Selling ASA at the Edge Partner Play Overview

© 2012 Cisco and/or its affiliates. All rights reserved.

Selling ASA at the Edge Partner Training

June 7, 2012

Dixie Fisher

Sandeep Jain

Kevin Cheong

Play Overview:

Dixie Fisher

Partner Incentives:

Kevin Cheong

Selling the ASA:

Sandeep Jain


Selling ASA at the Edge Partner Play Overview

Dixie Fisher Security Program Manager

June 7, 2012

Play Objectives

Play Assets

Qualifying Questions

Call to Action

This play is designed to help you position and sell:

• Cisco’s differentiation with its context-aware approach

to network security

• The ASA product line for customers’ accelerating edge requirements • The new ASA Midrange 5500-X Security Appliances • The ASA 5585-X with ASA CX

• Integrated services: IPS, Cisco AnyConnect VPN client, and botnet filters

• Playbrief

• Call Guide

• Email

• Seminar in a Box

• What is the scale of your security requirements?

• Are you experiencing greater bandwidth requirements from your firewall?

• Are you looking for ways to increase your network security without increasing complexity?

• Are you interested in adding security services to your infrastructure? • Can you tell in near real time if there is a threat to your

network security?

ASA Midrange 5500-X Security Appliances:

• Built on the proven ASA security platform

• Market-leading security services

• Enable security services, quickly and easily

• Lower deployment and operations costs


Selling ASA at the Edge Partner Incentives

Kevin Cheong APJ Security Business Development Manager

June 7, 2012

Tier 1 Top Seller Incentive

Fast Track

ASA Distributor Partner Rewards

• Reward top performing Tier 1 partners with US$1000 Amazon e-vouchers

• Top 7 resellers per region will be given this award based on their total ASA 5500-X net booking to Cisco by the end of Q4FY12 – Region 1 consists of Australia and New Zealand – Region 2 consists of India – Region 3 consists of Singapore, Thailand, Indonesia and South Korea

• Incentive period will be from June 1 to July 31, 2012. Payouts will be from Sept 1

• Partners will need to register their participation on the ASA Rewards site: http://www.cisco.com/web/AP/partners/promo/ASArewards/index.html

• Once registered, Cisco will track bookings against the names of companies registered. Partners will be notified from Sept 1st, 2012

http://www.cisco.com/web/AP/partners/promo/ASArewards/index.html



ASA Midrange Rewards and Registration page

• ASA 5512-X, 5515-X, 55525-X in Fast Track from May 1 • Get fast quotes, competitive pricing, and quick availability on

high-volume core networking products

• Take advantage of Fast Track promotions, product availability, and co-marketing tools

• Fast Track Partner Central Page: http://www.cisco.com/web/partners/sell/promotions/fast_track.html

• Partner Price Catalog – www.cisco.com/go/fasttrack

http://www.cisco.com/web/partners/sell/promotions/fast_track.html

http://www.cisco.com/web/partners/sell/promotions/fast_track.html

http://www.cisco.com/go/fasttrack

Every Units Sold Points amount

ASA 5512-K7/K8/K9 4 25000

ASA 5512-IPS-K8/K9 3 25000

ASA 5515-K7/K8/K9 3 25000

ASA 5515-IPS-K8/K9 2 25000

ASA 5525-K7/K8/K9 2 25000

ASA 5525-IPS-K8/K9 1 25000

ASA 5525-CU-K9 1 25000

ASA 5545-K7/K8/K9 1 25000

ASA 5545-IPS-K8/K9 1 25000

ASA 5545-CU-2AC-K9 1 25000

ASA 5555-K7/K8/K9 1 50000

ASA 5555-IPS-K8/K9 1 50000

ASA 5555-CU-2AC-K9 1 50000

1. Eligible Country : ANZ + Asia & Korea 2. Open to Tier 2 Gold and Silver as well, but need to sign as CCR Guest member 3. Partner doesn’t need to claim this sales 4. CCR points will be allocated automatically in every week. 5. www.cisco-connectrewards.com

http://www.cisco-connectrewards.com/




Selling ASA at the Edge

June 7, 2012

Product Manager

Sandeep Jain

Cisco SecureX

Cisco ASA 5500-X New Product Overview

Services

Software

Management

Competition

Customers

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential # © 2012 Cisco and/or its affiliates. All rights reserved.

Services (TS, AS, Partner)

Network (Enforcement)

Secure Unified Access

Enabling BYOD

Transformation

Protecting Network Edges

Threat Defense

Securing Cloud

Transition

Virtualization & Cloud

Application Visibility & Control

Authorizing Content Usage

Threat Intelligence (Visibility)

Contextual Policy

Services:

Network:


Threat Defense


Application Visibility & Control

Threat Intelligence:

Contextual Policy:

Cisco Web Security Appliance

Cisco VPN

Cisco ISE Security and SMX

Cisco Advanced Services Partner Shared Services

Cisco AnyConnect

Cisco Cloud Web Security

Cisco WLAN Controller

Cisco ASA

Cisco IPS

Cisco Virtual Security Gateway

Cisco Nexus® 1000V Series

Cisco Router Security

Cisco Email and Web Security

Cisco ASA (CX)

Cisco Router Security

Cisco Web Security

Cisco ASA

Network and Cisco Prime™ NCS

Router Switch Appliance Cloud Virtual

Services

Network


Threat Defense


App Visibility & Control

Threat Intelligence

Contextual Policy

C O N T E X T

Cisco ASA CX

Next Generation Context-Aware Firewall

Cisco TrustSec 2.1 and ISE 1.1 Comprehensive Network Visibility and

Control

Cisco ASA Mid-Range Appliances Multi-Gigabit, Context-Aware Appliances for Internet

Edge Deployments


5 new models to meet varied throughput demands

ASA 5512-X 1 Gbps Firewall Throughput

ASA 5515-X 1.2 Gbps Firewall Throughput




1. Multi-Gig Performance To meet growing throughput requirements

2. Accelerated Integrated

Services No extra hardware required To support changing business needs

3. Next-gen services enabled

platform To provide investment protection

Comprehensive Solutions from the SOHO to the Data Center

Multi-Service (Firewall/VPN and IPS)

Per

form

ance

an

d S

cala

bili

ty

Data Center Campus Branch Office Internet Edge

ASA 5585-X SSP-20 (10 Gbps, 125K cps)



ASA 5585-X SSP-10 (4 Gbps, 50K cps) ASA 5555-X

(4 Gbps,50K cps)

NEW ASA 5545-X (3 Gbps,30K cps)

NEW ASA 5525-X

(2 Gbps,20K cps)

NEW ASA 5512-X

(1 Gbps, 10K cps)

NEW

ASA 5515-X (1.2 Gbps,15K cps)

NEW

ASA 5510 (300 Mbps, 9K cps)

ASA 5510 + (300 Mbps, 9K cps)

ASA 5520 (450 Mbps, 12K cps)

ASA 5540 (650 Mbps, 25K cps)

ASA 5550 (1.2 Gbps, 36K cps)

Firewall/VPN Only

SOHO

ASA 5505 (150 Mbps, 4K cps)

At-A-Glance

64Bit Multi-Core Processor Up to 16GB of Memory Built-In Multi-Core Crypto Accelerator Hardware Dedicated IPS Acceleration Card Up to 14 1GE Ports Copper & Fiber I/O options Firewall, VPN & IPS Services Dedicated OOB Management Port NG Firewall & Context-Aware Ready

Performance

Density

Flexibility

Integrated Services

Context-Aware Security

Management Consolidation

ASA 5500-X H/W Features

Customer Benefits

NGFW Component ASA 5512-X through ASA

5555-X

User-Identity Based Firewall Policies

✔ (Available since ASA 8.4.2; No License

Required)

Application-Visibility and Control

✔ (ASA CX*-Ready; ScanSafe**-Ready;

To be made available as a service)

Integrated IPS ✔

(Does not require a separate hardware module)

*ASA CX enables Context Security and is being delivered as a hardware module on 5585-X; Announced at RSA with availability around Q2 CY2012.

** ScanSafe Connector on ASA will be made available in next software release (ASA 9.0).

ASA 5515-X

ASA 5525-X

ASA 5545-X

ASA 5555-X

ASA 5512-X

1 RU Appliances

Hard Drive Slots (provided for future expansion; hard drive currently not being shipped)

6 GE ports

8 GE ports

1 Expansion Slot 6-port GE or 6-port SFP

Dual Power Supplies

ASA 5512-X

ASA 5515-X

ASA 5525-X

ASA 5545-X

ASA 5555-X

ASA 5512-X/

Sec Plus ASA 5515-X ASA 5525-X ASA 5545-X ASA 5555-X

Performance

Max Firewall

EMIX Firewall

Concurrent Threat Mitigation

(Firewall + IPS)

Max IPSec VPN Throughput

1 Gbps

500 Mbps

250 Mbps

200 Mbps

1.2 Gbps

600 Mbps

400 Mbps

250 Mbps

2 Gbps

1 Gbps

600 Mbps

300 Mbps

3 Gbps

1.5 Gbps

900 Mbps

400 Mbps

4 Gbps

2 Gbps

1.3 Gbps

700 Mbps

Platform Capabilities

Max Firewall Conns

Max Conns/Sec

Max PPS (64 Byte UDP)

Max VLANS Supported

HA Support

Max IPSec/SSL VPN peers

100,000/250,000

10,000

450,000

50/100

No/Yes

250

250,000

15,000

500,000

100

Yes

250

500,000

20,000

700,000

200

Yes

750

750,000

30,000

900,000

300

Yes

2500

1,000,000

50,000

1,100,000

500

Yes

5000

Test done with HTTP 1.1 traffic with varying response sizes

0

100

200

300

400

500

600

700

1KB 4KB 11KB 16KB

Thro

ughp

ut in

Mbp

s

ASA5525-X FG310B

0

100

200

300

400

500

600

700

Thro

ughp

ut in

Mbp

s

ASA5525-X FG310B

ASA 5525-X vs FG310B

Data Sheet: 800 Mbps

Data Sheet: 600 Mbps

ASA 5510 through ASA 5550

ASA 5512-X through ASA 5555-X

Thro

ugh

pu

t Firewall 300 Mbps – 1.2 Gbps 1 Gbps – 4 Gbps (4X)

IPS 150 Mbps – 650 Mbps 250 Mbps – 1.3 Gbps

VPN 170 Mbps – 425 Mbps 200 Mbps – 700 Mbps

Har

dw

are

Memory 1GB – 4GB 4GB – 16GB (4X)

CPU Single Core Multi-Core, Multi-threaded

Redundant Power Supply

No Yes (5545-X, 5555-X)

Expansion slot use

IPS or Content Security or I/O Expansion

Only for I/O Expansion

Serv

ices

IPS Requires separate hardware

module

No hardware module required (IPS acceleration h/w on 5525-X, 5545-X,

5555-X)

IPS available on ASA 5555-X

Content Security

Requires separate hardware module

No hardware module required (ScanSafe connector to be made

available in subsequent software rel.)

Licenses IPS License (All Products)

Sec Plus License (ASA 5512-X)

NEW

ASA 5512-X ASA 5510

ASA 5510 ASA 5512-X

300 Mbps Firewall 250 Mbps FW+IPS 200 Mbps VPN 5 FE Data + Mgmt 1 GB RAM SEC PLUS Lic. For HA

1 Gbps Firewall 250 Mbps FW+IPS 200 Mbps VPN 6 GE Data + 1 GE Mgmt 4 GB RAM SEC PLUS Lic. For HA

ASA 5515-X ASA 5510 SEC PLUS

ASA 5510 SEC PLUS ASA 5515-X

1 Gbps Firewall 250 Mbps FW+IPS 200 Mbps VPN 5 FE Data + Mgmt 1 GB RAM

1.2 Gbps Firewall 400 Mbps FW+IPS 250 Mbps VPN 6 GE Data + 1 GE Mgmt 8 GB RAM

ASA 5525-X ASA 5520

ASA 5520 ASA 5525-X

450 Mbps Firewall 450 Mbps FW+IPS 225 Mbps VPN 5 FE Data + Mgmt 1 GB RAM

2 Gbps Firewall 600 Mbps FW+IPS 300 Mbps VPN 8 GE Data + 1 GE Mgmt 8 GB RAM

ASA 5545-X ASA 5540

ASA 5540 ASA 5545-X

650 Mbps Firewall 650 Mbps FW+IPS 325 Mbps VPN 4 GE Data + 1 FE Mgmt 2 GB RAM

3 Gbps Firewall 900 Mbps FW+IPS 400 Mbps VPN 8 GE Data + 1 GE Mgmt 12 GB RAM Dual Power Supplies

ASA 5555-X

ASA 5550

ASA 5550 ASA 5555-X

1.2 Gbps Firewall No IPS 425 Mbps VPN 8 GE Data + 1 FE Mgmt. 4 GB RAM

4 Gbps Firewall 1.3 Mbps FW+IPS 700 Mbps VPN 8 GE ports + 1GE Mgmt port 16 GB RAM Dual Power Supplies

New

New

New

New

New

SMBs & branch office

SMBs & branch office

Med-Large business HQ and high throughput branch office

Med-Large business HQ

Large business HQ

Up to 4x More Throughput More Default & Expansion I/O Up to 4x More Memory Next-Gen Services Capable No Extra Hardware for IPS Dual Power Supplies


Fire

wal

l A

SA 8

.6.1

.1

IPS

IPS

7.1

.4

Clo

ud

W

eb S

ecu

rity

A

SA 9

.0*

Clo

ud

A

VC

A

SA 9

.0*

On

-bo

x

Web

Se

curi

ty

ASA

CX

*

On

-bo

x

AV

C

ASA

CX

*

Rem

ote

Acc

ess

ASA

8.6

.1.1

Now Q3 CY2012 Later

* On Roadmap

Cloud Web Security/AVC via ScanSafe Integration in ASA 9.0 software release

Bo

tnet

Filt

er

• Uses both traditional signature-based and reputation-based methods to prevent threats

• Reputation of an IP address is decided through complex algorithms based on data shared by

– More than 600 third-party feeds

– More than 700,000 (and growing) global network of Cisco devices

– More than 10,000 servers that process roughly 500 GB of data every day

• Reputation helps catch zero-day threats and APTs (Advanced Persistent Threats)

• Helps meet regulatory compliance (such as PCI, HIPPA, SOX)

• Provides superior threat mitigation with passive OS fingerprinting and reputation

• Offers deployment flexibility by using user identity based security policies

Licensed Feature

Cisco® ASA

• Botnet traffic filter

– Scans all traffic, all ports, and all protocols

– Monitors command and control traffic from internal bots to external hosts

– Detects infected clients by tracking rogue “phone-home” traffic

• Powerful anti-malware data promotes accuracy

– Provides guidance now for blocking Botnet communication

– Dynamic discovery provides real time identification of malware communication flexibility by using user identity based security policies

Wide Range of Connectivity Options

Mobile Access

IPsec VPN Tunneling

DTLS (Voice and Video)

Tunneling

Clientless VPN Access

SSL VPN Tunneling

Powered by the Cisco ASA

• Allow “engineering” to access Facebook but no Facebook games

• Check HTTP responses for Antivirus/Malware scanning

• Stop credit card or SSN information to be uploaded to Internet

• Don’t allow all users access to gambling related websites

• Control what websites users can or cannot access (Acceptable Use Policy)

• Open certain HTTPS connections and check for threats

• Don’t allow users in “contractors” domain to upload any document that contains “ABC Confidential” to Internet

• Customizable regular expression for DLP

ASA deployed in Branch Office

ScanSafe Cloud Security

ASA deployed in Head Office

* ASA 9.0 (next software release)

Use Cases provided by ScanSafe Cloud Security

Web Server

New

LOCAL Business Context

Who

What

How

Where

When

Within YOUR Network

GLOBAL

Situational Threat Intelligence

Outside YOUR Network

Reputation

Interactions

APP Applications

URL Sites

New

• Hardware module on 5585-X • Q2 CY 2012

• ASA CX SSP-10 • ASA CX SSP-20

• Q3 CY 2012 • ASA CX SSP-40 • ASA CX SSP-60

• Service on 5500-X mid-range • Q4 CY 2012

Delivery Timeline

© 2011 Cisco and/or its affiliates. All rights reserved. # © 2011 Cisco and/or its affiliates. All rights reserved. #

Runs on ASA 5512-X through ASA 5555-X only

All software functionality up to ASA 8.4.2

Firewall, Botnet Protection & VPN Services

SMP enabled ASA OS

64bit Software Architecture

EtherChannel Support for within and across Base & Expansion I/O Modules

Environment Monitoring Support

Jumbo Frame Support

External USB Drive Support

New


• On-box Management Software for

Firewall, IPS & VPN

• ASDM (version 6.6.1)

• Manage and monitor on a single appliance

• CLI

• Off-box Management Software

• CSM (version 4.3-upcoming release)

• Manage, monitor & report on up to 2500 ASA 5500-X appliances

• Cisco IPS Manager Express (version 7.2.1)

• Manage and monitor up to 10 IPS Service Modules


Cisco Checkpoint

Expected Data Sheet Performance ✔

✖ For proper sizing of the firewall, Checkpoint

recommends to use “Appliance Selection Tool” and not the data sheet

IPS Performance and Efficacy ✔

✖ Checkpoint’s lofty IPS performance numbers in the

data sheet are with only a handful signatures turned on. Moreover, unlike Cisco IPS, their IPS is just signature-based and does not use reputation.

Full-contextual policy ✔*

✖ Besides the 5-tuple firewall policy, Checkpoint

provides only application and user visibility. Cisco ASA on the other hand provides additional context

elements – device type, device OS and device security posture.

* ASA 9.0

ASA 5515-X 4207

Har

dw

are

CPU Intel i3-540 Processor 3.06 GHz

2 cores/4 Threads 4 MB Intel Smart Cache

Intel Atom D525 1.8 GHz

2 cores/4 Threads 1 MB L2 Cache

Base I/O 6 + 1 4

Max Ethernet Ports 12 + 1 8

IPS hardware accelerator No (present from 5525-X onwards)

No

VPN hardware accelerator Yes No

Perf

orm

ance

Data Sheet Firewall Max (UDP 1500 byte)

1.2 Gbps 3 Gbps

Actual Firewall Max 1.2 Gbps 900 Mbps*

Data Sheet Firewall EMIX (Real-world Throughput)

600 Mbps Not published

Actual Firewall EMIX 600 Mbps 350 Mbps*

Data Sheet IPS 450 Mbps 2 Gbps (Default Profile)

Not Published (Recommended Profile)

Actual IPS Media Rich 450 Mbps 250 Mbps* (Default profile)

75 Mbps* (Recommended Profile)

* Performance tests to be published and verified by third party

Customer Ask: Enterprise class FW + IPS 1Gbps

Data Sheet Check Point Security Power

$9,000


Cisco Fortinet

Expected Data Sheet Performance ✔

✖ Fortinet Firewall perf. negatively impacted with

• Fragmented Traffic • Traffic requiring services (IPS, A/V etc.) • Traffic headed out of ports not on same ingress NP • Traffic requiring payload inspection e.g. SIP, FTP etc.

IPS Performance and Efficacy ✔

✖ IPS traffic is handled by the CPU instead of NP

IPS inspection stops after 200KB No OS Fingerprintning

No Risk rating No ability to modify existing signatures


✖ Besides the 5-tuple firewall policy, Fortinet provides only application and user visibility. Cisco ASA on the other hand provides additional context elements – device type, device OS and device security posture.

* ASA 9.0


Feature Cisco Palo Alto Networks

IPS protection against zero-day threats using IP

reputation

✔ IPS gets information about “bad IPs” through global network of more than 700,000 Cisco

devices

✖

Comprehensive Web Security

✔* Instead of using 3rd party web security

solutions, Cisco uses ScanSafe (Palo Alto used SurControl earlier, then later they started

using BrightCloud)

✖


Through integration with ISE (Identity Services Engine), ASA can provide more than

application and user visibility

✖

Remote Access clients for mobile devices

✔ Cisco AnyConnect supports iPad, iPod, iPhone, Android. Also, on ASA one can create policies to allow/deny certain devices and even based

on OS version

✖

* Roadmap


• Dual Power Supplies on 5545-X and 5555-X – Data center deployment must – Upsell opportunity from 5525-X even for VPN

deployment scenarios

• Rich I/O Port Density – Fiber port availability even on low-end models (5512, 5515)

• EtherChannel across Base and Expansion I/O • USB Thumb Drive Support to Store PCAPs, Config files etc. • Significant IPS Throughput – ASA 5555-X supports 1Gbps+

IPS

• The new ASA Midrange 5500-X Security Appliances delivers: • Multi-Gigabit Performance

• Accelerated Integrated Services

• Next-generation services enabled platform

• Lower deployment and operations costs

• Customers receive CTMP trade-in credit on legacy ASA

• Partner incentives for you!

Thank you. Thank you.

Documents

Selling ASA at the Edge Partner Play Overview