防火墙入侵于检测——————3、思科 PIX 防火墙和 ASA 防火墙产品线

思科 PIX 防火墙和思科 ASA自适应安全工具模型和特点

PIX防火墙家族

ASA自适应安全工具家族

思科PIX 防火墙 501 安全工具 

• Designed for small offices andteleworkers

• 7500 concurrent connections

• 60-Mbps throughput

• Interface support

– Supports one 10/100BASE-T* Ethernetinterface (outside)

– Has four-port 10/100 switch (inside)

• VPN throughput

– 3-Mbps 3DES

– 4.5-Mbps 128-bit AES

• Ten simultaneous VPN peers

100BASE-Tspeed option is available in release 6.3.

PIX防火墙 501: 前面板 LEDs

PIX防火墙 501: 后面板

PIX防火墙506E 安全工具 

• Is designed for remote offices and small-to medium-sized businesses

• Provides 25,000 concurrent connections

• Provides 100-Mbps clear text throughput

• Supports Two interfaces

– 10/100BASE-T*

– Two VLANs*

• Provides VPN throughput

– 17-Mbps 3DES

– 30-Mbps 128-bit AES

• Provides 25 simultaneous VPN peers

*100BASE-Tspeed option is available in PIX Firewall Security Appliance Software v6.3 for506E only. Two VLANs are supported in release 6.3(4).

PIX防火墙 506E:前面板 LEDs

PIX防火墙 506E:后面板

PIX防火墙 515E 安全工具 

• Isdesigned for small- to medium-sized businesses and enterprise networks

• Provides130,000 concurrent connections

• Provides190-Mbps clear text throughput

• ProvidesInterface support

– Up tosix 10/100 Fast Ethernet interfaces

– Up to25 VLANs

– Up tofive contexts

• Supportsfailover

– Active/standby

– Active/active

• SupportsVPNs (2,000 tunnels)

– Siteto site

– Remoteaccess

PIX防火墙 515E:前面板 LEDs

PIX防火墙 515E:后面板

PIX防火墙515E:固定接口连接器

PIXFirewall 515E: Expansion Slot Option Cards

PIXFirewall 515E: Fast Ethernet Card Port Numbering

PIXFirewall 525 Security Appliance 

• Isdesigned for enterprise networks

• Provides280,000 concurrent connections

• Provides330-Mbps clear text throughput

• ProvidesInterface support

– Up toten 10/100 Fast Ethernet interfaces

– Up to100 VLANs

– Up to50 contexts

• Supportsfailover

– Active/standby

– Active/active

• SupportsVPNs (2,000 tunnels)

– Siteto site

– Remoteaccess

PIXFirewall 525: 前面板 LEDs

PIXFirewall 525: 后面板

PIXFirewall 525: 固定接口连接器

PIXFirewall 525: Expansion Cards and VACs

PIXFirewall 535 Security Appliance

• Isdesigned for enterprise and service providers

• Provides500,000 concurrent connections

• Provides1.65-Gbps clear text throughput

• ProvidesInterface support

– Up to14 Fast and Gigabit Ethernet interfaces

– Up to150 VLANs

– Upto  50 contexts

• Supportsfailover

– Active/standby

– Active/active

• SupportsVPNs (2,000 tunnels)

– Siteto site

– Remoteaccess

PIX535: Front Panel LEDs

PIX535: Back Panel

PIXFirewall 535: Option Cards

ASA 5500 自适应安全工具家族

ASA自适应安全工具家族

思科ASA5510 自适应安全工具 

• Delivers all-in-one enterprise, remoteoffice, and small- to medium-sized business security and VPN gateway

• Provides 64,000 concurrent connections

• Provides 300-Mbps firewall throughput

• Provides interface support

– Up to five 10/100 Fast Ethernetinterfaces

– Up to ten VLANs

• Supports failover

– Active/standby

• Supports VPNs

– Site to site

– Remote access

– WebVPN

• Supports AIP-SSM-10 (optional)

思科ASA5520 自适应安全工具 

• Delivers all-in-one enterprise and small-to medium-sized business headend security and VPN gateway

• Provides 130,000 concurrent connections

• Provides 450-Mbps firewall throughput

• Provides Interface support

– Four 10/100/1000 Gigabit Ethernetinterfaces

– One 10/100 Fast Ethernet  interface

– Up to 25 VLANs

– Up to 10 contexts

• Supports failover

– Active/standby

– Active/active

• Supports VPNs

– Site to site

– Remote access

– WebVPN

• Supports AIP-SSM-10 (optional)

思科ASA5540 自适应安全工具 

• Delivers all-in-one enterprise and small-to medium-sized business headend security and VPN Gateway

• Provides 280,000 concurrent connections

• Provides 400-Mbps firewall throughput

• Provides Interface support

– Four 10/100/1000 Gigabit Ethernetinterfaces

– One 10/100 Fast Ethernet interface

– Up to 100 VLANs

– Up to 50 contexts

• Supports failover

– Active/standby

– Active/active

• Supports VPNs

– Site to site (5,000 peers)

– Remote access

– WebVPN

• Supports AIP-SSM-20 (optional)

ASA5500 Series: 前面板

ASA5500 Series: 后面板

ASA5500 Series: 连接器

ASA5500  后面板

安全服务模块（ FWSM，Firewall Services Module ）

• 在 Cisco 6500 系列交换机和 Cisco 7600 系列 Internet 路由器上集成

• High-performance module designed toprovide additional security services

• Diskless (Flash-based) design forimproved reliability

• Gigabit Ethernet port for out-of-bandmanagement

FWSM的关键特性

1. 高性能， 5Gbit/s 的吞吐量，全双工防火墙功能。
2 ． 每秒 300 万个数据包的吞吐量。
3 ． 支持 100 个 VLAN 。
4 ． 100 万个并发连接。
5 ． LAN 故障倒换
6 ． OSPF 协议和 RIP 协议支持
7 ． 每台设备支持多个 FWSM 模块。

FWSM在 Catalyst6500 中的安装

FWSM在 Cisco7609 路由器中的安装

AIP-SSM

如何防御攻击？

IDS&IPS 区别

PIX 防火墙安全工具授权

License类型

• UR: Allows installation and use of themaximum number of interfaces and RAM supported by the platform.

• Restricted: Limits the number ofinterfaces supported and the amount of RAM available within the system (nocontexts and no failover).

• Active/standby failure: Places onesecurity appliance in a failover mode for use alongside a security appliancethat has a UR license. Only one unit can be actively processing user traffic;the other unit acts as a hot standby.

• Active/active failover: Places a securityappliance that has a UR license in a failover mode for use alongside anothersecurity appliance that has a UR license, or two UR licenses. Both units canactively process traffic while serving as a backup for each other. 

Appliesto PIX Firewall 515/515E, 525, and 535

VPN加密许可

• DES license 

– Provides 56-bit DES

• 3DES/AES license

– Provides 168-bit 3DES

– Provides up to 256-bit AES

PIX515E, 525, and 535 Licensing

ASA 系列产品Licensing

ASA 安全上下文授权

默认

• Two contexts

可行的 ContextLicenses

• 5 contexts

• 10 contexts

• 20 contexts

• 50 contexts

Upgrade Licenses

• From Five to Ten contexts

• From Ten to 20 contexts

• From 20 to 50 contexts

PIX与ASA

• SSL-VPN ： PIX 不支持

• AIP-SSM 模块 : PIX 不支持

• VPN 集群及负载均衡： PIX 不支持

• FLASH 卡： PIX 不支持

• AUX 接口： PIX 不支持

汇 总

• 当前有 8 个 PIX 防火墙和 ASA 自适应安全工具模型 .

– 思科 500 PIX 防火墙系列 : 501, 506E, 515E, 525, and 535

– 思科 ASA 5500 Series: 5510, 5520 and 5540

• Your security appliance licensedetermines the level of service and available features of your securityappliance, and the number of interfaces it supports.

• Restricted, unrestricted, and failoverlicenses are available for PIX Firewall Security Appliance models 515E, 525,and 535.

• The Cisco Firewall Services Module forthe Cisco Catalyst 6500 Switches and the Cisco 7600 Series Internet Routersprovides an alternative to the security appliance.

参考：CIsco