Cisco® ASA 5500 Series adaptive security appliances deliver numerous market-leading, high-performance security and
VPN services for small and medium-sized businesses (SMBs), enterprises, and service providers—in addition to providing
unprecedented services flexibility and extensibility and lower deployment and operations costs.
PRODUCT OVERVIEW
Cisco® ASA 5500 Series adaptive security appliances are purpose-built solutions that combine best-of-breed security and VPN services with the
innovative Cisco Adaptive Identification and Mitigation (AIM) architecture. Designed as a key component of the Cisco Self-Defending Network,
the Cisco ASA 5500 Series provides proactive threat defense that stops attacks before they spread through the network, controls network activity and
application traffic, and delivers flexible VPN connectivity. The result is a powerful multifunction network security appliance family that provides the
security breadth and depth for protecting SMBs and enterprise networks while reducing the overall deployment and operations costs and
complexities associated with providing this new level of security.
The Cisco ASA 5500 Series delivers a powerful combination of multiple market-proven technologies in a single platform, making it operationally
and economically feasible to deploy comprehensive security services to more locations. And its multifunction security profile virtually eliminates the
difficult—and risky—decision of making trade-offs between robust security protection and the operational costs associated with multiple devices in
numerous locations.
The Cisco ASA 5500 Series helps businesses more effectively and efficiently protect their networks while delivering exceptional investment
protection through the following key elements:
• Market-proven security and VPN capabilities—Full-featured, high-performance firewall, intrusion prevention system (IPS), network antivirus,
and IP Security/Secure Sockets Layer (IPSec/SSL) VPN technologies deliver robust application security, user- and application-based access
control, worm and virus mitigation, malware protection, and remote user and site connectivity.
• Extensible Adaptive Identification and Mitigation services architecture—Taking advantage of a modular services processing and policy
framework, the Cisco Adaptive Identification and Mitigation architecture enables the application of specific security or network services on
a per traffic flow basis, delivering highly granular policy controls and anti-x protection with streamlined traffic processing. The efficiencies
of the Cisco ASA 5500 Series AIM architecture, as well as software and hardware extensibility through user-installable security services
modules (SSMs), advance the evolution of existing services as well as deployment of new services without requiring a platform replacement
or performance compromise. As the architectural foundation of the Cisco ASA 5500 Series, AIM enables highly customizable security policies
and unprecedented services extensibility to help protect against the fast-evolving threat environment.
• Reduced deployment and operations costs—These multifunction appliances allow for platform, configuration, and management standardization,
helping decrease the costs of deployment and ongoing operations.
MARKET-PROVEN SECURITY AND VPN CAPABILITIES
The Cisco ASA 5500 Series leverages Cisco’s expertise in developing industry-leading and award-winning security and VPN solutions, and
integrates the latest technologies from Cisco PIX® 500 Series Security Appliances, Cisco IPS 4200 Series Intrusion Prevention Systems, and
Cisco VPN 3000 Series Concentrators. By combining these technologies, the Cisco ASA 5500 Series delivers an unmatched, best-of-breed solution
that stops the broadest range of threats and provides businesses with flexible, secure connectivity options. The breadth and depth of security and
networking services provided by the Cisco ASA 5500 Series enable it to protect any area of the network, including the most common threat vectors
such as mobile users, remote sites, and unmanaged desktops and servers. As a key component of the Cisco Adaptive Threat Defense and flexible
secure connectivity strategies, these security appliances converge a wide range of security and VPN technologies to provide rich application security,
anti-x defenses, network containment and control, and secure connectivity.
APPLICATION SECURITY
The Cisco ASA 5500 Series provides strong application layer security through 30 intelligent, application-aware inspection engines that examine
network flows at Layers 2–7. To defend networks from application layer attacks and give businesses control over use of applications and protocols
in their environments, these inspection engines incorporate extensive application and protocol knowledge and employ security enforcement
technologies that include application and protocol command filtering, protocol anomaly detection, and application and protocol state tracking. As
another layer of application inspection and control, these inspection engines also incorporate attack detection and mitigation techniques such as
buffer overflow defenses, content filtering and verification, and URL deobfuscation services. Inspection engines are available for a wide range of
popular applications and protocols, including Web, file transfer, e-mail, voice and multimedia, database, operating system, and third-generation (3G)
Mobile Wireless services. These inspection engines also give businesses control over threats such as instant messaging, peer-to-peer file sharing, and
other tunneling applications, allowing businesses to enforce usage policies and protect network bandwidth for legitimate business applications.
ANTI-X DEFENSES
The Cisco ASA 5500 Series provides advanced, high-performance protection against network and application layer attacks, denial-of-service (DoS)
attacks, and malware, including worms, network viruses, Trojan horses, spyware, and adware. Effective anti-x defense requires broad attack detection
coupled with advanced analysis techniques, resulting in highly accurate threat classification that helps ensure appropriate mitigation actions are taken
with no impact on legitimate network traffic.
Advanced Detection Techniques
To help ensure that threats do not go unnoticed, the Cisco ASA 5500 Series offers numerous methods to identify policy violations, anomalous
activity, and vulnerability exploitation. They include stateful pattern recognition for stopping attacks hidden inside a data stream; protocol analysis
to validate network traffic; traffic anomaly detection to identify attacks that cover multiple sessions and connections; protocol anomaly detection to
identify attacks based on observed deviations in the normal RFC behavior of a protocol or service; and Layer 2 analysis to detect man-in-the-middle
attacks. Specialized safeguards “scrub” network traffic to prevent “detection evasion” attempts; these safeguards include IP fragmentation reassembly
and normalization, TCP stream reassembly and normalization, TCP evasion control, IP antispoofing, and deobfuscation.
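The fragment-reassembly and normalization safeguard described above can be illustrated with a small reassembler. This is an added example, not Cisco's code: an inline inspector that rebuilds the datagram before inspecting it and refuses to forward fragment sets containing conflicting overlaps, because an overlap is precisely how an evasion attempt shows the inspector one byte stream while the end host reconstructs another. Fragments are modelled as (offset, more_fragments, payload) tuples, and the sample fragments are constructed for this illustration.

```python
"""Fragment reassembly with overlap normalization (added example, not Cisco's code).

A fragment is modelled as (offset, more_fragments, payload). The policy is
deliberately strict: instead of guessing which overlap-resolution rule the
target operating system uses, the inspector accepts only exact
retransmissions and rejects any overlap that changes bytes already seen.
"""


class FragmentError(ValueError):
    """Raised when a fragment set cannot be reassembled unambiguously."""


def reassemble(fragments, max_size=65535):
    """Return the reassembled payload for a complete fragment set, or raise
    FragmentError on overlap, gap, oversize or missing final fragment."""
    frags = sorted(fragments, key=lambda f: f[0])
    buf = bytearray()
    expected = 0          # next byte offset the reassembler will accept
    saw_last = False
    for offset, more, data in frags:
        end = offset + len(data)
        if end > max_size:
            raise FragmentError("reassembled datagram would exceed max_size")
        if offset < expected:
            # Overlap with bytes already accepted: a byte-for-byte
            # retransmission is harmless, anything else is ambiguous.
            if end <= expected and buf[offset:end] == data:
                continue
            raise FragmentError(f"overlapping fragment at offset {offset}")
        if saw_last:
            raise FragmentError("fragment after the final fragment")
        if offset > expected:
            raise FragmentError(f"gap before offset {offset}")
        buf += data
        expected = end
        if not more:
            saw_last = True
    if not saw_last:
        raise FragmentError("incomplete: no final fragment seen")
    return bytes(buf)


def rejected(fragments):
    """True when the normalizer would drop this fragment set."""
    try:
        reassemble(fragments)
    except FragmentError:
        return True
    return False


# Constructed sample: an HTTP request line split into three fragments,
# and the same request with a conflicting overlap inserted at offset 4.
CLEAN = [(0, True, b"GET /ind"), (8, True, b"ex.html "), (16, False, b"HTTP/1.0")]
EVASIVE = [(0, True, b"GET /ind"), (4, True, b"XXXX"), (8, False, b"ex.html")]

if __name__ == "__main__":
    print(reassemble(CLEAN))
    print("evasive set dropped:", rejected(EVASIVE))
```

Out-of-order delivery is handled by sorting on offset before the single pass, so the same set arriving last-fragment-first reassembles identically; only the content-changing overlap is dropped.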
Combined with the extensive detection techniques are two innovative analysis and correlation technologies from Cisco Systems® that help enable
accurate mitigation of the detected threats: Risk Rating and the Meta Event Generator.
Risk Rating
The Cisco ASA 5500 Series uses the innovative Cisco Risk Rating technology to help ensure that malicious attacks are stopped without impacting
legitimate traffic. Going beyond the typical single-factor methods in determining threat risk, Cisco Risk Rating incorporates four measures to
accurately determine the risk of an event:
• Event severity—Rating indicating the relative impact of the threat
• Signature fidelity—Rating indicating the accuracy of the signature
• Asset value—Customizable value indicating the importance of the attack target (low value for a print server in a wiring closet, a high value for
an e-commerce server in a data center, for example)
• Attack relevancy—Value based on susceptibility of the target to the attack type
These four factors combine to produce an accurate threat rating that allows for confident mitigation actions to take place.
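The following added example (not Cisco's implementation) shows how combining the four factors changes the mitigation decision for the same signature on different targets. The page does not give the combination rule, so the scaled product of severity, fidelity and asset value plus a relevancy adjustment, the factor ranges, and the action thresholds are all assumptions chosen for this illustration.

```python
"""Multi-factor risk scoring in the spirit of the four Risk Rating factors.

Added example, not Cisco's code. The combination rule and thresholds are
assumptions: rating = severity * fidelity * asset_value / 10000 + relevancy,
clamped to 0..100, with deny at >= 75 and alert at >= 50.
"""
from dataclasses import dataclass

DENY_THRESHOLD = 75    # assumed
ALERT_THRESHOLD = 50   # assumed


@dataclass(frozen=True)
class Event:
    signature: str
    severity: int      # 0-100, relative impact of the threat
    fidelity: int      # 0-100, how accurate the signature is
    asset_value: int   # 0-100, importance of the attacked target
    relevancy: int     # -20..+20, susceptibility of the target to this attack type


def risk_rating(e: Event) -> int:
    """Combine the four factors into a single 0-100 rating (assumed rule)."""
    base = e.severity * e.fidelity * e.asset_value / 10_000
    return max(0, min(100, round(base + e.relevancy)))


def action_for(e: Event) -> str:
    """Map a rating to a mitigation action; low ratings are only logged so
    a weak signature on an important host does not drop legitimate traffic."""
    rr = risk_rating(e)
    if rr >= DENY_THRESHOLD:
        return "deny"
    if rr >= ALERT_THRESHOLD:
        return "alert"
    return "log"


def triage(events):
    """Return (signature, rating, action) tuples, highest rating first."""
    scored = [(e.signature, risk_rating(e), action_for(e)) for e in events]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample: the same high-severity signature against a data-center
# e-commerce server and against a print server in a wiring closet.
SAMPLE = [
    Event("worm-exploit", severity=90, fidelity=80, asset_value=100, relevancy=10),
    Event("worm-exploit", severity=90, fidelity=80, asset_value=20, relevancy=10),
    Event("worm-exploit", severity=90, fidelity=80, asset_value=100, relevancy=-10),
    Event("noisy-sig", severity=90, fidelity=30, asset_value=100, relevancy=10),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

The third and fourth sample events show the two factors the page stresses: a target that is not susceptible (negative relevancy) drops from "deny" to "alert", and a low-fidelity signature is only logged even against the most valuable asset.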
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Meta Event Generator
To quickly and accurately identify and stop worms that can rapidly propagate and cause extensive damage, the Cisco ASA 5500 Series includes
Cisco Meta Event Generator technology, which provides unique on-device correlation capabilities. This is achieved through real-time modeling of
worm behavior, including correlation of multiple event types and the time between individual events. As worms attempt to move through a network,
they propagate through the transmission of multiple packets, which in many cases appear to be legitimate traffic. The generator uses its real-time
correlation services to identify the initial packets associated with worm propagation and stops the follow-on packets necessary to complete the worm
infestation. The worm therefore cannot reach its intended target intact and is, in fact, ineffectual.
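The on-device correlation idea described above, as an added example that is not Cisco's code: several component events from the same source to the same destination are promoted to a single "worm-propagation" meta event only when they arrive in the expected order within a short time window. The worm model (port sweep, then exploit attempt, then binary download), the window length and the syslog-style lines are all constructed for this illustration.

```python
"""Correlate component events into a meta event (added example, not Cisco's code).

The worm model below is an assumption: three signatures from one source to
one destination, in order, within a 30-second window. Events that complete
the chain too slowly, or from a host that only sweeps ports, do not fire.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WORM_SEQUENCE = ("port-sweep", "exploit-attempt", "binary-download")  # assumed model

# Constructed sample log: one real propagation chain (10.1.1.5), a scanner
# that only sweeps (10.1.9.9), and a chain spread over 45 minutes (10.1.3.3).
SAMPLE_LOG = """\
2005-05-01T10:00:01 src=10.1.1.5 dst=10.1.2.7 sig=port-sweep
2005-05-01T10:00:03 src=10.1.1.5 dst=10.1.2.7 sig=exploit-attempt
2005-05-01T10:00:04 src=10.1.1.5 dst=10.1.2.7 sig=binary-download
2005-05-01T10:00:05 src=10.1.9.9 dst=10.1.2.7 sig=port-sweep
2005-05-01T10:00:06 src=10.1.9.9 dst=10.1.2.8 sig=port-sweep
2005-05-01T10:00:10 src=10.1.3.3 dst=10.1.2.9 sig=port-sweep
2005-05-01T10:45:00 src=10.1.3.3 dst=10.1.2.9 sig=exploit-attempt
2005-05-01T10:45:02 src=10.1.3.3 dst=10.1.2.9 sig=binary-download
"""


def parse(line):
    """Turn 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    return rec


def correlate(log_text, sequence=WORM_SEQUENCE, window_seconds=30):
    """Return one meta event per (src, dst) pair whose events complete
    `sequence` in order within `window_seconds` of the chain's first event."""
    window = timedelta(seconds=window_seconds)
    # Per flow: index of the next expected stage and when the chain started.
    state = defaultdict(lambda: {"stage": 0, "start": None})
    meta_events = []
    for line in log_text.splitlines():
        rec = parse(line)
        st = state[(rec["src"], rec["dst"])]
        # A chain that has outlived the window is discarded and restarted.
        if st["start"] is not None and rec["ts"] - st["start"] > window:
            st["stage"], st["start"] = 0, None
        if rec["sig"] != sequence[st["stage"]]:
            continue
        if st["stage"] == 0:
            st["start"] = rec["ts"]
        st["stage"] += 1
        if st["stage"] == len(sequence):
            meta_events.append({"src": rec["src"], "dst": rec["dst"],
                                "first": st["start"], "last": rec["ts"],
                                "name": "worm-propagation"})
            st["stage"], st["start"] = 0, None
    return meta_events


if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG):
        print(ev)
```

Widening the window to an hour makes the slow 10.1.3.3 chain fire as well, which is the trade-off the time-between-events factor controls: a tight window keeps a vulnerability scanner's sweep followed much later by unrelated activity from being treated as propagation.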
SECURE CONNECTIVITY SERVICES
The Cisco ASA 5500 Series provides robust site-to-site and remote-access VPN services, enabling businesses to create secure connections across
public networks to mobile users, remote sites, and business partners. An integrated approach to security is provided, enabling organizations to gain
the connectivity and cost benefits of the Internet, without compromising the integrity of the corporate security policy.
By integrating VPN services with the wide range of security services offered by the Cisco ASA 5500 Series, businesses benefit from a stronger, more
secure VPN connectivity. Integrated Cisco Adaptive Threat Defense capabilities help ensure that VPNs do not become a conduit for network attacks
such as worms, viruses, malware, or hacking. Detailed application and access control policies can also be applied to VPN traffic, so individuals and
groups of users have access only to the services and resources to which they are entitled. Additionally, customized quality-of-service (QoS) policies
can be applied on a per-user, -group, -tunnel, or -flow basis, helping ensure that the appropriate priority and bandwidth restrictions are applied to
specific network traffic flows.
Remote-Access VPN
The Cisco ASA 5500 Series offers flexible technologies that deliver tailored solutions to suit connectivity requirements, providing employees’
company-managed desktops with robust, customizable remote access through an IPSec VPN. For situations where endpoints are not company-managed, such as extranets, Internet kiosks, or employee-owned desktops, the Cisco ASA 5500 Series delivers WebVPN for SSL-based remote
access. Taking advantage of Cisco remote-access expertise, enterprises can deploy a single, integrated platform with broad support for core enterprise
applications.
• Flexible platform—Offers both IPSec and SSL-based VPN services on a single platform, eliminating the need to provide parallel solutions. The
Cisco ASA 5500 Series eliminates the inefficiencies and added costs of deploying separate, distinct platforms for both SSL and IPSec VPNs.
• Resilient clustering—Allows remote-access deployments to scale cost-effectively by evenly distributing VPN sessions across Cisco ASA 5500
Series and Cisco VPN 3000 Series platforms without requiring any user intervention. This highly resilient capability eliminates any single point
of failure, allows businesses to scale their VPN headends as needed, and gives businesses excellent investment protection.
• Cisco Easy VPN—Delivers a uniquely scalable, cost-effective, and easy-to-manage remote-access VPN architecture. Cisco ASA 5500 Series
appliances dynamically push the latest VPN security policies to remote VPN devices and clients, helping ensure that those remote endpoints have
up-to-date policies in place before the connection is established, thereby offering the ultimate flexibility, scalability, and ease of use. Furthermore,
the Cisco ASA 5500 Series provides VPN client software with “auto-update” capabilities that help enable automated version upgrades for Cisco
VPN Client software operating on remote desktops.
Site-to-Site VPN
Using the standards-based site-to-site VPN capabilities provided by the Cisco ASA 5500 Series, businesses can securely extend their networks across
low-cost Internet connections to business partners and remote and satellite offices worldwide.
• VPN infrastructure for today’s applications—The Cisco ASA 5500 Series provides a VPN infrastructure capable of converged voice, video,
and data across a secure IPSec network, by combining robust site-to-site VPN support with rich inspection capabilities, QoS, dynamic routing,
and stateful failover features, allowing businesses to take advantage of the many benefits of converged networks.
• Robust security and performance—Branch and remote offices extend a company’s reach into important markets and locations. Cisco ASA 5500
Series-based VPN solutions help enable secure, high-speed communications between multiple locations, offering the performance, reliability, and
availability that businesses need to communicate.
Intelligent Network Integration
The Cisco ASA 5500 Series takes advantage of more than 20 years of Cisco networking leadership and innovation, and delivers a wide range of
intelligent networking services for seamless integration into today’s diverse network environments. Key network integration services include:
• Layer 2 transparent firewall—Provides the ability to rapidly deploy Cisco ASA 5500 Series appliances into existing networks without requiring
any addressing changes, and delivers high-performance stealth Layers 2–7 security services and provides protection against network layer attacks
with integration in complex routing, high-availability, and multicast environments.
• Services virtualization—Enables the logical partitioning of a single Cisco ASA 5500 Series appliance into multiple virtual firewalls, each with its
own unique policies and administration; this capability is ideal for enterprises consolidating multiple firewalls into a single Cisco ASA 5500
Series appliance, or for service providers that offer managed firewall or hosting services.
• Standard 802.1q-based VLAN support—Provides easy integration into switched network environments.
• Open Shortest Path First (OSPF) dynamic routing services—Improve networking resiliency by detecting network outages within seconds, and
routing around them.
• Protocol Independent Multicast (PIM) Sparse Mode v2 and bidirectional PIM routing support—Provide secure delivery of mission-critical
real-time enterprise applications, collaborative computing applications, and streaming multimedia services.
• IPv6 support—Allows secure deployment of next-generation IPv6 networks, as well as hybrid environments that require simultaneous, dual-stack
support of IPv4 and IPv6.
• Quality of Service (QoS)—Low-Latency Queuing (LLQ) and Traffic Policing features support applications with demanding QoS requirements,
such as voice or video, helping ensure an end-to-end network QoS policy; latency-sensitive traffic can be prioritized ahead of file transfer and
other more delay-tolerant traffic.
• IP phone “zero-touch provisioning” services—Simplifies IP phone deployments by helping the phones register with the correct Cisco
CallManager systems and download any additional configuration information and software images.
• Resilient architecture—Provides businesses with both stateful Active/Active and Active/Standby high-availability services, as well as VPN
device clustering, to help maximize throughput and network uptime; the Cisco ASA 5500 Series also supports “zero-downtime software
upgrades,” which allow businesses to install software maintenance releases on failover pairs without affecting connections or network uptime;
additionally, integrated dynamic load-balancing capabilities provide high session scalability and resiliency for remote-access VPN deployments.
UNIQUE ADAPTIVE IDENTIFICATION AND MITIGATION SERVICES ARCHITECTURE
Through its unique Adaptive Identification and Mitigation services architecture, the Cisco ASA 5500 Series brings a new level of security and policy
control to networks (Figure 1). The AIM architecture allows businesses to adapt and extend the security services profile of the Cisco ASA 5500
Series through highly customizable flow-specific security policies that tailor security needs to application requirements while providing performance
and security service extensibility through user-installable SSMs. This adaptable architecture enables businesses to deploy security services when and
where they are needed, such as tailoring inspection techniques to specific application and user needs or adding additional intrusion prevention and
anti-x services such as those delivered by the Adaptive Inspection and Prevention (AIP) SSM. Furthermore, the AIM architecture enables the
integration of future threat identification and mitigation services, further extending the outstanding investment protection provided by the Cisco
ASA 5500 Series, and allowing businesses to adapt their network defenses to new threats as they arise.
Figure 1. Cisco Adaptive Identification and Mitigation Architecture
Using the powerful policy framework offered by the Cisco ASA 5500 Series, administrators can orchestrate detailed policies that define what specific
services are applied to individual traffic flows. Services include more than 30 different application- and protocol-specific inspection engines, QoS
policies, anti-x services, and other inspection and network services. Policies can be based on numerous criteria, including network addresses, traffic
types, VPN tunnel, and application or destination target. By enabling the selection of specific security or network services on a per-flow basis, this
architecture allows security services to be implemented in a highly granular fashion in support of specific security policies.
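The per-flow policy selection described above, as an added example that is not the appliance's policy engine or configuration syntax: an ordered policy table whose entries match on source and destination network, protocol, destination port and the VPN tunnel a flow arrived on, and whose first match decides which services that flow receives. The match criteria, policy names and service names are assumptions constructed for this illustration.

```python
"""Per-flow service selection from an ordered policy table.

Added example, not Cisco's code. Policies are evaluated top to bottom and
the first match wins; flows matching nothing specific fall through to a
default class, so every flow gets at least baseline stateful inspection.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    dport: int
    tunnel: Optional[str] = None   # VPN tunnel the flow arrived on, if any


@dataclass(frozen=True)
class Policy:
    name: str
    services: Tuple[str, ...]
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None    # None means "any"
    dport: Optional[int] = None
    tunnel: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst_net)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport)
                and (self.tunnel is None or self.tunnel == f.tunnel))


# Constructed policy table: partner VPN web traffic gets HTTP inspection,
# IPS and a bandwidth cap; voice signalling gets SIP inspection and priority
# queuing; database traffic into the DMZ gets protocol inspection and IPS.
POLICIES = (
    Policy("partner-vpn-web", ("inspect-http", "ips", "qos-police-2mbps"),
           tunnel="partner-vpn", proto="tcp", dport=80),
    Policy("voice", ("inspect-sip", "qos-llq-priority"),
           src_net="10.20.0.0/16", proto="udp", dport=5060),
    Policy("dmz-db", ("inspect-sqlnet", "ips"),
           dst_net="192.0.2.0/24", proto="tcp", dport=1521),
)
DEFAULT_SERVICES = ("stateful-inspection",)


def services_for(flow: Flow, policies=POLICIES):
    """Return (policy name, services) for the first matching policy, or the
    default class when nothing more specific matches."""
    for p in policies:
        if p.matches(flow):
            return p.name, p.services
    return "default", DEFAULT_SERVICES


if __name__ == "__main__":
    for f in (Flow("172.16.5.5", "10.0.0.10", "tcp", 80, "partner-vpn"),
              Flow("172.16.5.5", "10.0.0.10", "tcp", 80),
              Flow("10.20.1.1", "10.0.0.5", "udp", 5060),
              Flow("10.20.1.1", "192.0.2.15", "tcp", 1521)):
        print(f, "->", services_for(f))
```

The second sample flow is the same web request without the partner tunnel, and it falls through to the default class: the tunnel is part of the match, which is how a policy can be scoped to one VPN's users without affecting identical traffic from elsewhere.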
REDUCED DEPLOYMENT AND OPERATIONS COSTS
While increasing network security, the Cisco ASA 5500 Series also decreases deployment and operational costs. Its broad VPN and security
services profile makes it a single device for many uses, providing platform and management standardization. It can be deployed as a converged threat
prevention device by using its access control, application inspection, and worm, virus, and other malware mitigation technologies. It can be used as
a dedicated VPN termination device by using its highly scalable site-to-site IPSec and SSL remote-access VPN capabilities. Alternatively, it serves
equally well in the network interior for interdepartmental access control and to guard against worms, viruses, and other malicious code that internal
users may unwittingly bring into a network. In small business and branch office environments, the Cisco ASA 5500 Series serves as an “all-in-one”
solution, offering comprehensive threat prevention and VPN services better suiting the budgets and operational models of such deployments. This
adaptive “single platform, many uses” approach reduces the number of platforms that must be deployed and managed. This common operating
environment also simplifies configuration, monitoring, troubleshooting, and security staff training. To further minimize operations costs, the Cisco
ASA 5500 Series is highly network-aware—it can be inserted gracefully into the network without disrupting legitimate traffic and applications.
Cisco ASA 5500 Series adaptive security appliances deliver a wealth of configuration, monitoring, and troubleshooting methods, giving businesses
flexibility to use the methods that best meet their needs. Management solutions range from centralized, policy-based management tools to integrated,
Web-based management, with support for remote-monitoring protocols such as Simple Network Management Protocol (SNMP) and syslog. These
appliances additionally provide up to 16 levels of customizable administrative roles, so that businesses can grant administrators and operations
personnel the appropriate level of access to each appliance; for example, monitoring-only access, read-only access to the configuration, network
configuration only, firewall configuration only, and so on.
Cisco ASA 5500 Series appliances running Cisco ASA Software Version 7.0 can be centrally managed using the upcoming follow-on software
release to CiscoWorks VPN/Security Management Solution (VMS) 2.3. This highly scalable, next-generation, three-tier management solution will
include the following features:
• Comprehensive configuration and software image management
• Device hierarchy with “Smart Rules”-based configuration inheritance
• Customizable administrative roles and access privileges
• Comprehensive enterprise change management and auditing
• Intelligent discovery and optimization of security policies and object groups
• “Touchless” software image management for remote Cisco ASA 5500 Series appliances
• Support for dynamically addressed appliances
Attack Mitigation and Event Monitoring Solutions
Network-based attacks can be easily and accurately identified, managed, and eliminated within commercial or enterprise environments using the
Cisco Security Monitoring, Analysis, and Response System. Cisco Security Monitoring, Analysis, and Response System appliances analyze and
correlate security events, syslog, and NetFlow data from a wide variety of desktop, server, and network security solutions to determine the actual
attack path and provide mitigation options, thus simplifying security incident management for environments where dedicated security analysts may
not be available.
Additionally, Cisco offers the CiscoWorks Security Information Management Solution (CiscoWorks SIMS), which is well-suited for large
enterprises and managed security services providers with dedicated security analysts who require in-depth data collection, forensic analysis,
audit and compliance, and reporting for complex, multi-vendor networks.
World-Class Device Management Solutions
The integrated Cisco Adaptive Security Device Manager (ASDM) provides a world-class Web-based management interface that greatly simplifies the
deployment, ongoing configuration, and monitoring of a single Cisco ASA 5500 Series appliance—without requiring any software (other than
a standard Web browser and Java Plug-In) to be installed on an administrator’s computer. Intelligent setup and VPN wizards provide easy integration
into any network environment, and informative monitoring features, including a dashboard and real-time syslog viewer, provide vital device and
network health status and event monitoring at a glance.
Alternatively, administrators can remotely configure, monitor, and troubleshoot their Cisco ASA 5500 Series appliances using a command-line
interface (CLI). Secure CLI access is available using several methods, including Secure Shell (SSHv2) Protocol, Telnet over IPSec, and out-of-band
access through a console port.