Cisco ASA 5500 Series: Don't be afraid of it
Tomáš Chott at Cisco, tomas.chott@lsg-global.com
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Agenda
§ Cisco ASA 5500 Series Software Feature Overview
§ Cisco ASA 5500 Series Platforms and Modules
§ Cisco ASDM 6.0
§ Teleworker Deployment Model
§ Demo Scenario
§ Configuration tasks
Cisco ASA 5500 Series: Breadth and Depth
Industry First Scalable, Multi-Function, Feature Rich Appliance

Firewall with Application Layer Security
§ Multi-layer packet and traffic analysis
§ Advanced application and protocol inspection services
§ Network application controls
§ Advanced VoIP/multimedia security

IPS and Anti-X Defenses
§ Real-time protection from application and OS level attacks
§ Network-based worm and virus mitigation
§ Spyware, adware, malware detection and control
§ On-box event correlation and proactive response

Access Control and Authentication
§ Flexible user and network based access control services
§ Stateful packet inspection
§ Integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID

SSL and IPSec Connectivity
§ Threat protected SSL and IPSec VPN services
§ Zero-touch, automatically updateable IPSec remote access
§ Flexible clientless and full tunneling client SSL VPN services
§ QoS/routing-enabled site-to-site VPN

Cisco Intelligent Networking Services
§ Low latency
§ Diverse topologies
§ Multicast support
§ Services virtualization
§ Network segmentation & partitioning
§ Routing, resiliency, load-balancing
Cisco ASA 5500 Series Product Lineup
Solutions Ranging from SMB to Large Enterprise

                             | ASA 5505                  | ASA 5510               | ASA 5520      | ASA 5540          | ASA 5550
Target Market                | Teleworker / Branch Office| SMB and SME            | Enterprise    | Medium Enterprise | Large Enterprise

Performance
Max Firewall                 | 150 Mbps                  | 300 Mbps               | 450 Mbps      | 650 Mbps          | 1.2 Gbps
Max Firewall + IPS           | Future                    |                        | 375 Mbps      | 450 Mbps          | N/A
Max IPSec VPN                | 100 Mbps                  | 170 Mbps               | 225 Mbps      | 325 Mbps          | 425 Mbps
Max IPSec/SSL VPN Peers      | 25/25                     | 250/250                | 750/750       | 5000/2500         | 5000/5000

Platform Capabilities
Max Firewall Conns           | 10,000/25,000             | 50,000/130,000         | 280,000       | 400,000           | 650,000
Max Conns/Second             | 3,000                     | 6,000                  | 9,000         | 20,000            | 28,000
Packets/Second (64 byte)     | 85,000                    | 190,000                | 320,000       | 500,000           | 600,000
Base I/O                     | 8-port FE switch          | 5 FE                   | 4 GE + 1 FE   | 4 GE + 1 FE       | 8 GE + 1 FE
VLANs Supported              | 3/20 (trunk)              | 50/100                 | 150           | 200               | 250
HA Supported                 | Stateless A/S (Sec Plus)  | A/A and A/S (Sec Plus) | A/A and A/S   | A/A and A/S       | A/A and A/S

(Where two values are given, the first applies to the Base license and the second to the Security Plus license. The Max Firewall + IPS figure for the ASA 5510 is missing from the source slide.)
Wide-Range of Cisco ASA 5500 Series Security Service Modules (SSMs)

IPS Security Services Module (AIP SSM)
• Provides full-featured IPS and IDS services for protection of critical network assets
• Available in two models: SSM-10 and SSM-20
• Delivers up to 450 Mbps of IPS throughput
• Has thumbscrews for easy insertion/removal
• 10/1000 out-of-band management port
• Supported on ASA 5510, 5520, and 5540

Anti-X Security Services Module (CSC SSM)
• Provides full-featured Anti-X services (anti-virus, anti-spyware, anti-spam, anti-phishing, URL filtering, and more)
• Available in two models: SSM-10 and SSM-20
• Anti-virus and anti-spyware services licensed by number of users, others optional add-on
• Supported on ASA 5510, 5520, and 5540

4-Port GE Services Module (4 GE SSM)
• I/O module offers four copper 10/1000 ports in addition to four SFP ports for improved flexibility and network segmentation
• Customers can use up to four ports total out of these eight ports, with the ability to mix and match copper and optical GE ports
• Supported on ASA 5510, 5520, and 5540
Cisco Adaptive Security Device Manager v6.0
Introduces a Wealth of New Features and Usability Enhancements
§ Fresh new interface provides easy access to all services offered by ASA
§ Security Dashboards
§ Packet Tracer
§ Packet Capture
§ Provides live ACL hit count in the firewall rule table for easy policy auditing
§ Real-Time Syslog Viewer
§ Syslog to ACL correlation features
§ New Wizards
Typical customer requirements
§ Address translation - NAT
§ Traffic inspection at L2-L7
§ Support for dynamic applications
§ Branch office connectivity
§ Remote Access VPN
§ Web VPN (SSL VPN)
§ Protection against threats from the Internet
Teleworker Deployment Model
Easy to Install Modern Networking Services

Business VLAN / Internet VLAN
§ Secure access to both Home and Internet VLANs
§ DHCP and Dynamic DNS services
§ Power over Ethernet for IP Phones and WiFi Access Points
§ PPPoE support
§ Backup ISP support (Security Plus)

Home VLAN
§ Secure access for a wide range of applications through the Internet VLAN
§ DHCP Server Services
ASA for the first time
§ # show version
§ # show run
§ # show flash
§ # configure terminal
§ (config)# configure factory-default
§ # write memory / write erase
§ # reload
Configuration tasks
§ Allowing only authorized access
§ SSH access
§ Logging
§ DHCP
§ Permitting traffic with ACLs
§ NAT
§ Traffic inspection
§ AAA rules
§ Protection against attacks
§ Monitoring
§ ...
Demo scenario
VLAN 10 – INSIDE (E0/1, 10.0/24, ASA address 10.0.0.1; syslog server)
VLAN 20 – OUTSIDE (E0/0, address from DHCP; Internet)
VLAN 30 – DMZ (E0/7, ASA address 172.16.1.1; HTTP server 172.16.1.10)

Inside -> DMZ: permit HTTP, ICMP
Internet -> DMZ HTTP server: permit HTTP
Inside -> Internet: permit all, inspect HTTP and FTP
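The configuration tasks listed on the previous slide, applied to the demo scenario, as an added example that is not part of the original deck or Cisco's own material. It is written in the pre-8.3 NAT syntax of the ASA 8.0 / ASDM 6.0 era for an ASA 5505. The VLAN numbers, switch-port assignments and inside/DMZ addresses come from the slide; the syslog server address (10.0.0.50), the DHCP pool, the admin username, the hostname and the direction of each permit (inside to the DMZ server: HTTP and ICMP echo; Internet to the DMZ server: HTTP only; inside to the Internet: everything, with HTTP and FTP inspection) are assumptions. A Security Plus license is assumed so that the third VLAN is fully routed.

```cisco
! Added example for the demo scenario (assumption-based, not the deck's configuration).
! ASA 5505, pre-8.3 NAT syntax, Security Plus license assumed.
hostname asa-demo

! --- VLANs and switch ports as drawn on the demo slide ---
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Vlan20
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan30
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
interface Ethernet0/0
 switchport access vlan 20
interface Ethernet0/1
 switchport access vlan 10
interface Ethernet0/7
 switchport access vlan 30

! --- Authorized access only: local admin account (placeholder password),
! --- SSHv2 from the inside LAN only, no telnet line at all
username admin password REPLACE_ME privilege 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
crypto key generate rsa modulus 2048
ssh 10.0.0.0 255.255.255.0 inside
ssh version 2
ssh timeout 10

! --- Logging to the syslog server on the inside LAN (address assumed) ---
logging enable
logging timestamp
logging trap informational
logging host inside 10.0.0.50

! --- DHCP for inside clients (pool assumed); DNS settings inherited from the outside lease ---
dhcpd address 10.0.0.100-10.0.0.200 inside
dhcpd auto_config outside
dhcpd enable inside

! --- ACLs: inside -> DMZ server HTTP + ICMP echo, nothing else into the DMZ, all else to Internet ---
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.255.255.0 host 172.16.1.10 eq www
access-list INSIDE_IN extended permit icmp 10.0.0.0 255.255.255.0 host 172.16.1.10 echo
access-list INSIDE_IN extended deny ip any 172.16.1.0 255.255.255.0
access-list INSIDE_IN extended permit ip 10.0.0.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
! Internet -> DMZ web server: pre-8.3 ACLs match the translated address, i.e. the outside interface
access-list OUTSIDE_IN extended permit tcp any interface outside eq www
access-group OUTSIDE_IN in interface outside

! --- NAT: PAT inside and DMZ behind the outside address; publish TCP/80 of the DMZ server ---
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
static (dmz,outside) tcp interface www 172.16.1.10 www netmask 255.255.255.255

! --- Traffic inspection: add HTTP to the default inspection policy (FTP is already on by default) ---
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
service-policy global_policy global

! --- Protection against attacks: anti-spoofing on the outside, basic threat detection ---
ip verify reverse-path interface outside
threat-detection basic-threat
threat-detection statistics access-list

! --- Monitoring: ASDM (HTTPS) from the inside LAN only ---
http server enable
http 10.0.0.0 255.255.255.0 inside

! Save with: write memory
```

The deny line in INSIDE_IN sits before the catch-all permit so that the "permit all to the Internet" rule does not silently grant inside hosts every port on the DMZ server; once the ACL is in place, the live hit counts in ASDM 6.0's rule table and the `threat-detection statistics access-list` output show which of these lines actually match traffic during the demo.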
External demos
§ SSL VPN demo: https://vpndemo-external.cisco.com
§ ASDM demo: http://www.cisco.com/go/asdm
Q and A