Firewall Network Security - Cisco ASA 5500 Series SSL/IPsec VPN Edition

The Cisco® ASA 5500 Series Adaptive Security Appliance is a purpose-built platform that combines best-in-class security and VPN services for small and medium-sized business (SMB) and enterprise applications. The Cisco ASA 5500 Series enables customization for specific deployment environments and options, with special product editions for SSL/IPsec VPN, Firewall Network Security, Content Security, and Intrusion Prevention.

The Cisco ASA 5500 Series SSL/IPsec VPN Edition enables organizations to gain the connectivity and cost benefits of Internet transport without compromising the integrity of corporate security policies. By converging Secure Sockets Layer (SSL) and an IP Security (IPsec) VPN service with comprehensive threat defense technologies, the Cisco VPN client delivers highly customizable network access tailored to the requirements of diverse deployment environments while providing advanced endpoint and network-level security (Figure 1).

Figure 1. A Customizable VPN Service for any Deployment Scenario

Cisco ASA 5500 Series SSL/IPSEC VPN Edition

The Cisco ASA 5500 Series SSL/IPsec VPN Edition offers flexible VPN technologies for any connectivity scenario, with scalability up to 5000 concurrent users per device. It provides easy-to-manage, full-tunnel network access through SSL, Datagram Transport Layer Security (DTLS), IPsec VPN client technologies, advanced clientless SSL VPN capabilities, and network-aware site-to-site VPN connectivity, enabling secure connections across public networks to mobile users, remote sites, contractors, and business partners. Costs associated with VPN deployment and operations are reduced by eliminating ancillary equipment required to scale and secure a VPN.

Benefits of the Cisco ASA 5500 Series SSL/IPsec VPN Edition include:

Network Remote Access

×

Full network access provides network-layer remote-user connectivity to virtually any application or network resource and is often used to extend access to managed computers such as company-owned laptops. Connectivity is available through the automatically downloaded Cisco AnyConnect VPN Client, the Cisco IPsec VPN Client, and the Microsoft and Mac OS X Layer 2 Tunneling Protocol (L2TP)/IPsec VPN clients. The Cisco AnyConnect VPN Client will automatically adapt its tunneling protocol to the most efficient method based on network constraints and is the first VPN product to use the DTLS protocol to provide an optimized connection for latency-sensitive traffic, such as voice over IP (VoIP) traffic or TCP-based application access. By supporting SSL, DTLS, and IPsec-based remote-access VPN technologies, the Cisco ASA 5500 Series delivers unsurpassed flexibility to meet the needs of the most diverse deployment scenarios.

• Network remote access

Remote-User Connectivity

×

Full network access provides network-layer remote-user connectivity to virtually any application or network resource and is often used to extend access to managed computers such as company-owned laptops. Connectivity is available through the automatically downloaded Cisco AnyConnect VPN Client, the Cisco IPsec VPN Client, and the Microsoft and Mac OS X Layer 2 Tunneling Protocol (L2TP)/IPsec VPN clients. The Cisco AnyConnect VPN Client will automatically adapt its tunneling protocol to the most efficient method based on network constraints and is the first VPN product to use the DTLS protocol to provide an optimized connection for latency-sensitive traffic, such as voice over IP (VoIP) traffic or TCP-based application access. By supporting SSL, DTLS, and IPsec-based remote-access VPN technologies, the Cisco ASA 5500 Series delivers unsurpassed flexibility to meet the needs of the most diverse deployment scenarios.

• User connectivity

Clientless Remote Access

×

Clientless remote access provides access to network applications and resources, regardless of location, without the need for desktop VPN client software. Using the ubiquity of SSL encryption available in Internet browsers, the Cisco ASA 5500 Series delivers clientless access to any Web-based application or resource, terminal services applications such as Citrix, and optimized Microsoft Outlook Web access and Lotus iNotes, as well as access to common thick-client applications like e-mail and calendering, instant messaging, FTP, Telnet, and SSH. Additionally, the superior content rewriting capabilities of the Cisco ASA 5500 Series help ensure reliable rendering of complex Web pages with Java, JavaScript, ActiveX, Flash, and other sophisticated content.

• Superior clientless network access

High-Speed Internet via VPN

×

Secure, high-speed internet communications are possible between multiple office locations. Support for quality of service (QoS) and routing across the VPN helps ensure reliable, business-quality delivery of latency-sensitive applications like voice, video, and terminal services.

• Network-aware Site-to-Site VPNs

VPN Security: Cisco ASA 5500

×

VPNs are a primary source of malware infiltration into networks. Malware includes worms, viruses, spyware, keyloggers, Trojan horses, and rootkits. The depth and breadth of intrusion prevention, antivirus, application-aware firewall, and VPN security capabilities in the Cisco ASA 5500 Series minimizes the risk that the VPN connection will become a conduit for security threats.

• Threat-protected VPN

Cost-effective VPN - VPN Products

×

Scaling and securing VPNs often requires additional load balancing and security equipment, which increases both equipment and operational costs. The Cisco ASA 5500 Series integrates these functions, delivering an unprecedented level of network and security integration among the VPN products available today. And by offering support for flexible tunneling options on a single platform, the Cisco ASA 5500 Series provides customers with cost-effective VPN alternatives to deploying parallel VPN infrastructures.

• Cost-effective VPN service and operations

Scalability and resiliency

×

The Cisco ASA 5500 Series can support up to 5000 simultaneous user sessions per device, with the ability to scale to tens of thousands of simultaneous user sessions through integrated clustering and load-balancing capabilities. Stateful failover features deliver high-availability services for unsurpassed uptime.

• Scalability and resiliency

Customizable Remote-Access VPN Features

Find out more about the Cisco VPN client remote-access features by clicking on the links in the table below:

Feature		Included
Cisco Networking - Full network access × Cisco networking: The Cisco ASA 5500 Series SSL/IPsec VPN Edition provides broad application and network resource access through network tunneling features available in either the Cisco AnyConnect VPN Client Cisco AnyConnect VPN Client Features
Optimised Network Access × The Cisco AnyConnect VPN Client automatically adapts its tunneling to the most efficient method possible based on network constraints. The DTLS protocol is automatically used to provide an optimised connection for latency-sensitive traffic, such as VoIP traffic or TCP-based application access. HTTP over SSL is used to ensure availability of network connectivity through locked-down environments, including those using Web proxy servers. Data compression may be used to reduce the amount of data transmitted. Optimised Network Access
Operating System Compatibility × Operating system compatibility and OS support is available on Cisco for the following systems: Windows 2000, XP x86 and 64-bit Windows Vista x86 Mac OS X Power PC and Intel 10.4 and 10.5 Linux Intel (2.6.x kernel) Broad Operating System Support
Installing Cisco: Deployment × Cisco: Deployment options: Pre-deployment, including Microsoft Installer Automatic headend deployment (administrative rights are required for initial installation) via ActiveX (Windows only) and Java Connection modes: Standalone via system icon Browser initiated (Weblaunch) Clientless portal initiated Command line interface (CLI) initiated Deployment and Connection Options
Cisco AnyConnect: VPN Client × The Cisco AnyConnect VPN Client allows an administrator to automatically distribute software and policy updates from the headend security appliance, thereby eliminating administration associated with VPN client software updates Ease of Client Administration
VPN Client: Consistent User Experience × Full tunnel client mode supports remote-access users requiring a consistent LAN-like user experience. Multiple delivery methods and small download size help ensure broad compatibility and rapid download of the Cisco AnyConnect VPN Client Consistent User Experience
Advanced IP Network Connectivity × Access to internal IPv4 and IPv6 network resources Centralized split tunneling control for optimised network access IP address assignment mechanisms: Static Internal pool Dynamic Host Configuration Protocol (DHCP) RADIUS/Lightweight Directory Access Protocol (LDAP) Advanced IP Network Connectivity
Cisco VPN Client - Full network access × Cisco VPN Client offers clientless SSL VPN access, which allows precisely controlled Web-based access to specific network resources and applications from Internet kiosks, shared computers, extranet partners, employee-owned desktops, and company-owned employee desktops. Clientless Network Access
Programming Language Compatibility × The Cisco advanced transformation capability helps ensure programming language compatibility with web pages containing complex content and programming languages, including; HTML, Java, ActiveX, JavaScript, and Flash. Broad, Reliable Compatibility
Clientless VPN & Integrated Optimisation × Cisco is a clientless VPN with integrated optimisation for resource-intensive applications, such as Microsoft Outlook Web Access and Lotus iNotes, delivers exceptional response times and low latency to provide a high-quality SSL VPN end-user experience. Integrated Clientless Application Optimisation
Cisco Clientless Portal × The enhanced Cisco clientless portal features group-based customization features for detailed access, ease of use, and a customizable user experience: Support for multilanguage clientless user portals User-customizable resource bookmarks Publishing of Really Simple Syndication (RSS)-based information resources for automatic updating of important real-time content Customisable User Experience
Clientless SSL VPN: Citrix Access × No extraneous helper applications are required for Citrix access over clientless SSL VPN, which helps ensure fast application initiation time and reduces the risk of desktop software conflicts. Fully Clientless Citrix Access
Integrated Client × Cisco provides integrated client and server application support via access to common client/server applications without the need for pre-deployed remote clients, granting rapid access to Telnet, SSH, Remote Desktop Protocol (RDP), and Virtual Network Computing (VNC) resources. Integrated Client/Server Application Support
Email Port Forwarding × Email port forwarding enables clientless access to popular thick client applications like Post Office Protocol (POP), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), e-mail, online calendars, instant messaging, Telnet, SSH, and other client-initiated TCP applications via a small Java applet. Smart tunneling allows Microsoft Windows users access to TCP applications without the prerequisite of administrative rights and allows VPN administrators to grant only approved applications access to internal resources. Support for Common Thick-Client Applications
Browser Compatibility × Cisco cross browser support, includes browser compatibility with Microsoft Internet Explorer, Firefox, Opera, Safari, and Pocket Internet Explorer (PIE) to ensure broad connection compatibility from any location. Broad Browser Support
Advanced IP Networks × Access to internal IPv4 and IPv6 network resources. Advanced IP Network Connectivity
Cisco Authentication Solutions × The Cisco authentication solutions on the ASA 5500 Series provides a comprehensive set of options for authentication and authorization of users. Comprehensive Authentication and Authorisation Choices
Cisco Authentication Options × RADIUS RADIUS with Password Expiry (MSCHAPv2) to NT LAN Manager (NTLM) RADIUS OTP Support (state/reply message attributes) RSA SecurID Active Directory/Kerberos Embedded Certificate Authority (CA) Digital Certificate / Smartcard LDAP with Password Expiry and Aging Generic LDAP Support Combined certificate and username/password multifactor authentication Internal domain password prompting for simplified Single Sign On (SSO) SSL VPN virtual keyboard authentication for additional protection against keystroke loggers Authentication Options
Intelligent Services Gateway × Cisco Intelligent Services Gateway provides sophisticated authorisation capabilities: Policy mapping from RADIUS and LDAP Dynamic access policies directly leverage domain membership and posture status for creation of user policy Sophisticated Authorisation
Clientless SSL VPN - Single Sign On (SSO) × Technical details for Clientless SSL VPN with single sign on (SSO): Computer Associates Siteminder (Netegrity) RSA Access Manager (ClearTrust) Security Assertion Markup Language (SAML) Basic/NTLM authentication pass-through Forms-based authentication pass-through Single Sign On (SSO) for Clientless SSL VPN Users

Threat-Protected VPN Service

The Cisco ASA 5500 Series SSL/IPsec VPN Edition provides advanced security for VPN deployments through its integrated network and endpoint security technologies. Securing the VPN is necessary to ensure it prevents network attacks such as worms, viruses, spyware, keyloggers, Trojan horses, rootkits, or hacking. Detailed application and access control policy helps ensure that individuals and groups of users have access only to the applications and network services to which they are entitled (Figure 2).

Figure 2. Threat-Protected VPN Services Use Onboard Security to Protect Against VPN Threats

Network Security at the VPN Gateway

Worms, viruses, application-embedded attacks, and application abuse are among the greatest security challenges in today's networks. Remote access and remote-office VPN connectivity are common points of entry for such threats due to limited security capabilities on VPN devices. VPNs are often deployed without proper inspection and threat mitigation applied at the tunnel termination point at the headquarters location, which allows malware from remote offices or users to infiltrate the network and spread. With the converged threat mitigation capabilities of the Cisco ASA 5500 Series, customers can detect malware and stop it before it enters the network interior. For application-embedded attacks, such as spyware or adware spread through file-sharing peer-to-peer networks, the Cisco ASA 5500 Series deeply examines application traffic to identify a dangerous payload and drops its contents before it reaches its target and causes damage. The table below lists some VPN gateway security features provided by the Cisco VPN Client.

Feature		Included
Network Security at the VPN Gateway
Malware Mitigation and Virus Protection × Cisco antivirus provides extensive malware mitigation and virus protection against worms, viruses, spyware, keyloggers, Trojan horses, and rootkits. The Cisco ASA 5500 Series VPN gateway is a secure solution that eliminates threats before they spread throughout the network. Extensive Malware Mitigation
Application-Aware Firewall and Access Control × Cisco systems application-aware firewall provides traffic inspection that enables thorough user access control and helps prevent abuse of unwanted applications, such as peer-to-peer file sharing across the VPN connection. Application-Aware Firewall and Access Control
Intrusion Prevention System × The Cisco ASA 5500 Series intrusion prevention system guards against a multitude of network exploits. Intrusion Prevention
Cisco Access Restrictions × Cisco access restrictions provide permission or denial of access to confidential resources is based on flexible configuration policies and current posture status. Access Restrictions
Virtual LAN Mapping (VLAN Mapping) × Information about the CCS Leeds virtual LAN mapping (VLAN mapping) service: Enforcement of user and group-based traffic access restrictions are based on a configured VLAN. Virtual LAN (VLAN) Mapping
Network Security: Endpoint × SSL VPN deployments enable universal access from both secure and non-corporate-managed endpoints, and provide the ability to extend network resources to diverse user communities. With this extension of the network, the points for potential network security attacks also increase. Whether users are accessing the network from a corporate-managed PC, personal network-accessible device, or public terminal, Cisco Secure Desktop minimizes data such as cookies, browser history, temporary files, and downloaded content left behind after an SSL VPN session terminates. Cisco Secure Desktop's Pre-Connection Posture Assessment functionality is available on Windows. The Secure Vault is available on Windows 2000 & XP and the Cache Cleaner is available on Windows, Mac OS X and Linux (browser dependent). Endpoint posture checking for full network access users is also available through integration with the Cisco NAC Appliance and Cisco NAC Framework. Comprehensive Endpoint Security for SSL VPN
Pre-Connection Posture Assessment × The Host integrity verification checking on Cisco systems seeks to detect the presence of antivirus software, personal firewall software, and Windows service packs on the endpoint system prior to granting network access. A significantly expanded list of applications and versions are now supported through this mechanism. Frequent updates are available to support new product releases. Administrators also have the option of defining custom posture checks based on the presence of running processes. Pre-Connection Posture Assessment
Secure Desktop and Watermark Checking × Cisco Secure Desktop can detect the presence of a watermark on a remote system. The watermark can be used to identify assets that are corporate-owned and provide differentiated access as a result. The watermark checking capability includes system registry values, file existence matching a required CRC32 checksum, IP address range matching, and certificate issued by/to matching. Pre-Connection Asset Assessment
Data Protection: Cisco Security × Additional protection is provided for all data associated with the session, including passwords, file downloads, history, cookies, and cache files. Session data is encrypted to the secure vault of Cisco Secure Desktop. Comprehensive Session Protection
Data Cleansing and Data Cleanup × Data in the secure vault experiences data cleansing and is overwritten with the Cisco data cleanup functionality at the end of the session. End-of-Session Data Cleanup
Keylogger Detector × Cisco Secure Desktop includes a keylogger detector tool that performs an initial check for certain software-based keystroke logging software at the start of the session. The keystroke logger detection tool will flag up if an anomalous program begins running inside the secure vault, after session initiation, the user is prompted to stop the suspicious activity. Keystroke Logger Detection
Cisco Permissions: Guest Accounts × Users accessing the network from remote machines may not have administrator privileges on all systems with Cisco permissions. Cisco Secure Desktop can often be installed with only guest accounts. This helps to ensure delivery and installation on all systems for multiple users. Available with Guest Permissions
Advanced Endpoint Assessment × An advanced endpoint assessment option is available to automate the process of repairing out-of-compliance applications. Advanced Endpoint Assessment License
VPN Features and Internet Connections × Using the network-aware IPsec site-to-site VPN capabilities provided by the Cisco ASA 5500 Series SSL/IPsec VPN Edition, businesses can securely extend their networks across low-cost Internet connections to business partners and remote and satellite offices worldwide Network-Aware Site-to-Site VPN Features
QoS-Enabled × Supports latency-sensitive applications like voice, video, and terminal services. QoS-Enabled
Network Integration and Routing × Open Shortest Path First (OSPF) support across tunneling neighbors enables network topology awareness for ease of network integration. Network-Aware Routing
Cost-Effective VPN via Platform Integration × The Cisco ASA 5500 Series platform integration provides cost-effective VPN solutions by combining numerous functions-such as security and load balancing-that can reduce the number of devices required to scale and secure the VPN, thereby decreasing equipment costs, architectural complexity, and operational costs VPN Cost-Effectiveness Through Platform Integration
Network Security: Endpoint Security × Cisco network security and endpoint security provides onboard malware mitigation, IPS, and firewall capabilities increasing VPN security while decreasing the amount of equipment that needs to be deployed. Network and Endpoint Security
Load Balancing: Cisco Systems × Cisco systems integrated load balancing features enable multichassis clusters without expensive external load balancing equipment. Load Balancing

Firewall Network Security: Cisco ASA 5500 Series Platform Overview

The Cisco ASA 5500 Series delivers site-specific scalability, from small offices to enterprise headquarter locations, through its five models: 5505, 5510, 5520, 5540, and 5550 (Figure 3). Models 5510 and up share a common chassis, built with a foundation of concurrent services scalability, investment protection, and future technology extensibility. The table below lists the specifications of the Cisco ASA 5500 Series models.

Figure 3. The Cisco ASA 5500 Series

Specifications of Cisco ASA 5500 Series Adaptive Security Appliances:

Platform		Cisco ASA 5505	Cisco ASA 5510	Cisco ASA 5520	Cisco ASA 5540	Cisco ASA 5550
Maximum VPN Throughput		100 Mbps	170 Mbps	225 Mbps	325 Mbps	425 Mbps
Maximum Concurrent SSL VPN Sessions		25	250	750	2500	5000
Maximum Concurrent IPsec VPN Sessions		25	250	750	2500	5000
Interfaces		Eight 10/100 copper Ethernet ports with dynamic port grouping. Includes two Power over Ethernet (PoE) ports, three USB ports	Five 10/100 copper Ethernet ports, two USB ports	Four 10/100/1000 copper Ethernet ports, one out-of-band management port, two USB ports	Four 10/100/1000 copper Ethernet ports, one out-of-band management port, two USB ports	Eight Gigabit Ethernet ports, four small form factor-pluggable (SFP) fiber ports, one Fast Ethernet port
Profile		Desktop	1-RU	1-RU	1-RU	1-RU
Stateful Failover		No	Licensed feature	Yes	Yes	Yes
VPN load Balancing		No	Licensed feature	Yes	Yes	Yes
Devices include a license for two SSL VPN users for evaluation and remote management purposes. The total concurrent IPsec and SSL (clientless and tunnel-based) VPN sessions may not exceed the maximum concurrent IPsec session count shown in the chart. The SSL VPN session number may also not exceed the number of licensed sessions on the device. 2Upgrade is available with Cisco ASA 5510 Security Plus license.