background image

 

 

© 2005 Cisco Systems, Inc. All rights reserved. 

Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com. 

Page 2 of 20 

 
 

secure connectivity strategies, these security appliances converge a wide range of security and VPN technologies to provide rich application security, 

anti-x defenses, network containment and control, and secure connectivity. 

APPLICATION SECURITY 

The Cisco ASA 5500 Series provides strong application layer security through 30 intelligent, application-aware inspection engines that examine 

network flows at Layers 2–7. To defend networks from application layer attacks and give businesses control over use of applications and protocols 

in their environments, these inspection engines incorporate extensive application and protocol knowledge and employ security enforcement 

technologies that include application and protocol command filtering, protocol anomaly detection, and application and protocol state tracking. As 

another layer of application inspection and control, these inspection engines also incorporate attack detection and mitigation techniques such as 

buffer overflow defenses, content filtering and verification, and URL deobfuscation services. Inspection engines are available for a wide range of 

popular applications and protocols, including Web, file transfer, e-mail, voice and multimedia, database, operating system, and third-generation (3G) 

Mobile Wireless services. These inspection engines also give businesses control over threats such as instant messaging, peer-to-peer file sharing, and 

other tunneling applications, allowing businesses to enforce usage policies and protect network bandwidth for legitimate business applications. 

ANTI-X DEFENSES 

The Cisco ASA 5500 Series provides advanced, high-performance protection against network and application layer attacks, denial-of-service (DoS) 

attacks, and malware, including worms, network viruses, Trojan horses, spyware, and adware. Effective anti-x defense requires broad attack detection 

coupled with advanced analysis techniques, resulting in highly accurate threat classification that helps ensure appropriate mitigation actions are taken 

with no impact on legitimate network traffic. 

Advanced Detection Techniques 

To help ensure that threats do not go unnoticed, the Cisco ASA 5500 Series offers numerous methods to identify policy violations, anomalous 

activity, and vulnerability exploitation. They include stateful pattern recognition for stopping attacks hidden inside a data stream; protocol analysis 

to validate network traffic; traffic anomaly detection to identify attacks that cover multiple sessions and connections; protocol anomaly detection to 

identify attacks based on observed deviations in the normal RFC behavior of a protocol or service; and Layer 2 analysis to detect man-in-the-middle 

attacks. Specialized safeguards “scrub” network traffic to prevent “detection evasion” attempts; these safeguards include IP fragmentation reassembly 

and normalization, TCP stream reassembly and normalization, TCP evasion control, IP antispoofing, and deobfuscation. 

Combined with the extensive detection techniques are two innovative analysis and correlation technologies from Cisco Systems

®

 that help enable 

accurate mitigation of the detected threats: Risk Rating and the Meta Event Generator. 

Risk Rating 

The Cisco ASA 5500 Series uses the innovative Cisco Risk Rating technology to help ensure that malicious attacks are stopped without impacting 

legitimate traffic. Going beyond the typical single-factor methods in determining threat risk, Cisco Risk Rating incorporates four measures to 

accurately determine the risk of an event: 

 

Event severity—Rating indicating the relative impact of the threat 

 

Signature fidelity—Rating indicating the accuracy of the signature 

 

Asset value—Customizable value indicating the importance of the attack target (low value for a print server in a wiring closet, a high value for 

an e-commerce server in a data center, for example) 

 

Attack relevancy—Value based on susceptibility of the target to the attack type 

 

These four factors combine to produce an accurate threat rating that allows for confident mitigation actions to take place. 

Summary of Contents for Cisco ASA 5500 Series

Page 1: ...network antivirus and IP Security Secure Sockets Layer IPSec SSL VPN technologies deliver robust application security user and application based access control worm and virus mitigation malware protection and remote user and site connectivity Extensible Adaptive Identification and Mitigation services architecture Taking advantage of a modular services processing and policy framework the Cisco Adap...

Page 2: ...k detection coupled with advanced analysis techniques resulting in highly accurate threat classification that helps ensure appropriate mitigation actions are taken with no impact on legitimate network traffic Advanced Detection Techniques To help ensure that threats do not go unnoticed the Cisco ASA 5500 Series offers numerous methods to identify policy violations anomalous activity and vulnerabil...

Page 3: ...ologies that deliver tailored solutions to suit connectivity requirements providing employees company managed desktops with robust customizable remote access through an IPSec VPN For situations where endpoints are not company managed such as extranets Internet kiosks or employee owned desktops the Cisco ASA 5500 Series delivers WebVPN for SSL based remote access Taking advantage of Cisco remote ac...

Page 4: ...ents that require simultaneous dual stack support of IPv4 and IPv6 Quality of Service QoS Low Latency Queuing LLQ and Traffic Policing features support applications with demanding QoS requirements such as voice or video helping ensure an end to end network QoS policy latency sensitive traffic can be prioritized ahead of file transfer and other more delay tolerant traffic IP phone zero touch provis...

Page 5: ...cess VPN capabilities Alternatively it serves equally well in the network interior for interdepartmental access control and to guard against worms viruses and other malicious code that internal users may unwittingly bring into a network In small business and branch office environments the Cisco ASA 5500 Series serves as an all in one solution offering comprehensive threat prevention and VPN servic...

Page 6: ...ty of desktop server and network security solutions to determine the actual attack path and provide mitigation options thus simplifying security incident management for environments where dedicated security analysts may not be available Additionally Cisco offers the CiscoWorks Security Information Management Solution CiscoWorks SIMS which is well suited for large enterprises and managed security s...

Page 7: ...e tracking response validation Multipurpose Internet Mail Extensions MIME type validation and content control Uniform Resource Identifier URI length enforcement and more Tunneling Application Control Provides advanced inspection services to detect and optionally block instant messaging peer to peer file sharing and other applications tunneling through Web application ports Blocks popular instant m...

Page 8: ...in real time networking environments TAPI JTAPI over CTIQBE Security Services Supports inspection of various Cisco TAPI and JTAPI based applications that use CTIQBE including Cisco IP SoftPhone and the Cisco Customer Response solution Fragmented and Segmented Multimedia Stream Inspection Enables inspection of H 323 SIP and SCCP based voice and multimedia streams that have been fragmented or segmen...

Page 9: ...ts inbound and outbound access control lists ACLs for interfaces time based ACLs and per user or group policies for improved control over network and application usage Simplifies management of security policies by giving administrators the ability to create reusable network and service object groups that can be referenced by multiple security policies simplifying initial policy definition and ongo...

Page 10: ...PN Client Available on wide range of platforms including Microsoft Windows 98 ME NT 2000 and XP Sun Solaris Intel based Linux distributions and Apple Macintosh OS X Provides many innovative features including dynamic security policy downloading from Cisco Easy VPN Server enabled products automatic failover to back up Easy VPN Servers administrator customizable distributions and more Integrates wit...

Page 11: ... of a system or network failure network sessions are automatically transitioned between firewalls with complete transparency to users Active Active Stateful Failover Provides a complementary solution to Active Standby failover where both systems in an Active Active failover pair actively pass network traffic simultaneously effectively doubling the throughput of the failover pair for bursty network...

Page 12: ...ath routes Routing Information Protocol RIP Dynamic Routing Enables secure integration in RIP based enterprise networks by learning routing updates for both versions 1 and 2 of the protocol Protects against RIP based reconnaissance activities and DoS attacks by supporting plaintext and keyed MD5 authentication methods for RIPv2 Multicast Routing Streamlines the delivery of multimedia traffic in vi...

Page 13: ...l user database or through integration with enterprise databases either directly using TACACS and RADIUS or indirectly with Cisco Secure Access Control Server ACS Supports up to 16 levels of customizable administrative roles so that businesses can grant administrators and operations personnel the appropriate level of access to each appliance for example monitoring only access read only access to t...

Page 14: ...configuration data certificates and key material stored on Cisco ASA 5500 Series appliances by automatically wiping flash memory contents if an asset recovery or password reset procedure occurs if preconfigured to do so Scheduled System Reloads Allows administrators to schedule a reload on a Cisco ASA 5500 Series appliance either at a specific time or at an offset from the current time making it s...

Page 15: ... a Security Plus license This license increases port density on the platform by enabling the fourth Fast Ethernet port and removing the restriction on the out of band management port so that it can be repurposed to a general traffic port if desired Integration into switched network environments is simplified with this license as support for up to 10 VLANs is enabled Furthermore this upgrade licens...

Page 16: ...products listed in Table 3 for site to site VPN connectivity Table 3 Site to Site VPN Compatibility Between Cisco ASA 5500 Series and VPN Products VPN Gateway Versions Supported Cisco ASA 5500 Series Appliances Cisco ASA Software Version 7 0 1 and later Cisco IOS Software Routers Cisco IOS Software Release 12 1 6 T and later Cisco PIX Security Appliances Cisco PIX Security Appliance Software Versi...

Page 17: ...forms Supported Cisco ASA 5510 Adaptive Security Appliance Cisco ASA 5520 Adaptive Security Appliance Cisco ASA 5540 Adaptive Security Appliance Minimum RAM Cisco ASA 5510 256 MB Cisco ASA 5520 512 MB Cisco ASA 5540 1024 MB Minimum System Flash Memory 64 MB Expansion Cards Supported Cisco AIP SSM AIP SSM 10 AIP SSM 20 ORDERING INFORMATION To place an order visit the Cisco Ordering Home Page or ref...

Page 18: ...sion 7 0 Cisco Adaptive Security Device Manager Version 5 0 SERVICE AND SUPPORT Cisco offers a wide range of services programs to accelerate customer success These innovative service programs are delivered through a unique combination of people processes tools and partners resulting in high levels of customer satisfaction Cisco services help you protect your network investment optimize network ope...

Page 19: ...ssia Saudi Arabia Scotland Singapore Slovakia Slovenia South Africa Spain Sweden Switzerland Taiwan Thailand Turkey Ukraine United Kingdom United States Venezuela Vietnam Zimbabwe Copyright 2005 Cisco Systems Inc All rights reserved CCSP CCVP the Cisco Square Bridge logo Follow Me Browsing and StackWise are trademarks of Cisco Systems Inc Changing the Way We Work Live Play and Learn and iQuick Stu...

Page 20: ... 2005 Cisco Systems Inc All rights reserved Important notices privacy statements and trademarks of Cisco Systems Inc can be found on cisco com Page 20 of 20 ...

Reviews: