ISA500 Next Generation SB UTM Solution
Cisco's Secure Network: A Layered Solution and Defense in Depth
(Layered: several systems work in parallel, addressing different layers and different entry points.)
Infrastructure
• Secure Access
• Traffic Control
• Port-Based Security
• Spanning Tree Protection
• Policy Enforcement
Hardened Devices
• Disable Unused Services
• Enable Necessary Services
Firewall
• Anti-Spoofing Services
• Unauthorized Access Prevention
Intrusion Prevention
• Virus Prevention
• Worm Mitigation
Security Connectivity
• Virtual Private Network
Cisco Security Product Positioning: Cisco's Broad Security Portfolio
Deployment scale, from left to right: SOHO, Branch Office, Internet Edge, Campus, Data Center. Performance and scalability increase toward the right (cps = connections per second).
Enterprise-grade ASA 5500-X, multi-service with in-depth protection:
• ASA 5585-X SSP-60 (40 Gbps, 350K cps)
• ASA 5585-X SSP-40 (20 Gbps, 200K cps)
• ASA 5585-X SSP-20 (10 Gbps, 125K cps)
• ASA 5585-X SSP-10 (4 Gbps, 50K cps)
• ASA 5555-X (4 Gbps, 50K cps)
• ASA 5545-X (3 Gbps, 30K cps)
• ASA 5525-X (2 Gbps, 20K cps)
• ASA 5515-X (1.2 Gbps, 15K cps)
• ASA 5512-X (1 Gbps, 10K cps)
ASA 5500, firewall/VPN only:
• ASA 5550 (1.2 Gbps, 36K cps)
• ASA 5540 (650 Mbps, 25K cps)
• ASA 5520 (450 Mbps, 12K cps)
• ASA 5510 and ASA 5510+ (300 Mbps, 9K cps)
• ASA 5505 (150 Mbps, 4K cps)
SMB, max 500 Mbps:
• ISA570
What the SMB customer is looking for: multi-threat protection; an easy-to-use solution; affordability of both the solution and its support; multi-service, in-depth protection; scalable performance.
Strategic Positioning
• ISA500 appliances are Cisco all-in-one security appliances (UTMs) targeted at single networks or smaller deployments: UTM, firewall and VPN in one box.
• ASA scales to multi-site networks, with enterprise-grade support and the Cisco end-to-end Borderless Network architecture.
How do I protect my business from spam, phishing, and viruses?
Cisco Threat Defense – ISA500 Unified Threat Management (UTM)
• Business-grade firewall
• Intrusion Prevention System
• Email safety and spam filtering
• Virtual Private Networking
• Productivity: URL filtering (e.g. blocking http://dangerous-website.com or http://inappropriate-website.com)
Not just a firewall: a comprehensive security solution for small businesses.
Cisco ISA500 Product Transitions
• ISA500 replaces the SA500 Series; ISA500 moves to Cisco security features
• Eases adoption for existing Cisco solution adopters
• Eases migration to future enterprise solutions
• Simplifies support
Cloud-Based Threat Protection with Cisco Security Intelligence Operations (SIO)
1. Cisco SIO constantly collects and analyzes threat and vulnerability data, providing superior, up-to-date threat intelligence.
2. The ISA500 runs real-time queries against, and periodically downloads, the security data feeds behind Cisco Security Essentials: web URL filtering, web threat protection, spam filtering and network reputation filtering.
3. Dynamic, new Internet threats are stopped at the ISA500 and the business receives clean traffic.
A cloud-based solution keeps the security protections up to date with ease: seamless security protection with low maintenance and operation effort.
All-in-One Security: Protect the Small Business on All Fronts
(Diagram: the small business premise with finance and application servers, public servers, IT services and users at desks, in the conference room, SOHO, contractors, visitors and staff; a remote office reached by site-to-site VPN; a teleworker using VPN client mode; a mobile worker using remote-access VPN with the Cisco VPN client or Cisco AnyConnect client. Threats shown: spying and spoofing, Internet threats (hackers, malware) and an infected PC inside the SB network. Items highlighted on the original slide are new in ISA500.)
Prevent Internet threats:
• SPI firewall, DMZ
• Spam filter for email protection
• Intrusion Prevention (IPS) with hardware acceleration
• Web URL filtering and threat protection
• Network reputation filter
• Application control
• Gateway anti-virus (AV)
Manage internal threats and access control:
• Zone-based firewall
• Secure WLAN
• Rogue AP detection
• Guest access management
• Port-based authentication with 802.1X
• IPS/AV for internal traffic
Secure remote access:
• Site-to-site VPN
• Remote-access VPN (Cisco VPN client, Cisco AnyConnect client)
• Teleworker VPN client mode
Cisco ISA500 Model Overview
* UTM performance is measured with HTTP traffic. Actual performance may vary depending on network traffic, conditions, and the services enabled.
ISA500 Product SKUs At A Glance
• All SKUs are bundled SKUs
• Bundle SKUs include the hardware and the comprehensive security subscription service suite
• Renewal SKUs for the comprehensive security subscription service suite will also be available
* Subject to change
Cisco Security Appliance: How Does It Work (with the Trend Micro ProtectLink Gateway Service)
• A stateful firewall protects the office from the Internet. Data connections are only possible from the inside, and only between the hosts intended.
• The zone-based firewall also enforces policy between hosts inside the office (e.g. guest network, printers, sales department, HR). Zones are placed in predefined security classes with automatic rules.
• Anti-virus, anti-spam and web filtering increase productivity and filter threats before they even enter the network.
• IPS looks inside allowed traffic, searching for virus and attack patterns, and can block specific applications (peer-to-peer, chat, etc.).
ISA500 Comprehensive Security Subscription Service Suite
• Contains 7 security services managed through one ISA500 Comprehensive Security license (one license)
• Cisco AnyConnect Mobile Client (SSL VPN)
ISA500 Firewall - Overview
• Zone-Based Firewall
  • The firewall is an inter-zone firewall; intra-zone traffic is not checked.
• Zone Definition
  • A zone is a group of VLANs/interfaces that have similar functions or features
  • Each VLAN/interface can join only one zone
  • Each zone can have multiple VLANs/interfaces
• The firewall consists of three types of ACL rules
  • Default policies, user-defined ACLs and system-generated ACLs
• Session-Based Firewall
  • Packets belonging to the same session get the same action.
Firewall - Access Control List
• The user can configure firewall rules that control traffic from a particular source to a particular destination
Firewall - Default Policies
• Security Level (0 to 100)
  • Each zone is assigned a security level
  • A zone with a higher security level CAN access a zone with a lower one
  • A zone with a lower security level CANNOT access a zone with a higher one
  • Five security levels: Trusted (100), VPN (75), Public (50), Guest (25) and Untrusted (0)
• The user can override the default policy by adding a user-defined ACL.
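The zone, ACL and default-policy rules above combine into one evaluation order that is easy to get wrong when reading a rule table, so here is a small model of it. This is an added example, not ISA500 code: the evaluation order (established session, then intra-zone passthrough, then user-defined ACL with first match winning, then the security-level default policy) and the treatment of two zones at the same level as deny are assumptions, since the slides do not spell them out; the zone names, interface names and addresses are constructed.

```python
# Added example (not ISA500 code): a model of the zone-based firewall evaluation
# described above. Assumed evaluation order: known session -> intra-zone passthrough
# -> user-defined ACL (first match) -> default policy from zone security levels.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# The five default security levels from the slide; higher may reach lower, not vice versa.
SECURITY_LEVELS = {"trusted": 100, "vpn": 75, "public": 50, "guest": 25, "untrusted": 0}


@dataclass(frozen=True)
class Rule:
    """One user-defined ACL entry: traffic from src_zone to dst_zone, matched on
    destination network and (optionally) destination port."""
    src_zone: str
    dst_zone: str
    dst_net: str                 # e.g. "192.0.2.0/24"; "0.0.0.0/0" for any
    dst_port: Optional[int]      # None = any port
    action: str                  # "permit" or "deny"


@dataclass
class ZoneFirewall:
    interface_zone: Dict[str, str]                 # each VLAN/interface joins exactly one zone
    rules: List[Rule] = field(default_factory=list)
    sessions: Dict[Tuple, str] = field(default_factory=dict)   # permitted sessions only

    def _default_policy(self, src_zone: str, dst_zone: str) -> str:
        # Only a strictly higher level may initiate; equal levels are treated as
        # deny here (an assumption; the slide does not say).
        return "permit" if SECURITY_LEVELS[src_zone] > SECURITY_LEVELS[dst_zone] else "deny"

    def _user_acl(self, src_zone, dst_zone, dst_ip, dst_port) -> Optional[str]:
        for r in self.rules:                       # first matching rule wins
            if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
                continue
            if ip_address(dst_ip) not in ip_network(r.dst_net):
                continue
            if r.dst_port is not None and r.dst_port != dst_port:
                continue
            return r.action
        return None                                # no user rule: fall back to default policy

    def decide(self, in_iface, out_iface, src_ip, src_port, dst_ip, dst_port, proto="tcp") -> str:
        fwd = (proto, src_ip, src_port, dst_ip, dst_port)
        rev = (proto, dst_ip, dst_port, src_ip, src_port)
        # Session-based: every packet of an established (permitted) session, including
        # the reply direction, gets the session's action without re-evaluating the ACL.
        if fwd in self.sessions or rev in self.sessions:
            return "permit"
        src_zone = self.interface_zone[in_iface]
        dst_zone = self.interface_zone[out_iface]
        if src_zone == dst_zone:
            verdict = "permit"                     # intra-zone traffic is not inspected
        else:
            verdict = (self._user_acl(src_zone, dst_zone, dst_ip, dst_port)
                       or self._default_policy(src_zone, dst_zone))
        if verdict == "permit":
            self.sessions[fwd] = verdict
        return verdict


def example_firewall() -> ZoneFirewall:
    """Constructed topology: two trusted VLANs, a guest VLAN, a public DMZ and the WAN."""
    return ZoneFirewall(
        interface_zone={"vlan1": "trusted", "vlan2": "trusted", "vlan10": "guest",
                        "dmz0": "public", "wan1": "untrusted"},
        rules=[
            # Override the default permit: block outbound SMTP from the trusted LAN.
            Rule("trusted", "untrusted", "0.0.0.0/0", 25, "deny"),
            # Override the default deny: let guests reach the DMZ web server only.
            Rule("guest", "public", "192.0.2.0/24", 80, "permit"),
        ],
    )


if __name__ == "__main__":
    fw = example_firewall()
    print(fw.decide("vlan1", "wan1", "10.0.0.5", 40000, "198.51.100.7", 443))  # permit (default)
    print(fw.decide("wan1", "vlan1", "198.51.100.7", 443, "10.0.0.5", 40000))  # permit (reply of session)
    print(fw.decide("wan1", "vlan1", "203.0.113.9", 5555, "10.0.0.5", 22))    # deny (untrusted -> trusted)
```

Two things worth checking on a real deployment follow from the model: the reply direction of a permitted session is accepted even though untrusted-to-trusted is denied by default, so the session table, not the ACL, decides what comes back in; and a user-defined rule is the only thing standing between two zones whose default policy already permits, so a deny rule such as the outbound SMTP one above must sit before any broader permit.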
Security Services Overview
Checks applied to traffic, protecting against network- and application-level attacks:
• Network reputation detection: SMTP server IP checked
• URL keyword/website checked
• URL reputation checked
• URL category checked
• Virus checked
Anti-Virus – General Configuration
• General settings: enable or disable AV, specify the zones to scan for viruses, and configure the preventive actions for different types of traffic
• Select zones for A/V processing
Web URL Filtering - Overview
1. HTTP request
2. Block and whitelists checked (content filtering)
3. Web URL filtering: query the URL's category and the action for it
4. Result delivered
5. Access to the website is allowed or blocked
Zone-Based Web URL Filtering
(Diagram: the web URL filter sits between the Internet and the user LAN zone, VOICE zone and Guest zone, so filtering can be applied per zone.)
Web Reputation - Configuration
• Choose the reputation threshold and fill in the warning message shown to the user when a URL is blocked
Network Reputation - Overview
1. Any packet from LAN to WAN
2. Check the destination IP against the local database
3. If it is not in the database, PASS
4. If it is in the database, DROP
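The three flows above (URL filtering with its block/whitelist step, the web reputation threshold, and the network reputation IP check) share one property a practitioner should see explicitly: the local lists are consulted before any cloud lookup, so an allow-listed host is never category- or reputation-checked. This added example is not ISA500 code; the category/reputation table stands in for the SIO cloud query, the bad-IP set stands in for the locally downloaded reputation database, the 0..100 "higher is safer" reputation scale is assumed, and all hosts and addresses are constructed.

```python
# Added example (not ISA500 code): evaluation order of the Web URL Filtering flow,
# the web reputation threshold and the network reputation IP check described above.
from ipaddress import ip_address
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the SIO category/reputation lookup:
# host -> (category, reputation score 0..100, higher = safer). Assumed scale.
CATEGORY_DB: Dict[str, Tuple[str, int]] = {
    "dangerous-website.com": ("malware", 5),
    "inappropriate-website.com": ("adult", 60),
    "news.example.com": ("news", 90),
    "sketchy.example": ("file-sharing", 20),
    "partner.example.net": ("malware", 10),     # allow-listed below on purpose
}

# Constructed stand-in for the locally stored network reputation database.
BAD_IPS = {ip_address("203.0.113.50"), ip_address("198.51.100.200")}


def host_matches(host: str, entries: Iterable[str]) -> bool:
    """Match a host exactly or as a subdomain of a list entry (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == e or host.endswith("." + e) for e in (x.lower() for x in entries))


class UrlFilter:
    def __init__(self, block_list, allow_list, blocked_categories, reputation_threshold,
                 warning="Access to this site is blocked by company policy"):
        self.block_list = list(block_list)
        self.allow_list = list(allow_list)
        self.blocked_categories = set(blocked_categories)
        self.reputation_threshold = reputation_threshold
        self.warning = warning                      # message shown on a blocked URL

    def check(self, url: str) -> Tuple[str, str]:
        """Return (action, reason) for an HTTP request to url."""
        host = urlsplit(url).hostname or ""
        # Step 2: block and allow lists (content filtering) are consulted first.
        if host_matches(host, self.block_list):
            return "block", "blocklist"
        if host_matches(host, self.allow_list):
            # An allow-listed host skips the category and reputation checks
            # entirely, so keep the allow list narrow.
            return "allow", "allowlist"
        # Step 3: query category and reputation for the URL.
        category, score = CATEGORY_DB.get(host.lower(), ("uncategorized", None))
        if category in self.blocked_categories:
            return "block", "category:" + category
        if score is not None and score < self.reputation_threshold:
            return "block", "reputation:%d" % score
        # Step 5: the request is delivered.
        return "allow", "category:" + category


def network_reputation(dst_ip: str) -> str:
    """LAN->WAN packets: DROP if the destination is in the local database, else PASS."""
    return "DROP" if ip_address(dst_ip) in BAD_IPS else "PASS"


def example_url_filter() -> UrlFilter:
    return UrlFilter(block_list=["dangerous-website.com"],
                     allow_list=["partner.example.net"],
                     blocked_categories={"malware", "adult"},
                     reputation_threshold=40)


if __name__ == "__main__":
    f = example_url_filter()
    for u in ("http://dangerous-website.com/", "http://inappropriate-website.com/x",
              "https://www.partner.example.net/login", "http://sketchy.example/dl"):
        print(u, f.check(u))
    print(network_reputation("203.0.113.50"), network_reputation("93.184.216.34"))
```

Note the partner.example.net case: the constructed feed rates it as malware, yet the allow list wins because the lists run before the cloud query. That is the behaviour the slide's step order implies, and it is why allow-list entries deserve periodic review.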
WAN Redundancy
• If you have two ISP links, one on WAN1 (ISP A) and the other on WAN2 (ISP B), you can configure WAN redundancy to determine how the two ISP links are used.
Load Balancing - by Percentage / Link Bandwidth
• Load balancing can be used to aggregate the WAN bandwidth. The user decides the weight percentage between the WAN links, e.g. 80% on ISP A and 20% on ISP B.
Load Balancing - Based on Real-Time Bandwidth
• Load balancing based on real-time bandwidth adjusts the weight of the WAN links dynamically according to the remaining bandwidth of each WAN. For example, with one link at (10M − 5M) = 5M remaining and the other at (50M − 20M) = 30M remaining, the weights are adjusted dynamically to 5 : 30.
WAN Failover
• If a failure is detected on the primary link, all Internet traffic is directed to the backup link. When the primary link regains connectivity, all Internet traffic is directed back to the primary link and the backup link becomes idle.
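The three WAN redundancy modes above (static percentage weights, weights from remaining bandwidth, and primary/backup failover) as one runnable model. This is an added example, not ISA500 code: it assumes link selection is per flow rather than per packet (so a session keeps one source address), and it assumes a failure is declared only after several consecutive failed probes and the primary is restored only after several consecutive successes, which the slide does not state but which avoids flapping. The link figures are the slide's own (10M with 5M used, 50M with 20M used); link names and flow keys are constructed.

```python
# Added example (not ISA500 code): the WAN load-balancing and failover behaviours
# described above. Assumptions: per-flow link selection, and hysteresis on the
# failover probe (fail_threshold / restore_threshold) to avoid flapping.
import zlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class WanLink:
    name: str
    capacity_mbps: float
    used_mbps: float = 0.0
    up: bool = True

    @property
    def remaining_mbps(self) -> float:
        return max(self.capacity_mbps - self.used_mbps, 0.0)


def weights_by_percentage(links: List[WanLink], percent: Dict[str, int]) -> Dict[str, float]:
    """Static shares chosen by the administrator, e.g. {"WAN1": 80, "WAN2": 20}.
    A link that is down is dropped from the table so its share is redistributed."""
    if sum(percent.values()) != 100:
        raise ValueError("percentages must add up to 100")
    return {l.name: float(percent[l.name]) for l in links if l.up}


def weights_by_remaining_bandwidth(links: List[WanLink]) -> Dict[str, float]:
    """Dynamic shares proportional to remaining capacity; with the slide's figures
    (10M - 5M) = 5M and (50M - 20M) = 30M the ratio becomes 5 : 30."""
    return {l.name: l.remaining_mbps for l in links if l.up}


def pick_link(weights: Dict[str, float], flow_key: str) -> str:
    """Weighted, deterministic choice per flow (5-tuple string), so every packet of a
    session leaves on the same link and the session's source address stays stable."""
    live = {n: w for n, w in weights.items() if w > 0}
    if not live:
        raise RuntimeError("no usable WAN link")
    total = sum(live.values())
    point = (zlib.crc32(flow_key.encode()) % 10_000) / 10_000 * total   # in [0, total)
    cumulative = 0.0
    for name, w in live.items():
        cumulative += w
        if point < cumulative:
            return name
    return name  # guard against float rounding at the top of the range


class Failover:
    """Primary/backup selection driven by a periodic reachability probe of the primary."""

    def __init__(self, primary: str, backup: str, fail_threshold: int = 3, restore_threshold: int = 2):
        self.primary, self.backup = primary, backup
        self.fail_threshold, self.restore_threshold = fail_threshold, restore_threshold
        self.active = primary
        self._fails = self._oks = 0

    def probe(self, primary_reachable: bool) -> str:
        """Feed one probe result; return the link all Internet traffic currently uses."""
        if primary_reachable:
            self._fails, self._oks = 0, self._oks + 1
            if self.active == self.backup and self._oks >= self.restore_threshold:
                self.active = self.primary      # primary regained connectivity
        else:
            self._oks, self._fails = 0, self._fails + 1
            if self.active == self.primary and self._fails >= self.fail_threshold:
                self.active = self.backup       # failure detected on the primary
        return self.active


def example_links() -> List[WanLink]:
    # Constructed from the slide's figures: a 10 Mbps link with 5 Mbps in use and
    # a 50 Mbps link with 20 Mbps in use.
    return [WanLink("WAN1", 10, 5), WanLink("WAN2", 50, 20)]


if __name__ == "__main__":
    links = example_links()
    print(weights_by_percentage(links, {"WAN1": 80, "WAN2": 20}))   # {'WAN1': 80.0, 'WAN2': 20.0}
    print(weights_by_remaining_bandwidth(links))                    # {'WAN1': 5.0, 'WAN2': 30.0}
    fo = Failover("WAN1", "WAN2")
    print([fo.probe(r) for r in (True, False, False, False, True, True)])
```

Because selection is per flow, a single download can never exceed the capacity of the one link it was hashed to; load balancing raises aggregate throughput across many sessions, not the speed of one. The probe sequence printed at the end shows the hysteresis: three failed probes before traffic moves to WAN2, and two good probes before it moves back.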
Port-Based Access Control (cont.)
• Configure the authentication server and the authenticated VLAN
• Authentication mode options: Forced Authorized, Forced Unauthorized, or Auto (Forced Authorized passes traffic without authenticating the client, Forced Unauthorized blocks all traffic on the port, and Auto performs 802.1X authentication)
User Management - Overview
• Every user belongs to one group and only one
• Local database, LDAP and AAA authentication
• Service privileges are bound to a group
• Available services are:
Address and Service Management
• An address group is a set of address objects
• Address groups can be used in ACL rules and VPN settings
Wireless Overview
• 802.11n
• 2.4 GHz band
• Multiple SSID support
• Various security modes
• MAC filtering
• VLANs
• Scheduling
• WPS (WPS PIN authentication has well-known brute-force weaknesses; disable it where it is not needed)
• Captive portal
• Rogue AP detection
Example Use Case – Internet & Guest Access Gateway at a Dental Office
Key applications:
• Secure wireless connectivity for mobile devices
• Visitor Internet access with intranet isolation
(Diagram: the ISA500 connects the Internet, the guest hotspot WLAN and the intranet.)
ISA500 solution:
• WiFi with multi-SSID
• Zone firewall with a guest VLAN
• Captive portal
Example Use Case – Teleworker Device
Key applications:
• Secure always-on company network connection
• Isolation of the company and family networks, with separate policies
(Diagram: the ISA500 at the teleworker's home connects the family network and the company VPN network to the Internet.)
ISA500 solution:
• Cisco EzVPN hardware client
• Split tunneling support
• Zone firewall
• 802.1X
• UTM multi-threat protection
OnPlus Managed Security with ISA500
Targeted availability: November 2012. Requires an ON100 subscription.
Helps an SMB partner gain deeper insight into the customer's network usage and security performance, and provide recommendations and informed advice based on the captured trends.
Detailed security reports from the Cisco ISA500:
• Network resource utilization: VPN usage, web usage (top visited sites, web category), mail usage, FTP usage, bandwidth utilization
• Security performance: virus attacks, firewall attacks, web threats, intrusions, spam
• Appliance status: device utilization (CPU, memory, flash), up/down stats, login attempts
Partners can:
• View security service reports and events in a separate, consolidated dashboard
• Schedule security reports to be sent automatically and directly to their customers
• Personalize reports and add custom recommendations based on observations of the data and trends captured in the reports
• Store reports safely in the cloud without the hassle of local storage
Manage ISA500 With Cisco OnPlus
Key benefits:
• Easy to manage: a single interface for all technologies
• Easy to start: Cisco hosted
• Profitability: enables a managed security service
OnPlus Advanced Security Service: security reports, network usage reports, appliance status reports
OnPlus baseline (Cisco OnPlus): dashboard view, device discovery and topology, support contract status, configuration backup and restore, firmware upgrade, event monitoring, etc.
(Diagram: the VAR manages Customer A and Customer B through OnPlus; each customer site has an ISA500 and connected devices such as switches, routers, security appliances, NAS, printers, iPads and iPhones.)
Notes:
• Partner focus; not meant for end users or service providers today
• Users can still use the device GUI via HTTPS
OnPlus Advanced Security Reports
• Reports can be generated individually or grouped, on demand or scheduled
Building a Security Practice with OnPlus
• OnPlus plus OnPlus Security with the ISA5xx: partner value, partner margins
* Post market introduction