Cisco ASA 5500 Series: Don't Be Afraid of It
Transcript
Cisco ASA 5500 Series: Don't Be Afraid of It ☺
Tomáš Chott at Cisco [email protected]
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Agenda
• Cisco ASA 5500 Series Software Feature Overview
• Cisco ASA 5500 Series Platforms and Modules
• Cisco ASDM 6.0
• Teleworker Deployment Model
• Demo Scenario
• Configuration tasks

Cisco ASA 5500 Series: Breadth and Depth
Industry First Scalable, Multi-Function, Feature Rich Appliance

Firewall with Application Layer Security
• Multi-layer packet and traffic analysis
• Advanced application and protocol inspection services
• Network application controls
• Advanced VoIP/multimedia security

IPS and Anti-X Defenses
• Real-time protection from application and OS level attacks
• Network-based worm and virus mitigation
• Spyware, adware, malware detection and control
• On-box event correlation and proactive response

Access Control and Authentication
• Flexible user and network based access control services
• Stateful packet inspection
• Integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID

SSL and IPSec Connectivity
• Threat protected SSL and IPSec VPN services
• Zero-touch, automatically updateable IPSec remote access
• Flexible clientless and full tunneling client SSL VPN services
• QoS/routing-enabled site-to-site VPN

Cisco Intelligent Networking Services
• Low latency
• Diverse topologies
• Multicast support
• Services virtualization
• Network segmentation & partitioning
• Routing, resiliency, load-balancing

Cisco ASA 5500 Series Product Lineup
Solutions Ranging from SMB to Large Enterprise

| | Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550 |
|---|---|---|---|---|---|
| Target Market | Teleworker / Branch Office / SMB | SMB and SME | Enterprise | Medium Enterprise | Large Enterprise |
| Performance | | | | | |
| Max Firewall | 150 Mbps | 300 Mbps | 450 Mbps | 650 Mbps | 1.2 Gbps |
| Max Firewall + IPS | Future | 300 Mbps | 375 Mbps | 450 Mbps | N/A |
| Max IPSec VPN | 100 Mbps | 170 Mbps | 225 Mbps | 325 Mbps | 425 Mbps |
| Max IPSec/SSL VPN Peers | 25/25 | 250/250 | 750/750 | 5000/2500 | 5000/5000 |
| Platform Capabilities | | | | | |
| Max Firewall Conns | 10,000/25,000 | 50,000/130,000 | 280,000 | 400,000 | 650,000 |
| Max Conns/Second | 3,000 | 6,000 | 9,000 | 20,000 | 28,000 |
| Packets/Second (64 byte) | 85,000 | 190,000 | 320,000 | 500,000 | 600,000 |
| Base I/O | 8-port FE switch | 5 FE | 4 GE + 1 FE | 4 GE + 1 FE | 8 GE + 1 FE |
| VLANs Supported | 3/20 (trunk) | 50/100 | 150 | 200 | 250 |
| HA Supported | Stateless A/S (Sec Plus) | A/A and A/S (Sec Plus) | A/A and A/S | A/A and A/S | A/A and A/S |

Wide Range of Cisco ASA 5500 Series Security Service Modules (SSMs)

IPS Security Services Module (AIP SSM)
• Provides full-featured IPS and IDS services for protection of critical network assets
• Available in two models: SSM-10 and SSM-20
• Delivers up to 450 Mbps of IPS throughput
• Has thumbscrews for easy insertion/removal
• 10/100/1000 out-of-band management port
• Supported on ASA 5510, 5520, and 5540

Anti-X Security Services Module (CSC SSM)
• Provides full-featured Anti-X services (anti-virus, anti-spyware, anti-spam, anti-phishing, URL filtering, and more)
• Available in two models: SSM-10 and SSM-20
• Anti-virus and anti-spyware services licensed by number of users, others optional add-on
• Supported on ASA 5510, 5520, and 5540

4-Port GE Services Module (4GE SSM)
• I/O module offers four copper 10/100/1000 ports in addition to four SFP ports for improved flexibility and network segmentation
• Customers can use up to four ports total out of these eight ports, with the ability to mix and match copper and optical GE ports
• Supported on ASA 5510, 5520, and 5540

Cisco Adaptive Security Device Manager v6.0
Introduces a Wealth of New Features and Usability Enhancements
• Fresh new interface provides easy access to all services offered by ASA
• Security Dashboards
• Packet Tracer
• Packet Capture
• Provides live ACL hitcount in firewall rule table for easy policy auditing
• Real-Time Syslog Viewer
• Syslog to ACL correlation features
• New Wizards

Typical customer requirements
• Address translation (NAT)
• Traffic inspection at L2-L7
• Support for dynamic applications
• Branch office connectivity
• Remote Access VPN
• Web VPN (SSL VPN)
• Protection against threats from the Internet

Teleworker Deployment Model
Easy to Install Modern Networking Services
• Business VLAN
• Internet VLAN
• Secure access to both Home and Internet VLANs
• DHCP and Dynamic DNS services
• Power Over Ethernet for IP Phones and WiFi Access Points
• PPPoE support
• Backup ISP support (Security Plus)
• Home VLAN
• Secure access for a wide range of applications through the Internet VLAN
• DHCP Server Services

ASA for the first time
#Show version
#Show run
#Show flash
#Configure terminal
(config)#Configure factory-default
#Write memory / Write erase
#Reload

Configuration tasks
• Allowing authorized access only
• SSH access
• Logging
• DHCP
• Permitting traffic with ACLs
• NAT
• Traffic inspection
• AAA rules
• Protection against attacks
• Monitoring
• ...

Demo scenario
[Network diagram; labels as they appear on the slide]
• VLAN 10 – INSIDE
• VLAN 20 – OUTSIDE
• VLAN 30 – DMZ
• HTTP server 172.16.1.10
• Allow HTTP, ICMP
• Allow HTTP
• 172.16.1.1
• 10.0.0.0/24
• Inside E0/1
• DMZ E0/7
• Outside E0/0
• 10.0.0.1
• HTTP server
• Internet
• DHCP
• Allow everything, inspect HTTP, FTP
• Syslog server

External demos
• SSL VPN demo: https://vpndemo-external.cisco.com
• ASDM demo: http://www.cisco.com/go/asdm

Q and A