
Services: IPS does not require a hardware module; next-gen services ready

ASA 5515-X versus ASA 5510+

* Content Security Service to be made available as a ScanSafe connector on ASA; next-gen services can be added without requiring an additional hardware module

Page 21: Firewall + ips update

Specification                                   ASA 5520                                                   ASA 5525-X
Price                                           $7,995                                                     $8,995
Firewall Throughput (Max)                       450 Mbps                                                   2 Gbps
Firewall Throughput (EMIX)                      Not Measured                                               1 Gbps
IPS Throughput (Media Rich)                     450 Mbps                                                   600 Mbps
VPN Throughput                                  225 Mbps                                                   300 Mbps
Connections (Max)                               280,000                                                    500,000
Connections per second                          12,000                                                     20,000
VLANs                                           150                                                        200
Security Contexts (Incl/Max)                    2/20                                                       2/20
High Availability & VPN Clustering              Yes                                                        Yes
Services                                        IPS, VPN, Content Security                                 IPS, VPN, next-gen services*
Service Restriction                             IPS, Content Security, I/O expansion mutually exclusive    No restriction (multiple services run at the same time in software)
Site-to-Site/IPsec IKEv1 Client Sessions /
AnyConnect/Clientless VPN Sessions              750                                                        750
Integrated Network I/O                          4 GE + 1 FE                                                8 GE
Dedicated Management Port                       No                                                         Yes (GE)
Expansion I/O                                   4-port GE, 4-port GE SFP                                   6-port GE Cu, 6-port GE SFP
CPU                                             Single-core                                                Multi-core
RAM                                             2 GB                                                       8 GB

Key Changes
Performance: 4X firewall throughput; increased IPS and VPN throughput
Hardware: multi-core instead of single-core CPU; 4X memory; dedicated management port; additional (+3) integrated I/O ports; additional (+2) expansion I/O ports; expansion slot now only for I/O expansion
Services: IPS does not require a hardware module; next-gen services ready

ASA 5525-X versus ASA 5520

* Content Security Service to be made available as a ScanSafe connector on ASA; next-gen services can be added without requiring an additional hardware module

Page 22: Firewall + ips update

Specification                                   ASA 5540                                                   ASA 5545-X
Price                                           $16,995                                                    $17,995
Firewall Throughput (Max)                       650 Mbps                                                   3 Gbps
Firewall Throughput (EMIX)                      Not Measured                                               1.5 Gbps
IPS Throughput (Media Rich)                     650 Mbps                                                   900 Mbps
VPN Throughput                                  325 Mbps                                                   400 Mbps
Connections (Max)                               400,000                                                    750,000
Connections per second                          25,000                                                     30,000
VLANs                                           200                                                        300
Security Contexts (Incl/Max)                    2/50                                                       2/50
High Availability & VPN Clustering              Yes                                                        Yes
Services                                        IPS, VPN, Content Security                                 IPS, VPN, next-gen services*
Service Restriction                             IPS, Content Security, I/O expansion mutually exclusive    No restriction (multiple services run at the same time in software)
Site-to-Site/IPsec IKEv1 Client Sessions /
AnyConnect/Clientless VPN Sessions              5000/2500                                                  2500
Integrated Network I/O                          4 GE + 1 FE                                                8 GE
Dedicated Management Port                       No                                                         Yes (GE)
Expansion I/O                                   4-port GE, 4-port GE SFP                                   6-port GE Cu, 6-port GE SFP
CPU                                             Single-core                                                Multi-core
RAM                                             2 GB                                                       12 GB
Redundant Power                                 No                                                         Yes

Key Changes
Performance: 4X firewall throughput; increased IPS and VPN throughput
Hardware: multi-core instead of single-core CPU; 6X memory; dedicated management port; additional (+3) integrated I/O ports; additional (+2) expansion I/O ports; expansion slot now only for I/O expansion
Services: IPS does not require a hardware module; next-gen services ready

ASA 5545-X versus ASA 5540

* Content Security Service to be made available as a ScanSafe connector on ASA; next-gen services can be added without requiring an additional hardware module

Page 23: Firewall + ips update

Specification                                   ASA 5550                          ASA 5555-X
Price                                           $19,995                           $24,995
Firewall Throughput (Max)                       1.2 Gbps                          4 Gbps
Firewall Throughput (EMIX)                      Not Measured                      2 Gbps
IPS Throughput (Media Rich)                     Not Applicable                    1.3 Gbps
VPN Throughput                                  425 Mbps                          700 Mbps
Connections (Max)                               600,000                           1,000,000
Connections per second                          36,000                            50,000
VLANs                                           400                               500
Security Contexts (Incl/Max)                    2/100                             2/100
High Availability & VPN Clustering              Yes                               Yes
Services                                        VPN only                          IPS, VPN, next-gen services*
Site-to-Site/IPsec IKEv1 Client Sessions /
AnyConnect/Clientless VPN Sessions              5000                              5000
Integrated Network I/O                          8 GE + 1 FE                       8 GE
Dedicated Management Port                       No                                Yes (GE)
Expansion I/O                                   Not Available                     6-port GE Cu, 6-port GE SFP
CPU                                             Single-core                       Multi-core
RAM                                             4 GB                              16 GB
Redundant Power                                 No                                Yes

Key Changes
Performance: 4X firewall throughput; increased IPS and VPN throughput
Hardware: multi-core instead of single-core CPU; 4X memory; dedicated management port; expansion I/O now available
Services: IPS does not require a hardware module; next-gen services ready

ASA 5555-X versus ASA 5550

* Content Security Service to be made available as a ScanSafe connector on ASA; next-gen services can be added without requiring an additional hardware module

Page 24: Firewall + ips update

New Feature – IPS Module

• A new licensing feature was introduced to enable the use of the IPS software module.

• If this license is not enabled AND the service policy is configured ‘fail-close’, the ASA drops traffic destined to the IPS (with ‘fail-open’ configured, matching traffic is forwarded without inspection).

• An IPS Signature Update license is required in addition to the above license.

• All other license features remain unchanged and are based on ASA 8.4.2 software.

Licensing Changes: ASA Licensing

Page 25: Firewall + ips update

Enabling IPS Service
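The deck leaves the service policy itself to a screenshot. As an added example, which is not from the deck or from Cisco documentation, the ASA CLI below shows the weak setting, fail-open, next to the fail-close setting that the licensing slide refers to. The access-list and class-map names (IPS_TRAFFIC, IPS_CLASS) and the paraphrased show output are assumptions; the ips, show module, show activation-key and service-policy commands are the standard ASA commands for the 5500-X software IPS module.

```text
! 1. Confirm the IPS module license and module state before steering traffic.
!    (show output is paraphrased; exact column layout differs by release)
ciscoasa# show activation-key
  ...
  IPS Module                : Enabled
  ...
ciscoasa# show module ips details
  ...
  Status: Up
  ...

! 2. Select the traffic to inspect. IPS_TRAFFIC and IPS_CLASS are
!    placeholder names; "permit ip any any" sends everything to the module.
ciscoasa(config)# access-list IPS_TRAFFIC extended permit ip any any
ciscoasa(config)# class-map IPS_CLASS
ciscoasa(config-cmap)# match access-list IPS_TRAFFIC
ciscoasa(config-cmap)# exit

! 3a. Weak setting: fail-open. If the module is down, not yet licensed,
!     or being re-imaged, matching traffic is forwarded UNINSPECTED.
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class IPS_CLASS
ciscoasa(config-pmap-c)# ips inline fail-open
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit

! 3b. Hardened setting: fail-close. Under the same conditions the ASA now
!     DROPS the traffic, which is the behaviour the licensing slide
!     describes for an unlicensed module. Remove 3a first, then apply 3b.
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class IPS_CLASS
ciscoasa(config-pmap-c)# no ips inline fail-open
ciscoasa(config-pmap-c)# ips inline fail-close
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit

! 4. global_policy is normally applied globally already; this makes it explicit.
ciscoasa(config)# service-policy global_policy global

! 5. Verify which action is active and that packets are being counted.
ciscoasa# show running-config policy-map global_policy
ciscoasa# show service-policy
```

The choice between the two settings is availability against assurance: fail-close is the setting to use where an uninspected flow is worse than a dropped one, and it means that an unlicensed, reloading or shut-down module turns the class into a black hole, so the license check in step 1 and any `sw-module module ips` maintenance should be planned with that in mind.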

Page 26: Firewall + ips update

• Dedicated out-of-band management port M0/0

• Failover and VLAN sub-interface features are not configurable on M0/0

• ASA and integrated IPS management are independent of each other

• Management model is similar to previous ASA/SSM appliances

• ASA and IPS software module have separate management IP addresses but share the same physical port M0/0 for outbound connectivity

• ASA can log the IPS module’s console messages (“show module 1 log console”)

• ASA configures and manages all external data ports

ASA Management Model

Page 27: Firewall + ips update

• ASA and IPS are managed very similarly to previous SSM/SSP deployments.

• ASA is used to recover, reload, shutdown, etc. IPS.

• ASA is used to configure service-policies to pass traffic to IPS.

• ASA and IPS have unique IP addresses for management purposes.

• ASDM, IME, and IDM behave the same.

Similarities with SSM/SSP

ASA and IPS Management Model (1/2)

Page 28: Firewall + ips update

• ASA and IPS share the only dedicated management port on the box.

• IPS must use the dedicated management port. However, ASA can use any port on the box to manage the system.

• When ASA and IPS are sharing the dedicated management port then the IP address for ASA and IPS should be within the same subnet.

• The IPS image stored on the embedded flash is used to recover the software module instead of downloading the image over the SSM/SSP dedicated management port.

Differences with SSM/SSP

ASA and IPS Management Model (2/2)
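The two slides above describe the management model in prose. As an added example that is not from the deck, here is how that model looks on the CLI: the ASA's own address on Management0/0, the software module's separate address in the same subnet configured through `session ips console`, and the module lifecycle commands that are run from the ASA rather than from the IPS. The 192.0.2.0/24 addresses, the host name asa-ips and the recovery image file name are placeholders.

```text
! --- ASA side: the dedicated out-of-band port -------------------------
! Failover and VLAN sub-interfaces are not supported on M0/0 (per the
! slide); management-only additionally stops it forwarding transit traffic.
! 192.0.2.0/24 is a documentation range used here as a placeholder.
ciscoasa(config)# interface Management0/0
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 192.0.2.10 255.255.255.0
ciscoasa(config-if)# management-only
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

! Restrict ASDM/HTTPS and SSH to the management subnet on that port only.
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.0.2.0 255.255.255.0 management
ciscoasa(config)# ssh 192.0.2.0 255.255.255.0 management

! --- IPS side: same physical port, its own address, same subnet -------
! The console session goes over the backplane, so it works before the
! IPS has any IP address of its own.
ciscoasa# session ips console
sensor login: cisco
Password: <current IPS password>
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# host-ip 192.0.2.11/24,192.0.2.1
sensor(config-hos-net)# host-name asa-ips
! Only the management subnet may reach the sensor's own SSH/HTTPS services.
sensor(config-hos-net)# access-list 192.0.2.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
sensor# exit

! --- Module lifecycle, always driven from the ASA ---------------------
! Status, management IP and software version of the module:
ciscoasa# show module ips details
! IPS console messages, as on the slide:
ciscoasa# show module 1 log console
ciscoasa# sw-module module ips reload
! With "ips inline fail-close" in the policy, a shutdown drops the inspected traffic:
ciscoasa# sw-module module ips shutdown
! Re-image from the copy kept on ASA flash (file name is a placeholder):
ciscoasa# sw-module module ips recover configure image disk0:IPS-SSP-image.aci
ciscoasa# sw-module module ips recover boot
```

Because the ASA and the IPS share one cable, the `http`, `ssh` and IPS `access-list` restrictions are what separate the two management planes from everything else on that segment; the slide's same-subnet requirement is what lets both addresses be reached through a single upstream gateway.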

Page 29: Firewall + ips update

ASDM 6.6.1.14 and above; IME software 7.2.1 and above

Management Software Support

Page 30: Firewall + ips update


Cisco Security Manager 4.3: unified and comprehensive firewall, VPN and IPS management (Device View, Policy View, Map View, Event View)

Saleen H/W support: upcoming release

Page 31: Firewall + ips update

SKU Makeup – Using ASA 5545-X as an example

Page 32: Firewall + ips update

All Hardware SKUs

ASA 5512-X

ASA 5515-X

ASA 5525-X

ASA 5545-X

ASA 5555-X

Page 33: Firewall + ips update

Sample BOMs (Firewall + Single Option)

Page 34: Firewall + ips update

Sample BOMs (Firewall + IPS + Options)

Ordering Tip: With IPS, always start with ASAxxx-IPS-K9

Page 35: Firewall + ips update

Sample BOMs (Firewall + IPS + Options)

Ordering Tip: With IPS, always start with ASAxxx-IPS-K9

Page 36: Firewall + ips update

IPS 43xx Series Mid-Range Appliances

Page 37: Firewall + ips update

Back-panel callouts: single I/O expansion slot; single Mgmt port; serial console port; USB ports; 8 x 1GbE ports (numbered left-to-right); 4360: dual power supply

IPS 43xx Back Panel

Page 38: Firewall + ips update

IPS 43xx Platform Matrix

Page 39: Firewall + ips update

Hardware Comparison with IPS 4240, IPS 4255 and IPS 4260

Page 40: Firewall + ips update

• SMP-enabled kernel

• 64-bit architecture

• Environment monitoring

• Jumbo-frame support

• Flow-control support

• Hardware regex accelerator support for the IPS string-XL engine

High-Performance and Resiliency Features on IPS 43xx Series

Page 41: Firewall + ips update

• IPS SSP modules are based on the 7.1(4) release

• Platform support for new hardware

• Based on the ASA 5585-X line of code

• Supports existing E4 engine update

• Supports all latest signature updates

– Sig S615 is bundled with Saleen images

• 7.1.4 IDM version included with the IPS image

• 7.2.1 IME version provides full support

• CSM support with version 4.3

• IPS 7.1(4) version supports all -X platforms (including 5585-X)

– Additional CFD bug fixes and a few serviceability enhancements are also included in this version

IPS Software

Page 42: Firewall + ips update

Questions