Cisco ASA 5500 Series: Don't Be Afraid of It
DESCRIPTION
Cisco ASA 5500 Series: Don't Be Afraid of It. Tomáš Chott at Cisco, tomas.chott@lsg-global.com. Agenda: Cisco ASA 5500 Series Software Feature Overview; Cisco ASA 5500 Series Platforms and Modules; Cisco ASDM 6.0; Teleworker Deployment Model; Demo Scenario; Configuration tasks.
TRANSCRIPT
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
Cisco ASA 5500 Series: Don't Be Afraid of It
Tomáš Chott at Cisco
Agenda
Cisco ASA 5500 Series Software Feature Overview
Cisco ASA 5500 Series Platforms and Modules
Cisco ASDM 6.0
Teleworker Deployment Model
Demo Scenario
Configuration tasks
Cisco ASA 5500 Series: Breadth and Depth
Industry-First Scalable, Multi-Function, Feature-Rich Appliance

Firewall with Application Layer Security
• Multi-layer packet and traffic analysis
• Advanced application and protocol inspection services
• Network application controls
• Advanced VoIP/multimedia security

Access Control and Authentication
• Flexible user- and network-based access control services
• Stateful packet inspection
• Integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID

IPS and Anti-X Defenses
• Real-time protection from application- and OS-level attacks
• Network-based worm and virus mitigation
• Spyware, adware, malware detection and control
• On-box event correlation and proactive response

Cisco Intelligent Networking Services
• Low latency
• Diverse topologies
• Multicast support
• Services virtualization
• Network segmentation and partitioning
• Routing, resiliency, load-balancing

SSL and IPSec Connectivity
• Threat-protected SSL and IPSec VPN services
• Zero-touch, automatically updateable IPSec remote access
• Flexible clientless and full-tunneling client SSL VPN services
• QoS/routing-enabled site-to-site VPN
Cisco ASA 5500 Series Product Lineup
Solutions Ranging from SMB to Large Enterprise

Performance
Model      Target market                      Max firewall   Max firewall + IPS   Max IPSec VPN   Max IPSec/SSL VPN peers
ASA 5505   Teleworker / Branch Office / SMB   150 Mbps       Future               100 Mbps        25/25
ASA 5510   SMB and SME                        300 Mbps       300 Mbps             170 Mbps        250/250
ASA 5520   Enterprise Medium                  450 Mbps       375 Mbps             225 Mbps        750/750
ASA 5540   Enterprise Large                   650 Mbps       450 Mbps             325 Mbps        5000/2500
ASA 5550   Enterprise                         1.2 Gbps       N/A                  425 Mbps        5000/5000

Platform capabilities
Model      Max firewall conns   Max conns/second   Packets/second (64 byte)   Base I/O           VLANs supported   HA supported
ASA 5505   10,000/25,000        3,000              85,000                     8-port FE switch   3/20 (trunk)      Stateless A/S (Sec Plus)
ASA 5510   50,000/130,000       6,000              190,000                    5 FE               50/100            A/A and A/S (Sec Plus)
ASA 5520   280,000              9,000              320,000                    4 GE + 1 FE        150               A/A and A/S
ASA 5540   400,000              20,000             500,000                    4 GE + 1 FE        200               A/A and A/S
ASA 5550   650,000              28,000             600,000                    8 GE + 1 FE        250               A/A and A/S

In the "Max firewall conns" and "VLANs supported" columns, x/y means Base license / Security Plus license; in the VPN peers column, x/y means IPSec / SSL peers.
Wide Range of Cisco ASA 5500 Series Security Service Modules (SSMs)

IPS Security Services Module (AIP SSM)
• Provides full-featured IPS and IDS services for protection of critical network assets
• Available in two models: SSM-10 and SSM-20
• Delivers up to 450 Mbps of IPS throughput
• Has thumbscrews for easy insertion/removal
• 10/100/1000 out-of-band management port
• Supported on ASA 5510, 5520, and 5540

Anti-X Security Services Module (CSC SSM)
• Provides full-featured Anti-X services (anti-virus, anti-spyware, anti-spam, anti-phishing, URL filtering, and more)
• Available in two models: SSM-10 and SSM-20
• Anti-virus and anti-spyware services licensed by number of users; the others are optional add-ons
• Supported on ASA 5510, 5520, and 5540

4-Port GE Services Module (4GE SSM)
• I/O module offering four copper 10/100/1000 ports in addition to four SFP ports for improved flexibility and network segmentation
• Customers can use up to four ports in total out of these eight, mixing and matching copper and optical GE ports
• Supported on ASA 5510, 5520, and 5540
Cisco Adaptive Security Device Manager v6.0
Introduces a Wealth of New Features and Usability Enhancements
Fresh new interface provides easy access to all services offered by ASA
Security Dashboards
Packet Tracer
Packet Capture
Provides live ACL hitcount in firewall rule table for easy policy auditing
Real-Time Syslog Viewer
Syslog to ACL correlation features
New Wizards
Typical customer requirements
• Address translation (NAT)
• Traffic inspection at layers 2 to 7
• Support for dynamic applications
• Branch office connectivity
• Remote Access VPN
• Web VPN (SSL VPN)
• Protection against threats from the Internet
Teleworker Deployment Model
Easy to Install Modern Networking Services

VLANs in the diagram: Home VLAN, Internet VLAN, Business VLAN
• Secure access to both Home and Internet VLANs
• Power over Ethernet for IP Phones and WiFi Access Points
• Secure access for a wide range of applications through the Internet VLAN
• DHCP Server Services
• DHCP and Dynamic DNS services
• PPPoE support
• Backup ISP support (Security Plus)
First steps on the ASA
# show version                        (software version, license, serial number, installed modules)
# show run                            (running configuration)
# show flash                          (images and files stored in flash)
# configure terminal                  (enter global configuration mode)
(config)# configure factory-default   (restore the factory default configuration)
# write memory / write erase          (save the running config to startup / clear the startup config)
# reload                              (reboot the appliance)
Configuration tasks
• Allowing only authorized access
• SSH access
• Logging
• DHCP
• Permitting traffic with ACLs
• NAT
• Traffic inspection
• AAA rules
• Protection against attacks
• Monitoring
• ...
Demo scenario (diagram)
VLAN 10 – INSIDE, VLAN 20 – OUTSIDE, VLAN 30 – DMZ
Interfaces: Inside E0/1, DMZ E0/7, Outside E0/0 (Internet)
Addresses shown: 10.0.0.1, 10.0.0.0/24, 172.16.1.1, 172.16.1.10
Hosts shown: HTTP server (outside), HTTP server (DMZ), DHCP, Syslog server
Policy per zone: Allow HTTP; Allow HTTP and ICMP; Allow everything, with HTTP and FTP inspection
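The first-steps commands, the configuration-task list and the demo topology above, worked through as one complete ASA 5505 configuration. This is an added example, not the presentation's own demo configuration. It assumes ASA software 8.0 (pre-8.3 NAT syntax, threat detection available) and takes from the diagram only the inside address 10.0.0.1/24, the outside address 172.16.1.1 and the published web server address 172.16.1.10; everything else is a lab assumption not in the original: a /24 on the outside with gateway 172.16.1.254, the DMZ subnet 192.168.30.0/24 with the HTTP server at 192.168.30.10, a syslog and DNS server at 10.0.0.5, and the hostname, domain and passwords.

```cisco
! ASA 5505 / software 8.0, entered on a box cleared with "write erase" + "reload".
! "show version" first: the Base license gives 3 VLANs with one restricted pair
! (handled by "no forward interface" below); Security Plus lifts that limit.
! All addresses not in the slide diagram are lab assumptions.
hostname asa-demo
domain-name lab.example.com
enable password D3mo-Enable-Secret
! --- Interfaces: VLAN 10 inside (E0/1), VLAN 20 outside (E0/0), VLAN 30 DMZ (E0/7)
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Vlan20
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
interface Vlan30
 no forward interface Vlan10
 nameif dmz
 security-level 50
 ip address 192.168.30.1 255.255.255.0
interface Ethernet0/0
 switchport access vlan 20
interface Ethernet0/1
 switchport access vlan 10
interface Ethernet0/7
 switchport access vlan 30
route outside 0.0.0.0 0.0.0.0 172.16.1.254 1
! --- Authorized management only: local admin account, SSHv2 and ASDM from inside, no telnet
username admin password D3mo-Admin-Secret privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
crypto key generate rsa modulus 2048
ssh version 2
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 10
http server enable
http 10.0.0.0 255.255.255.0 inside
icmp permit 10.0.0.0 255.255.255.0 inside
icmp deny any outside
! --- Logging to the inside syslog server (assumed 10.0.0.5)
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging host inside 10.0.0.5
! --- DHCP for inside clients (32 addresses; the 5505 limits DHCP clients per license)
dhcpd address 10.0.0.100-10.0.0.131 inside
dhcpd dns 10.0.0.5
dhcpd enable inside
! --- NAT (pre-8.3 syntax): PAT for inside and DMZ, static for the published web
!     server, identity static so inside reaches the DMZ untranslated
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 192.168.30.0 255.255.255.0
static (dmz,outside) 172.16.1.10 192.168.30.10 netmask 255.255.255.255
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
! --- ACLs: outside -> HTTP to the published server and ICMP errors/replies only;
!     DMZ -> HTTP and ICMP but never into inside; inside -> everything
access-list OUTSIDE_IN extended permit tcp any host 172.16.1.10 eq www
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
access-list DMZ_IN extended deny ip any 10.0.0.0 255.255.255.0
access-list DMZ_IN extended permit tcp 192.168.30.0 255.255.255.0 any eq www
access-list DMZ_IN extended permit icmp 192.168.30.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
access-list INSIDE_IN extended permit ip 10.0.0.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
! --- Application inspection: HTTP with protocol-violation drop, FTP, DNS, ICMP
policy-map type inspect http HTTP_STRICT
 parameters
  protocol-violation action drop-connection log
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http HTTP_STRICT
  inspect dns
  inspect icmp
service-policy global_policy global
! --- Attack protection: anti-spoofing on outside, basic and scanning threat detection
ip verify reverse-path interface outside
threat-detection basic-threat
threat-detection scanning-threat shun
write memory
! --- Monitoring (exec mode): the CLI side of ASDM's Packet Tracer, Packet Capture
!     and live ACL hit counts
! packet-tracer input outside tcp 198.51.100.7 40000 172.16.1.10 80
! capture WEB interface outside match tcp any host 172.16.1.10 eq 80
! show access-list OUTSIDE_IN
```

On the Base license, `no forward interface Vlan10` makes the DMZ the restricted VLAN, so the explicit `DMZ_IN` deny towards inside is belt and braces; on Security Plus drop that interface line and keep the deny. The `static` for the web server only becomes reachable because `OUTSIDE_IN` permits TCP/80 to 172.16.1.10, and `show access-list` prints the same hit counters ASDM 6.0 shows in the rule table.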
External demos
SSL VPN demo
https://vpndemo-external.cisco.com
ASDM demo
http://www.cisco.com/go/asdm
Q and A