Asa sslvpn security


Transcript of Asa sslvpn security

Page 1: ASA Remote Access VPN Technologies: SSLVPN, WebVPN, IPSecVPN

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 1

http://www.cisco.com/go/security
http://www.cisco.com/security

Tim Ryan – [email protected]
Security Consulting SE
CCIE, CISSP

Page 2: Cisco ASA 5500 Series: Convergence of Robust, Market-Proven Technologies

Market-proven technologies:
Firewall Technology: Cisco PIX
IPS Technology: Cisco IPS
Content Security: Trend Micro
VPN Technology: Cisco VPN 3000
Network Intelligence: Cisco Network Services

Adaptive Threat Defense, Secure Connectivity:
Application Security: application inspection, use enforcement, web control
IPS & Content Security Services: malware/content defense, anomaly detection
Network Containment and Control: traffic/admission control, proactive response
Secure Connectivity: IPSec & SSL VPN

Page 3: Cisco ASA 5500 Series: Threat Protected VPN Services. Leveraging On-Board Security to Protect the VPN Threat Vector

Threats arriving through the remote access VPN user: worm/virus, unwanted application, spyware, illegal access, exploit.

ASA 5500 protections:
Threat Mitigation: incident control, virus detection, worm mitigation, spyware detection
Application Firewall and Access Control: application inspection/control, granular per-user/group access control, protocol anomaly detection, stateful traffic filtering
Accurate Enforcement: real-time correlation, risk rating, attack drop, session removal and resets
Comprehensive Endpoint Security: pre-connection posture assessment, malware mitigation, session/data security, post-session clean-up

Leverages the depth of threat defense features to stop malicious worms, viruses, and more, without external devices or performance loss.

Page 4: VPN Technologies for Remote Clients

Encrypted connection protocols:
SSL tunnel uses the SSL protocol with RC4 or AES to encrypt data.
IPSec tunnel uses the IPSec protocol with DES, 3DES or AES to encrypt data.

Encrypted client options supported by the ASA:
AnyConnect VPN Client is an SSL-based VPN client that is installed on a desktop and can tunnel any traffic (aka SVC).
WebVPN (aka Clientless VPN) uses the browser as the client, with the ASA acting as a proxy. It can tunnel HTTP and HTTPS traffic and a limited number of other supported protocols such as CIFS, OWA, RDP, VNC, SSH and Telnet via plugins.
Cisco VPN Client is an IPSec client that can tunnel any traffic except multicast.

Page 5: ASA VPN Configuration

The AnyConnect configuration document at the URL below is an excellent starting place for any ASA VPN configuration.
http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00808efbd2.shtml

Configure:
Step 1. Configure a Self-Issued Certificate
Step 2. Upload and Identify the SSL VPN Client Image
Step 3. Enable AnyConnect Access
Step 4. Create a new Group Policy
Step 5. Configure Access List Bypass for VPN Connections
Step 6. Create a Connection Profile and Tunnel Group for the AnyConnect Client Connections
Step 7. Configure NAT Exemption for AnyConnect Clients
Step 8. Add Users to the Local Database
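The eight steps above, written out as ASA 8.0 CLI. This is an added example, not configuration from the deck or from the linked Cisco document; it uses the object names and values from the following two slides (SSLClientProfile, GroupPolicy1, alias SSLClient, pool ECRU-1, DNS 4.2.2.2, domain gtei.net, test user User1). The interface names "outside"/"inside", the trustpoint and key-pair names, the FQDN asa.example.com, the AnyConnect package filename and the INSIDE_NET/INSIDE_MASK placeholders are assumptions.

```text
! Added example (not from the deck): ASA 8.0 CLI for the eight AnyConnect steps.
! Assumed: interface names outside/inside, trustpoint/key names, FQDN,
! package filename, and the INSIDE_NET/INSIDE_MASK placeholders.

! Step 1: self-signed identity certificate for the SSL listener on outside
crypto key generate rsa label sslvpnkeypair modulus 1024
crypto ca trustpoint localtrust
 enrollment self
 fqdn asa.example.com
 subject-name CN=asa.example.com
 keypair sslvpnkeypair
crypto ca enroll localtrust noconfirm
ssl trust-point localtrust outside

! Steps 2 and 3: identify the uploaded client image and enable AnyConnect
! (tunnel-group-list makes the SSLClient alias appear in the client drop-down)
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.x.x-k9.pkg 1
 svc enable
 tunnel-group-list enable

! Address pool from slide 7 (10.199.0.1-10.199.7.254 is a /21)
ip local pool ECRU-1 10.199.0.1-10.199.7.254 mask 255.255.248.0

! Step 4: group policy restricted to the SSL client tunnelling protocol only;
! any attribute left unset here is inherited from DfltGrpPolicy
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol svc
 dns-server value 4.2.2.2
 default-domain value gtei.net
 split-tunnel-policy tunnelall
 webvpn
  svc keep-installer installed

! Step 5: decrypted VPN traffic bypasses the interface access lists
sysopt connection permit-vpn

! Step 6: connection profile (tunnel group) for the AnyConnect connections
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 address-pool ECRU-1
 default-group-policy GroupPolicy1
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLClient enable

! Step 7: NAT exemption so pool traffic is not translated towards the inside
access-list nonat extended permit ip INSIDE_NET INSIDE_MASK 10.199.0.0 255.255.248.0
nat (inside) 0 access-list nonat

! Step 8: local test user (slide 7), locked to this connection profile
username User1 password cisco123
username User1 attributes
 vpn-group-policy GroupPolicy1
 group-lock value SSLClientProfile
```

The group-lock on User1 is the "Connection Profile lock" on slide 7: a user who authenticates through any other tunnel group is refused, which keeps a test account from being used through the IPSec or clientless profiles. After a client connects, `show vpn-sessiondb svc` on the ASA lists the session with the pool address and group policy that were actually applied, which is the quickest check that the inheritance described on the next slide resolved the way you expected.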

Page 6: VPN Connection Flow Summary

At client connection time, Group Policy settings take precedence over Connection Profile settings. If the Connection Profile has a setting and the Group Policy is set to "inherit", then the Connection Profile setting is used.

AnyConnect client connection:
Connection Profile (called tunnel group at the CLI) = SSLClientProfile
Uses Group Policy = GroupPolicy1
Alias = SSLClient

IPSec client connection:
Connection Profile (called tunnel group at the CLI) = IPSecVPN
Uses Group Policy = IPSecClient
IPSec client settings: Groupname = IPSecVPN, pre-shared key = cisco123

WebVPN (browser client) connection:
Connection Profile, Clientless SSL VPN Access (tunnel group at the CLI) = WebVPN
Uses Group Policy = WebGroup
Alias = WebVPN

Page 7: AnyConnect Client Connection Config

AnyConnect client Connection Profile: SSLClientProfile
Alias = SSLClient
Authentication type = (local, AAA, Certs)
Uses Group Policy = GroupPolicy1
Connection Profile lock = SSL Client Profile
SSL VPN Client tunnelling protocol ONLY
Address pool = ECRU-1: 10.199.0.1 – 10.199.7.254
DNS = 4.2.2.2
Default Domain = gtei.net
Split tunnel options = Default = tunnel all networks

Test user: User1, pw = cisco123; locked to SSL Client profile; uses GroupPolicy1

Page 8: Client-Based SSL VPN (AnyConnect/SSL VPN Client)

Page 9: ASA 5500 version 8.0 VPN Clientless Access

Precise, granular access control to specific resources
Enhanced portal design: localizable, RSS feeds, personal bookmarks
AnyConnect Client access
Drag and drop file access and webified file transport
Transformation enhancements including Flash support
Head-end deployed applets for Telnet, SSH, RDP, and VNC; framework supports additional plug-ins
Advanced port-forwarder for Windows (Smart Tunnel) accesses TCP applications without admin privileges on the client PC

Page 10: Enhanced Remote Access Security

Enhanced authorization using policies and group information
Extended use of credentials
Always up to date via automatic updating (no admin)
Virtual keyboard option
SAML Single Sign-On (SSO) verified with RSA Access Manager (was ClearTrust)
Group/User-to-VLAN mapping support
Start Before Login for Vista

Page 11: Current Snapshot of VPN Client Offerings

Cisco VPN Client:
Protocol: IPsec
Approximate size: 10 MB
Initial install: distribute
Admin rights required: yes
OS support: 2K/XP/Vista 32-bit, Linux, Mac OS X, Solaris UltraSparc
Rebootless installs: no
Head end: ASA/PIX/3K/IOS

Cisco SSL VPN Client:
Protocol: SSL (HTTPS)
Approximate size: 400 KB
Initial install: auto download or distribute
Admin rights required: initial installation only (stub installer available)
OS support: 2000/XP
Rebootless installs: yes
Head end: ASA/3K/IOS

Cisco AnyConnect VPN Client:
Protocol: DTLS, SSL (HTTPS), auto
Approximate size: 1.7 MB
Initial install: auto download or distribute
Admin rights required: initial installation only (MSI available for Windows)
OS support: 2K/XP/Vista (32 & 64-bit), Linux, Mac OS X, Win 2008 Server, Mobile 5/6
Rebootless installs: yes
Head end: ASA/IOS

Page 12: Tunneling Protocol Comparison (Cisco SSL VPN Client)

Columns: HTTPS/SSL | DTLS/SSL | IPsec/IKEv1
Locked-down firewall compatible: Yes | No | via TCP tunneling
Proxy server compatible: Yes | No | No
High performance transport: No | Yes | Yes
Protocol fallback: HTTPS/SSL has none (N/A); DTLS/SSL falls back to HTTPS/SSL (TCP)
QoS friendly (DSCP preservation): No | Possible | Yes
Mobility friendly: Yes | Yes | No (IKEv2/Mobile IKE)
Transport: TCP | UDP | ESP, UDP, Fake TCP
Perceived customer value ($$s): $$$ | $$$ | $

Page 13: AnyConnect VPN Client Installation: Dynamic or Manual Installation

The ASA downloads the client to the user based on group policy.
The ASA can automatically download the client, or prompt the remote user to download it.
Client packages are provided for manual install or distribution via a desktop management system.

Page 14: AnyConnect VPN Client Local LAN Access (Split Tunnel Variant)

In this example, only traffic to the local PC LAN (192.168.100.0/24) is sent in the clear (no VPN). All other traffic is sent encrypted over the VPN to the ASA.

To verify the split tunnel configuration from the remote PC, open the AnyConnect VPN icon in the task tray, then select: Statistics > Details > Route Details

Page 15: AnyConnect VPN Client Datagram Transport Layer Security (DTLS)

Limitations of TLS (HTTPS/SSL) with SSL VPN tunnels:
TLS is used to tunnel TCP/IP over TCP/443.
TCP requires retransmission of lost packets.
Both the application and TLS wind up retransmitting when packet loss is detected.

DTLS solves the TCP-over-TCP problem:
DTLS replaces the underlying transport TCP/443 with UDP/443.
DTLS uses TLS to negotiate and establish the DTLS connection (control messages and key exchange).
Only datagrams are transmitted over DTLS.

Other benefits:
Low latency for real-time applications.
DTLS is enabled by default and dynamically negotiated at connect time.
DTLS is optional and will automatically fall back to TLS (HTTPS).
Defined in RFC 4347; implemented as part of the standard OpenSSL package.

Page 16: Clientless WebVPN Features

Page 17: For End-Users, Seamless Access Anywhere: Personalized Application and Resource Access

Personalized homepage: localizable, RSS feeds, personal bookmarks, etc.
Delivers web-based and traditional applications: sophisticated web and other applications delivered seamlessly to the browser
SAML Single Sign-On (SSO), verified with RSA Access Manager
Intuitive user experience: drag and drop file access and webified file transport
Delivers key applications beyond the browser: Smart Tunnels deliver more applications without admin privileges

Page 18: For End-Users, Seamless Access Anywhere: Enhanced Clientless Interface, Highly Customizable

Customizable banner graphic
Customizable colors and sections
Customizable links, network resource access
Customizable access methods
Customizable banner message

Page 19: Clientless WebVPN Personal Bookmarks

Specify the personal storage location under Group Policy.
Users can add/delete personal bookmarks that persist between WebVPN sessions.

Page 20: Clientless WebVPN Browsing Networks: Clientless File Access for CIFS and FTP

Click the icon from the web portal to browse networks, OR click the Browse Entire Network link under the Browse Networks application.

Page 21: Clientless WebVPN Java Client/Server Plugins: Details

When clicking on a resource link, a dynamic page is generated that hosts the Java applet(s).
The Java applet(s) are rewritten, re-signed, and automatically wrapped with Cisco's helper agent.
The Java applet(s) are transparently cached in the ASA cache.

Page 22: Clientless WebVPN Plugins: RDP, VNC, Sametime, SSH, Telnet, POST

Remote Desktop plugin for Windows Terminal Services: native Windows support using ActiveX, or the ProperRDP client using Java
Virtual Network Computing (VNC): remote server access based on TightVNC
SSH/Telnet: combined open source plugin provides either SSHv1 or Telnet access to manage devices and servers
Lotus Sametime: secure instant messaging application from IBM
POST plugin: provides a portal homepage with optional SSO

Page 23: Clientless WebVPN Plugins: Citrix Plugin

Link directly to Citrix applications from the portal. The plugin supports all Citrix Java client parameters/features. The ASA optimizes performance by downloading components as needed. Verify that your Citrix EULA grants rights and permissions to deploy the client.

Page 24: Clientless WebVPN Native Citrix Support (No Plugin)

The ASA automatically intercepts web traffic with content type ICA from the Web Presentation Server and modifies the ICA file returned to the client to ensure the ASA proxies the session.
A Java or ActiveX ICA client is also pushed down to the client if a standalone client is not running on the endpoint.

Page 25: Clientless WebVPN Smart Tunnels

Smart Tunnels are application-level port forwarding: a connection between a Winsock 2, TCP-based application and the private site, using a clientless (browser-based) SSL VPN session.
You can specify the client applications to which you want to grant Smart Tunnel access, including Telnet, SSH, RDP, VNC, passive FTP, Outlook Express, Lotus Notes, Sametime, Citrix Program Neighborhood client, and Outlook via POP/SMTP/IMAP.
SSL VPN loads a stub into each process spawned by an authorized application and intercepts socket calls to redirect them via the ASA.
This can be used where other methods such as AnyConnect or Port Forwarding cannot be used.
A browser with ActiveX, Java or JavaScript support is required; supported on 32-bit OSs only, such as Windows XP and 2000.

Page 26: Clientless WebVPN General Configuration Overview

1. Import web content (optional)
2. Define bookmarks and assign to Group Policies
3. Customize login/logout and portal pages and assign to Connection Profiles and Group Policies, respectively (optional)
4. Import plugins and apply to bookmarks (optional)
5. Define Smart Tunnels and enable in bookmarks or Group Policies (optional)
6. Review and tune User/Group Policies as required
7. Apply Cisco Secure Desktop, Endpoint Assessment, DAP, and enforcement policies (covered in later training sessions)

Page 27: Secure Session (aka Secure Desktop or Vault) Overview

Encrypts data and files associated with or downloaded during the remote session into a secure desktop partition.
Provides a task tray icon to signify a safe environment for the remote user to work in.
Upon session termination, uses a U.S. Department of Defense (DoD) sanitization algorithm to remove the partition.
Typically used during clientless SSL VPN sessions; attempts to reduce the possibility that cookies, browser history, temporary files, and downloaded content remain after a remote user logs out, the session times out, or an abrupt termination occurs.
Runs on Microsoft Windows Vista, Windows XP, and Windows 2000.
If the pre-login policy is configured to install Secure Session but the remote OS does not support it, then a Cache Cleaner install is attempted instead.

Page 28: Cisco Secure Desktop Login Page (After Scan)

Page 29: Policy Inheritance Overview

Page 30: Policy Objects

Connection Profile / Tunnel Group: pre-login attributes (including AAA, login page for Clientless, certificate handling)
Group Policy (internal and external): post-login attributes (including portal page, bookmarks, access policies)
User Policy (internal and external): user-specific attributes
Dynamic Access Policy: dynamically created policies based on multiple inputs (location, directory attributes, PC attributes)

Internal versus external:
Internal attributes are locally defined on the ASA.
External attributes are returned as values from queries to external servers (for example, RADIUS and LDAP).

Page 31: User Attribute Primer

Start at the user's Connection Profile / Tunnel Group, then apply attributes in this order of priority, highest first:
1. DAP attributes
2. User attributes
3. Group Policy attributes
4. DfltGrpPolicy attributes (system default Group Policy)

Note: individual attributes may not be collected in sequence, but the resulting policy will always be a compilation based on the above prioritization.

Page 32: Data Collection and Policy Assignment Flow

Pre-login (Cisco Secure Desktop, CSD):
Initial SSL connection
Pre-login scan: basic host scan, extended host scan, custom checks
Pre-login policy (location) assigned
Scan results collected

User connect/login:
Connection Profile selected by DefaultWEBVPNGroup, Connection/Group URL (auto), group drop-down list, or certificate-based (auto)
User login

Post-login:
User/Group Policy selected
DAP evaluated from the pre-login policy, scan results and OS details, together with user attributes, group attributes and connection type
User policy applied to the SSL VPN user

The resultant policy is a collection of multiple data points and attributes, not necessarily collected in order, that are compiled based on the policy inheritance and prioritization hierarchy.

Page 33: ASA VPN Load Balancing

Load balancing is supported on remote sessions initiated with the following:
• Cisco AnyConnect VPN Client (Release 2.0 and later)
• Cisco VPN Client (Release 3.0 and later)
• Cisco VPN 3002 Hardware Client (Release 3.5 or later)
• Cisco PIX 501/506E when acting as an Easy VPN client

Load balancing works with both IPSec clients and WebVPN sessions. All other clients, including LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but they cannot participate in load balancing.

You can configure the number of IPSec and WebVPN sessions to allow, up to the maximum allowed by your configuration and license. With Release 7.1(1), IPSec and WebVPN sessions count or weigh equally in determining the load that each device in the cluster carries.

If using certificates, you must enable redirection using a fully-qualified domain name in vpn load-balancing mode. Use the command "redirect-fqdn enable" in global configuration mode. This is disabled by default.
http://www.cisco.com/en/US/partner/docs/security/asa/asa81/config/guide/vpnsysop.html
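A load-balancing cluster member configured with FQDN redirection, as an added example that is not from the deck or the linked guide. The interface names, hostname and domain, the cluster virtual address 203.0.113.10, the DNS server 198.51.100.53 and the CLUSTER_SHARED_KEY placeholder are assumptions; the point it shows is why "redirect-fqdn enable" matters when clients validate the head-end certificate.

```text
! Added example (not from the deck): one ASA member of a vpn load-balancing
! cluster. Assumed: interface names, hostname/domain, cluster virtual IP,
! DNS server address and the shared-key placeholder.
hostname asa1
domain-name example.com

! With redirect-fqdn, the master must resolve each member's address to a name,
! so the ASA needs DNS lookups enabled and a server holding A and PTR records
! for every member (assumption: 198.51.100.53 is that server).
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 198.51.100.53
 domain-name example.com

vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.10
 cluster port 9023
 cluster key CLUSTER_SHARED_KEY
 ! Redirect the client to the member's FQDN instead of its IP address, so the
 ! name the client connects to matches the CN/SAN in that member's certificate
 ! and the certificate check does not fail after the redirect.
 redirect-fqdn enable
 priority 5
 participate
```

Without redirect-fqdn, the master hands the client a bare IP address; a client that verifies the server certificate then sees a name mismatch on the member it was sent to, which is the failure the slide's note is warning about. Each member needs a certificate whose subject or SAN carries its own FQDN, and the virtual address needs a certificate the clients trust as well. `show vpn load-balancing` on any member shows the cluster role and per-member load once the cluster has formed.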

Page 34: Cisco ASA 5500 WebVPN/SSL VPN

WebVPN/SSL VPN license options: 25, 100, 250, 500, 1000, 2500, 5000, 10000

Additional Endpoint Assessment license includes:
Cisco Secure Desktop, for running secure applications on an insecure device
Endpoint Assessment (NAC Lite), to verify the posture of the device, enabling the ASA to assign the client to a specific group with specific access rights

Mobile VPN Client Support (ASA-MOBILE-VPN)
Phone Proxy: encrypted call setup and firewalling

Page 35: VPN Security Challenges

Remote users (employee at home, supply partner) connect from extranet machines, unmanaged machines and customer-managed machines.

Before the SSL VPN session:
Who owns the endpoint?
Endpoint security posture: AV, personal firewall?
Is malware running?

During the SSL VPN session:
Is session data protected?
Are typed passwords protected?
Has malware launched?

After the SSL VPN session:
Browser cached intranet web pages?
Browser stored passwords?
Downloaded files left behind?

Page 36: Comprehensive Endpoint Security (New in 8.0!)

Cisco Secure Desktop (CSD) now supports hundreds of pre-defined products, updated frequently: anti-virus, anti-spyware, personal firewall, and more.
Administrators can define custom checks, including running processes.
CSD posture policy is presented visually to simplify configuration and troubleshooting.

Page 37: Cisco ASA 5500 Series Platforms and Modules

Wide range of leading solutions for customers of all sizes

Page 38: Cisco ASA 5500 Series High-End Lineup: Data Center Solutions

Cisco ASA 5540
Target market: Internet Edge
List price: starting at $16,995
Performance: Max firewall (real-world HTTP) -; Max firewall (1400 byte) 650 Mbps; Max firewall (jumbo frames) -; Max IPSec VPN 325 Mbps; Max IPSec/SSL VPN peers 5000 / 2500
Platform capabilities: Max firewall conns 400,000; Max conns/second 25,000; Packets/second (64 byte) 500,000; Base I/O 4 GE + 1 FE; Max I/O 8 GE + 1 FE; VLANs supported 200; HA supported A/A and A/S

Cisco ASA 5550
Target market: Campus Segmentation
List price: starting at $19,995
Performance: Max firewall (real-world HTTP) -; Max firewall (1400 byte) 1.2 Gbps; Max firewall (jumbo frames) -; Max IPSec VPN 425 Mbps; Max IPSec/SSL VPN peers 5000 / 5000
Platform capabilities: Max firewall conns 650,000; Max conns/second 36,000; Packets/second (64 byte) 600,000; Base I/O 8 GE + 1 FE; Max I/O 8 GE + 1 FE; VLANs supported 250; HA supported A/A and A/S

Cisco ASA 5580-20 (New)
Target market: Campus Segmentation / Data Center
List price: starting at $59,995 with 8 GE
Performance: Max firewall (real-world HTTP) 5 Gbps; Max firewall (1400 byte) 6.5 Gbps; Max firewall (jumbo frames) 10 Gbps; Max IPSec VPN 1 Gbps; Max IPSec/SSL VPN peers 10,000 / 10,000
Platform capabilities: Max firewall conns 1,000,000; Max conns/second 90,000; Packets/second (64 byte) 2,750,000; Base I/O 2 Mgmt; Max I/O 24 GE / 12 10GE; VLANs supported 250; HA supported A/A and A/S

Cisco ASA 5580-40 (New)
Target market: Data Center
List price: starting at $109,995 with 8 GE
Performance: Max firewall (real-world HTTP) 10 Gbps; Max firewall (1400 byte) 14 Gbps; Max firewall (jumbo frames) 20 Gbps; Max IPSec VPN 1 Gbps; Max IPSec/SSL VPN peers 10,000 / 10,000
Platform capabilities: Max firewall conns 2,000,000; Max conns/second 150,000; Packets/second (64 byte) 5,500,000; Base I/O 2 Mgmt; Max I/O 24 GE / 12 10GE; VLANs supported 250; HA supported A/A and A/S

Page 39: Cisco ASA 5500 Series Product Lineup

Cisco ASA 5505
Target market: Teleworker / Branch Office / SMB
List price: starting at $595
Performance: Max firewall 150 Mbps; Max firewall + IPS 45 Mbps; Max IPSec VPN 100 Mbps; Max IPSec/SSL VPN peers 25/25
Platform: Max firewall conns 10,000/25,000; Max conns/second 3,000; Packets/second (64 byte) 85,000; Base I/O 8-port FE switch; VLANs supported 3/20 (trunk); HA supported Stateless A/S (Sec Plus)

Cisco ASA 5510
Target market: SMB and SME
List price: starting at $3,495
Performance: Max firewall 300 Mbps; Max firewall + IPS 150/300 Mbps; Max IPSec VPN 170 Mbps; Max IPSec/SSL VPN peers 250/250
Platform: Max firewall conns 50,000/130,000; Max conns/second 6,000; Packets/second (64 byte) 190,000; Base I/O 5 FE; VLANs supported 50/100; HA supported A/A and A/S (Sec Plus)

Cisco ASA 5520
Target market: Medium Enterprise
List price: starting at $7,995
Performance: Max firewall 450 Mbps; Max firewall + IPS 350/450 Mbps; Max IPSec VPN 225 Mbps; Max IPSec/SSL VPN peers 750/500
Platform: Max firewall conns 280,000; Max conns/second 9,000; Packets/second (64 byte) 320,000; Base I/O 4 GE + 1 FE; VLANs supported 150; HA supported A/A and A/S

Cisco ASA 5540
Target market: Enterprise
List price: starting at $16,995
Performance: Max firewall 650 Mbps; Max firewall + IPS 650 Mbps; Max IPSec VPN 325 Mbps; Max IPSec/SSL VPN peers 5000/2500
Platform: Max firewall conns 400,000; Max conns/second 20,000; Packets/second (64 byte) 500,000; Base I/O 4 GE + 1 FE; VLANs supported 200; HA supported A/A and A/S

Cisco ASA 5550
Target market: Large Enterprise
List price: starting at $19,995
Performance: Max firewall 1.2 Gbps; Max firewall + IPS N/A; Max IPSec VPN 425 Mbps; Max IPSec/SSL VPN peers 5000/5000
Platform: Max firewall conns 650,000; Max conns/second 28,000; Packets/second (64 byte) 600,000; Base I/O 8 GE + 1 FE; VLANs supported 250; HA supported A/A and A/S

Page 40: Wide Range of Management Solutions: Scalable, Cost-Optimized Options for Businesses

Integrated remote management capabilities within ASA:
Configuration: Auto Update, SSH, Telnet, XML/HTTPS, and ASDM
Real-time monitoring: Syslog, SNMP, HTTPS, and ASDM
Software updates: Auto Update, SCP, HTTP, HTTPS, and TFTP

Cisco Monitoring and Response Solution (CS-MARS):
Family of high performance appliances designed to provide automated analysis of security event information to help identify, manage, and counter attacks
Supports getting events from a wide range of Cisco and 3rd party solutions, and also analyzes NetFlow for additional intelligence
Offers event correlation, visualization, rules engine, and reporting

Cisco Security Manager (CS-Manager):
Scalable management solution for a wide range of Cisco security solutions including routers, switches, blades, and appliances
Delivers centralized management of firewall, VPN, IPS/IDS, networking, and other services via a flexible user interface
Supports device grouping for simplified policy maintenance
Provides role-based admin access and workflow capabilities
Available on Windows (Linux version coming)

Page 41: Web VPN Client Monitoring

Page 42: Cisco ASA Adaptive Security Appliances: Industry Certifications and Evaluations

Common Criteria:
Completed: EAL4, v7.0.6, ASA 5510/20/40 (FW)
Completed: EAL2, v6.0, ASA SSM-10/20 (IPS)
In process: EAL4+, v7.2.2, ASA Family (FW)
In process: EAL4, v7.2.2, ASA Family (VPN)

FIPS 140:
Completed: Level 2, v7.0.4, ASA Family
Completed: Level 2, v7.2.2
In process: Level 2, v8.0.2

ICSA Firewall 4.1, Corporate Category: Completed: v7.2.2, ASA Family
ICSA IPSec 1.0D: Completed: v7.0.4, ASA Family
ICSA Anti-Virus Gateway: Completed: v7.1, ASA Family
NEBS Level 3: Completed: ASA 5510, 5520, and 5540

New

New

Page 43: Asa sslvpn security
