
Introducing the Cisco ASA 5500 Series

Adaptive Security Appliances


Rizwan Qureshi
Product Manager

ASA 5500 Intro © 2004 Cisco Systems, Inc. All rights reserved. 1
Introducing Cisco Adaptive Security Appliances
Delivering Adaptive Threat Defense and VPN Solutions

Converged Adaptive Threat Defense and Flexible VPN Services
  Application Security, Worm/Virus Mitigation, Malware Protection,
  Threat-Protected VPN and Network Awareness

Minimize Deployment and Operations Costs
  Platform Standardization, Unified Management

Technology Extensibility to Address New Threats
  Purpose-Built Adaptive Identification and Mitigation Architecture Enables
  Unprecedented Extensibility and Policy Control

The Cisco ASA 5500 Series


Cisco ASA 5500 Series
Convergence of Robust, Market-Proven Technologies

Market-Proven Technologies:
  Firewall Technology - Cisco PIX
  IPS Technology - Cisco IPS
  NW-AV Technology - Cisco IPS, AV
  VPN Technology - Cisco VPN 3000
  Network Intelligence - Cisco Network Services

Adaptive Threat Defense, Secure Connectivity:
  Application Security - App Inspection, Use Enforcement, Web Control
  Anti-X Defenses - Malware/Content Defense, Anomaly Detection
  Network Containment & Control - Traffic/Admission Control, Proactive Response
  Secure Connectivity - IPSec & SSL VPN

Adaptive Identification and Mitigation (AIM) Services Architecture
Technology Extensibility to Mitigate Current and Future Threats

Security Services Extensibility:
  Cisco Technology & Service Extensions | Partner Technology & Service Extensions

Adaptive Threat Defense:
  Application Inspection & Control
  Anti-X Defenses
  Network Containment & Control

Secure Connectivity:
  Remote Access VPN Connectivity
  Site-to-Site VPN Connectivity

Adaptive Classification & Policy Framework

Cisco Intelligent Networking, High Availability, and Scalability Services

The innovative AIM services architecture allows a business to adapt and
extend its security services profile via Cisco-developed and partner-provided
innovations, delivering high performance for current services along with
services extensibility.

Cisco ASA 5500 Series: Breadth and Depth
Industry First! Scalable, Multi-Function, Feature Rich

Application Security
• Multi-layer packet and traffic analysis
• Advanced application and protocol inspection services
• Network application controls
• Advanced VoIP/multimedia security

Anti-X Defense
• Network-based worm and virus mitigation
• Spyware, adware, malware detection and control
• Accurate Prevention Technology for reliable, proactive response
• On-box event correlation and proactive response

Network Containment & Control
• Layer 3 and 4 access control services
• Stateful packet inspection
• Flexible user, network and application policy grouping

Secure Connectivity
• Zero-touch, automatically updateable IPSec remote access
• Flexible and secure SSL VPN services
• QoS/routing-enabled site-to-site VPN
• Integrated threat mitigation protects against VPN-delivered threats

Cisco Networking Services Intelligence
• Low Latency
• Diverse Topologies
• Multicast Support
• Services Virtualization
• Network Segmentation & Partitioning
• Routing, Resiliency, Load-Balancing

Application Inspection & Control Engines
Provide Control over Application Usage & Network Access

• Application and protocol-aware inspection services provide
  strong application-layer security
• Performs conformance checking, state tracking, security
  checks, NAT/PAT support and dynamic port allocation

Over 30 Engines:

Multimedia / Voice over IP
  H.323 v1-4, SIP, SCCP (Skinny), GTP (3G Wireless), MGCP, RTSP, TAPI / JTAPI

Database / OS Services
  ILS / LDAP, Oracle / SQL*Net (V1/V2), Microsoft Networking, NFS, RSH,
  SunRPC / NIS+, X Windows (XDMCP)

Core Internet Protocols
  HTTP, FTP, TFTP, SMTP / ESMTP, DNS / EDNS, ICMP, TCP, UDP

Specific Applications
  Microsoft Windows Messenger, Microsoft NetMeeting, Real Player,
  Cisco IP Phones, Cisco Softphones

Security Services
  IKE, IPSec, PPTP

Cisco ASA 5500 Series Delivers High Performance
Worm/Malware and Attack Mitigation Services

Spyware / Adware
• Prevents installation of malware and blocks “phone home” communications
• Frees network bandwidth and controls the transmission of confidential data

Network Worms & Viruses
• Stops the infection and propagation of malware
• Leverages internal development and partnership with Trend Micro

Directed Attacks
• Controls corporate espionage
• Stops web defacing by preventing web attacks
• Prevents zombie, backdoor, and bot placement, thus stopping automated
  attacks (e.g., denial of service (DoS))

Traffic Cleansing
• Removes traffic ambiguities such as overwritten fragments, TCP segment
  overwrites, TTL discrepancies
• Simulates end host behavior to increase inspection accuracy

Advanced Intrusion Prevention Services (IPS) and Network Anti-Virus
features mitigate a wide range of network threats

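The TCP segment overwrite ambiguity named under Traffic Cleansing, as an added example that is not from this deck or Cisco's implementation: a small normalizer that flags overlapping segments whose bytes disagree and reassembles the stream under one explicit policy. The segment list is constructed.

```python
"""Added example (not Cisco code): detect the "TCP segment overwrite"
ambiguity a traffic normalizer must remove. When two segments overlap
with different bytes, an inspection engine and the end host could
reassemble different streams; the normalizer flags the conflict and
reassembles under one explicit policy. The segment list is constructed."""
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (starting sequence number, payload)

# Constructed sample: the second segment re-sends seq 1004-1007 with
# different contents, the third continues the stream cleanly.
SEGMENTS: List[Segment] = [(1000, b"ABCDEFGH"), (1004, b"efgh"), (1008, b"IJKL")]


def find_conflicts(segments: List[Segment]) -> List[Tuple[int, int, int]]:
    """Return (seq, first_byte, later_byte) for each stream position that a
    later segment tries to overwrite with a different value."""
    seen: Dict[int, int] = {}
    conflicts = []
    for seq, data in segments:
        for offset, byte in enumerate(data):
            pos = seq + offset
            if pos in seen and seen[pos] != byte:
                conflicts.append((pos, seen[pos], byte))
            seen.setdefault(pos, byte)
    return conflicts


def reassemble(segments: List[Segment], favor: str = "first") -> bytes:
    """Reassemble the contiguous stream from the lowest sequence number.
    favor="first" keeps the bytes that arrived first, favor="last" lets a
    retransmission win; either works as long as inspector and host agree."""
    if favor not in ("first", "last"):
        raise ValueError("favor must be 'first' or 'last'")
    stream: Dict[int, int] = {}
    for seq, data in segments:
        for offset, byte in enumerate(data):
            pos = seq + offset
            if favor == "last" or pos not in stream:
                stream[pos] = byte
    out, pos = bytearray(), min(stream)
    while pos in stream:  # stop at the first gap (a segment not yet seen)
        out.append(stream[pos])
        pos += 1
    return bytes(out)


if __name__ == "__main__":
    for pos, old, new in find_conflicts(SEGMENTS):
        print(f"seq {pos}: {chr(old)!r} would be overwritten by {chr(new)!r}")
    print(reassemble(SEGMENTS, "first"), reassemble(SEGMENTS, "last"))
```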
Accurate Prevention Technologies
Risk Rating Provides Threat Context

  Event Severity          How urgent is the threat?
+ Signature Fidelity      How prone to false positive?
+ Attack Relevancy        Is attack relevant to host being attacked?
+ Asset Value of Target   How critical is this destination host?
= RISK RATING             Drives Mitigation Policy

Decision support balances attack urgency with business risk

Accurate Prevention Technologies
Meta Event Generator Delivers Advanced Correlation

On-box correlation allows adaptation to new threats in real-time
without user intervention

[Diagram: risk rating (Low / Medium / High) plotted against time 0-10.
Event A, Event B and Event D are rated Medium and Event C Low; once all
four have occurred, A+B+C+D = WORM! The meta event is rated High, Event D
is dropped, and the worm is stopped.]

• Links lower risk events into a high risk meta-event, triggering
  prevention actions
• Models attack behavior by correlating:
  - Event type
  - Time span

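A toy model of the Risk Rating factors and the Meta Event Generator correlation from these two slides, added here as an example rather than Cisco's own algorithm; the 0-25 factor scales, the drop/alert/log cut-offs, the 25-point meta event boost and the sample events are all assumptions.

```python
"""Added example (not Cisco code): toy model of the Risk Rating and Meta
Event Generator slides. risk_rating() adds the four factors the slide
lists; correlate() links lower-risk events of the expected types that
fall inside one time span into a single high-risk meta event. Scales,
thresholds, the meta event boost and the sample events are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    name: str
    time: int         # time units as on the slide's axis (0-10)
    severity: int     # how urgent is the threat?              (0-25)
    fidelity: int     # how unlikely is a false positive?      (0-25)
    relevancy: int    # is the attack relevant to the target?  (0-25)
    asset_value: int  # how critical is the destination host?  (0-25)


def risk_rating(e: Event) -> int:
    """Event Severity + Signature Fidelity + Attack Relevancy + Asset Value."""
    return e.severity + e.fidelity + e.relevancy + e.asset_value  # 0-100


def mitigation(rating: int) -> str:
    """Map a rating to the mitigation policy it drives (constructed cut-offs)."""
    if rating >= 75:
        return "drop"
    return "alert" if rating >= 50 else "log"


def correlate(events: List[Event], pattern: List[str], window: int,
              meta_name: str) -> Optional[Tuple[str, int, Event]]:
    """Return (meta_name, meta_rating, triggering_event) once every type in
    `pattern` was seen within `window` time units, in any order; else None."""
    needed = set(pattern)
    seen: Dict[str, Event] = {}
    for e in sorted(events, key=lambda ev: ev.time):
        if e.name not in needed:
            continue
        seen[e.name] = e
        # forget components that fell outside the correlation window
        seen = {n: ev for n, ev in seen.items() if e.time - ev.time <= window}
        if needed <= set(seen):
            # constructed rule: meta event outranks its top component by 25
            meta = min(100, max(risk_rating(ev) for ev in seen.values()) + 25)
            return meta_name, meta, e
    return None


# Constructed sample matching the slide: A, B and D rate medium, C low.
EVENTS = [Event("A", 1, 15, 15, 15, 10), Event("B", 3, 10, 15, 15, 10),
          Event("C", 5, 5, 10, 5, 10), Event("D", 7, 20, 15, 10, 10)]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.name, risk_rating(ev), mitigation(risk_rating(ev)))
    print(correlate(EVENTS, ["A", "B", "C", "D"], window=10, meta_name="WORM"))
```

No single event reaches the drop threshold on its own; only the correlated meta event does, which is the point of the slide.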
Cisco ASA 5500 Series VPN Solutions
Enterprise-Class Site-to-Site VPN Capabilities

Network-aware site-to-site VPNs
[Diagram: sites connected across the Internet]

QoS-Enabled VPN
• Support for low latency queuing for latency-sensitive traffic such as VoIP

OSPF Routing Over VPN

IPSec Stateful Failover
• Provides high performance Active-Standby failover with automatic key and
  SA information synchronization

Robust X.509 Certificate Support
• Manual enrollment support (PKCS 7/10)
• n-tiered X.509 certificate chaining support
• 4096-bit RSA keysize support

Cisco VPN Are You There (AYT) & CSA
Comprehensive Endpoint Protection

[Diagram: a telecommuter with IPSec VPN and CSA connects across the Public
Internet to a VPN Concentrator; malware, Trojans, viruses and worms are
kept off the connection.]

• Cisco AYT provides the ability to perform security posture checks when
  a VPN connection attempt is received
• Enforces usage of authorized host-based security products (such as the
  Cisco Security Agent) and verifies its version number, policies, and
  status prior to granting access to the corporate network
• Checks to see if security products are both installed and active
• Pushes embedded personal firewall policy
• Re-checks posture every 30 seconds, protecting against user disablement

Cost-Effective VPN Headend Scaling
“Pay as You Grow” with Load Balancing and Clustering

• Cluster multiple Cisco ASA 5500s to scale as needed to 10,000s of users
• Dynamic load balancing ensures effective utilization of all clustered devices
• Clustering with load balancing provides maximum uptime
• Seamlessly integrates with existing Cisco VPN 3000 clusters

[Diagram: four clustered appliances on 10.10.1.1-.4 (inside) and
124.118.24.31-.34 (outside); the .1/.31 unit is the Cluster Master and
124.118.24.50 is the Cluster IP Address.]
  1. Client requests connection to 124.118.24.50
  2. Virtual cluster master responds with 124.118.24.33
  3. Client requests IPSec/SSL session to 124.118.24.33

WebVPN: SSL-Based Remote Access
Enables Clientless Remote Connectivity

• Web Page Access (HTTP/HTTPS)
• Remote E-Mail Access
  Outlook (MAPI), OWA, POP, IMAP, SMTP, Notes, iNotes
• File Access on Enterprise Servers
  Windows CIFS file shares via Web Interface
• Flexible Login Options Customizable for Diverse User Communities
  Group based access control
  Support for all enterprise authentication mechanisms
• Port Forwarding
  Access to thick client TCP-based applications
• Web-Based Management
  Full-featured configuration and monitoring

Free SSL VPN Trial Included in Base Pricing – No Per-Feature Licenses!

Virtualized Services and Transparent Operation
Simplifies Deployment and Reduces Operational Costs

Scalable Security Services
• Adds support for Security Contexts (virtual firewalls) to lower
  operational costs
  Enables device consolidation and segmentation
  Supports separated policies and administration
  [Diagram: one appliance serving Dept/Cust 1, Dept/Cust 2 and Dept/Cust 3]

Easy to Deploy Firewall and IPS Services
• Introduces transparent firewall capabilities for rapid deployment of
  security
  Drops into existing networks without need for readdressing the network
  Simplifies deployments of internal firewalling and security zoning –
  new applications
  [Diagram: Transparent Firewall and IPS inserted into the Existing Network]

Advanced Network Integration
Maximizes Uptime and Supports Next-Gen Networks

Improved Network and Device Resiliency
• Introduces Active-Active failover for enhanced resiliency and
  asymmetric routing support
• Delivers new zero-downtime software upgrade capability for improved
  uptime
  [Diagram: Active / Active appliance pair]

Intelligent Network Integration
• Provides QoS traffic prioritization for improved handling of latency
  sensitive traffic
• Adds IPv6 support for hybrid IPv4/IPv6 network environments
• Delivers PIM sparse mode multicast support for improved support for
  streaming data delivery services, video conferencing, and other
  mission-critical real-time enterprise applications
  [Diagram: Quality of Service]

Application Inspection and Access Control
Services Convergence Enables Stronger Security

Full Service Firewall with Application Inspection and Control:
  Stateful Layer 3-7 Inspection
  Application and Access Control
  Dynamic Protocol Descriptor Updates
  Quality of Service

Enables Control of:
  Peer-to-peer: Kazaa and Gnutella
  Instant Messaging
  HTTP and Port 80
  Tunneled Applications
  Voice over IP
  And many more!

[Diagram: traffic from the Public Internet reaches the ASA 5500; Business
Traffic is passed while Peer to Peer and Tunneled Apps are blocked.]

Designed from the ground up for reliable dynamic control of the
application layer

Zero-Hour Worm Mitigation – At Line Rate!
Services Convergence Enables Stronger Security

Line Rate Analysis:
  De-obfuscation
  Deep Packet Inspection
  Protocol Anomaly Detection
  Heuristic Analysis
  Traffic Normalization

Comprehensive Response:
  Attack Drop
  Session Removal
  Server DoS Protection through Session Resets

[Diagram: Slammer, MS Blaster, Witty, Code Red, NIMDA and
W32.Tomorrow’s-Threat arriving from the Public Internet are stopped at the
ASA 5500.]

Leverages depth of IPS, firewall, and zero-hour protection features to stop
malicious worms and viruses…and without a performance loss!

Cisco ASA 5500 Series Provides Highly Flexible and Scalable VPN Services

Access Scenarios:
  Site-to-Site Connectivity
  Managed Desktop
  Employee Desktop
  SSL Kiosk Access
  Full or Limited Network Access
  Partner Access

Converged IPSec, WebVPN, Firewall:
  Inspect/Control VPN Sessions
  Single RA VPN Device Infrastructure
  Unified User Management
  Unmatched Scalability
  Comprehensive Load Balancing

[Diagram: Supply Partner Extranet, Branch Office (Site-to-Site IPSec),
Account Manager Mobile User (SSL) and Employee at Home on an Unmanaged
Desktop (IPSec) all reach the ASA 5500 across the Public Internet.]

Combined IPSec and WebVPN services allow tailored solutions for a
business's growing connectivity and scalability requirements

Cisco ASA 5500 Series Product Lineup
Solutions Ranging from SMB to Large Enterprise

                              Cisco ASA 5510    Cisco ASA 5520    Cisco ASA 5540
Target Market                 SMB and SME       Enterprise        Large Enterprise
List Price (starting at)      $3,495            $7,995            $16,995

Performance
  Max Firewall                300 Mbps          450 Mbps          650 Mbps
  Max Con. Threat Mitigation  150 Mbps          375 Mbps          450 Mbps
  Max IPSec VPN               170 Mbps          225 Mbps          325 Mbps

Base Platform Services
  ASA 5510: App FW, IPSec and SSL VPN, and more; A/S HA (Upg.); 3 FE to 5 FE
  ASA 5520: Same as 5510, plus A/A Failover, VPN Clustering; 4 GE + 1 FE
  ASA 5540: Same as 5520, with higher performance and scalability

Cisco ASA 5520/5540 Adaptive Security Appliances
Product Tour

[Chassis callouts]
• Four 10/100/1000 Copper Gigabit Ports
• One 10/100 Out of Band Management Port*
• One Expansion Slot for Add’l Accelerated Services or I/O
• Two USB 2.0 Ports for Future Expansion (Credentials, Failover, and more)
• Compact Flash for Software, Config, and Log Storage
• Sleek, High Performance 1 Rack Unit (RU) Design
• Diskless Architecture for High Reliability
• Single Field Upgradeable AC or DC Power Supply
• Console and AUX Ports
• Five Status LEDs (Power, Status, Active, VPN, Flash)

Cisco ASA Security Services Module (SSM) 10 & 20
Product Tour

• High Performance Module for Additional Services
• Diskless (Flash-Based) Design for Improved Reliability
• Gigabit Ethernet Port for Out-of-Band Management, etc.
• Thumbscrews for Easy Insertion and Removal

Licensing on the Cisco ASA 5500 Series

• All primary Firewall and VPN services in base systems
• Several licenses enable additional feature content
  ASA 5510 Security Plus – Active/Standby HA, VLANs, capacity
  ASA 5520/5540 VPN Plus/Premium – Unlocks add’l VPN peers
  Security Contexts – Several tiers available: 5, 10, 20, and 50
  GTP Inspection – Enables 3G Mobile Wireless security features
• Additional services delivered via Security Svc Modules
  Full featured, high performance IPS services (AIP SSM)
  Requires IPS Services contract for signature updates
  More services to come in the future

Cisco ASA Adaptive Security Appliances
Industry Certifications and Evaluations

• Common Criteria
Future: EAL4+, v7.0(4) – ASA Family
• FIPS 140
Future: Level 2, v7.0(4) – ASA Family
• ICSA Firewall 4.1, Corporate Category
Future: v7.0(1) – ASA Family
• ICSA IPSec 1.1D
Future: v7.0(1) – ASA Family
• VPNC
Tentative: v7.0(1) – ASA Family

Comprehensive Management, Monitoring & Response
Converged Services Reduce Complexity and Costs

Device Management
• Integrated, web-based mgmt
• Converged configuration – FW, IPS, VPN, AV
• Real-time monitoring tools
  Cisco Adaptive Security Device Manager (ASDM)

System Management
• Multi-device integrated mgmt
• Enterprise-scale provisioning
  CiscoWorks VPN/Security Management (VMS) System
  Solsoft Policy Server

Monitoring and Response
• Multi-platform event management and response
• Sophisticated data reduction and correlation
  Cisco Security MARS
  CiscoWorks SIMS

Auditing
• Device posture validation against industry “best practices” and
  regulatory compliance
  Cisco Security Auditor

Cisco Adaptive Security Device Manager (ASDM) v5.0
Next-Generation of Popular Cisco PIX Device Manager

• Adds support for all major new features introduced in PIX OS v7.0
• Homepage includes new features, such as:
  - Platform uptime
  - Security Contexts
  - Real-time syslog viewer (last ten)
  - Improved navigation
  - Powerful search capabilities
  - And more!

Cisco Adaptive Security Device Manager (ASDM) v5.0
Robust Firewall Management and Monitoring

• Cisco ASDM v5.0 delivers robust firewall management and monitoring of a
  Cisco ASA appliance
• Supports full configuration of:
  - Access control lists
  - Network and service object groups
  - Inspection Engines
  - NAT/PAT
  - AAA and more
• Supports monitoring of:
  - Syslog (real-time)
  - Connections
  - Throughput & more!

Cisco Adaptive Security Device Manager v5.0
Comprehensive VPN Management and Monitoring

• Cisco ASDM v5.0 delivers comprehensive remote access and site-to-site
  VPN management and monitoring of a single Cisco ASA appliance
• Supports full configuration of:
  - WebVPN
  - IPSec RA groups
  - S2S tunnels
  - AAA, DHCP, & more!
• Supports monitoring of:
  - Uptime, bytes xfered, by tunnel
  - VPN usage trends

Cisco Adaptive Security Device Manager v5.0
Extensive IPS Management and Monitoring

• Cisco ASDM v5.0 delivers extensive IPS management and monitoring of a
  single Cisco ASA appliance
• Supports full configuration of:
  - Engines
  - Signatures
  - Threat Risk Rating
  - IPS Actions
  - And more!
• Supports monitoring of:
  - Events
  - Diagnostic reports
  - Sensor statistics

Summary: Cisco ASA 5500 Series
Three takeaways…

• Eliminates security tradeoffs with converged security services
• “Single platform, many uses” reduces operational costs
• Unprecedented technology extensibility adapts to new threats

