Business Technology Solutions Since 1987

Agenda
• Default Capabilities
• Models
• Optional Capabilities

ASA Capabilities
• Stateful/Deep Packet Inspection Firewall
• IPSec VPN Endpoint
• SSL VPN Endpoint
• Virtualization
• Anti-X
• Intrusion Prevention

Firewall
• Default firewall rules
 – Outbound traffic is allowed unless otherwise specified
 – Inbound traffic is denied unless otherwise specified
• Stateful packet inspection tracks each outbound connection so that only replies matching an existing outgoing request are admitted

ASA Firewall
• ASA assigns a security level to each interface
 – inside is 100, outside (Internet) is 0, a DMZ is typically assigned 50
 – Default rules allow traffic to flow freely from a higher security level to a lower one (inside to DMZ, inside to outside, DMZ to outside); traffic from a lower level to a higher one is denied unless an access list permits it
• NAT/PAT
 – Allows more servers to be published with fewer public IPs
• Deep packet inspection

IPSec VPN
• Used for LAN-to-LAN connections
• Workstation clients for Windows, Macintosh, Linux
• Maximum connections depends on model
• No additional licenses required
• EasyVPN
 – Simplified configuration
 – Inbound connections only

SSL VPN
• No pre-installed client – connect with a web browser
• Licensed by simultaneous connections (2 connections permitted for testing)
• Clientless connection
 – Simplest configuration
 – Limited to web applications
 – Some client-server applications are SSL VPN aware

SSL VPN
• Cisco AnyConnect VPN client
• Downloaded on-the-fly
• Full network access (if desired)
• Windows/Macintosh/Linux
• May not function if user rights on the client computer are limited

IPSec vs SSL
• IPSec: Workstation configuration required | SSL: Browser-based from any computer
• IPSec: Administrator can configure the VPN, then restrict user access | SSL: Limited access if the user does not have the right to install applications
• IPSec: Access as if the client machine were on the LAN | SSL: Need to use web applications to ensure access
• IPSec: Has a pre-shared key in addition to the user password | SSL: Vulnerable to password compromise
• IPSec: No additional cost | SSL: Extra cost feature

ASA Models
• ASA550x – SOHO/Telecommuter
• ASA551x – Main Office, Integrated Protection
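The security-level behaviour and the NAT/PAT point above are easiest to see on a real three-interface configuration. The following is an added example written for this page, not configuration from the slides or from Cisco; it assumes ASA 8.3+ object-NAT syntax and uses documentation address ranges (203.0.113.0/24, 198.51.100.0/24, 10.1.0.0/24, 10.2.0.0/24) and interface names chosen for illustration.

```cisco
! Added example (not from the slides): three-interface ASA, 8.3+ syntax.
! Addresses and interface names are assumed for illustration.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.2.0.1 255.255.255.0
!
! With no access-group applied, the security levels alone decide:
!   inside(100) -> dmz(50), inside(100) -> outside(0): permitted, state kept, reply admitted
!   dmz(50)     -> outside(0): permitted
!   outside(0)  -> anything, dmz(50) -> inside(100): denied
!
! PAT: the whole inside network leaves through the outside interface address.
object network INSIDE-NET
 subnet 10.1.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Static NAT: one public IP publishes one DMZ web server.
object network DMZ-WEB
 host 10.2.0.10
 nat (dmz,outside) static 203.0.113.10
!
! Inbound exception to "deny low -> high": only TCP/443 to the web server.
! On 8.3+ the ACL references the real (pre-NAT) address, not the public one.
! Applying an access-group replaces the security-level default on that
! interface with "deny unless permitted", so list everything that must enter.
access-list OUTSIDE-IN extended permit tcp any host 10.2.0.10 eq 443
access-group OUTSIDE-IN in interface outside
!
! DMZ hosts must never open connections into inside. 50 -> 100 is already
! denied, but once an ACL is applied to dmz its implicit deny also blocks
! dmz -> outside, so the outbound permit has to be explicit.
access-list DMZ-IN extended deny ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list DMZ-IN extended permit ip 10.2.0.0 255.255.255.0 any
access-group DMZ-IN in interface dmz
!
! Checks: trace a flow through NAT, ACL and security levels without sending
! packets, then confirm translations and the connection table.
! packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 443   (expect ALLOW)
! packet-tracer input dmz tcp 10.2.0.10 40000 10.1.0.20 445             (expect DROP)
! show xlate
! show conn
```

The two packet-tracer lines are the check worth running after any ACL change: the first proves the published service is reachable through the static translation, the second proves a compromised DMZ host still cannot reach inside.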
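The IPSec and SSL VPN slides above describe two endpoints that usually live on the same ASA. The configuration below is an added example for this page, not from the slides or from Cisco, and shows the site-to-site IPsec case (device pre-shared key) next to an AnyConnect/clientless SSL VPN; it assumes ASA 8.4+ syntax, and the peer address, networks, address pool, AAA server, and AnyConnect package file name are placeholders chosen for illustration.

```cisco
! Added example (not from the slides): ASA 8.4+ syntax. Peer, networks,
! pool, AAA server and package file name are assumed for illustration.
!
! ---- IPsec LAN-to-LAN: a pre-shared key authenticates the peer device ----
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set L2L-TS esp-aes-256 esp-sha-hmac
!
object network LOCAL-LAN
 subnet 10.1.0.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.9.0.0 255.255.255.0
! Interesting traffic for the tunnel, and a NAT exemption so it is not PATed.
access-list L2L-TRAFFIC extended permit ip object LOCAL-LAN object REMOTE-LAN
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set L2L-TS
crypto map OUTSIDE-MAP interface outside
!
! ---- SSL VPN: AnyConnect pushed from the ASA, plus the clientless portal ----
! User credentials are the only secret here, so authenticate against an
! AAA server rather than the local database.
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.1.0.5
 key REPLACE-WITH-RADIUS-SECRET
!
ip local pool VPN-POOL 10.200.0.10-10.200.0.100 mask 255.255.255.0
access-list SPLIT-ACL standard permit 10.1.0.0 255.255.255.0
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
group-policy SSL-GP internal
group-policy SSL-GP attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 vpn-simultaneous-logins 1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
!
tunnel-group SSL-TG type remote-access
tunnel-group SSL-TG general-attributes
 address-pool VPN-POOL
 default-group-policy SSL-GP
 authentication-server-group RADIUS-SRV
tunnel-group SSL-TG webvpn-attributes
 group-alias Employees enable
!
! Checks:
! show crypto ikev1 sa                  (LAN-to-LAN phase 1 established?)
! show crypto ipsec sa peer 198.51.100.1
! show vpn-sessiondb summary            (active SSL sessions against the license)
! show version | include Peers          (licensed SSL/AnyConnect peer count)
```

`vpn-simultaneous-logins 1` matters on the SSL side because SSL sessions are licensed per concurrent connection and a single shared password can otherwise consume the whole allocation; the `show vpn-sessiondb summary` line is how to see that happening.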
• ASA552x – Main Office, Integrated Protection
• ASA554x
• ASA555x – Large enterprise
• ASA558x – Datacenter/ISP
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

ASA550x – Base License
• 10/50/Unlimited internal devices
• 10 Simultaneous VPNs
• 8 10/100 Ethernet ports – assigned to VLANs
• 2 Power over Ethernet
• 3 VLANs
• One VLAN must be isolated from communicating with one of the others

ASA550x – Telecommuter setup

ASA550x – Security Plus
• 25 Simultaneous VPNs
• Ports must be assigned to one of three interfaces; up to 20 trunked VLANs permitted
• Communications between interfaces restricted by standard firewall rules
• Failover to backup ISP for outbound access

ASA551x – Base License
• 250 Simultaneous VPNs
• 3 – 10/100 Ethernet ports – Firewall interfaces
• 1 – 10/100 Ethernet port – Management only
• Up to 50 Trunked VLANs
• SSM Slot for Content Filter or Intrusion Prevention Module

ASA551x – Security Plus License
• 250 Simultaneous VPNs
• 3 – 10/100 Ethernet ports
• 2 – 10/100/1000 Ethernet ports
• Up to 100 Trunked VLANs
• SSM Slot for Content Filter, Intrusion Prevention Module, or 4 x 10/100/1000 Ethernet Port module
• 2 included/5 maximum Security Contexts

ASA552x
• 750 Simultaneous VPNs
• 1 – 10/100 Ethernet port
• 4 – 10/100/1000 Ethernet ports
• Up to 150 Trunked VLANs
• SSM Slot for Content Filter, Intrusion Prevention Module, or 4 x 10/100/1000 Ethernet Port module
• 2 included/20 maximum Security Contexts

ASA554x
• 5000 Simultaneous VPNs (2500 SSL)
• 1 – 10/100 Ethernet port
• 4 – 10/100/1000 Ethernet ports
• Up to 200 Trunked VLANs
• SSM Slot for Content Filter, Intrusion Prevention Module, or 4 x 10/100/1000 Ethernet Port module
• 2 included/50 maximum Security Contexts

ASA555x
• 5000 Simultaneous VPNs
• 1 – 10/100 Ethernet port
• 4 – 10/100/1000 Ethernet ports
• 4 ports selectable 1000T/SFP Fiber ports
• Up to 250 Trunked VLANs
• No SSM Slot
• 2 included/50 maximum Security Contexts

Content Security and Control Module
• Standard License
 – Anti-virus
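The "Security Contexts" counts in the model slides above are the ASA's virtualization feature from the capabilities list: one appliance runs several independent firewalls, each with its own interfaces, ACLs and NAT. The configuration below is an added example for this page, not from the slides or from Cisco; interface names, VLAN numbers and file names are assumed for illustration.

```cisco
! Added example (not from the slides): converting an ASA that is licensed for
! security contexts to multiple-context mode. Interface names, VLANs and
! config file names are assumed for illustration.
!
! 1. Switch modes. The running config becomes the admin context and the unit
!    reloads, so do this from the console with a saved copy of the config.
mode multiple
!
! 2. In the system execution space: define VLAN subinterfaces, then allocate
!    them to contexts. A context can only see interfaces allocated to it,
!    which is what keeps tenants apart; the second argument is the name the
!    context sees, so each tenant can have its own "outside" and "inside".
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1.10
 vlan 110
interface GigabitEthernet0/1.20
 vlan 120
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context tenant-a
 allocate-interface GigabitEthernet0/0.10 outside
 allocate-interface GigabitEthernet0/1.10 inside
 config-url disk0:/tenant-a.cfg
!
context tenant-b
 allocate-interface GigabitEthernet0/0.20 outside
 allocate-interface GigabitEthernet0/1.20 inside
 config-url disk0:/tenant-b.cfg
!
! 3. Each context carries its own nameif / security-level / ACL / NAT config.
! changeto context tenant-a
!
! Checks:
! show mode                         (Security context mode: multiple)
! show context                      (contexts, allocated interfaces, config URLs)
! show version | include Contexts   (licensed count vs. the "2 included" default)
```

Before converting a unit that also terminates VPNs, check the release notes for the software version in use: the ASA releases contemporary with these models did not terminate VPN tunnels in multiple-context mode, so a VPN endpoint normally stays in single-context mode.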
 – Anti-Spyware
 – File blocking
• Plus License adds
 – Anti-SPAM
 – URL Filter
 – E-mail content control

Content Security and Control Module
• CSC-SSM-10 – 50/100/250/500 users – ASA5510 and ASA5520
• CSC-SSM-20 – 750/1000 users – ASA5510, ASA5520, ASA5540
• Subscription required for updates

Advanced Intrusion Prevention
• Compares every packet against a signature database
• Alerting (promiscuous mode, module receives a copy) or automatic blocking (inline mode, module sits in the data path)
• Update subscription required
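Neither SSM module sees any traffic until the ASA is told which flows to hand it, and that choice is also where "alerting" versus "automatic blocking" and the behaviour on module failure are decided. The configuration below is an added example for this page, not from the slides or from Cisco, using the ASA Modular Policy Framework; the inside network address is assumed for illustration.

```cisco
! Added example (not from the slides): steering traffic to the CSC-SSM and
! the AIP-SSM with the Modular Policy Framework. Inside network is assumed.
!
! Only the protocols the CSC module scans are worth sending to it (HTTP,
! FTP, SMTP, POP3); limit it to inside users' outbound traffic plus mail.
access-list CSC-TRAFFIC extended permit tcp 10.1.0.0 255.255.255.0 any eq www
access-list CSC-TRAFFIC extended permit tcp 10.1.0.0 255.255.255.0 any eq ftp
access-list CSC-TRAFFIC extended permit tcp any any eq smtp
access-list CSC-TRAFFIC extended permit tcp 10.1.0.0 255.255.255.0 any eq pop3
class-map CSC-CLASS
 match access-list CSC-TRAFFIC
!
! Everything goes to the IPS module; the module decides per signature.
access-list IPS-TRAFFIC extended permit ip any any
class-map IPS-CLASS
 match access-list IPS-TRAFFIC
!
! csc fail-close : if the CSC module is down, matching traffic is dropped
!                  (no unscanned downloads or mail while the module is out).
! ips inline     : module sits in the data path and can drop packets
!                  (the "automatic blocking" mode); "ips promiscuous" only
!                  copies packets to the module, so it can alert but not block.
! fail-open      : if the IPS module is down, traffic passes uninspected;
!                  choose fail-close where availability matters less than coverage.
policy-map global_policy
 class CSC-CLASS
  csc fail-close
 class IPS-CLASS
  ips inline fail-open
!
service-policy global_policy global
!
! Checks:
! show module 1 details    (module state and loaded signature/pattern version,
!                           which is what the update subscription feeds)
! show service-policy      (packet counters per class: are flows reaching the module?)
! session 1                (log in to the module itself to verify updates)
```

The two fail-* choices are the caveat to settle before deploying: `fail-open` keeps the network up when the module reboots for a signature update but silently drops coverage, while `fail-close` turns a module outage into an outage for every flow in the class.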