Firewall + IPS Update
Bruno Pedersoli, System Engineer | Comstor
Agenda
• Cisco ASA 5500-X Overview
• Hardware
• Software
• Management
• Q & A
ASA 5500-X Series (Saleen)
Overview
The ASA 5500 series has been shipping since 2005 and is the firewall of choice for small businesses and large enterprises alike. Current mid-range models:
• ASA 5510: 300 Mbps firewall throughput
• ASA 5520: 450 Mbps firewall throughput
• ASA 5540: 650 Mbps firewall throughput
• ASA 5550: 1.2 Gbps firewall throughput
Cisco’s Current Mid-range ASA Product Portfolio (Benetton)
Five new models to meet varied throughput demands:
• ASA 5512-X: 1 Gbps firewall throughput
• ASA 5515-X: 1.2 Gbps firewall throughput
• ASA 5525-X: 2 Gbps firewall throughput
• ASA 5545-X: 3 Gbps firewall throughput
• ASA 5555-X: 4 Gbps firewall throughput
1. Multi-gig performance, to meet growing throughput requirements
2. Accelerated integrated services (no extra hardware required), to support changing business needs
3. Next-gen services enabled platform, to provide investment protection
Next-Generation Security Services Platforms
Cisco ASA 5500 Series Portfolio: comprehensive solutions from SOHO to the Data Center
(Slide chart: the vertical axis is performance and scalability; the horizontal axis runs SOHO, Branch Office, Internet Edge, Campus, Data Center. Figures are firewall throughput and connections per second.)

Multi-service (firewall/VPN and IPS):
• ASA 5585-X SSP-60 (40 Gbps, 350K cps)
• ASA 5585-X SSP-40 (20 Gbps, 200K cps)
• ASA 5585-X SSP-20 (10 Gbps, 125K cps)
• ASA 5585-X SSP-10 (4 Gbps, 50K cps)
• NEW: ASA 5555-X (4 Gbps, 50K cps)
• NEW: ASA 5545-X (3 Gbps, 30K cps)
• NEW: ASA 5525-X (2 Gbps, 20K cps)
• NEW: ASA 5515-X (1.2 Gbps, 15K cps)
• NEW: ASA 5512-X (1 Gbps, 10K cps)
• ASA 5550 (1.2 Gbps, 36K cps)
• ASA 5540 (650 Mbps, 25K cps)
• ASA 5520 (450 Mbps, 12K cps)
• ASA 5510+ (300 Mbps, 9K cps)
• ASA 5510 (300 Mbps, 9K cps)

Firewall/VPN only (SOHO):
• ASA 5505 (150 Mbps, 4K cps)
Next Generation ASA Mid-Range Appliances: At-A-Glance

ASA 5500-X H/W features:
• 64-bit multi-core processor
• Up to 16 GB of memory
• Built-in multi-core crypto accelerator hardware
• Dedicated IPS hardware acceleration (regex) card (on the 5525-X, 5545-X and 5555-X per the platform matrix)
• Up to 14 1GE ports
• Copper and fiber I/O options
• Firewall, VPN and IPS services
• Dedicated OOB management port

Customer benefits:
• Performance
• Density
• Flexibility
• Integrated services
• Management consolidation
Hardware
• Long chassis (5545-X and 5555-X): hot-swappable redundant dual power supply
• Hot-swappable hard-disk drive bays
• Fan vent for front-to-back airflow
• Short chassis (5512-X, 5515-X and 5525-X): fixed single power supply
(The slide's chassis drawings are labelled 14'' and 19''.)
Back panels (slide photos, callouts only)

ASA 5512-X / ASA 5515-X back panel:
• I/O expansion slot
• Status LEDs
• Serial console
• USB port
• 6 x 1GE Cu ports
• Fixed power supply
• Dedicated management port (1GE)

ASA 5525-X back panel:
• I/O expansion slot
• Status LEDs
• Serial console
• USB port
• 8 x 1GE Cu ports
• Fixed power supply
• Dedicated management port (1GE)

ASA 5545-X / ASA 5555-X back panel:
• I/O expansion slot
• Status LEDs
• Serial console
• USB port
• 8 x 1GE Cu ports
• Redundant hot-swappable PSUs
• Dedicated management port (1GE)

Back-view summary: ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X
Physical Specifications

| Model | Height | Width | Depth | Weight |
|---|---|---|---|---|
| 5512-X, 5515-X | 1.67" | 16.7" | 15.6" | 13.38 kg |
| 5525-X | 1.67" | 16.7" | 15.6" | 14.92 kg |
| 5545-X, 5555-X | 1.67" | 16.7" | 19.1" | 16.82 kg |

Environmental Specifications
• Temperature: operating 0 °C to +40 °C; non-operating -30 °C to +70 °C
• Humidity range: non-operating 5% to 95% RH (non-condensing)
• Altitude: operating 0 to 3024 m; non-operating up to 4572 m
• Airflow: front to back
Optional Accessories: Redundant Power Supply

| Model | Power supply (spare SKU) |
|---|---|
| ASA 5545-X | ASA-PWR-AC (ASA-PWR-AC=) |
| ASA 5555-X | ASA-PWR-AC (ASA-PWR-AC=) |

• Works in load-sharing mode when both PSUs are present.
• Power supply specifications: input rating 100-120 V / 5 A or 200-240 V / 2.5 A; leakage current 3.5 mA; operating power 382 W; power cord rating 10 A.
ASA 5500-X I/O Module Options
I/O expansion cards are available in two flavors, both available on all 5500-X platforms:
• 6-port 10/100/1000BASE-T (RJ-45) I/O NIC card
• 6-port 1GbE SFP I/O NIC card

| Platform | I/O card GbE (Cu), spare SKU | I/O card SFP, spare SKU | Total data ports |
|---|---|---|---|
| 5512-X, 5515-X | ASA-IC-6GE-CU-A, ASA-IC-6GE-CU-A= | ASA-IC-6GE-SFP-A, ASA-IC-6GE-SFP-A= | 12 |
| 5525-X | ASA-IC-6GE-CU-B, ASA-IC-6GE-CU-B= | ASA-IC-6GE-SFP-B, ASA-IC-6GE-SFP-B= | 14 |
| 5545-X, 5555-X | ASA-IC-6GE-CU-C, ASA-IC-6GE-CU-C= | ASA-IC-6GE-SFP-C, ASA-IC-6GE-SFP-C= | 14 |

Interface Options (SFP optics)
• Short reach: GLC-SX-MM, GLC-SX-MMD
• Long reach: GLC-LH-SM, GLC-LH-SMD
Saleen ASA Platform Matrix

| Specification | ASA 5512-X | ASA 5515-X | ASA 5525-X | ASA 5545-X | ASA 5555-X |
|---|---|---|---|---|---|
| Platform base | 1RU short chassis, 19" rack mountable | 1RU short chassis, 19" rack mountable | 1RU short chassis, 19" rack mountable | 1RU long chassis, 19" rack mountable | 1RU long chassis, 19" rack mountable |
| CPU | 1 x 2.8 GHz Intel 2C/2T | 1 x 3.06 GHz Intel 2C/4T | 1 x 2.40 GHz Intel 4C/4T | 1 x 2.66 GHz Intel 4C/8T | 1 x 2.80 GHz Intel 4C/8T |
| DRAM | 4 GB | 8 GB | 8 GB | 12 GB | 16 GB |
| Regex accelerator mezzanine card | N/A | N/A | 1 | 1 | 1 |
| Compact flash | 4 GB eUSB | 8 GB eUSB | 8 GB eUSB | 8 GB eUSB | 8 GB eUSB |
| I/O ports | 6 x 1GbE Cu + 1 x 1GbE Cu mgmt | 6 x 1GbE Cu + 1 x 1GbE Cu mgmt | 8 x 1GbE Cu + 1 x 1GbE Cu mgmt | 8 x 1GbE Cu + 1 x 1GbE Cu mgmt | 8 x 1GbE Cu + 1 x 1GbE Cu mgmt |
| Optional I/O module | 6 x 1GbE Cu or 6 x 1GbE SFP | 6 x 1GbE Cu or 6 x 1GbE SFP | 6 x 1GbE Cu or 6 x 1GbE SFP | 6 x 1GbE Cu or 6 x 1GbE SFP | 6 x 1GbE Cu or 6 x 1GbE SFP |
| Power | Single fixed AC | Single fixed AC | Single fixed AC | Dual hot-swappable redundant AC | Dual hot-swappable redundant AC |
| Crypto capacity | 1 x crypto chip, 4C | 1 x crypto chip, 4C | 1 x crypto chip, 4C | 1 x crypto chip, 8C | 1 x crypto chip, 8C |
Saleen hardware comparison with ASA 5510 – ASA 5550

| ASA 5510 – ASA 5550 | ASA 5512-X – ASA 5555-X |
|---|---|
| Single-core CPU | Multi-core CPU |
| 1 GB to 4 GB DDR1 RAM | 4 GB to 16 GB DDR3 RAM |
| Base I/O ports limited to 4 x 1GbE copper interfaces | Base I/O ports up to 8 x 1GbE copper interfaces |
| 4 x 1GbE I/O port expansion module | 6 x 1GbE copper or fiber SFP I/O expansion module |
| IPS on SSM card | Integrated IPS service within the same chassis |
| N/A | Redundant hot-swappable power supply units |
| N/A | Regex accelerator card |
| N/A | Hard disk support |
ASA 5512-X versus ASA 5510

| | ASA 5510 | ASA 5512-X |
|---|---|---|
| Price | $3,495 | $3,995 |
| Firewall throughput (max) | 300 Mbps | 1 Gbps |
| Firewall throughput (EMIX) | Not measured | 500 Mbps |
| IPS throughput (media rich) | 150 Mbps | 300 Mbps |
| VPN throughput | 170 Mbps | 200 Mbps |
| Connections (max) | 50,000 | 100,000 |
| Connections per second | 9,000 | 10,000 |
| VLANs | 50 | 50 |
| Security contexts (incl/max) | 0/0 | 0/0 |
| High availability and VPN clustering | No | No |
| Services | IPS, VPN, Content Security | IPS, VPN, next-gen services* |
| Service restriction | IPS, Content Security and I/O expansion mutually exclusive | No restriction (multiple services run at the same time in software) |
| Site-to-site / IPsec IKEv1 client / AnyConnect / clientless VPN sessions | 250 | 250 |
| Integrated network I/O | 5 FE | 6 GE |
| Dedicated management port | No | Yes (GE) |
| Expansion I/O | 4-port GE, 4-port GE SFP | 6-port GE Cu, 6-port GE SFP |
| CPU | Single-core | Multi-core |
| RAM | 1 GB | 4 GB |

Key changes
• Performance: 4X firewall throughput; increased IPS and VPN throughput
• Hardware: multi-core instead of single-core CPU; 4X memory; dedicated management port; one additional integrated I/O port; two additional expansion I/O ports; GE instead of FE ports; expansion slot now only for I/O expansion
• Services: IPS does not require a hardware module; next-gen services ready

* Content Security Service to be made available as a ScanSafe connector on the ASA; next-gen services can be added without requiring an additional hardware module.
ASA 5515-X versus ASA 5510+

| | ASA 5510+ | ASA 5515-X |
|---|---|---|
| Price | $4,495 | $4,995 |
| Firewall throughput (max) | 300 Mbps | 1.2 Gbps |
| Firewall throughput (EMIX) | Not measured | 600 Mbps |
| IPS throughput (media rich) | 300 Mbps | 400 Mbps |
| VPN throughput | 170 Mbps | 250 Mbps |
| Connections (max) | 100,000 | 250,000 |
| Connections per second | 9,000 | 15,000 |
| VLANs | 100 | 100 |
| Security contexts (incl/max) | 2/20 | 2/20 |
| High availability and VPN clustering | Yes | Yes |
| Services | IPS, VPN, Content Security | IPS, VPN, next-gen services* |
| Service restriction | IPS, Content Security and I/O expansion mutually exclusive | No restriction (multiple services run at the same time in software) |
| Site-to-site / IPsec IKEv1 client / AnyConnect / clientless VPN sessions | 250 | 250 |
| Integrated network I/O | 2 GE, 3 FE | 6 GE |
| Dedicated management port | No | Yes (GE) |
| Expansion I/O | 4-port GE, 4-port GE SFP | 6-port GE Cu, 6-port GE SFP |
| CPU | Single-core | Multi-core |
| RAM | 1 GB | 8 GB |

Key changes
• Security Plus license not required
• Performance: 4X firewall throughput; increased IPS and VPN throughput
• Hardware: multi-core instead of single-core CPU; 8X memory; dedicated management port; one additional integrated I/O port; two additional expansion I/O ports; all GE ports instead of FE ports; expansion slot now only for I/O expansion
• Services: IPS does not require a hardware module; next-gen services ready

* Same footnote as the ASA 5512-X comparison: Content Security Service to be made available as a ScanSafe connector on the ASA; next-gen services can be added without an additional hardware module.
ASA 5525-X versus ASA 5520

| | ASA 5520 | ASA 5525-X |
|---|---|---|
| Price | $7,995 | $8,995 |
| Firewall throughput (max) | 450 Mbps | 2 Gbps |
| Firewall throughput (EMIX) | Not measured | 1 Gbps |
| IPS throughput (media rich) | 450 Mbps | 600 Mbps |
| VPN throughput | 225 Mbps | 300 Mbps |
| Connections (max) | 280,000 | 500,000 |
| Connections per second | 12,000 | 20,000 |
| VLANs | 150 | 200 |
| Security contexts (incl/max) | 2/20 | 2/20 |
| High availability and VPN clustering | Yes | Yes |
| Services | IPS, VPN, Content Security | IPS, VPN, next-gen services* |
| Service restriction | IPS, Content Security and I/O expansion mutually exclusive | No restriction (multiple services run at the same time in software) |
| Site-to-site / IPsec IKEv1 client / AnyConnect / clientless VPN sessions | 750 | 750 |
| Integrated network I/O | 4 GE + 1 FE | 8 GE |
| Dedicated management port | No | Yes (GE) |
| Expansion I/O | 4-port GE, 4-port GE SFP | 6-port GE Cu, 6-port GE SFP |
| CPU | Single-core | Multi-core |
| RAM | 2 GB | 8 GB |

Key changes
• Performance: 4X firewall throughput; increased IPS and VPN throughput
• Hardware: multi-core instead of single-core CPU; 4X memory; dedicated management port; three additional integrated I/O ports; two additional expansion I/O ports; expansion slot now only for I/O expansion
• Services: IPS does not require a hardware module; next-gen services ready

* Same footnote as the ASA 5512-X comparison: Content Security Service to be made available as a ScanSafe connector on the ASA; next-gen services can be added without an additional hardware module.
ASA 5545-X versus ASA 5540

| | ASA 5540 | ASA 5545-X |
|---|---|---|
| Price | $16,995 | $17,995 |
| Firewall throughput (max) | 650 Mbps | 3 Gbps |
| Firewall throughput (EMIX) | Not measured | 1.5 Gbps |
| IPS throughput (media rich) | 650 Mbps | 900 Mbps |
| VPN throughput | 325 Mbps | 400 Mbps |
| Connections (max) | 400,000 | 750,000 |
| Connections per second | 25,000 | 30,000 |
| VLANs | 200 | 300 |
| Security contexts (incl/max) | 2/50 | 2/50 |
| High availability and VPN clustering | Yes | Yes |
| Services | IPS, VPN, Content Security | IPS, VPN, next-gen services* |
| Service restriction | IPS, Content Security and I/O expansion mutually exclusive | No restriction (multiple services run at the same time in software) |
| Site-to-site / IPsec IKEv1 client / AnyConnect / clientless VPN sessions | 5000 / 2500 | 2500 |
| Integrated network I/O | 4 GE + 1 FE | 8 GE |
| Dedicated management port | No | Yes (GE) |
| Expansion I/O | 4-port GE, 4-port GE SFP | 6-port GE Cu, 6-port GE SFP |
| CPU | Single-core | Multi-core |
| RAM | 2 GB | 12 GB |
| Redundant power | No | Yes |

Key changes
• Performance: 4X firewall throughput; increased IPS and VPN throughput
• Hardware: multi-core instead of single-core CPU; 6X memory; dedicated management port; three additional integrated I/O ports; two additional expansion I/O ports; expansion slot now only for I/O expansion
• Services: IPS does not require a hardware module; next-gen services ready

* Same footnote as the ASA 5512-X comparison: Content Security Service to be made available as a ScanSafe connector on the ASA; next-gen services can be added without an additional hardware module.
ASA 5555-X versus ASA 5550

| | ASA 5550 | ASA 5555-X |
|---|---|---|
| Price | $19,995 | $24,995 |
| Firewall throughput (max) | 1.2 Gbps | 4 Gbps |
| Firewall throughput (EMIX) | Not measured | 2 Gbps |
| IPS throughput (media rich) | Not applicable | 1.3 Gbps |
| VPN throughput | 425 Mbps | 700 Mbps |
| Connections (max) | 600,000 | 1,000,000 |
| Connections per second | 36,000 | 50,000 |
| VLANs | 400 | 500 |
| Security contexts (incl/max) | 2/100 | 2/100 |
| High availability and VPN clustering | Yes | Yes |
| Services | VPN only | IPS, VPN, next-gen services* |
| Site-to-site / IPsec IKEv1 client / AnyConnect / clientless VPN sessions | 5000 | 5000 |
| Integrated network I/O | 8 GE + 1 FE | 8 GE |
| Dedicated management port | No | Yes (GE) |
| Expansion I/O | Not available | 6-port GE Cu, 6-port GE SFP |
| CPU | Single-core | Multi-core |
| RAM | 4 GB | 16 GB |
| Redundant power | No | Yes |

Key changes
• Performance: 4X firewall throughput; increased IPS and VPN throughput
• Hardware: multi-core instead of single-core CPU; 4X memory; dedicated management port; expansion I/O now available
• Services: IPS does not require a hardware module; next-gen services ready

* Same footnote as the ASA 5512-X comparison: Content Security Service to be made available as a ScanSafe connector on the ASA; next-gen services can be added without an additional hardware module.
Licensing Changes: ASA Licensing

New Feature – IPS Module (Enabling IPS Service)
• A new licensing feature was introduced to enable the use of the IPS software module.
• Traffic destined to the IPS will be dropped by the ASA if this license is not enabled AND 'fail-close' is configured on the service policy; with 'fail-open' the ASA forwards that traffic uninspected instead.
• An IPS Signature Update license is required on top of the above license.
• All other license features remain unchanged and are based on the ASA 8.4.2 software.
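Worked example (added here; not from the slides or from Cisco documentation): the ASA-side service policy that steers traffic to the software IPS module, with the license check done first so that a fail-close policy does not silently blackhole the inside network. The interface name, ACL, class/policy names and the 10.10.0.0/16 address are illustrative assumptions.

```cisco
! Added example; names, addresses and the ACL are assumptions.

! 1. Check the licensed features (the IPS module feature must show as enabled)
!    and that the module is up before relying on fail-close.
ciscoasa# show activation-key
ciscoasa# show module 1 details

! 2. Select the traffic to be inspected: here everything sourced from the inside net.
ciscoasa(config)# access-list IPS_TRAFFIC extended permit ip 10.10.0.0 255.255.0.0 any
ciscoasa(config)# class-map IPS_CLASS
ciscoasa(config-cmap)# match access-list IPS_TRAFFIC
ciscoasa(config-cmap)# exit

! 3. Send matching flows to the module inline.
!    fail-close: module down, unlicensed or not responding -> matching traffic is DROPPED.
!    fail-open:  same conditions -> traffic is forwarded UNINSPECTED (availability first).
ciscoasa(config)# policy-map IPS_POLICY
ciscoasa(config-pmap)# class IPS_CLASS
ciscoasa(config-pmap-c)# ips inline fail-close
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit

! 4. Apply on the inside interface only; a global service-policy would also
!    push every other interface's traffic through the module.
ciscoasa(config)# service-policy IPS_POLICY interface inside

! 5. Verify that the policy is attached and that packets are being redirected.
ciscoasa# show service-policy interface inside
```

Promiscuous mode (`ips promiscuous fail-open`) is the alternative: the module only receives a copy of the traffic and cannot drop it, so fail-close has no meaning there. Whichever mode is used, the `show activation-key` output is the first thing to check when IPS-bound traffic starts disappearing after an upgrade or a license change.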
ASA Management Model
• Dedicated out-of-band management port M0/0
• Failover and VLAN sub-interface features are not configurable on M0/0
• ASA and integrated IPS management are independent of each other; the management model is similar to previous ASA/SSM appliances
• ASA and IPS software module have separate management IP addresses but share the same physical port M0/0 for outbound connectivity
• ASA can log the IPS module's console messages: "show module 1 log console"
• ASA configures and manages all external data ports

ASA and IPS Management Model (1/2): similarities with SSM/SSP
• ASA and IPS are managed very similarly to previous SSM/SSP deployments.
• ASA is used to recover, reload, shut down, etc. the IPS.
• ASA is used to configure service policies that pass traffic to the IPS.
• ASA and IPS have unique IP addresses for management purposes.
• ASDM, IME and IDM behave the same.

ASA and IPS Management Model (2/2): differences with SSM/SSP
• ASA and IPS share the only dedicated management port on the box.
• IPS must use the dedicated management port. The ASA itself can be managed through any port on the box.
• When ASA and IPS share the dedicated management port, the ASA and IPS IP addresses should be within the same subnet.
• The IPS image stored on the embedded flash is used to recover the software module, instead of downloading the image over the SSM/SSP dedicated management port.
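Worked example (added here, not part of the presentation): the command sequence behind the management model above, ASA side and IPS side. The 192.168.1.0/24 addresses, the hostnames and the recovery image filename are assumptions; the IPS-side commands are the IPS 7.x CLI reached through `session ips`.

```cisco
! Added example; addresses, hostnames and the image filename are assumptions.

! ASA's own address on the shared OOB port M0/0. Failover and VLAN
! sub-interfaces are not supported on this interface, so keep it management-only.
ciscoasa(config)# interface Management0/0
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# management-only
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

! Recover/(re)install the software module from the image on embedded flash;
! nothing is pulled over the management port.
ciscoasa# sw-module module ips recover configure image disk0:IPS-SSP_5545_K9-sys-1.1-a-7.1-4-E4.aip
ciscoasa# sw-module module ips recover boot

! Give the module its own IP in the SAME subnet as the ASA management IP,
! and restrict which hosts may manage it. Default credentials must be changed
! at first login.
ciscoasa# session ips
sensor login: cisco
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# host-ip 192.168.1.2/24,192.168.1.1
sensor(config-hos-net)# host-name sensor
sensor(config-hos-net)# telnet-option disabled
sensor(config-hos-net)# access-list 192.168.1.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes

! Back on the ASA: watch the module's console while it boots, then check state and version.
ciscoasa# show module 1 log console
ciscoasa# show module 1 details

! Module lifecycle is driven from the ASA, as with SSM/SSP.
ciscoasa# sw-module module ips reload
ciscoasa# sw-module module ips shutdown
```

The IPS `setup` wizard collects the same host settings interactively; the `service host` form above is what it writes. Because ASA and IPS share one physical port, the IPS `access-list` is the only thing limiting who can reach the sensor's SSH/HTTPS management, so keep it as narrow as the management subnet allows.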
Management Software Support
• ASDM 6.6.1.14 and above
• IME software 7.2.1 and above
• Cisco Security Manager 4.3: unified and comprehensive firewall, VPN and IPS management (Device View, Policy View, Map View, Event View); Saleen H/W support in an upcoming release
SKU Makeup (using the ASA 5545-X as an example)
All hardware SKUs: ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X
Sample BOMs (Firewall + Single Option)
Sample BOMs (Firewall + IPS + Options)
Ordering tip: with IPS, always start with ASAxxx-IPS-K9
IPS 43xx Series Mid-Range Appliances

IPS 43xx back panel (slide photo callouts):
• Single I/O expansion slot
• Single management port
• Serial console port
• USB ports
• 8 x 1GbE ports (numbered left to right)
• 4360: dual power supply

IPS 43xx platform matrix; hardware comparison with IPS 4240, IPS 4255 and IPS 4260

High-performance and resiliency features on the IPS 43xx Series:
• SMP-enabled kernel
• 64-bit architecture
• Environment monitoring
• Jumbo-frame support
• Flow-control support
• Hardware regex accelerator support for the IPS string-XL engine
IPS Software
• IPS SSP modules are based on the 7.1(4) release, with platform support for the new hardware
• Based on the ASA 5585-X line of code
• Supports the existing E4 engine update
• Supports all the latest signature updates; signature S615 is bundled with the Saleen images
• IDM version 7.1.4 is included with the IPS image
• IME version 7.2.1 provides full support
• CSM support with version 4.3
• IPS 7.1(4) supports all -X platforms (including the 5585-X); additional CFD bug fixes and a few serviceability enhancements are also included in this version

Questions