Friday, 15 May 2015

Cisco Firewall

Comparison Between 5510 Base / Security Plus



Base License
50,000 Maximum Firewall Connections

5×10/100 Integrated Network Interfaces

50 Maximum VLANs Support

No High Availability (failover) support

No Security Contexts (Virtual Firewalls)

No Support for VPN / VPN Load Balancing


Security Plus License

130,000 Maximum Firewall Connections

2×10/100/1000 and 3×10/100 Integrated Network Interfaces

100 Maximum VLANs

Active/Active and Active/Standby failover

Supports 2 Virtual Firewalls (included) and 5 maximum.

General Features
Firewall throughput is 300 Mbps and VPN throughput is 170 Mbps; the chassis can accommodate 1 SSM (Security Services Module).


Cisco Firewall

A firewall is central to a secure network. To provide reliable protection, the security of the firewall itself is a primary concern, and Cisco offers multiple solutions in this area; with them, firewall security becomes a transparent, scalable, and manageable aspect of the business infrastructure.
The ASA is the product Cisco introduced a couple of years back to replace the PIX. The Adaptive Security Algorithm is used by the PIX/ASA security appliances for stateful application inspection, and it allows applications and services to be used securely. Some applications require special handling by the security appliance, and specific application inspection engines are provided for this purpose.

Some of the protocols supported by Cisco ASA application inspection are listed below; the list keeps growing day by day, but I have tried my level best to identify every protocol:
FTP, SUN RPC, SQL*NET, SCCP, MGCP, Exchange, NetShow, VDOLive, GTP (3G Wireless), CTIQBE, PPTP, RSH, SIP, H.323, NAT/PAT of DNS, FTP, ICMP, ESP-IKE, ILS, SIP, X Display, SCCP (Skinny), RTSP, TAPI/JTAPI.


The Cisco firewall inspects application-level traffic. In the case of FTP it inspects the FTP session, prepares the dynamic secondary data connection, then tracks the FTP command-response sequence, produces an audit trail and finally NATs the embedded IP address.
The PIX/ASA is a truly stateful firewall with rich application and protocol inspection, including UDP. In order to monitor the state of UDP conversations, the PIX/ASA supports the following stateful failover protocols: IPsec, IKE, all TCP and all UDP.
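To make the FTP inspection steps above concrete, here is a small Python model of what a stateful FTP inspector does on the control channel: it tracks the command-response sequence, opens a "pinhole" for the dynamic data connection announced by PORT (active mode) or 227 (passive mode), rewrites the private address embedded in PORT using a NAT table, and keeps an audit trail. This is an added illustration, not Cisco's code or the appliance's actual implementation; the NAT table, addresses and the replayed session are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed NAT table (assumed addresses): the inside client 10.0.0.5 is translated
# to the public address 203.0.113.10 on the outside interface.
NAT_TABLE = {"10.0.0.5": "203.0.113.10"}

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(parts) -> Tuple[str, int]:
    """Turn the six FTP fields h1,h2,h3,h4,p1,p2 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(p) for p in parts)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip: str, port: int) -> str:
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


@dataclass
class FtpInspector:
    """Minimal model of stateful FTP control-channel inspection."""
    pinholes: List[Tuple[str, str, int]] = field(default_factory=list)  # (mode, ip, port)
    audit: List[str] = field(default_factory=list)
    violations: List[str] = field(default_factory=list)
    last_command: Optional[str] = None

    def client_to_server(self, line: str) -> str:
        """Inspect a client command; return the (possibly rewritten) line to forward."""
        self.last_command = line.split(" ", 1)[0].strip().upper()
        m = PORT_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            # Active mode: the server will connect back to this address, so open a
            # pinhole for that inbound data connection and NAT the embedded address.
            public_ip = NAT_TABLE.get(ip, ip)
            self.pinholes.append(("active", public_ip, port))
            self.audit.append(f"PORT {ip}:{port} rewritten to {public_ip}:{port}")
            return f"PORT {encode_hostport(public_ip, port)}\r\n"
        self.audit.append(f"command {self.last_command}")
        return line

    def server_to_client(self, line: str) -> str:
        """Track the command/response sequence; open a passive-mode pinhole on 227."""
        code = line[:3]
        self.audit.append(f"{self.last_command or '?'} -> {code}")
        m = PASV_RE.match(line)
        if m:
            if self.last_command != "PASV":
                # A 227 that no PASV asked for is out of sequence: open nothing.
                self.violations.append("227 without preceding PASV")
            else:
                ip, port = decode_hostport(m.groups())
                self.pinholes.append(("passive", ip, port))
        self.last_command = None  # one response closes the pending command
        return line


def run_sample_session() -> FtpInspector:
    """Replay a constructed control-channel exchange through the inspector."""
    insp = FtpInspector()
    insp.client_to_server("USER anonymous\r\n")
    insp.server_to_client("331 Please specify the password.\r\n")
    insp.client_to_server("PORT 10,0,0,5,4,1\r\n")  # client data socket 10.0.0.5:1025
    insp.server_to_client("200 PORT command successful.\r\n")
    insp.client_to_server("PASV\r\n")
    insp.server_to_client("227 Entering Passive Mode (198,51,100,7,19,137).\r\n")  # 198.51.100.7:5001
    insp.server_to_client("227 Entering Passive Mode (198,51,100,7,20,0).\r\n")    # out of sequence
    return insp
```

Running `run_sample_session()` yields two pinholes (the NATed active one and the passive one) and one recorded violation for the unsolicited second 227; the forwarded PORT line carries the public address instead of the private one.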

The intrusion prevention module in the ASA is both signature and pattern based. The IPS module can also use the Meta Event Generator to determine whether certain behaviours are undesired and take an inline permit/deny action, and it can be integrated with different reporting and management systems.

PIX/ASA 7.0 provides visibility and control of Instant Messaging, Peer-to-Peer, and other tunneling applications (such as GoToMyPC.com). To protect against successive attacks such as continuous scans, the Cisco ASA has a very useful command, ip verify reverse path; besides this you can limit embryonic connections for both TCP and UDP to avoid DoS attacks.
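The two defences just mentioned are easy to model. The Python below is an added illustration (not Cisco's code) of what reverse-path verification and an embryonic-connection limit decide: a packet passes the reverse-path check only if the route back to its source leaves via the interface it arrived on, and a server's half-open TCP connections are capped. The routing table, addresses and limit are constructed for the example; note that when the real appliance reaches the embryonic limit it switches to TCP intercept (answering SYNs on the server's behalf) rather than simply refusing the extra connection as this toy does.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

# Constructed routing table: prefix -> interface the route points out of.
ROUTES = {
    "10.0.0.0/8": "inside",
    "192.168.1.0/24": "dmz",
    "0.0.0.0/0": "outside",
}


def egress_interface(ip: str) -> Optional[str]:
    """Longest-prefix match of ip against ROUTES."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def reverse_path_ok(src_ip: str, ingress: str) -> bool:
    """Model of 'ip verify reverse path interface <ingress>': accept the packet only
    if the route back to its source leaves through the interface it arrived on."""
    return egress_interface(src_ip) == ingress


class EmbryonicLimiter:
    """Cap on half-open (SYN seen, handshake not completed) TCP connections per server."""

    def __init__(self, max_embryonic: int):
        self.max_embryonic = max_embryonic
        self.half_open: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)

    def on_syn(self, client: str, sport: int, server: str) -> str:
        if len(self.half_open[server]) >= self.max_embryonic:
            return "limit-exceeded"  # the real appliance would start TCP intercept here
        self.half_open[server].add((client, sport))
        return "allow"

    def on_handshake_complete(self, client: str, sport: int, server: str) -> None:
        """The connection is no longer embryonic once the three-way handshake finishes."""
        self.half_open[server].discard((client, sport))
```

With this table, a packet claiming an inside source address but arriving on the outside interface fails the reverse-path check, which is exactly the spoofed-source case the command is meant to catch.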

HTTP inspection provides some additional facilities:
  • Validate that the content-type passed in the response message is one of those listed in the request message's Accept field.
  • Allow or disallow non-HTTP traffic on port 80 (all or none).
  • Allow or disallow peer-to-peer networks: eMule, LimeWire, Kazaa.
  • Allow or disallow instant messengers: Yahoo, MSN, AOL.
  • Configure the minimum and maximum size of an HTTP message body.
  • Configure the maximum URL length.
  • Configure permissible transfer-encoding methods.
  • Verify that the content-type specified in the header is the same as that being passed in the body of the HTTP message.
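The checks in that list can be expressed as a single policy evaluation over a request/response pair. The Python below is an added example, not Cisco's inspection engine: it parses the two raw messages, then applies the non-HTTP test, URL length, a placeholder P2P/IM User-Agent denylist, Accept versus Content-Type, the transfer-encoding allowlist, body size limits and a magic-number check of the body against the declared content-type. The sample traffic, the policy defaults, the body signatures and the application denylist are constructed for the example (the appliance's own signature sets are far richer).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

# Constructed "magic number" signatures used to verify that the body really is
# what the Content-Type header claims.
BODY_SIGNATURES = {
    "image/png": b"\x89PNG",
    "image/gif": b"GIF8",
    "application/pdf": b"%PDF",
}
# Constructed placeholder User-Agent fragments standing in for P2P / IM signatures.
BLOCKED_APP_AGENTS = ("kazaa", "limewire", "emule")


@dataclass
class HttpPolicy:
    max_url_length: int = 2048
    min_body: int = 0
    max_body: int = 1_000_000
    allowed_transfer_encodings: Tuple[str, ...] = ("identity", "chunked")
    allow_non_http_on_80: bool = False


def parse_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def accept_allows(accept: str, content_type: str) -> bool:
    """Check a response media type against the request's Accept list (with wildcards)."""
    ctype = content_type.split(";")[0].strip().lower()
    major = ctype.split("/")[0]
    for item in accept.split(","):
        pattern = item.split(";")[0].strip().lower()   # drop q= and other parameters
        if pattern in ("*/*", ctype) or pattern == f"{major}/*":
            return True
    return False


def inspect_exchange(raw_request: bytes, raw_response: bytes, policy: HttpPolicy) -> List[str]:
    """Return the list of policy violations for one request/response pair."""
    violations: List[str] = []
    start, req_headers, _ = parse_message(raw_request)
    m = REQUEST_LINE_RE.match(start)
    if not m:
        if not policy.allow_non_http_on_80:
            violations.append("non-http traffic on port 80")
        return violations                       # nothing further to inspect

    if len(m.group(2)) > policy.max_url_length:
        violations.append("url too long")
    agent = req_headers.get("user-agent", "").lower()
    if any(sig in agent for sig in BLOCKED_APP_AGENTS):
        violations.append("blocked p2p/im application")

    _, resp_headers, body = parse_message(raw_response)
    ctype = resp_headers.get("content-type", "")
    accept = req_headers.get("accept")
    if accept and ctype and not accept_allows(accept, ctype):
        violations.append("content-type not acceptable to client")

    encoding = resp_headers.get("transfer-encoding", "identity").lower()
    if encoding not in policy.allowed_transfer_encodings:
        violations.append(f"transfer-encoding {encoding} not permitted")

    if not policy.min_body <= len(body) <= policy.max_body:
        violations.append("body size out of range")

    magic = BODY_SIGNATURES.get(ctype.split(";")[0].strip().lower())
    if magic and not body.startswith(magic):
        violations.append("body does not match declared content-type")
    return violations


# Constructed sample traffic.
REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
           b"Accept: text/html, image/*\r\n\r\n")
GOOD_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 8\r\n\r\n"
                 b"\x89PNG\r\n\x1a\n")
BAD_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
                b"Transfer-Encoding: gzip\r\n\r\nMZ\x90\x00")
NON_HTTP = b"SSH-2.0-OpenSSH_6.6\r\n"
```

`inspect_exchange(REQUEST, GOOD_RESPONSE, HttpPolicy())` returns no violations, while `BAD_RESPONSE` trips three of the checks at once (unacceptable content-type, forbidden transfer-encoding, and a body that is not the PDF it claims to be), and the SSH banner is rejected as non-HTTP traffic.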

DNS attacks are more common nowadays, so the Cisco PIX/ASA provides DNS query inspection (DNS Guard), which tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the security appliance. DNS Guard also monitors the message exchange to verify that the ID of the DNS reply matches the ID of the DNS query.
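The behaviour described for DNS Guard, modelled in Python as an added example (this is not Cisco's implementation): the guard records the transaction ID of each outbound query per client/server pair, forwards an inbound reply only if its QR bit is set and its ID matches an outstanding query, and tears the UDP session down the moment that reply is forwarded, so that late duplicates or replies with guessed IDs are dropped. The DNS header builder and the addresses are constructed test data.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

QR_BIT = 0x8000  # set in the flags word of every DNS response


def dns_message(txid: int, is_response: bool) -> bytes:
    """Build a minimal 12-byte DNS header (constructed test data; no question section)."""
    flags = 0x8180 if is_response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if is_response else 0, 0, 0)


def parse_header(pkt: bytes) -> Tuple[int, bool]:
    """Return (transaction id, is_response) from a DNS header."""
    txid, flags = struct.unpack("!HH", pkt[:4])
    return txid, bool(flags & QR_BIT)


@dataclass
class DnsGuard:
    # Open UDP "sessions": (client, server) -> transaction IDs still awaiting a reply.
    pending: Dict[Tuple[str, str], Set[int]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def outbound_query(self, client: str, server: str, pkt: bytes) -> str:
        txid, is_response = parse_header(pkt)
        if is_response:
            self.log.append(f"drop: response from {client} on the outbound path")
            return "drop"
        self.pending.setdefault((client, server), set()).add(txid)
        return "forward"

    def inbound_reply(self, client: str, server: str, pkt: bytes) -> str:
        txid, is_response = parse_header(pkt)
        key = (client, server)
        ids = self.pending.get(key)
        if not is_response or ids is None or txid not in ids:
            # Either no query is outstanding (session already torn down) or the ID
            # does not match: the reply is unsolicited and is discarded.
            self.log.append(f"drop: unsolicited reply id=0x{txid:04x} from {server}")
            return "drop"
        ids.discard(txid)
        if not ids:
            del self.pending[key]  # tear the UDP session down as soon as the reply is forwarded
        return "forward"
```

After one query with ID 0x1234 goes out, a reply with ID 0x9999 is dropped, the matching reply is forwarded, and a second copy of that same matching reply is dropped because the session no longer exists.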


The Cisco firewall provides the following main protection features:

1. Firewall (application awareness, stateful inspection)
2. Unified communication Security
3. SSL/IPSec VPN
4. Intrusion prevention
5. Content Security

