Wide-ranging IPS capabilities: The Cisco ASA 5500 Series IPS Solution delivers all the IPS capabilities available on Cisco IPS 4200 Series Sensors. The ASA 5500 Series IPS Solution technology can be deployed inline in the traffic path or in promiscuous mode, in which a copy of the traffic is sent to the IPS for inspection. The Cisco ASA 5500 Series IPS Solution provides protection against tens of thousands of known attacks. And with Cisco anomaly detection and Global Correlation, your network can be protected against day-zero threats before signature updates are available.
Global Correlation: Cisco Global Correlation provides real-time updates on the global threat environment beyond your perimeter by adding reputation analysis, reducing the window of threat exposure, and providing continuous feedback. With these new capabilities, Cisco IPS sensors can detect more threats, detect them earlier and more accurately, and protect critical assets from malicious attacks.
© 2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Data Sheet
Comprehensive and timely attack protection: The Cisco ASA 5500 Series IPS Solution delivers protection against tens of thousands of known exploits and millions more potential unknown exploit variants using specialized IPS detection engines and thousands of signatures. Cisco Services for IPS provides signature updates through a global intelligence team working 24 hours a day to help ensure that you are protected against the latest threats.
Zero-day attack protection: The Cisco ASA 5500 Series IPS Solution provides powerful protection against zero-day attacks. Cisco anomaly detection learns the normal behavior on your network and alerts you when it sees anomalous activities in your network. Cisco anomaly protection helps protect you against new threats even before signatures are available.
Application inspection and control: The application inspection engines in the Cisco ASA 5500 Series IPS Solution provide granular control of who and what can enter the network. You can prevent access to potentially dangerous URLs, block rogue callers, and use blacklists to stop infected file attachments from entering your network.
Wireless protection: The Cisco ASA 5500 Series IPS Solution is tightly integrated with the Cisco Wireless LAN Controller to help keep intruders out of your wireless network. The Cisco Wireless LAN Controller blocks intruders based on real-time threat intelligence from the Cisco ASA 5500 Series IPS Solution.
Unified Communications protection: Strong protection of voice-over-IP (VoIP) protocols and Cisco Unified Communications Manager helps ensure the constant uptime of your critical voice network. The Cisco ASA 5500 Series IPS Solution uses dedicated voice engines and comprehensive voice signatures to protect your voice network from intruders and attacks.
High Performance
The Cisco ASA 5500 Series IPS Solution is hardware-accelerated to provide the highest level of performance without negatively affecting firewall or VPN throughput. With the Cisco IPS Security Services Processors, the Cisco ASA 5500 Series IPS Solution can achieve up to 10 Gbps of IPS throughput. Today, almost every important application uses the Internet. VoIP, e-commerce, streaming video, and Web 2.0 applications enable higher productivity and employee collaboration. These networked applications pose different and varying demands on resources such as connection rates, concurrent connections, flow length, and transaction size. From a performance perspective, the spectrum of application types ranges from media-rich environments that feature converged content to highly transactional environments populated by rapid-fire, lightweight connections. The Cisco ASA 5500 Series IPS Solution is optimized for both media-rich and transactional environments.
Cisco Modular Policy Framework: The Cisco MPF provides a powerful mechanism to assign Cisco ASA firewall, VPN, and IPS policies in one place. With the Cisco MPF, the Cisco ASA firewall passes traffic to the IPS for inspection on a flow-by-flow, as-needed basis.
Cisco IPS policy provisioning: For IPS policy provisioning, Cisco IPS technologies are the only products that provide Risk Rating-based policy provisioning. Instead of tuning individual signatures, you assign IPS policies based on risk. All events are assigned a Risk Rating number between 0 and 100 based on the risk level of the event. Based on the Risk Rating, different policy actions can be assigned, such as drop packet, alarm, and log.
Flexible Management
Cisco can provide the right management solutions for you, whether you have five Cisco ASA 5500 Series IPS devices or thousands.
Cisco Security Management Suite: The Cisco Security Management Suite is a powerful management application suite that scales up to thousands of devices and helps you manage the IPS, firewall, and VPN capabilities of your Cisco ASA 5500 Series IPS Solution. The suite includes Cisco Security Manager and the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS). With Cisco Security Manager, you can, at one click, apply security policies or perform software updates to hundreds or thousands of Cisco ASA appliances. Cisco Security MARS can collect and correlate data from the Cisco ASA 5500 Series IPS Solution and other security devices to identify problems and recommend corrective actions.
Cisco IPS Manager Express: An all-in-one IPS management and reporting application for small deployments, Cisco IPS Manager Express enables you to provision, monitor, troubleshoot, and provide reports on up to five Cisco IPS devices. A customizable dashboard with more than 10 drag-and-drop gadgets allows you to personalize it to your needs (Figure 2).
Figure 2.
Feature
IPS
Maximum IPS throughput: 75 Mbps with AIP-SSC-5; 150 Mbps with AIP-SSM-10; 225 Mbps with AIP-SSM-10; 375 Mbps with AIP-SSM-20; 450 Mbps with AIP-SSM-40; 500 Mbps with AIP-SSM-20; 650 Mbps with AIP-SSM-40
Threat protection: 25,000+ threats | 25,000+ threats | 25,000+ threats | 25,000+ threats
Zero-day protection with anomaly detection: No | Yes | Yes | Yes
Custom signature support: No | Yes | Yes | Yes
Virtual sensors: 1 | 4 | 4 | 4
Firewall
Maximum firewall throughput (Mbps): 150 | 300 | 450 | 650
Maximum firewall connections: 10,000/25,000 | 50,000/130,000 | 280,000 | 400,000
VPN
Maximum Triple Data Encryption Standard/Advanced Encryption Standard (3DES/AES) VPN throughput (Mbps): 100 | 170 | 225 | 325
Maximum site-to-site and remote-access VPN user sessions: 10/25 | 250 | 750 | 5,000
Maximum SSL VPN user sessions (1): 25 | 250 | 750 | 2,500
Bundled SSL VPN user sessions: 2 | 2 | 2 | 2
Table 2 provides Cisco ASA 5500 Series IPS Solution specifications for Cisco 5585 appliances.
Table 2.
Feature
IPS
Maximum IPS throughput: 2 Gbps | 3 Gbps | 5 Gbps | 10 Gbps
Threat protection: 25,000+ threats | 25,000+ threats | 25,000+ threats | 25,000+ threats
Day-zero protection with anomaly detection: Yes | Yes | Yes | Yes
Custom signature support: Yes | Yes | Yes | Yes
Virtual sensors: 4 | 4 | 4 | 4
Firewall
Maximum firewall throughput: 2 Gbps (real-world HTTP), 5 Gbps (jumbo frames) | 5 Gbps (real-world HTTP), 10 Gbps (jumbo frames) | 10 Gbps (real-world HTTP), 20 Gbps (jumbo frames) | 20 Gbps (real-world HTTP), 40 Gbps (jumbo frames)
Maximum firewall connections: 2,000,000 | 3,000,000 | 4,000,000 | 8,000,000
VPN
Maximum VPN throughput: 1 Gbps | 2 Gbps | 2 Gbps | 5 Gbps
IPsec VPN peers: 5000 | 10,000 | 10,000 | 10,000
SSL VPN peer license levels: Up to 5000 | Up to 5000 | Up to 10,000 | Up to 10,000
Beginning with Cisco ASA Software Release 7.1, SSL VPN (Web VPN) capability requires a license. Systems include 2 SSL VPN users by default for evaluation and remote management purposes.
Feature: Cisco AIP-SSC-5 | Cisco AIP-SSM-10 | Cisco AIP-SSM-20 | Cisco AIP-SSM-40
Environmental Operating Ranges
Operating
Temperature: 32 to 104°F (0 to 40°C) | 32 to 104°F (0 to 40°C) | 32 to 104°F (0 to 40°C) | 32 to 104°F (0 to 40°C)
Relative humidity: 5 to 95% noncondensing | 5 to 95% noncondensing | 5 to 95% noncondensing | 5 to 95% noncondensing
Nonoperating
Temperature: -13 to 158°F (-25 to 70°C) | -13 to 158°F (-25 to 70°C) | -13 to 158°F (-25 to 70°C) | -13 to 158°F (-25 to 70°C)
Relative humidity: 5 to 95% noncondensing | 5 to 95% noncondensing | 5 to 95% noncondensing | 5 to 95% noncondensing
Altitude: 0 to 15,000 ft (4570 m) | 0 to 15,000 ft (4570 m) | 0 to 15,000 ft (4570 m) | 0 to 15,000 ft (4570 m)
Power and Mean Time Between Failure
Power consumption: 30W maximum | 90W maximum | 90W maximum | 90W maximum
Mean time between failure (MTBF): 874,070 hours (100 years) | 299,588 hours (31 years) | 309,296 hours (35 years) | 221,679 hours (25 years)
Physical Specifications
Dimensions (HxWxD): 0.68 x 3.55 x 5.2 in. (1.73 x 9.02 x 13.21 cm) | 1.70 x 6.80 x 11.00 in. (4.32 x 17.27 x 27.94 cm) | 1.70 x 6.80 x 11.00 in. (4.32 x 17.27 x 27.94 cm) | 1.70 x 6.80 x 11.00 in. (4.32 x 17.27 x 27.94 cm)
Weight: 0.42 lb (0.19 kg) | 3.00 lb (1.36 kg) | 3.00 lb (1.36 kg) | 2.58 lb (1.17 kg)
Regulatory and Standards Compliance
Safety: UL 1950, CSA C22.2 No. 950, EN 60950 IEC 60950, AS/NZS3260, TS001 CE marking, FCC Part 15 Class A, AS/NZS 3548 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3 | UL 1950, CSA C22.2 No. 950, EN 60950 IEC 60950, AS/NZS3260, TS001 CE marking, FCC Part 15 Class A, AS/NZS 3548 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3 | UL 1950, CSA C22.2 No. 950, EN 60950 IEC 60950, AS/NZS3260, TS001 CE marking, FCC Part 15 Class A, AS/NZS 3548 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3 | UL 1950, CSA C22.2 No. 950, EN 60950 IEC 60950, AS/NZS3260, TS001 CE marking, FCC Part 15 Class A, AS/NZS 3548 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3
Environmental Operating Ranges
Operating
Temperature: +50°F to +95°F (+10°C to +35°C) | +50°F to +95°F (+10°C to +35°C) | +50°F to +95°F (+10°C to +35°C) | +50°F to +95°F (+10°C to +35°C)
Relative humidity: 10% to 90% (noncondensing) | 10% to 90% (noncondensing) | 10% to 90% (noncondensing) | 10% to 90% (noncondensing)
Nonoperating
Temperature: -40°F to +158°F (-40°C to +70°C) | -40°F to +158°F (-40°C to +70°C) | -40°F to +158°F (-40°C to +70°C) | -40°F to +158°F (-40°C to +70°C)
Relative humidity: 5% to 95% (noncondensing) | 5% to 95% (noncondensing) | 5% to 95% (noncondensing) | 5% to 95% (noncondensing)
Altitude: 0 to 30,000 ft (9144 m) | 0 to 30,000 ft (9144 m) | 0 to 30,000 ft (9144 m) | 0 to 30,000 ft (9144 m)
Power and Mean Time Between Failure
Power consumption: 30W maximum | 30W maximum | 30W maximum | 30W maximum
Mean time between failure (MTBF): 109,887 hrs | 102,869 hrs | 87,829 hrs | 78,136 hrs
Cisco IPS SSP-10
Physical Specifications
Dimensions (HxWxD): 1.70 x 6.80 x 12.25 in. (4.32 x 17.27 x 31.12 cm) | 1.70 x 6.80 x 12.25 in. (4.32 x 17.27 x 31.12 cm) | 1.70 x 6.80 x 12.25 in. (4.32 x 17.27 x 31.12 cm) | 1.70 x 6.80 x 12.25 in. (4.32 x 17.27 x 31.12 cm)
Weight: 3.00 lb (1.36 kg) | 3.00 lb (1.36 kg) | 3.00 lb (1.36 kg) | 3.00 lb (1.36 kg)
Regulatory and Standards Compliance
Safety: UL 60950, CSA C22.2 No. 60950, EN 60950 IEC 60950, AS/NZS60950 CE marking, FCC Part 15 Class A, AS/NZS CISPR22 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3 | UL 60950, CSA C22.2 No. 60950, EN 60950 IEC 60950, AS/NZS60950 CE marking, FCC Part 15 Class A, AS/NZS CISPR22 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3 | UL 60950, CSA C22.2 No. 60950, EN 60950 IEC 60950, AS/NZS60950 CE marking, FCC Part 15 Class A, AS/NZS CISPR22 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3 | UL 60950, CSA C22.2 No. 60950, EN 60950 IEC 60950, AS/NZS60950 CE marking, FCC Part 15 Class A, AS/NZS CISPR22 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3
Ordering Information
To place an order, visit the Cisco Ordering homepage. See Table 5 for ordering information.
Table 5. Ordering Information
Product Name
Cisco ASA 5505 Adaptive Security Appliance
Cisco ASA 5505 50-User Adaptive Security Appliance with AIP-SSC-5 (chassis, software, 8 Fast Ethernet interfaces, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license)
Cisco ASA 5505 Unlimited-User Adaptive Security Appliance with Security Plus License and AIP-SSC-5 (chassis, software, 8 Fast Ethernet interfaces, 25 IPsec VPN peers, 2 SSL VPN peers, DMZ support, stateless Active/Standby high availability, 3DES/AES license)
Cisco ASA 5510 Adaptive Security Appliance
Cisco ASA 5510 Adaptive Security Appliance with AIP-SSM-10 (chassis, software, 250 VPN peers, 4 Fast Ethernet interfaces, 3DES/AES)
Cisco ASA 5510 Adaptive Security Appliance with Security Plus License and AIP-SSM-10 (chassis, software, 2 Gigabit Ethernet interfaces, 3 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 SSL VPN peers, Active/Active high availability, 3DES/AES)
Cisco ASA 5510 Adaptive Security Appliance with Security Plus License and AIP-SSM-20 (chassis, software, 2 Gigabit Ethernet interfaces, 3 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 SSL VPN peers, Active/Active high availability, 3DES/AES)
Cisco ASA 5520 Adaptive Security Appliance
Cisco ASA 5520 Adaptive Security Appliance with AIP-SSM-10 (chassis, software, 750 VPN peers, 4 Gigabit Ethernet interfaces, 3DES/AES)
Cisco ASA 5520 Adaptive Security Appliance with AIP-SSM-20 (chassis, software, 750 VPN peers, 4 Gigabit Ethernet interfaces, 3DES/AES)
Cisco ASA 5520 Adaptive Security Appliance with AIP-SSM-40 (chassis, software, 750 VPN peers, 4 Gigabit Ethernet interfaces, 3DES/AES)
Cisco ASA 5540 Adaptive Security Appliance
Cisco ASA 5540 Adaptive Security Appliance with AIP-SSM-20 (chassis, software, 5000 VPN peers, 4 Gigabit Ethernet interfaces, 3DES/AES)
Cisco ASA 5540 Adaptive Security Appliance with AIP-SSM-40 (chassis, software, 5000 VPN peers, 4 Gigabit Ethernet interfaces, 3DES/AES)
Cisco ASA 5585 Adaptive Security Appliances
Cisco ASA 5585-X Firewall Edition SSP-10 IPS SSP-10 bundle includes 8 Gigabit Ethernet interfaces, 2 Gigabit Ethernet management interfaces, 5000 IPsec VPN peers, 2 SSL VPN peers, DES license
Cisco ASA 5585-X Firewall Edition SSP-10 IPS SSP-10 bundle includes 8 Gigabit Ethernet interfaces, 2 Gigabit Ethernet management interfaces, 5000 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license
Cisco ASA 5585-X Firewall Edition SSP-10 IPS SSP-10 bundle includes 8 Gigabit Ethernet interfaces, 2 10 Gigabit Ethernet SFP+ interfaces, 2 Gigabit Ethernet management interfaces, 5000 IPsec VPN peers, 2 SSL VPN peers, dual AC power, 3DES/AES license
Cisco ASA 5585-X Firewall Edition SSP-20 IPS SSP-20 bundle includes 8 Gigabit Ethernet interfaces, 2 Gigabit Ethernet management interfaces, 10,000 IPsec VPN peers, 2 SSL VPN peers, DES license
Part Number
ASA5505-50-AIP5-K9
ASA5505-U-AIP5P-K9
ASA5510-AIP10-K9
ASA5510-AIP10SP-K9
ASA5510-AIP20SP-K9
ASA5540-AIP20-K9
ASA5540-AIP40-K9
ASA5585-S20P20-K8
Cisco ASA 5585-X Firewall Edition SSP-20 IPS SSP-20 bundle includes 8 Gigabit Ethernet interfaces, 2 Gigabit Ethernet management interfaces, 10,000 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license
Cisco ASA 5585-X Firewall Edition SSP-20 IPS SSP-20 bundle includes 8 Gigabit Ethernet interfaces, 2 10 Gigabit Ethernet SFP+ interfaces, 2 Gigabit Ethernet management interfaces, 10,000 IPsec VPN peers, 2 SSL VPN peers, dual AC power, 3DES/AES license
Cisco ASA 5585-X Firewall Edition SSP-40 IPS SSP-40 bundle includes 6 Gigabit Ethernet interfaces, 4 10 Gigabit Ethernet SFP+ interfaces, 2 Gigabit Ethernet management interfaces, 10,000 IPsec VPN peers, 2 SSL VPN peers, dual AC power, DES license
Cisco ASA 5585-X Firewall Edition SSP-40 IPS SSP-40 bundle includes 6 Gigabit Ethernet interfaces, 4 10 Gigabit Ethernet SFP+ interfaces, 2 Gigabit Ethernet management interfaces, 10,000 IPsec VPN peers, 2 SSL VPN peers, dual AC power, 3DES/AES license
Cisco ASA 5585-X Firewall Edition SSP-60 IPS SSP-60 bundle includes 6 Gigabit Ethernet interfaces, 4 10 Gigabit Ethernet SFP+ interfaces, 2 Gigabit Ethernet management interfaces, 10,000 IPsec VPN peers, 2 SSL VPN peers, dual AC power, 3DES/AES license
Cisco ASA 5585-X Firewall Edition SSP-60 IPS SSP-60 bundle includes 6 Gigabit Ethernet interfaces, 4 10 Gigabit Ethernet SFP+ interfaces, 2 Gigabit Ethernet management interfaces, 10,000 IPsec VPN peers, 2 SSL VPN peers, dual AC power, 3DES/AES license
Security Services Modules
Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Card 5 (AIP-SSC-5)
Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module 10 (AIP-SSM-10)
Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module 20 (AIP-SSM-20)
Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module 40 (AIP-SSM-40)
Security Services Processors
Cisco ASA 5585-X IPS Security Services Processor 10 (SSP-10) with 8 GE
Cisco ASA 5585-X IPS Security Services Processor 20 (SSP-20) with 8 GE
Cisco ASA 5585-X IPS Security Services Processor 40 (SSP-40) with 6 GE, 4 SFP+
Cisco ASA 5585-X IPS Security Services Processor-60 (SSP-60) with 6 GE, 4 SFP+
ASA5585-S40P40-K8
ASA5585-S40P40-K9
ASA5585-S60P60-K8
ASA5585-S60P60-K9
Signature file updates and alerts
Registered access to Cisco.com for online tools and technical assistance
Access to the Cisco Technical Assistance Center
Cisco IPS software updates
Advance replacement of failed hardware
For more information about Cisco Services for IPS, visit http://www.cisco.com/en/US/products/ps6076/serv_group_home.html.
Export Considerations
The Cisco ASA 5500 Series IPS Solution and Cisco AIP SSMs are subject to export controls. For guidance, refer to the export compliance website at http://www.cisco.com/wwl/export/crypto/. For specific export questions, contact export@cisco.com.
Additional Information
For more information about the Cisco ASA 5500 Series IPS Solution, visit http://www.cisco.com/go/asaips. For more information about Cisco IPS solutions, visit http://www.cisco.com/go/ips. For more information about Cisco ASA 5500 Series Adaptive Security Appliances, visit http://www.cisco.com/go/asa. For information about Cisco IDS and IPS sensors and software versions that have reached end-of-sale status, visit http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_eol_notices_list.html. For more information about Cisco Security Manager, Cisco Security MARS, and Cisco IPS Manager Express, visit
Printed in USA
C78-459036-05
10/10