As mobile devices and Web 2.0 applications proliferate, it becomes harder to secure corporate perimeters. Traditional firewall and IPS solutions are not enough to keep up with the fast-changing threat landscape. A key component of Cisco Secure Borderless Network architecture, the Cisco® ASA 5500 Series Intrusion Prevention System (IPS) solution provides superior real-time protection for your critical information assets using innovative IPS with Global Correlation, firewall, and VPN technology. The Cisco ASA 5500 Series IPS solution delivers intrusion prevention capabilities using a hardware-accelerated IPS module, the Cisco ASA Advanced Inspection and Prevention Security Services Module (AIP SSM).
IPS technology extends firewall protection by blocking threats including worms, trojans, viruses, distributed denial of service attacks, reconnaissance, and attacks against operating system and application vulnerabilities. Cisco IPS with Global Correlation increases the efficacy of traditional IPS. With updates every 5 minutes, Cisco IPS with Global Correlation provides the fastest and most accurate threat protection with real-time global intelligence from Cisco IPS, firewall, email, and web appliances.
In addition to securing your network, the Cisco ASA 5500 Series IPS solution also helps you meet compliance mandates. Whether your mandate is the Payment Card Industry (PCI) standard in retail, the Federal Financial Institutions Examination Council (FFIEC) in banking, or the Health Insurance Portability and Accountability Act (HIPAA) in healthcare, the Cisco ASA 5500 Series IPS solution helps ensure that your network is safe and your compliance requirements are met.
Figure 1. Cisco ASA 5500 Series IPS Solution
Features and Benefits
The Cisco ASA 5500 Series IPS solution delivers high performance and powerful security protection in a single easy-to-deploy platform (see Figure 1).
Superior Security Protection
The Cisco ASA 5500 Series IPS solution counteracts threats including worms, trojans, viruses, distributed denial of service attacks, reconnaissance, and exploits against application and operating system vulnerabilities before they enter your network. Whether you have an IPv6 network, IPv4 network, or hybrid IPv6 and IPv4 network, the solution provides:
• Wide-ranging IPS capabilities: The Cisco ASA 5500 Series IPS solution delivers all the IPS capabilities available on Cisco IPS 4200 Series Sensors. The Cisco AIP SSM can be deployed inline in the traffic path or in promiscuous mode, in which a copy of the traffic is sent to the Cisco AIP SSM for inspection. The Cisco ASA 5500 Series IPS solution provides protection against tens of thousands of known attacks. And with Cisco anomaly detection, your network can be protected against day-zero threats before signature updates are available.
• Global Correlation: Provides real-time updates on the global threat environment beyond your perimeter by adding reputation analysis, reducing the window of threat exposure, and providing continuous feedback. With these new capabilities, Cisco IPS sensors can detect more threats, detect them earlier and more accurately, and protect critical assets from malicious attacks.
• Comprehensive and timely attack protection: The Cisco ASA 5500 Series IPS solution delivers protection against tens of thousands of known exploits and millions more potential unknown exploit variants using specialized IPS detection engines and thousands of signatures. Cisco Services for IPS provides signature updates through a global intelligence team working 24 hours a day to help ensure that you are protected against the latest threats.
• Day-zero attack protection: The Cisco ASA 5500 Series IPS solution provides powerful protection against day-zero attacks. Cisco anomaly detection learns the normal behavior on your network and alerts you when it sees anomalous activities in your network. Cisco anomaly protection helps protect you against new threats even before signatures are available.
• Application inspection and control: The application inspection engines in the Cisco ASA 5500 Series IPS solution provide granular control of who and what can enter the network. You can prevent access to potentially dangerous URLs. Rogue callers can be blocked. With blacklists, you can stop infected file attachments from entering your network.
• Wireless protection: The Cisco ASA 5500 Series IPS solution is tightly integrated with the Cisco Wireless LAN Controller to help keep intruders out of your wireless network. The Cisco Wireless LAN Controller blocks intruders based on real-time threat intelligence from the Cisco ASA 5500 Series IPS solution.
• Unified Communications protection: Strong protection of voice-over-IP (VoIP) protocols, Cisco Unified CallManager, and devices helps ensure the constant uptime of your critical voice network. The Cisco ASA 5500 Series IPS solution uses dedicated voice engines and comprehensive voice signatures to protect your voice network from intruders and attacks.
High Performance
The Cisco ASA 5500 Series IPS solution is hardware accelerated to provide the highest level of performance that does not negatively affect firewall or VPN throughput. With the Cisco AIP SSM-40, the Cisco ASA 5500 Series IPS solution can achieve up to 650 Mbps of firewall and IPS throughput.
Today, almost every important application uses the Internet. VoIP, e-commerce, streaming video, and Web 2.0 applications enable higher productivity and employee collaboration. These networked applications pose different and varying demands on resources such as connection rates, concurrent connections, flow length, and transaction size. From a performance perspective, there is a spectrum of application types ranging from media-rich environments that feature converged content to highly transactional environments populated by rapid-fire, lightweight connections. The Cisco ASA 5500 Series IPS solution is optimized for both media-rich and transactional environments.
Advanced Policy Provisioning
Policy provisioning simplifies management, reduces chances of mistakes, and allows you to focus on important tasks at hand. With the Cisco ASA 5500 Series IPS solution, you can apply unified policies with the Cisco Modular Policy Framework (MPF) and assign IPS policies within the Cisco AIP SSM:
• Cisco Modular Policy Framework: The Cisco MPF provides a powerful mechanism to assign Cisco ASA firewall, VPN, and IPS policies in one place. With the Cisco MPF, the Cisco ASA firewall passes traffic to the AIP SSM for inspection on a flow-by-flow, as-needed basis.
• Cisco IPS policy provisioning: For IPS policy provisioning, the Cisco AIP SSM is the only product that provides Risk Rating-based policy provisioning. Instead of tuning individual signatures, you assign IPS policies based on risk. All events are assigned a Risk Rating number between 0 and 100 based on the risk level of the event. Based on the Risk Rating, different policy actions can be assigned, such as drop packet, alarm, and log.
Flexible Management
Cisco can provide you the right management solutions, whether you have five Cisco ASA 5500 Series IPS solutions or thousands.
• Cisco Security Management Suite: The Cisco Security Management Suite is a powerful management application suite that scales up to thousands of devices and helps you manage the IPS, firewall, and VPN capabilities of your Cisco ASA 5500 Series IPS solution. The suite includes Cisco Security Manager and the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS). With Cisco Security Manager, you can apply security policies or perform software updates to hundreds or thousands of Cisco ASA appliances with one click. Cisco Security MARS can collect and correlate data from the Cisco ASA 5500 Series IPS solution and other security devices to identify problems and recommend corrective actions.
• Cisco IPS Manager Express: An all-in-one IPS management and reporting application for small deployments, Cisco IPS Manager Express enables you to provision, monitor, troubleshoot, and provide reports on up to five Cisco IPS devices. A customizable dashboard with more than 10 drag-and-drop gadgets allows you to personalize it to your needs (see Figure 2).
Figure 2. Cisco IPS Manager Express
Table 1 provides Cisco ASA 5500 Series IPS solution specifications.
Table 1. Cisco ASA 5500 Series IPS Solution Specifications
| Feature | Cisco ASA 5505 IPS Solution (base license/security plus license) | Cisco ASA 5510 IPS Solution (base license/security plus license) | Cisco ASA 5520 IPS Solution | Cisco ASA 5540 IPS Solution |
| --- | --- | --- | --- | --- |
| IPS | | | | |
| Maximum firewall + IPS throughput | 75 Mbps with AIP SSC-5 | 150 Mbps with AIP SSM-10 | 225 Mbps with AIP SSM-10; 375 Mbps with AIP SSM-20; 450 Mbps with AIP SSM-40 | 500 Mbps with AIP SSM-20; 650 Mbps with AIP SSM-40 |
| Threat protection | 25,000+ threats | 25,000+ threats | 25,000+ threats | 25,000+ threats |
| Day-zero protection with anomaly detection | No | Yes | Yes | Yes |
| Custom signature support | No | Yes | Yes | Yes |
| Virtual sensors | 1 | 4 | 4 | 4 |
| Firewall | | | | |
| Maximum firewall throughput (Mbps) | 150 | 300 | 450 | 650 |
| Maximum firewall connections | 10,000/25,000 | 50,000/130,000 | 280,000 | 400,000 |
| Maximum firewall connections per second | 4,000 | 9,000 | 12,000 | 25,000 |
| VPN | | | | |
| Maximum Triple Data Encryption Standard/Advanced Encryption Standard (3DES/AES) VPN throughput (Mbps) | 100 | 170 | 225 | 325 |
| Maximum site-to-site and remote-access VPN user sessions | 10/25 | 250 | 750 | 5000 |
| Maximum SSL VPN user sessions* | 25 | 250 | 750 | 2500 |
| Bundled SSL VPN user sessions | 2 | 2 | 2 | 2 |
* Beginning with Cisco ASA Software v7.1, SSL VPN (Web VPN) capability requires a license. Systems include 2 SSL VPN users by default for evaluation and remote management purposes.
Table 2 provides Cisco AIP SSM specifications.
Table 2. Cisco AIP SSM Specifications
| Feature | Cisco AIP SSC-5 | Cisco AIP SSM-10 | Cisco AIP SSM-20 | Cisco AIP SSM-40 |
| --- | --- | --- | --- | --- |
| Technical Specifications | | | | |
| Management and monitoring interface | Uses host ASA 5505 management interface | 1 Ethernet 10/100 port | 1 Ethernet 10/100 port | 1 Ethernet 10/100/1000 port |
| Memory | 512 MB | 1 GB | 2 GB | 4 GB |
| Minimum flash | 512 MB | 256 MB | 256 MB | 2 GB |
| Environmental Operating Ranges | | | | |
| Operating temperature | 32 to 104°F (0 to 40°C) | 32 to 104°F (0 to 40°C) | 32 to 104°F (0 to 40°C) | 32 to 104°F (0 to 40°C) |
| Operating relative humidity | 5 to 95% noncondensing | 5 to 95% noncondensing | 5 to 95% noncondensing | 5 to 95% noncondensing |
| Nonoperating temperature | -13 to 158°F (-25 to 70°C) | -13 to 158°F (-25 to 70°C) | -13 to 158°F (-25 to 70°C) | -13 to 158°F (-25 to 70°C) |
| Nonoperating relative humidity | 5 to 95% noncondensing | 5 to 95% noncondensing | 5 to 95% noncondensing | 5 to 95% noncondensing |
| Altitude | 0 to 15,000 ft (4570 m) | 0 to 15,000 ft (4570 m) | 0 to 15,000 ft (4570 m) | 0 to 15,000 ft (4570 m) |
| Power and Mean Time between Failure | | | | |
| Power consumption | 30W maximum | 90W maximum | 90W maximum | 90W maximum |
| Mean time between failure (MTBF) | 874,070 hours (100 years) | 299,588 hours (31 years) | 309,296 hours (35 years) | 221,679 hours (25 years) |
| Physical Specifications | | | | |
| Dimensions (HxWxD) | 0.68 x 3.55 x 5.2 in. (1.73 x 9.02 x 13.21 cm) | 1.70 x 6.80 x 11.00 in. (4.32 x 17.27 x 27.94 cm) | 1.70 x 6.80 x 11.00 in. (4.32 x 17.27 x 27.94 cm) | 1.70 x 6.80 x 11.00 in. (4.32 x 17.27 x 27.94 cm) |
| Weight | 0.42 lb (0.19 kg) | 3.00 lb (1.36 kg) | 3.00 lb (1.36 kg) | 2.58 lb (1.17 kg) |
| Regulatory and Standards Compliance | | | | |
| Safety | UL 1950, CSA C22.2 No. 950, EN 60950 IEC 60950, AS/NZS3260, TS001 | UL 1950, CSA C22.2 No. 950, EN 60950 IEC 60950, AS/NZS3260, TS001 | UL 1950, CSA C22.2 No. 950, EN 60950 IEC 60950, AS/NZS3260, TS001 | UL 1950, CSA C22.2 No. 950, EN 60950 IEC 60950, AS/NZS3260, TS001 |
| Electromagnetic compatibility (EMC) | CE marking, FCC Part 15 Class A, AS/NZS 3548 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3 | CE marking, FCC Part 15 Class A, AS/NZS 3548 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3 | CE marking, FCC Part 15 Class A, AS/NZS 3548 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3 | CE marking, FCC Part 15 Class A, AS/NZS 3548 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3 |
Ordering Information
To place an order, visit the Cisco Ordering Homepage. See Table 3 for ordering information.
| Product Name | Part Number |
| --- | --- |
| Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Card 5 (AIP SSC-5) | ASA-SSC-AIP-5-K9= |
| Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module 10 (AIP SSM-10) | ASA-SSM-AIP-10-K9= |
| Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module 20 (AIP SSM-20) | ASA-SSM-AIP-20-K9= |
| Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module 40 (AIP SSM-40) | ASA-SSM-AIP-40-K9= |
Service and Support
Cisco offers a wide range of service programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you to protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco services for security, visit http://www.cisco.com/go/services/security.
Cisco Services for IPS
Cisco Services for IPS is an integral part of the Cisco ASA 5500 Series IPS solution and enables operators to receive time-critical signature file updates and alerts. Part of the Cisco Technical Support Services portfolio, Cisco Services for IPS allows your Cisco ASA 5500 Series IPS solution to stay current on the latest threats so that malicious or damaging traffic is accurately identified, classified, and stopped. Cisco Services for IPS features include:
• Signature file updates and alerts
• Registered access to Cisco.com for online tools and technical assistance
The Cisco ASA 5500 Series IPS solution and Cisco AIP SSMs are subject to export controls. For guidance, refer to the export compliance website at http://www.cisco.com/wwl/export/crypto/. For specific export questions, contact export@cisco.com.