ASA SSL VPN security

  • This slide maps the “old world” of technology silos to the new world of Cisco Adaptive Threat Defense solutions. This is the last time the traditional silos appear in this presentation. Key points: ASA is built on market-proven technologies from the Cisco platforms listed above, which is a key differentiator. Most “multi-function” security devices are strong in one area and weak in the others, forcing customers to give up features in such a device. Cisco built this device from the best of its security technologies, all of which are road-tested and proven in customer environments. All of these security/VPN technologies sit on a foundation of “Network Intelligence”, meaning ASA is network aware and therefore won’t “break” network traffic and applications such as VoIP or virtualized or VLAN’d networks. ASA converges all of these technologies to deliver the ATD and VPN services listed at the right. This is the same ATD message as in the previous slides, brought down to the actual product implementation level (i.e. the ATD product customers can buy).
  • This slide gives more detail on the ATD, VPN and network-awareness items listed on the previous slide. The key message: ASA is the first multi-function security device in the market where multi-function doesn’t require feature or performance trade-offs. Application security: ASA delivers port-80 application inspection and control for peer-to-peer, IM, and other often unwanted application traffic; all the granular traffic analysis that comes from its embedded IPS technology; and deep VoIP traffic inspection, protocol validation and other VoIP security features. Anti-X: stops all the things listed above. Also offers on-device security event correlation and risk rating event response “tuning” to increase the accuracy of classifying threats so that appropriate action may be taken. NCC: in this area, ASA delivers typical NCC features like layer 3 and 4 firewall/access control features and stateful traffic inspection to control network user and application access. VPN: ASA offers all the “Easy VPN” features for touchless remote access and remote device VPN configuration. ASA also offers basic SSL VPN services, and provides site-to-site VPN services with QoS and routing support. All of the ATD features can be applied to the VPN services to ensure the VPN doesn’t become a conduit for worms, viruses, etc. This enables “threat-protected” VPN without any additional cost or operational complexity. Network awareness: ASA supports all the features listed here to make sure that ASA inserts gracefully into the network and doesn’t disrupt traffic or applications.
  • PIX OS 7.0 introduces powerful new web inspection services that provide two classes of protection. First, PIX OS 7.0 provides visibility and control of Instant Messaging, Peer-to-Peer, and other tunneling applications (such as GoToMyPC.com). Secondly, PIX OS 7.0 gives businesses robust control over what actions users can perform when accessing websites. A common example: you can now create a policy stating that traffic coming from the Internet to a web server on a DMZ can only view web pages, not edit or delete them. Correspondingly, a second policy could state that the staging web server can edit and/or delete content on the production web server. Additional capabilities include MIME type filtering, giving administrators further control over what type of web content is acceptable in their environment. The new HTTP inspection engine in PIX OS 7.0 provides the following major features:
1. Check whether an HTTP message is compliant with the RFC. This includes checking the request message to ensure its method is one of the predefined methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT. If the request message does not contain one of these methods, a check is made to verify that it is an extension method. If both checks fail, the user is alerted. The default action is a syslog message, but it can be changed through configuration to reset the TCP connection.
2. Configure which HTTP methods (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) are permitted through the firewall. By default all the predefined methods in the RFC are permitted. This list can be narrowed using the CLI/ASDM. When a message contains a method that is not permitted, the action specified by the user in the policy is executed.
3. Specify which extension methods are allowed through the firewall. If a message contains neither a predefined HTTP request method nor an extension method, it is considered non-compliant with the RFC. Once again, whether such messages are passed or logged is decided by the user during configuration. The default behavior is to allow all the hard-coded extension methods. Examples of extension methods include INDEX, MOVE, etc. For a complete list of supported extension methods, refer to Appendix A.
4. Select whether only a subset of MIME types is permitted through the firewall. The user is given a predefined list of MIME types, e.g. image/jpeg, text/html, application/msword, audio/mpeg, and can choose whether only the MIME types in this list are permitted or all MIME types are acceptable. The default behavior is to allow all MIME types.
5. Configure the minimum and maximum size of an HTTP message body. When a request or response HTTP message passes through the firewall, a check is made to ensure that it meets the size constraints; if it does not, the action the user configured for this policy is executed.
6. Verify that the content-type specified in the header matches what is actually carried in the body of the HTTP message. If a discrepancy is noticed, the action the user configured is executed.
7. Validate that the content-type in the response message is one of those listed in the request message’s accept-type field. Once again, if a violation is detected, the action specified in the policy is taken.
8. Specify whether all traffic not compliant with the HTTP standard should be permitted or logged. By default, all non-HTTP traffic is disallowed through the firewall. The user can change this default behavior during configuration.
9. Filter HTTP messages on keywords. When a message carrying the keyword is detected, the appropriate action for this rule is taken. An example where this is useful is looking for Yahoo Messenger running over HTTP: the keyword YMSG should be in the first 4 bytes of the HTTP data.
10. Specify the maximum header length for HTTP request and response messages.
11. Configure the maximum size of URI permitted through the firewall.
12. Catch double encoding attacks (aka de-obfuscation).
New CLI introduced for this inspection engine includes:
inspect http map <http_map_name>
http-map <map_name>
Note: these are used as part of the new Modular Policy Framework introduced in PIX OS 7.0. Once a particular traffic stream (possibly on port 80, 8080, or any other user-specified port) is selected, the http-map further refines which traffic to target and what actions to take when offending traffic is found. In the http-map sub-mode, the following new commands are added: strict-http, content-length, content-type-verification, max-header-length, max-uri-length, port-misuse, request-method, transfer-encoding. Usage of these sub-mode commands is as follows:
strict-http action {allow | reset | drop} [log]
content-length {min <bytes> max <bytes> | min <bytes> | max <bytes>} action {allow | reset | drop} [log]
content-type-verification [match-req-rsp] action {allow | reset | drop} [log]
max-header-length {request <bytes> response <bytes>} action {allow | reset | drop} [log]
max-uri-length <bytes> action {allow | reset | drop} [log]
request-method rfc <rfc_method> action {allow | reset | drop} [log]   (used for RFC 2616 conformance checking)
request-method ext <ext_method> action {allow | reset | drop} [log]   (used for extension methods)
  <rfc_method>: connect | delete | get | head | options | post | put | trace | default
  <ext_method>: index | move | mkdir | copy | edit | unedit | save | lock | unlock | revlabel | revlog | revadd | revnum | setattribute | getattribute | getproperties | startrev | stoprev | default
port-misuse <appl_category> action {allow | reset | drop} [log]
  <appl_category>: p2p | tunneling | im | default
transfer-encoding type <coding_types> action {allow | reset | drop} [log]
  <coding_types>: default | chunked | compress | deflate | gzip | identity
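As an added illustration (not Cisco code and not part of the original slides), the following Python models the request-side http-map checks listed above on a raw HTTP request: strict-http parsing, request-method rfc/ext allow lists, max-uri-length, max-header-length, content-length bounds, transfer-encoding filtering and double-encoding detection. The policy values, sample requests and function names are constructed assumptions; the response-side checks (content-type-verification, port-misuse keywords) are not modelled.

```python
from urllib.parse import unquote

# Method sets as listed in the http-map usage above (RFC 2616 methods and extension methods).
RFC_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
EXT_METHODS = {"INDEX", "MOVE", "MKDIR", "COPY", "EDIT", "UNEDIT", "SAVE", "LOCK", "UNLOCK",
               "REVLABEL", "REVLOG", "REVADD", "REVNUM", "SETATTRIBUTE", "GETATTRIBUTE",
               "GETPROPERTIES", "STARTREV", "STOPREV"}
KNOWN_CODINGS = {"chunked", "compress", "deflate", "gzip", "identity"}

# Constructed policy modelled on the http-map sub-mode commands (values are assumptions).
POLICY = {
    "strict-http": {"action": "reset"},
    "request-method": {"rfc": {"GET", "HEAD", "POST"}, "ext": set(), "action": "drop"},
    "max-uri-length": {"bytes": 256, "action": "drop"},
    "max-header-length": {"request": 1024, "action": "drop"},
    "content-length": {"min": 0, "max": 4096, "action": "drop"},
    "transfer-encoding": {"deny": {"compress"}, "action": "drop"},
    "double-encoding": {"action": "drop"},
}


def parse_request(raw: bytes):
    """Split a raw request into (method, uri, headers, body, header_bytes).
    Raises ValueError on anything that is not well-formed HTTP (the strict-http case)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers, body, len(head)


def is_double_encoded(uri: str) -> bool:
    """If decoding a second time still changes the URI, an encoded byte was hidden
    inside another encoding layer (the de-obfuscation check)."""
    once = unquote(uri)
    return once != unquote(once)


def inspect(raw: bytes):
    """Apply the policy in order; the first violated rule decides, like an inline map.
    Returns (action, reason) with action in {'allow', 'reset', 'drop'}."""
    try:
        method, uri, headers, body, header_bytes = parse_request(raw)
    except ValueError as err:
        return POLICY["strict-http"]["action"], f"strict-http: {err}"

    rm = POLICY["request-method"]
    if method in RFC_METHODS:
        if method not in rm["rfc"]:
            return rm["action"], f"request-method rfc {method.lower()}"
    elif method in EXT_METHODS:
        if method not in rm["ext"]:
            return rm["action"], f"request-method ext {method.lower()}"
    else:  # neither predefined nor extension method: non-compliant with the RFC
        return POLICY["strict-http"]["action"], f"strict-http: unknown method {method}"

    if len(uri) > POLICY["max-uri-length"]["bytes"]:
        return POLICY["max-uri-length"]["action"], "max-uri-length"
    if header_bytes > POLICY["max-header-length"]["request"]:
        return POLICY["max-header-length"]["action"], "max-header-length request"
    if is_double_encoded(uri):
        return POLICY["double-encoding"]["action"], "double-encoding"

    cl = POLICY["content-length"]
    if not cl["min"] <= len(body) <= cl["max"]:
        return cl["action"], "content-length"

    te = POLICY["transfer-encoding"]
    codings = [c.strip().lower() for c in headers.get("transfer-encoding", "").split(",") if c.strip()]
    for coding in codings:
        if coding not in KNOWN_CODINGS:
            return POLICY["strict-http"]["action"], f"strict-http: unknown coding {coding}"
        if coding in te["deny"]:
            return te["action"], f"transfer-encoding type {coding}"
    return "allow", "ok"


# Constructed sample requests.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
PUT_REQ = b"PUT /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n"
DOUBLE = b"GET /%252e%252e/private HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for sample in (GOOD, PUT_REQ, DOUBLE):
        print(sample.split(b"\r\n")[0].decode(), "->", inspect(sample))
```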
  • Ensure resilient network protection.
  • Today, when a system connects to the network, its identity is typically checked via identity mechanisms such as one-time passwords. However, no check is made to see whether that system is compliant with corporate security policy. Even if a network has been purged of known threats, the entry of a non-compliant system once again makes that network vulnerable to attack. For example, an infected system could immediately begin to spread a worm throughout the corporate network. Alternatively, it might be down-rev with respect to operating system patch levels, thus creating a new vulnerability that opens the network to external attack. Even the most conscientious users can be at risk: systems may be shut down or off the network when signature files are scheduled for update. Even scripts that enforce “push mechanisms” for patches or virus signatures can only do so AFTER the system has been connected to the network. Complications such as these are one of the primary reasons worms, viruses, and other threats continue to propagate after a fix has been released and applied. The more time that elapses before all systems are brought into compliance, the greater the risk. And that’s the problem: time itself. As John stated, people cannot react quickly enough to ensure that all of these safeguards are in place. An automated system is required.
  • New with version 5.0, Cisco enhances threat identification by recognizing and identifying new threat vectors such as spyware and adware, protecting the network through its control of the transmission of confidential data, as well as policing the network traffic to filter out spyware communications. Also network viruses: Cisco leverages its partnership with Trend Micro to integrate late-breaking malware coverage, improving virus coverage and response time. Another vector of threat identification is application abuse: deep inspection for web protection and control of “port 80 misuse”, as well as control of Instant Messaging and Peer-to-Peer methods/commands and other MIME types. And finally, Cisco protects Voice over IP traffic by ensuring protocol compliance for call setup, protecting voice gateways from attacks, and preventing excess memory allocation from URL overflows.
  • SYN Cookie: SYN cookies are a way to mitigate TCP spoofed SYN attacks. The attacker sends SYN packets that lie about their source address. TCP resource exhaustion occurs because the server must maintain state for each embryonic (half-open) connection, one per SYN packet. If the source replies to the SYN-ACK, it does not cause server exhaustion. The SYN cookie serves as a proxy for the TCP connection to the server: the sensor acts as an endpoint for the server from the source side, as if the sensor were the final destination. So if there is a SYN attack, the server never sees the SYN packet. Support for SYN cookies therefore allows the security device to keep no state for the connection until it has been proven valid. Main reason: traceback. The attacker sends a SYN, the server sends a SYN-ACK, and the underlying OS of the attacker automatically sends a RST packet to the server. When the server sees the RST it drops the connection state. The attacker’s OS sends a RST rather than an ACK because most OSs limit the memory spent keeping state for embryonic (half-open) connections. So the RST (sent from attacker to server) thwarts the flooding process.
TCP worm detection: for every TCP flow that has seen a SYN packet and no other packet for X seconds, send an event to the AD with type TCP-non-established and data holding the 5-tuple (source IP, dest IP, proto=TCP, source port, dest port). UDP worm detection: the event definition for UDP is a short, unidirectional, inactive connection: a UDP connection that has fewer than a predefined number of packets, with all packets going in only one direction, and that is idle for more than a time period. Non-allocated addresses: the user can define 3 lists: internal, external, and unallocated. There are 2 non-allocated address types. Globally unallocated: IP blocks that AT&T owns that haven’t been assigned. Inside the org, addresses are probably allocated in a systematic fashion (10.1, 10.2, ...), so 10.10 is not allocated, and anyone approaching 10.10 is suspect. Behavioral: for each destination port, we keep a histogram that expresses the distribution of the source IPs according to their scanning "behavior." More precisely, the histogram is a table such that entry X contains the number of source IPs that had incomplete connections to more than X destination IPs.
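The TCP-non-established, UDP short-unidirectional, unallocated-address and per-port histogram definitions above, worked through in Python as an added example (not Cisco code): flows are assembled from a constructed packet trace, the three event types are derived from them, and the histogram entry X counts source IPs with incomplete connections to more than X destination IPs. Thresholds, address lists and all names are assumed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Flow:
    first_seen: float
    last_seen: float
    packets: int = 0
    directions: set = field(default_factory=set)  # {"fwd"}, {"rev"} or both
    saw_syn: bool = False


def build_flows(packets):
    """Fold packets (ts, src, dst, proto, sport, dport, flags) into flows keyed by the
    initiator's 5-tuple; replies are matched by reversing the tuple."""
    flows = {}
    for ts, src, dst, proto, sport, dport, flags in packets:
        fwd = (src, dst, proto, sport, dport)
        rev = (dst, src, proto, dport, sport)
        key = rev if rev in flows else fwd
        f = flows.setdefault(key, Flow(first_seen=ts, last_seen=ts))
        f.last_seen = max(f.last_seen, ts)
        f.packets += 1
        f.directions.add("fwd" if key == fwd else "rev")
        if proto == "TCP" and "S" in flags and "A" not in flags:  # a bare SYN
            f.saw_syn = True
    return flows


def tcp_non_established(flows, now, idle_secs):
    """TCP-non-established events: flows that saw a SYN and nothing else for idle_secs."""
    return sorted(k for k, f in flows.items()
                  if k[2] == "TCP" and f.saw_syn and f.packets == 1
                  and now - f.last_seen >= idle_secs)


def udp_short_unidirectional(flows, now, max_packets, idle_secs):
    """UDP events: fewer than max_packets, all in one direction, idle longer than idle_secs."""
    return sorted(k for k, f in flows.items()
                  if k[2] == "UDP" and f.packets < max_packets
                  and len(f.directions) == 1 and now - f.last_seen >= idle_secs)


def scan_histogram(events):
    """Per destination port, entry X counts the source IPs that had incomplete
    connections to more than X distinct destination IPs."""
    targets = defaultdict(lambda: defaultdict(set))  # port -> src -> {dst}
    for src, dst, _proto, _sport, dport in events:
        targets[dport][src].add(dst)
    hist = {}
    for port, by_src in targets.items():
        fanout = [len(dsts) for dsts in by_src.values()]
        hist[port] = [sum(1 for n in fanout if n > x) for x in range(max(fanout))]
    return hist


# Constructed address lists; unallocated blocks sit inside the internal range, so they
# are checked first.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
UNALLOCATED = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("10.200.0.0/16")]
EXTERNAL = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]


def classify_address(addr):
    ip = ipaddress.ip_address(addr)
    for label, nets in (("unallocated", UNALLOCATED), ("internal", INTERNAL), ("external", EXTERNAL)):
        if any(ip in net for net in nets):
            return label
    return "unknown"


def unallocated_hits(events):
    """Incomplete connections aimed at addresses nobody uses: the strongest scan signal."""
    return [e for e in events if classify_address(e[1]) == "unallocated"]


# Constructed packet trace (ts, src, dst, proto, sport, dport, tcp_flags).
PACKETS = [
    *[(float(i), "192.0.2.10", f"10.1.0.{i + 1}", "TCP", 40000 + i, 445, "S") for i in range(5)],
    (5.0, "192.0.2.10", "10.10.0.9", "TCP", 40005, 445, "S"),    # probes an unallocated host
    (0.5, "198.51.100.5", "10.1.0.30", "TCP", 51000, 445, "S"),
    (1.5, "198.51.100.5", "10.1.0.31", "TCP", 51001, 445, "S"),
    (2.0, "10.1.0.7", "10.1.0.20", "TCP", 52000, 445, "S"),      # legitimate 3-way handshake
    (2.1, "10.1.0.20", "10.1.0.7", "TCP", 445, 52000, "SA"),
    (2.2, "10.1.0.7", "10.1.0.20", "TCP", 52000, 445, "A"),
    (1.0, "192.0.2.10", "10.1.0.3", "UDP", 40100, 1434, ""),     # single unanswered datagram
    (3.0, "10.1.0.7", "10.1.0.53", "UDP", 53000, 53, ""),        # answered DNS exchange
    (3.1, "10.1.0.53", "10.1.0.7", "UDP", 53, 53000, ""),
]
NOW = 60.0
FLOWS = build_flows(PACKETS)
TCP_EVENTS = tcp_non_established(FLOWS, NOW, idle_secs=30.0)

if __name__ == "__main__":
    print("TCP-non-established:", TCP_EVENTS)
    print("UDP short/unidirectional:", udp_short_unidirectional(FLOWS, NOW, 3, 30.0))
    print("histogram:", scan_histogram(TCP_EVENTS))
    print("unallocated targets:", unallocated_hits(TCP_EVENTS))
```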
  • Risk Rating offers unprecedented reliability and complete confidence to enable your inline prevention deployment. Traditional intrusion prevention has relied on severity rating as its sole method of determining the potential damage associated with an event. In contrast to the simplistic ratings used by traditional IPS solutions, which only consider values like event severity, RR uses 4 discrete terms whose aggregate delivers the RR value. Some of these terms are user definable. The terms are: Event severity, a rating indicating the potential damage per event. Signature fidelity, a rating indicating the accuracy of the signature, for example how prone that specific signature is to a false positive (in v5.0 each signature is delivered with its own fidelity rating). Asset value, which allows the user to define the value of various mission-critical components on the network; so if a mission-critical server contains credit card information, for example, the asset value for that server can be escalated. Attack relevancy, a value based on the susceptibility of the target to this attack type. The aggregate of these values provides a single Risk Rating for the event. Most of these terms are configured by default and require minimal user involvement. The Risk Rating is then applied to each signature. It takes a value between 0 and 100, and the higher the RR value, the greater the confidence that the detected event is an indication of malicious activity (vs. a false positive). RR thresholds may be applied to dictate the response actions applied to certain behavior detected by the sensor. For example, if the user sets 2 thresholds at 30 and 80, he may also set associated actions that the sensor must dynamically execute once those thresholds are exceeded.
So according to the preceding example, the user may choose to generate an alarm only when RR < 30, perhaps generate an alarm and perform an ACL modification on a router for alarms that have an RR between 30 and 80, and drop the packet without displaying the alarm when the RR value exceeds 80, since this indicates a high confidence level that the event generated is actually a true event.
  • Enhanced portal design eliminates the mandatory pop-up toolbar. Drag & drop webified file access. Support for a new webified file transport (FTP). Head-end deployed applets for telnet, SSH, RDP, and VNC, as well as an overall framework to support new plug-ins. Advanced port-forwarder for Windows (SmartTunnel): least-privileged operation providing access to TCP-based applications without the need to manually configure individual ports. IPv6 internal resource access over an IPv4 connection. Text resources will be externalized, allowing for administratively defined translation/localization of all user-visible content. Ability to define RSS newsfeeds on the portal page. Access the AnyConnect (network access) client from the portal page. Personal bookmark support. Transformation enhancements including Flash support.
  • I think this is enhanced authorization (vs. authentication) if we're referring to the functionality that allows us to map users better, taking into account LDAP and posture status.
  • Details at http://stg-wiki.cisco.com/index.php/Cisco_AnyConnect. What is the Cisco AnyConnect VPN Client? A. The Cisco AnyConnect VPN Client is the next generation of the Cisco SSL VPN Client. It provides many new options that were not previously available with the SSL VPN Client, including, but not limited to: additional platform support for Microsoft Vista 32-bit (x86), Vista 64-bit (x64), Windows XP 64-bit (x64), Mac OS X, Linux Intel and Windows Mobile 5 handheld devices (Pocket PC Edition, release estimate ~CY4Q07); optimized tunneling for latency-sensitive traffic using Datagram Transport Layer Security (DTLS); the ability to establish a standalone VPN connection without needing to use a web browser; the ability to establish a VPN connection through a clientless portal link (download and/or auto-launch AnyConnect); and a Microsoft Installer package for simplified pre-deployment.
  • This slide provides information for the administrator on where to configure Proxy/PAC support.
  • DTLS stands for Datagram Transport Layer Security and is defined in RFC 4347. It was created to deal with datagram-based applications that are latency sensitive. It is implemented as part of the standard OpenSSL package, and to a firewall it looks like SSL over UDP.
  • The AnyConnect 8.0 clientless interface is highly customizable and localizable. Administrators can add non-English language text, change the information shown, configure population of newsfeeds via RSS, and even allow users to have their own personal customization and bookmarks. The customization/bookmark information is stored off-device on a file server and accessed via the CIFS (or FTP) protocol, which allows the information to be shared easily between multiple devices. Additional sophisticated web content is supported in clientless mode with every release. In addition, Single Sign On (SSO) options have been extended in the ASA 8.0 release to include support for the RSA Access Manager protocol via the SAML protocol. Previous support was available for CA Siteminder (Netegrity) and Basic/NTLM/Form-based pass-through. In addition, user information such as login username and password can now be sent via a web link to ease the SSO process. WebFolders is a new feature that allows the administrator to make use of the native Windows Explorer application to manage webified file shares. This feature is compatible with the Internet Explorer browser on Windows platforms. Smart Tunnels is described in more detail later in the presentation. The goal of Smart Tunnels is to provide access to as many TCP-based applications as possible without the need for administrative rights on the remote system. This feature is compatible with most Winsock v2 compliant TCP applications, but does not presently provide compatibility for Outlook communicating with an Exchange server (MAPI). This is a Windows 2000 & XP (x86) feature only.
  • This is a screenshot of the new clientless user interface in ASA 8.0. A significant portion of the information shown is customizable and the interface has been redesigned to focus on the end user experience.
  • The screenshot shown on this slide is for webified file access. The WebFolder user experience is similar to that of Windows Explorer. New support is available for the FTP protocol in ASA 8.0; current support includes CIFS and FTP.
  • The left screenshot shows how the administrator imports a plugin. The right side shows an example pull-down list with options for the configured plugins.
  • Example ICA bookmark URLs. Access 2003: ica://10.86.92.135?InitialProgram=#Microsoft Office Word 2003&TWIMode=on ; Powerpoint: ica://10.86.92.135?InitialProgram=#Microsoft Office Powerpoint 2003&TWIMode=on ; Desktop: ica://10.86.92.135?InitialProgram=#desktop&TWIMode=on
  • Flow of a CSD-protected connection. Secure Session, also called Secure Desktop or Vault, encrypts the data and files associated with or downloaded during the remote session into a secure desktop partition, and presents a graphical representation of a desktop that includes an image of a lock to signify a safe environment for the remote user to work in. Upon session termination, it uses a U.S. Department of Defense (DoD) sanitation algorithm to remove the partition. Typically used during clientless SSL VPN sessions, Secure Session attempts to reduce the possibility that cookies, browser history, temporary files, and downloaded content remain after a remote user logs out, the session times out, or an abrupt termination occurs. Secure Session runs on Microsoft Windows Vista, Windows XP, and Windows 2000. If a prelogin policy is configured to install Secure Session but the operating system on the remote computer does not support it, Cache Cleaner attempts to install instead. Secure Session does not encrypt or clean system memory information, including data that may be left on disk by the operating system in the Microsoft Windows virtual memory file, commonly referred to as the paging file. Secure Desktop Manager provides an option that seeks to disable printing from within a user session; if local printing is permitted, there may be instances when data remains in the local system print spool.
  • ASA 8.0 clientless enhancements: Enhanced Portal Design eliminates the mandatory pop-up toolbar; Drag & Drop webified file access; support for a new webified file transport (FTP); head-end deployed applets for telnet, SSH, RDP, and VNC, plus an overall framework to support new plug-ins; advanced port-forwarder for Windows (Smart Tunnel) providing least-privileged access to TCP-based applications without the need to manually configure individual ports; IPv6 internal resource access over an IPv4 connection; text resources externalized, allowing administratively defined translation/localization of all user-visible content; ability to define RSS newsfeeds on the portal page; access to the AnyConnect (network access) client from the portal page; personal bookmark support; transformation enhancements including Flash support.
  • Cisco Certifications Page (External): http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/networking_solutions_audience_business_benefit0900aecd8009a16f.html

    1. ASA Remote Access VPN Technologies: SSL VPN, WebVPN, IPSec VPN. http://www.cisco.com/go/security http://www.cisco.com/security Tim Ryan – tiryan@cisco.com, Security Consulting SE, CCIE, CISSP. Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
    2. Cisco ASA 5500 Series: Convergence of Robust, Market-Proven Technologies
        Market-proven technologies converged in the ASA: Firewall Technology (Cisco PIX); IPS Technology (Cisco IPS); Content Security Services (Trend Micro); VPN Technology (Cisco VPN 3000); Network Intelligence (Cisco Network Services).
        Adaptive Threat Defense and Secure Connectivity services delivered: Application Security (App Inspection, Use Enforcement, Web Control); IPS & Content Security (Malware/Content Defense, Anomaly Detection); Network Containment and Control (Traffic/Admission Control, Proactive Response); Secure Connectivity (IPSec & SSL VPN).
    3. Cisco ASA 5500 Series: Threat Protected VPN Services. Leveraging On-Board Security to Protect the VPN Threat Vector
        Threats arriving over the remote access VPN user session: Worm/Virus, Spyware, Exploit, Unwanted Application, Illegal Access.
        • Application Firewall and Access Control: Application Inspection/Control; Granular, Per-User/Group Access Control; Protocol Anomaly Detection; Stateful Traffic Filtering
        • Threat Mitigation: Incident Control; Virus Detection; Worm Mitigation; Spyware Detection
        • Comprehensive Endpoint Security: Pre-Connection Posture Assessment; Malware Mitigation; Session/Data Security; Post-Session Clean-Up
        • Accurate Enforcement: Real-Time Correlation; Risk Rating; Attack Drop; Session Removal and Resets
        Leverages the depth of threat defense features to stop malicious worms, viruses, and more, without external devices or performance loss.
    4. VPN Technologies for Remote Clients
        Encrypted connection protocols:
        • SSL tunnel uses the SSL protocol with RC4 or AES to encrypt data
        • IPSec tunnel uses the IPSec protocol with DES, 3DES or AES to encrypt data
        Encrypted client options supported by the ASA:
        • AnyConnect VPN Client is an SSL-based VPN client that is installed on a desktop and can tunnel any traffic (aka SVC)
        • WebVPN (aka Clientless VPN) uses the browser as the client with the ASA acting as a proxy. It can tunnel HTTP/HTTPS traffic and a limited number of other supported protocols such as CIFS, OWA, RDP, VNC, SSH and Telnet via plugins
        • Cisco VPN Client is an IPSec client that can tunnel any traffic except multicast.
    5. ASA VPN Configuration. The AnyConnect configuration document at the URL below is an excellent starting place for any ASA VPN configuration: http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00808efbd2.shtml
        Configure:
        Step 1. Configure a Self-Issued Certificate
        Step 2. Upload and Identify the SSL VPN Client Image
        Step 3. Enable AnyConnect Access
        Step 4. Create a new Group Policy
        Step 5. Configure Access List Bypass for VPN Connections
        Step 6. Create a Connection Profile and Tunnel Group for the AnyConnect Client Connections
        Step 7. Configure NAT Exemption for AnyConnect Clients
        Step 8. Add Users to the Local Database
    6. VPN Connection Flow Summary
        At client connection time, Group Policy settings take precedence over Connection Profile settings. If the Connection Profile has a setting and the Group Policy is set to "inherit", then the Connection Profile settings are used.
        ANYCONNECT CLIENT connection: Connection Profile (called tunnel group at the CLI) = SSLClientProfile; uses Group Policy = GroupPolicy1; Alias = SSLClient
        IPSEC CLIENT connection: Connection Profile (called tunnel group at the CLI) = IPSecVPN; uses Group Policy = IPSecClient; IPSec client settings: Groupname = IPSecVPN, pre-shared key = cisco123
        WEBVPN - BROWSER CLIENT connection: Connection Profile Clientless SSL VPN Access (tunnel group in CLI) = WebVPN; uses Group Policy = WebGroup; Alias = WebVPN
    7. AnyConnect Client Connection Config
        ANYCONNECT CLIENT Connection Profile SSLClientProfile: Alias = SSLClient; Authentication type = (local, AAA, Certs); uses Group Policy = GroupPolicy1; Connection Profile lock = SSL Client Profile; SSL VPN Client tunnelling protocol ONLY; Address pool = ECRU-1 10.199.0.1 – 10.199.7.254; DNS = 4.2.2.2; Default Domain = gtei.net; Split tunnel options = Default = tunnel all networks
        Test user: User1, pw = cisco123, locked to SSL Client profile, uses Group Policy1
    8. Client-Based SSL VPN (AnyConnect / SSL VPN Client)
    9. ASA 5500 version 8.0 VPN Clientless Access
        • Precise, granular access control to specific resources
        • Enhanced Portal Design: localizable, RSS feeds, personal bookmarks, AnyConnect Client access
        • Drag and Drop file access and webified file transport
        • Transformation enhancements including Flash support
        • Head-end deployed applets for telnet, SSH, RDP, and VNC; framework supports additional plug-ins
        • Advanced port-forwarder for Windows (Smart Tunnel) accesses TCP applications without admin privileges on the client PC
    10. Enhanced Remote Access Security
        • Enhanced authorization using policies and group information
        • Extended use of credentials
        • Always up to date via automatic updating (no admin)
        • Virtual keyboard option
        • SAML Single Sign-On (SSO) verified with RSA Access Manager (was ClearTrust)
        • Group/User-to-VLAN mapping support
        • Start Before Login for Vista
    11. Current Snapshot of VPN Client Offerings
        Attribute | Cisco VPN Client | Cisco SSL VPN Client | Cisco AnyConnect VPN Client
        Protocol | IPsec | SSL (HTTPS) | DTLS, SSL (HTTPS)
        Approximate size | 10 MB | 400 KB | 1.7 MB
        Initial install | distribute | auto download / distribute | auto download / distribute
        Admin rights required | yes (MSI available – Windows) | initial installation only | initial installation only (stub installer available)
        OS support | 2000/XP, Solaris UltraSparc | 2K/XP/Vista 32-bit, Linux, Mac OS X | 2K/XP/Vista (32 & 64-bit), Linux, Mac OS X, Win 2008 Server, Mobile 5/6
        Rebootless installs | No | Yes | Yes
        Head end | ASA/PIX/3K/IOS | ASA/3K/IOS | ASA/IOS
    12. Tunneling Protocol Comparison (Cisco SSL VPN Client)
        Attribute | HTTPS/SSL | DTLS/SSL | IPsec / IKEv1
        Locked-down firewall via TCP tunneling compatible | Yes | No |
        Proxy server compatible | Yes | No | No
        High performance transport | No | Yes | Yes
        Protocol fallback | N/A | HTTPS/SSL (TCP) |
        QoS friendly (DSCP preservation) | No | Possible | Yes
        Mobility friendly | No | Yes | Yes (IKEv2/Mobile IKE)
        Transport | TCP | UDP | ESP, UDP, Fake TCP
        Perceived customer value ($$s) | $$$ | $$$ | $
    13. AnyConnect VPN Client Installation: Dynamic or Manual Installation. The ASA downloads the client to the user based on group policy. The ASA can automatically download the client, or prompt the remote user to download it. Client packages are provided for manual install or distribution via a desktop management system.
    14. AnyConnect VPN Client Local LAN Access (Split Tunnel Variant). To verify the split tunnel configuration from the remote PC, open the AnyConnect VPN icon in the task tray, then select Statistics > Details > Route Details. In this example, only traffic to the local PC LAN (192.168.100.0/24) is sent in the clear (no VPN). All other traffic is sent encrypted over the VPN to the ASA.
    15. AnyConnect VPN Client: Datagram Transport Layer Security (DTLS). Defined in RFC 4347; implemented as part of the standard OpenSSL package.
        Limitations of TLS (HTTPS/SSL) with SSL VPN tunnels: TLS is used to tunnel TCP/IP over TCP/443; TCP requires retransmission of lost packets; both the application and TLS wind up retransmitting when packet loss is detected.
        DTLS solves the TCP-over-TCP problem: DTLS replaces the underlying transport TCP/443 with UDP/443; DTLS uses TLS to negotiate and establish the DTLS connection (control messages and key exchange); only datagrams are transmitted over DTLS.
        Other benefits: low latency for real-time applications. DTLS is enabled by default and dynamically negotiated at connect time. DTLS is optional and will automatically fall back to TLS (HTTPS).
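
The DTLS behaviour described on this slide, as an added ASA 8.0 CLI example (not configuration from the slides): the TLS control channel on TCP/443 is always built first, the DTLS data channel on UDP/443 is negotiated on top of it, and if UDP/443 cannot reach the outside interface the client silently stays on TLS. The group-policy name GroupPolicy1 is the one used on slide 6; the keepalive and DPD values are assumptions chosen so a lost UDP path is noticed within a minute:

```text
! Global listener: DTLS on UDP/443 next to the existing TLS listener on TCP/443
webvpn
 enable outside
 dtls port 443
 svc enable

! Per-group: permit the DTLS data channel and detect a dead UDP path quickly
! (values below are assumed, not from the slides)
group-policy GroupPolicy1 attributes
 webvpn
  svc dtls enable
  svc keepalive 20
  svc dpd-interval client 30
  svc dpd-interval gateway 30
```

To confirm which transport a connected user actually got, use show vpn-sessiondb detail svc: a session that negotiated DTLS lists a DTLS-Tunnel in addition to the SSL-Tunnel. A session showing only the SSL-Tunnel is the fallback case from the slide, which in practice means UDP/443 is filtered somewhere between the client and the ASA outside interface; the user still works, but over TCP-in-TCP with the retransmission penalty described above.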
    16. Clientless WebVPN Features
    17. For End-Users, Seamless Access Anywhere: Personalized application and resource access
        • Personalized homepage: localizable, RSS feeds, personal bookmarks, etc.
        • Delivers web-based and traditional applications: sophisticated web and other applications delivered seamlessly to the browser; SAML Single Sign-On (SSO) verified with RSA Access Manager
        • Intuitive user experience: Drag and Drop file access and webified file transport
        • Delivers key applications beyond the browser: Smart Tunnels deliver more applications without admin privileges
    18. For End-Users, Seamless Access Anywhere: Enhanced clientless interface, highly customizable. Customizable banner graphic, banner message, access methods, links, colors and sections, and network resource access.
    19. Clientless WebVPN: Personal Bookmarks
        • Specify the personal storage location under Group Policy
        • Users can add/delete personal bookmarks that persist between WebVPN sessions.
    20. Clientless WebVPN: Browsing Networks. Clientless file access for CIFS and FTP.
        • Click the icon from the web portal to browse networks, OR
        • Click the Browse Entire Network link under the Browse Networks application
    21. Clientless WebVPN: Java Client/Server Plugins - Details
        • When clicking on a resource link, a dynamic page is generated that hosts the Java applet(s).
        • The Java applet(s) are rewritten, re-signed, and automatically wrapped with Cisco's helper agent.
        • The Java applet(s) are transparently cached in the ASA cache.
    22. Clientless WebVPN Plugins: RDP, VNC, Sametime, SSH, Telnet, Post
        • Remote Desktop plugin for Windows Terminal Services: native Windows support using ActiveX, or the ProperRDP client using Java
        • Virtual Network Computing (VNC) remote server access based on TightVNC
        • SSH/Telnet: combined open source plugin provides either SSHv1 or Telnet access to manage devices and servers
        • Lotus Sametime: secure instant messaging application from IBM
        • POST plugin: provides a portal homepage with optional SSO
    23. Clientless WebVPN Plugins: Citrix Plugin
        • Link directly to Citrix applications from the portal
        • Plugin supports all Citrix Java client parameters/features.
        • ASA optimizes performance by downloading components as needed.
        • Verify your Citrix EULA grants rights and permissions to deploy the client
    24. Clientless WebVPN: Native Citrix Support (No Plugin)
        • ASA automatically intercepts web traffic with content type ICA from the Web Presentation Server and modifies the returned ICA file to the client to ensure the ASA proxies the session.
        • The Java or ActiveX ICA client is also pushed down to the client if a standalone client is not running on the endpoint.
    25. Clientless WebVPN: Smart Tunnels
        • Smart Tunnels are application-level port forwarding.
        • A Smart Tunnel is a connection between a Winsock 2, TCP-based application and the private site, using a clientless (browser-based) SSL VPN session.
        • You can specify the client applications to which you want to grant Smart Tunnel access, including Telnet, SSH, RDP, VNC, Passive FTP, Outlook Express, Lotus Notes, Sametime, the Citrix Program Neighborhood client, and Outlook via POP/SMTP/IMAP.
        • SSL VPN loads a stub into each process spawned by an authorized application, and intercepts socket calls to redirect them via the ASA.
        • This can be used where other methods such as AnyConnect or Port Forwarding cannot be used.
        • A browser with ActiveX, Java or JavaScript support is required; 32-bit OSs only, such as Windows XP & 2K.
    26. Clientless WebVPN: General Configuration Overview
        1. Import web content (optional)
        2. Define bookmarks and assign to Group Policies
        3. Customize login/logout and portal pages and assign to Connection Profiles and Group Policies, respectively (optional)
        4. Import plugins and apply to bookmarks (optional)
        5. Define Smart Tunnels and enable in bookmarks or Group Policies (optional)
        6. Review and tune User/Group Policies as required
        7. Apply Cisco Secure Desktop, Endpoint Assessment, DAP, and enforcement policies (covered in later training sessions)
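
Steps 2, 4 and 5 of the overview above, combined with the plugin and Smart Tunnel material from slides 21 to 25, as an added ASA 8.0 CLI example (not configuration from the slides). WebGroup and the WebVPN connection profile and alias are the names from slide 6; the TFTP server address, plugin and bookmark file names, the bookmark-list name WebGroupBookmarks and the Smart Tunnel list ST-APPS are assumptions, and the bookmark XML itself is assumed to have been built and exported from ASDM:

```text
! Step 4: import head-end plug-ins (privileged EXEC; file locations are placeholders)
import webvpn plug-in protocol ssh,telnet tftp://192.0.2.10/ssh-plugin.jar
import webvpn plug-in protocol rdp tftp://192.0.2.10/rdp-plugin.jar

! Step 2: import the bookmark list prepared in ASDM (placeholder path)
import webvpn url-list WebGroupBookmarks tftp://192.0.2.10/webgroup-bookmarks.xml

webvpn
 enable outside
 tunnel-group-list enable
 ! Step 5: Smart Tunnel list; only these executables get application-level port forwarding
 smart-tunnel list ST-APPS putty putty.exe
 smart-tunnel list ST-APPS outlook-express msimn.exe

! Group policy WebGroup: clientless only, bookmarks plus file browsing, no free-form URL entry
group-policy WebGroup internal
group-policy WebGroup attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value WebGroupBookmarks
  smart-tunnel enable ST-APPS
  file-browsing enable
  file-entry enable
  url-entry disable
  http-proxy disable

! Connection profile WebVPN, selectable from the login page as alias WebVPN
tunnel-group WebVPN type remote-access
tunnel-group WebVPN general-attributes
 default-group-policy WebGroup
tunnel-group WebVPN webvpn-attributes
 group-alias WebVPN enable
```

Two choices here are about scope rather than convenience. url-entry disable means the portal user can reach only the bookmarked resources the administrator published, not any internal host whose name they can type; and because a Smart Tunnel list names executables explicitly, an application the administrator did not list never gets its socket calls redirected through the ASA (slide 25). Both settings are inherited from DfltGrpPolicy if left unset, so check show run group-policy DfltGrpPolicy before assuming the default is restrictive.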
    27. Secure Session (aka Secure Desktop or Vault) Overview
        • Encrypts data and files associated with or downloaded during the remote session into a secure desktop partition
        • Provides a task-tray icon to signify a safe environment for the remote user to work in
        • Upon session termination, uses a U.S. Department of Defense (DoD) sanitation algorithm to remove the partition
        • Typically used during clientless SSL VPN sessions; attempts to reduce the possibility that cookies, browser history, temporary files, and downloaded content remain after a remote user logs out, the session times out, or an abrupt termination occurs
        • Runs on Microsoft Windows Vista, Windows XP, and Windows 2000
        • If the prelogin policy is configured to install Secure Session but the remote OS does not support it, a Cache Cleaner install is attempted instead
    28. Cisco Secure Desktop Login Page (After Scan)
    29. Policy Inheritance Overview
    30. Policy Objects
        • Connection Profile / Tunnel Group: pre-login attributes (including AAA, login page for Clientless, certificate handling)
        • Group Policy (internal and external): post-login attributes (including portal page, bookmarks, access policies)
        • User Policy (internal and external): user-specific attributes
        • Dynamic Access Policy: dynamically created policies based on multiple inputs (location, directory attributes, PC attributes)
        • Internal versus external: internal attributes are locally defined on the ASA; external attributes are returned as values from queries to external servers (for example, RADIUS and LDAP)
    31. User Attribute Primer (start here; highest priority first): DAP Attributes → User Attributes → User Group Policy Attributes → Connection Profile / Tunnel Group Group Policy Attributes → DfltGrpPolicy Attributes (System Default Group Policy). Note: individual attributes may not be collected in sequence, but the resulting policy will always be a compilation based on the above prioritization.
    32. Data Collection and Policy Assignment Flow
        User connects/logs in → initial SSL connection → Connection Profile selected (DefaultWEBVPNGroup; Conn/Group URL (auto); Group drop-down list; Certificate-based (auto)) → Pre-login: Cisco Secure Desktop pre-login scan (Basic Host Scan, Extended Host Scan, DAP Custom Checks) yields scan results (Pre-Login Policy, Scan Results, OS Details) and a Pre-login Policy (Location) is assigned → User login → Post-login: User/Group Policy selected from DAP, User Attributes, Group Attributes and Connection Type.
        The resultant policy is a collection of multiple data points and attributes, not necessarily collected in order, that are compiled based on the policy inheritance and prioritization hierarchy.
    33. ASA VPN Load Balancing
        Load balancing is supported on remote sessions initiated with the following:
        • Cisco AnyConnect VPN Client (Release 2.0 and later)
        • Cisco VPN Client (Release 3.0 and later)
        • Cisco VPN 3002 Hardware Client (Release 3.5 or later)
        • Cisco PIX 501/506E when acting as an Easy VPN client
        Load balancing works with both IPSec clients and WebVPN sessions. All other clients, including LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but they cannot participate in load balancing. You can configure the number of IPSec and WebVPN sessions to allow, up to the maximum allowed by your configuration and license. With Release 7.1(1), IPSec and WebVPN sessions count or weigh equally in determining the load that each device in the cluster carries. If using certificates you must enable redirection using a fully-qualified domain name in vpn load-balancing mode. Use the command "redirect-fqdn enable" in global configuration mode. This is disabled by default. http://www.cisco.com/en/US/partner/docs/security/asa/asa81/config/guide/vpnsysop.html
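
A load-balancing cluster member configured as the slide describes, as an added ASA CLI example (not configuration from the slides or from the linked guide). The virtual cluster address 203.0.113.10, the cluster secret placeholder, the priority and the session limit are assumptions; the interface names and the redirect-fqdn setting follow the slide:

```text
! Optional cap on concurrent VPN sessions on this member (assumed value)
vpn-sessiondb max-session-limit 250

! Each member needs a DNS name for its outside address and an identity
! certificate whose subject/SAN matches that name, because with
! redirect-fqdn the master hands clients a hostname, not an IP address.
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.10
 cluster port 9023
 cluster key <shared-cluster-secret>
 cluster encryption
 priority 10
 redirect-fqdn enable
 participate
```

cluster encryption only takes effect after cluster key is set, and both must be identical on every member or the member is silently left out of the cluster; show vpn load-balancing on the master lists who actually joined and the load each carries. Without redirect-fqdn enable the redirect carries the member's outside IP address, and a client that validates the certificate name (the certificate case on the slide) rejects the connection.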
    34. Cisco ASA 5500 WebVPN/SSL VPN. WebVPN-SSLVPN license options: 25, 100, 250, 500, 1000, 2500, 5000, 10000. Additional End Point Assessment license includes: Cisco Secure Desktop, for running secure applications on an insecure device; End Point Assessment (NAC Lite), to verify the posture of the device, enabling the ASA to assign the client to a specific group with specific access rights. Mobile VPN Client Support (ASA-MOBILE-VPN). Phone Proxy: encrypted call setup and firewalling.
    35. VPN Security Challenges
        Remote users connect from many endpoint types: Extranet Machine, Supply Partner, Unmanaged Machine, Employee at Home, Customer Managed Machine.
        Before the SSL VPN session: Who owns the endpoint? Endpoint security posture: AV, personal firewall? Is malware running?
        During the SSL VPN session: Is session data protected? Are typed passwords protected? Has malware launched?
        After the SSL VPN session: Browser cached intranet web pages? Browser stored passwords? Downloaded files left behind?
    36. Comprehensive EndPoint Security
        • Cisco Secure Desktop (CSD) now supports hundreds of pre-defined products (anti-virus, anti-spyware, personal firewall, and more), new and updated frequently in 8.0!
        • Administrators can define custom checks including running processes
        • CSD posture policy is presented visually to simplify configuration and troubleshooting
    37. Cisco ASA 5500 Series Platforms and Modules: Wide Range of Leading Solutions for Customers of All Sizes
    38. Cisco ASA 5500 Series High-End Lineup: Data Center Solutions (New: ASA 5580-20 and ASA 5580-40)
        Attribute | Cisco ASA 5540 | Cisco ASA 5550 | Cisco ASA 5580-20 | Cisco ASA 5580-40
        Target market | Campus Segmentation | Internet Edge | Campus Segmentation / Data Center | Data Center
        List price | Starting at $16,995 | Starting at $19,995 | Starting at $59,995 with 8GE | Starting at $109,995 with 8GE
        Max firewall (real-world HTTP) | - | - | 5 Gbps | 10 Gbps
        Max firewall (1400 byte) | 650 Mbps | 1.2 Gbps | 6.5 Gbps | 14 Gbps
        Max firewall (jumbo frames) | - | - | 10 Gbps | 20 Gbps
        Max IPSec VPN | 325 Mbps | 425 Mbps | 1 Gbps | 1 Gbps
        Max IPSec/SSL VPN peers | 5000 / 2500 | 5000 / 5000 | 10,000 / 10,000 | 10,000 / 10,000
        Max firewall conns | 400,000 | 650,000 | 1,000,000 | 2,000,000
        Max conns/second | 25,000 | 36,000 | 90,000 | 150,000
        Packets/second (64 byte) | 500,000 | 600,000 | 2,750,000 | 5,500,000
        Base I/O | 4 GE + 1 FE | 8 GE + 1 FE | 2 Mgmt | 2 Mgmt
        Max I/O | 8 GE + 1 FE | 8 GE + 1 FE | 24 GE / 12 10GE | 24 GE / 12 10GE
        VLANs supported | 200 | 250 | 250 | 250
        HA supported | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S
    39. Cisco ASA 5500 Series Product Lineup
        Attribute | Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550
        Target market | Teleworker / Branch Office / SMB | SMB and SME | Enterprise | Medium Enterprise | Large Enterprise
        List price | Starting at $595 | Starting at $3,495 | Starting at $7,995 | Starting at $16,995 | Starting at $19,995
        Max firewall | 150 Mbps | 300 Mbps | 450 Mbps | 650 Mbps | 1.2 Gbps
        Max firewall + IPS | 45 Mbps | 150/300 | 350/450 | 650 Mbps | N/A
        Max IPSec VPN | 100 Mbps | 170 Mbps | 225 Mbps | 325 Mbps | 425 Mbps
        Max IPSec/SSL VPN peers | 25/25 | 250/250 | 750/500 | 5000/2500 | 5000/5000
        Max firewall conns | 10,000/25,000 | 50,000/130,000 | 280,000 | 400,000 | 650,000
        Max conns/second | 3,000 | 6,000 | 9,000 | 20,000 | 28,000
        Packets/second (64 byte) | 85,000 | 190,000 | 320,000 | 500,000 | 600,000
        Base I/O | 8-port FE switch | 5 FE | 4 GE + 1 FE | 4 GE + 1 FE | 8 GE + 1 FE
        VLANs supported | 3/20 (trunk) | 50/100 | 150 | 200 | 250
        HA supported | Stateless A/S (Sec Plus) | A/A and A/S (Sec Plus) | A/A and A/S | A/A and A/S | A/A and A/S
    40. Wide Range of Management Solutions Provide Scalable, Cost-Optimized Options for Businesses
        Integrated remote management capabilities within ASA:
        • Configuration: Auto Update, SSH, Telnet, XML/HTTPS, and ASDM
        • Real-time monitoring: Syslog, SNMP, HTTPS, and ASDM
        • Software updates: Auto Update, SCP, HTTP, HTTPS, and TFTP
        Cisco Security Manager (CS-Manager):
        • Scalable management solution for a wide range of Cisco security solutions including routers, switches, blades, and appliances
        • Delivers centralized management of firewall, VPN, IPS/IDS, networking, and other services via a flexible user interface
        • Supports device grouping for simplified policy maintenance
        • Provides role-based admin access and workflow capabilities
        • Available on Windows (Linux version coming)
        Cisco Monitoring and Response Solution (CS-MARS):
        • Family of high-performance appliances designed to provide automated analysis of security event information to help identify, manage, and counter attacks
        • Supports receiving events from a wide range of Cisco and 3rd-party solutions, and also analyzes NetFlow for additional intelligence
        • Offers event correlation, visualization, a rules engine, and reporting
    41. Web VPN Client Monitoring
    42. Cisco ASA Adaptive Security Appliances: Industry Certifications and Evaluations
        • Common Criteria: Completed EAL4, v7.0.6—ASA 5510/20/40 (FW); New: Completed EAL2, v6.0—ASA SSM-10/20 (IPS); In process: EAL4+, v7.2.2—ASA Family (FW); In process: EAL4, v7.2.2—ASA Family (VPN)
        • FIPS 140: Completed Level 2, v7.0.4—ASA Family; New: Completed Level 2, v7.2.2; In process: Level 2, v8.0.2
        • ICSA Firewall 4.1, Corporate Category: Completed v7.2.2—ASA Family
        • ICSA IPSec 1.0D: Completed v7.0.4—ASA Family
        • ICSA Anti-Virus Gateway: Completed v7.1—ASA Family
        • NEBS Level 3: Completed ASA 5510, 5520, and 5540
