Firewall + IPS Update

Bruno Pedersoli, System Engineer | Comstor
Agenda
• Cisco ASA 5500-X Overview
• Hardware
• Software
• Management
• Q&A
ASA 5500-X Series
(Saleen)

Overview
Cisco's Current Mid-range ASA Product Portfolio (Benetton)

 ASA 5510   300 Mbps Firewall Throughput
 ASA 5520   450 Mbps Firewall Throughput
 ASA 5540   650 Mbps Firewall Throughput
 ASA 5550   1.2 Gbps Firewall Throughput

Shipping since 2005; firewalls of choice for small businesses and large enterprises alike.
Next-Generation Security Services Platforms
5 new models to meet varied throughput demands

 ASA 5512-X   1 Gbps Firewall Throughput
 ASA 5515-X   1.2 Gbps Firewall Throughput
 ASA 5525-X   2 Gbps Firewall Throughput
 ASA 5545-X   3 Gbps Firewall Throughput
 ASA 5555-X   4 Gbps Firewall Throughput

1. Multi-Gig Performance, to meet growing throughput requirements
2. Accelerated Integrated Services (no extra hardware required), to support changing business needs
3. Next-gen services enabled platform, to provide investment protection
Cisco ASA 5500 Series Portfolio
Comprehensive Solutions from SOHO to the Data Center
(chart: performance and scalability, positioned from SOHO through Branch Office, Internet Edge and Campus to Data Center; throughput and connections per second per model)

 Multi-Service (Firewall/VPN and IPS)
   ASA 5512-X (NEW)     1 Gbps, 10K cps
   ASA 5515-X (NEW)     1.2 Gbps, 15K cps
   ASA 5525-X (NEW)     2 Gbps, 20K cps
   ASA 5545-X (NEW)     3 Gbps, 30K cps
   ASA 5555-X (NEW)     4 Gbps, 50K cps
   ASA 5585-X SSP-10    4 Gbps, 50K cps
   ASA 5585-X SSP-20    10 Gbps, 125K cps
   ASA 5585-X SSP-40    20 Gbps, 200K cps
   ASA 5585-X SSP-60    40 Gbps, 350K cps

 Firewall/VPN Only
   ASA 5505             150 Mbps, 4K cps
   ASA 5510             300 Mbps, 9K cps
   ASA 5510+            300 Mbps, 9K cps
   ASA 5520             450 Mbps, 12K cps
   ASA 5540             650 Mbps, 25K cps
   ASA 5550             1.2 Gbps, 36K cps
Next Generation ASA Mid-Range Appliances
At-A-Glance

Customer Benefits
 • Performance
 • Density
 • Flexibility
 • Integrated Services
 • Management Consolidation

ASA 5500-X H/W Features
 • 64-bit multi-core processor
 • Up to 16GB of memory
 • Built-in multi-core crypto accelerator hardware
 • Dedicated IPS hardware acceleration card
 • Up to 14 1GE ports
 • Copper & fiber I/O options
 • Firewall, VPN & IPS services
 • Dedicated OOB management port
Hardware
 Short Chassis (5512-X, 5515-X & 5525-X), 14'': fixed single power supply
 Long Chassis (5545-X & 5555-X), 19'': hot-swappable redundant dual power supply
 Hot-swappable hard-disk drive bays
 Fan vent for front-to-back airflow
ASA 5512-X/ASA 5515-X Back Panel
 Dedicated Mgmt Port (1GE), status LEDs, I/O expansion slot, serial console, USB port, 6 x 1GE Cu ports, fixed power supply

ASA 5525-X/ASA 5545-X Back Panel
 ASA 5525-X: Dedicated Mgmt Port (1GE), status LEDs, I/O expansion slot, serial console, USB port, 8 x 1GE Cu ports, fixed power supply
 ASA 5545-X: Dedicated Mgmt Port (1GE), status LEDs, I/O expansion slot, serial console, USB port, 8 x 1GE Cu ports, redundant hot-swappable PSU

Back-View Summary
 ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X (rear view of each model)
Physical Specifications

 Model            Height   Width   Depth   Weight
 5512-X, 5515-X   1.67"    16.7"   15.6"   13.38 kg
 5525-X           1.67"    16.7"   15.6"   14.92 kg
 5545-X, 5555-X   1.67"    16.7"   19.1"   16.82 kg
Environmental Specifications

 Temperature      Operating: 0°C to +40°C; Non-operating: -30°C to +70°C
 Humidity Range   Non-operating: 5% to 95% RH (non-condensing)
 Altitude         Operating: 0 to 3024 m; Non-operating: up to 4572 m
 Airflow          Front to back
Optional Accessories
Redundant Power Supply
 • Works in load-sharing mode when both PSUs are present.
 • Power Supply Specifications
     Input Rating: 100 ~ 120V / 5A; 200 ~ 240V / 2.5A
     Leakage Current: 3.5 mA
     Operating Power: 382 W
     Power Cord Rating: 10 A

 Models                   Power Supply
 ASA 5545-X, ASA 5555-X   ASA-PWR-AC (spare: ASA-PWR-AC=)
ASA 5500-X I/O Module Options
I/O expansion cards are available in two flavors, on all 5500-X platforms:
 • 6-port 10/100/1000Base-T, RJ45 connector I/O NIC card
 • 6-port 1GbE SFP connector I/O NIC card

Interface Options
 Platform         I/O Card GbE (Cu)   I/O Card SFP       Total Data Ports
 5512-X, 5515-X   ASA-IC-6GE-CU-A     ASA-IC-6GE-SFP-A   12
 5525-X           ASA-IC-6GE-CU-B     ASA-IC-6GE-SFP-B   14
 5545-X, 5555-X   ASA-IC-6GE-CU-C     ASA-IC-6GE-SFP-C   14
 (spare part numbers carry a trailing "=", e.g. ASA-IC-6GE-CU-A=, ASA-IC-6GE-SFP-A=)

 Short Reach Optics*   Long Reach Optics*
 GLC-SX-MM             GLC-LH-SM
 GLC-SX-MMD            GLC-LH-SMD
Saleen ASA Platform Matrix

 Specification      ASA 5512-X             ASA 5515-X             ASA 5525-X             ASA 5545-X             ASA 5555-X
 Platform Base      1RU short chassis,     1RU short chassis,     1RU short chassis,     1RU long chassis,      1RU long chassis,
                    19" rack mountable     19" rack mountable     19" rack mountable     19" rack mountable     19" rack mountable
 CPU                1 x 2.8 GHz Intel,     1 x 3.06 GHz Intel,    1 x 2.40 GHz Intel,    1 x 2.66 GHz Intel,    1 x 2.80 GHz Intel,
                    2C/2T                  2C/4T                  4C/4T                  4C/8T                  4C/8T
 DRAM               4 GB                   8 GB                   8 GB                   12 GB                  16 GB
 Regex Accel        N/A                    N/A                    1                      1                      1
 Mezz Card
 Compact Flash      4 GB eUSB              8 GB eUSB              8 GB eUSB              8 GB eUSB              8 GB eUSB
 I/O Ports          6 x 1GbE Cu,           6 x 1GbE Cu,           8 x 1GbE Cu,           8 x 1GbE Cu,           8 x 1GbE Cu,
                    1 x 1GbE Cu Mgmt       1 x 1GbE Cu Mgmt       1 x 1GbE Cu Mgmt       1 x 1GbE Cu Mgmt       1 x 1GbE Cu Mgmt
 Optional I/O       6 x 1GbE Cu or         6 x 1GbE Cu or         6 x 1GbE Cu or         6 x 1GbE Cu or         6 x 1GbE Cu or
 Module             6 x 1GbE SFP           6 x 1GbE SFP           6 x 1GbE SFP           6 x 1GbE SFP           6 x 1GbE SFP
 Power              Single fixed AC PSU    Single fixed AC PSU    Single fixed AC PSU    Dual hot-swappable     Dual hot-swappable
                                                                                         redundant AC PSU       redundant AC PSU
 Crypto Capacity    1 x crypto chip, 4C    1 x crypto chip, 4C    1 x crypto chip, 4C    1 x crypto chip, 8C    1 x crypto chip, 8C
Saleen hardware comparison with ASA 5510 – ASA 5550

 ASA 5510 – ASA 5550                               ASA 5512-X – ASA 5555-X
 Single-core CPU                                   Multi-core CPU
 1 GB to 4 GB DDR1 RAM                             4 GB to 16 GB DDR3 RAM
 Base I/O ports limited to 4 x 1GbE copper         Base I/O ports up to 8 x 1GbE copper interfaces
 interfaces
 4 x 1GbE I/O port expansion module                6 x 1GbE copper or fiber SFP I/O expansion module
 IPS on SSM card                                   Integrated IPS service within the same chassis
 N/A                                               Redundant hot-swappable power supply units
 N/A                                               Regex accelerator card
 N/A                                               Hard disk support
ASA 5512-X versus ASA 5510

                                              ASA 5510                      ASA 5512-X
 Price                                        $3,495                        $3,995
 Firewall Throughput (Max)                    300 Mbps                      1 Gbps
 Firewall Throughput (EMIX)                   Not Measured                  500 Mbps
 IPS Throughput (Media Rich)                  150 Mbps                      300 Mbps
 VPN Throughput                               170 Mbps                      200 Mbps
 Connections (Max)                            50,000                        100,000
 Connections per second                       9,000                         10,000
 VLANs                                        50                            50
 Security Contexts (Incl/Max)                 0/0                           0/0
 High Availability & VPN Clustering           No                            No
 Services                                     IPS, VPN, Content Security    IPS, VPN, next-gen services*
 Service Restriction                          IPS, Content Security, I/O    No restriction (multiple services
                                              expansion mutually exclusive  run at the same time in software)
 Site-2-Site/IPSec IKEv1 Client Sessions /    250                           250
 AnyConnect/Clientless VPN Sessions
 Integrated Network I/O                       5 FE                          6 GE
 Dedicated Management Port                    No                            Yes (GE)
 Expansion IO                                 4-port GE, 4-port GE SFP      6-port GE CU, 6-port GE SFP
 CPU                                          Single-core                   Multi-core
 RAM                                          1 GB                          4 GB

Key Changes
 Performance: 4X firewall throughput; increased IPS and VPN throughput
 Hardware: multi-core instead of single-core CPUs; 4X memory; dedicated management port; additional (+1) integrated I/O ports; additional (+2) expansion I/O ports; GE instead of FE ports; expansion slot now only for I/O expansion
 Services: IPS does not require a hardware module; next-gen services ready

* Content Security Service to be made available as ScanSafe connector on ASA; next-gen services can be added without requiring an additional hardware module
ASA 5515-X versus ASA 5510+

                                              ASA 5510+                     ASA 5515-X
 Price                                        $4,495                        $4,995
 Firewall Throughput (Max)                    300 Mbps                      1.2 Gbps
 Firewall Throughput (EMIX)                   Not Measured                  600 Mbps
 IPS Throughput (Media Rich)                  300 Mbps                      400 Mbps
 VPN Throughput                               170 Mbps                      250 Mbps
 Connections (Max)                            100,000                       250,000
 Connections per second                       9,000                         15,000
 VLANs                                        100                           100
 Security Contexts (Incl/Max)                 2/20                          2/20
 High Availability & VPN Clustering           Yes                           Yes
 Services                                     IPS, VPN, Content Security    IPS, VPN, next-gen services*
 Service Restriction                          IPS, Content Security, I/O    No restriction (multiple services
                                              expansion mutually exclusive  run at the same time in software)
 Site-2-Site/IPSec IKEv1 Client Sessions /    250                           250
 AnyConnect/Clientless VPN Sessions
 Integrated Network I/O                       2 GE, 3 FE                    6 GE
 Dedicated Management Port                    No                            Yes (GE)
 Expansion IO                                 4-port GE, 4-port GE SFP      6-port GE CU, 6-port GE SFP
 CPU                                          Single-core                   Multi-core
 RAM                                          1 GB                          8 GB

Key Changes
 Security Plus license not required
 Performance: 4X firewall throughput; increased IPS and VPN throughput
 Hardware: multi-core instead of single-core CPUs; 8X memory; dedicated management port; additional (+1) integrated I/O ports; additional (+2) expansion I/O ports; all GE ports instead of FE ports; expansion slot now only for I/O expansion
 Services: IPS does not require a hardware module; next-gen services ready

* Content Security Service to be made available as ScanSafe connector on ASA; next-gen services can be added without requiring an additional hardware module
ASA 5525-X versus ASA 5520

                                              ASA 5520                      ASA 5525-X
 Price                                        $7,995                        $8,995
 Firewall Throughput (Max)                    450 Mbps                      2 Gbps
 Firewall Throughput (EMIX)                   Not Measured                  1 Gbps
 IPS Throughput (Media Rich)                  450 Mbps                      600 Mbps
 VPN Throughput                               225 Mbps                      300 Mbps
 Connections (Max)                            280,000                       500,000
 Connections per second                       12,000                        20,000
 VLANs                                        150                           200
 Security Contexts (Incl/Max)                 2/20                          2/20
 High Availability & VPN Clustering           Yes                           Yes
 Services                                     IPS, VPN, Content Security    IPS, VPN, next-gen services*
 Service Restriction                          IPS, Content Security, I/O    No restriction (multiple services
                                              expansion mutually exclusive  run at the same time in software)
 Site-2-Site/IPSec IKEv1 Client Sessions /    750                           750
 AnyConnect/Clientless VPN Sessions
 Integrated Network I/O                       4 GE + 1 FE                   8 GE
 Dedicated Management Port                    No                            Yes (GE)
 Expansion IO                                 4-port GE, 4-port GE SFP      6-port GE CU, 6-port GE SFP
 CPU                                          Single-core                   Multi-core
 RAM                                          2 GB                          8 GB

Key Changes
 Performance: 4X firewall throughput; increased IPS and VPN throughput
 Hardware: multi-core instead of single-core CPUs; 4X memory; dedicated management port; additional (+3) integrated I/O ports; additional (+2) expansion I/O ports; expansion slot now only for I/O expansion
 Services: IPS does not require a hardware module; next-gen services ready

* Content Security Service to be made available as ScanSafe connector on ASA; next-gen services can be added without requiring an additional hardware module
ASA 5545-X versus ASA 5540

                                              ASA 5540                      ASA 5545-X
 Price                                        $16,995                       $17,995
 Firewall Throughput (Max)                    650 Mbps                      3 Gbps
 Firewall Throughput (EMIX)                   Not Measured                  1.5 Gbps
 IPS Throughput (Media Rich)                  650 Mbps                      900 Mbps
 VPN Throughput                               325 Mbps                      400 Mbps
 Connections (Max)                            400,000                       750,000
 Connections per second                       25,000                        30,000
 VLANs                                        200                           300
 Security Contexts (Incl/Max)                 2/50                          2/50
 High Availability & VPN Clustering           Yes                           Yes
 Services                                     IPS, VPN, Content Security    IPS, VPN, next-gen services*
 Service Restriction                          IPS, Content Security, I/O    No restriction (multiple services
                                              expansion mutually exclusive  run at the same time in software)
 Site-2-Site/IPSec IKEv1 Client Sessions /    5000 / 2500                   2500
 AnyConnect/Clientless VPN Sessions
 Integrated Network I/O                       4 GE + 1 FE                   8 GE
 Dedicated Management Port                    No                            Yes (GE)
 Expansion IO                                 4-port GE, 4-port GE SFP      6-port GE CU, 6-port GE SFP
 CPU                                          Single-core                   Multi-core
 RAM                                          2 GB                          12 GB
 Redundant Power                              No                            Yes

Key Changes
 Performance: 4X firewall throughput; increased IPS and VPN throughput
 Hardware: multi-core instead of single-core CPUs; 6X memory; dedicated management port; additional (+3) integrated I/O ports; additional (+2) expansion I/O ports; expansion slot now only for I/O expansion
 Services: IPS does not require a hardware module; next-gen services ready

* Content Security Service to be made available as ScanSafe connector on ASA; next-gen services can be added without requiring an additional hardware module
ASA 5555-X versus ASA 5550

                                              ASA 5550                      ASA 5555-X
 Price                                        $19,995                       $24,995
 Firewall Throughput (Max)                    1.2 Gbps                      4 Gbps
 Firewall Throughput (EMIX)                   Not Measured                  2 Gbps
 IPS Throughput (Media Rich)                  Not Applicable                1.3 Gbps
 VPN Throughput                               425 Mbps                      700 Mbps
 Connections (Max)                            600,000                       1,000,000
 Connections per second                       36,000                        50,000
 VLANs                                        400                           500
 Security Contexts (Incl/Max)                 2/100                         2/100
 High Availability & VPN Clustering           Yes                           Yes
 Services                                     VPN only                      IPS, VPN, next-gen services*
 Site-2-Site/IPSec IKEv1 Client Sessions /    5000                          5000
 AnyConnect/Clientless VPN Sessions
 Integrated Network I/O                       8 GE + 1 FE                   8 GE
 Dedicated Management Port                    No                            Yes (GE)
 Expansion IO                                 Not Available                 6-port GE CU, 6-port GE SFP
 CPU                                          Single-core                   Multi-core
 RAM                                          4 GB                          16 GB
 Redundant Power                              No                            Yes

Key Changes
 Performance: 4X firewall throughput; increased IPS and VPN throughput
 Hardware: multi-core instead of single-core CPUs; 4X memory; dedicated management port; expansion I/O now available
 Services: IPS does not require a hardware module; next-gen services ready

* Content Security Service to be made available as ScanSafe connector on ASA; next-gen services can be added without requiring an additional hardware module
Licensing Changes
ASA Licensing
  New Feature – IPS Module
  • A new license feature was introduced to enable the use of the IPS software module.
  • Traffic sent to the IPS module is dropped by the ASA if this license is not enabled AND the service policy is configured 'fail-close'. (With 'fail-open' the same traffic is forwarded without inspection, so a missing license is silent; verify the license explicitly before relying on the IPS.)
  • An IPS Signature Update license is required on top of the above license.
  • All other license features remain unchanged and are based on ASA 8.4.2 software.
Enabling IPS Service
ASA Management Model
• Dedicated out-of-band management port M0/0
• Failover & VLAN sub-interface features are not configurable on M0/0
• ASA and integrated IPS management are independent of each other:
   • The management model is similar to previous ASA/SSM appliances
   • The ASA and the IPS software module have separate management IP addresses but share the same physical port M0/0 for outbound connectivity
   • The ASA can log the IPS module's console messages: "show module 1 log console"
• The ASA configures and manages all external data ports
ASA and IPS Management Model (1/2)
  Similarities with SSM/SSP
  • ASA and IPS are managed very similarly to previous SSM/SSP deployments.
  • ASA is used to recover, reload, shutdown, etc. the IPS.
  • ASA is used to configure service-policies to pass traffic to IPS.
  • ASA and IPS have unique IP addresses for management purposes.
  • ASDM, IME, and IDM behave the same.
ASA and IPS Management Model (2/2)
 Differences with SSM/SSP
  • ASA and IPS share the only dedicated management port on the box.
  • IPS must use the dedicated management port. However, ASA can use any port on the box to manage the system.
  • When ASA and IPS are sharing the dedicated management port, the IP addresses for ASA and IPS should be within the same subnet.
  • The IPS image stored on the embedded flash is used to recover the software module instead of downloading the image over the SSM/SSP dedicated management port.
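The service-policy redirection from the management-model slides and the ‘fail-close’ behaviour from the licensing slide, shown together as an added ASA CLI example that is not part of the deck; the ACL and class-map names (IPS_TRAFFIC, IPS_CLASS) are assumed, and `show module 1 log console` is the command the deck itself cites.

```cisco
! Added example (not from the deck): redirect traffic to the integrated IPS
! software module from the ASA side. IPS_TRAFFIC and IPS_CLASS are assumed names.
! Match the traffic to inspect (here: everything; narrow the ACL as needed).
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Send matched flows to the IPS module inline. With fail-close, traffic in this
! class is dropped when the module is down or, per the licensing slide, when the
! IPS module license is not enabled; fail-open would forward it uninspected instead.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-close
!
! Apply the policy globally (the default global_policy is already applied this way).
service-policy global_policy global
!
! Verification from the ASA: per-class IPS state, and the module console log the
! deck mentions for reading the software module's own messages.
show service-policy
show module 1 log console
```

Choosing fail-close means an unlicensed or failed module becomes an outage for the matched class rather than a silent inspection gap, so confirm the IPS module license before the policy goes live.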
Management Software Support




ASDM 6.6.1.14 and above
7.2.1 IME Software and above
Cisco Security Manager 4.3
  Unified and comprehensive Firewall, VPN and IPS management
  Upcoming Release: Saleen H/W support
  [CSM screenshots: Device View, Policy View, Event View, Map View]
                   © 2006 Cisco Systems, Inc. All rights reserved.   Cisco Confidential
SKU Makeup – Using ASA 5545-X as an example
All Hardware SKUs
  ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X
Sample BOMs (Firewall + Single Option)
Sample BOMs (Firewall + IPS + Options)
  Ordering Tip: With IPS, always start with ASAxxx-IPS-K9
IPS 43xx Series Mid-Range Appliances
IPS 43xx Back Panel
  [Back-panel callouts: Serial Console Port, USB Ports, Single Mgmt Port, 8x 1GbE ports (numbered left-to-right), Single I/O Expansion slot; 4360: Dual Power-Supply]
IPS 43xx Platform Matrix
Hardware Comparison with IPS 4240, IPS 4255 and IPS 4260
High-Performance and Resiliency features on IPS 43xx Series
•   SMP-enabled Kernel
•   64-bit architecture
•   Environment Monitoring
•   Jumbo-Frame support
•   Flow Control support
•   Hardware Regex Accelerator support for IPS string-XL engine
IPS Software
• IPS SSP modules are based on the 7.1(4) release
   • Platform support for new hardware
   • Based on ASA 5585-X line of code
   • Supports existing E4 Engine Update
   • Supports all latest Signature Updates
     – Sig S615 is bundled with Saleen images.
   • 7.1.4 IDM version included with the IPS image.
   • 7.2.1 IME version provides full support.
   • CSM support with version 4.3
   • IPS 7.1(4) supports all -X platforms (including 5585-X)
     – Additional CFD bug fixes and a few serviceability enhancements are also included in this version.
Questions
