36 (yonghkim@cisco.com) cisco systems korea · highly effective netflow event typical firewall...

Post on 13-Feb-2020



(yonghkim@cisco.com)

© 2008 Cisco Systems, Inc. All rights reserved. 1

Cisco Systems Korea

10G

(UTM)


10G


The Human Network: Changing the Way We Live, Work, Play, and Learn

S/W

Rich Media

WiKi

Social Networking

syslog 302013 TCP connection creation

syslog 302015 UDP connection creation

syslog 302017 GRE connection creation

syslog 302020 ICMP connection creation

L4

High-End

But Now Still… 10G

Firewall / Internet

IDC / Internet

ISP

L4 / ACL

• 1~2Gbps • Multi-Giga

LB / BW

• 4~10Gbps, Multi-Giga

BW

• Access-list • Deny All

LB • LB Switch

BW • BW, Connection Rate

LB

• Deny, All Permit •

Cisco ASA 5580 Series Overview

Highest Performance and Speed

• Connection Throughput

• Data center Ultra Low Latency

Highly Flexible Deployment

New

• NetFlow Security Event Monitoring

Highly Effective NetFlow Event

Cisco 10G!!!

Highest Performance and Speed

[Chart: Throughput vs. Firewall Rules; Connection Rate 5~7; 75]

Highly Flexible Deployment

OS / Quality of Service

Active-Active Failover / L2

Highly Effective NetFlow Event

Typical firewall syslog vs. Cisco ASA 5580 NetFlow

syslog 302013 TCP connection creation

syslog 302015 UDP connection creation

syslog 302017 GRE connection creation

syslog 302020 ICMP connection creation

= Flow creation event

Cisco ASA 5500

NetFlow v9

CS-MARS / 3rd Party NetFlow Collector

Remote Access VPN

Any Policy, Any Application, Any Endpoint

IPSec / SSL VPN

What's New?

• 10,000

• 100,000

Cisco ASA 5580 H/W

Total of 8 hard drive bays

Power button and status LED

4RU Rack Mount Form Factor, 26.5” Chassis Depth

Internal Compact Flash: stores software and config

Mounted on Rails for Easy Access to Front and Back

Processing Engine: 20~40 Upgrade Kit planned

24 Giga Port / 12 10GE

IDC Cisco 10G Firewall

Layer / Typical Solution / Cisco Solution / Description

Front End Network

• DC Real 10G Firewall ASA5580-40

• Security Net • Data Center Switch

L4 / 10G / ASA5580-40 • Layer 1

N-Tier App

• Application

• SLB network • Web, App, DB, MainFrame

• C6K FWSM, ACE

Storage

Storage network

VPN Gateway Service

WAN / Cisco ASA 5580

Cisco ASA (IPsec & SSLVPN)

Cisco ASA with Internet with VPN

Remote VPN Users (IPsec & SSLVPN)

DEMO: 10G Firewall

10Gbps

200M NAT

(UTM)

UTM?

Spam, Phishing

Spyware, Hackers

Unwelcome Visitors

Cisco ASA 5500 Series

Remote Access

Inappropriate Web Browsing

Viruses

UTM = Unified Threat Management

UTM / Cisco UTM

SP-1

ASA 5500

SP-2

ASA 5500 Firewall

IDS/IPS

IPSec VPN

SSL VPN

?

UTM Traffic Flow

Cisco ASA 5500 Series

Cisco ASA 5500 Series Advanced Inspection and Prevention Module (AIP SSM)

Cisco ASA 5500 Series Content Security and Control Module (CSC SSM)

Cisco ASA 5500 Series 4-Port GE Services Module (4GE SSM)

Cisco ASDM v6.1

Security Dashboards

Packet Tracer

Packet Capture Wizard

10G ……

[Chart: Cisco 5500 Platform]

New: ASA 5580-40 (10-20 Gbps, 150K conn/s)

ASA 5580-20 (5-10 Gbps, 90K conn/s)

ASA 5550 (1.2 Gbps, 36K conn/s)

ASA 5540 (650 Mbps, 25K conn/s)

ASA 5520 (450 Mbps, 12K conn/s)

ASA 5510 (300 Mbps, 9K conn/s)

ASA 5505 (150 Mbps, 4K conn/s)

Teleworker / Branch Office / Internet Edge / Data Center / Campus

Why Cisco 10G Firewall?

Cisco 10G New

• Connection Rate

• Real 10G

• OS

• Netflow

10G

Why Cisco UTM?

[Diagram: ASA 5500 deployment]

Remote Site: ASA 5580-20 A/S 5G FW + IPSec VPN + Anti-X

Data Center: A/S 5G Firewall (ASA)

Corporate LAN / Enterprise Network

Public Internet

Wireless LAN / DMZ

Network: ASA 5580-40 A/A 10G Firewall

Business Partners: ASA 5580-20 Firewall + SSL/IPSec VPN

ASA 5500 FW + SSL/IPSec VPN + IPS