Cisco Asa Nov2005

Introducing the Cisco ASA 5500 Series Adaptive Security Appliances Rizwan Qureshi Product Manager

ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

1

Introducing Cisco Adaptive Security Appliances Delivering Adaptive Threat Defense and VPN Solutions

Converged Adaptive Threat Defense and Flexible VPN Services Application Security, Worm/Virus Mitigation, Malware Protection, Threat-Protected VPN and Network Awareness

Minimize Deployment and Operations Costs Platform Standardization, Unified Management

Technology Extensibility to Address New Threats

Purpose-Built Adaptive Identification and Mitigation Architecture Enables Unprecedented Extensibility and Policy Control

The Cisco ASA 5500 Series ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

2

Cisco ASA 5500 Series

Convergence of Robust, Market-Proven Technologies Market-Proven Technologies

Adaptive Threat Defense, Secure Connectivity

Firewall Technology Cisco PIX

App Inspection, Use Enforcement, Web Control Application Security

IPS Technology Cisco IPS

Malware/Content Defense, Anomaly Detection Anti-X Defenses

NW-AV Technology Cisco IPS, AV

VPN Technology Cisco VPN 3000

Network Intelligence Cisco Network Services ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

Traffic/Admission Control, Proactive Response Network Containment & Control

Secure Connectivity IPSec & SSL VPN

3

Adaptive Identification and Mitigation (AIM) Services Architecture Technology Extensibility to Mitigate Current and Future Threats Security Services Extensibility

Remote Access VPN Connectivity

Site-to-Site VPN Connectivity

Partner Technology & Service Extensions

Adaptive Classification & Policy Framework

Application Inspection & Control Anti-X Defenses Network Containment & Control

Adaptive Threat Defense

Secure Connectivity

Cisco Technology & Service Extensions

Cisco Intelligent Networking, High Availability, and Scalability Services

Innovative AIM services architecture allows business to adapt and extend the security services profile via Cisco-developed and partnerprovide innovations delivering high current services performance and services extensibility ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

4

Cisco ASA 5500 Series: Breadth and Depth Industry First! Scalable, Multi-Function, Feature Rich

Application Security

• • • •

Anti-X Defense

• Network-based worm and virus mitigation • Spyware, adware, malware detection and control • Accurate Prevention Technology for reliable, proactive response • On-box event correlation and proactive response

Network Containment & Control

• Layer 3 and 4 access control services • Stateful packet inspection • Flexible user, network and application policy grouping

Secure Connectivity

• • • •

Cisco Networking Services Intelligence ASA 5500 Intro

Multi-layer packet and traffic analysis Advanced application and protocol inspection services Network application controls Advanced VoIP/multimedia security

Zero-touch, automatically updateable IPSec remote access Flexible and secure SSL VPN services QoS/routing-enabled site-to-site VPN Integrated threat mitigation protect against VPN-delivered threats • Low Latency • Services Virtualization • Diverse Topologies • Network Segmentation & Partitioning • Multicast Support • Routing, Resiliency, Load-Balancing

© 2004 Cisco Systems, Inc. All rights reserved.

5

Application Inspection & Control Engines

Provide Control over Application Usage & Network Access • Application and protocol-aware inspection services provides strong application-layer security • Performs conformance checking, state tracking, security checks, NAT/PAT support and dynamic port allocation Multimedia / Voice over IP H.323 v1-4 SIP SCCP (Skinny) GTP (3G Wireless) MGCP RTSP TAPI / JTAPI

Over 30 Engin es Core Internet Protocols

Specific Applications Microsoft Windows Messenger Microsoft NetMeeting Real Player Cisco IP Phones Cisco Softphones ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

HTTP FTP TFTP SMTP / ESMTP DNS / EDNS ICMP TCP UDP

Database / OS Services ILS / LDAP Oracle / SQL*Net (V1/V2) Microsoft Networking NFS RSH SunRPC / NIS+ X Windows (XDMCP)

Security Services IKE IPSec PPTP 6 6

Cisco ASA 5500 Series Delivers High Performance Worm//Malware and Attack Mitigation Services Spyware / Adware

Network Worms & Viruses

Directed Attacks

Traffic Cleansing

• Prevents installation of malware and blocks “phone home” communications • Frees network bandwidth and controls the transmission of confidential data

• Controls corporate espionage • Stops web defacing by preventing web attacks • Prevents zombie, backdoor, and bot placement thus stopping automated attacks (e.g., denial of service (DoS)

• Stops the infection and propagation of malware • Leverages internal development and partnership with Trend Micro

• Removes traffic ambiguities such as overwritten fragments, TCP segment overwrites, TTL discrepancies • Simulates end host behavior to increase inspection accuracy

Advanced Intrusion Prevention Services (IPS) and Network Anti-Virus features mitigate wide range of network threats ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

7

Accurate Prevention Technologies Risk Rating Provides Threat Context

Event Severity Signature Fidelity Attack Relevancy Asset Value of Target

RISK RATING ASA 5500 Intro

How urgent is the threat?

+ + +

Decision support balances attack urgency with business risk

How prone to false positive? Is attack relevant to host being attacked? How critical is this destination host? Drives Mitigation Policy

© 2004 Cisco Systems, Inc. All rights reserved.

8

Accurate Prevention Technologies

Meta Event Generator Delivers Advanced Correlation On-box correlation allows adaptation to new threats in real-time without user intervention

Risk Rating

DROP Event DWorm Stopped!

A+B+C+D= WORM!

High

Event A Medium

Event D

Event B

Links lower risk events into a high risk metaevent, triggering prevention actions Models attack Behavior by Correlating: • Event type • Time span

Event C Low

Time: ASA 5500 Intro

0

2

4

6

© 2004 Cisco Systems, Inc. All rights reserved.

8

10 9

Cisco ASA 5500 Series VPN Solutions Enterprise-Class Site-to-Site VPN Capabilities

Network-aware site-to-site VPNs QoS-Enabled VPN Support for low latency queuing for latency-sensitive traffic such as VoIP

Internet

OSPF Routing Over VPN

IPSec Stateful Failover • Provides high performance Active-Standby failover with automatic key and SA information synchronization

Robust X.509 Certificate Support • Manual enrollment support (PKCS 7/10) • n-tiered X.509 certificate chaining support • 4096-bit RSA keysize support ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

10

Cisco VPN Are You There (AYT) & CSA Comprehensive Endpoint Protection

• Cisco AYT provides the ability to perform security posture checks when a VPN connection attempt is received

VPN Concentrator

Malware Viruses

Trojans

Public Internet Worms CSA

• Checks to see if security products are both installed and active • Pushes embedded personal firewall policy

Telecommuter with IPSec VPN ASA 5500 Intro

• Enforces usage of authorized hostbased security products (such as the Cisco Security Agent) and verifies its version number, policies, and status prior to granting access the corporate network

© 2004 Cisco Systems, Inc. All rights reserved.

• Re-checks posture every 30 seconds protecting against user disablement 11

Cost-Effective VPN Headend Scaling

“Pay as You Grow” with Load Balancing and Clustering • Cluster multiple Cisco ASA 5500s to scale as needed to 10,000s of users • Dynamic load balancing ensures effective utilization of all clustered devices • Clustering with load balancing provides maximum uptime • Seamlessly integrates with existing Cisco VPN 3000 clusters 10.10.1.X .1

Cluster IP Address 124.118.24.X Client requests connection to 124.118.24.50 .31

Cluster Master .32 .2

ASA 5500 Intro

.3

.33

.4

.34

Virtual cluster master responds with 124.118.24.33 Client requests IPSec/SSL session to 124.118.24.33

© 2004 Cisco Systems, Inc. All rights reserved.

12

WebVPN: SSL-Based Remote Access Enables Clientless Remote Connectivity • Web Page Access (HTTP/HTTPS) • Remote E-Mail Access Outlook (MAPI), OWA, POP, IMAP, SMTP, Notes, iNotes • File Access on Enterprise Servers Windows CIFS file shares via Web Interface

Free SSL VPN Trial Included in Base Pricing – No Per-Feature Licenses!

• Flexible Login Options Customizable for Diverse User Communities Group based access control Support for all enterprise authentication mechanisms • Port Forwarding Access to thick client TCP-based applications • Web-Based Management Full-featured configuration and monitoring ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

13

Virtualized Services and Transparent Operation

Simplifies Deployment and Reduces Operational Costs Dept/Cust 1 Dept/Cust 2 Dept/Cust 3

Scalable Security Services • Adds support for Security Contexts (virtual firewalls) to lower operational costs Enables device consolidation and segmentation Supports separated policies and administration

Easy to Deploy Firewall and IPS Services • Introduces transparent firewall capabilities for rapid deployment of security

Transparent Firewall and IPS

Drops into existing networks without need for readdressing the network Simplifies deployments of internal firewalling and security zoning – new applications Existing Network ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

14

Advanced Network Integration

Maximizes Uptime and Supports Next-Gen Networks Improved Network and Device Resiliency

Active

• Introduces Active-Active failover for enhanced resiliency and asymmetric routing support • Delivers new zero-downtime software upgrade capability for improved uptime

Active

Intelligent Network Integration • Provides QoS traffic prioritization for improved handling of latency sensitive traffic • Adds IPv6 support for hybrid IPv4/IPv6 network environments • Delivers PIM sparse mode multicast support for improved support for streaming data delivery services, video conferencing, and other mission-critical real-time enterprise applications ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

V

VV D

V VV D

D

D

Quality of Service

15

Application Inspection and Access Control Services Convergence Enables Stronger Security Full Service Firewall with Application Inspection and Control: Stateful Layer 3-7 Inspection Application and Access Control Dynamic Protocol Descriptor Updates Quality of Service

Enables Control of: Peer-to-peer: Kazaa and Gnutella Instant Messaging HTTP and Port 80 Tunneled Applications Voice over IP And many more!

Public Internet ASA 5500 Business Traffic Peer to Peer, Tunneled Apps

Designed from the ground up for reliable dynamic control of the application layer ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

16

Zero-Hour Worm Mitigation – At Line Rate! Services Convergence Enables Stronger Security Line Rate Analysis: De-obfuscation Deep Packet Inspection Protocol Anomaly Detection Heuristic Analysis Traffic Normalization

Slammer MS Blaster Witty

Public Internet

Code Red

ASA 5500

NIMDA W32.Tomorrow’s-Threat

Comprehensive Response: Attack Drop Session Removal Server DoS Protection through Session Resets

Leverages depth of IPS, firewall, and zero-hour protection features to stop malicious worms and viruses…and without a performance loss! ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

17

Cisco ASA 5500 Series Provides Highly Flexible and Scalable VPN Services Access Scenarios: Site-to-Site Connectivity Managed Desktop Employee Desktop Kiosk Access Full or Limited Network Access Partner Access

Supply Partner Extranet

SSL

Branch Office Site-to-Site

IPSec Public Internet

Account Manager Mobile User

SSL

IPSec Employee at Home Unmanaged Desktop

ASA 5500 Converged IPSec, WebVPN, Firewall: Inspect/Control VPN Sessions Single RA VPN Device Infrastructure Unified User Management Unmatched Scalability Comprehensive Load Balancing

Combined IPSec and WebVPN services allow tailored solutions for business's growing connectivity and scalability requirements ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

18

Cisco ASA 5500 Series Product Lineup Solutions Ranging from SMB to Large Enterprise Cisco ASA 5510

Cisco ASA 5520

Cisco ASA 5540

Target Market

SMB and SME

Enterprise

Large Enterprise

List Price

Starting at $3,495

Starting at $7,995

Starting at $16,995

Max Firewall Max Con. Threat Mitigation Max IPSec VPN

300 Mbps 150 Mbps 170 Mbps

450 Mbps 375 Mbps 225 Mbps

650 Mbps 450 Mbps 325 Mbps

Base Platform Services

App FW, IPSec and SSL VPN, and more A/S HA (Upg.), 3 FE to 5 FE

Same as 5510, plus A/A Failover, VPN Clustering, 4 GE + 1 FE

Same as 5520, with higher performance and scalability

Performance

ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

19

Cisco ASA 5520/5540 Adaptive Security Appliances Product Tour

Four 10/100/1000 Copper Gigabit Ports

Sleek, High Performance 1 Rack Unit (RU) Design

One 10/100 Out of Band Management Port*

Diskless Architecture for High Reliability

One Expansion Slot for Add’l Accelerated Services or I/O

Single Field Upgradeable AC or DC Power Supply

Two USB 2.0 Ports for Future Expansion (Credentials, Failover, and more) Compact Flash for Software, Config, and Log Storage ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

Console and AUX Ports Five Status LEDs (Power, Status, Active, VPN, Flash)

20

Cisco ASA Security Services Module (SSM) 10 & 20 Product Tour

High Performance Module for Additional Services Diskless (Flash-Based) Design for Improved Reliability Gigabit Ethernet Port for Out-of-Band Management, etc. Thumbscrews for Easy Insertion and Removal

ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

21

Licensing on the Cisco ASA 5500 Series • All primary Firewall and VPN services in base systems • Several licenses enable additional feature content ASA 5510 Security Plus – Active/Standby HA, VLANs, capacity ASA 5520/5540 VPN Plus/Premium – Unlocks add’l VPN peers Security Contexts – Several tiers available 5, 10, 20, and 50 GTP Inspection – Enables 3G Mobile Wireless security features

• Additional services delivered via Security Svc Modules Full featured, high performance IPS services (AIP SSM) Requires IPS Services contract for signature updates More services to come in the future ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

22

Cisco ASA Adaptive Security Appliances Industry Certifications and Evaluations

• Common Criteria Future: EAL4+, v7.0(4) – ASA Family • FIPS 140 Future: Level 2, v7.0(4) – ASA Family

• ICSA Firewall 4.1, Corporate Category Future: v7.0(1) – ASA Family • ICSA IPSec 1.1D Future: v7.0(1) – ASA Family

• VPNC Tentative: v7.0(1) – ASA Family ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

23

Comprehensive Management, Monitoring & Response Converged Services Reduces Complexity and Costs Device Management

System Management

• Integrated, web-based mgmt • Converged configuration – FW, IPS, VPN, AV • Real-time monitoring tools

• Multi-device integrated mgmt • Enterprise-scale provisioning

Cisco Adaptive Security Device Manager (ASDM)

Monitoring and Response • Multi-platform event management and response • Sophisticated data reduction and correlation Cisco Security MARS CiscoWorks SIMS ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

CiscoWorks VPN/Security Management (VMS) System Solsoft Policy Server

Auditing • Device posture validation against industry “best practices” and regulatory compliance Cisco Security Auditor

24

Cisco Adaptive Security Device Manager (ASDM) v5.0 Next-Generation of Popular Cisco PIX Device Manager

• Adds support for all major new features introduced in PIX OS v7.0 • Homepage includes new features, such as: - Platform uptime - Security Contexts - Real-time syslog viewer (last ten) - Improved navigation - Powerful search capabilities - And more! ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

25

Cisco Adaptive Security Device Manager (ASDM) v5.0 Robust Firewall Management and Monitoring

• Cisco ASDM v5.0 delivers robust firewall management and monitoring of a Cisco ASA appliance • Supports full configuration of: - Access control lists - Network and service object groups - Inspection Engines - NAT/PAT - AAA and more • Supports monitoring of: - Syslog (real-time) - Connections - Throughput & more!

ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

Cisco Confidential – NDA Use Only

26

Cisco Adaptive Security Device Manager v5.0 Comprehensive VPN Management and Monitoring

• Cisco ASDM v5.0 delivers comprehensive remote access and site-to-site VPN management and monitoring of a single Cisco ASA appliance • Supports full configuration of: - WebVPN - IPSec RA groups - S2S tunnels - AAA, DHCP, & more! • Supports monitoring of: - Uptime, bytes xfered, by tunnel - VPN usage trends ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

Cisco Confidential – NDA Use Only

27

Cisco Adaptive Security Device Manager v5.0 Extensive IPS Management and Monitoring

• Cisco ASDM v5.0 delivers extensive IPS management and monitoring of a single Cisco ASA appliance • Supports full configuration of: - Engines - Signatures - Threat Risk Rating - IPS Actions - And more! • Supports monitoring of: - Events - Diagnostic reports - Sensor statistics

ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

Cisco Confidential – NDA Use Only

28

Summary: Cisco ASA 5500 Series 3 Take aways…

• Eliminates security tradeoffs with converged security services • “Single platform, many uses” reduces operational costs • Unprecedented technology extensibility adapts to new threats

ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

29

ASA 5500 Intro

© 2004 Cisco Systems, Inc. All rights reserved.

30