ISA500
Next Generation SB UTM solution
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
A Layered Solution and Defense in Depth
(Layered: several systems work in parallel, addressing different layers and different entry points)
Diagram: the layered model, with controls grouped under Infrastructure, Secure Access, Traffic Control, Services and Security Connectivity. Controls shown: port-based security, spanning tree protection, policy enforcement, disabling unused services, hardened devices, anti-spoofing services, firewall, unauthorized access prevention, enabling only necessary services, intrusion prevention, virus prevention, worm mitigation, and virtual private networks.
Cisco's Broad Security Portfolio

SMB customers are looking for: multi-threat protection; an easy-to-use solution; affordability of both the solution and its support; enterprise-grade performance and scalability. The portfolio answers this with multi-service, in-depth protection and scalable performance.

Chart: ASA and ISA models positioned by segment, from SOHO and SMB (up to 500 Mbps) through Branch Office, Internet Edge and Campus to Data Center. Figures are firewall throughput and new connections per second (cps); models marked NEW are the current generation.

Model               Throughput   cps     Notes
ASA 5585-X SSP-60   40 Gbps      350K
ASA 5585-X SSP-40   20 Gbps      200K
ASA 5585-X SSP-20   10 Gbps      125K
ASA 5585-X SSP-10   4 Gbps       50K
ASA 5555-X          4 Gbps       50K     NEW
ASA 5545-X          3 Gbps       30K     NEW
ASA 5525-X          2 Gbps       20K     NEW
ASA 5515-X          1.2 Gbps     15K     NEW
ASA 5512-X          1 Gbps       10K     NEW
ASA 5550            1.2 Gbps     36K     Firewall/VPN only (as labelled in the chart)
ASA 5540            650 Mbps     25K
ASA 5520            450 Mbps     12K
ASA 5510 / 5510+    300 Mbps     9K
ASA 5505            150 Mbps     4K
ISA570              (SMB segment)        NEW
ISA500 and ASA positioning

• ISA500 are Cisco all-in-one security appliances (UTMs) targeted at single networks or smaller deployments.
• ASA is scalable for multi-site networks, comes with enterprise-grade support, and is part of the Cisco end-to-end Borderless architecture.

Small Business (UTM, FW, VPN): about 100 employees, few sites, all-in-one solution; STAC support, web GUI, OnPlus reporting.
Enterprise, Commercial, Mid-Market: high availability, several sites, central management, granular policies, TAC support.

RV series
• For SB customers who need a simple-to-use router with basic security
• Street price starts at $50

ISA500
• For SB customers who need all-in-one security, VPN/FW deployment flexibility, a security appliance integrated with routing and switching capabilities, and managed services offerings
• Price range $450 - $1,250

ASA 5505
• Entry-level performance
• Add modules (IPS etc.)
• Same configuration/software as the 5510 and higher
• Ideal for branch offices; Cisco software; starts at $500

ASA 5510 and higher (gigabit performance)
• For customers who need higher scalability and performance
• Street price starts at $2,000+
• Part of SecureX
How do I protect my business from spam, phishing and viruses?
You are 100% correct:
with a Cisco Security Appliance
Unified Threat Management (UTM)

Diagram: the UTM components around the appliance:
• Business-grade firewall
• Virtual private networking
• Intrusion prevention system
• Email safety and spam filtering
• URL filtering (e.g. blocking http://dangerous-website.com and http://inappropriate-website.com)
• Productivity

Not just a firewall: a comprehensive security solution for small businesses.
• ISA500 will replace the SA500 Series; ISA500 moves to Cisco security features

ISA security feature highlights

Feature                                                         SA500                ISA500
Cisco IPsec VPN (EzVPN) server and client for remote IPsec VPN  No (generic IPsec)   Cisco
Cisco AnyConnect SSL VPN server and client for remote SSL VPN   No (ODM SSL VPN)     Cisco
Cisco hardware VPN client for teleworker                        No                   Cisco
Web reputation filtering                                        Trend Micro          Cisco
Web URL filtering                                               Trend Micro          Cisco
Spam filter                                                     Trend Micro          Cisco
Network reputation                                              No                   Cisco
Zone-based firewall                                             No                   Cisco
Cisco cloud security reports                                    No                   Cisco

• Eases adoption for existing Cisco solution adopters
• Eases migration to future enterprise solutions
• Simplifies support
Cloud-Based Solution Keeping Security Protections Up-to-Date With Ease

Diagram: (1) constant threat and vulnerability collection and analysis by Cisco SIO; (2) superior and up-to-date security threat intelligence (Cisco Security Essential); (3) dynamic, new Internet threats. The ISA500 makes real-time queries to, and periodically downloads, the security data feeds behind:
• Web URL filtering
• Web threat protection
• Spam filtering
• Network reputation filtering
and delivers clean traffic to the business.

• Seamless security protection
• Low maintenance and operation effort
SB Networks

Diagram: a small-business premise (IT services, finance and application servers, inside users, desk/office staff, a conference-room visitor, public servers in a DMZ and an infected PC) protected by an ISA500 and connected over the Internet to a remote office, a SOHO, a mobile worker and a contractor working from anywhere. Internet threats shown: hackers, malware, spying and spoofing.

Prevent Internet threats
• SPI firewall, DMZ
• Spam filter for email protection
• Intrusion Prevention (IPS) with hardware acceleration
• Web URL filtering and threat protection
• Application control
• Network reputation filter
• Gateway anti-virus (AV)

Manage internal threats and access control
• Zone-based firewall
• Secure WLAN
• Rogue AP detection
• Guest access management
• Port-based authentication with 802.1X
• IPS/AV for internal traffic

Secure remote access
• Site-to-site VPN
• Remote access VPN: Cisco VPN client, Cisco AnyConnect client
• Teleworker VPN client mode

Blue = New in ISA500
Cisco ISA500 Model Overview

Security Appliance UTM Models

                                   ISA550     ISA550W    ISA570     ISA570W
Hardware
  Ports                            7 GE       7 GE       10 GE      10 GE
  Wireless (802.11b/g/n, 2.4 GHz)  No         Yes        No         Yes
  Security acceleration HW         No         No         Yes        Yes
Performance
  Firewall                         200 Mbps              500 Mbps
  VPN                              65 Mbps               125 Mbps
  AV                               60 Mbps               120 Mbps
  IPS                              80 Mbps               150 Mbps
  UTM *                            45 Mbps               80 Mbps
  Max connections                  15,000                40,000
  VPN tunnels (IPsec/SSL)          50/25                 100/50

* UTM performance is measured with HTTP traffic. Actual performance may vary depending on network traffic, conditions, and services enabled.
Package Selection
• All SKUs are bundled SKUs
• Bundle SKUs include hardware and the Comprehensive Security subscription service suite

Product bundle       Term     SKU                List*
Wired low-end        1-year   ISA550-BUN1-K9     $443
                     3-year   ISA550-BUN3-K9     $653
Wireless low-end     1-year   ISA550W-BUN1-K9    $524
                     3-year   ISA550W-BUN3-K9    $706
Wired high-end       1-year   ISA570-BUN1-K9     $792
                     3-year   ISA570-BUN3-K9     $1,202
Wireless high-end    1-year   ISA570W-BUN1-K9    $921
                     3-year   ISA570W-BUN3-K9    $1,286

Renewal SKUs for the Comprehensive Security subscription service suite will also be available.
* Subject to change
Diagram: Cisco Security Appliance between the office and the Internet, with the Trend Micro ProtectLink Gateway Service.

• The stateful firewall protects the office from the outside: connections can be initiated only from the inside, and only between the intended hosts.
• The zone-based firewall also places firewalls between hosts inside the office (e.g. guest network, printers, sales department, HR). Zones are placed in predefined security levels, which generate the default rules automatically.
• Anti-virus, anti-spam and web filtering increase productivity and filter threats before they enter the network.
• IPS looks inside allowed traffic for attack and malware signatures, and blocks specific applications (peer-to-peer, chat, etc.).
Security Services

Service                      Description
Anti-Virus & Anti-Spyware    Supports various applications, including web, email and file transfer. Scans traffic not only on HTTP (web) but also on SMTP, FTP, NetBIOS and CIFS to identify infected files and prevent them from being downloaded to users' devices.
Spam Filter                  Stops spam at the connection level
IPS                          Blocks malicious attacks
Application Access Control   Blocks unproductive application usage
Network Reputation           Blocks malicious senders
Web URL Filter               Blocks unwanted web site access by category, domain and URI
Web Threat Protection        Prevents access to dangerous web sites

• Contains 7 security services managed through one ISA500 Comprehensive Security license
• One license
• Cisco AnyConnect Mobile Client (SSL VPN)
• Zone-Based Firewall
The firewall is an inter-zone firewall; intra-zone traffic is not checked.
• Zone Definition
A zone is a group of VLANs/interfaces that have similar functions or features.
Each VLAN/interface can join only one zone.
Each zone can have multiple VLANs/interfaces.
• The firewall consists of three types of ACL rules
Default policies, user-defined ACLs and system-generated ACLs
• Session-Based Firewall
Packets belonging to the same session receive the same action.
• Users can configure firewall rules to control traffic from a particular source to a particular destination.
• Security Level (0 to 100)
Each zone is assigned a security level.
A zone with a higher security level CAN access a zone with a lower one.
A zone with a lower level CANNOT access a zone with a higher one.
Five security levels: Trusted (100), VPN (75), Public (50), Guest (25) and Untrusted (0).
Users can override the default policy by adding user-defined ACLs.

Default policy (row = From, column = To):

From \ To       Trusted (100)  VPN (75)  Public (50)  Guest (25)  Untrusted (0)
Trusted (100)   Deny           Permit    Permit       Permit      Permit
VPN (75)        Deny           Deny      Permit       Permit      Permit
Public (50)     Deny           Deny      Deny         Permit      Permit
Guest (25)      Deny           Deny      Deny         Deny        Permit
Untrusted (0)   Deny           Deny      Deny         Deny        Deny
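The rules on the zone slides (level-based default policy, user-defined ACL override, intra-zone traffic not checked, one verdict per session) combine into a small decision model. The following is an added example written for this page, not ISA500 code or configuration syntax. Zone names, the ACL fields and first-match ordering are assumptions. The Deny on the matrix diagonal is read as traffic between two different zones that share a level, which is what reconciles it with the statement that intra-zone traffic is not inspected; that reading is also an assumption.

```python
"""Zone-based firewall decision model: level-based default policy, user-defined
ACL override, intra-zone bypass and per-session verdict caching.

Added example for the ISA500 zone/security-level slides. Zone names, the ACL
fields and first-match ordering are assumptions, not ISA500 syntax.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Security levels from the slide. Several zones may share one level (assumption),
# so the default matrix below describes traffic between two *different* zones.
SECURITY_LEVELS: Dict[str, int] = {
    "trusted": 100, "vpn": 75, "public": 50, "guest": 25, "untrusted": 0,
}
PERMIT, DENY = "permit", "deny"


def default_policy(src_level: int, dst_level: int) -> str:
    """Default inter-zone policy: a strictly higher level may initiate traffic
    to a lower one; equal or lower levels are denied."""
    return PERMIT if src_level > dst_level else DENY


def default_matrix() -> Dict[Tuple[str, str], str]:
    """Rebuild the slide's From/To table: key = (source zone, destination zone)."""
    return {
        (src, dst): default_policy(s_lvl, d_lvl)
        for src, s_lvl in SECURITY_LEVELS.items()
        for dst, d_lvl in SECURITY_LEVELS.items()
    }


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Acl:
    """User-defined rule (hypothetical shape); None fields match anything."""
    src_zone: str
    dst_zone: str
    action: str
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (self.src_zone == f.src_zone and self.dst_zone == f.dst_zone
                and (self.proto is None or self.proto == f.proto)
                and (self.dst_port is None or self.dst_port == f.dst_port))


class ZoneFirewall:
    def __init__(self, levels: Dict[str, int], acls: List[Acl]):
        self.levels = levels
        self.acls = acls                       # evaluated top-down, first match wins
        self.sessions: Dict[tuple, str] = {}   # session key -> verdict

    def decide(self, f: Flow) -> str:
        # Intra-zone traffic is not inspected by the zone firewall.
        if f.src_zone == f.dst_zone:
            return PERMIT
        # Session-based: later packets of a session get the first packet's verdict.
        key = (f.proto, f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        if key in self.sessions:
            return self.sessions[key]
        # A user-defined ACL overrides the level-based default policy.
        verdict = next((a.action for a in self.acls if a.matches(f)), None)
        if verdict is None:
            verdict = default_policy(self.levels[f.src_zone], self.levels[f.dst_zone])
        self.sessions[key] = verdict
        return verdict


def demo() -> Dict[str, str]:
    """Constructed flows. One ACL lets guest Wi-Fi reach HTTPS on a public (DMZ)
    server; everything else falls back to the default matrix."""
    fw = ZoneFirewall(SECURITY_LEVELS, [
        Acl("guest", "public", PERMIT, proto="tcp", dst_port=443),
    ])
    flows = {
        "trusted_to_untrusted": Flow("trusted", "untrusted", "10.0.0.5", "203.0.113.9", "tcp", 51000, 443),
        "untrusted_to_trusted": Flow("untrusted", "trusted", "203.0.113.9", "10.0.0.5", "tcp", 40000, 445),
        "guest_to_public_https": Flow("guest", "public", "192.168.50.20", "172.16.1.10", "tcp", 52000, 443),
        "guest_to_public_ssh": Flow("guest", "public", "192.168.50.20", "172.16.1.10", "tcp", 52001, 22),
        "vpn_to_public": Flow("vpn", "public", "10.99.0.7", "172.16.1.10", "tcp", 53000, 80),
        "same_zone": Flow("trusted", "trusted", "10.0.0.5", "10.0.0.6", "tcp", 54000, 22),
    }
    return {name: fw.decide(f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Two points the model makes visible: an ACL added after a session has been established does not change that session's verdict (only new sessions see the new rule), and the guest ACL permits exactly one destination port, so the guest zone's default deny toward the DMZ still applies to everything else.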
18
Network Reputation Detection
SMTP Server IP checked
URL keyword/website checked
URL reputation checked
URL category checked
Protecting against network and
application-level attacks
Virus checked
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
18
19
• General Settings
Enable or disable AV,
specify the zones to
scan for viruses, and
configure the
preventive actions
for different types of
traffic
Select zones for A/V
processing.
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
19
20
• Web URL Filtering
1. HTTP request
2. Block and Whitelists checked (Content Filtering)
3. Web URL filtering (Query URL’s category and Action)
4. Report Delivered
5. Access this website
1
2
3
4
URL
OK?
5
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
20
21
Internet
Web URL Filter
Access
User
LAN Zone
© 2010 Cisco and/or its affiliates. All rights reserved.
VOICE Zone
Guest Zone
Cisco Confidential
21
• Choosing the reputation threshold and filling in the warning message shown when a URL is blocked
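The order of the web URL filtering steps above (local block and whitelists first, then the category lookup and its action) together with the reputation threshold and block message from this slide can be written out as one decision function. This is an added example for this page, not Cisco code: the lists, the category table, the reputation scores and the per-category actions are constructed stand-ins for the cloud lookups, and the rule that the whitelist wins over the block list is an assumption. The domain matching is done on label boundaries so that a host whose name merely ends in a listed string does not match, a mistake that substring-based list checks make.

```python
"""Web URL filtering decision order modelled on the ISA500 slides: local block
and allow lists first, then the URL's category and its configured action, then
the web reputation score against the configured threshold, and finally the
warning message for a blocked request.

Added example. The lists, category table, reputation scores and policy are
constructed stand-ins for the cloud lookups; they are not a Cisco data feed.
"""
from typing import Dict, Optional, Set, Tuple, TypeVar
from urllib.parse import urlsplit

T = TypeVar("T")

# Constructed local lists; a listed domain covers its subdomains.
ALLOW_LIST: Set[str] = {"intranet.example.com"}
BLOCK_LIST: Set[str] = {"inappropriate-website.com"}

# Constructed stand-ins for the category and reputation lookups.
CATEGORY_DB: Dict[str, str] = {
    "dangerous-website.com": "malware",
    "news.example.net": "news",
    "games.example.org": "games",
}
REPUTATION_DB: Dict[str, int] = {
    "dangerous-website.com": 10,
    "news.example.net": 85,
    "games.example.org": 60,
    "shady.example": 20,
}
# Per-category action; categories not listed are allowed (assumption).
CATEGORY_ACTION: Dict[str, str] = {"malware": "block", "games": "block", "news": "allow"}
REPUTATION_THRESHOLD = 40   # block pages scoring below this (constructed value)
WARNING_TEMPLATE = "Access to {host} was blocked by policy ({reason})."


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def in_domain_list(host: str, domains: Set[str]) -> bool:
    """Exact or parent-domain match on label boundaries, so that
    'notinappropriate-website.com' does not match 'inappropriate-website.com'."""
    return any(host == d or host.endswith("." + d) for d in domains)


def lookup(host: str, db: Dict[str, T]) -> Optional[T]:
    """Look the host up, then each parent domain (cdn.a.example -> a.example -> example)."""
    labels = host.split(".")
    for i in range(len(labels)):
        hit = db.get(".".join(labels[i:]))
        if hit is not None:
            return hit
    return None


def filter_url(url: str) -> Tuple[str, str]:
    """Return (action, reason) for an HTTP request to url."""
    host = host_of(url)
    if not host:
        return "block", "invalid-url"
    if in_domain_list(host, ALLOW_LIST):        # step 2: local lists win over cloud lookups
        return "allow", "allow-list"
    if in_domain_list(host, BLOCK_LIST):
        return "block", "block-list"
    category = lookup(host, CATEGORY_DB) or "uncategorized"   # step 3: category and action
    if CATEGORY_ACTION.get(category, "allow") == "block":
        return "block", f"category:{category}"
    score = lookup(host, REPUTATION_DB)                        # web threat protection
    if score is not None and score < REPUTATION_THRESHOLD:
        return "block", f"reputation:{score}"
    return "allow", f"category:{category}"


def warning_page(url: str) -> Optional[str]:
    """The message a blocked user sees; None when the request is allowed."""
    action, reason = filter_url(url)
    if action == "allow":
        return None
    return WARNING_TEMPLATE.format(host=host_of(url), reason=reason)


if __name__ == "__main__":
    for u in ("http://intranet.example.com/hr", "http://www.inappropriate-website.com/x",
              "http://cdn.dangerous-website.com/a.js", "http://shady.example/"):
        print(u, filter_url(u))
```

Because the whitelist is consulted before any cloud lookup, a whitelisted host is never reported to or scored by the category and reputation services; the same ordering also means a whitelist entry silently disables web threat protection for that domain, which is worth keeping in mind when adding entries.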
23
• Network Reputation
1. Any packet from LAN to WAN.
2. Check destination ip with local Database.
3. If it’s not in Database, then PASS.
4. If it’s in Database, then DROP.
1
2
Packets
To WAN
Check
DB
3
Safe
IP?
PASS
4
DROP
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
23
24
• If you have two ISP links, one for WAN1 and the other for WAN2, you
can configure the WAN redundancy to determine how the two ISP links
are used
ISP B
© 2010 Cisco and/or its affiliates. All rights reserved.
ISP A
Cisco Confidential
24
25
Load Balancing can be used
to stack the WAN bandwidth.
User can decide the weight
percentage between WAN
links.
20%
ISP B
© 2010 Cisco and/or its affiliates. All rights reserved.
80%
ISP A
Cisco Confidential
25
26
Load Balancing - Based on Real-time Bandwidth can adjust the weight of WAN links
dynamically according to the remaining bandwidth of each WAN.
WAN1, WAN2 Base
Bandwidth Setting
WAN1, WAN2 Used
Bandwidth
WAN1
Remaining
Bandwidth
WAN2
Remaining
Bandwidth
WAN1 : WAN2
Weight Ratio
T0
50M, 10M
0M, 0M
50M
10M
50:10
T1
50M, 10M
20M, 5M
30M
5M
30:5
T2
50M, 10M
50M, 5M
0M
5M
0:1
T3
50M, 10M
50M, 10M
0M
0M
50:10
Dynamical weight adjustment (10M – 5M) = 5M
:
(50M – 20M) = 30M
5 : 30
ISP B
© 2010 Cisco and/or its affiliates. All rights reserved.
ISP A
Cisco Confidential
26
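The weight computation in the table above can be recomputed, and extended with the part the slide leaves implicit: how a weight ratio turns into an assignment of new sessions to links. This is an added example for this page, not Cisco code. The fallback to the base setting when nothing remains on either link follows the T3 row; treating a failed link as zero weight (as on the failover slide) and using smooth weighted round-robin for the session assignment are assumptions. The T2 row comes out as 0:5, which the slide writes in reduced form as 0:1.

```python
"""WAN load-balancing weights from remaining bandwidth, reproducing the slide's
T0..T3 table, plus a weighted round-robin that assigns new sessions by weight.

Added example. The fallback to the base setting when no link has bandwidth
left follows the slide's T3 row; treating a failed link as zero weight and the
smooth weighted round-robin used for session assignment are assumptions.
"""
from collections import Counter
from typing import Dict, List, Optional


def remaining_bandwidth(base: Dict[str, int], used: Dict[str, int]) -> Dict[str, int]:
    """Remaining = base - used, floored at 0 (a link cannot go negative)."""
    return {link: max(base[link] - used.get(link, 0), 0) for link in base}


def dynamic_weights(base: Dict[str, int], used: Dict[str, int],
                    link_up: Optional[Dict[str, bool]] = None) -> Dict[str, int]:
    """Weight ratio = remaining bandwidth per link. A link reported down gets
    weight 0 (failover). If nothing remains anywhere, fall back to the base
    setting, as in the T3 row."""
    rem = remaining_bandwidth(base, used)
    if link_up:
        rem = {link: (rem[link] if link_up.get(link, True) else 0) for link in rem}
    if sum(rem.values()) == 0:
        return dict(base)
    return rem


def ratio_string(weights: Dict[str, int]) -> str:
    """Render weights in link-name order, e.g. {'WAN1': 30, 'WAN2': 5} -> '30:5'."""
    return ":".join(str(weights[link]) for link in sorted(weights))


def assign_sessions(weights: Dict[str, int], count: int) -> List[str]:
    """Smooth weighted round-robin: over sum(weights) picks each link is chosen
    exactly weight times, interleaved rather than in one burst. Existing
    sessions are not moved; only new sessions are placed (assumption)."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("no usable WAN link")
    current = {link: 0 for link in weights}
    picks: List[str] = []
    for _ in range(count):
        for link in current:
            current[link] += weights[link]
        best = max(sorted(current), key=lambda link: current[link])  # ties -> first by name
        current[best] -= total
        picks.append(best)
    return picks


def session_split(weights: Dict[str, int], count: int) -> Dict[str, int]:
    """How many of `count` new sessions land on each link."""
    return dict(Counter(assign_sessions(weights, count)))


def slide_table() -> Dict[str, str]:
    """Recompute the T0..T3 rows from the slide's figures (in Mbit/s)."""
    base = {"WAN1": 50, "WAN2": 10}
    samples = {
        "T0": {"WAN1": 0, "WAN2": 0},
        "T1": {"WAN1": 20, "WAN2": 5},
        "T2": {"WAN1": 50, "WAN2": 5},
        "T3": {"WAN1": 50, "WAN2": 10},
    }
    return {t: ratio_string(dynamic_weights(base, used)) for t, used in samples.items()}


if __name__ == "__main__":
    for t, ratio in slide_table().items():
        print(t, ratio)
    print(session_split({"WAN1": 30, "WAN2": 5}, 35))
```

The T3 fallback deserves a second look in practice: with both links saturated, reverting to 50:10 keeps sending five sixths of new sessions to the link that is just as full as the other, so a deployment might prefer to fall back to the base ratio only after a grace period or to the link with the smaller queue. The slide does not say which, so the code follows the table.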
27
If a failure is detected on the primary link, then all Internet traffic is
directed to the backup link.
When the primary link regains connectivity, all Internet traffic is directed
to the primary link and the backup link becomes idle.
ISP B
© 2010 Cisco and/or its affiliates. All rights reserved.
ISP A
Cisco Confidential
27
28
•
•
Configuring Authentication Server and Authenticated VLAN
Authentication mode options have Forced Authorized/Unauthorized or
Auto mode
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
28
29
Every user belongs to one group and only one
Local database, LDAP and AAA authentication
Service privileges are bound to a group
Available Services are:
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
29
30
• Address Group is a set of Address Objects
Address Group can be used in ACL Rules and VPN Settings
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
30
31
802.11n
2.4GHZ band
Multiple SSID support
Various Security Modes
MAC filtering
VLANs
Scheduling
WPS
Captive Portal
Rogue AP detection
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
31
Example of Use Case: Internet & Guest Access Gateway at a Dental Office
Key applications:
• Secure wireless connectivity for mobile devices
• Visitor Internet access with intranet isolation
Diagram: the ISA between the Internet, a guest hotspot and the WLAN intranet.
ISA500 solution:
• WiFi with multi-SSID
• Zone firewall with guest VLAN
• Captive portal
Example of Use Case: Teleworker Device
Key applications:
• Secure always-on company network connection
• Company and family network isolation and policy support
Diagram: the ISA at the teleworker's home, with the family networks local and the company networks reached over a VPN across the Internet.
ISA500 solution:
• Cisco EzVPN hardware client
• Split tunneling support
• Zone firewall
• 802.1X
• UTM multi-threat protections
Helps an SMB partner gain deeper insight into a customer's network usage and security performance, and provide recommendations and informed advice based on captured trends.
Targeted availability: Nov 2012
Requires an ON100 subscription

Detailed security reports from the Cisco ISA500:
- Network resource utilization: VPN usage, web usage (top visited sites, web category), mail usage, FTP usage, bandwidth utilization
- Security performance: virus attacks, firewall attacks, web threats, intrusions, spam
- Appliance status: device utilization (CPU, memory, flash), up/down stats, login attempts

Partners can:
• View security service reports and events in a separate, consolidated dashboard
• Schedule security reports to be sent automatically and directly to their customers
• Personalize reports and add custom recommendations based on observations of the data and trends captured in the reports
• Store reports safely in the cloud without the hassle of local storage
OnPlus Advanced Security Service: Key Benefits
Partner value, partner margins

Diagram: Cisco-hosted OnPlus serving a VAR that manages Customer A (Site 1, Site 2) and Customer B; the ISA500 at each site reports into OnPlus. Connected devices: switch, router, security appliance, NAS, printer, iPad, iPhone, etc.

OnPlus baseline: dashboard view, device discovery and topology, support contract status, configuration backup and restore, firmware upgrade, event monitoring, etc.
Added by the service: security reports, network usage reports, appliance status reports.

• Easy to manage: single interface for all technologies
• Easy to start: Cisco hosted
• Profitability: enables a managed security service

Notes:
• Partner focus
• Not meant for end users or SPs today
• Users can still use the device GUI via HTTPS
Reports can be generated individually or grouped, on demand or scheduled.
OnPlus Security Reports Service
Partner value, partner margins

Diagram: the stack from the security platform up to the reports service.

Security platform (ISA5xx)
• Firewall, VPN, routing and switching

Threat protection services
• Anti-virus, anti-spam
• IPS, anti-spyware
• URL filtering, web threat protection
• Network reputation

Remote network management (OnPlus)
• Customer dashboard
• Network topology
• Device connectivity
• Backup and restore
• Upgrades, maintenance

Security reports service (OnPlus Security)*
• Security report: virus, firewall attacks, intrusions, spam, web threat, web filter
• Resource usage: VPN, web, mail, FTP, bandwidth
• Appliance status: CPU, flash, memory utilization, failed logins

* Post market introduction