© 2005 Cisco Systems, Inc. All rights reserved.
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Feature | Benefit
transparent bridging modes
• Gives administrators granular control over protocols, and provides custom regular expression matching tools for businesses to craft environment-specific signatures
• Uses auto-update capability to download the latest threat information from Cisco.com (refer to Cisco Services for IPS for more information)
These features are available only when an AIP SSM is installed in a Cisco ASA 5500 Series appliance.
Multi-Vector Threat Protection
• Incorporates a variety of technologies to defend businesses from many popular forms of attacks, including DoS attacks, fragmented attacks, replay attacks, and malformed packet attacks
• Provides advanced attack protection features such as DNSGuard, FloodGuard, FragGuard, MailGuard, IPVerify, and TCP intercept to identify and stop a wide range of attacks
• Delivers advanced TCP stream reassembly and traffic normalization services to assist in detecting hidden application and protocol layer attacks
URL Filtering
• Enables robust employee Web usage management and control through integration with Websense- and Secure Computing/N2H2-based URL filtering solutions
• Supports HTTPS and FTP Web request filtering through enhanced Websense integration
ActiveX and Java Filtering
• Provides optional filtering of ActiveX and Java applets to prevent downloads of malware and the resulting damage malware can create
Network Containment and Control Services
Stateful Inspection Firewall Services
• Provides a wide range of perimeter network security services to prevent unauthorized network access
• Delivers robust stateful inspection firewall services that track the state of all network communications
• Provides flexible access-control capabilities for more than 100 predefined applications, services, and protocols, with the ability to define custom applications and services
• Supports inbound and outbound access control lists (ACLs) for interfaces, time-based ACLs, and per-user or -group policies for improved control over network and application usage
• Simplifies management of security policies by giving administrators the ability to create reusable network and service object groups that can be referenced by multiple security policies, simplifying initial policy definition and ongoing policy maintenance
Access Control Services
• Delivers a flexible solution for defining access control policies by including support for outbound ACLs (in addition to inbound ACLs), allowing access controls to be enforced as network traffic enters or exits an interface
• Gives administrators greater control over resource usage through time-based ACLs, which define when certain ACL entries are active, with custom time ranges applied to selected ACLs
• Offers a convenient troubleshooting tool that allows administrators to test and fine-tune ACLs without the need to remove and replace ACL entries
• Enables the creation of security policies based on interface name instead of IP address, a feature that is especially useful in broadband environments where the external interface is typically assigned a dynamic IP address
• Provides powerful reporting and troubleshooting capabilities that help enable collection of detailed statistics on which ACL entries are triggered by network traffic attempting to traverse a security appliance
• Gives precise control over which ACL entry-related syslog events are generated
• Supports dynamic downloading and enforcement of ACLs on a per-user basis, upon user authentication with the firewall
Object Grouping
• Enables administrators to group network objects (such as devices, networks, and services) into logical groups to greatly simplify access control rule definition and maintenance
NAT and PAT Services
• Provides rich dynamic, static, and policy-based NAT and PAT services
• Simplifies deployment of Cisco ASA 5500 Series appliances by eliminating the requirement for address translation policies to be in place before allowing network traffic to flow—now, only hosts and networks that require address translation will need to have address translation policies configured