
2010 Cisco and/or its affiliates. All rights reserved.

ASA CX Overview
Cristian Venegas, CCIE #29210
Consulting Systems Engineer - Security
MCO - LATAM



Overview
Hardware Architecture
Software Architecture
Management Architecture
Presales
Wrap up
ASA CX and Prime Security Manager (PRSM)
Context-Aware Firewall
Active/Passive Authentication
Application Visibility and Control
Reputation Filtering
URL Filtering
Secure Mobility
SSP-10 and SSP-20
More form factors in roadmap
ASA SSP
CX SSP
Order separate blades or chassis bundle

Requires ASA version 8.4.4
Built-in: Configuration, Eventing, and Reporting
Off-box: Multi-device Manager for ASA CX
Supports 25 Chassis (estimate)
Role Based Access Control
Virtual Machine or UCS Virtual Appliance
Virtual Machine supports VMware ESX 4.1
Two Hard Drives, RAID 1 (Event Data)
10GE and GE ports
Two GE Management Ports (New)
8 GB eUSB (System) (New)
ASA CX              SSP-10                     SSP-20
Processors          Multi-core 64-bit          Multi-core 64-bit
Maximum Memory      12 GB (6 GB per blade)     24 GB (12 GB per blade)
Maximum Storage     8 GB eUSB,                 8 GB eUSB,
                    600 GB Hard Disk           600 GB Hard Disk
                    RAID 1 / Hot-swappable     RAID 1 / Hot-swappable
Ports               2 x 10 Gb SFP+             2 x 10 Gb SFP+
                    8 x 1 Gb Cu                8 x 1 Gb Cu
                    2 x 1 Gb Cu Mgmt           2 x 1 Gb Cu Mgmt
Crypto Chipset      Yes                        Yes
2006 Cisco Systems, Inc. All rights reserved. Cisco Security Deployment Mentoring Bootcamp v1.0 10

Packet Processing Flow Diagram

Use MPF to direct traffic to the CX blade:

PRSM Multi-device applies this when connecting to CX:

policy-map global_policy
 class class-default
  cxsc fail-open auth-proxy

service-policy global_policy global
Realm: Logical group of trusted Directory Servers (AD or LDAP)

Active Directory
One Realm
One Domain (joins the domain)
AD Agent for passive authentication
Kerberos, NTLM, or Basic for active authentication

LDAP
Multiple Realms
Basic authentication only

Is identity required?
Use identity when available: Passive Auth only
Require identity: Passive Auth if available, then Active Auth
Require authentication: Active Auth only

How to identify user?
Basic
NTLM
Kerberos
Requires HTTP request to initiate authentication
1. ASA CX sees HTTP request from a client to a remote website
2. ASA CX redirects the client to the ASA inside interface (port 885 by default)
   Redirect is via a proxy redirect to the client (HTTP return code 307) spoofing the remote website
3. Sends client authentication request (HTTP return code 401)
4. After authentication, ASA CX redirects the client back to the remote website (HTTP return code 307)
After authentication, ASA CX uses IP address to track user
All application traffic will now be associated with the user
Supported directories include
Microsoft Active Directory
OpenLDAP
IBM Tivoli Directory Server
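The 307 / 401 / 307 sequence above, replayed step by step as an added example (this is illustrative code written for this page, not Cisco's implementation and not part of the original deck). It assumes a constructed listener address (10.1.1.1 on the slide's default port 885), a Basic-only credential store and constructed client addresses; the NTLM and Kerberos challenge details are not modelled. What it makes visible is the hand-off between the steps and the IP-to-user table that the slide's "uses IP address to track user" produces.

```python
"""Walk-through of the ASA CX active-authentication redirect sequence.

Added illustration, not Cisco code: it replays the slide's 307 -> 401 -> 307
exchange with plain request/response objects so the hand-off between steps,
and the IP-to-user table that results, can be traced offline. The listener
address, the Basic-only credential store and the client addresses are
constructed for the example.
"""
import base64
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_PORT = 885               # slide: ASA inside interface, port 885 by default
AUTH_HOST = "10.1.1.1"        # constructed: ASA inside interface address


@dataclass
class Request:
    method: str
    url: str
    client_ip: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def basic_header(user, password):
    """HTTP Basic Authorization value (Basic is one of the three schemes the slide lists)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class ActiveAuthProxy:
    def __init__(self, users):
        self.users = users        # constructed user -> password store
        self.ip_user = {}         # IP address -> user: how CX tracks the user after auth

    def handle(self, req):
        parts = urlsplit(req.url)
        # Steps 3 and 4: the request is aimed at the auth listener itself
        if parts.hostname == AUTH_HOST and parts.port == AUTH_PORT:
            return self._auth_listener(req, parts)
        # Already identified: every later request from this IP carries the user
        user = self.ip_user.get(req.client_ip)
        if user is not None:
            return Response(200, {"X-Identified-User": user})   # constructed marker
        # Step 2: 307 to the listener, carrying the original URL so step 4 can return to it
        query = urlencode({"orig": req.url})
        return Response(307, {"Location": f"https://{AUTH_HOST}:{AUTH_PORT}/auth?{query}"})

    def _auth_listener(self, req, parts):
        orig = parse_qs(parts.query).get("orig", [None])[0]
        creds = req.headers.get("Authorization", "")
        if creds.startswith("Basic ") and orig:
            try:
                user, _, password = base64.b64decode(creds[6:]).decode().partition(":")
            except ValueError:          # binascii.Error and UnicodeDecodeError are ValueErrors
                user, password = "", ""
            if user and self.users.get(user) == password:
                self.ip_user[req.client_ip] = user                # track by IP from now on
                return Response(307, {"Location": orig})          # step 4: back to the website
        # Step 3: challenge (401) until valid credentials arrive
        return Response(401, {"WWW-Authenticate": 'Basic realm="asa-cx"'})


def walk_flow(proxy, client_ip, url, user, password):
    """Drive one client through the sequence; returns the HTTP status codes it sees."""
    seen = []
    r = proxy.handle(Request("GET", url, client_ip))
    seen.append(r.status)                                  # 307 to the listener
    listener = r.headers["Location"]
    r = proxy.handle(Request("GET", listener, client_ip))
    seen.append(r.status)                                  # 401 challenge
    r = proxy.handle(Request("GET", listener, client_ip,
                             {"Authorization": basic_header(user, password)}))
    seen.append(r.status)                                  # 307 back, or 401 again on bad credentials
    if r.status == 307:
        r = proxy.handle(Request("GET", r.headers["Location"], client_ip))
        seen.append(r.status)                              # 200: traffic now attributed to the user
    return seen


if __name__ == "__main__":
    proxy = ActiveAuthProxy({"alice": "s3cret"})
    print(walk_flow(proxy, "192.0.2.10", "http://www.example.com/", "alice", "s3cret"))
    print(proxy.ip_user)
```

The `ip_user` table is the point to keep in mind when reviewing identity-based rules: attribution is per source IP, so clients that share an address (behind NAT, or on a terminal server) inherit whichever user authenticated first from that address until the mapping expires.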
Endpoint must be domain member and user must be logged in
Supported for all applications
Utilizes an agent
Agent gathers information from Active Directory server and caches information
ASA CX/PRSM queries agent for user information
ASA CX/PRSM queries Active Directory server for group membership
Two agents available
Cisco Active Directory Agent (AD agent): legacy Windows application
Context Directory Agent (CDA): newer agent
Stand-alone, Linux-based server, can be run as VM
Intuitive, web-based GUI with Cisco IOS style CLI

Passive authentication components (diagram): Active Directory; AD Agent or CDA (RADIUS server); ASA CX; Clients. Protocols shown: WMI (agent to Active Directory), RADIUS (ASA CX to agent), LDAP (ASA CX to Active Directory for group membership).

Decrypt TLS/SSL traffic across any port
Self-signed (default) certificate or customer certificate/key
Based on FQDN, URL Category, User/Group, Device type, IP address, or Port
FQDN and URL Category are determined using server certificate
SSH decryption planned for a future release
Two separate sessions with separate certificates and keys
ASA CX acts as a CA and issues a certificate for the web server
(Diagram: client on the Corporate Network <-> ASA CX <-> Web Server)
1. Negotiate algorithms (client <-> ASA CX, and ASA CX <-> web server).
2. ASA CX authenticates the web server's certificate.
3. ASA CX generates the proxied server certificate.
4. Client authenticates the (proxied) server certificate.
5. Generate encryption keys (both sessions).
6. Encrypted data channel established (both sessions).
Cert is generated dynamically with destination name but signed by Proxy. Browser must accept signer's cert.
Allow or Deny the transaction based on full context

Other possible actions:
Create Event (on by default)
Capture Packets (off by default)

Also applied to HTTP Traffic:
File Filtering Profile
Apply added filtering based on MIME type
Reputation Profile
Apply added filtering based on reputation score of destination
(default profile drops -6.0 and below and is not active)
Default web reputation profile (score scale -10 to +10)
Block (-10 through -6)
Allow (-5.9 through +10)
Reputation bands shown on the scale, from most to least risky:
Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious.
Phishing sites, bots, drive-by installers. Extremely likely to be malicious.
Aggressive ad syndication and user tracking networks. Sites suspected to be malicious, but not confirmed.
Sites with some history of responsible behavior or 3rd party validation.
Well managed, responsible content syndication networks and user generated content.
Sites with long history of responsible behavior. Have significant volume and are widely accessed.
ASA CX packet processing stages (one possible flow; may be different for other traffic):
1. Auth/Access Policy: check L3/L4 and identity access policies
2. Broad AVC: determine protocol and application
3. TCP Proxy: handle TCP 3-way handshake
4. TLS Proxy: proxy encryption to decrypt traffic for inspection
5. HTTP Inspector: determine application, URL category, reputation, user agent
6. Active Auth: if passive auth not available, authenticate using NTLM, Kerberos, or Basic auth
7. Access Policy: allow or deny verdict based on access policy
8. Packet Egress: return packet back to the ASA SSP with an allow verdict
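The access-policy verdict, the reputation profile (default threshold -6.0, inactive until enabled) and the MIME-type file-filtering profile from the policy slides, evaluated in the stage order above, as one added example (written for this page; not Cisco's code and not part of the deck). The rule fields, the group directory, the LinkedIn-style sample policy, the default action when no rule matches and the sample transactions are all constructed.

```python
"""Toy model of an ASA CX-style access-policy decision.

Added illustration, not Cisco code. It evaluates one transaction in the
order of the packet-flow stages (identity and L3/L4 match, application and
URL context, verdict) and layers on the two HTTP profiles from the policy
slide: a reputation profile with the default -6.0 threshold that is inactive
unless enabled, and a file-filtering profile keyed on MIME type. Rule fields,
the group directory, the default action and the sample data are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class Transaction:
    src_ip: str
    dst_port: int
    user: Optional[str]          # None when neither passive nor active auth identified anyone
    application: str             # from Broad AVC / HTTP inspector
    url_category: str
    reputation: float            # web reputation score, -10.0 .. +10.0
    mime_type: Optional[str] = None


@dataclass
class ReputationProfile:
    active: bool = False         # slide: the default profile is not active
    threshold: float = -6.0      # slide: default profile drops -6.0 and below

    def blocks(self, score):
        return self.active and score <= self.threshold


@dataclass
class FileFilteringProfile:
    blocked_mime: FrozenSet[str] = frozenset()


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    groups: FrozenSet[str] = frozenset()          # empty = any user, identified or not
    applications: FrozenSet[str] = frozenset()
    url_categories: FrozenSet[str] = frozenset()
    reputation: Optional[ReputationProfile] = None
    file_filter: Optional[FileFilteringProfile] = None
    create_event: bool = True                     # slide: on by default
    capture_packets: bool = False                 # slide: off by default


def matches(rule, tx, groups_of):
    """Identity (group membership) first, then application and URL category."""
    if rule.groups and (tx.user is None or not (groups_of(tx.user) & rule.groups)):
        return False
    if rule.applications and tx.application not in rule.applications:
        return False
    if rule.url_categories and tx.url_category not in rule.url_categories:
        return False
    return True


def evaluate(policy, tx, groups_of, default_action="allow"):
    """First matching rule wins. Returns (verdict, rule name, reason, actions)."""
    for rule in policy:
        if not matches(rule, tx, groups_of):
            continue
        actions = {"event": rule.create_event, "capture": rule.capture_packets}
        if rule.action == "deny":
            return "deny", rule.name, "access rule", actions
        # profiles refine an allow rule: they can only turn it into a deny
        if rule.reputation and rule.reputation.blocks(tx.reputation):
            return "deny", rule.name, f"reputation {tx.reputation} <= {rule.reputation.threshold}", actions
        if rule.file_filter and tx.mime_type in rule.file_filter.blocked_mime:
            return "deny", rule.name, f"blocked MIME type {tx.mime_type}", actions
        return "allow", rule.name, "access rule", actions
    # constructed assumption: behaviour when no rule matches is a policy setting
    return default_action, None, "no rule matched", {"event": True, "capture": False}


# Constructed directory and policy mirroring the deck's "LinkedIn for business use" example
GROUPS = {"alice": frozenset({"marketing"}), "bob": frozenset({"engineering"})}


def groups_of(user):
    return GROUPS.get(user, frozenset())


POLICY = [
    Rule("marketing-linkedin", "allow", groups=frozenset({"marketing"}),
         applications=frozenset({"linkedin"}), reputation=ReputationProfile(active=True)),
    Rule("no-social", "deny", url_categories=frozenset({"social-networking"})),
    Rule("web-default", "allow", reputation=ReputationProfile(active=True),
         file_filter=FileFilteringProfile(frozenset({"application/x-msdownload"}))),
]


if __name__ == "__main__":
    tx = Transaction("10.0.0.5", 443, "alice", "linkedin", "social-networking", 4.0)
    print(evaluate(POLICY, tx, groups_of))
```

Two behaviours worth checking in a real policy are the ones the tests below pin down: a rule that names a group never matches an unidentified user (so "require identity" is what makes such rules effective), and a reputation profile left at its default does nothing at all, however low the score.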
ASA CX management interfaces (diagram): CLI, Syslog, SNMP; Manager; Syslog Server or SIEM
ASA CX management interfaces (diagram, second view): CLI, Syslog, SNMP; Manager; Syslog Server or SIEM; Admin; CLI (marked with an X on the diagram)

Admin access (diagram): Admin connects to ASA CX and to PRSM over HTTPS
ASA CX <-> PRSM communication (diagram): RESTful XML; Reliable Binary Logging

Cisco SIO provides Application Identification Updates to ASA CX and PRSM (diagram)

Applications and features: improved application identification and new features like SSH decryption
Platform Support: SSP-40, SSP-60, 5500-X
Intrusion Prevention: next-generation IPS capabilities
Cisco Integration: better interoperability with other Cisco products like AnyConnect, ISE, TrustSec
Application Visibility and Control
URL Filtering Including Custom Categories
Web Reputation
User Identification Via AD Agent, NTLM, Kerberos
User Device Identification Using AnyConnect / User Agent Strings
SSL Decryption
                             ASA CX SSP-10    ASA CX SSP-20
Throughput (Multi-protocol)  2 Gbps           5 Gbps
Concurrent Connections       500,000          1,000,000
New Connections / Second     40,000           75,000
Deepest Granular Application Control
Differentiation - Visibility with Best In Class Policy Controls
Examination of 75,000 micro-apps
Relevant Application Behavior and Control
Intuitive categorization
Leverages SIO to receive frequent updates

Firewall First! Robust Stateful Inspection and Context-Awareness
Differentiation - Industry's Most Trusted FW
Leverage existing L3 / L4 policies for deterministic access control; ease into L7 policies according to your business requirements and pace of change
Layered approach provides better operational control
Not forced to choose between a next-generation and a classic firewall
Allow access to LinkedIn for legitimate business usage while blocking installation of third-party applications
Block port- and protocol-hopping applications without having to write dozens of new policies




PRSM: Centralized Management & Reporting
Application Visibility & Control: WebAVC + NBAR 2
Web Security Essentials: URL Filtering + Reputation
CX SSP: Identity, Onbox Mgmt & Reporting
ASA SSP
1Y, 3Y, 5Y subscriptions
Initial promo over two quarters to capture existing customer install base:
CX Spare List Price for ASA 5585-X SSP-10 ~ US$ 12,000
CX Spare List Price for ASA 5585-X SSP-20 ~ US$ 15,000

List Price (US$) chart, values as shown:
                      ASA 5585-X SSP-10   ASA 5585-X SSP-20
CX Spare Price        15,000              30,000
ASA Price             29,995              59,995
ASA CX Bundle Price   39,995              71,995

Prices: Initial Promo: Security Plus bundle = US$ 20,000 in addition to ASA CX appliance bundle price


Subscription list prices, values as shown on the three charts (AVC, WSE, AVC + WSE):

AVC + WSE List (US$ 000s)    1Y      3Y      5Y
5585-X SSP-10                $13K    $29K    $48K
5585-X SSP-20                $23K    $52K    $86K
(the extracted legend for this chart names only the 1Y and 3Y series)

AVC License List (US$ 000s)  1Y      3Y      5Y
5585-X SSP-10                $4K     $9K     $15K
5585-X SSP-20                $6K     $14K    $23K

WSE License List (US$)       1Y      3Y      5Y
5585-X SSP-10                $11K    $25K    $41K
5585-X SSP-20                $21K    $47K    $79K
PID                  Form Factor   LIST PRICE
PRSMv9-SW-5-K9       VM            $3,000
PRSMv9-SW-10-K9      VM            $6,000
PRSMv9-SW-25-K9      VM            $12,500
PRSMv9-HW-25-K9      UCS           $24,000
Ordering and Pricing Guide available on CEC:
http://wwwin.cisco.com/stg/products/appliances/asacx/
WSA / ScanSafe: Premium; Deep; Best-of-breed, pure-play; Proxy-based (WSA); Cloud-based (ScanSafe)
ASA CX: Essentials; Broad; Firewall-based; 1-box (web security and firewall)
Common to WSA / SS and ASA CX:
URL Filtering
Web Reputation
Web Applications (like Facebook, LinkedIn, Twitter)
User identification
SSL Decryption
Policy actions: allow/block
End user notification
Top N reports

WSA / SS only:
Caching (WSA)
AV Scanning
Data Loss Prevention
Explicit Proxy (WSA)
SOCKS Proxy* (WSA)
No backhauling (SS)
Addl policy actions: Time-based controls, warn

ASA CX only:
Inline firewall
Non-web applications (like Skype, Oracle, SAP)
Network protocols (like SMTP, DNS, ICMP)
Layer 3-7 access rules
Networking capabilities like NAT, Routing, VPN
Inbound Threat Prevention*

* Roadmapped
I want a secure web gateway
I need caching and AV scanning
I need explicit proxy
Position WSA
I need to secure my distributed environment without backhauling the traffic
I need to secure highly mobile knowledge workers without backhauling the traffic
Position ScanSafe
I need a next-generation firewall
I need a 1-box solution for ease of deployment and ease of management
Position ASA CX
Position WSA
Position ScanSafe
Position ASA CX
30,000 user financial organization replacing BlueCoat
Retail organization with 100 small branch outlets that will have direct internet access; need web security
5,000 user K-12 school replacing Websense software for URL filtering; prospect of a 1-box solution is exciting to them
Thank you.
