36 ([email protected]) cisco systems korea · highly effective netflow event typical firewall...
TRANSCRIPT
10G10G
(UTM)
© 2008 Cisco Systems, Inc. All rights reserved. 2
10G10G
© 2008 Cisco Systems, Inc. All rights reserved. 3
The Human NetworkChanging the Way We Live, Work, Play, and Learn
S/W
Rich MediaRich Media
WiKi
Social NetworkingWiKi Networking
© 2008 Cisco Systems, Inc. All rights reserved. 42.0
syslog 302013 TCP connection creation
syslog 302015 UDP connection creation
syslog 302017 GRE connection creation
syslog 302020 ICMP connection creation
L4L4
syslog 302015 UDP connection creation
----
----
L4 L4
© 2008 Cisco Systems, Inc. All rights reserved. 5
High-End
But Now Still…10G
Firewall Internet Internet
IDCInternet
ISP,
L4 L4 ACLACL ACL
L4 L4ACL
L4 L4
• 1~2Gbps •Multi-Giga
LB BW
• 4~10Gbps, Multi-Giga
BW
• Access-list • Deny All
© 2008 Cisco Systems, Inc. All rights reserved. 6
LB•LB Switch
BW • BW , Connection Rate
LB
• Deny, All Permit• ,
Cisco ASA 5580 Series Overview
• Connection ThroughputD t t Ult L L t
Highest Performance and Speed
N• Data center Ultra Low Latency
Highly Flexible Deployment
New
•
• NetFlow Security Event Monitoring
Highly Effective NetFlow Event
Cisco Cisco 10G10G !!!!!!
© 2008 Cisco Systems, Inc. All rights reserved. 7
Highest Performance and Speed
5~7Connection Rate
75
hput
Thro
ugh
Firewall Rules
© 2008 Cisco Systems, Inc. All rights reserved. 8
Highly Flexible Deployment
OS Quality of Service
V V VV V V
D DD D D D
Active-Active Failover L2
© 2008 Cisco Systems, Inc. All rights reserved. 9
Highly Effective NetFlow Event
Typical firewall syslog Cisco ASA5580 Netflow
g y
= Flow creation event
syslog 302013 TCP connection creation
syslog 302015 UDP connection creationsyslog 302013
syslog 302015
syslog 302017
syslog 302017 GRE connection creation
syslog 302020 ICMP connection creation
syslog 302017
syslog 302020
CiscoASA 5500
CiscoASA 5500
Netflow v9Netflow v9
CS-MARS 3rd PartyNetFlowCollector
CS-MARS 3rd PartyNetFlowCollector
© 2008 Cisco Systems, Inc. All rights reserved. 10
Remote Access VPN
Any PolicyAny Application Any Endpoint
IPSec SSL VPN
What’s New?• 10,000
© 2008 Cisco Systems, Inc. All rights reserved. 11
• 100,000
Cisco ASA 5580 H/W
총 8개의 Hard drive Bay총 8개의 Hard drive Bay Power Button과 상태 LEDPower Button과 상태 LED총 8개의 Hard drive Bay총 8개의 Hard drive Bay총 8개의 Hard drive Bay총 8개의 Hard drive Bay총 8개의 Hard drive Bay총 8개의 Hard drive Bay Power Button과 상태 LEDPower Button과 상태 LEDPower Button과 상태 LEDPower Button과 상태 LEDPower Button과 상태 LEDPower Button과 상태 LED총 8개의 Hard drive Bay총 8개의 Hard drive Bay Power Button과 상태 LEDPower Button과 상태 LED총 8개의 Hard drive Bay총 8개의 Hard drive Bay총 8개의 Hard drive Bay총 8개의 Hard drive Bay총 8개의 Hard drive Bay총 8개의 Hard drive Bay Power Button과 상태 LEDPower Button과 상태 LEDPower Button과 상태 LEDPower Button과 상태 LEDPower Button과 상태 LEDPower Button과 상태 LED
4RU Rack Mount Form Factor26.5” Chassis Depth
4RU Rack Mount Form Factor26.5” Chassis Depth
내부 Compact Flash- 소프트웨어와 config 저장
내부 Compact Flash- 소프트웨어와 config 저장
4RU Rack Mount Form Factor26.5” Chassis Depth
4RU Rack Mount Form Factor26.5” Chassis Depth
4RU Rack Mount Form Factor26.5” Chassis Depth
4RU Rack Mount Form Factor26.5” Chassis Depth
4RU Rack Mount Form Factor26.5” Chassis Depth
4RU Rack Mount Form Factor26.5” Chassis Depth
내부 Compact Flash- 소프트웨어와 config 저장
내부 Compact Flash- 소프트웨어와 config 저장
내부 Compact Flash- 소프트웨어와 config 저장
내부 Compact Flash- 소프트웨어와 config 저장
내부 Compact Flash- 소프트웨어와 config 저장
내부 Compact Flash- 소프트웨어와 config 저장
© 2008 Cisco Systems, Inc. All rights reserved. 12
Mounted on Rails for EasyAccess to Front and BackMounted on Rails for EasyAccess to Front and Back
Processing Engine- 20~40개의 Upgrade Kit 계획
Processing Engine- 20~40개의 Upgrade Kit 계획
Mounted on Rails for EasyAccess to Front and BackMounted on Rails for EasyAccess to Front and BackMounted on Rails for EasyAccess to Front and BackMounted on Rails for EasyAccess to Front and BackMounted on Rails for EasyAccess to Front and BackMounted on Rails for EasyAccess to Front and Back
Processing Engine- 20~40개의 Upgrade Kit 계획
Processing Engine- 20~40개의 Upgrade Kit 계획
Processing Engine- 20~40개의 Upgrade Kit 계획
Processing Engine- 20~40개의 Upgrade Kit 계획
Processing Engine- 20~40개의 Upgrade Kit 계획
Processing Engine- 20~40개의 Upgrade Kit 계획
© 2008 Cisco Systems, Inc. All rights reserved. 13
24 Giga Port 12 10GE
IDC Cisco 10G Firewall
Layer Typical Solution Cisco Solution DescriptionTypical Solution
Front End Network
Layer Typical Solution Cisco Solution Description
•DCReal 10G Firewall ASA5580 40
Typical Solution
•Security Net•Data Center Switch
L4 L4
L4 L4
10G
10G ASA5580-40 • Layer 1
•
N Ti A
L4 L4 10G
10G
•Application
N-Tier App•SLB network•Web,App,DB,MainFrame
L4L4 L4 L4 L4
•C6K FWSM, ACE
•
Storage
•
© 2008 Cisco Systems, Inc. All rights reserved. 14
Storage network
VPN Gateway Service
WANCisco ASA 5580
Cisco ASA
(IPsec & SSLVPN)
Cisco ASA withInternetwith VPNASA with
VPN
Remote VPN Users
© 2008 Cisco Systems, Inc. All rights reserved. 15
e ote Use s(IPsec & SSLVPN)
DEMO10G Firewall
© 2008 Cisco Systems, Inc. All rights reserved. 16
10Gbps
© 2008 Cisco Systems, Inc. All rights reserved. 17
© 2008 Cisco Systems, Inc. All rights reserved. 18
200M NAT
© 2008 Cisco Systems, Inc. All rights reserved. 19
© 2008 Cisco Systems, Inc. All rights reserved. 20
(UTM)(UTM)
© 2008 Cisco Systems, Inc. All rights reserved. 21
UTM ?
Spam, PhishingSpyware, Hackers
p , g
Unwelcome Visitors
Cisco Cisco ASAASA 5500 5500 S iS iInappropriateViruses
SerieseSerieseRemote Access
Inappropriate Web Browsing
Viruses
UTM = Unified Threat Management,
© 2008 Cisco Systems, Inc. All rights reserved. 22
UTM Cisco UTM
Cisco UTMCisco UTM
SP-1
ASA 5500
SP 2
ASA 5500 Firewall
IDS/IPS IPSec VPN
SSL VPN
SP-2
?
© 2008 Cisco Systems, Inc. All rights reserved. 23
UTM Traffic Flow
Cisco ASA 5500 Series
© 2008 Cisco Systems, Inc. All rights reserved. 24
( )
Cisco ASA 5500 Series Cisco ASA 5500 Series Cisco ASA 5500 SeriesCisco ASA 5500 SeriesAdvanced Inspection and Prevention Module (AIP SSM)
Cisco ASA 5500 SeriesContent Security and Control Module (CSC SSM)
Cisco ASA 5500 Series4-Port GE Services Module (4GE SSM)
© 2008 Cisco Systems, Inc. All rights reserved. 25
Cisco ASDM v6.1
Security Dashboards
Packet Tracer
Packet Capture WizardPacket Capture Wizard
© 2008 Cisco Systems, Inc. All rights reserved. 26
© 2008 Cisco Systems, Inc. All rights reserved. 27
10G ……
New
NewASA 5580-40 (10 20 Gbm
s
ASA 5550ASA 5580-20 (5-10 Gbps,
(10-20 Gbps, 150K conn/s)
Plat
form
ASA 5550 (1.2 Gbps, 36K conn/s)
ASA 5540 (650 Mbps, 2 K / )
( p ,90K conn/s)
5500
P
25K conn/s)ASA 5520 (450 Mbps, 12K conn/s)
ASA 5510ASA
5
ASA 5505 (150 Mbps, 4K conn/s)
ASA 5510 (300 Mbps, 9K conn/s)
Cis
co
© 2008 Cisco Systems, Inc. All rights reserved. 28
Teleworker Branch Office
InternetEdge Data CenterCampus
Why Cisco 10G Firewall?
Cisco 10G New
• Connection Rate
•Real 10GReal 10G
• OS
•Netflow
© 2008 Cisco Systems, Inc. All rights reserved. 29
10G
Why Cisco UTM?
/ASA 5500
D t C t
RemoteSite
ASA 5580-20A/S 5G
FW+IPSec VPN +Anti-X
Data Center
Corporate LANEnterprise Network
A/S 5G Firewall
ASA
Public Internet
Wireless LANDMZ
Network ASA 5580-40 A/A 10G Firewall
Business Partners
ASA 5580-20 Firewall + SSL/IPSec
VPN
ASA 5500FW+SSL/
IPSec VPNVPN+IPS
© 2008 Cisco Systems, Inc. All rights reserved. 30
