Post on 10-Jan-2016

Page 1

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 1

Cisco ASA 5500 Series: Don't Be Afraid of It

Tomáš Chott at Cisco

[email protected]

Page 2

Agenda

Cisco ASA 5500 Series Software Feature Overview

Cisco ASA 5500 Series Platforms and Modules

Cisco ASDM 6.0

Teleworker Deployment Model

Demo Scenario

Configuration tasks

Page 3

Cisco ASA 5500 Series: Breadth and Depth
Industry-First Scalable, Multi-Function, Feature-Rich Appliance

Firewall with Application Layer Security
• Multi-layer packet and traffic analysis
• Advanced application and protocol inspection services
• Network application controls
• Advanced VoIP/multimedia security

Access Control and Authentication
• Flexible user- and network-based access control services
• Stateful packet inspection
• Integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID

IPS and Anti-X Defenses
• Real-time protection from application- and OS-level attacks
• Network-based worm and virus mitigation
• Spyware, adware, malware detection and control
• On-box event correlation and proactive response

Cisco Intelligent Networking Services
• Low latency
• Diverse topologies
• Multicast support
• Services virtualization
• Network segmentation and partitioning
• Routing, resiliency, load-balancing

SSL and IPSec Connectivity
• Threat-protected SSL and IPSec VPN services
• Zero-touch, automatically updateable IPSec remote access
• Flexible clientless and full-tunneling client SSL VPN services
• QoS/routing-enabled site-to-site VPN

Page 4

Cisco ASA 5500 Series Product Lineup
Solutions Ranging from SMB to Large Enterprise

Cisco ASA 5505 (Target Market: Teleworker / Branch Office / SMB)
  Performance: Max Firewall 150 Mbps; Max Firewall + IPS: Future; Max IPSec VPN 100 Mbps; Max IPSec/SSL VPN Peers 25/25
  Platform Capabilities: Max Firewall Conns 10,000/25,000 (Sec Plus); Max Conns/Second 3,000; Packets/Second (64 byte) 85,000; Base I/O 8-port FE switch; VLANs Supported 3/20 (trunk); HA Supported: Stateless A/S (Sec Plus)

Cisco ASA 5510 (Target Market: SMB and SME)
  Performance: Max Firewall 300 Mbps; Max Firewall + IPS 300 Mbps; Max IPSec VPN 170 Mbps; Max IPSec/SSL VPN Peers 250/250
  Platform Capabilities: Max Firewall Conns 50,000/130,000 (Sec Plus); Max Conns/Second 6,000; Packets/Second (64 byte) 190,000; Base I/O 5 FE; VLANs Supported 50/100 (Sec Plus); HA Supported: A/A and A/S (Sec Plus)

Cisco ASA 5520 (Target Market: Enterprise Medium)
  Performance: Max Firewall 450 Mbps; Max Firewall + IPS 375 Mbps; Max IPSec VPN 225 Mbps; Max IPSec/SSL VPN Peers 750/750
  Platform Capabilities: Max Firewall Conns 280,000; Max Conns/Second 9,000; Packets/Second (64 byte) 320,000; Base I/O 4 GE + 1 FE; VLANs Supported 150; HA Supported: A/A and A/S

Cisco ASA 5540 (Target Market: Enterprise Large)
  Performance: Max Firewall 650 Mbps; Max Firewall + IPS 450 Mbps; Max IPSec VPN 325 Mbps; Max IPSec/SSL VPN Peers 5000/2500
  Platform Capabilities: Max Firewall Conns 400,000; Max Conns/Second 20,000; Packets/Second (64 byte) 500,000; Base I/O 4 GE + 1 FE; VLANs Supported 200; HA Supported: A/A and A/S

Cisco ASA 5550 (Target Market: Enterprise)
  Performance: Max Firewall 1.2 Gbps; Max Firewall + IPS: N/A; Max IPSec VPN 425 Mbps; Max IPSec/SSL VPN Peers 5000/5000
  Platform Capabilities: Max Firewall Conns 650,000; Max Conns/Second 28,000; Packets/Second (64 byte) 600,000; Base I/O 8 GE + 1 FE; VLANs Supported 250; HA Supported: A/A and A/S

Page 5

Wide Range of Cisco ASA 5500 Series Security Service Modules (SSMs)

IPS Security Services Module (AIP SSM)
• Provides full-featured IPS and IDS services for protection of critical network assets
• Available in two models: SSM-10 and SSM-20
• Delivers up to 450 Mbps of IPS throughput
• Has thumbscrews for easy insertion/removal
• 10/100/1000 out-of-band management port
• Supported on ASA 5510, 5520, and 5540

Anti-X Security Services Module (CSC SSM)
• Provides full-featured Anti-X services (anti-virus, anti-spyware, anti-spam, anti-phishing, URL filtering, and more)
• Available in two models: SSM-10 and SSM-20
• Anti-virus and anti-spyware services licensed by number of users, others optional add-on
• Supported on ASA 5510, 5520, and 5540

4-Port GE Services Module (4GE SSM)
• I/O module offers four copper 10/100/1000 ports in addition to four SFP ports for improved flexibility and network segmentation
• Customers can use up to four ports total out of these eight ports, with the ability to mix and match copper and optical GE ports
• Supported on ASA 5510, 5520, and 5540

Page 6

Cisco Adaptive Security Device Manager v6.0
Introduces a Wealth of New Features and Usability Enhancements

Fresh new interface provides easy access to all services offered by ASA

Security Dashboards

Packet Tracer

Packet Capture

Provides live ACL hitcount in firewall rule table for easy policy auditing

Real-Time Syslog Viewer

Syslog to ACL correlation features

New Wizards

Page 7

Typical customer requirements

Address translation (NAT)

Traffic inspection at L2-L7

Support for dynamic applications

Branch office connectivity

Remote Access VPN

Web VPN (SSL VPN)

Protection against threats from the Internet

Page 8

Teleworker Deployment Model
Easy to Install Modern Networking Services

Diagram segments: Home VLAN, Internet VLAN, Business VLAN

Secure access to both Home and Internet VLANs

Power over Ethernet for IP Phones and WiFi Access Points

Secure access for a wide range of applications through the Internet VLAN

DHCP Server Services

DHCP and Dynamic DNS services

PPPoE support

Backup ISP support (Security Plus)

Page 9

ASA for the first time

# show version          (software version, licensed features, uptime)

# show run              (running configuration)

# show flash            (images and files stored in flash)

# configure terminal    (enter configuration mode)

(config)# configure factory-default   (load the factory-default configuration)

# write memory / write erase   (save the running configuration / erase the startup configuration)

# reload                (restart the appliance)

Page 10

Configuration tasks

Allow only authorized access
SSH access
Logging
DHCP
Allow traffic using ACLs
NAT
Traffic inspection
AAA rules
Protection against attacks
Monitoring
...

Page 11

Demo scenario

VLAN 10 – INSIDE, VLAN 20 – OUTSIDE, VLAN 30 – DMZ

Topology labels from the slide diagram:

Inside E0/1
DMZ E0/7
Outside E0/0 Internet
HTTP server
10.0.0.1
172.16.1.1
10.0.0.0/24
172.16.1.10
DHCP
Syslog server
HTTP server

Policy labels: Allow HTTP; Allow HTTP, ICMP; Allow everything, inspect HTTP and FTP

Page 12

External demos

SSL VPN demo

https://vpndemo-external.cisco.com

ASDM demo

http://www.cisco.com/go/asdm

Page 13

Q and A

Page 14