© 2012 Cisco and/or its affiliates. All rights reserved.
Selling ASA at the Edge Partner Training
June 7, 2012
Dixie Fisher
Sandeep Jain
Kevin Cheong
Selling ASA at the Edge Partner Play Overview
Dixie Fisher Security Program Manager
June 7, 2012
This play is designed to help you position and sell:
• Cisco’s differentiation with its context-aware approach to network security
• The ASA product line for customers’ accelerating edge requirements
• The new ASA Midrange 5500-X Security Appliances
• The ASA 5585-X with ASA CX
• Integrated services: IPS, Cisco AnyConnect VPN client, and botnet filters
• What is the scale of your security requirements?
• Are you experiencing greater bandwidth requirements from your firewall?
• Are you looking for ways to increase your network security without increasing complexity?
• Are you interested in adding security services to your infrastructure?
• Can you tell in near real time if there is a threat to your network security?
ASA Midrange 5500-X Security Appliances:
• Built on the proven ASA security platform
• Market-leading security services
• Enable security services, quickly and easily
• Lower deployment and operations costs
Selling ASA at the Edge Partner Incentives
Kevin Cheong APJ Security Business Development Manager
June 7, 2012
• Reward top performing Tier 1 partners with US$1000 Amazon e-vouchers
• Top 7 resellers per region will be given this award based on their total ASA 5500-X net booking to Cisco by the end of Q4FY12
– Region 1 consists of Australia and New Zealand
– Region 2 consists of India
– Region 3 consists of Singapore, Thailand, Indonesia and South Korea
• Incentive period will be from June 1 to July 31, 2012. Payouts will be from Sept 1
• Partners will need to register their participation on the ASA Rewards site: http://www.cisco.com/web/AP/partners/promo/ASArewards/index.html
• Once registered, Cisco will track bookings against the names of companies registered. Partners will be notified from Sept 1st, 2012
• ASA 5512-X, 5515-X, 5525-X in Fast Track from May 1
• Get fast quotes, competitive pricing, and quick availability on high-volume core networking products
• Take advantage of Fast Track promotions, product availability, and co-marketing tools
• Fast Track Partner Central Page: http://www.cisco.com/web/partners/sell/promotions/fast_track.html
• Partner Price Catalog – www.cisco.com/go/fasttrack
Product | Every Units Sold | Points amount
ASA 5512-K7/K8/K9 | 4 | 25000
ASA 5512-IPS-K8/K9 | 3 | 25000
ASA 5515-K7/K8/K9 | 3 | 25000
ASA 5515-IPS-K8/K9 | 2 | 25000
ASA 5525-K7/K8/K9 | 2 | 25000
ASA 5525-IPS-K8/K9 | 1 | 25000
ASA 5525-CU-K9 | 1 | 25000
ASA 5545-K7/K8/K9 | 1 | 25000
ASA 5545-IPS-K8/K9 | 1 | 25000
ASA 5545-CU-2AC-K9 | 1 | 25000
ASA 5555-K7/K8/K9 | 1 | 50000
ASA 5555-IPS-K8/K9 | 1 | 50000
ASA 5555-CU-2AC-K9 | 1 | 50000
1. Eligible countries: ANZ + Asia & Korea
2. Open to Tier 2 Gold and Silver as well, but need to sign as CCR Guest member
3. Partners don’t need to claim these sales
4. CCR points will be allocated automatically every week
5. www.cisco-connectrewards.com
Selling ASA at the Edge
June 7, 2012
Product Manager
Sandeep Jain
Cisco SecureX
Cisco ASA 5500-X New Product Overview
Services
Software
Management
Competition
Customers
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Services (TS, AS, Partner)
Network (Enforcement)
Secure Unified Access
Enabling BYOD
Transformation
Protecting Network Edges
Threat Defense
Securing Cloud
Transition
Virtualization & Cloud
Application Visibility & Control
Authorizing Content Usage
Threat Intelligence (Visibility)
Contextual Policy
Services:
Network:
Secure Unified Access
Threat Defense
Virtualization & Cloud
Application Visibility & Control
Threat Intelligence:
Contextual Policy:
Cisco Web Security Appliance
Cisco VPN
Cisco ISE Security and SMX
Cisco Advanced Services Partner Shared Services
Cisco AnyConnect
Cisco Cloud Web Security
Cisco WLAN Controller
Cisco ASA
Cisco IPS
Cisco Virtual Security Gateway
Cisco Nexus® 1000V Series
Cisco Router Security
Cisco Email and Web Security
Cisco ASA (CX)
Cisco Router Security
Cisco Web Security
Cisco ASA
Network and Cisco Prime™ NCS
Router Switch Appliance Cloud Virtual
[Figure: Cisco SecureX framework with context (Services; Network; Secure Unified Access; Threat Defense; Virtualization & Cloud; App Visibility & Control; Threat Intelligence; Contextual Policy)]
• Cisco ASA CX: Next Generation Context-Aware Firewall
• Cisco TrustSec 2.1 and ISE 1.1: Comprehensive Network Visibility and Control
• Cisco ASA Mid-Range Appliances: Multi-Gigabit, Context-Aware Appliances for Internet Edge Deployments
5 new models to meet varied throughput demands
ASA 5512-X 1 Gbps Firewall Throughput
ASA 5515-X 1.2 Gbps Firewall Throughput
ASA 5525-X 2 Gbps Firewall Throughput
ASA 5545-X 3 Gbps Firewall Throughput
ASA 5555-X 4 Gbps Firewall Throughput
1. Multi-Gig Performance: To meet growing throughput requirements
2. Accelerated Integrated Services: No extra hardware required. To support changing business needs
3. Next-gen services enabled platform: To provide investment protection
Comprehensive Solutions from the SOHO to the Data Center
[Chart: Performance and Scalability by deployment segment (SOHO, Data Center, Campus, Branch Office, Internet Edge)]
Multi-Service (Firewall/VPN and IPS):
• ASA 5585-X SSP-60 (40 Gbps, 350K cps)
• ASA 5585-X SSP-40 (20 Gbps, 200K cps)
• ASA 5585-X SSP-20 (10 Gbps, 125K cps)
• ASA 5585-X SSP-10 (4 Gbps, 50K cps)
• ASA 5555-X (4 Gbps, 50K cps) NEW
• ASA 5545-X (3 Gbps, 30K cps) NEW
• ASA 5525-X (2 Gbps, 20K cps) NEW
• ASA 5515-X (1.2 Gbps, 15K cps) NEW
• ASA 5512-X (1 Gbps, 10K cps) NEW
• ASA 5550 (1.2 Gbps, 36K cps)
• ASA 5540 (650 Mbps, 25K cps)
• ASA 5520 (450 Mbps, 12K cps)
• ASA 5510 + (300 Mbps, 9K cps)
• ASA 5510 (300 Mbps, 9K cps)
Firewall/VPN Only:
• ASA 5505 (150 Mbps, 4K cps), SOHO
At-A-Glance
ASA 5500-X H/W Features:
• 64Bit Multi-Core Processor
• Up to 16GB of Memory
• Built-In Multi-Core Crypto Accelerator Hardware
• Dedicated IPS Acceleration Card
• Up to 14 1GE Ports
• Copper & Fiber I/O options
• Firewall, VPN & IPS Services
• Dedicated OOB Management Port
• NG Firewall & Context-Aware Ready
Customer Benefits:
• Performance
• Density
• Flexibility
• Integrated Services
• Context-Aware Security
• Management Consolidation
NGFW Component | ASA 5512-X through ASA 5555-X
User-Identity Based Firewall Policies | ✔ (Available since ASA 8.4.2; No License Required)
Application-Visibility and Control | ✔ (ASA CX*-Ready; ScanSafe**-Ready; To be made available as a service)
Integrated IPS | ✔ (Does not require a separate hardware module)
*ASA CX enables Context Security and is being delivered as a hardware module on 5585-X; Announced at RSA with availability around Q2 CY2012.
** ScanSafe Connector on ASA will be made available in next software release (ASA 9.0).
ASA 5515-X
ASA 5525-X
ASA 5545-X
ASA 5555-X
ASA 5512-X
1 RU Appliances
Hard Drive Slots (provided for future expansion; hard drive currently not being shipped)
6 GE ports
8 GE ports
1 Expansion Slot 6-port GE or 6-port SFP
Dual Power Supplies
Performance | ASA 5512-X/Sec Plus | ASA 5515-X | ASA 5525-X | ASA 5545-X | ASA 5555-X
Max Firewall | 1 Gbps | 1.2 Gbps | 2 Gbps | 3 Gbps | 4 Gbps
EMIX Firewall | 500 Mbps | 600 Mbps | 1 Gbps | 1.5 Gbps | 2 Gbps
Concurrent Threat Mitigation (Firewall + IPS) | 250 Mbps | 400 Mbps | 600 Mbps | 900 Mbps | 1.3 Gbps
Max IPSec VPN Throughput | 200 Mbps | 250 Mbps | 300 Mbps | 400 Mbps | 700 Mbps

Platform Capabilities | ASA 5512-X/Sec Plus | ASA 5515-X | ASA 5525-X | ASA 5545-X | ASA 5555-X
Max Firewall Conns | 100,000/250,000 | 250,000 | 500,000 | 750,000 | 1,000,000
Max Conns/Sec | 10,000 | 15,000 | 20,000 | 30,000 | 50,000
Max PPS (64 Byte UDP) | 450,000 | 500,000 | 700,000 | 900,000 | 1,100,000
Max VLANS Supported | 50/100 | 100 | 200 | 300 | 500
HA Support | No/Yes | Yes | Yes | Yes | Yes
Max IPSec/SSL VPN peers | 250 | 250 | 750 | 2500 | 5000
ASA 5525-X vs FG310B
[Chart: throughput in Mbps (axis 0 to 700) for ASA5525-X and FG310B at response sizes of 1KB, 4KB, 11KB and 16KB. Test done with HTTP 1.1 traffic with varying response sizes. Chart labels: "Data Sheet: 800 Mbps" and "Data Sheet: 600 Mbps".]
Category | ASA 5510 through ASA 5550 | ASA 5512-X through ASA 5555-X
Throughput
Firewall | 300 Mbps – 1.2 Gbps | 1 Gbps – 4 Gbps (4X)
IPS | 150 Mbps – 650 Mbps | 250 Mbps – 1.3 Gbps
VPN | 170 Mbps – 425 Mbps | 200 Mbps – 700 Mbps
Hardware
Memory | 1GB – 4GB | 4GB – 16GB (4X)
CPU | Single Core | Multi-Core, Multi-threaded
Redundant Power Supply | No | Yes (5545-X, 5555-X)
Expansion slot use | IPS or Content Security or I/O Expansion | Only for I/O Expansion
Services
IPS | Requires separate hardware module | No hardware module required (IPS acceleration h/w on 5525-X, 5545-X, 5555-X); IPS available on ASA 5555-X
Content Security | Requires separate hardware module | No hardware module required (ScanSafe connector to be made available in subsequent software rel.)
Licenses: IPS License (All Products); Sec Plus License (ASA 5512-X)
ASA 5510 / ASA 5512-X (New): SMBs & branch office
– ASA 5510: 300 Mbps Firewall, 250 Mbps FW+IPS, 200 Mbps VPN, 5 FE Data + Mgmt, 1 GB RAM, SEC PLUS Lic. For HA
– ASA 5512-X: 1 Gbps Firewall, 250 Mbps FW+IPS, 200 Mbps VPN, 6 GE Data + 1 GE Mgmt, 4 GB RAM, SEC PLUS Lic. For HA

ASA 5510 SEC PLUS / ASA 5515-X (New): SMBs & branch office
– ASA 5510 SEC PLUS: 1 Gbps Firewall, 250 Mbps FW+IPS, 200 Mbps VPN, 5 FE Data + Mgmt, 1 GB RAM
– ASA 5515-X: 1.2 Gbps Firewall, 400 Mbps FW+IPS, 250 Mbps VPN, 6 GE Data + 1 GE Mgmt, 8 GB RAM

ASA 5520 / ASA 5525-X (New): Med-Large business HQ and high throughput branch office
– ASA 5520: 450 Mbps Firewall, 450 Mbps FW+IPS, 225 Mbps VPN, 5 FE Data + Mgmt, 1 GB RAM
– ASA 5525-X: 2 Gbps Firewall, 600 Mbps FW+IPS, 300 Mbps VPN, 8 GE Data + 1 GE Mgmt, 8 GB RAM

ASA 5540 / ASA 5545-X (New): Med-Large business HQ
– ASA 5540: 650 Mbps Firewall, 650 Mbps FW+IPS, 325 Mbps VPN, 4 GE Data + 1 FE Mgmt, 2 GB RAM
– ASA 5545-X: 3 Gbps Firewall, 900 Mbps FW+IPS, 400 Mbps VPN, 8 GE Data + 1 GE Mgmt, 12 GB RAM, Dual Power Supplies

ASA 5550 / ASA 5555-X (New): Large business HQ
– ASA 5550: 1.2 Gbps Firewall, No IPS, 425 Mbps VPN, 8 GE Data + 1 FE Mgmt., 4 GB RAM
– ASA 5555-X: 4 Gbps Firewall, 1.3 Mbps FW+IPS, 700 Mbps VPN, 8 GE ports + 1GE Mgmt port, 16 GB RAM, Dual Power Supplies

• Up to 4x More Throughput
• More Default & Expansion I/O
• Up to 4x More Memory
• Next-Gen Services Capable
• No Extra Hardware for IPS
• Dual Power Supplies
[Roadmap figure; timeline axis: Now, Q3 CY2012, Later]
• Firewall: ASA 8.6.1.1
• IPS: IPS 7.1.4
• Cloud Web Security: ASA 9.0*
• Cloud AVC: ASA 9.0*
• On-box Web Security: ASA CX*
• On-box AVC: ASA CX*
• Remote Access: ASA 8.6.1.1
• Botnet Filter
* On Roadmap
Cloud Web Security/AVC via ScanSafe Integration in ASA 9.0 software release
• Uses both traditional signature-based and reputation-based methods to prevent threats
• Reputation of an IP address is decided through complex algorithms based on data shared by
– More than 600 third-party feeds
– More than 700,000 (and growing) global network of Cisco devices
– More than 10,000 servers that process roughly 500 GB of data every day
• Reputation helps catch zero-day threats and APTs (Advanced Persistent Threats)
• Helps meet regulatory compliance (such as PCI, HIPAA, SOX)
• Provides superior threat mitigation with passive OS fingerprinting and reputation
• Offers deployment flexibility by using user identity based security policies
Licensed Feature
Cisco® ASA
• Botnet traffic filter
– Scans all traffic, all ports, and all protocols
– Monitors command and control traffic from internal bots to external hosts
– Detects infected clients by tracking rogue “phone-home” traffic
• Powerful anti-malware data promotes accuracy
– Provides guidance now for blocking Botnet communication
– Dynamic discovery provides real time identification of malware communication
Wide Range of Connectivity Options
Mobile Access
IPsec VPN Tunneling
DTLS (Voice and Video)
Tunneling
Clientless VPN Access
SSL VPN Tunneling
Powered by the Cisco ASA
• Allow “engineering” to access Facebook but no Facebook games
• Check HTTP responses for Antivirus/Malware scanning
• Stop credit card or SSN information from being uploaded to the Internet
• Don’t allow all users access to gambling related websites
• Control what websites users can or cannot access (Acceptable Use Policy)
• Open certain HTTPS connections and check for threats
• Don’t allow users in “contractors” domain to upload any document that contains “ABC Confidential” to Internet
• Customizable regular expression for DLP
ASA deployed in Branch Office
ScanSafe Cloud Security
ASA deployed in Head Office
* ASA 9.0 (next software release)
Use Cases provided by ScanSafe Cloud Security
Web Server
New
LOCAL Business Context
Who
What
How
Where
When
Within YOUR Network
GLOBAL
Situational Threat Intelligence
Outside YOUR Network
Reputation
Interactions
APP Applications
URL Sites
New
Delivery Timeline
• Hardware module on 5585-X
– Q2 CY 2012: ASA CX SSP-10, ASA CX SSP-20
– Q3 CY 2012: ASA CX SSP-40, ASA CX SSP-60
• Service on 5500-X mid-range
– Q4 CY 2012
Runs on ASA 5512-X through ASA 5555-X only
All software functionality up to ASA 8.4.2
Firewall, Botnet Protection & VPN Services
SMP enabled ASA OS
64bit Software Architecture
EtherChannel Support for within and across Base & Expansion I/O Modules
Environment Monitoring Support
Jumbo Frame Support
External USB Drive Support
New
• On-box Management Software for Firewall, IPS & VPN
– ASDM (version 6.6.1): Manage and monitor on a single appliance
– CLI
• Off-box Management Software
– CSM (version 4.3-upcoming release): Manage, monitor & report on up to 2500 ASA 5500-X appliances
– Cisco IPS Manager Express (version 7.2.1): Manage and monitor up to 10 IPS Service Modules
Feature | Cisco | Checkpoint
Expected Data Sheet Performance | ✔ | ✖ For proper sizing of the firewall, Checkpoint recommends using the “Appliance Selection Tool” and not the data sheet.
IPS Performance and Efficacy | ✔ | ✖ Checkpoint’s lofty IPS performance numbers in the data sheet are with only a handful of signatures turned on. Moreover, unlike Cisco IPS, their IPS is just signature-based and does not use reputation.
Full-contextual policy | ✔* | ✖ Besides the 5-tuple firewall policy, Checkpoint provides only application and user visibility. Cisco ASA, on the other hand, provides additional context elements: device type, device OS and device security posture.
* ASA 9.0
Item | ASA 5515-X | 4207
Hardware
CPU | Intel i3-540 Processor 3.06 GHz, 2 cores/4 Threads, 4 MB Intel Smart Cache | Intel Atom D525 1.8 GHz, 2 cores/4 Threads, 1 MB L2 Cache
Base I/O | 6 + 1 | 4
Max Ethernet Ports | 12 + 1 | 8
IPS hardware accelerator | No (present from 5525-X onwards) | No
VPN hardware accelerator | Yes | No
Performance
Data Sheet Firewall Max (UDP 1500 byte) | 1.2 Gbps | 3 Gbps
Actual Firewall Max | 1.2 Gbps | 900 Mbps*
Data Sheet Firewall EMIX (Real-world Throughput) | 600 Mbps | Not published
Actual Firewall EMIX | 600 Mbps | 350 Mbps*
Data Sheet IPS | 450 Mbps | 2 Gbps (Default Profile); Not Published (Recommended Profile)
Actual IPS Media Rich | 450 Mbps | 250 Mbps* (Default profile); 75 Mbps* (Recommended Profile)
* Performance tests to be published and verified by third party
Feature | Cisco | Fortinet
Expected Data Sheet Performance | ✔ | ✖ Fortinet Firewall perf. negatively impacted with: fragmented traffic; traffic requiring services (IPS, A/V etc.); traffic headed out of ports not on same ingress NP; traffic requiring payload inspection, e.g. SIP, FTP etc.
IPS Performance and Efficacy | ✔ | ✖ IPS traffic is handled by the CPU instead of NP; IPS inspection stops after 200KB; No OS Fingerprinting; No Risk rating; No ability to modify existing signatures
Full-contextual policy | ✔* | ✖ Besides the 5-tuple firewall policy, Fortinet provides only application and user visibility. Cisco ASA, on the other hand, provides additional context elements: device type, device OS and device security posture.
* ASA 9.0
Feature | Cisco | Palo Alto Networks
IPS protection against zero-day threats using IP reputation | ✔ IPS gets information about “bad IPs” through global network of more than 700,000 Cisco devices | ✖
Comprehensive Web Security | ✔* Instead of using 3rd party web security solutions, Cisco uses ScanSafe (Palo Alto used SurfControl earlier, then later they started using BrightCloud) | ✖
Full-contextual policy | ✔* Through integration with ISE (Identity Services Engine), ASA can provide more than application and user visibility | ✖
Remote Access clients for mobile devices | ✔ Cisco AnyConnect supports iPad, iPod, iPhone, Android. Also, on ASA one can create policies to allow/deny certain devices, even based on OS version | ✖
* Roadmap
• Dual Power Supplies on 5545-X and 5555-X
– Data center deployment must
– Upsell opportunity from 5525-X even for VPN deployment scenarios
• Rich I/O Port Density
– Fiber port availability even on low-end models (5512, 5515)
• EtherChannel across Base and Expansion I/O
• USB Thumb Drive Support to Store PCAPs, Config files etc.
• Significant IPS Throughput
– ASA 5555-X supports 1Gbps+ IPS
• The new ASA Midrange 5500-X Security Appliances deliver:
• Multi-Gigabit Performance
• Accelerated Integrated Services
• Next-generation services enabled platform
• Lower deployment and operations costs
• Customers receive CTMP trade-in credit on legacy ASA
• Partner incentives for you!