Asa sslvpn security
Transcript of Asa sslvpn security
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
ASA Remote Access VPN Technologies: SSL VPN, WebVPN, IPSec VPN
http://www.cisco.com/go/security
http://www.cisco.com/security
Tim Ryan – [email protected], Consulting SE
CCIE, CISSP
Cisco ASA 5500 Series: Convergence of Robust, Market-Proven Technologies
(Diagram: the ASA 5500 combines the following technology lineages and service layers.)
Firewall Technology: Cisco PIX
IPS Technology: Cisco IPS
Content Security: Trend Micro
VPN Technology: Cisco VPN 3000
Network Intelligence: Cisco Network Services
Application Security: App Inspection, Use Enforcement, Web Control
IPS & Content Security Services: Malware/Content Defense, Anomaly Detection
Network Containment and Control: Traffic/Admission Control, Proactive Response
Secure Connectivity: IPSec & SSL VPN
Market-Proven Technologies; Adaptive Threat Defense, Secure Connectivity
Cisco ASA 5500 Series: Threat Protected VPN Services: Leveraging On-Board Security to Protect the VPN Threat Vector
(Diagram: threats arriving over a Remote Access VPN User session, such as worm/virus, unwanted application, spyware, illegal access and exploit, are handled on the ASA 5500 by the following on-board services.)
Threat Mitigation: Incident Control, Virus Detection, Worm Mitigation, Spyware Detection
Application Firewall and Access Control: Application Inspection/Control, Granular Per-User/Group Access Control, Protocol Anomaly Detection, Stateful Traffic Filtering
Accurate Enforcement: Real-Time Correlation, Risk Rating, Attack Drop, Session Removal and Resets
Comprehensive Endpoint Security: Pre-Connection Posture Assessment, Malware Mitigation, Session/Data Security, Post-Session Clean-Up
Leverages Depth of Threat Defense Features to Stop Malicious Worms, Viruses, and More… and Without External Devices or Performance Loss!
VPN Technologies for Remote Clients
Encrypted Connection Protocols:
SSL tunnel uses the SSL protocol with RC4 or AES to encrypt data
IPSec tunnel uses the IPSec protocol with DES, 3DES or AES to encrypt data
Encrypted Client options supported by the ASA:
AnyConnect VPN Client is an SSL-based VPN client that is installed on a desktop and can tunnel any traffic (aka SVC)
WEB VPN (aka Clientless VPN) uses the browser as the client with the ASA acting as a proxy. It can tunnel HTTP and HTTPS traffic and a limited number of other supported protocols such as CIFS, OWA, RDP, VNC, SSH and Telnet via plugins
Cisco VPN Client is an IPSec client that can tunnel any traffic except for multicast.
ASA VPN Configuration
The AnyConnect Configuration document at the URL below is an excellent starting place for any ASA VPN configuration.
http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00808efbd2.shtml
Configure:
Step 1. Configure a Self-Issued Certificate
Step 2. Upload and Identify the SSL VPN Client Image
Step 3. Enable AnyConnect Access
Step 4. Create a new Group Policy
Step 5. Configure Access List Bypass for VPN Connections
Step 6. Create a Connection Profile and Tunnel Group for the AnyConnect Client Connections
Step 7. Configure NAT Exemption for AnyConnect Clients
Step 8. Add Users to the Local Database
VPN Connection Flow Summary
At client connection time, Group Policy settings take precedence over Connection Profile settings. If the Connection Profile has a setting and the Group Policy is set to "inherit", then the Connection Profile setting is used.
ANYCONNECT CLIENT Connection: Connection Profile (called tunnel group at CLI) = SSLClientProfile; Uses Group Policy = GroupPolicy1; Alias = SSLClient
IPSEC CLIENT Connection: Connection Profile (called tunnel group at CLI) = IPSecVPN; Uses Group Policy = IPSecClient; IPSec Client settings: Groupname = IPSecVPN, pre-shared key = cisco123
WEBVPN - BROWSER CLIENT Connection: Connection Profile for Clientless SSL VPN Access (tunnel group in CLI) = WebVPN; Uses Group Policy = WebGroup; Alias = WebVPN
AnyConnect Client Connection Config
ANYCONNECT CLIENT Connection Profile: SSLClientProfile
Alias = SSLClient
Authentication type = (local, AAA, Certs)
Uses Group Policy = GroupPolicy1
Connection Profile lock = SSL Client Profile
SSL VPN Client tunnelling protocol ONLY
Address pool = ECRU-1 (10.199.0.1 – 10.199.7.254)
DNS = 4.2.2.2
Default Domain = gtei.net
Split tunnel options = Default = tunnel all networks
Test user: User1, pw = cisco123, locked to SSL Client profile, uses Group Policy1
Client-Based SSL VPN (AnyConnect/SSL VPN Client)
ASA 5500 version 8.0 VPN Clientless Access
Precise, granular access control to specific resources
Enhanced Portal Design: Localizable, RSS feeds, Personal bookmarks
AnyConnect Client access
Drag and Drop file access and webified file transport
Transformation enhancements including Flash support
Head-end deployed applets for telnet, SSH, RDP, and VNC, framework supports add’l plug-ins
Advanced port-forwarder for Windows (Smart Tunnel) accesses TCP applications without admin privileges on Client PC
Enhanced Remote Access Security
Enhanced authorization using policies and group information
Extended use of credentials
Always up to date via automatic updating (no admin)
Virtual keyboard option
SAML Single Sign-On (SSO) verified with RSA Access Manager (was ClearTrust)
Group/User-to-VLAN mapping support
Start before Login for Vista
Current Snapshot of VPN Client Offerings
Feature | Cisco VPN Client | Cisco SSL VPN Client | Cisco AnyConnect VPN Client
Protocol | IPsec | SSL (HTTPS) | DTLS, SSL (HTTPS) - Auto
Approximate size | 10 MB | 400 KB | 1.7 MB
Initial install | distribute | auto download, distribute | auto download, distribute
Admin rights required | yes | Initial installation only (Stub installer available) | Initial installation only (MSI available – Windows)
OS Support | 2K/XP/Vista 32-bit, Linux, Mac OS X, Solaris UltraSparc | 2000/XP | 2K/XP/Vista (32 & 64-bit), Linux, Mac OS X, Win 2008 Server, Mobile 5/6
Rebootless Installs | No | Yes | Yes
Head End | ASA/PIX/3K/IOS | ASA/3K/IOS | ASA/IOS
Tunneling Protocol Comparison (Cisco SSL VPN Client)
Feature | HTTPS/SSL | DTLS/SSL | IPsec / IKEv1
Locked down FW Compatible | Yes | No | via TCP tunneling
Proxy server Compatible | Yes | No | No
High performance transport | No | Yes | Yes
Protocol Fallback | N/A | HTTPS/SSL (TCP) |
QoS Friendly (DSCP Preservation) | No | Possible | Yes
Mobility Friendly | Yes | Yes | No (IKEv2/Mobile IKE)
Transport | TCP | UDP | ESP, UDP, Fake TCP
Perceived Customer Value ($$s) | $$$ | $$$ | $
AnyConnect VPN Client Installation: Dynamic or Manual Installation
ASA downloads client to user based on group policy.
ASA can automatically download client, or prompt remote user to download.
Client packages provided for manual install or distribution via desktop management system
AnyConnect VPN Client Local LAN Access (Split Tunnel Variant)
In this example, only traffic to the local PC LAN (192.168.100.0/24) is sent in the clear (no VPN).
All other traffic is sent encrypted over the VPN to the ASA.
To verify the split tunnel configuration from the remote PC, open the AnyConnect VPN icon in the task tray, then select: Statistics > Details > Route Details
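The Route Details check above can be automated against the text the client shows. The following is an added example, not Cisco's code or a real client capture: the dump is constructed, its two section headings ("Secured Routes", "Non-Secured Routes") are assumed, and the check flags any clear-text route that falls outside the intended local LAN.

```python
import ipaddress
from typing import Dict, List

# Constructed stand-in for the text of the AnyConnect Statistics > Details >
# Route Details pane for the slide's local-LAN-only split tunnel. The two
# section headings are assumed for this example, not copied from a real client.
ROUTE_DETAILS = """\
Secured Routes
0.0.0.0/0.0.0.0
Non-Secured Routes
192.168.100.0/255.255.255.0
"""

Routes = Dict[str, List[ipaddress.IPv4Network]]


def parse_route_details(text: str) -> Routes:
    """Split the dump into secured (tunnelled) and non-secured (clear) networks."""
    routes: Routes = {"secured": [], "non_secured": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith("non-secured routes"):
            section = "non_secured"
        elif low.startswith("secured routes"):
            section = "secured"
        elif section is not None:
            # strict=False accepts "network/netmask" notation with host bits set
            routes[section].append(ipaddress.ip_network(line, strict=False))
    return routes


def classify(routes: Routes, destination: str) -> str:
    """'clear' if the longest matching route is non-secured, otherwise 'vpn'."""
    addr = ipaddress.ip_address(destination)
    best_kind, best_len = "secured", -1
    for kind, nets in routes.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best_kind, best_len = kind, net.prefixlen
    return "clear" if best_kind == "non_secured" else "vpn"


def leaks_in_clear(routes: Routes, allowed_local=("192.168.100.0/24",)) -> List[ipaddress.IPv4Network]:
    """Non-secured routes that are not inside the intended local LAN.

    Anything returned here is traffic that bypasses the ASA unencrypted, which
    is the misconfiguration the slide's verification step exists to catch.
    """
    allowed = [ipaddress.ip_network(a) for a in allowed_local]
    return [n for n in routes["non_secured"] if not any(n.subnet_of(a) for a in allowed)]


if __name__ == "__main__":
    routes = parse_route_details(ROUTE_DETAILS)
    for dst in ("192.168.100.7", "10.199.0.5", "8.8.8.8"):
        print(dst, "->", classify(routes, dst))
    print("clear-text leaks:", leaks_in_clear(routes))
```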
AnyConnect VPN Client: Datagram Transport Layer Security (DTLS)
Limitations of TLS (HTTPS/SSL) with SSL VPN tunnels
TLS is used to tunnel TCP/IP over TCP/443
TCP requires retransmission of lost packets
Both application and TLS wind up retransmitting when packet loss is detected.
DTLS solves the TCP over TCP problem
DTLS replaces underlying transport TCP/443 with UDP/443
DTLS uses TLS to negotiate and establish DTLS connection (control messages and key exchange)
Datagrams only are transmitted over DTLS
Other benefits
Low latency for real time applications
DTLS is enabled by default; dynamically negotiated at connect time.
DTLS is optional and will automatically fallback to TLS (HTTPS)
Defined in RFC 4347
Implemented as part of the standard OpenSSL package
Clientless WebVPN Features
For End-Users, Seamless Access Anywhere: Personalized application and resource access
Personalized homepage
Localizable, RSS feeds, personal bookmarks, etc.
Delivers web-based and traditional applications
Sophisticated web and other applications delivered seamlessly to the browser
SAML Single Sign-On (SSO) – verified with RSA Access Manager
Intuitive user experience
Drag and Drop file access and webified file transport
Delivers key applications beyond the browser
Smart Tunnels deliver more applications without admin privileges
For End-Users, Seamless Access Anywhere: Enhanced clientless interface, highly customizable
Customizable Banner Graphic
Customizable Colors and Sections
Customizable Links, Network Resource Access
Customizable Access Methods
Customizable Banner Message
Clientless WebVPN Personal Bookmarks
Specify personal storage location under Group Policy
User can add/delete personal bookmarks that are persistent between WebVPN sessions.
Clientless WebVPN Browsing Networks: Clientless File Access for CIFS and FTP
Click the icon from the web portal to browse networks, OR click the Browse Entire Network link under the Browse Networks application
Clientless WebVPN Java Client/Server Plugins - Details
When clicking on a resource link, a dynamic page is generated that hosts the Java applet(s).
The Java applet(s) are rewritten, re-signed, and automatically wrapped with Cisco’s helper agent.
The Java applet(s) are transparently cached in the ASA cache.
Clientless WebVPN Plugins: RDP, VNC, Sametime, SSH, Telnet, Post
Remote Desktop Plugin for Windows Terminal Services: Native Windows support using ActiveX, or ProperRDP client using Java
Virtual Network Computing (VNC): remote server access based on TightVNC
SSH/Telnet: Combined open source plugin provides either SSHv1 or Telnet access to manage devices and servers
Lotus Sametime: Secure instant messaging application from IBM
POST plugin: Provides Portal Homepage with optional SSO
Clientless WebVPN Plugins: Citrix Plugin
Link directly to Citrix applications from the portal.
Plugin supports all Citrix Java client parameters/features.
ASA optimizes performance by downloading components as needed.
Verify your Citrix EULA grants rights and permissions to deploy the client.
Clientless WebVPN Native Citrix Support (No Plugin)
ASA automatically intercepts web traffic with content type ICA from Web Presentation Server and modifies return ICA file to client to ensure ASA proxies session.
Java or ActiveX ICA Client is also pushed down to client if not running standalone client on endpoint.
Clientless WebVPN Smart Tunnels
Smart Tunnels are application-level port forwarding
It is a connection between a Winsock 2, TCP-based application and the private site, using a clientless (browser-based) SSL VPN session.
You can specify client applications which you want to grant Smart Tunnel access including Telnet, SSH, RDP, VNC, Passive FTP, Outlook Express, Lotus Notes, Sametime, Citrix Program Neighborhood client, and Outlook via POP/SMTP/IMAP.
SSL VPN loads a stub into each process spawned by an authorized application, and intercepts socket calls to redirect via ASA.
This can be used where other methods such as AnyConnect or Port Forwarding cannot be used.
A browser with ActiveX, Java or JavaScript support is required, on 32-bit OSs only (such as Windows XP and 2K)
Clientless WebVPN General Configuration Overview
1. Import Web Content (Optional)
2. Define Bookmarks and assign to Group Policies
3. Customize Login/Logout and Portal Pages and assign to Connection Profiles and Group Policies, respectively (Optional)
4. Import plugins and apply to bookmarks (Optional)
5. Define Smart Tunnels and enable in bookmarks or Group Policies (Optional)
6. Review and tune User/Group Policies as required.
7. Apply Cisco Secure Desktop, Endpoint Assessment, DAP, and enforcement policies (covered in later training sessions)
Secure Session (aka Secure Desktop or Vault): Overview
Encrypts data and files associated with or downloaded during remote session into a secure desktop partition
Provides tasktray icon to signify a safe environment for remote user to work in.
Upon session termination, uses a U.S. Department of Defense (DoD) sanitization algorithm to remove the partition.
Typically used during clientless SSL VPN sessions--attempts to reduce the possibility that cookies, browser history, temporary files, and downloaded content remain after a remote user logs out, the session times out, or after an abrupt termination occurs.
Runs over Microsoft Windows Vista, Windows XP, and Windows 2000.
If Prelogin policy is configured to install Secure Session, but remote OS does not support Secure Session, then Cache Cleaner install attempted instead.
Cisco Secure Desktop: Login Page (After Scan)
Policy Inheritance Overview
Policy Objects
Connection Profile / Tunnel Group: Pre-login attributes (inc. AAA, login page for Clientless, cert handling)
Group Policy (Internal and External): Post-login attributes (inc. portal page, bookmarks, access policies)
User Policy (Internal and External): User-specific attributes
Dynamic Access Policy: Dynamically created policies based on multiple inputs (Location, Directory attributes, PC attributes)
Internal versus External
Internal attributes – locally defined on ASA
External attributes – returned as values from queries to external servers (for example, RADIUS and LDAP)
User Attribute Primer
(Diagram: attribute collection starts at the User Connection Profile / Tunnel Group and passes through the Group Policy attributes; the resulting policy is prioritized as follows, highest first.)
DAP Attributes
User Attributes
Group Policy Attributes
DfltGrpPolicy Attributes (System Default Group Policy)
Note: Individual attributes may not be collected in sequence, but the resulting policy will always be a compilation based on the above prioritization
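The prioritization above, together with the "inherit" rule from the VPN Connection Flow Summary, can be expressed as one attribute-resolution routine. The following is an added example, not Cisco's implementation: layer names and attribute names are illustrative, the sample values are constructed from the SSLClientProfile / GroupPolicy1 slide, and placing the Connection Profile just below the Group Policy is an assumption made for this example.

```python
from typing import Any, Dict, Optional, Tuple

# "inherit" is the marker the slides use for a setting that is not defined
# at this layer and must be taken from a lower-priority one.
INHERIT = "inherit"

# Priority from the User Attribute Primer slide, highest first. Placing the
# Connection Profile below the Group Policy follows the VPN Connection Flow
# Summary (group policy wins unless it inherits); that placement is an
# assumption made for this example, not a statement from Cisco documentation.
PRIORITY = ("dap", "user", "group_policy", "connection_profile", "dflt_grp_policy")

Layers = Dict[str, Dict[str, Any]]


def resolve_attribute(name: str, layers: Layers) -> Tuple[Optional[Any], Optional[str]]:
    """Return (value, layer) for one attribute.

    Walks the layers from highest to lowest priority. A layer that lacks the
    attribute, or holds INHERIT for it, is skipped, so the first concrete
    value found is the one the session gets.
    """
    for layer in PRIORITY:
        value = layers.get(layer, {}).get(name, INHERIT)
        if value != INHERIT:
            return value, layer
    return None, None  # not even DfltGrpPolicy defines it


def resultant_policy(layers: Layers) -> Dict[str, Tuple[Any, str]]:
    """Compile the whole effective policy: attribute -> (value, winning layer)."""
    names = sorted({n for attrs in layers.values() for n in attrs})
    result: Dict[str, Tuple[Any, str]] = {}
    for name in names:
        value, layer = resolve_attribute(name, layers)
        if layer is not None:
            result[name] = (value, layer)
    return result


# Constructed sample modelled on the SSLClientProfile / GroupPolicy1 slide.
# Attribute names are illustrative, not exact ASA CLI keywords.
EXAMPLE_LAYERS: Layers = {
    "dflt_grp_policy": {"split_tunnel_policy": "tunnelall",
                        "simultaneous_logins": 3, "idle_timeout_min": 30},
    "connection_profile": {"address_pool": "ECRU-1", "dns_server": "4.2.2.2",
                           "default_domain": "gtei.net"},
    "group_policy": {"tunnel_protocol": "svc", "address_pool": INHERIT,
                     "dns_server": INHERIT, "split_tunnel_policy": INHERIT},
    "user": {"group_lock": "SSLClientProfile", "simultaneous_logins": 1},
    "dap": {"idle_timeout_min": 10},
}

if __name__ == "__main__":
    for name, (value, layer) in resultant_policy(EXAMPLE_LAYERS).items():
        print(f"{name:20} = {value!s:18} (from {layer})")
```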
Data Collection and Policy Assignment Flow
(Diagram: an SSL VPN User connects to the ASA; Cisco Secure Desktop (CSD) performs the pre-login scan.)
Pre-Login: Initial SSL Connection; CSD Pre-Login Scan (Basic Host Scan, Extended Host Scan, Custom Checks); Pre-login Policy (Location) Assigned; Connection Profile Selected (DefaultWEBVPNGroup, Conn/Group URL (auto), Group Drop-Down List, Certificate-based (auto))
User Connect/Login: User login; User/Group Policy Selected
Post-Login: DAP evaluated from Pre-Login Policy, Scan Results, OS Details, User Attributes, Group Attributes and Connection Type; User Policy applied
Resultant Policy is a collection of multiple data points and attributes, not necessarily collected in order, that are compiled based on the policy inheritance and prioritization hierarchy.
ASA VPN Load Balancing
Load balancing is supported on remote sessions initiated with the following:
• Cisco AnyConnect VPN Client (Release 2.0 and later)
• Cisco VPN Client (Release 3.0 and later)
• Cisco VPN 3002 Hardware Client (Release 3.5 or later)
• Cisco PIX 501/506E when acting as an Easy VPN client
Load balancing works with both IPSec clients and WebVPN sessions. All other clients, including LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but they cannot participate in load balancing.
You can configure the number of IPSec and WebVPN sessions to allow, up to the maximum allowed by your configuration and license. With Release 7.1(1), IPSec and WebVPN sessions count or weigh equally in determining the load that each device in the cluster carries.
If using certificates, you must enable redirection using a fully-qualified domain name in vpn load-balancing mode. Use the command "redirect-fqdn enable" in global configuration mode. This is disabled by default.
http://www.cisco.com/en/US/partner/docs/security/asa/asa81/config/guide/vpnsysop.html
Cisco ASA 5500 WebVPN/SSL VPN
WebVPN-SSLVPN License Options: 25, 100, 250, 500, 1000, 2500, 5000, 10000
Additional End Point Assessment License includes:
Cisco Secure Desktop – For running Secure Applications on an In-Secure Device
End Point Assessment (NAC Lite) – To verify the posture of the device, enabling the ASA to assign the client to a specific group with specific access rights.
Mobile VPN Client Support (ASA-MOBILE-VPN)
Phone Proxy – Encrypted Call Setup and Firewalling
VPN Security Challenges
(Diagram: remote users include an Employee at Home, a Supply Partner, an Extranet Machine, an Unmanaged Machine and a Customer Managed Machine.)
Before SSL VPN Session: Who owns the endpoint? Endpoint security posture: AV, personal firewall? Is malware running?
During SSL VPN Session: Is session data protected? Are typed passwords protected? Has malware launched?
After SSL VPN Session: Browser cached intranet web pages? Browser stored passwords? Downloaded files left behind?
Comprehensive EndPoint Security
Cisco Secure Desktop (CSD) now supports hundreds of pre-defined products, updated frequently
Anti-virus, anti-spyware, personal firewall, and more
Administrators can define custom checks including running processes
CSD posture policy presented visually to simplify configuration and troubleshooting
New in 8.0!
Cisco ASA 5500 Series Platforms and Modules
Wide Range of Leading Solutions for Customers of All Sizes
Cisco ASA 5500 Series High-End Lineup: Data Center Solutions
Model | Cisco ASA 5540 | Cisco ASA 5550 | Cisco ASA 5580-20 (New) | Cisco ASA 5580-40 (New)
Target Market | Internet Edge | Campus Segmentation | Campus Segmentation / Data Center | Data Center
List Price | Starting at $16,995 | Starting at $19,995 | Starting at $59,995 with 8GE | Starting at $109,995 with 8GE
Performance
Max Firewall (Real-world HTTP) | - | - | 5 Gbps | 10 Gbps
Max Firewall (1400 byte) | 650 Mbps | 1.2 Gbps | 6.5 Gbps | 14 Gbps
Max Firewall (Jumbo frames) | - | - | 10 Gbps | 20 Gbps
Max IPSec VPN | 325 Mbps | 425 Mbps | 1 Gbps | 1 Gbps
Max IPSec/SSL VPN Peers | 5000 / 2500 | 5000 / 5000 | 10,000 / 10,000 | 10,000 / 10,000
Platform Capabilities
Max Firewall Conns | 400,000 | 650,000 | 1,000,000 | 2,000,000
Max Conns/Second | 25,000 | 36,000 | 90,000 | 150,000
Packets/Second (64 byte) | 500,000 | 600,000 | 2,750,000 | 5,500,000
Base I/O | 4 GE + 1 FE | 8 GE + 1 FE | 2 Mgmt | 2 Mgmt
Max I/O | 8 GE + 1 FE | 8 GE + 1 FE | 24 GE / 12 10GE | 24 GE / 12 10GE
VLANs Supported | 200 | 250 | 250 | 250
HA Supported | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S
Cisco ASA 5500 Series Product Lineup
Model | Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550
Target Market | Teleworker / Branch Office / SMB | SMB and SME | Enterprise | Medium Enterprise | Large Enterprise
List Price | Starting at $595 | Starting at $3,495 | Starting at $7,995 | Starting at $16,995 | Starting at $19,995
Performance
Max Firewall | 150 Mbps | 300 Mbps | 450 Mbps | 650 Mbps | 1.2 Gbps
Max Firewall + IPS | 45 Mbps | 150/300 | 350/450 | 650 Mbps | N/A
Max IPSec VPN | 100 Mbps | 170 Mbps | 225 Mbps | 325 Mbps | 425 Mbps
Max IPSec/SSL VPN Peers | 25/25 | 250/250 | 750/500 | 5000/2500 | 5000/5000
Platform Capabilities
Max Firewall Conns | 10,000/25,000 | 50,000/130,000 | 280,000 | 400,000 | 650,000
Max Conns/Second | 3,000 | 6,000 | 9,000 | 20,000 | 28,000
Packets/Second (64 byte) | 85,000 | 190,000 | 320,000 | 500,000 | 600,000
Base I/O | 8-port FE switch | 5 FE | 4 GE + 1 FE | 4 GE + 1 FE | 8 GE + 1 FE
VLANs Supported | 3/20 (trunk) | 50/100 | 150 | 200 | 250
HA Supported | Stateless A/S (Sec Plus) | A/A and A/S (Sec Plus) | A/A and A/S | A/A and A/S | A/A and A/S
Wide Range of Management Solutions: Provide Scalable, Cost Optimized Options for Businesses
Integrated Remote Management Capabilities Within ASA
Configuration: Auto Update, SSH, Telnet, XML/HTTPS, and ASDM
Real-time monitoring: Syslog, SNMP, HTTPS, and ASDM
Software updates: Auto Update, SCP, HTTP, HTTPS, and TFTP
Cisco Monitoring and Response Solution (CS-MARS)
Family of high performance appliances designed to provide automated analysis of security event information to help identify, manage, and counter attacks
Supports getting events from a wide range of Cisco and 3rd party solutions, and also analyzes NetFlow for additional intelligence
Offers event correlation, visualization, rules engine, and reporting
Cisco Security Manager (CS-Manager)
Scalable management solution for a wide range of Cisco security solutions including routers, switches, blades, and appliances
Delivers centralized management of firewall, VPN, IPS/IDS, networking, and other services via a flexible user interface
Supports device grouping for simplified policy maintenance
Provides role-based admin access and workflow capabilities
Available on Windows (Linux version coming)
Web VPN Client Monitoring
Cisco ASA Adaptive Security Appliances: Industry Certifications and Evaluations
Common Criteria
Completed: EAL4, v7.0.6—ASA 5510/20/40 (FW)
Completed: EAL2, v6.0—ASA SSM-10/20 (IPS)
In process: EAL4+, v7.2.2—ASA Family (FW)
In process: EAL4, v7.2.2—ASA Family (VPN)
FIPS 140
Completed: Level 2, v7.0.4—ASA Family
Completed: Level 2, v7.2.2
In process: Level 2, v8.0.2
ICSA Firewall 4.1, Corporate Category: Completed: v7.2.2—ASA Family
ICSA IPSec 1.0D: Completed: v7.0.4—ASA Family
ICSA Anti-Virus Gateway: Completed: v7.1—ASA Family
NEBS Level 3: Completed: ASA 5510, 5520, and 5540