Guest

Cisco ASA Next-Generation Firewall Services

Cisco ASA CX Context-Aware Security Data Sheet

Hierarchical Navigation

Downloads

Product Overview

Corporate networks are encountering the highest levels of change in history. Users require anywhere, anytime access to the network from a variety of company- and personally-owned mobile devices. In addition, applications have evolved to be highly dynamic and multifaceted, blurring the line between legitimate business applications and those that waste time and increase the company's exposure to internet-based threats. As a result, organizations must take a new approach to security - without abandoning time-tested methods - to unify the network's security framework, accelerate business innovation, and proactively protect against new and emerging threats.
Cisco® ASA CX Context-Aware Security is a modular security service that addresses these needs by blending a proven stateful inspection firewall with next-generation capabilities and a host of additional network-based security controls - for end-to-end network intelligence and streamlined security operations. Cisco ASA CX enables organizations to rapidly adapt to dynamic business needs while maintaining the highest levels of security. Like most next-generation firewalls, ASA CX delivers application and user ID awareness capabilities for enhanced visibility and control of network traffic. In addition, ASA CX enables administrators to:

• Control specific behaviors within allowed micro-applications

• Restrict web and web application usage based on reputation of the site

• Proactively protect against Internet threats

• Enforce differentiated policies based on the user, device, role, and application type

Unprecedented Network Visibility

Cisco ASA CX Context-Aware Security gives security administrators an unprecedented level of visibility into the traffic flowing through the network, including the users connecting to the network, the devices used, and the applications and websites that are accessed.
ASA CX uses Cisco security technologies to provide actionable intelligence to security administrators. For example, Cisco AnyConnect® provides information on the type and location of a mobile device before it can access the network. ASA CX also uses global threat intelligence from Cisco Security Intelligence Operations (SIO) to provide zero-day threat protection. Using these and other Cisco security technologies throughout the network, ASA CX delivers end-to-end network visibility for superior security control, including:

Robust authentication. In addition to passive authentication methods using Active Directory agent and Lightweight Directory Access Protocol (LDAP), Kerberos and NT LAN Manager are used to provide active authentication.

Device information. Cisco AnyConnect provides information on the specific types of user devices attempting to gain access to the network, as well as whether the device is located locally or remotely, enabling administrators to confidently allow devices while maintaining high levels of network protection and control.

Reputation-based threat defense. Threat intelligence feeds from Cisco SIO use the global footprint of Cisco security deployments (more than 2 million devices) to analyze approximately one-third of the world's Internet traffic from email, intrusion protection system (IPS), and web threat vectors. The feeds are updated every three to five minutes for near-real-time protection from zero-day threats.

Granular Application, User, and Device Control

Cisco ASA CX blocks port- and protocol-hopping applications such as Skype and other peer-to-peer applications, providing more effective security while requiring fewer policies. It enables policies to be written based on a wide range of contextual elements, including application, user, device, and location.
ASA CX also employs deep social networking controls. It recognizes more than 1000 applications and 75,000 micro-applications, enabling organizations to provide individual or group-based access to specific components of an application (Facebook for business use, for example) while disabling other components (such as Facebook games). Specific behaviors can also be blocked within allowed micro-applications for an additional layer of control.
Using Cisco AnyConnect, ASA CX shows the specific type of device attempting to gain access to the network, as well as information on whether the device is located within the network or is attempting remote access. With a clear understanding of the devices that are attempting to access network resources, administrators can confidently allow a multitude of devices while maintaining high levels of network protection and control.

Comprehensive Security Architecture

ASA CX extends the ASA platform to provide unprecedented visibility and control. Support for Layer 3 and Layer 4 stateful firewall features, including access control, network address translation, and stateful inspection, enables organizations to keep existing stateful inspection firewall policies that are essential for a host of compliance regulations, while adding Layer 7 context-aware rules that can act intelligently on contextual information. ASA CX uses the Cisco SecureX Architecture® to gain local intelligence from the Cisco AnyConnect Secure Mobility Client and near-real-time global threat intelligence from Cisco SIO. A proven firewall platform, combined with the power of local and global threat intelligence, provides a comprehensive, dynamic security architecture that is capable of addressing an organization's evolving security needs to enable growth, extensibility, and ongoing innovation.

Features and Benefits

Table 1 lists the features and benefits of Cisco ASA CX Context-Aware Security.

Table 1. Features and Benefits

Feature

Benefit

Application awareness

Enforces access policy based on more than 1000 commonly used applications and 75,000 micro-applications; provides granular access control based on "behavior" (for example, a file upload or a post on a social networking site) to further control user activity related to applications; controls port- and protocol-hopping applications that can evade classic security controls.

Identity-based firewalling

Provides differentiated access control based on user and user role; supports common identity mechanisms such as Active Directory agent, LDAP, Kerberos, and NT LAN Manager.

Device-type-based enforcement

Uses Cisco AnyConnect to identify the types of devices (such as iPads, iPhones, and Android devices) that are accessing the network, and controls which devices will be permitted or denied.

URL filtering

Enterprise-class, full-featured URL filtering solution enables granular control of Internet traffic.

Global threat intelligence

Uses the global footprint of Cisco security deployments for more comprehensive network protection. Cisco SIO delivers regularly updated threat intelligence feeds for near-real-time protection from zero-day malware.

Stateful firewall capabilities

In addition to enabling Layer 7 context-aware rules, provides extensive support for Layer 3 and Layer 4 stateful firewall features, including access control, network address translation, and stateful inspection.

Intuitive management solution

Preloaded with Cisco Prime Security Manager, a powerful, intuitive management solution that simplifies the management of context-aware firewalls.

Product Performance

Table 2 lists the capabilities and capacities of the Cisco ASA CX Context-Aware Security hardware for the ASA 5585-X appliance. For the capabilities and capacities of ASA CX software on the ASA 5500-X platform, please see the data sheets for ASA 5500-X appliances for small and branch offices or for the Internet edge.

Table 2. Cisco ASA CX Hardware Blade Capabilities and Capacities

Feature

ASA 5585-X CX SSP-10

ASA 5585-X CX SSP-20

Throughput

2 Gbps (multiprotocol)

5 Gbps (multiprotocol)

Maximum concurrent sessions

500,000

1,000,000

Connections per second

40,000

75,000

Supported applications

1000+

1000+

Supported micro-applications

75,000+

75,000+

URL categories

78

78

Number of URLs categorized

20+ million

20+ million

Languages for URL filtering

60+

60+

Number of web requests analyzed by Cisco SIO every day

30 billion

30 billion

Hardware Product Specifications

Table 3 provides a comparison of the Cisco ASA 5585-X CX Security Services Processor (SSP) 10 and 20 hardware blades.

Table 3. Hardware Product Specifications

Product Model

ASA 5585-X CX SSP-10

ASA 5585-X CX SSP-20

Technical Specifications

Memory

12 GB

24 GB

Disk storage

600 GB

600 GB

Hot-swappable hard disk

Yes

Yes

RAID level and controller

RAID 1, Software

RAID 1, Software

Minimum flash

8 GB

8 GB

Environmental Operating Ranges

Operating temperature

50ºF to 95ºF

(10ºC to 35ºC)

50ºF to 95ºF

(10ºC to 35ºC)

Relative humidity

10% to 90% (noncondensing)

10% to 90% (noncondensing)

Nonoperating temperature

-40ºF to 158ºF

(-40ºC to 70ºC)

-40ºF to 158ºF

(-40ºC to 70ºC)

Relative humidity

5% to 95% (noncondensing)

5% to 95% (noncondensing)

Altitude

0 to 30,000 ft

(9144m)

0 to 30,000 ft

(9144m)

Power Consumption and Mean Time Between Failures

Maximum peak

400W maximum

400W maximum

Steady State

Mean time between failures (MTBF)

109,887 hrs

87,829 hrs

Physical Specifications

Dimensions (HxWxD)

1.70 x 6.80 x 11.00 in.

(4.32 x 17.27 x 27.94 cm)

1.70 x 6.80 x 11.00 in.

(4.32 x 17.27 x 27.94 cm)

Weight

3.00 lb (1.36 kg)

3.00 lb (1.36 kg)

Management Features

Management and monitoring interface

2 Ethernet 10/100/1000 ports

2 Ethernet 10/100/1000 ports

Configuration, logging, and monitoring

On-box Cisco Prime Security Manager

On-box Cisco Prime Security Manager

Reporting

On-box Cisco Prime Security Manager

On-box Cisco Prime Security Manager

Centralized configuration, logging, monitoring, and reporting

Multidevice Cisco Prime Security Manager

Multidevice Cisco Prime Security Manager

Regulatory and Standards Compliance

Safety

UL 60950

CSA C22.2 No. 60950

EN 60950

IEC 60950

AS/NZS60950

UL 60950

CSA C22.2 No. 60950

EN 60950

IEC 60950

AS/NZS60950

Electromagnetic compatibility (EMC)

CE marking

FCC Part 15 Class A

AS/NZS CISPR22 Class A

VCCI Class A

EN55022 Class A

CISPR22 Class A

EN61000-3-2

EN61000-3-3

CE marking

FCC Part 15 Class A

AS/NZS CISPR22 Class A

VCCI Class A

EN55022 Class A

CISPR22 Class A

EN61000-3-2

EN61000-3-3

Platform Support/Compatibility

The ASA 5585-X CX SSP-10 and SSP-20 hardware blades are supported on Cisco ASA 5585-X platforms running Cisco ASA Software Release 8.4.4 and higher. ASA CX software is supported on the Cisco ASA 5500-X Series of next-generation midrange security appliances running Cisco ASA Software Release 9.1 and higher. Regardless of form factor, ASA CX is managed using Cisco Prime Security Manager.

Ordering Information

To place an order, visit the Cisco Ordering Home Page. Table 4 provides ordering information for Cisco ASA CX.

Table 4. Cisco ASA CX Ordering Information

Product Name

Part Number

Hardware - ASA 5500-X Series Midrange Appliances

ASA 5512-X with SW, 6GE Data, 1GE Mgmt, AC, DES, 120G SSD

ASA5512-SSD120-K8

ASA 5512-X with SW, 6GE Data, 1GE Mgmt, AC, 3DES/AES, 120G SSD

ASA5512-SSD120-K9

ASA 5515-X with SW, 6GE Data, 1GE Mgmt, AC, DES, 120G SSD

ASA5515-SSD120-K8

ASA 5515-X with SW, 6GE Data, 1GE Mgmt, AC, 3DES/AES, 120G SSD

ASA5515-SSD120-K9

ASA 5525-X with SW, 8GE Data, 1GE Mgmt, AC, DES, 120G SSD

ASA5525-SSD120-K8

ASA 5525-X with SW, 8GE Data, 1GE Mgmt, AC, 3DES/AES, 120G SSD

ASA5525-SSD120-K9

ASA 5545-X with SW, 8GE Data, 1GE Mgmt, AC, DES, 2 120G SSD

ASA5545-2SSD120-K8

ASA 5545-X with SW, 8GE Data, 1GE Mgmt, AC, 3DES/AES, 2 120G S

ASA5545-2SSD120-K9

ASA 5555-X with SW, 8GE Data, 1GE Mgmt, AC, DES, 2 120G SSD

ASA5555-2SSD120-K8

ASA 5555-X with SW, 8GE Data, 1GE Mgmt, AC, 3DES/AES, 2 120G SSD

ASA5555-2SSD120-K9

ASA 5512-X through 5555-X 120GB MLC SED SSD (spare)

ASA5500X-SSD120=

Hardware - ASA 5585-X Series Appliances

ASA 5585-X Chas with SSP10, CX SSP10, 16GE, 4GE Mgt, 1 AC, DES

ASA5585-S10C10-K8

ASA 5585-X Chas w/SSP10, CX SSP10, 16GE, 4GE Mgt, 1 AC, 3DES/AES

ASA5585-S10C10-K9

ASA 5585-X Chas w/SSP10, CX SSP10, 16GE, 4 SFP+, 2 AC, 3DES/AES

ASA5585-S10C10XK9

ASA 5585-X Chas with SSP20, CX SSP20, 16GE, 4GE Mgt, 1 AC, DES

ASA5585-S20C20-K8

ASA 5585-X Chas w/SSP20, CX SSP20, 16GE, 4GE Mgt, 1 AC, 3DES/AES

ASA5585-S20C20-K9

ASA 5585-X Chas w/SSP20, CX SSP20, 16GE, 4 SFP+, 2 AC, 3DES/AES

ASA5585-S20C20XK9

ASA 5585-X CX SSP-10 with 8GE, DES

ASA-SSP-CX10-K8=

ASA 5585-X CX SSP-10 with 8GE, 3DES/AES

ASA-SSP-CX10-K9=

ASA 5585-X CX SSP-20 with 8GE, DES

ASA-SSP-CX20-K8=

ASA 5585-X CX SSP-20 with 8GE, 3DES/AES

ASA-SSP-CX20-K9=

ASA CX Software Subscriptions: 1-Year Term

ASA 5512-X CX AVC and Web Security Essentials 1Year

ASA5512-AW1Y

ASA 5515-X CX AVC and Web Security Essentials 1Year

ASA5515-AW1Y

ASA 5525-X CX AVC and Web Security Essentials 1Year

ASA5525-AW1Y

ASA 5545-X CX AVC and Web Security Essentials 1Year

ASA5545-AW1Y

ASA 5555-X CX AVC and Web Security Essentials 1Year

ASA5555-AW1Y

ASA 5512-X CX Application Visibility and Control 1Year

ASA5512-AP1Y

ASA 5515-X CX Application Visibility and Control 1Year

ASA5515-AP1Y

ASA 5525-X CX Application Visibility and Control 1Year

ASA5525-AP1Y

ASA 5545-X CX Application Visibility and Control 1Year

ASA5545-AP1Y

ASA 5555-X CX Application Visibility and Control 1Year

ASA5555-AP1Y

ASA 5512-X CX Web Security Essentials 1Year

ASA5512-WS1Y

ASA 5515-X CX Web Security Essentials 1Year

ASA5515-WS1Y

ASA 5525-X CX Web Security Essentials 1Year

ASA5525-WS1Y

ASA 5545-X CX Web Security Essentials 1Year

ASA5545-WS1Y

ASA 5555-X CX Web Security Essentials 1Year

ASA5555-WS1Y

ASA 5585-X CX-10 AVC and Web Security Essentials 1Year

ASA5585-10-AW1Y

ASA 5585-X CX-10 Application Visibility and Control 1Year

ASA5585-10-AP1Y

ASA 5585-X CX-10 Web Security Essentials 1Year

ASA5585-10-WS1Y

ASA 5585-X CX-20 AVC and Web Security Essentials 1Year

ASA5585-20-AW1Y

ASA 5585-X CX-20 Application Visibility and Control 1Year

ASA5585-20-AP1Y

ASA 5585-X CX-20 Web Security Essentials 1Year

ASA5585-20-WS1Y

ASA CX Software Subscriptions: 3-Year Term

ASA 5512-X CX AVC and Web Security Essentials 3Year

ASA5512-AW3Y

ASA 5515-X CX AVC and Web Security Essentials 3Year

ASA5515-AW3Y

ASA 5525-X CX AVC and Web Security Essentials 3Year

ASA5525-AW3Y

ASA 5545-X CX AVC and Web Security Essentials 3Year

ASA5545-AW3Y

ASA 5555-X CX AVC and Web Security Essentials 3Year

ASA5555-AW3Y

ASA 5512-X CX Application Visibility and Control 3Year

ASA5512-AP3Y

ASA 5515-X CX Application Visibility and Control 3Year

ASA5515-AP3Y

ASA 5525-X CX Application Visibility and Control 3Year

ASA5525-AP3Y

ASA 5545-X CX Application Visibility and Control 3Year

ASA5545-AP3Y

ASA 5555-X CX Application Visibility and Control 3Year

ASA5555-AP3Y

ASA 5512-X CX Web Security Essentials 3Year

ASA5512-WS3Y

ASA 5515-X CX Web Security Essentials 3Year

ASA5515-WS3Y

ASA 5525-X CX Web Security Essentials 3Year

ASA5525-WS3Y

ASA 5545-X CX Web Security Essentials 3Year

ASA5545-WS3Y

ASA 5555-X CX Web Security Essentials 3Year

ASA5555-WS3Y

ASA 5585-X CX-10 AVC and Web Security Essentials 3Year

ASA5585-10-AW3Y

ASA 5585-X CX-10 Application Visibility and Control 3Year

ASA5585-10-AP3Y

ASA 5585-X CX-10 Web Security Essentials 3Year

ASA5585-10-WS3Y

ASA 5585-X CX-20 AVC and Web Security Essentials 3Year

ASA5585-20-AW3Y

ASA 5585-X CX-20 Application Visibility and Control 3Year

ASA5585-20-AP3Y

ASA 5585-X CX-20 Web Security Essentials 3Year

ASA5585-20-WS3Y

ASA CX Software Subscriptions: 5-Year Term

ASA 5512-X CX AVC and Web Security Essentials 5Year

ASA5512-AW5Y

ASA 5515-X CX AVC and Web Security Essentials 5Year

ASA5515-AW5Y

ASA 5525-X CX AVC and Web Security Essentials 5Year

ASA5525-AW5Y

ASA 5545-X CX AVC and Web Security Essentials 5Year

ASA5545-AW5Y

ASA 5555-X CX AVC and Web Security Essentials 5Year

ASA5555-AW5Y

ASA 5512-X CX Application Visibility and Control 5Year

ASA5512-AP5Y

ASA 5515-X CX Application Visibility and Control 5Year

ASA5515-AP5Y

ASA 5525-X CX Application Visibility and Control 5Year

ASA5525-AP5Y

ASA 5545-X CX Application Visibility and Control 5Year

ASA5545-AP5Y

ASA 5555-X CX Application Visibility and Control 5Year

ASA5555-AP5Y

ASA 5512-X CX Web Security Essentials 5Year

ASA5512-WS5Y

ASA 5515-X CX Web Security Essentials 5Year

ASA5515-WS5Y

ASA 5525-X CX Web Security Essentials 5Year

ASA5525-WS5Y

ASA 5545-X CX Web Security Essentials 5Year

ASA5545-WS5Y

ASA 5555-X CX Web Security Essentials 5Year

ASA5555-WS5Y

ASA 5585-X CX-10 AVC and Web Security Essentials 5Year

ASA5585-10-AW5Y

ASA 5585-X CX-10 Application Visibility and Control 5Year

ASA5585-10-AP5Y

ASA 5585-X CX-10 Web Security Essentials 5Year

ASA5585-10-WS5Y

ASA 5585-X CX-20 AVC and Web Security Essentials 5Year

ASA5585-20-AW5Y

ASA 5585-X CX-20 Application Visibility and Control 5Year

ASA5585-20-AP5Y

ASA 5585-X CX-20 Web Security Essentials 5Year

ASA5585-20-WS5Y

To Download the Software

Visit the Cisco Software Center to download Cisco ASA CX Software.

For More Information

For more information, please visit the following links:

• Cisco ASA CX Context-Aware Security: http://www.cisco.com/go/asacx.

• Cisco ASA 5500 Series Adaptive Security Appliances: http://www.cisco.com/go/asa.

• Cisco Prime Security Manager: http://www.cisco.com/go/prsm.

• Cisco Security Services: http://www.cisco.com/en/US/products/svcs/ps2961/ps2952/serv_group_home.html.