Introducing the Cisco ASA 5500 Series Adaptive Security Appliances
Rizwan Qureshi, Product Manager
ASA 5500 Intro
© 2004 Cisco Systems, Inc. All rights reserved.
Introducing Cisco Adaptive Security Appliances: Delivering Adaptive Threat Defense and VPN Solutions
• Converged Adaptive Threat Defense and Flexible VPN Services: Application Security, Worm/Virus Mitigation, Malware Protection, Threat-Protected VPN and Network Awareness
• Minimize Deployment and Operations Costs: Platform Standardization, Unified Management
• Technology Extensibility to Address New Threats: Purpose-Built Adaptive Identification and Mitigation Architecture Enables Unprecedented Extensibility and Policy Control
The Cisco ASA 5500 Series
Cisco ASA 5500 Series: Convergence of Robust, Market-Proven Technologies
Market-Proven Technologies converge into Adaptive Threat Defense and Secure Connectivity:
• Firewall Technology (Cisco PIX) → Application Security: App Inspection, Use Enforcement, Web Control
• IPS Technology (Cisco IPS) and NW-AV Technology (Cisco IPS, AV) → Anti-X Defenses: Malware/Content Defense, Anomaly Detection
• Network Intelligence (Cisco Network Services) → Network Containment & Control: Traffic/Admission Control, Proactive Response
• VPN Technology (Cisco VPN 3000) → Secure Connectivity: IPSec & SSL VPN
Adaptive Identification and Mitigation (AIM) Services Architecture: Technology Extensibility to Mitigate Current and Future Threats
Security Services Extensibility (layers of the architecture):
• Partner Technology & Service Extensions; Cisco Technology & Service Extensions
• Adaptive Threat Defense: Application Inspection & Control, Anti-X Defenses, Network Containment & Control
• Secure Connectivity: Remote Access VPN Connectivity, Site-to-Site VPN Connectivity
• Adaptive Classification & Policy Framework
• Cisco Intelligent Networking, High Availability, and Scalability Services
The innovative AIM services architecture allows a business to adapt and extend its security services profile via Cisco-developed and partner-provided innovations, delivering high performance for current services along with services extensibility.
Cisco ASA 5500 Series: Breadth and Depth. Industry First! Scalable, Multi-Function, Feature Rich
Application Security
• Multi-layer packet and traffic analysis
• Advanced application and protocol inspection services
• Network application controls
• Advanced VoIP/multimedia security
Anti-X Defense
• Network-based worm and virus mitigation
• Spyware, adware, malware detection and control
• Accurate Prevention Technology for reliable, proactive response
• On-box event correlation and proactive response
Network Containment & Control
• Layer 3 and 4 access control services
• Stateful packet inspection
• Flexible user, network and application policy grouping
Secure Connectivity
• Zero-touch, automatically updateable IPSec remote access
• Flexible and secure SSL VPN services
• QoS/routing-enabled site-to-site VPN
• Integrated threat mitigation protects against VPN-delivered threats
Cisco Networking Services Intelligence
• Low Latency
• Services Virtualization
• Diverse Topologies
• Network Segmentation & Partitioning
• Multicast Support
• Routing, Resiliency, Load-Balancing
Application Inspection & Control Engines: Provide Control over Application Usage & Network Access
• Application and protocol-aware inspection services provide strong application-layer security
• Performs conformance checking, state tracking, security checks, NAT/PAT support and dynamic port allocation
Over 30 Engines
Core Internet Protocols: HTTP, FTP, TFTP, SMTP / ESMTP, DNS / EDNS, ICMP, TCP, UDP
Multimedia / Voice over IP: H.323 v1-4, SIP, SCCP (Skinny), GTP (3G Wireless), MGCP, RTSP, TAPI / JTAPI
Specific Applications: Microsoft Windows Messenger, Microsoft NetMeeting, Real Player, Cisco IP Phones, Cisco Softphones
Database / OS Services: ILS / LDAP, Oracle / SQL*Net (V1/V2), Microsoft Networking, NFS, RSH, SunRPC / NIS+, X Windows (XDMCP)
Security Services: IKE, IPSec, PPTP
Cisco ASA 5500 Series Delivers High Performance Worm/Malware and Attack Mitigation Services
Spyware / Adware
• Prevents installation of malware and blocks “phone home” communications
• Frees network bandwidth and controls the transmission of confidential data
Network Worms & Viruses
• Stops the infection and propagation of malware
• Leverages internal development and partnership with Trend Micro
Directed Attacks
• Controls corporate espionage
• Stops web defacing by preventing web attacks
• Prevents zombie, backdoor, and bot placement, thus stopping automated attacks (e.g., denial of service (DoS))
Traffic Cleansing
• Removes traffic ambiguities such as overwritten fragments, TCP segment overwrites, TTL discrepancies
• Simulates end host behavior to increase inspection accuracy
Advanced Intrusion Prevention Services (IPS) and Network Anti-Virus features mitigate a wide range of network threats
Accurate Prevention Technologies: Risk Rating Provides Threat Context
RISK RATING = Event Severity + Signature Fidelity + Attack Relevancy + Asset Value of Target
• Event Severity: How urgent is the threat?
• Signature Fidelity: How prone to false positive?
• Attack Relevancy: Is attack relevant to host being attacked?
• Asset Value of Target: How critical is this destination host?
The Risk Rating drives mitigation policy; decision support balances attack urgency with business risk
Accurate Prevention Technologies: Meta Event Generator Delivers Advanced Correlation
On-box correlation allows adaptation to new threats in real-time without user intervention
• Links lower risk events into a high risk meta-event, triggering prevention actions
• Models attack behavior by correlating: event type, time span
[Diagram: Risk Rating (Low to High) plotted against Time (0 to 10). Event A (medium risk), Event B, Event C (low risk) and Event D arrive at successive points on the timeline; correlated together, A+B+C+D = WORM!, a high-risk meta-event. Action: DROP Event D. Worm Stopped!]
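The two slides above describe a risk rating built from four components and an on-box generator that links lower-risk events into one high-risk meta-event. The following is an added illustration written for this page, not Cisco's Accurate Prevention Technology code: the event names, the 0-100 component scales, the asset-value table, the A+B+C+D pattern, the 10-second window and the action thresholds are all assumptions made for the example.

```python
"""Risk rating and meta-event correlation (added example, not Cisco code).

Risk rating is modelled as the sum of the four components on the slide, and
a meta-event fires when every event type in a pattern is seen from the same
source inside a time window. Scales, thresholds and sample data are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    time: int        # seconds on a constructed timeline
    src: str         # source of the attack
    dst: str         # host being attacked
    kind: str        # event / signature type, e.g. "A"
    severity: int    # event severity: how urgent is the threat? (0-100)
    fidelity: int    # signature fidelity: how unlikely a false positive? (0-100)
    relevancy: int   # attack relevancy: does the attack apply to this host? (0-100)


# Asset value of target: how critical is the destination host? (constructed)
ASSET_VALUE = {"10.1.1.10": 100, "10.1.1.20": 40}
DEFAULT_ASSET_VALUE = 50


def risk_rating(ev: Event) -> int:
    """Sum the four components of the slide and scale the result to 0-100."""
    asset = ASSET_VALUE.get(ev.dst, DEFAULT_ASSET_VALUE)
    return (ev.severity + ev.fidelity + ev.relevancy + asset) // 4


def mitigation_policy(rating: int) -> str:
    """The risk rating drives the action; the thresholds are assumptions."""
    if rating >= 80:
        return "DROP"
    if rating >= 50:
        return "ALERT"
    return "LOG"


@dataclass
class MetaEventGenerator:
    """Link lower-risk events into one high-risk meta-event.

    The meta-event fires when every event type in `pattern` has been seen
    from the same source within `window` seconds (event type + time span).
    """
    pattern: frozenset
    window: int
    name: str = "WORM"
    _history: dict = field(default_factory=lambda: defaultdict(list))

    def observe(self, ev: Event) -> tuple:
        """Return (risk rating, action, meta-event name or None) for ev."""
        # keep only this source's events that are still inside the window
        recent = [e for e in self._history[ev.src] if ev.time - e.time <= self.window]
        recent.append(ev)
        self._history[ev.src] = recent
        if self.pattern <= {e.kind for e in recent}:
            # A+B+C+D inside the window: escalate and drop the triggering event
            return 100, "DROP", self.name
        rating = risk_rating(ev)
        return rating, mitigation_policy(rating), None


def sample_events() -> list:
    """Constructed timeline matching the slide: A, B, C, D from one source."""
    return [
        Event(0, "192.0.2.7", "10.1.1.20", "A", 40, 60, 52),
        Event(2, "192.0.2.7", "10.1.1.20", "B", 30, 70, 40),
        Event(4, "192.0.2.7", "10.1.1.20", "C", 20, 50, 30),
        Event(6, "192.0.2.7", "10.1.1.20", "D", 50, 60, 50),
        # a second source that never completes the pattern inside the window
        Event(0, "198.51.100.9", "10.1.1.10", "A", 40, 60, 52),
        Event(20, "198.51.100.9", "10.1.1.10", "D", 50, 60, 50),
    ]


def correlate(events: list, window: int = 10) -> list:
    """Run every event through the generator and return its decisions in order."""
    meg = MetaEventGenerator(pattern=frozenset("ABCD"), window=window)
    return [meg.observe(e) for e in events]


if __name__ == "__main__":
    for ev, (rating, action, meta) in zip(sample_events(), correlate(sample_events())):
        flag = f" ({meta}!)" if meta else ""
        print(f"t={ev.time:>2} {ev.src} event {ev.kind}: rating {rating:>3} -> {action}{flag}")
```

On its own, each of events A, B and C rates low enough to be logged only, and D alone would merely alert; once all four have arrived from one source within the window the generator escalates to a 100-point WORM meta-event and drops D, which is the behaviour the diagram shows. The second source shows why the time span matters: its D arrives 20 seconds after its A, outside the window, so no meta-event fires.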
Cisco ASA 5500 Series VPN Solutions: Enterprise-Class Site-to-Site VPN Capabilities
Network-aware site-to-site VPNs (diagram: sites connected across the Internet with OSPF Routing Over VPN)
• QoS-Enabled VPN: support for low latency queuing for latency-sensitive traffic such as VoIP
• OSPF Routing Over VPN
• IPSec Stateful Failover: provides high performance Active-Standby failover with automatic key and SA information synchronization
• Robust X.509 Certificate Support: manual enrollment support (PKCS 7/10); n-tiered X.509 certificate chaining support; 4096-bit RSA keysize support
Cisco VPN Are You There (AYT) & CSA: Comprehensive Endpoint Protection
• Cisco AYT provides the ability to perform security posture checks when a VPN connection attempt is received
• Checks to see if security products are both installed and active
• Pushes embedded personal firewall policy
• Enforces usage of authorized host-based security products (such as the Cisco Security Agent) and verifies their version number, policies, and status prior to granting access to the corporate network
• Re-checks posture every 30 seconds, protecting against user disablement
[Diagram: Telecommuter with IPSec VPN, running CSA, connects across the Public Internet to the VPN Concentrator; threats shown: Malware, Viruses, Trojans, Worms]
Cost-Effective VPN Headend Scaling: “Pay as You Grow” with Load Balancing and Clustering
• Cluster multiple Cisco ASA 5500s to scale as needed to 10,000s of users
• Dynamic load balancing ensures effective utilization of all clustered devices
• Clustering with load balancing provides maximum uptime
• Seamlessly integrates with existing Cisco VPN 3000 clusters
[Diagram: four clustered devices with inside addresses 10.10.1.1 to 10.10.1.4 and outside addresses 124.118.24.31 to 124.118.24.34, one of them acting as Cluster Master; Cluster IP Address 124.118.24.X. 1. Client requests connection to 124.118.24.50. 2. Virtual cluster master responds with 124.118.24.33. 3. Client requests IPSec/SSL session to 124.118.24.33]
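The diagram above shows a three-step exchange: the client asks the cluster address for a connection, the virtual cluster master answers with one member's own address, and the client opens its IPSec/SSL session there. The following is an added model of that exchange written for this page, not Cisco's clustering implementation: the addresses are the ones on the slide, while the per-member capacities and session counts, the "least-loaded member" balancing rule and the handling of a failed member are assumptions for the example.

```python
"""Simplified VPN load-balancing cluster (added example, not Cisco code).

A virtual cluster master owns the cluster address, tracks every member's
session load, and redirects each new client to the least-loaded live member.
Addresses follow the slide; capacities and session counts are constructed.
"""
from dataclasses import dataclass

CLUSTER_IP = "124.118.24.50"   # the address clients are given; not a member


@dataclass
class Member:
    address: str        # the member's own outside address
    capacity: int       # sessions it will accept (constructed)
    sessions: int = 0   # sessions currently terminated on this member
    alive: bool = True  # cleared when the member stops answering the master

    @property
    def load(self) -> float:
        return self.sessions / self.capacity


class VirtualClusterMaster:
    """Owns the cluster address and decides which member takes each client."""

    def __init__(self, members):
        self.members = {m.address: m for m in members}

    def pick_member(self) -> str:
        """Address of the least-loaded live member that still has room."""
        candidates = [m for m in self.members.values()
                      if m.alive and m.sessions < m.capacity]
        if not candidates:
            raise RuntimeError("no cluster member can accept a new session")
        return min(candidates, key=lambda m: m.load).address

    def mark_down(self, address: str) -> None:
        """A failed member drops out of load balancing until it recovers."""
        self.members[address].alive = False


def client_connect(master: VirtualClusterMaster, client: str) -> list:
    """The three-step exchange on the slide, as (sender, message, address)."""
    transcript = [(client, "connection request", CLUSTER_IP)]
    target = master.pick_member()
    transcript.append(("cluster master", "redirect", target))
    master.members[target].sessions += 1          # the member now carries it
    transcript.append((client, "IPSec/SSL session", target))
    return transcript


def redirect_target(master: VirtualClusterMaster, client: str = "client") -> str:
    """Just the member address the master hands back for one new client."""
    return client_connect(master, client)[1][2]


def sample_cluster() -> VirtualClusterMaster:
    """Four members as on the slide, with constructed session counts."""
    return VirtualClusterMaster([
        Member("124.118.24.31", capacity=500, sessions=300),
        Member("124.118.24.32", capacity=500, sessions=250),
        Member("124.118.24.33", capacity=500, sessions=100),
        Member("124.118.24.34", capacity=500, sessions=200),
    ])


if __name__ == "__main__":
    master = sample_cluster()
    for step in client_connect(master, "telecommuter"):
        print("%-13s %-18s -> %s" % step)
    master.mark_down("124.118.24.33")
    print("after .33 fails, next client goes to", redirect_target(master))
```

With the constructed loads the master answers the first client with 124.118.24.33, exactly as on the slide, because it carries the fewest sessions; when that member is marked down the next client is sent to the next least-loaded member, which is the uptime property the bullets claim for clustering with load balancing.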
WebVPN: SSL-Based Remote Access Enables Clientless Remote Connectivity
• Web Page Access (HTTP/HTTPS)
• Remote E-Mail Access: Outlook (MAPI), OWA, POP, IMAP, SMTP, Notes, iNotes
• File Access on Enterprise Servers: Windows CIFS file shares via Web Interface
• Flexible Login Options: customizable for diverse user communities; group based access control; support for all enterprise authentication mechanisms
• Port Forwarding: access to thick client TCP-based applications
• Web-Based Management: full-featured configuration and monitoring
Free SSL VPN Trial Included in Base Pricing – No Per-Feature Licenses!
Virtualized Services and Transparent Operation: Simplifies Deployment and Reduces Operational Costs
Scalable Security Services
• Adds support for Security Contexts (virtual firewalls) to lower operational costs: enables device consolidation and segmentation; supports separated policies and administration (diagram: Dept/Cust 1, Dept/Cust 2 and Dept/Cust 3 on one appliance)
Easy to Deploy Firewall and IPS Services
• Introduces transparent firewall capabilities for rapid deployment of security: drops into existing networks without need for readdressing the network; simplifies deployments of internal firewalling and security zoning – new applications (diagram: Transparent Firewall and IPS inserted into an Existing Network)
Advanced Network Integration: Maximizes Uptime and Supports Next-Gen Networks
Improved Network and Device Resiliency (diagram: two appliances, both Active)
• Introduces Active-Active failover for enhanced resiliency and asymmetric routing support
• Delivers new zero-downtime software upgrade capability for improved uptime
Intelligent Network Integration (diagram: Quality of Service, a queue of V and D packets)
• Provides QoS traffic prioritization for improved handling of latency sensitive traffic
• Adds IPv6 support for hybrid IPv4/IPv6 network environments
• Delivers PIM sparse mode multicast support for improved support for streaming data delivery services, video conferencing, and other mission-critical real-time enterprise applications
Application Inspection and Access Control: Services Convergence Enables Stronger Security
Full Service Firewall with Application Inspection and Control:
• Stateful Layer 3-7 Inspection
• Application and Access Control
• Dynamic Protocol Descriptor Updates
• Quality of Service
Enables Control of:
• Peer-to-peer: Kazaa and Gnutella
• Instant Messaging
• HTTP and Port 80 Tunneled Applications
• Voice over IP
• And many more!
[Diagram: the ASA 5500 sits between the Public Internet and the network, passing Business Traffic while controlling Peer to Peer and Tunneled Apps]
Designed from the ground up for reliable dynamic control of the application layer
Zero-Hour Worm Mitigation – At Line Rate! Services Convergence Enables Stronger Security
Line Rate Analysis:
• De-obfuscation
• Deep Packet Inspection
• Protocol Anomaly Detection
• Heuristic Analysis
• Traffic Normalization
Comprehensive Response:
• Attack Drop
• Session Removal
• Server DoS Protection through Session Resets
[Diagram: worms arriving from the Public Internet (Slammer, MS Blaster, Witty, Code Red, NIMDA, W32.Tomorrow’s-Threat) are stopped at the ASA 5500]
Leverages depth of IPS, firewall, and zero-hour protection features to stop malicious worms and viruses…and without a performance loss!
Cisco ASA 5500 Series Provides Highly Flexible and Scalable VPN Services
Access Scenarios: Site-to-Site Connectivity, Managed Desktop, Employee Desktop, Kiosk Access, Full or Limited Network Access, Partner Access
[Diagram: Supply Partner Extranet (SSL), Branch Office Site-to-Site (IPSec), Account Manager Mobile User (SSL), and Employee at Home on an Unmanaged Desktop (IPSec) all connect across the Public Internet to the ASA 5500]
ASA 5500 Converged IPSec, WebVPN, Firewall:
• Inspect/Control VPN Sessions
• Single RA VPN Device Infrastructure
• Unified User Management
• Unmatched Scalability
• Comprehensive Load Balancing
Combined IPSec and WebVPN services allow tailored solutions for a business's growing connectivity and scalability requirements
Cisco ASA 5500 Series Product Lineup: Solutions Ranging from SMB to Large Enterprise
Cisco ASA 5510
• Target Market: SMB and SME
• List Price: Starting at $3,495
• Performance: Max Firewall 300 Mbps; Max Con. Threat Mitigation 150 Mbps; Max IPSec VPN 170 Mbps
• Base Platform Services: App FW, IPSec and SSL VPN, and more; A/S HA (Upg.), 3 FE to 5 FE
Cisco ASA 5520
• Target Market: Enterprise
• List Price: Starting at $7,995
• Performance: Max Firewall 450 Mbps; Max Con. Threat Mitigation 375 Mbps; Max IPSec VPN 225 Mbps
• Base Platform Services: Same as 5510, plus A/A Failover, VPN Clustering, 4 GE + 1 FE
Cisco ASA 5540
• Target Market: Large Enterprise
• List Price: Starting at $16,995
• Performance: Max Firewall 650 Mbps; Max Con. Threat Mitigation 450 Mbps; Max IPSec VPN 325 Mbps
• Base Platform Services: Same as 5520, with higher performance and scalability
Cisco ASA 5520/5540 Adaptive Security Appliances: Product Tour
• Four 10/100/1000 Copper Gigabit Ports
• Sleek, High Performance 1 Rack Unit (RU) Design
• One 10/100 Out of Band Management Port*
• Diskless Architecture for High Reliability
• One Expansion Slot for Add’l Accelerated Services or I/O
• Single Field Upgradeable AC or DC Power Supply
• Two USB 2.0 Ports for Future Expansion (Credentials, Failover, and more)
• Compact Flash for Software, Config, and Log Storage
• Console and AUX Ports
• Five Status LEDs (Power, Status, Active, VPN, Flash)
Cisco ASA Security Services Module (SSM) 10 & 20: Product Tour
• High Performance Module for Additional Services
• Diskless (Flash-Based) Design for Improved Reliability
• Gigabit Ethernet Port for Out-of-Band Management, etc.
• Thumbscrews for Easy Insertion and Removal
Licensing on the Cisco ASA 5500 Series
• All primary Firewall and VPN services in base systems
• Several licenses enable additional feature content:
  ASA 5510 Security Plus – Active/Standby HA, VLANs, capacity
  ASA 5520/5540 VPN Plus/Premium – Unlocks add’l VPN peers
  Security Contexts – Several tiers available: 5, 10, 20, and 50
  GTP Inspection – Enables 3G Mobile Wireless security features
• Additional services delivered via Security Svc Modules:
  Full featured, high performance IPS services (AIP SSM); requires IPS Services contract for signature updates
  More services to come in the future
Cisco ASA Adaptive Security Appliances: Industry Certifications and Evaluations
• Common Criteria: Future: EAL4+, v7.0(4) – ASA Family
• FIPS 140: Future: Level 2, v7.0(4) – ASA Family
• ICSA Firewall 4.1, Corporate Category: Future: v7.0(1) – ASA Family
• ICSA IPSec 1.1D: Future: v7.0(1) – ASA Family
• VPNC: Tentative: v7.0(1) – ASA Family
Comprehensive Management, Monitoring & Response: Converged Services Reduces Complexity and Costs
Device Management (Cisco Adaptive Security Device Manager (ASDM))
• Integrated, web-based mgmt
• Converged configuration – FW, IPS, VPN, AV
• Real-time monitoring tools
System Management (CiscoWorks VPN/Security Management (VMS) System, Solsoft Policy Server)
• Multi-device integrated mgmt
• Enterprise-scale provisioning
Monitoring and Response (Cisco Security MARS, CiscoWorks SIMS)
• Multi-platform event management and response
• Sophisticated data reduction and correlation
Auditing (Cisco Security Auditor)
• Device posture validation against industry “best practices” and regulatory compliance
Cisco Adaptive Security Device Manager (ASDM) v5.0: Next-Generation of Popular Cisco PIX Device Manager
• Adds support for all major new features introduced in PIX OS v7.0
• Homepage includes new features, such as:
  - Platform uptime
  - Security Contexts
  - Real-time syslog viewer (last ten)
  - Improved navigation
  - Powerful search capabilities
  - And more!
Cisco Adaptive Security Device Manager (ASDM) v5.0: Robust Firewall Management and Monitoring
• Cisco ASDM v5.0 delivers robust firewall management and monitoring of a Cisco ASA appliance
• Supports full configuration of:
  - Access control lists
  - Network and service object groups
  - Inspection Engines
  - NAT/PAT
  - AAA and more
• Supports monitoring of:
  - Syslog (real-time)
  - Connections
  - Throughput & more!
Cisco Confidential – NDA Use Only
Cisco Adaptive Security Device Manager v5.0: Comprehensive VPN Management and Monitoring
• Cisco ASDM v5.0 delivers comprehensive remote access and site-to-site VPN management and monitoring of a single Cisco ASA appliance
• Supports full configuration of:
  - WebVPN
  - IPSec RA groups
  - S2S tunnels
  - AAA, DHCP, & more!
• Supports monitoring of:
  - Uptime, bytes xfered, by tunnel
  - VPN usage trends
Cisco Adaptive Security Device Manager v5.0: Extensive IPS Management and Monitoring
• Cisco ASDM v5.0 delivers extensive IPS management and monitoring of a single Cisco ASA appliance
• Supports full configuration of:
  - Engines
  - Signatures
  - Threat Risk Rating
  - IPS Actions
  - And more!
• Supports monitoring of:
  - Events
  - Diagnostic reports
  - Sensor statistics
Summary: Cisco ASA 5500 Series, 3 Takeaways…
• Eliminates security tradeoffs with converged security services
• “Single platform, many uses” reduces operational costs
• Unprecedented technology extensibility adapts to new threats