Adaptive Security Appliance 5500 Series
Key to Building the Cisco Self-Defending Network
How to Sell

© 2005 Cisco Systems, Inc. All rights reserved.

Agenda

• Evolving Network Security Challenges
• ASA 5500 Overview
• Addressing Customer Pain Points
• Positioning and Sales Opportunities

The Network Has Evolved
Applications Everywhere, Everyone Interconnected

[Diagram: Headquarters (Sales Automation, HR Apps, MRP, ERP, Finance) connected to Partners (reached mostly by Web/Extranet), Manufacturing, Sales, HR (departmental applications available throughout), Customers, Teleworkers and Remote Offices.]

Implementing Security: New Challenges

• Rapidly changing threats can bypass or overwhelm traditional security perimeters
• Breadth of services and management solutions driving increases in cost of operations
• Security services can disrupt network traffic, access and applications

What's on the mind of the IT Professional?

• Help! I have to respond more rapidly and proactively to changes in business conditions
• Show me how to use IT investments to go "on the offense"
• Help me with my pain:
  – operational complexity
  – virus/worm outbreaks
  – application abuse

Approaching the NETWORK in a new way can help solve these challenges.
Evolution of Cisco Security Strategy: Cisco Self-Defending Network

Point Products
• Multiple Security Appliances
• Separate management software

SDN Phase I: "Integrated Security"
• Making every network element a point of defense: Routers, Switches, Appliances, Endpoints
• Secure Connectivity (V3PN, DMVPN), Threat Defense, Trust & Identity
• Network Foundation Protection

SDN Phase II: "Collaborative Security Systems"
• Security becomes a Network-Wide System: Endpoints + Network + Policies
• Multiple services and devices working in coordination to thwart attacks with active management
• NAC, IBNS, SWAN

SDN Phase III: "Adaptive Threat Defense"
• Mutual awareness among and between security services and network intelligence
• Increases security effectiveness, enables proactive response
• Consolidates services, improves operations efficiency
• Application recognition and inspection for secure application delivery/optimization

Adaptive Threat Defense in Action
Convergence Enables More Effective Security

Adaptive Threat Defense services:
• Application Security: App Inspection, Use Enforcement, Web Control
• Anti-X Defenses: Malware/Content Defense, Anomaly Detection
• Containment & Control: Traffic/Admission Control, Proactive Response

Converged services that enable them:
• Firewall Services: Access Control, Packet Inspection
• IPS & NW-AV Services: Application Intelligence, Content Inspection, Virus Mitigation
• Network Intelligence: Identity, Virtualization, QoS, Segmentation, Traffic Visibility

[Diagram: Catalyst, CSA, Cisco Router, Cisco DDoS, VPN, VPN Access, Quarantine VLAN, NAC, PIX, Identity-Based Networking, Cisco IPS.]

Introducing Cisco Adaptive Security Appliances
Delivering Adaptive Threat Defense and VPN Solutions

• Converged Adaptive Threat Defense and Secure VPN Services: Application Security, Worm/Virus Mitigation, Malware Protection and Threat-Protected VPN
• Minimize Deployment and Operations Costs: Platform Standardization, Unified Management, Network Awareness
• Technology Extensibility to Address New Threats: Purpose-Built Adaptive Identification and Mitigation Architecture Enables Unprecedented Extensibility and Policy Control

The Cisco ASA 5500 Series

Cisco ASA 5510, 5520 and 5540 Appliances

Platform Overview
• Versatile family with a common platform serves multiple needs
  – Enterprise, mid-market, SMB, and branch office deployments
• Unified management simplifies ongoing operations
  – Converged configuration and monitoring across all services
• Technology extensibility delivers investment protection
  – FW, VPN, IPS and NW-AV security services as needed
  – Built for future technology extensibility; avoids "forklift" upgrades

Platform Architecture & Performance
• Adaptive multi-processor/co-processor architecture provides a solution with optimal flexibility and concurrent service performance
• Modular design for investment protection
• High performance:
  – ASA 5510: up to 300 Mbps
  – ASA 5520: up to 450 Mbps
  – ASA 5540: up to 650 Mbps

Cisco ASA 5500 Series
Convergence of Robust, Market-Proven Technologies

Market-Proven Technologies:
• Firewall Technology: Cisco PIX
• IPS Technology: Cisco IPS
• NW-AV Technology: Cisco IPS, AV
• VPN Technology: Cisco VPN 3000
• Network Intelligence: Cisco Network Services
Adaptive Threat Defense and Secure VPN Connectivity services:
• Application Security: App Inspection, Use Enforcement, Web Control
• Anti-X Defenses: Malware/Content Defense, Anomaly Detection
• Network Containment & Control: Traffic/Admission Control, Proactive Response
• Secure VPN Connectivity

Cisco ASA 5500 Series: Breadth and Depth
Industry First! Scalable, Multi-Function, Feature Rich

Application Security
• Multi-layer packet and traffic analysis
• Advanced application and protocol inspection services
• Network application controls
• Advanced VoIP/multimedia security

Anti-X Defense
• Network-based worm and virus mitigation
• Spyware, adware, malware detection and control
• Accurate Prevention Technology for reliable, proactive response
• On-box event correlation and proactive response

Containment & Control
• Layer 3 and 4 access control services
• Stateful packet inspection
• Flexible user, network and application policy grouping

Secure VPN Connectivity
• Zero-touch, automatically updateable IPSec remote access
• Flexible and secure SSL VPN services
• QoS/routing-enabled site-to-site VPN
• Integrated threat mitigation protects against VPN-delivered threats

Cisco Networking Services Intelligence
• Low Latency
• Services Virtualization
• Diverse Topologies
• Network Segmentation & Partitioning
• Multicast Support
• Routing, Resiliency, Load-Balancing

Cisco ASA 5510/5520/5540 Series Product Tour

• Four 10/100/1000 Copper Gigabit Ports
• Sleek, High Performance 1 Rack Unit (RU) Design
• One 10/100 Out of Band Management Port*
• Diskless Architecture for High Reliability
• One Expansion Slot for Additional Accelerated Services or I/O
• Single Field Upgradeable AC or DC Power Supply
• Two USB 2.0 Ports for Future Expansion (Credentials, Failover, and more)
• Compact Flash for Software, Config, and Log Storage
• Console and AUX Ports
• Five Status LEDs (Power, Status, Active, VPN, Flash)

Cisco ASA Security Services Module (SSM) 10 & 20 Product Tour
Advanced Inspection and Prevention Module

• High Performance Module for Additional Services
• Diskless (Flash-Based) Design for Improved Reliability
• Gigabit Ethernet Port for Out-of-Band Management, etc.
• Thumbscrews for Easy Insertion and Removal

Note: Cisco also plans to offer a 4-port copper/SFP I/O-only module in the future.

High Performance Worm/Virus Outbreak Prevention

Comprehensive Analysis:
• De-obfuscation
• Application Layer Inspection
• Protocol Anomaly Detection
• Heuristic Analysis
• Traffic Normalization

Outbreak Prevention:
• Virus Detection
• Dynamic Outbreak Updates

Accurate Enforcement:
• Real-Time Correlation
• Risk Rating
• Attack Drop
• Session Removal & Resets

[Diagram: worms arriving from the Public Internet (MS Blaster, Slammer, Code Red, NIMDA, W32.Tomorrow's-Threat) are stopped at the ASA 5500.]

Leverages the depth of Anti-X Defense features to stop malicious worms and viruses, and without a performance loss!

Network-Based Malware Prevention

User Behavior:
• Web Surfing
• Email Attachments
• Peer-to-Peer File Sharing
• "Free" Software Downloads

Internet Delivers:
• Spyware
• Adware
• Keystroke Logger
• Trojan Software

ASA 5500 Mitigates:
• Filters Spyware Communications
• Controls Transmission of Confidential Data
• Blocks Trojan Software

Leverages the depth of Anti-X Defense features to proactively control and contain spyware, adware and other types of malicious code.
Companies Are Opening Port 80
Attacks Enter Through Web-enabled Applications

Internal Users (survey figures shown on the slide):
• Internet access: 98%
• Rich media: 43%
• IM traffic: 43%
• Web enabled apps: 55%
• Web services: 43%

64% of enterprises have opened Port 80 (HTTP) on their firewalls for their growing web application traffic.
Source: Aug 2002 InfoWorld/Network Computing survey of IT Professionals.

"...75% of successful attacks against Web servers are entering through applications and not at the network level."
John Pescatore, VP and Research Director, Gartner, June 2002.

Application Inspection and Control

Application Security Features Enable Inspection and Control:
• Stateful Layer 3-7 Inspection
• Application and Access Control
• Dynamic Protocol Descriptor Updates
• Quality of Service

Enables Control of:
• Peer-to-peer: Kazaa and Gnutella
• Instant Messaging
• HTTP and Port 80 Tunneled Applications
• Voice over IP
• And many more!

[Diagram: traffic from the Public Internet reaches the ASA 5500; valid business traffic is passed, invalid peer-to-peer and tunneled applications are blocked.]

Designed from the ground up for reliable dynamic control of the application layer.

VPN Services for Any Deployment Scenario
Robust IPSec and SSL VPN Services with Threat Prevention

Access Scenarios:
• Site-to-Site Connectivity: Branch Office Site-to-Site
• Managed Desktop: Employee Desktop, Full or Limited Network Access
• Kiosk Access
• Partner Access: Supply Partner Extranet
• Account Manager, Mobile User, Employee at Home (Unmanaged Desktop)

Converged IPSec, WebVPN, Firewall, IPS:
• Inspect/Control VPN Sessions
• Single RA VPN Device Infrastructure
• Unified User Management
• Uniform Resiliency & Load Balancing
• QoS for Site-to-Site Traffic

Provides secure access for any user from any location from a single device and management infrastructure.
Deployment and Operations Costs
Complexity Drives Higher Equipment and Personnel Costs

Service Applications (Teleworker, Enterprise Branch, Enterprise HQ):
• Branch: Firewall, VPN
• HQ Perimeter: Firewall, IPS, NW-AV, VPN
• Data Center: Firewall, IPS
• HQ Internal: Firewall, IPS

Cost Implications:
• Four different classes of devices to purchase, configure, troubleshoot and manage
• Numerous sources of reporting data
• Numerous devices that can impact network access and applications
• Service gaps for attacks... increased damage clean-up

Decreasing Deployment and Operations Costs
Platform Standardization and Unified Management

[Diagram: Teleworker (Full Service IPSec & SSL VPN); Enterprise Branch (S-S VPN, Network Anti-Virus, and Worm Protection); Enterprise HQ (Internal Firewalling and Threat Mitigation; Edge Firewalling and Traffic Micro-Inspection; Remote Access and Extranet; Critical Resource Protection); Small and Medium Business (Single Device Security Solution: FW, IPS, AV, SSL, and IPSec); Service Provider (Multiple Service Offerings and Robust Management; SP Managed Service).]

Enterprise: Single Platform, Many Uses
Decreases costs through:
• Single system for management and monitoring
• Common operating platform decreases complexity
• Simplified troubleshooting and fault isolation
• Simplified deployments
• Ease of staff training

SMB: All-in-One Security Device
Decreases costs through:
• Broader protection, which minimizes damage clean-up
• Fewer devices to manage
• Adding new services as needed without performance trade-off

Service Provider: Multiple Services
Decreases costs through:
• Unified management, monitoring, provisioning
• Adding new services without provisioning new equipment
• Ease of staff training

Comprehensive Management, Monitoring & Response
Converged Services Reduce Complexity and Costs

Device Management: Cisco Adaptive Security Device Manager (ASDM)
• Integrated, web-based management
• Converged configuration: FW, IPS, VPN, AV
• Real-time monitoring tools

System Management: CiscoWorks VPN/Security Management (VMS), Solsoft Policy Server
• Multi-device integrated management
• Enterprise-scale provisioning

System Monitoring and Response: Cisco Security MARS, CiscoWorks SIMS
• Multi-platform event management and response
• Sophisticated data reduction and correlation

Auditing: Cisco Security Auditor
• Device posture validation against industry "best practices" and regulatory compliance

Top Competitive Differentiators
THESE POINTS ENCAPSULATE THE SELLING STRATEGY:

• Differentiating from Focused-Function Competitors:
  – Comprehensive suite of services to thwart the broadest range of threats
  – Decrease ops costs by standardizing on one platform, customizable for numerous deployment scenarios
  – More effective security through services consolidation
  – Low price
• Differentiating from Both Focused and Multi-Function Competitors:
  – Only multi-function product built on deployment-proven technologies
  – Fast: high concurrent services performance
  – High platform investment protection: no forklifts!
  – Multi-function at focused-function price: great value!
  – Part of a greater whole: Self-Defending Networks
Cisco ASA, PIX, IPS 4200, and VPN 3000 Purchasing Criteria

ASA is compatible with all existing PIX, IPS & VPN 3000 deployments, and often delivers additional functionality:

ASA in PIX Environments
Application:
• ASA can be used in place of PIX 515E and 525 and complements PIX 501, 506E and 535
• Extends full threat mitigation to typical SMB environments
Additional ASA Services:
• Full IPS services
• Worm mitigation
• Anti-virus
• Deeper application inspection
• SSL VPN
• VPN clustering
• Modular services slot

ASA in IPS Environments
Application:
• ASA provides converged firewall and IPS
• IPS 4200 provides full management separation
Additional ASA Services:
• Full firewall services
• Full VPN services
• Modular services slot

ASA in VPN 3000 Environments
Application:
• ASA provides remote access and site-to-site VPN services for all sites
• Integrated with VPN 3000 clusters
Additional ASA Services:
• Increased throughput
• Stateful VPN failover
• QoS, OSPF for S-S VPN
• Integrated threat mitigation services

Cisco Integrated Services Routers and ASA 5500 Series
Tailored Solutions for Every Deployment Environment

Adaptive Security Appliance:
• Preference for dedicated security devices
• Delivers latest threat mitigation innovations
• Most feature-rich remote access VPN solution
• Dedicated function ensures maximum software versioning simplicity

Integrated Services Routers:
• Preference for and familiarity with IOS-based devices
• Delivers latest networking and security collaboration innovations
• Most feature-rich site-to-site VPN solution
• Consolidates maximum network and security functions on a single platform
• Leverages existing router investment
ASA 5500 Pricing and Part Numbers

Cisco ASA 5510 (system, SKU, price):
• Base System (50 VPN Peers, 3 FE): ASA5510-BUN-K9, $3,495
• DC System (50 VPN Peers, 3 FE): ASA5510-DC-K8, $4,695
• Security Plus System (150 VPN Peers, 5 FE, A/S HA): ASA5510-SEC-BUN-K9, $4,495
• System w/ AIP-SSM-10 (50 VPN Peers, 3 FE): ASA5510-AIP10-K9, $7,995

Cisco ASA 5520 (system, SKU, price):
• Base System (300 VPN Peers, 4 GE + 1 FE): ASA5520-BUN-K9, $7,995
• DC System (300 VPN Peers, 4 GE + 1 FE): ASA5520-DC-K8, $9,195
• System w/ AIP-SSM-10 (300 VPN Peers, 4 GE + 1 FE): ASA5520-AIP10-K9, $12,495
• System w/ AIP-SSM-20 (300 VPN Peers, 4 GE + 1 FE): ASA5520-AIP20-K9, $15,995

Cisco ASA 5540 (system, SKU, price):
• Base System (500 VPN Peers, 4 GE + 1 FE): ASA5540-BUN-K9, $16,995
• DC System (500 VPN Peers, 4 GE + 1 FE): ASA5540-DC-K8, $18,195
• System w/ AIP-SSM-20 (500 VPN Peers, 4 GE + 1 FE): ASA5540-AIP20-K9, $24,995

Cisco ASA 5500 Security Services Modules (module, SKU, price):
• Advanced Inspection and Prevention Model 10: ASA-SSM-AIP-10-K9, $6,000
• Advanced Inspection and Prevention Model 20: ASA-SSM-AIP-20-K9, $10,000

Sales Opportunities with Cisco ASA 5500 Series

Many opportunities exist to upsell the Cisco ASA 5500 Series to drive additional revenue:
– Advanced Inspection and Prevention Security Services Module (AIP SSM 10/20): Sell Bundles!
– Cisco Services for IPS license (supports AIP SSM)
– Security Plus license (ASA 5510) for active/standby failover, increased VPN Peers
– VPN Plus (ASA 5520 and 5540), VPN Premium licenses (ASA 5540)
– Security Contexts (virtual firewalls) licenses
– GTP (3G Mobile Wireless) inspection license

For more go to: www.cisco.com/go/asa