Slide 1
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
ISA500 Next Generation SB UTM solution
Slide 2
A Layered Solution and Defense in Depth
Layered: several systems work in parallel, addressing different layers and different entry points.
Infrastructure:
- Traffic Control
- Spanning Tree Protection
- Enable Necessary Services
- Secure Access
- Port-Based Security
- Disable Unused Services
- Hardened Devices
- Policy Enforcement
- Anti-Spoofing
Services:
- Firewall
- Unauthorized Access Prevention
- Intrusion Prevention
- Virus Prevention
- Worm Mitigation
Security Connectivity:
- Virtual Private Network
Slide 3
For SMB: ISA570, multi-services with depth protections and scalable performance. SMB customers are looking for multi-threat protections, an easy to use solution, and affordability for both solution and support; SMB max 500 Mbps.
Cisco ASA performance and scalability (figure labels: SOHO, Branch Office, Internet Edge, Campus, Data Center, Enterprise-grade; "NEW" marks new models):
- ASA 5505 (150 Mbps, 4K cps), Firewall/VPN only, SOHO
- ASA 5510 (300 Mbps, 9K cps); ASA 5510+ (300 Mbps, 9K cps)
- ASA 5520 (450 Mbps, 12K cps)
- ASA 5540 (650 Mbps, 25K cps)
- ASA 5550 (1.2 Gbps, 36K cps)
- ASA 5512-X NEW (1 Gbps, 10K cps)
- ASA 5515-X NEW (1.2 Gbps, 15K cps)
- ASA 5525-X NEW (2 Gbps, 20K cps)
- ASA 5545-X NEW (3 Gbps, 30K cps)
- ASA 5555-X NEW (4 Gbps, 50K cps)
- ASA 5585-X SSP-10 (4 Gbps, 50K cps)
- ASA 5585-X SSP-20 (10 Gbps, 125K cps)
- ASA 5585-X SSP-40 (20 Gbps, 200K cps)
- ASA 5585-X SSP-60 (40 Gbps, 350K cps)
Slide 4
ISA500 (FW, VPN, UTM) are Cisco all-in-one security appliances/UTMs targeted at single networks or smaller deployments. ASA is scalable for multi-site networks, with enterprise-grade support and the Cisco end-to-end borderless architecture.
Small Business: 100 employees, few sites, all-in-one solution, STAC support, Web GUI, OnPlus reporting.
Enterprise, Commercial, Mid Market: high availability, several sites, central management, granular policies, TAC support.
- RV series: for SB customers who need a simple to use router with basic security. Street price starts at $50.
- ISA500: for SB customers who need all-in-one security, VPN/FW deployment flexibility, a security appliance integrated with routing & switching capabilities, and managed services offerings. Price range $450 - $1250.
- ASA5505: entry level performance; add modules (IPS etc.); same config/software as 5510 and higher; ideal for branch; Cisco software; starts at $500.
- ASA5510 and higher (Gig performance): for customers who need higher scalability and performance. Street price starts at $2000+. Part of SecureX.
Slide 7
Not just a Firewall! A comprehensive Security Solution for Small Businesses (UTM):
- Business Grade Firewall
- Intrusion Prevention System
- Productivity URL Filtering
- Email Safety and Spam Filtering
- Virtual Private Networking
(Figure shows blocked examples http://dangerous-website.com and http://inappropriate-website.com.)
Slide 8
ISA500 will replace the SA500 Series; ISA500 moves to Cisco security features.

ISA Security Features Highlights | SA500 | ISA500
Cisco IPSec VPN (EzVPN): server and client for remote IPSec VPN | No (Generic IPSec) | Cisco
Cisco AnyConnect SSL VPN: server and client for remote SSL VPN | No (ODM SSLVPN) | Cisco
Cisco Hardware VPN client for Teleworker | No | Cisco
Web Reputation filtering | Trend Micro | Cisco
Web URL filtering | Trend Micro | Cisco
Spam Filter | Trend Micro | Cisco
Network Reputation | No | Cisco
Zone based firewall | No | Cisco
Cisco cloud security reports | No | Cisco

Benefits: ease adoption for existing Cisco solution adopters; ease migration to future enterprise solutions; simplify support.
Slide 9
Cloud Based Solution: Keeping Security Protections Up-to-Date With Ease (ISA500 with Cisco Security Essential)
1. Dynamic, new Internet threats; constant threat and vulnerability collection & analysis by Cisco SIO. Superior & up-to-date security threat intelligence.
2. Real-time query and periodical download of security data feeds: Web URL Filtering, Web Threat protection, Spam filtering, Network reputation filtering.
3. Clean traffic to the business: seamless security protection, low maintenance and operation efforts.
Slide 10
Securing SB networks with the ISA500 (blue in the figure = new in ISA500):
Secure Remote Access (remote office, SOHO, mobile worker, anywhere):
- Site to site VPN
- Remote access VPN: Cisco VPN client, Cisco AnyConnect client
- Teleworker VPN client mode
Prevent Internet Threats (hacker, malware):
- SPI Firewall, DMZ
- Spam filter for email protection
- Intrusion Prevention (IPS) with hardware acceleration
- Web URL filtering and threat protection
- Network Reputation Filter
- Application control
- Gateway Anti-virus (AV)
Manage Internal Threats and Access Control (spying, spoofing, infected PC; staff, remote visitor, contractor):
- Zone based Firewall
- Secure WLAN
- Rogue AP detection
- Guest access management
- Port based authentication access with 802.1X
- IPS/AV for internal traffic
Small Business premise in the figure: public servers, desk/office, conference room, finance & application servers, IT services.
Slide 11
Cisco ISA500 Model Overview: Security Appliance UTM Models ISA550 / ISA570

Specification | ISA550, ISA550W | ISA570, ISA570W
Hardware ports | 7 GE | 10 GE
Wireless (802.11b/g/n, 2.4 GHz) | Yes (on ISA550W) | Yes (on ISA570W)
Security acceleration HW | No | Yes
Firewall performance | 200 Mbps | 500 Mbps
VPN performance | 65 Mbps | 125 Mbps
AV performance | 60 Mbps | 120 Mbps
IPS performance | 80 Mbps | 150 Mbps
UTM performance * | 45 Mbps | 80 Mbps
Max connections | 15,000 | 40,000
VPN tunnels (IPSec/SSL) | 50/25 | 100/50
* UTM performance is measured with HTTP traffic. Actual performance may vary depending on network traffic, conditions, and services enabled.
Slide 12
All SKUs are bundled SKUs. Bundle SKUs include hardware and the comprehensive security subscription service suite. Renewal SKUs for the Comprehensive Security subscription service suite will also be available.

Package | Selection | SKU | List price*
Low-end, wired | 1-year | ISA550-BUN1-K9 | $443
Low-end, wired | 3-year | ISA550-BUN3-K9 | $653
Low-end, wireless | 1-year | ISA550W-BUN1-K9 | $524
Low-end, wireless | 3-year | ISA550W-BUN3-K9 | $706
High-end, wired | 1-year | ISA570-BUN1-K9 | $792
High-end, wired | 3-year | ISA570-BUN3-K9 | $1,202
High-end, wireless | 1-year | ISA570W-BUN1-K9 | $921
High-end, wireless | 3-year | ISA570W-BUN3-K9 | $1,286
* Subject to change
Slide 13
Trend Micro ProtectLink Gateway Service (figure: Internet, Cisco Security Appliance)
The stateful firewall protects the office from the outside: data connections are only possible from the inside and only between the intended hosts. The zone based firewall also defines firewalls between hosts inside my office (e.g. guest network, printers, sales department, HR); zones are placed in predefined security classes with automatic rules. AntiVirus, AntiSpam and Webfilter increase productivity and filter threats before they even enter my network. IPS looks inside allowed traffic and searches for virus patterns or blocks specific applications (peer-to-peer, chat etc.).
Slide 14
One ISA500 Comprehensive Security license contains 7 security services managed through one license, plus the Cisco AnyConnect Mobile Client (SSLVPN).

Security Service | Description
Anti-Virus & Anti-Spyware | Supports various applications, including web, email, and file transfer applications. The solution scans traffic not just from HTTP (web) but also SMTP, FTP, NetBIOS, and CIFS protocols to identify and prevent infected files from downloading onto users' devices.
Spam Filter | Stop spam at connection level
IPS | Block malicious attacks
Application Access Control | Block unproductive app usage
Network Reputation | Block malicious senders
Web URL Filter | Block unwanted web site access by category, domain, and URI
Web Threat Protection | Prevent dangerous web site access
Slide 15
Zone-Based Firewall
The firewall is an inter-zone firewall; intra-zone traffic will not be checked.
Zone definition:
- A zone is a group of VLANs/interfaces that have similar functions or features.
- Each VLAN/interface can join only one zone.
- Each zone can have multiple VLANs/interfaces.
Firewall: consists of three types of ACL rules: default policies, user defined ACL and system generated ACL.
Session-based firewall: packets belonging to the same session will have the same action.
Slide 16
The user can configure firewall rules for controlling traffic from a particular source to a particular destination.
Slide 17
Security Level (0 to 100)
- Each zone is assigned a security level.
- The zone with the higher security level CAN access the lower one.
- The zone with the lower level CANNOT access the higher one.
- Five security levels: Trusted (100), VPN (75), Public (50), Guest (25) and Untrusted (0).
- The user can override the default policy by adding a user defined ACL.

Default policy, From \ To | Trusted (100) | VPN (75) | Public (50) | Guest (25) | Untrusted (0)
Trusted (100) | Deny | Permit | Permit | Permit | Permit
VPN (75) | Deny | Deny | Permit | Permit | Permit
Public (50) | Deny | Deny | Deny | Permit | Permit
Guest (25) | Deny | Deny | Deny | Deny | Permit
Untrusted (0) | Deny | Deny | Deny | Deny | Deny
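The zone model of slides 15 and 17, as an added example (not Cisco code): the default security-level policy, the one-zone-per-interface rule, unchecked intra-zone traffic, and a user-defined ACL that overrides the default. The interface-to-zone mapping, the AclRule fields and the sample ACL are constructed for illustration.

```python
# Added example (not Cisco code): model of the ISA500 default zone policy
# with user-defined ACL override. Interface names, the AclRule shape and
# the sample ACL are constructed assumptions, not product configuration.
from dataclasses import dataclass
from typing import List, Optional

# Five default security levels from slide 17.
SECURITY_LEVEL = {"Trusted": 100, "VPN": 75, "Public": 50, "Guest": 25, "Untrusted": 0}

# Constructed mapping: each VLAN/interface joins exactly one zone (slide 15).
INTERFACE_ZONE = {"VLAN1": "Trusted", "VLAN10": "Guest", "DMZ": "Public",
                  "WAN1": "Untrusted", "tun0": "VPN"}

@dataclass
class AclRule:
    from_zone: str
    to_zone: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "Permit" or "Deny"

def default_policy(from_zone: str, to_zone: str) -> str:
    """Default inter-zone policy: a strictly higher level may reach a lower one;
    an equal or lower level may not (the matrix diagonal is Deny)."""
    return "Permit" if SECURITY_LEVEL[from_zone] > SECURITY_LEVEL[to_zone] else "Deny"

def evaluate(src_if: str, dst_if: str, dst_port: int, user_acl: List[AclRule]) -> str:
    """Action for a new session between two interfaces."""
    from_zone, to_zone = INTERFACE_ZONE[src_if], INTERFACE_ZONE[dst_if]
    if from_zone == to_zone:
        return "Not checked"   # intra-zone traffic is not inspected (slide 15)
    for rule in user_acl:      # user-defined ACL overrides the default; first match wins
        if (rule.from_zone, rule.to_zone) == (from_zone, to_zone) and rule.dst_port in (None, dst_port):
            return rule.action
    return default_policy(from_zone, to_zone)

def default_matrix() -> dict:
    """Rebuild the From \\ To table of slide 17 from the level rule."""
    zones = ["Trusted", "VPN", "Public", "Guest", "Untrusted"]
    return {f: {t: default_policy(f, t) for t in zones} for f in zones}

# Constructed ACL: let the Guest zone reach a Public (DMZ) web server on 443 only,
# and keep the Trusted LAN from reaching the Guest WLAN at all.
SAMPLE_ACL = [
    AclRule("Guest", "Public", 443, "Permit"),
    AclRule("Trusted", "Guest", None, "Deny"),
]

if __name__ == "__main__":
    for f, row in default_matrix().items():
        print(f"{f:10}", " ".join(f"{a:6}" for a in row.values()))
    print("Guest -> DMZ:443 =", evaluate("VLAN10", "DMZ", 443, SAMPLE_ACL))
    print("Guest -> DMZ:80  =", evaluate("VLAN10", "DMZ", 80, SAMPLE_ACL))
```

The port-specific Permit shows why an override should be as narrow as possible: the same Guest zone still gets the default Deny towards the DMZ on every other port.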
Slide 18
Protecting against network and application-level attacks (figure of inspection points): URL reputation checked; URL category checked; URL keyword/website checked; SMTP server IP checked (Network Reputation detection); virus checked.
Slide 19
Anti-Virus General Settings: enable or disable AV, specify the zones to scan for viruses, and configure the preventive actions for different types of traffic. Select zones for A/V processing.
Slide 20
Web URL Filtering flow (figure: "URL OK?" decision):
1. HTTP request
2. Block and white lists checked (Content Filtering)
3. Web URL filtering (query the URL's category and action)
4. Report delivered
5. Access this website
Slide 21
Web URL Filter: user access to the Internet from the LAN zone, Guest zone and VOICE zone (figure).
Slide 22
Choosing the reputation threshold and filling in the warning message shown when a URL is blocked.
Slide 23
Network Reputation flow (figure: packets to WAN, check DB, "Safe IP?", PASS / DROP):
1. Any packet from LAN to WAN.
2. Check the destination IP against the local database.
3. If it is not in the database, then PASS.
4. If it is in the database, then DROP.
Slide 24
If you have two ISP links, one for WAN1 and the other for WAN2, you can configure WAN redundancy to determine how the two ISP links are used (figure: ISP A, ISP B).
Slide 25
Load balancing can be used to stack the WAN bandwidth. The user can decide the weight percentage between WAN links (figure: ISP A 80%, ISP B 20%).
Slide 26
Load Balancing - Based on Real-time Bandwidth: the weight of the WAN links can be adjusted dynamically according to the remaining bandwidth of each WAN (figure: ISP A, ISP B; at T1, WAN1 remaining (50M – 20M) = 30M, WAN2 remaining (10M – 5M) = 5M).

Dynamic weight adjustment:
Time | WAN1, WAN2 base bandwidth setting | WAN1, WAN2 used bandwidth | WAN1 remaining bandwidth | WAN2 remaining bandwidth | WAN1 : WAN2 weight ratio
T0 | 50M, 10M | 0M, 0M | 50M | 10M | 50:10
T1 | 50M, 10M | 20M, 5M | 30M | 5M | 30:5
T2 | 50M, 10M | 50M, 5M | 0M | 5M | 0:1
T3 | 50M, 10M | 0M | (not given) | (not given) | 50:10
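The weight computation behind the table above, as an added example (not Cisco code). It reproduces the T0 to T2 rows from the base and used bandwidth; the "both links saturated" case is not covered by the slide, so falling back to the base ratio there is an assumption of this example, as are the link names and sample measurements.

```python
# Added example (not Cisco code): real-time-bandwidth load balancing weights
# as in the slide's table. Link names and measurements are constructed.
from typing import Dict, Tuple

BASE_BANDWIDTH = {"WAN1": 50, "WAN2": 10}   # Mbps, base bandwidth setting from the slide

def remaining(base: Dict[str, int], used: Dict[str, int]) -> Dict[str, int]:
    """Remaining bandwidth per link, floored at zero so a burst above the
    configured base cannot produce a negative weight."""
    return {link: max(base[link] - used.get(link, 0), 0) for link in base}

def weight_ratio(base: Dict[str, int], used: Dict[str, int]) -> Tuple[int, int]:
    """WAN1:WAN2 weight ratio. A saturated link gets weight 0 and the other
    carries all new traffic (0:1), matching the slide's T2 row. If both are
    saturated the slide says nothing; this example (assumption) falls back to
    the base ratio so traffic keeps flowing instead of being black-holed."""
    rem = remaining(base, used)
    r1, r2 = rem["WAN1"], rem["WAN2"]
    if r1 == 0 and r2 == 0:
        return base["WAN1"], base["WAN2"]
    if r1 == 0:
        return 0, 1
    if r2 == 0:
        return 1, 0
    return r1, r2

def schedule_share(base: Dict[str, int], used: Dict[str, int]) -> Dict[str, float]:
    """Fraction of new sessions handed to each link under the computed weights."""
    w1, w2 = weight_ratio(base, used)
    total = w1 + w2
    return {"WAN1": w1 / total, "WAN2": w2 / total}

# Constructed measurements reproducing the slide's T0..T2 sample points.
SAMPLES = {
    "T0": {"WAN1": 0, "WAN2": 0},
    "T1": {"WAN1": 20, "WAN2": 5},
    "T2": {"WAN1": 50, "WAN2": 5},
}

if __name__ == "__main__":
    for t, used in SAMPLES.items():
        print(t, remaining(BASE_BANDWIDTH, used), weight_ratio(BASE_BANDWIDTH, used))
```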
Slide 27
If a failure is detected on the primary link, then all Internet traffic is directed to the backup link. When the primary link regains connectivity, all Internet traffic is directed to the primary link and the backup link becomes idle (figure: ISP A, ISP B).
Slide 28
Configuring the authentication server and the authenticated VLAN. The authentication mode options are Forced Authorized, Forced Unauthorized or Auto.
Slide 29
Every user belongs to one group and only one. Local database, LDAP and AAA authentication. Service privileges are bound to a group. Available services are:
Slide 30
An Address Group is a set of Address Objects. Address Groups can be used in ACL rules and VPN settings.
Slide 31
Wireless features: 802.11n, 2.4 GHz band; multiple SSID support; various security modes; MAC filtering; VLANs; scheduling; WPS; captive portal; rogue AP detection.
Slide 32
Example of Use Case - Internet & Guest Access Gateway at a Dental Office (figure: ISA, WLAN, Intranet, Internet, Guest hotspot)
Key applications: secure wireless connectivity for mobile devices; visitor Internet access with intranet isolation.
ISA500 solution: WiFi with multi-SSID; zone firewall with guest VLAN; captive portal.
Slide 33
Example of Use Case - Teleworker Device (figure: ISA, company VPN networks, Internet, family networks)
Key applications: secure always-on company network connection; company and family network isolation with policy support.
ISA500 solution: Cisco EzVPN hardware client; split tunneling support; zone firewall; 802.1X; UTM multi-threat protections.
Slide 35
Helps an SMB partner gain deeper insight into customer network usage & security performance, and provide recommendations and informed advice based on captured trends.
Detailed security reports from the Cisco ISA500:
- Network Resource Utilization: VPN usage, web usage (top visited sites, web category), mail usage, FTP usage, bandwidth utilization
- Security Performance: virus attacks, firewall attacks, web threats, intrusions, spam
- Appliance Status: device utilization (CPU, memory, flash), up/down stats, login attempts
Targeted availability Nov 2012; requires ON100 subscription.
Partners can:
- View security service reports and events in a separate, consolidated dashboard
- Schedule security reports to be automatically and directly sent to their customers
- Personalize reports and add custom recommendations based on observations of data and trends captured in reports
- Store reports safely in the cloud without the hassle of local storage
Slide 36
Cisco OnPlus with the ISA500 (figure):
- Device GUI: configuration back-up and restore, firmware upgrade, event monitoring etc.
- OnPlus baseline: dashboard view, device discovery & topology etc., support contract status. Connected devices: switch, router, security appliance, NAS, printer, iPad, iPhone, etc. Several sites (Site 1, Site 2) and customers (Customer A, Customer B) are managed from one dashboard by the VAR.
- OnPlus Security: baseline security reports.
- OnPlus Advanced Security Service: network usage reports, appliance status reports. Partner value, partner margins.
Key benefits: easy to manage (single interface for all technologies); easy to start (Cisco hosted); profitability (enables managed security service).
Notes: partner focus; not meant for end users or SPs today; the user can still use the device GUI via https.
Slide 37
Reports can be generated individually or grouped, on demand or scheduled.
Slide 38
Security Reports Service (figure; * post market introduction):
- Security Platform (ISA5xx): Firewall, VPN, Routing & Switching
- Threat Protection Services: Anti-virus, Anti-spam, IPS, Anti-spyware, URL Filtering, Web Threat protection, Network Reputation
- Remote Network Management (OnPlus): Customer Dashboard, Network Topology, Device Connectivity, Backup & Restore, Upgrades, Maintenance
- Security Report (OnPlus Security): Security Report (virus, firewall attacks, intrusions, spam, web threat, web filter); Resource Usage (VPN, web, mail, FTP, bandwidth); Appliance Status (CPU, flash, memory utilization, failed logins)
- Partner Value, Partner Margins