
Cisco IOS Firewall

Cisco Integrated Firewall Solutions

Cisco ASA 5500 Series Adaptive Security Appliance, Cisco PIX Security Appliance, Cisco IOS Firewall in Cisco Integrated Services Routers and Aggregation Services Routers, and the Firewall Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers

Networks are more critical to business success than ever before. They support key applications and processes and provide a common infrastructure for converged data, voice, and video services. Cisco® understands the security challenges that organizations face today, and empowers its customers to safely engage in business by providing them with best-in-class security solutions. Instead of only providing point products that set a base level of security, Cisco's philosophy is to embed security throughout the network and integrate security services in all of its products, resulting in greater security and making security a transparent, scalable, and manageable aspect of the business infrastructure.
Cisco ASA 5500 Series Adaptive Security Appliances, Cisco PIX® security appliances, the Cisco IOS® Advanced Security Feature Set, and the security services modules for Cisco Catalyst® 6500 Series Switches and Cisco 7600 Series Routers are integrated security solutions that best represent the Cisco security philosophy. Each of these products integrates comprehensive firewall, intrusion prevention, and VPN technologies in a cost-effective, single-box format. Customers implementing these integrated solutions benefit from enhanced security, lower cost of ownership, and lower operational costs, all resulting from the increased intelligence sharing of integrated security services in a single platform.

Integrated Firewall Solutions to Meet Every Need

The Cisco ASA 5500 Series, Cisco PIX security appliances, Cisco IOS Firewall, and the Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers are Cisco flexible integrated firewall solutions. Based on modular, scalable platforms, each offering is designed with a particular feature set to better secure different network environments. These solutions can be independently deployed to secure specific areas of the network infrastructure, or can be combined for a layered, defense-in-depth approach following the design best practices described in the Cisco SAFE Blueprint. Rounding out the integrated firewall solutions, Cisco provides a comprehensive security management product portfolio, ranging from Cisco security appliance and Cisco IOS Software security features and embedded device managers, to standalone management applications, helping to ensure that customers can effectively manage their Cisco security infrastructure investments.

Cisco ASA 5500 Series

Cisco ASA 5500 Series Adaptive Security Appliances are purpose-built solutions that bring together market-proven, best-in-class security and VPN services with an innovative, adaptive architecture. The result is a powerful multifunction network security appliance better able to protect small and medium-sized business (SMB), enterprise, and data center networks and, at the same time, reduce the overall deployment and operations costs associated with this new level of security.
The Cisco ASA 5500 Series uses technology developed for the Cisco PIX 500 Series Security Appliance, the Cisco IPS 4200 Series Intrusion Prevention System, and the Cisco VPN 3000 Series Concentrator. These technologies converge in the Cisco ASA 5500 Series to deliver a platform that stops the broadest range of threats. The Cisco ASA 5500 Series delivers application security, Content Security, and "clean" VPN connectivity across its product portfolio (Figure 1). This breadth of security enables protection of any network segment, including the most common threat conduits such as remote sites, LAN-attached internal users, and remote access VPNs.

Figure 1. Cisco ASA 5500 Series Appliance Portfolio (model and intended deployment, as labeled in the figure)

Cisco ASA 5505: Small Office

Cisco ASA 5510: Medium-Sized Branch

Cisco ASA 5520: Enterprise

Cisco ASA 5540: Enterprise Edge

Cisco ASA 5550: Enterprise Edge/HQ

Cisco ASA 5580: Data Center

Note: Figure 1 provides general guidelines. Network environments should be scaled based upon requirements.

The Cisco ASA 5500 Series provides strong application security through intelligent, application-aware inspection engines that examine network flows at Layers 4-7. The result is a more secure network including Web, voice, and 3G-mobile wireless services. To defend networks from application-layer attacks and to give businesses more control over the applications and protocols used in their environments, these inspection engines incorporate extensive application and protocol knowledge and employ security enforcement technologies that include protocol anomaly detection, and application and protocol state tracking. Also included are attack detection and mitigation techniques such as application/protocol command filtering, content verification, and URL deobfuscation. These inspection engines also deliver control over instant messaging, peer-to-peer file sharing, and tunneling applications, enabling businesses to enforce usage policies and free up network bandwidth for critical business applications.
While increasing network security, the Cisco ASA 5500 Series also decreases deployment and operational costs. Its broad VPN and security services profile makes it a single device for many uses, enabling platform standardization. It can be deployed as a converged threat-prevention device at the central site by using its access control, application inspection, and worm, virus, and other malware mitigation technologies. It can also be used as a dedicated remote-access device using its VPN capabilities. It serves equally well in the network interior for interdepartmental access control and to guard against worms, viruses, and other malicious code that internal users may unwittingly bring into the network. In small business and branch office environments, the Cisco ASA 5500 Series serves as an "all-in-one" device offering comprehensive threat prevention and VPN services while suiting the budgets and operational models of such deployments. This adaptive "single device, many uses" approach reduces the number of platforms that must be deployed and managed while offering a common operating and management environment across all those deployments. This approach simplifies configuration, monitoring, troubleshooting, and security staff training. To further minimize operations costs, the Cisco ASA 5500 Series is also highly network-aware, enabling it to insert gracefully into the network without disrupting legitimate traffic and applications (Table 1).

Table 1. Cisco ASA 5500 Series Firewall Performance

Firewall Performance

Cisco ASA 5505: 150 Mbps

Cisco ASA 5510: 300 Mbps

Cisco ASA 5520: 450 Mbps

Cisco ASA 5540: 650 Mbps

Cisco ASA 5550: 1.2 Gbps

Cisco ASA 5580-20: 6.5 Gbps

Cisco ASA 5580-40: 14 Gbps

Cisco PIX Security Appliances

The market-leading Cisco PIX family of security appliances delivers robust user and application policy enforcement, multivector attack protection, and secure connectivity services in cost-effective, easy-to-deploy solutions. These purpose-built appliances provide a wealth of integrated security and networking services, including advanced application-aware firewall services, market-leading voice over IP (VoIP) and multimedia security, robust site-to-site and remote-access IP Security (IPsec) VPN connectivity, award-winning resiliency, intelligent networking services, and flexible management solutions. The Cisco PIX family of security appliances (Figure 2) ranges from compact "plug-and-play" desktop appliances for small and home offices to modular gigabit appliances with superior investment protection for enterprise and service-provider environments. Cisco PIX security appliances provide robust security, performance, and reliability for network environments of all sizes.
Cisco PIX security appliances integrate a broad range of advanced firewall services to protect businesses from the constant barrage of threats on the Internet and in business network environments (Figure 2). As a secure foundation, Cisco PIX security appliances provide rich stateful inspection firewall services, tracking the state of all network communications and preventing unauthorized network access. Building upon those services, Cisco PIX security appliances deliver strong application-layer security through intelligent, application-aware inspection engines that examine network flows at Layers 4-7. To defend networks from application-layer attacks and to give businesses more control over the applications and protocols used in their environments, these inspection engines incorporate extensive application and protocol knowledge and employ security enforcement technologies that include protocol anomaly detection, application and protocol state tracking, Network Address Translation (NAT) services, and attack detection and mitigation techniques such as application/protocol command filtering, content verification, and URL deobfuscation. These inspection engines also give businesses control over instant messaging, peer-to-peer file sharing, and tunneling applications, enabling businesses to enforce usage policies and free up network bandwidth for legitimate business applications.

Figure 2. Cisco PIX Security Appliance Portfolio (model and intended deployment, as labeled in the figure)

Cisco PIX 501: Teleworker/SOHO (1-20 Users)

Cisco PIX 506E: Small Branch (20-99 Users)

Cisco PIX 515E: Medium-Sized Branch (100-999 Users)

Cisco PIX 525: Enterprise Branch (100-999 Users)

Cisco PIX 525: Enterprise Edge

Cisco PIX 535: Enterprise HQ Data Center

Note: Figure 2 provides general guidelines. Network environments should be scaled based on application requirements, not solely on the size of the network.

Built upon a hardened, purpose-built operating system that delivers rich security services, Cisco PIX security appliances provide the highest levels of security and have earned many industry evaluations and certifications, including Common Criteria Evaluation Assurance Level (EAL) 4 status for Firewall and IPsec certification. Cisco PIX security appliances provide market-leading protection for a wide range of VoIP and other multimedia standards, including H.323 Version 4, Session Initiation Protocol (SIP), Cisco Skinny Client Control Protocol (SCCP), Real-Time Streaming Protocol (RTSP), Media Gateway Control Protocol (MGCP), and others, helping businesses secure deployments of a wide range of current and next-generation VoIP and multimedia applications.
Cisco PIX security appliances deliver a wealth of configuration, monitoring, and troubleshooting options, giving businesses the flexibility to use the methods that best meet their needs. Management solutions range from centralized, policy-based management tools to integrated, Web-based management, to support for remote-monitoring protocols such as Simple Network Management Protocol (SNMP) and syslog. The integrated Cisco Adaptive Security Device Manager (ASDM) provides a world-class Web-based management interface that greatly simplifies the deployment, ongoing configuration, and monitoring of a single Cisco PIX security appliance, without requiring any software (other than a standard Web browser and Java plug-in) to be installed on an administrator's computer. Administrators can also remotely configure, monitor, and troubleshoot Cisco PIX security appliances using a command-line interface (CLI). Secure CLI access is available using several methods, including Secure Shell Protocol version 2 (SSHv2), Telnet over IPsec, and out-of-band access through a console port. Cisco PIX security appliances also include robust auto-update capabilities, a set of secure remote-management services that help ensure that firewall configurations and software images are kept up to date. In addition, Cisco PIX security appliances are supported by several configuration and monitoring tools available from Cisco Technology Developer Partners.
Table 2 summarizes the firewall performance of each Cisco PIX security appliance model.

Table 2. Cisco PIX Security Appliance Firewall Performance

Firewall Performance

Cisco PIX 501: 60 Mbps

Cisco PIX 506E: 100 Mbps

Cisco PIX 515E: 190 Mbps

Cisco PIX 525: 330 Mbps

Cisco PIX 535: 1.7 Gbps

Cisco IOS Firewall

The Cisco IOS Firewall is a stateful-inspection firewall option available for Cisco 1800, 2800, and 3800 Series Integrated Services Routers; Cisco 800 and 7200 Series Routers; Cisco ASR 1000 Series Routers; and Cisco 7301 Routers. Cisco IOS Firewall is supported on all integrated services routers with Cisco IOS Software Advanced Security or higher feature sets. Zone-based Cisco IOS Firewall is also supported at multigigabit rates on the Cisco ASR 1000 Series Aggregation Services Routers for the WAN and Internet edge. Cisco IOS Firewall is an ideal single-box security and routing solution for protecting the WAN entry point into the network. The primary features of Cisco IOS Firewall include stateful firewall with denial of service (DoS) protection; enhanced application, traffic, and user awareness to identify, inspect, and control applications; advanced protocol inspection for voice, video, and other applications; per-user, per-interface, or subinterface security policies; tightly integrated identity services to provide per-user authentication and authorization; and ease of management. Fine-grained role-based access enables secure, logical separation of router administration between network operations and security operations staff.
Cisco IOS Firewall not only helps enable a single point of protection at the perimeter of a network, it also makes security policy enforcement an inherent component of the network itself. The Cisco IOS Firewall runs on numerous Cisco IOS Software-based routers. It represents the best option for customers, regardless of office size, that want to use the network infrastructure for security while continuing to take advantage of Cisco IOS Software capabilities, including quality of service (QoS), multiprotocol, multicast, and advanced routing support (Figure 3).

Figure 3. Cisco IOS Firewall Portfolio (platform and intended deployment, as labeled in the figure)

Cisco 871: SOHO ECT

Cisco 1841: Small Branch

Cisco 2801: Medium-Sized Branch

Cisco 2811: Medium-Sized Branch

Cisco 2821: Medium-Sized Branch

Cisco 2851: Medium-Sized Branch

Cisco 3825: Enterprise Branch

Cisco 3845: Enterprise Branch

Cisco ASR 1000 Series: Enterprise WAN Edge

Note: Figure 3 provides general guidelines. Network environments should be scaled based on application requirements, not solely on the size of the network.

Cisco ASR 1000 Series: A Powerful New Paradigm for the WAN Edge

The new Cisco ASR 1000 Series Aggregation Services Router uses the Cisco QuantumFlow Processor, the industry's first massively parallel processor hardware and software architecture, to deliver high-performance integrated threat control services such as firewall, deep packet inspection, and logging services, concurrent with WAN and Internet edge routing.
Cisco ASR 1000 Series routers make a compelling case for integrating attack identification and prevention into the enterprise WAN and Internet edge router:

• Cisco IOS Firewall services scale up to 5/10 Gbps. Zone-based firewall policies can be applied on all Cisco ASR 1000 Series router interfaces.

• Deep packet inspection with NBAR is processed at multigigabit rates, along with high-speed logging (40K sessions per second) using Cisco NetFlow v9.

Cisco IOS Firewall is supported on all Cisco aggregation services routers with the Cisco IOS XE ASR 1000 Series RP1 Advanced IP Services software image and Advanced Enterprise Services options.
Cisco ASR 1000 Series firewall performance falls between the Cisco 7200 Series and the Firewall Services Module for the Cisco 7600 Series and Cisco Catalyst 6500 Series, delivering up to 10 times the performance of the Cisco 7200 Series (to 10 Gbps) with unparalleled WAN interface availability in a carrier-class design.
For more information on the Cisco ASR 1000 Series, visit http://www.cisco.com/go/asr1000.
The integrated Cisco IOS Firewall uses a sophisticated firewall engine capable of dynamically controlling traffic flows based on application-level intelligence, providing enhanced security for complex applications. The Cisco IOS Firewall also includes advanced application inspection and control for HTTP and e-mail. The Cisco IOS Firewall HTTP Inspection Engine enforces protocol conformance and prevents malicious or unauthorized behavior such as port 80 tunneling, malformed packets, and Trojans from passing through. The HTTP Inspection Engine gives Cisco IOS Firewall the intelligence to not only block non-HTTP traffic, but to help ensure traffic that is assumed to be HTTP is legitimate Web browsing and not instant messaging or other traffic trying to gain access through the firewall. The result is that network administrators have greater control of applications passing through the firewall.
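The zone-based policy and HTTP inspection described above, as an added configuration example that is not taken from this document or from Cisco documentation. Zone names, class and policy names, and the interface roles are assumptions for the illustration; the statements follow Cisco IOS zone-based firewall syntax.

```cisco
! Added example (not from the original document): zone-based Cisco IOS Firewall
! policy that inspects traffic from an inside LAN to the Internet and uses the
! HTTP inspection engine to reset sessions that misuse port 80.
! Zone, class, policy and interface names are assumptions for this illustration.

! Layer 7 HTTP class: flag protocol violations and IM, P2P or tunneling over port 80
class-map type inspect http match-any HTTP-MISUSE
 match req-resp protocol-violation
 match request port-misuse any

! Layer 7 HTTP policy: reset the TCP session and log each hit
policy-map type inspect http HTTP-POLICY
 class type inspect http HTTP-MISUSE
  reset
  log

! Layer 4 classes: HTTP receives the application policy, other allowed protocols do not
class-map type inspect match-all LAN-HTTP
 match protocol http
class-map type inspect match-any LAN-OTHER
 match protocol https
 match protocol dns
 match protocol icmp

! Layer 4 policy: stateful inspection for permitted classes, everything else dropped and logged
policy-map type inspect LAN-TO-INET
 class type inspect LAN-HTTP
  inspect
  service-policy http HTTP-POLICY
 class type inspect LAN-OTHER
  inspect
 class class-default
  drop log

! Zones and a one-way zone pair; return traffic is admitted by session state, not by policy
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect LAN-TO-INET

interface GigabitEthernet0/0
 description Inside LAN (assumed)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet uplink (assumed)
 zone-member security OUTSIDE
```

Traffic between the two zones with no matching zone pair (here, anything initiated from OUTSIDE) is dropped by default, so the reset-and-log action on the HTTP class is the only path for port 80 tunneling attempts to be recorded.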
Cisco integrated services routers also include an intrusion prevention system (IPS) that takes advantage of Cisco IPS technology. Cisco IOS IPS is an inline, deep-packet-inspection-based solution that helps Cisco routers effectively mitigate network attacks. Because Cisco IOS IPS is inline, it can drop traffic, enabling the router to respond immediately to security threats and protect the network.
Additional Cisco IOS Firewall capabilities include voice traversal support; IPv6 support; transparent firewall; URL filtering; support for individual firewall contexts for VRF environments; Cisco Network Admission Control (NAC) support; failover support; Network Address Translation (NAT); time-based access lists; Java Applet blocking; peer router authentication; real-time alerts; audit trails; and event logging. Cisco IOS Firewall is CC EAL4 certified, and Cisco IOS IPsec is FIPS 140-2 certified.
Cisco IOS Firewall can be managed through a convenient CLI using several methods, including Telnet, SSH, or out-of-band through a console port. Alternatively, Cisco IOS Firewall can be configured and monitored using the Cisco Router and Security Device Manager (SDM), an intuitive and secure Web-based device management tool embedded within Cisco IOS Firewalls. Cisco SDM simplifies device and security configuration through smart wizards that enable customers to quickly and easily deploy, configure, and monitor a Cisco IOS Firewall without requiring extensive knowledge of the Cisco IOS CLI. In addition, beginning with Cisco IOS Software Release 12.3, Cisco IOS Firewall incorporates Cisco AutoSecure, a feature that eliminates the complexity of securing a router by automating the configuration of security features and the removal of insecure features enabled by default. This feature simplifies the security process, enabling a rapid implementation of security policies and procedures to ensure secure networking services. Cisco IOS Firewall can also be configured and monitored using tools available from Cisco Technology Developer Partners.
Table 3 shows the firewall performance of different Cisco IOS router platforms running Cisco IOS Firewall. The performance numbers reflect the results of testing with stateful inspection applied to HTTP traffic containing 64 KB objects.

Table 3. Cisco IOS Firewall Performance

Firewall Performance

Cisco 870: 32 Mbps

Cisco 1812: 40 Mbps

Cisco 1841: 42 Mbps

Cisco 2801: 45 Mbps

Cisco 2811: 51 Mbps

Cisco 2821: 208 Mbps

Cisco 2851: 264 Mbps

Cisco 3825: 287 Mbps

Cisco 3845: 405 Mbps

Cisco ASR 1000 Series: 5 or 10 Gbps

Cisco FWSM for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers

The Cisco FWSM is a high-speed, integrated firewall module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The module provides the fastest firewall data rates in the industry: 5 Gbps throughput; 100,000 connections per second (cps); and 1 million concurrent connections. Up to four Cisco FWSMs can be installed in the same chassis, providing an unmatched 20 Gbps of firewalling capacity per chassis. The Cisco FWSM can also be combined with other Cisco security services modules such as the Intrusion Detection Services Module (IDSM-2), IPsec VPN Service Module (VPNSM), and the Network Analysis Module (NAM-1 and NAM-2). This modular approach allows customers to take advantage of their existing switching and routing infrastructures while obtaining the highest performance available in the industry; no costly upgrades are needed. The FWSM is an optimal solution for enterprise and service provider data centers, and enterprise campus distribution points.
Installed inside a Cisco Catalyst 6500 Series Switch or Cisco 7600 Series Router, the Cisco FWSM allows any port on the device to operate as a firewall port and integrates stateful firewall security inside the network infrastructure. This becomes especially important where rack space is at a premium. The Cisco Catalyst 6500 Series is the IP services switch of choice for customers requiring intelligent services such as firewall services, intrusion detection, and VPN services, along with multilayer LAN, WAN, and MAN switching capabilities (Figure 4).

Figure 4. Cisco FWSM for Catalyst 6500 Series Switches and Cisco 7600 Series Routers

The Cisco FWSM is based on Cisco PIX technology and uses the same time-tested Cisco PIX operating system, a secure, real-time operating system. The Cisco FWSM offers a unique combination of performance and security on the same platform, using proven Cisco PIX technology for inspecting packets.
The Cisco FWSM is supported by the CiscoView Device Manager for Cisco Catalyst 6500 Series Switches to perform initial setup and to provide graphical VLAN virtualization across all services. Cisco PIX Device Manager, the embedded manager for advanced configuration, monitoring, and troubleshooting, can also be launched from CiscoView Device Manager. Additionally, the Cisco FWSM is supported by Cisco Technology Developer Partners for configuration, monitoring, and reporting.

When to Deploy Each Cisco Integrated Firewall Solution

Cisco ASA 5500 Series, Cisco PIX security appliances, Cisco IOS Firewall, and the Cisco FWSM all incorporate leading-edge firewall technologies and have many benefits and features in common; however, each solution has been designed for specific environments. Tables 4-8 show the similarities and differences of these solutions, and provide general guidelines to help network designers decide when to deploy each solution and how to take maximum advantage of their individual capabilities.

Table 4. Features and Benefits Common to the Cisco ASA 5500 Series, Cisco PIX Security Appliance, Cisco IOS Firewall, and the Cisco FWSM

Feature

Benefit

Stateful Inspection Firewall

Provides robust network and application security by enforcing administrator-defined access control policies while performing deep packet inspection and tracking the state of all network communications.

Application/Protocol Inspection and Control

Delivers enhanced application and protocol security by using specialized inspection engines capable of examining data streams at Layers 4-7.

Dynamic, Per-User Authentication and Authorization

Provides flexible user authentication and authorization via the high-performance cut-through proxy mechanism and integration with Cisco Secure Access Control Server (ACS) using RADIUS and TACACS+ protocols. This allows for integration into numerous user databases, including Microsoft Active Directory, Microsoft Windows NT domains, Lightweight Directory Access Protocol (LDAP) directories, and one-time password systems.

Dynamic and Static NAT and Port Address Translation (PAT)

Provides extensive NAT application and protocol support and protects internal network addresses from the outside, providing an additional level of security.

Content Filtering

Improves employee productivity through integration with leading third-party URL filtering solutions; supports URL filtering and blocks malicious Java applets.

Remote Management

Offers a wealth of remote-management methods for configuration, monitoring, and troubleshooting. Management solutions range from highly scalable, centralized management tools to integrated, Web-based management to support for remote-monitoring protocols such as Simple Network Management Protocol (SNMP) and syslog.

Administrative Access Control Based on Authentication, Authorization, and Accounting (AAA)

Provides granular control for administrative access based on the AAA services provided by the TACACS+ and RADIUS protocols. This allows administrators to enforce access policies to the level of what services and commands are allowed to each admin user or group.

Multiple DMZ support

Supports additional physical or virtual network interfaces that can provide protected access to servers (such as Web, e-mail, FTP, or DNS) on a shared network (DMZ).

Extensive Multimedia Support, Including Streaming Video, Streaming Audio, and Voice Applications

Provides rich stateful inspection firewall services for a wide range of VoIP standards and other multimedia standards, allowing businesses to securely take advantage of the many benefits that converged data, voice, and video networks provide, such as improved productivity and competitive advantage.

DoS Attack Protection

Provides several mechanisms to block and mitigate DoS attacks, such as TCP Intercept, TCP SYN cookies, DNS Guard, Flood Defender, Flood Guard, Mail Guard, and Unicast Reverse Path Forwarding (uRPF).

Secure Dynamic Routing

Supports Message Digest Algorithm 5 (MD5)-based and plain-text routing authentication for Routing Information Protocol (RIP) and Open Shortest Path First (OSPF), preventing route spoofing and various routing-based DoS attacks.

Firewall Virtualization

Enables the device to be partitioned into multiple virtual firewalls or security contexts. Organizations can manage each virtual firewall separately and can segregate business units or other functional areas on the same physical infrastructure. Similarly, service providers can use firewall virtualization to support and segregate multiple customers on a single physical device.

Table 5. When to Choose Cisco ASA 5500 Adaptive Security Appliances

Customer Requirement

Cisco ASA 5500 Security Appliance Benefit

Purpose-Built, Best-in-Class, "converged" Security Appliance

Cisco ASA 5500 Series devices provide state-of-the-art integrated network security services, including stateful inspection firewall, IPS, VPN, worm and malware mitigation, network antivirus, and VPN clustering services, along with a modular security services slot. Cisco ASA 5500 Series devices are fully compatible with Cisco PIX devices; appliances from both families can be used to meet customer requirements.

Single Security Appliance with Multiple Uses for Headends and Branch Offices

Cisco ASA 5500 Series appliances can be deployed as converged threat prevention devices at central sites by using their access control, application inspection, and worm, virus, and malware mitigation technologies. They can be deployed as remote-access devices using their IPsec and SSL VPN capabilities. In the network interior, they can be used for interdepartmental access control and to guard against worms, viruses, and other malicious code internal users may unwittingly bring into the network. In each of these instances, the Cisco ASA device represents the most feature-rich Cisco solution.

Converged Appliance with Reduced Operating Costs

The "single device, many uses" approach reduces the number of platforms that must be deployed and managed, while offering a common operating and management environment across all those deployments. This approach simplifies configuration, monitoring, troubleshooting, and security staff training.

High Availability

When configured as failover pairs, Cisco ASA 5500 Series appliances provide stateful failover, with synchronized connection-state and device-configuration data. This helps ensure that network sessions are automatically transitioned between appliances with full transparency to users.

Table 6. When to Choose Cisco PIX Security Appliances

Customer Requirement

Cisco PIX Security Appliance Benefit

Purpose-Built, Best-in-Class, All-in-One Security Appliance

Cisco PIX security appliances provide state-of-the-art, integrated network security services, including stateful inspection firewall, protocol and application inspection, VPNs, inline intrusion prevention, and rich multimedia and voice security services. Cisco PIX security appliances are fully compatible with Cisco ASA 5500 Series devices; deployments can use both to meet customer requirements.

Dedicated Device for Enterprise Headends and Data Centers

Cisco PIX security appliances are security-specialized and run a hardened, embedded operating system, eliminating the common security holes of general-purpose operating systems and providing an unmatched system of overall security.

Separated Security Infrastructure

Cisco PIX security appliances can be implemented as dedicated security systems that provide advanced security features that allow an effective segregation of the security infrastructure from the rest of the network.

High Availability

Like the Cisco ASA 5500 Series appliances, when configured as failover pairs, Cisco PIX security appliances provide stateful failover with synchronized connection-state and device-configuration data. This helps ensure that network sessions are automatically transitioned between appliances, with full transparency to users.

Appliances for the Small Office and Home Office

The Cisco PIX 501 Security Appliance provides a wide range of rich, integrated security services, advanced networking services, and powerful remote management capabilities in a compact, all-in-one security solution. It delivers enterprise-class security for small office and teleworker environments, in a reliable, easy-to-deploy, purpose-built appliance.

Table 7. When to Choose Cisco IOS Firewall

Customer Requirement

Cisco IOS Firewall Benefit

One-Box Solution Combining Powerful Security, QoS, Multiprotocol Routing, Integrated WAN Interfaces, and Voice Application Support

The Cisco IOS Software Advanced Security Feature Set provides a comprehensive, integrated security solution, including stateful packet filtering, intrusion detection and prevention, per-user authentication and authorization, VPN capability, extensive QoS mechanisms, multiprotocol routing, voice application support, and integrated WAN interface support in one box.

Ability to Use the Network Infrastructure for Security

Cisco IOS Firewall can be loaded on existing Cisco IOS Software-based routers, providing greater investment protection in the network infrastructure. Reusing the same hardware chassis and components reduces not only the cost of ownership but also the cost of operation: the same management infrastructure can be used and no additional staff training is required.

Extensive VPN and Firewall Support in a Single Device

Deploying Cisco IOS Firewall with Cisco IOS encryption and QoS VPN features enables secure, low-cost transmissions over public networks. Cisco IOS Firewall provides the most extensive VPN support, including but not limited to Dynamic Multipoint VPN (DMVPN), IPsec stateful failover, Easy VPN Remote, Easy VPN Server, site-to-site VPNs, Advanced Encryption Standard (AES), VPN acceleration cards, Voice and Video-Enabled VPN (V3PN), and VPN QoS.

High-Performance, Highly-Available WAN Headend and Internet Edge

Turn on embedded, high-performance security services in Cisco ASR 1000 Series without affecting WAN routing performance. An integrated "all-in-one" router approach simplifies operations, reducing costs and the time to qualify, deploy, and maintain the WAN infrastructure.

High-Performance, Next-Generation Router for New and Faster WAN Edge Services

• 10X+ platform performance compared to Cisco 7200 Series
• 10 Gbps firewall and NAT, along with on-board multi-gigabit IPsec acceleration
• High-speed embedded deep packet inspection using Network-Based Application Recognition (NBAR)
• Cisco QuantumFlow Processor, the industry's first massively parallel processor hardware and software architecture
• Positioned between Cisco 7200 Series and Cisco Catalyst 6500 Series/7600 Series

Unparalleled WAN Availability with Carrier-Class Design

• Control and data plane separation for maximum system availability
• Redundant control plane for rapid failover with zero packet loss
• Redundant forwarding engines with stateful failover for minimal packet loss
• Software redundancy with dual Cisco IOS Software images on board
• Modular Cisco IOS XE Software for process restartability, fault management, and in-service software upgrades (ISSUs)

Operational Excellence

• Optimize WAN costs with bandwidth utilization, network consolidation, service integration, and power efficiency
• "Future-proof" hardware and software architecture
• Scalable and flexible QoS for optimal application performance
• Embedded and accelerated Cisco Performance Routing and scalable NetFlow v9

Table 8. When to Choose Cisco FWSM

Customer Requirement

Cisco FWSM Benefit

Service Provider and Large Enterprise Headends and Data Centers

The performance, scalability, and virtualization capabilities of the Cisco FWSM make it ideally suited for service providers and large enterprise headends and data centers. The Cisco FWSM provides the highest firewall performance in the industry: 5 Gbps throughput, 100,000 connections per second (cps), and 1 million concurrent connections. Up to four Cisco FWSMs can be deployed in the same chassis for a total of 20 Gbps of throughput. A single FWSM can support up to 1000 virtual interfaces (256 per context), and a single chassis can scale up to a maximum of 4000 VLANs. A single FWSM can be partitioned into up to 100 virtual firewalls (security contexts). Using the Cisco FWSM Resource Manager, organizations can limit the resources allocated to any security context at any time, which helps to ensure that one security context does not interfere with another.

Ability to Use Network and Switching Infrastructure at the Headend or Data Center

The Cisco FWSM can be deployed in existing Cisco Catalyst 6500 Series Switches or Cisco 7600 Series Routers, providing greater investment protection and integration with high-speed switching and routing. In addition, the FWSM can be deployed in transparent Layer 2 bridging mode or in Layer 3 routing mode. A transparent Layer 2 firewall simplifies network integration and allows traffic to be firewalled within the same subnet without any routing involved.

High Availability

The Cisco FWSM can be deployed in pairs to provide intra- or inter-chassis stateful failover services that help ensure resilient network protection for the most critical environments. Modules configured in failover mode continuously synchronize their connection state and device configuration data; in the event of failure, modules fail over with full transparency to users.

Figure 5 illustrates how Cisco integrated firewall solutions can be deployed together to secure an enterprise network.

Figure 5. How Cisco Integrated Security Solutions Secure Your Enterprise Network

Cisco Security Management Solutions

In addition to the embedded device managers in Cisco firewall solutions, Cisco provides integrated security management applications for customers that want to manage more than the few devices that the embedded managers are designed for.
For customers looking for comprehensive security policy administration for Cisco firewall solutions, Cisco provides the Cisco Security Manager (CS-Manager). Cisco Security Manager is a powerful but very easy-to-use solution to centrally provision all aspects of device configuration and security policies for Cisco firewalls, virtual private networks (VPNs), and Intrusion Prevention Systems (IPS). The solution effectively manages even small networks consisting of fewer than ten devices, but also scales to efficiently manage large-scale networks composed of thousands of devices. Scalability is achieved through intelligent policy-based management techniques that can simplify administration.
For centralized security information management, Cisco offers the Cisco Security Monitoring, Analysis and Response System (MARS). Cisco Security MARS is a family of high-performance, scalable threat-mitigation appliances that fortify network devices and security countermeasures. By combining network topology intelligence, context correlation, analysis, and auto-mitigation capabilities, Cisco Security MARS is able to identify, manage, and eliminate network attacks and maintain compliance. Cisco Security Manager and Cisco Security MARS are integrated to decrease OPEX and increase ROI for firewall deployments.
For example, trouble ticket resolution can be expedited by selecting a firewall syslog event in CS-MARS, which will display the access-list rule in Cisco Security Manager that generated the syslog.
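The syslog-to-rule lookup described above, written out as an added Python example (this is not CS-MARS or Cisco Security Manager code; the syslog lines, the "inside_in" access list and its rules are constructed for illustration, and the rule table stands in for the policy store a manager would hold). It parses the 106023 and 106100 messages a PIX, ASA or FWSM emits when an access list denies a packet, then walks the configured access list in order to find the first line that matches the logged 5-tuple, which is the line responsible for the event.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines in the PIX/ASA/FWSM 106023 and 106100 formats
# (emitted when an access list denies a packet), plus one unrelated connection
# message that must be ignored. Addresses and interface names are made up.
SAMPLE_SYSLOG = [
    '%ASA-4-106023: Deny tcp src inside:10.1.20.7/51234 dst outside:198.51.100.9/23 '
    'by access-group "inside_in" [0x0, 0x0]',
    '%FWSM-6-106100: access-list inside_in denied udp inside/10.1.20.7(40000) -> '
    'outside/198.51.100.9(161) hit-cnt 3 300-second interval [0x0, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.4/4321 '
    '(203.0.113.4/4321) to inside:10.1.1.80/443 (10.1.1.80/443)',
]


@dataclass
class AclRule:
    """One line of an access list, as a policy manager would store it."""
    acl: str
    line: int
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (
            self.proto in ("ip", proto)
            and ipaddress.ip_address(src) in self.src
            and ipaddress.ip_address(dst) in self.dst
            and self.dport in (None, dport)
        )


# Constructed policy for the hypothetical "inside_in" access list, in configured order.
ANY = ipaddress.ip_network("0.0.0.0/0")
RULES: List[AclRule] = [
    AclRule("inside_in", 1, "permit", "tcp", ipaddress.ip_network("10.1.20.0/24"), ANY, 443),
    AclRule("inside_in", 2, "deny", "tcp", ipaddress.ip_network("10.1.20.0/24"), ANY, 23),
    AclRule("inside_in", 3, "deny", "ip", ANY, ANY),
]

# 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
RE_106023 = re.compile(
    r'%(?:ASA|PIX|FWSM)-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)
# 106100: access-list <acl> denied <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>)
RE_106100 = re.compile(
    r'%(?:ASA|PIX|FWSM)-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) '
    r'(?P<proto>\w+) (?P<sif>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> '
    r'(?P<dif>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)'
)


def parse_acl_event(line: str) -> Optional[Dict[str, str]]:
    """Extract the ACL name and 5-tuple from a 106023/106100 line; None for other messages."""
    for pattern in (RE_106023, RE_106100):
        m = pattern.search(line)
        if m:
            event = m.groupdict()
            event.setdefault("action", "denied")   # 106023 is always a deny
            event["proto"] = event["proto"].lower()
            return event
    return None


def find_rule(event: Dict[str, str], rules: List[AclRule]) -> Optional[AclRule]:
    """First-match lookup, in the same order the firewall evaluates the access list."""
    for rule in rules:
        if rule.acl == event["acl"] and rule.matches(
            event["proto"], event["src"], event["dst"], int(event["dport"])
        ):
            return rule
    return None


def correlate(lines: List[str], rules: List[AclRule]) -> List[Tuple[str, Optional[AclRule]]]:
    """Pair every ACL deny event with the policy line that produced it."""
    results = []
    for line in lines:
        event = parse_acl_event(line)
        if event is not None:
            results.append((line, find_rule(event, rules)))
    return results


if __name__ == "__main__":
    for line, rule in correlate(SAMPLE_SYSLOG, RULES):
        where = f"{rule.acl} line {rule.line} ({rule.action} {rule.proto})" if rule else "no matching rule"
        print(f"{line[:60]}... -> {where}")
```

The lookup has to replay the firewall's first-match evaluation rather than search for a rule by name, because neither syslog message identifies the ACL line; a telnet deny from 10.1.20.7 therefore resolves to line 2, while a denied SNMP probe falls through to the closing deny-ip-any line.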

Ordering Information

To place an order, visit the Cisco Ordering Home Page.

Additional Information

For more information, please visit the following links:

• Cisco ASA 5500 Series Adaptive Security Appliances: http://www.cisco.com/go/asa

• Cisco PIX Security Appliances: http://www.cisco.com/go/pix

• Cisco ASR 1000 Series Aggregation Services Routers: http://www.cisco.com/go/asr1000

• Cisco IOS Firewall: http://www.cisco.com/go/firewall

• Router security from Cisco: http://www.cisco.com/go/routersecurity

• Cisco Firewall Services Module: http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/index.html

• Cisco PIX Device Manager: http://www.cisco.com/en/US/products/sw/netmgtsw/ps2032/index.html

• Cisco Security Device Manager: http://www.cisco.com/en/US/products/sw/secursw/ps5318/index.html

• Cisco Security Manager: http://www.cisco.com/go/csmanager

• Cisco Security MARS: http://www.cisco.com/go/mars

• SAFE Blueprint from Cisco: http://www.cisco.com/go/safe