Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 ASA Mid-Range SEVT Update

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 2

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential # © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential #

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4 5 new models to meet varied throughput demands What’s New ASA 5512-X 1 Gbps Firewall Throughput ASA 5515-X 1.2 Gbps Firewall Throughput ASA 5525-X 2 Gbps Firewall Throughput ASA 5545-X 3 Gbps Firewall Throughput ASA 5555-X 4 Gbps Firewall Throughput 1. Multi-Gig Performance To meet growing throughput requirements 2. Accelerated Integrated Services No extra hardware required To support changing business needs 3. Next-gen services enabled platform To provide investment protection

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5 Enterprise-class hardware architecture designed to support multiple services Multi-Core multi-threaded CPUs 4x Memory Dedicated IPS Hardware Accelerator Dedicated VPN Hardware Accelerator Services Supported IPS Botnet Traffic Filter Combined with real-time threat information from 500 feeds through Cisco SIO (Security Intelligence Operations), IPS and Botnet Protection provide protection against complex APTs. VPN & AnyConnect Enables BYOD with security besides providing always-on remote access

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6 At-A-Glance 64Bit Multi-Core Processor Up to 16GB of Memory Built-In Multi-Core Crypto Accelerator Hardware Dedicated IPS Hardware Acceleration Card Up to 14 1GE Ports Copper & Fiber I/O options Firewall, VPN & IPS Services Dedicated OOB Management Port Performance Density Flexibility Integrated Services Management Consolidation ASA 5500-X H/W Features Customer Benefits

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential # © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential #

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8 Six port copper 10/100/1000 RJ45 module Available on all new appliances Six port 1GE SFP I/O Module Available on all new appliances Supports short and long reach optics GLC-SX-MM, GLC-SX-MMD GLC-LH-SM, GLC-LH-SMD

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9 AC option available at FCS Optional on, ASA 5545-X & ASA 5555-X appliances Works in load-sharing mode Input Rating 100 ~ 120V / 5A 200 ~ 240V / 2.5A Available post FCS Fixed DC power supply option available on ASA 5512-X, 5515-X & 5525-X Redundant DC power supply available on ASA 5545-X & 5555-X DC Power Supply ASA-PWR-AC

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential # © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential #

© 2010 Cisco and/or its affiliates. All rights reserved. 11

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12 Based on 15years of proven Cisco IDS & IPS technology SMP enabled Software based on 64bit architecture Virtual Sensor Support Hardware acceleration for String-XL engines Reputation based mitigation technology Global Correlation Support

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13 Uses reputation to significantly increase accuracy of attacks caught Provides dual-stage filtering Stage 1: Reputation list used to filter out bad traffic Stage 2: Reputation data used to influence policy decision (for instance, change risk rating (RR) to >90 to cause a drop action IPS Reputation Filter Cisco ® IPS Service Block known bad traffic Scan suspicious traffic further with dynamic policy decisions Stage 1 Stage 2 Dual-Stage Reputation Filtering Increases Accuracy by 2X IPS Efficacy Allow known good traffic

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14 Reputation Filtering in Action Step 1: The sensor base network within the Cisco SIO gathers telemetry data from other sensors across the world Step 2: Cisco 5500-X IPS Service gets updated reputation filter list; influences policy decisions (deny or drop attacker, etc.) Step 3: Alerts go out to the security teams for prevention, mitigation, and remediation Cisco ASA 5500-X IPS Service Filter Internet Cisco® Security Intelligence Operations Local Connectivity Worldwide Visibility Cisco ASA 5500-X Cisco IPS 4300 Internet Global Correlation

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 15

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16 Botnet traffic filter Scans all traffic, all ports, and all protocols Monitors command and control traffic from internal bots to external hosts Detects infected clients by tracking rogue “phone-home” traffic Powerful anti-malware data promotes accuracy Provides guidance now for blocking Botnet communication Dynamic discovery provides real time identification of malware communication Client Infection Detection Industry’s Most Accurate Malware Traffic Monitor Anti-Malware Cisco ® ASA

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17 Botnet Traffic Filter Integration into ASDM Main Dashboard Botnet Traffic Filter Statistics

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18 Top Infected Hosts Infected Hosts Malware Sites Report Generation

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 19

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20 Wide Range of Connectivity Options Mobile Access IPsec VPN Tunneling DTLS (Voice and Video) Tunneling Clientless VPN Access SSL VPN Tunneling Powered by the Cisco ASA

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential # © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential #

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22 Device Dashboard Firewall Dashboard IPS Dashboard Traffic Reports

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23 Device View Events View Reports View

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24 Unified and comprehensive Firewall, VPN and IPS management Device View New H/W Platform Support Policy View Map View Event View

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25 CX services available only on Saleen Ability to run multiple services “simultaneously” without requiring a separate hardware module for each More base and expansion I/O on Saleen e.g., Availability of dual-power supplies on 5545-X and 5555-X for mission critical deployments 5510 SEC PLUS5515-X Base I/O2GE + 3FE6GE + 1GE Mgmt Expansion I/O4GE copper or Fiber 6GE Copper or Fiber

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26 Hardware Multi-core CPUs Up to 4x RAM More Base and Expansion I/O Dual Power supplies (ASA 5545/5555) SSDs for on-box CX events and future services Instead of doing memory upgrade on Benetton, opt for device upgrade USB thumb drive for storing logs/configs Performance/Scaling/Features 4x firewall performance More IPS, VPN throughput SuiteB (ASA 9.0) Native TrustSec capable I/O ports (expansion only) – feature not yet available Services Multiple services and I/O are not mutually exclusive anymore CX (Web Services, AVC) availability

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27 SMB and Branch Office ASA 5510ASA 5512-X 300-Mbps Firewall 250-Mbps FW + IPS 200-Mbps VPN 5 FE Data + Mgmt 1 GB RAM Security Plus License for High Availability ASA 5510ASA 5512-X NEW 1-Gbps Firewall 250-Mbps FW+IPS 200-Mbps VPN 6 GE Data + 1 GE Mgmt 4 GB RAM Security Plus License for High Availability SMB and Branch Office ASA 5510 Security Plus ASA 5515-X 300 Mbps Firewall 250-Mbps FW + IPS 200-Mbps VPN 5 FE Data + Mgmt 1 GB RAM ASA 5510 SEC PLUSASA 5515-X NEW 1.2-Gbps Firewall 400-Mbps FW + IPS 250-Mbps VPN 6 GE Data + 1 GE Mgmt 8 GB RAM Midsize Business Headquarters and High-Throughput Branch Office ASA 5520ASA 5525-X 450-Mbps Firewall 450-Mbps FW + IPS 225-Mbps VPN 5 FE Data + Mgmt 1 GB RAM ASA 5520ASA 5525-XNEW 2-Gbps Firewall 600-Mbps FW + IPS 300-Mbps VPN 8 GE Data + 1 GE Mgmt 8 GB RAM If a customer needs 5512-X + HA, they are better off buying a 5515-X instead If a customer needs 5512-X + HA, they are better off buying a 5515-X instead All GE interfaces 4x Performance All GE interfaces 4x Performance 8x RAM 1 Gbps EMIX FW IPS h/w regex 1 Gbps EMIX FW IPS h/w regex

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28 CSCScanSafe AV scanning ✔✔ DLP ✔✔ URL Filtering ✔✔ Anti-Spyware ✔✔ Anti-Spam ✔ Anti-Phishing ✔✔ (Webmail only) Real time protection for web access, mail and file transfers ✔ AVC ✔ Web Reputation ✔ HTTPS decryption ✔ End user notification ✔ Note that Cisco Cloud Web Security does not carry separate SmartNet

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 29

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30 You responded… Only SSD 120GB With Encryption; No Spinning Hard Drives Less Failure Rate Encryption in Hardware (feature will be turned on in later release) Customers expect SSDs; Most competitors provide SSDs 5512/5515/5525 can take one SSD 5545/5555 can take two SSDs (in RAID 1 only) Orderable as a bundle with ASA If SSD is physically removed while CX in function, syslog and SNMP sent; ASA stops sending traffic to CX Ample storage space – 480M events every day for 5 years Less Failure Rate Encryption in Hardware (feature will be turned on in later release) Customers expect SSDs; Most competitors provide SSDs 5512/5515/5525 can take one SSD 5545/5555 can take two SSDs (in RAID 1 only) Orderable as a bundle with ASA If SSD is physically removed while CX in function, syslog and SNMP sent; ASA stops sending traffic to CX Ample storage space – 480M events every day for 5 years We listened…

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31 Hardware ASA5500X-SSD120 ASA5500X-SSD120= ASA5512-SSD120-K8/9 ASA5515-SSD120-K8/9 ASA5525-SSD120-K8/9 ASA5545-2SSD120-K8/9 ASA5555-2SSD120-K8/9 Software (for ASA 5512) ASA5512-AP(1/3/5)Y ASA5512-WS(1/3/5)Y ASA5512-AW(1/3/5)Y ASA CX 9.1 Software SKU (TBD)

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32 Existing Saleen customers Order SSD Spare Order CX subscriptions (preferably AVC+WSE combo) New Saleen customers Order ASA+SSD bundle SKUs e.g., ASA5525-SSD120-K9 Order CX subscriptions (preferably AVC+WSE combo)

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33 FeatureASA5500xASA5585-SSP StorageSSD 120GB capacity “show inventory” on ASA will show SSD details ASA provides syslogs & SNMP Traps for SSD insertion & removal ASA will shutdown CX service when all storage devices have been removed Spinning hard drives 600GB capacity RAIDSupported only on 5545 & 5555 RAID CLI is on ASA Supported on both SSP10 and SSP20 RAID CLI is on CX Console & Management CX console is thru ASA CLI Shares management port with ASA Dedicated Console Dedicated Management port CX - PRSM features All features are supported

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34 New customers buying ASA and CX Manufacturing installs CX completely before shipping CX is booted automatically when ASA is started Login to CX console from ASA CLI and setup management IP Configure CXSC redirection on ASA for traffic redirection Customers who own an ASA Install one or two SSDs on ASA depending on the model Copy ASA image which supports CX onto flash filesystem CX uses 3GB space on ASA flash filesystem, so ensure we have more than 3GB free space on ASA flash Reload ASA with version Follow the bootstrapping process

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 35

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37 Chassis Serial Number Used for SmartNet and Service Request Creation Pasted on exterior back panel PCB Serial Number Used for ASA License Enforcement “show version” command for ASA or IPS “show idprom” command in ROMMON Requests-Using/ta-p/29391

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38 Vendors selected Checkpoint (4200 and 4800) running Gaia or R75.40 (latest software release) Fortinet FG310B running 4.0MR3; FG 300C started shipping in Mar 2012 and Miercom report effort was started earlier Key metrics to focus on IMIX Performance – used by competitors -- compare IPv4 and IPv6 EMIX Performance – TCP throughput traffic test

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 39 ASAs have overall better IMIX performance for IPv4 and IPv6 traffic

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40 IPv4 IPv6 ASA is optimized for IPv4 and IPv6 unlike other vendors

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 41 ASA Performance with real-life world traffic is much better than Checkpoint or Fortinet 113% better 99% better

Thank you.