ASK THE EXPERT- CISCO ADAPTIVE SECURITY APPLIANCE (ASA) 5500 SERIES

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Michael K. Jones the Cisco ASA 5500 Series, a multi-function security/VPN device that delivers a suite of rich, market-proven security and VPN services without compromising features or performance. Michael is the senior product line manager for the Cisco Adaptive Security Appliance (ASA) 5500 and Cisco PIX Security Appliance families.

 

Remember to use the rating system to let Michael know if you have received an adequate response.

 

Michael might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 1. Visit this forum often to view responses to your questions and the questions of other community members.


Hey Don,

Anti-X/NW AV mainly pertains to the full inline protection capabilities offered by the AIP-SSM. By running full-function IPS 5.0 software, the AIP-SSM effectively enables its vast collection of IPS and NW AV signatures (from Trend Micro) to mitigate threats popularly seen on today's networks. Hope this helps clarify your confusion.

Regards,

Nishant

Great question - I'll add some additional background to Nishant's response. The Cisco ASA 5500 Series provides a wide range of Anti-X services for our customers today, and those capabilities will continue to grow in the future as well. We use the term Anti-X to refer to the ever-growing range of threats that exist in networks today. These threats include things like worms, spyware, peer-to-peer file sharing, other forms of malware, directed attacks, and much more. When a Cisco ASA 5500 Series appliance is combined with one of our Advanced Inspection and Prevention Security Services Modules (AIP SSM for short), customers get a wide range of high performance IPS and Anti-X services.

There are two different forms of anti-virus generally accepted in the market today - "network-based antivirus" and "file-based antivirus." Network-based antivirus services look at network traffic flowing through the appliance and are designed to stop worms, spyware, and other forms of malware that are trying to spread throughout a network. File-based antivirus services look at things like email file attachments and HTTP/FTP downloads for viruses contained within. Today, the Cisco ASA 5500 Series with an AIP SSM module provides network-based antivirus services, and blocks the wide range of threats mentioned in my first paragraph above.

We have over 1400 signatures today for different threats, but we also utilize other technologies like anomaly detection to detect different threats. You can see all of the different signatures we support by accessing the "Cisco IPS Alert Center" via the URL below. Below is just a sampling of the many threats the Cisco ASA 5500 Series protects customers from:

Peer-to-peer: KaZaA, Bittorrent, WinMX, eDonkey, Bearshare, Soulseek, Limewire, etc.

Instant Messaging: AIM, MSN, Yahoo, Jabber, ICQ, IRC, etc.

Worms: Slammer, Blaster, Witty, Code Red, NIMDA, etc.

Backdoors: Subseven, Trinoo, Back Orifice, Netspy, etc.

Directed attacks: Buffer overflows, SQL injection, shell/command execution, stack/heap attacks, etc.

http://www.cisco.com/pcgi-bin/front.x/ipsalerts/ipsalertsHome.pl

I hope this clarifies things further for you.

Regards,

Mike Jones

ELENA OKULOVA
Level 1

Michael, I also beg you to clarify the "antivirus" stuff that can be noticed in marketing descriptions of the ASA5500. Since the ASA5500 and PIX run the same software (I believe), I did not find any docs on antivirus features, except that an IPS AIM can be installed in the ASA5500 chassis, but IPS is not an antivirus either.

We are all waiting on an inline antivirus device from Cisco - this is what several other vendors have and what we have to use in our solutions.

Hi there

Please look at my recent response to this thread about the wide range of IPS and Anti-X services that we provide, including "network-based antivirus" services - it provides a good overview of the types of services we provide. These services are available and shipping today. As mentioned in other posts in this forum, the Cisco ASA 5500 Series combines technology from all of our different market-leading security appliance product families, such as the Cisco PIX 500 Series Security Appliances, Cisco VPN 3000 Concentrators, and Cisco IPS 4200 Series Sensors. You can read more about the specific software features available on the Cisco ASA 5500 Series in a recently posted software datasheet:

http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd802c1d00.html

Regards,

Mike Jones

pxh
Level 1

Hi Mike,

We are planning to use VPN and FW features on two ASA 5520 boxes. Can we run Active/Active with those two services enabled?

By default, each 5520 can handle up to 300 concurrent VPN clients. Can two boxes handle 600 concurrent users in A/A configuration?

Thanks

PH

Hi PH,

Currently Active/Active FO is supported for Firewall traffic only, while the Active/Standby configuration supports both Firewall and VPN traffic.

Regarding your second question, if you cluster two or more ASA appliances you can linearly increase the number of VPN peers terminated by the cluster.

Regards,

Nishant

Nishant -

So if I read your reply right, Active/Active will not let the ASA act as a VPN concentrator as well as a firewall?

Is this correct, or is the firewall Active/Active while the VPN connections are clustered (if both appliances are configured properly)?

Thanks.

...Nick

Hi Nick

That is correct, today VPN services on the Cisco ASA 5500 Series are not virtualized, which is a requirement before you can use them with our Active/Active stateful failover services. Since this is a public forum, I cannot speak to when this capability may appear on the Cisco ASA 5500 Series.

However, you can use the integrated VPN clustering and load balancing capabilities of the Cisco ASA 5500 Series today and provide simultaneous firewall, IPS, Anti-X, etc. services for those connections. This gives you additional VPN headend capacity that can scale linearly, but does not provide stateful failover for those connections.

Your other option is to deploy the systems as an Active/Standby failover pair, which provides complete stateful failover for firewall and VPN services. It also allows you to use all of the other services that the Cisco ASA 5500 Series has to offer, like full-featured IPS/Anti-X services. You can also take advantage of our "VPN Plus" and "VPN Premium" licenses to further extend the overall VPN capacity of the platforms you deploy.

I hope this clarifies the questions that you had.

Regards,

Mike Jones
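As an added illustration (this is not part of Mike's or Nishant's replies), here is what the VPN clustering and load balancing described above looks like in ASA 7.x CLI on one member of a two-unit cluster. The interface names, addresses and the cluster key are placeholders assumed for the example; the second member gets the same block with its own interface addresses and a lower priority.

```cisco
! Added example: VPN load-balancing cluster member (ASA 7.x CLI).
! Names, addresses and the shared key below are placeholders.
! The outside interface of every member must sit on the same subnet as
! the virtual cluster address, and every member needs the same
! tunnel-group / group-policy configuration so a client can land on any unit.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.11 255.255.255.0
 no shutdown
!
vpn load-balancing
 ! public side faces the remote-access clients, private side carries
 ! the cluster's own control traffic between members
 interface lbpublic outside
 interface lbprivate inside
 ! virtual address the remote-access clients connect to
 cluster ip address 203.0.113.10
 cluster port 9023
 ! authenticate and encrypt the cluster control traffic between members;
 ! "cluster key" must be configured before "cluster encryption"
 cluster key L0adBal-Sh4red-Key
 cluster encryption
 ! higher priority is preferred as cluster master; give the other unit a lower value
 priority 10
 participate
```

Check membership with "show vpn load-balancing". As Mike notes, this spreads sessions and adds headend capacity but does not replicate tunnel state: a client that was on a failed member reconnects to the virtual address and is redirected to a surviving unit. Without "cluster key" and "cluster encryption" the redirect and peer messages travel unauthenticated on the private side.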

Nick Egloff
Level 1

The ASA5500 family in theory looks like a good consolidation of features into a single appliance (or pair for redundancy).. How does the performance compare to some of the A/S models for PIX, Concentrator, etc, and when you are looking at consolidating (for example, we have A/S PIX 515E and a VRRP pair of VPN3015s that a pair of these *might* replace), how does performance compare when it's performing multiple services vs the standalone appliances?

Also, from a design question, the PIX had a separate interface for failover - does this as well, or does it just use the internal interface to exchange updates?

Is there any plan to make additional interfaces available in this appliance, or is it capped at 4 GE?

Thanks for being available in this forum to answer questions like this!! :-)

...Nick

Hi Nick,

You can find the various performance points as well as capacities at www.cisco.com/go/asa. Please refer to the At A Glance document to find a comparison between the pure Firewall performance versus the Firewall and full inline IPS (via the AIP-SSM card) running concurrently.

Regarding the failover question, the ASA replicates the PIX LAN based failover behavior, so you will need a dedicated interface to run the failover updates between units.

Regarding the additional interfaces, yes, definitely the plan is to provide additional I/O capability on the ASA series. These interface cards can be used in the SSM slot on the appliance and will provide increased port density for diverse 10/100/1000 Mbps port terminations.

Regards,

Nishant
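To make the dedicated failover interface concrete, here is an added example (not from the replies above) of the Active/Standby LAN-based failover Mike and Nishant describe, as configured on the primary unit in ASA 7.x CLI. Interface names, addresses and the shared key are placeholders assumed for the example.

```cisco
! Added example: Active/Standby LAN-based failover, primary unit (ASA 7.x CLI).
! Interface names, addresses and the key are placeholders.
! GigabitEthernet0/3 is dedicated to failover; it carries configuration sync
! and, as the stateful link here, connection-state replication. Connect it
! back-to-back or through an isolated switch/VLAN, never a user-facing segment.
interface GigabitEthernet0/3
 description dedicated failover + stateful link
 no shutdown
!
! Every data interface needs an active and a standby address so the
! units can swap roles without renumbering.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Without a key, failover messages (including the replicated configuration,
! passwords and all) cross the link in clear text.
failover key F41l0ver-Sh4red-Key
failover
!
! On the secondary unit only these lines are needed; the rest is replicated:
!   failover lan unit secondary
!   failover lan interface FOLINK GigabitEthernet0/3
!   failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!   failover key F41l0ver-Sh4red-Key
!   failover
```

"show failover" on either unit shows the roles and the state of the link. Active/Active, by contrast, requires multiple context mode ("mode multiple") with contexts assigned to failover groups, and since VPN is not available in multiple context mode in this release, that is the reason behind the "firewall traffic only" answer given above.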

Nishant -

Thanks for the reply; I know better (grin) than to ask for an exact date for the expandability, but is there at least a 'quarter' in which they are looking to provide this?

We are looking to replace a few 515e's that have currently 2 DMZs and they want to add an extranet segment to this; obviously, by the time I take up failover, internal and external, that only leaves me 1 interface for both DMZs and an extranet too... So I'm a little port-bound.

I like the feature sets, and will look at the performance data, but I really need some interfaces, or will need to further break out the data via multiple virtual interfaces, 802.1q and VACLs or something along those lines. Any idea of even planned timelines on this would be great.

Thanks.

...Nick

Hi Nick

Please keep in mind that Cisco ASA 5500 Series appliances support 802.1q VLAN-based virtual interfaces today. As you note, you can use those capabilities to create a multi-DMZ environment and tie into all the critical VLANs in your network environment. For example, the Cisco ASA 5540 supports up to 100 VLANs. As Nishant said, we will have further I/O expansions capabilities in the future, but since this is a public forum we cannot give out specific timeframes.

Regards,

Mike Jones
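As an added example (not part of Mike's reply), this is how the 802.1q virtual interfaces he mentions carve one physical port into the two DMZs and the extranet segment Nick is asking about, in ASA 7.x CLI. VLAN IDs, interface names and addresses are placeholders assumed for the example.

```cisco
! Added example: two DMZs and an extranet on one physical port using
! 802.1q subinterfaces (ASA 7.x CLI). VLAN IDs, names and addresses
! are placeholders.
! The physical trunk port itself gets no name, security level or address;
! untagged frames arriving on it are therefore dropped.
interface GigabitEthernet0/2
 description 802.1q trunk to DMZ/extranet switch
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/2.10
 vlan 10
 nameif dmz1
 security-level 50
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface GigabitEthernet0/2.20
 vlan 20
 nameif dmz2
 security-level 50
 ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
!
interface GigabitEthernet0/2.30
 vlan 30
 nameif extranet
 security-level 40
 ip address 172.16.30.1 255.255.255.0 standby 172.16.30.2
!
! dmz1 and dmz2 share security level 50. By default the ASA drops traffic
! between interfaces of equal security level, which is usually what you
! want for separate DMZs. Only enable the following if the two segments
! really should reach each other, and then restrict it with access-lists:
!   same-security-traffic permit inter-interface
```

Verify with "show nameif" and "show interface". On the switch side, configure the port as an 802.1q trunk whose allowed-VLAN list is pruned to exactly 10, 20 and 30, so that a stray VLAN on the trunk cannot become an unexpected path into a DMZ.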

pxh
Level 1

Hi Mike,

Thank you for the information in the previous question.

Can ASA do URL web filtering? The presentation material provided at the Federal Security seminar in DC on 6/16/05 states that

"On-board URL filtering and blocking services

No need for separate server and traffic re-direct"

Is the URL filtering feature available now? If not, when will it be available? Is it a standard or upgrade feature?

Can a standby ASA box accept remote access VPN requests after the active ASA box reaches the limit of vpn connections?

thanks

PH

Hi PH

Glad we can help. The Cisco ASA 5500 Series integrates with several market-leading URL filtering solutions from Websense and Secure Computing/N2H2. These solutions provide very robust URL filtering/Employee Internet Management services, supporting a large number of highly categorized URLs, extensive reporting capabilities, flexible usage policies, etc. These systems do require a separate server or appliance to deploy these services, but they do provide significantly more advanced URL filtering services than you can find in other "all-in-one" solutions that have integrated URL filtering.

Regarding your question about remote access VPN scalability, what you are describing sounds like two systems dynamically changing from an Active/Standby to Active/Active failover model - that is not supported. However, you can use the VPN clustering and load balancing services that the Cisco ASA 5500 Series provides to do essentially what you are asking about - it will dynamically load balance remote access VPN connections over 2 or more appliances that are in a cluster.

I hope this clarifies your questions.

Regards,

Mike Jones
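As an added example (not from Mike's reply), this is the "separate server" arrangement he describes in ASA 7.x CLI: the appliance forwards each HTTP request's URL to a Websense (or N2H2) server for a verdict. Addresses and interface names are placeholders assumed for the example.

```cisco
! Added example: external URL filtering server (ASA 7.x CLI).
! Addresses and names are placeholders. Swap "vendor websense" for
! "vendor n2h2" to use a Secure Computing/N2H2 server.
! The filter server is reached through the inside interface.
url-server (inside) vendor websense host 192.168.1.50 timeout 30 protocol TCP version 4
!
! Cache verdicts per destination so repeated hits do not wait on the server.
url-cache dst 128
!
! Filter all outbound HTTP from any local host to any foreign host.
! Fail-closed is the default: if the url-server is unreachable, HTTP is blocked.
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
!
! The same line with "allow" fails open (HTTP permitted while the server is down).
! That trades policy enforcement for availability; choose it deliberately:
!   filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
!
! Exempt a management subnet from filtering.
filter url except 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0
```

"show url-server" and "show url-server statistics" confirm that the server is up and answering. The category database and the policy live on the filtering server, so its availability and the path from the inside interface to it are part of the security design, not just a performance concern.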

j.hato
Level 1

Hi Moderator,

1. Does the Cisco ASA 5500 support web URL filtering?

2. Will the Cisco ASA 5500 control user traffic? Let's say user "A" can only go online for 5 MByte a day and/or can download 10 MByte a day from the Internet.

3. Will the Cisco ASA 5500 have a scheduled policy or time-based access-list? Let's say access-list 1 for 08:00 to 17:00 and access-list 2 for 17:00 to 21:00.

Thanks in advance
