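Cisco Firepower Next-Generation Firewall
Cisco FirePOWER Management Center
Cisco FirePOWER Management Center
The Cisco FirePOWER™ Management Center increases the effectiveness of Cisco® network security solutions through integrated, centralized, simplified management.
Product Overview
The Cisco Firepower Management Center (formerly FireSIGHT Management Center) is the administrative nerve center for select Cisco security products running on a number of different platforms.
It provides complete and unified management of firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection.
The Management Center is the centralized point for event and policy management for the following solutions:
● Cisco Firepower Next-Generation Firewall (NGFW)
● Cisco ASA with FirePOWER Services
● Cisco Firepower Next-Generation IPS (NGIPS)
● Cisco Firepower Threat Defense for ISR
● Cisco Advanced Malware Protection (AMP)
The Cisco Firepower Management Center provides extensive intelligence about the users, applications, devices, threats, and vulnerabilities that exist in your network.
It also uses this information to analyze your network's vulnerabilities.
It then provides tailored recommendations, based on your specific situation, on which security policies to deploy and which security events to investigate.
The Management Center provides easy-to-use policy screens to control access and guard against known attacks.
It integrates advanced malware protection and sandboxing, and provides tools to track malware infections throughout your network.
It consolidates all of these functions into a single management interface.
From firewall management to application control, through to malware outbreak investigation and remediation, everything can be handled on this single platform.
Figure 1. Centralized management of policies, events, and devices
Enterprise-Class Management
The Cisco Firepower Management Center discovers real-time information about changing network resources and operations.
You can make informed decisions with a full understanding of the situation (see Figure 1).
In addition to providing broad intelligence, the Management Center delivers fine-grained detail, including:
● Trends and high-level statistics. These help you understand your security posture at a given point in time and how it is changing (improving or deteriorating).
● Event detail, compliance, and forensics. These provide details of what happened during a security event. They help you improve defenses, support breach containment efforts, and aid law enforcement actions.
● Workflow data. You can easily export this data to other solutions to improve incident response management.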
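Cisco Firepower Next-Generation Firewall (NGFW) Product Data Sheet
Data Sheet
Cisco Firepower Next-Generation Firewall (NGFW)
The Cisco Firepower® NGFW (next-generation firewall) is the industry's first fully integrated, threat-focused next-generation firewall with unified management.
It uniquely provides advanced threat protection before, during, and after attacks.
Stop more threats: Stop known and unknown malware with industry-leading Cisco® Advanced Malware Protection (AMP) and sandboxing.
Gain more insight: Gain superior visibility into your environment with Cisco Firepower next-generation IPS. Automated risk rankings and impact flags prioritize threats for your team.
Detect earlier, act faster: The Cisco Annual Security Report identifies a 100-day average time from infection to detection across enterprises. Reduce this time to less than a day.
Reduce complexity: Get unified management and automated threat correlation across tightly integrated security functions, including application firewalling, NGIPS, and AMP.
Get more from your network: Enhance security and take advantage of your existing investments with optional integration of other Cisco and third-party networking and security solutions.
Performance Highlights
Support services give your IT staff direct, anytime access to Cisco technical
Table 1 summarizes the performance highlights of the Cisco Firepower 4100 Series NGFW, the 9300 Series security appliances, and select Cisco ASA 5500-X appliances.
Table 1. Appliance feature highlights
Model | Throughput: FW + AVC (Cisco Firepower Threat Defense) | Throughput: FW + AVC + NGIPS (Cisco Firepower Threat Defense)
Cisco Firepower 2110 | 2.0 Gbps | 2.0 Gbps
Cisco Firepower 2120 | 3 Gbps | 3 Gbps
Cisco Firepower 2130 | 4.75 Gbps | 4.75 Gbps
Cisco Firepower 2140 | 8.5 Gbps | 8.5 Gbps
Cisco Firepower 4110 | 12 Gbps | 10 Gbps
Cisco Firepower 4120 | 20 Gbps | 15 Gbps
Cisco Firepower 4140 | 25 Gbps | 20 Gbps
Cisco Firepower 4150 | 30 Gbps | 24 Gbps
Cisco Firepower 9300 (1 SM-24 module) | 30 Gbps | 24 Gbps
Cisco Firepower 9300 (1 SM-36 module) | 42 Gbps | 34 Gbps
Cisco Firepower 9300 (1 SM-44 module) | 54 Gbps | 53 Gbps
Cisco Firepower 9300 (3 SM-44 modules) | 135 Gbps | 133 Gbps
Cisco ASA 5506-FTD-X | 250 Mbps | 125 Mbps
Cisco ASA 5506W-FTD-X | 250 Mbps | 125 Mbps
Cisco ASA 5506H-FTD-X | 250 Mbps | 125 Mbps
Cisco ASA 5508-FTD-X | 450 Mbps | 250 Mbps
Cisco ASA 5516-FTD-X | 850 Mbps | 450 Mbps
Cisco ASA 5525-FTD-X | 1100 Mbps | 650 Mbps
Cisco ASA 5545-FTD-X | 1500 Mbps | 1000 Mbps
Cisco ASA 5555-FTD-X | 1750 Mbps | 1250 Mbps
1 HTTP sessions with an average packet size of 1024 bytes.
2 1024-byte TCP firewall performance.
Note: NGFW performance varies depending on network and traffic.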
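Cisco Firepower 4110
Product Brochure
Cisco Firepower Next-Generation Firewall
The Cisco Firepower™ Next-Generation Firewall (NGFW) is the industry's first threat-focused next-generation firewall. It fully integrates multiple functions under unified management and uniquely provides advanced threat protection before, during, and after attacks.
Stop more threats: Contain known and unknown malware with industry-leading Cisco® Advanced Malware Protection (AMP) and sandboxing.
Gain more visibility: Cisco Firepower next-generation IPS provides superior visibility into your environment. It automatically determines risk rankings and impact flags to help your team set priorities.
Detect and respond faster: The Cisco Annual Security Report identifies a 100-day median time from infection to detection across enterprises. Cisco can reduce detection time to less than a day.
Reduce complexity: Get unified management and automated threat correlation through tightly integrated security functions such as application firewalling, NGIPS, and AMP.
Get more from your network: Optionally integrate other Cisco and third-party networking and security solutions to enhance security and take advantage of existing investments.
Performance Highlights
Table 1 summarizes the performance highlights of the Cisco Firepower NGFW 4100 Series and 9300 security appliances and select Cisco ASA 5500-X appliances.
Table 1. Performance highlights
Model | Firewall throughput (ASA) | Throughput: firewall + AVC (Firepower Threat Defense) | Throughput: firewall + AVC + NGIPS (Firepower Threat Defense)
Cisco Firepower 4110 | 35 Gbps | 12 Gbps | 10 Gbps
Cisco Firepower 4120 | 60 Gbps | 20 Gbps | 15 Gbps
Cisco Firepower 4140 | 70 Gbps | 25 Gbps | 20 Gbps
Cisco Firepower 4150 | 75 Gbps | 30 Gbps | 24 Gbps
Cisco Firepower 9300 with 1 SM-24 module | 75 Gbps | 30 Gbps | 24 Gbps
Cisco Firepower 9300 with 1 SM-36 module | 80 Gbps | 42 Gbps | 34 Gbps
Cisco Firepower 9300 with 1 SM-44 module | 80 Gbps | 54 Gbps | 53 Gbps
Cisco Firepower 9300 with 3 SM-44 modules | 234 Gbps | 135 Gbps | 133 Gbps
Cisco ASA 5506-FTD-X | 750 Mbps | 250 Mbps | 125 Mbps
Cisco ASA 5506W-FTD-X | 750 Mbps | 250 Mbps | 125 Mbps
Cisco ASA 5506H-FTD-X | 750 Mbps | 250 Mbps | 125 Mbps
Cisco ASA 5508-FTD-X | 1 Gbps | 450 Mbps | 250 Mbps
Cisco ASA 5516-FTD-X | 1.8 Gbps | 850 Mbps | 450 Mbps
Cisco ASA 5525-FTD-X | 2 Gbps | 1100 Mbps | 650 Mbps
Cisco ASA 5545-FTD-X | 3 Gbps | 1500 Mbps | 1000 Mbps
Cisco ASA 5555-FTD-X | 4 Gbps | 1750 Mbps | 1250 Mbps
1 Throughput is calculated based on HTTP sessions with an average packet size of 1024 bytes.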
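Network Security Product Rankings
Network Security Product Rankings
1. Cisco Firepower NGFW: This product is widely regarded as a leader in the network security field. It provides advanced firewall capabilities, threat intelligence, and an intrusion prevention system.
2. Palo Alto Networks Next-Generation Firewall: As a leading network security company, Palo Alto Networks offers firewall products that are considered highly reliable and provide a broad range of security features.
3. Fortinet FortiGate: Fortinet's firewall products are widely recognized in the industry. They provide strong firewall protection, application control, and threat intelligence capabilities.
4. Check Point Firewall: Check Point is a highly regarded network security company whose firewall products provide advanced protection features and network traffic control.
5. Symantec Endpoint Protection: Symantec is a well-known network security company whose endpoint protection product is generally considered efficient and offers strong threat detection and blocking capabilities.
6. McAfee Total Protection: McAfee is a leading network security company whose total protection product provides multiple layers of defense, including firewall, anti-malware, and data protection features.
7. Trend Micro Deep Security: Trend Micro's network security product is widely used to protect cloud and virtualized environments. It provides advanced threat defense and security management capabilities.
8. SonicWall Next-Generation Firewall: SonicWall's firewall products provide advanced network security features, including intrusion prevention, application control, and virtual private network support.
9. Juniper Networks SRX Series: Juniper Networks' firewall products are considered highly reliable and provide advanced protection policies and attack defense capabilities.
10. Sophos XG Firewall: Sophos's firewall products are widely used to protect small and midsize businesses. They provide comprehensive security features, including a network firewall, anti-malware, and web filtering.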
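Cisco ASA with FirePOWER Services
Product Brochure
Cisco ASA with FirePOWER Services
Meet the industry's first adaptive, threat-focused next-generation firewall (NGFW).
It is designed for a new era of threat and advanced malware protection.
Cisco® ASA with FirePOWER Services delivers integrated threat defense across the entire attack continuum: before, during, and after an attack.
Why? Because it combines the proven security capabilities of the Cisco ASA firewall with industry-leading Sourcefire® threat and Advanced Malware Protection (AMP) features in a single device.
The solution uniquely extends the capabilities of the Cisco ASA 5500-X Series Next-Generation Firewalls, well beyond what other NGFW solutions can currently match.
Whether you need to protect a small or midsize business, a distributed enterprise, or a single data center, Cisco® ASA with FirePOWER Services provides the needed scale and context in an NGFW solution.
Superior Multilayered Protection
Cisco ASA with FirePOWER Services brings distinctive, threat-focused next-generation security services to the Cisco ASA 5500-X Series Next-Generation Firewalls and the Cisco ASA 5585-X Adaptive Security Appliance firewalls.
It provides comprehensive protection against known, advanced threats, including protection against targeted and persistent malware attacks (Figure 1).
Cisco ASA is the world's most widely deployed enterprise-class stateful firewall.
Cisco ASA with FirePOWER Services offers the following comprehensive capabilities:
● Site-to-site and remote-access VPN and advanced clustering provide highly secure, high-performance access and high availability to help ensure business continuity.
● Granular Application Visibility and Control (AVC) supports more than 3000 application-layer and risk-based controls that can invoke tailored intrusion prevention system (IPS) threat detection policies to optimize security effectiveness.
● The industry-leading Cisco ASA with FirePOWER next-generation IPS (NGIPS) provides highly effective threat prevention and full contextual awareness of users, infrastructure, applications, and content, so that multivector threats can be detected and the defense response automated.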
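Cisco Firepower Next-Generation Firewall (NGFW)
Data Sheet
Cisco Firepower Next-Generation Firewall (NGFW)
The Cisco Firepower® NGFW (next-generation firewall) is the industry's first fully integrated, threat-focused next-generation firewall with unified management.
It uniquely provides advanced threat protection before, during, and after attacks.
Stop more threats
Gain more insight
Detect earlier, act faster
Reduce complexity
Get more from your network
Performance Highlights
Support services give your IT staff direct, anytime access to Cisco technical
Table 1 summarizes the performance highlights of the Cisco Firepower 4100 Series NGFW, the 9300 Series security appliances, and select Cisco ASA 5500-X appliances.
Table 1. Appliance feature highlights
1 HTTP sessions with an average packet size of 1024 bytes.
2 1024-byte TCP firewall performance.
Note: NGFW performance varies depending on network and traffic.
Consult your Cisco representative for detailed sizing guidance.
Performance is subject to change with new software releases.
Cisco Firepower 2100 Series: The industry's first midrange NGFWs that sustain performance when threat inspection is enabled
Cisco Firepower 4100 Series: The industry's first 1RU NGFWs with 40-Gbps interfaces
Cisco Firepower 9300: Ultra-high-performance NGFW, expandable as your needs grow
Cisco ASA 5500-X Series: Models for branch offices, industrial applications, and the Internet edge
Firepower NGFWv: The NGFW for virtual and cloud environments
Platform Image Support
The Cisco Firepower NGFW includes Application Visibility and Control (AVC), optional Next-Generation Intrusion Prevention System (NGIPS), Cisco® Advanced Malware Protection (AMP) for Networks, and URL Filtering.
The Cisco Firepower 2100 Series, 4100 Series, and 9300 appliances use the Cisco Firepower Threat Defense software image.
Alternatively, Cisco Firepower 2100 Series, 4100 Series, and 9300 appliances can support the Cisco Adaptive Security Appliance (ASA) software image.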
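Moving Beyond Passive Defense: Cisco Next-Generation Endpoint Security
...only then can they provide continuous protection as what they protect evolves. With continuous real-time network awareness, visibility could be tightly integrated with threat detection in an unprecedented way, which changed how network threats are defended against. The concept of continuous network discovery gave rise to our Firepower™ Next-Generation Intrusion Prevention System (NGIPS), which ultimately became the foundation for next-generation intrusion prevention systems (NGIPS) in general. Moreover, as defined by Gartner, real-time network awareness has become a key requirement for an NGIPS. And today, our Cisco Firepower™ Management Center technology is built on real-time network awareness.
A New Model for Protecting Endpoints
The current threat landscape once again forces us to change our thinking and deliver effective security solutions that protect all kinds of endpoints (PCs, Macs, Linux, mobile devices, and so on). Today's malware has either already compromised the endpoint or is on its way there. Advanced malware is dynamic and can use a variety of attack vectors to compromise an environment. It takes many forms, launches attacks continuously over time, and can quickly exfiltrate data from the endpoint. Such malware, including polymorphic and environment-aware malware, is very good at disguising itself and evading traditional security tools, which leads to breaches. The question is therefore no longer whether malware will get through the defenses and reach the endpoint, but when.
Unfortunately, many of the latest improvements in endpoint threat detection are not enough to solve these problems. Some of these improvements include executing files in a sandbox for detection and analysis, using virtual emulation layers to shield users and operating systems from malware, and using reputation-based application whitelisting to separate acceptable applications from malicious ones. More recently, attack chain simulation and analysis detection have come into play. These positive developments do help, and many companies (including Cisco) have begun to implement them. But they are still "static" in nature. Attackers understand the static nature of these security technologies and can innovate around their limitations to break through network and endpoint defenses.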
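Introduction to the Sangfor Next-Generation Firewall
Introduction to the Sangfor Next-Generation Firewall
First, the Sangfor next-generation firewall provides flexible network access control.
Based on the organization's security policy and network requirements, it can apply comprehensive access control to network traffic, including control by user, application, protocol, and port.
Organizations can therefore define access control rules that match their own needs and keep the network secure.
Second, the Sangfor next-generation firewall offers high performance and high throughput.
It uses advanced hardware and software technology and can support high-speed, high-volume network traffic, keeping the network stable and unobstructed.
Both small and large organizations can obtain reliable network performance and security protection.
In addition, the Sangfor next-generation firewall has strong security features.
It can perform real-time deep inspection and analysis of network traffic to accurately identify and block potential threats.
It also provides intrusion prevention and vulnerability management, which effectively defend against a variety of network attacks and vulnerability exploitation.
The next-generation firewall also supports automated management and dynamic adjustment of security policies, so it can adapt in real time to a changing network environment and changing threats.
The Sangfor next-generation firewall also provides advanced application control.
It can identify and control the applications in network traffic, including P2P file sharing, social media, and video streaming.
Organizations can restrict or optimize different applications according to their needs, improving network security and efficiency.
The Sangfor next-generation firewall also provides comprehensive reporting and logging.
It can record and analyze all activities and events on the organization's network, including traffic, attacks, and security policies.
This is very helpful for monitoring network security, analyzing network behavior, and compliance auditing.
In summary, the Sangfor next-generation firewall is an advanced, comprehensive, and intelligent network security device.
It offers flexible network access control, high performance and high throughput, strong security features, advanced application control, and comprehensive reporting and logging.
By using a next-generation firewall, organizations can better protect their networks against a variety of threats and improve network security and reliability.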
Cisco Network Security Product Solutions
ASA 5525-X/ ASA 5545-X/ ASA 5555-X
Firepower 2110/2120
Firepower 2130/2140
ASA 5585-X
Firepower
Firepower 9300
4110/4120/4140/4150 (SM24/SM36/SM44)
NGFWs: positioned for SMBs and distributed enterprises; centralized security threat defense; low TCO; simplified through FDM
1M
FPR 2120
3 Gbps 3 Gbps
1.2 M
FPR 2130
4.75 Gbps 4.75 Gbps
2M
FPR 2140
8.5 Gbps 8.5 Gbps
3.5 M
Maximum new connections per second, with AVC
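1. Cisco: the security company with the largest global market share
3. The world's largest threat intelligence company
What security products do we offer
Next-generation firewall
Intrusion detection and prevention
Internal network threat defense
Email/Web security
Admission control and security management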
ASA 5505/
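Branch/remote site 5506/5508
ASA next-generation firewall ASA 5512-X / 5515-X
Next-generation intrusion prevention; malicious code detection; sandbox analysis system; Sourcefire; AMP (network and endpoint); AMP ThreatGrid
Power supply – default/optional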
4-Core 16GB
6-Core 16GB
6-Core 8 GB
8-Core 8 GB
1 x 100GB Default 2nd Optional SSD for MSP 800GB
1x 250W fixed AC 1x 250W fixed AC
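Next-Generation Data Center: Protect Your Network with Cisco ASA Firewalls
Solution Overview
Next-Generation Data Center: Protect Your Network with Cisco ASA Firewalls
Today's network attacks are surging in number and are highly sophisticated, which requires data centers to implement protective measures that can be relied on with confidence.
Today's attacks target personal customer data and corporate intellectual property.
The potential for financial loss from theft, loss of customer trust, and damage to brand image is high.
In this rapidly changing attack landscape, a basic stateful firewall is no longer enough to block sophisticated attacks.
Deep inspection of every network flow directly degrades application performance.
In addition, the security appliance architecture must embrace virtualized applications and deliver the same feature set with consistently high performance in both traditional and next-generation software-defined networking (SDN) environments.
Next-generation data center security solutions must:
● Scale easily
● Provide a defense-in-depth approach that reduces application latency and improves performance
● Offer flexible insertion options
● Be highly available and able to scale elastically
Flexible Performance for All Environments
The evolution of the modern data center is shaped by multiple factors.
In particular, the rapid growth of server and application virtualization requires a move away from traditional static network topologies.
Applications are no longer tied to specific computing hardware with a predetermined physical location in the data center network.
The new application-centric programmable models introduced through SDN and other approaches also no longer emphasize VLAN-based segmentation and basic dynamic routing.
Over the next few years, programmability will continue to increase to enable data center transformation.
Because many interdependent applications are now hosted on the same physical server hardware, moving these connections out to external network devices becomes extremely inefficient and costly.
Application response time is linearly related to network latency, and even individual consumers are beginning to expect the kind of service levels that used to be exclusive to real-time financial applications.
If your customers cannot wait, your data center has no choice but to become faster.
Because low-latency or zero-latency requirements are increasingly imposed in all application environments, functional modularity and minimal interdependencies are a must for any data center security appliance.
Even when such a device implements multiple functions, its architecture should allow it to make policy decisions with the minimum number of necessary checks.
If an inbound connection can be denied based on the reputation of a particular endpoint, there is little reason to spend firewall cycles fully inspecting the application payload.
Cisco® ASA Series next-generation firewalls rely on this defense-in-depth approach, blocking the most basic TCP/IP attacks before engaging dedicated advanced protection modules to inspect the remaining traffic in more detail.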
Cisco ASA FirePOWER Sales
C97-732214-00 © 2014 Cisco and/or its affiliates. All rights reserved.
ASA5500-X with integrated FirePOWER Services
ASA release 9.2.2 requires running FirePOWER Services software release 5.3.1
All SKUs are based on K9
Cisco Confidential
Performance and Scalability
ASA FirePOWER License Types
• AVC(Application Visibility Control)
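Included with the ASA FirePOWER device; also called the Apps License.
• IPS License (1 or 3 years)
Provides intrusion prevention, context-based user and application control, and automated correlated response. This license can be added directly on the ASA FirePOWER device.
All of the packages above can be ordered for 1 or 3 years.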
ASA FirePOWER License Ordering Example (ASA5515)
• Selecting the IPS and Apps features for the ASA 5515-X FirePOWER:
Cisco Firepower Next-Generation Firewall (NGFW) Data Sheet
Data Sheet
Cisco Firepower Next-Generation Firewall (NGFW)
Prevent breaches, get deep visibility to detect and stop threats fast, and automate your network and security operations to save time and work smarter.
Model Overview
Cisco Firepower 2100 Series: The industry’s first midrange NGFWs delivering sustainable performance when threat inspection is enabled
Cisco Firepower 4100 Series: The industry’s first 1RU NGFWs with 40-Gbps interfaces
Cisco Firepower 9300: Ultra-high-performance NGFW, expandable as your needs grow
Cisco ASA 5500-X Series: Models for branch offices, industrial applications, and the Internet edge
Firepower NGFWv: The NGFW for virtual and cloud environments
Platform Image Support
The Cisco Firepower NGFW includes Application Visibility and Control (AVC), optional Next-Gen IPS (NGIPS), Cisco® Advanced Malware Protection (AMP) for Networks, and URL Filtering. The Cisco Firepower 2100 Series, 4100 Series, and 9300 appliances use the Cisco Firepower Threat Defense software image. Alternatively, Cisco Firepower 2100 Series, 4100 Series, and 9300 appliances can support the Cisco Adaptive Security Appliance (ASA) software image.
Management Options
Cisco Firepower NGFWs may be managed in a variety of ways depending on the way you work, your environment, and your needs.
The Cisco Firepower Management Center (formerly FireSIGHT) provides centralized management of the Cisco Firepower NGFW, the Cisco Firepower NGIPS, and Cisco AMP for Networks.
It also provides threat correlation for network sensors and Advanced Malware Protection (AMP) for Endpoints.
The Cisco Firepower Device Manager is available for local management of 2100 Series and select 5500-X Series devices running the Cisco Firepower Threat Defense software image.
The Cisco Adaptive Security Device Manager is available for local management of the Cisco Firepower 2100 Series, 4100 Series, Cisco Firepower 9300 Series, and Cisco ASA 5500-X Series devices running the ASA software image.
Cisco Defense Orchestrator cloud-based management is also available for consistent policy management across Cisco security devices running the ASA software image, enabling greater management efficiency for the distributed enterprise.
Firepower DDoS Mitigation
Also available on the Cisco Firepower 4100 Series and 9300 appliances is tightly integrated, comprehensive, behavioral DDoS mitigation for both network and application infrastructure protection. This DDoS mitigation is Radware’s Virtual DefensePro (vDP). It is available from and supported directly by Cisco.
Cisco Firepower 2100 Series Appliances
The Cisco Firepower 2100 Series is a family of four threat-focused NGFW security platforms that deliver business resiliency through superior threat defense. It offers exceptional sustained performance when advanced threat functions are enabled. These platforms uniquely incorporate an innovative dual multicore CPU architecture that optimizes firewall, cryptographic, and threat inspection functions simultaneously. The series’ firewall throughput range addresses use cases from the Internet edge to the data center. Network Equipment Building Standards (NEBS) compliance is supported by the Cisco Firepower 2100 Series platform.
Cisco Firepower 4100 Series Appliances
The Cisco Firepower 4100 Series is a family of four threat-focused NGFW security platforms. Their throughput range addresses data center and internet edge use cases.
They deliver superior threat defense, at faster speeds, with a smaller footprint. Cisco Firepower 4100 Series supports flow-offloading, programmatic orchestration, and the management of security services with RESTful APIs. Network Equipment Building Standards (NEBS) compliance is supported by the Cisco Firepower 4120 platform.
Cisco Firepower 9300 Security Appliance
The Cisco Firepower 9300 is a scalable (beyond 1 Tbps when clustered), carrier-grade, modular platform designed for service providers, high-performance computing centers, large data centers, campuses, high-frequency trading environments, and other environments that require low (less than 5-microsecond offload) latency and exceptional throughput. Cisco Firepower 9300 supports flow-offloading, programmatic orchestration, and the management of security services with RESTful APIs. It is also available in Network Equipment Building Standards (NEBS)-compliant configurations.
Cisco ASA 5500-FTD-X Series Appliances
The Cisco ASA 5500-FTD-X Series is a family of eight threat-focused NGFW security platforms. Their throughput range addresses use cases from the small or branch office to the Internet edge. They deliver superior threat defense in a cost-effective footprint.
Cisco Firepower NGFW Virtual (NGFWv) Appliances
Cisco Firepower NGFWv is available on VMware, KVM, and the Amazon Web Services (AWS) and Microsoft Azure environments for virtual, public, private, and hybrid cloud environments. Organizations employing SDN can rapidly provision and orchestrate flexible network protection with Firepower NGFWv. As well, organizations using NFV can further lower costs utilizing Firepower NGFWv.
Performance Testing Methodologies
Cisco uses a variety of testing methodologies in a lab environment to ensure the performance specifications we report are as close to real world as possible.
Firewall performance is affected by many factors including network environment, packet sizes, packet type, TLS encryption, and more.
Two modes of firewall testing exist: static or real world. Static testing leverages performance and security testing tools in a simulated environment. Real-world testing uses samples of live traffic on a production or side-car network. While static testing does not completely mimic performance in a real-world networking environment, we review and modify the static methodology to ensure the results are as close to real-world as possible.
The following are test methodologies used for measurements listed in Table 1. Change in performance vs change in packet size is not linear, so extrapolation from a single test is not possible for the almost unlimited variety of network environments. Testing security efficacy or security service performance under loaded conditions adds even more complexity. For these reasons we rely on the 1024B HTTP Test.
1024B HTTP Test (256KB Object)
This number is to compare with other vendors at a 256KB object size. It uses a larger and commonly tested packet size for every simulated session. With the protocol overhead, the average frame size is around 1024 bytes. This represents typical production conditions for most firewall deployments.
1500B UDP vs 64B UDP
This test uses a transactional UDP profile with either 1500B or 64B frames. Due to the stateless nature of UDP, it creates very little impact on a stateful NGFW. Many vendors use this profile to measure maximum firewall performance, however it is only practical as a comparison point. This test does not represent real-world conditions, therefore Cisco only uses it as a legacy metric for ASA performance.
For NGFW products, various UDP packet sizes should only be used to test latency and not overall performance.
Performance Specifications and Feature Highlights
Table 1 summarizes the capabilities of the Cisco Firepower NGFWv, Firepower 2100 Series, and 4100 Series and 9300 appliances as well as the Cisco ASA 5500-FTD-X appliances when running the Cisco Firepower Threat Defense image. All numbers are derived with two-way traffic evaluation to replicate the best security posture.
Table 1. Cisco Firepower Threat Defense (FTD) Performance Specifications and Feature Highlights for Physical and Virtual Appliances
Note: Throughput assumes HTTP sessions. Performance will vary depending on features activated, and network traffic protocol mix, packet size characteristics and hypervisor employed (NGFWv). Performance is subject to change with new software releases. Consult your Cisco representative for detailed sizing guidance.
Table 2 summarizes the performance and capabilities of the Cisco Firepower 2100, 4100 Series and 9300 appliances when running the ASA image. For Cisco ASA 5500-X Series performance specifications with the ASA image, please visit the Cisco ASA with FirePOWER Services data sheet.
Table 2. ASA Performance and Capabilities on Firepower Appliances
Model | New connections per second | IPsec VPN throughput (450B UDP L2L test) | IPsec/Cisco AnyConnect/Apex site-to-site VPN peers | Maximum number of VLANs | Security contexts (included; maximum) | Clustering
2110 | 18000 | 500 Mbps | 1500 | 400 | 2; 25 | -
2120 | 28000 | 700 Mbps | 3500 | 600 | 2; 25 | -
2130 | 40000 | 1 Gbps | 7500 | 750 | 2; 30 | -
2140 | 75000 | 2 Gbps | 10000 | 1024 | 2; 40 | -
4110 | 150,000 | 8 Gbps | 10,000 | 1024 | 10; 250 | Up to 16 appliances
4120 | 250,000 | 10 Gbps | 15,000 | 1024 | 10; 250 | Up to 16 appliances
4140 | 350,000 | 14 Gbps | 20,000 | 1024 | 10; 250 | Up to 16 appliances
4150 | 800,000 | 15 Gbps | 20,000 | 1024 | 10; 250 | Up to 16 appliances
9300 | 800,000 | 15 Gbps | 20,000 | 1024 | 10; 250 | Up to 5 appliances with 3 security modules each
9300 | 1.2 million | 18 Gbps | 20,000 | 1024 | 10; 250 | Up to 5 appliances with three security modules each
9300 | 1.8 million | 20 Gbps | 20,000 | 1024 | 10; 250 | Up to 5 appliances with three security modules each
9300 | 4 million | 60 Gbps (3) / 40 Gbps | 60,000 (3) / 20,000 | 1024 | 10; 250 | Up to 5 appliances with 3 security modules each
High availability (all models): Active/active and active/standby
Scalability: VPN Load Balancing | VPN Load Balancing, Firewall Clustering
Centralized management: Centralized configuration, logging, monitoring, and reporting are performed by Cisco Security Manager or alternatively in the cloud with Cisco Defense Orchestrator
Adaptive Security Device Manager: Web-based, local management for small-scale deployments
1 Throughput measured with 1500B User Datagram Protocol (UDP) traffic measured under ideal test conditions.
2 “Multiprotocol” refers to a traffic profile consisting primarily of TCP-based protocols and applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
3 In unclustered configuration.
Table 3. Operating Requirements for Firepower NGFWv Virtual Appliances
Hardware Specifications
Tables 4, 5, and 6 summarize the hardware specifications for the 2100 Series, 4100 Series, and 9300 Series, respectively. Table 7 summarizes regulatory standards compliance. For Cisco ASA 5500-X Series hardware specifications, please visit the Cisco ASA with FirePOWER Services data sheet.
Table 4. Cisco Firepower 2100 Series Hardware Specifications
1 Dual power supplies are hot-swappable.
2 Fans operate in a 3+1 redundant configuration where the system will continue to function with only 3 operational fans. The 3 remaining fans will run at full speed.
3 FPR-2130 platform is designed to be NEBS ready. The availability of NEBS certification is pending.
Table 5. Cisco Firepower 4100 Series Hardware Specifications
1 Dual power supplies are hot-swappable.
Table 6. Cisco Firepower 9300 Hardware Specifications
* Minimum turn-on voltage is -44V DC
Table 7. Cisco Firepower 2100 Series, 4100 Series and Cisco Firepower 9300 NEBS, Regulatory, Safety, and EMC Compliance
Cisco Trust Anchor Technologies
Cisco Trust Anchor Technologies provide a highly secure foundation for certain Cisco products. They enable hardware and software authenticity assurance for supply chain trust and strong mitigation against a man-in-the-middle compromise of software and firmware.
Trust Anchor capabilities include:
● Image signing: Cryptographically signed images provide assurance that the firmware, BIOS, and other software are authentic and unmodified. As the system boots, the system’s software signatures are checked for integrity.
● Secure Boot: Secure Boot anchors the boot sequence chain of trust to immutable hardware, mitigating threats against a system’s foundational state and the software that is to be loaded, regardless of a user’s privilege level.
It provides layered protection against the persistence of illicitly modified firmware.
● Trust Anchor module: A tamper-resistant, strong-cryptographic, single-chip solution provides hardware authenticity assurance to uniquely identify the product so that its origin can be confirmed to Cisco, providing assurance that the product is genuine.
Firepower DDoS Mitigation
Firepower DDoS Mitigation is provided by Radware Virtual DefensePro (vDP), available and supported directly from Cisco on the following Cisco Firepower 9300 and 4100 series appliances:
Radware vDP is an award-winning, real-time, behavioral DDoS attack mitigation solution that protects organizations against multiple DDoS threats. Firepower DDoS mitigation defends your application infrastructure against network and application degradation and outage.
DDoS Mitigation: Protection Set
Firepower’s vDP DDoS mitigation consists of patent-protected, adaptive, behavioral-based real-time signature technology that detects and mitigates zero-day network and application DDoS attacks in real time. It eliminates the need for human intervention and does not block legitimate user traffic when under attack.
The following attacks are detected and mitigated:
● SYN flood attacks
● Network DDoS attacks, including IP floods, ICMP floods, TCP floods, UDP floods, and IGMP floods
● Application DDoS attacks, including HTTP floods and DNS query floods
● Anomalous flood attacks, such as nonstandard and malformed packet attacks
Performance
The performance figures in Table 8 apply to all Cisco Firepower 4100 series models.
Table 8. Key DDoS Performance Metrics for Cisco Firepower 4100 Series
The performance figures in Table 9 are for Cisco Firepower 9300 with 1 to 3 Security Modules irrespective of Security Module type (SM-24, SM-36 or SM-44).
Table 9. Key DDoS Performance Metrics for Cisco Firepower 9300 with 1, 2, or 3 Security Modules.
Ordering Information
Cisco Smart Licensing
The Cisco Firepower NGFW is sold with Cisco Smart Licensing.
Cisco understands that purchasing, deploying, managing, and tracking software licenses is complex. As a result, we are introducing Cisco Smart Software Licensing, a standardized licensing platform that helps customers understand how Cisco software is used across their network, thereby reducing administrative overhead and operating expenses.
With Smart Licensing, you have a complete view of software, licenses, and devices from one portal. Licenses are easily registered and activated and can be shifted between like hardware platforms. Additional information is available here: https:///web/ordering/smart-software-licensing/index.html. Related information, on Smart Licensing Smart Accounts, is available here: https:///web/ordering/smart-software-manager/smart-accounts.html.
Cisco Smart Net Total Care Support: Move Quickly with Anytime Access to Cisco Expertise and Resources
Cisco Smart Net Total Care™ is an award-winning technical support service that gives your IT staff direct anytime access to Technical Assistance Center (TAC) engineers and resources. You receive the fast, expert response and the dedicated accountability you require to resolve critical network issues.
Smart Net Total Care provides the following device-level support:
● Global access 24 hours a day, 365 days a year to specialized engineers in the Cisco TAC
● Anytime access to the extensive online knowledge base, resources, and tools
● Hardware replacement options include 2-hour, 4-hour, Next-Business-Day (NBD) advance replacement, as well as Return For Repair (RFR)
● Ongoing operating system software updates, including both minor and major releases within your licensed feature set
● Proactive diagnostics and real-time alerts on select devices with Smart Call Home
In addition, with the optional Cisco Smart Net Total Care Onsite Service, a field engineer installs replacement parts at your location and helps ensure that your network operates optimally.
For more information on Smart Net Total Care please visit: https:///c/en/us/services/portfolio/product-technical-support/smart-net-total-care.html.
Select Part Numbers
Tables 10, 11, and 12 provide details on part numbers for Cisco Firepower NGFW solutions. Please consult the Ordering Guide for additional configuration options and accessories.
Table 10. Cisco Firepower 2100 Series: Select Product Components
Table 11. Cisco Firepower 4100 Series: Select Product Components
Table 12. Cisco Firepower 9300: Select Product Components
*Note: Firepower 9300 may also be deployed as a dedicated threat sensor, with fail-to-wire network modules. Please contact your Cisco representative for details.
Table 13. Cisco Firepower NGFW Virtual
Note: These optional security services licenses can be ordered with 1-, 3-, or 5-year subscriptions.
Warranty Information
Find warranty information at the Product Warranties page.
Cisco Services
Cisco offers a wide range of service programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco Services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco services for security, visit https:///go/services/security.
Cisco Capital
Flexible payment solutions to help you achieve your objectives
Cisco Capital makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments.
Learn more.
More Information for Service Providers
For information about Cisco Firepower in service provider environments, please visit:
● https:///c/en/us/solutions/enterprise-networks/service-provider-security-solutions/
More Information about Firepower NGFWs
For further information about Cisco Firepower NGFWs, please visit:
● https:///go/ngfw
More Information about Cisco AnyConnect
● Cisco AnyConnect Secure Mobility Client: https:///go/anyconnect
● Cisco AnyConnect Ordering Guide: https:///c/dam/en/us/products/security/anyconnect-og.pdf
Cisco ASA 5585-X Next-Generation Firewall Product Data Sheet
Data Sheet
Cisco ASA 5585-X Next-Generation Firewall
Today’s enterprise networks struggle to keep up with a mobile workforce. Users expect on-demand access from their many devices, even as applications multiply and push performance levels. And of course security remains a priority. How do you scale and still preserve the integrity of the network? Start with the Cisco® ASA 5585-X Next-Generation Firewall, a compact yet high-density firewall that delivers tremendous scalability, performance, and security in a two-rack-unit (2RU) footprint.
Using a single firewall blade, the Cisco ASA 5585-X meets the growing needs of dynamic organizations by providing eight times the performance density, very high VPN session counts, twice as many connections per second, and four times the connection capacity of any competitive firewall.
Firewall Features
Support for Layer 3 and Layer 4 stateful firewall inspection features, including access control and network address translation, enables organizations to keep existing stateful inspection policies that are essential for compliance regulations. The context-aware Cisco Intrusion Prevention System (IPS) services provide the capability to act more intelligently and aggressively against threats that pose a significant risk to organizations.
In addition to comprehensive stateful inspection capabilities, Layer 7 next-generation policies act intelligently on contextual information. Cisco AnyConnect® technology provides information on the type and location of a mobile device before it accesses the network, so that administrators can maintain high levels of network protection and control. Threat intelligence feeds from Cisco Collective Security Intelligence (CSI) use the global footprint of Cisco security deployments to analyze approximately one-third of the world’s Internet traffic for near-real-time protection from zero-day threats.
Flexible Deployment Options
The Cisco ASA 5585-X supports two hardware blades in a single 2RU chassis.
The bottom slot (slot 0) hosts the ASA stateful inspection firewall module, while the top slot (slot 1) can be used for adding a dedicated Cisco IPS, Cisco ASA with FirePOWER Services, or a second stateful inspection firewall module. Multiple integrated security services within a single chassis provide broad deployment flexibility and investment protection. The ability to add a second stateful inspection firewall module doubles the firewall performance for superior scalability, performance density, and security for data center use cases. In addition, the top slot can optionally be populated with up to two Cisco ASA 5585-X I/O modules for high interface density for mission-critical data centers that require exceptional flexibility and security.
Clustering
Using Cisco ASA Software Release 9.0 and later, customers can combine up to 16 Cisco ASA 5585-X firewall modules in a single cluster for up to 640 Gbps of throughput, 2 million connections per second, and more than 100 million concurrent connections. This “pay as you grow” model enables organizations to purchase what they need today and dynamically add more when their performance needs grow. To protect high-performance data centers from internal and external threats, the cluster can be augmented by adding IPS modules.
Cisco ASA software clustering delivers a consistent scaling factor, irrespective of the number of units in the cluster, for a linear and predictable increase in performance. Complexity is reduced, as no changes are required to existing Layer 2 and Layer 3 networks. Support for data center designs based on the Cisco Catalyst® 6500 Series Virtual Switching System (VSS) and the Cisco virtual PortChannel (vPC) as well as the Link Aggregation Control Protocol (LACP) provides high availability (HA) with better network integration.
For operational efficiency, Cisco ASA clusters are easy to manage and troubleshoot. Policies pushed to the master node are replicated across all the units within the cluster.
The health, performance, and capacity statistics of the entire cluster, as well as individual units within the cluster, can be assessed from a single management console. Hitless software upgrades are supported for ease of device updates.Clustering supports HA in both active/active and active/passive modes. All units in the cluster actively pass traffic, and all connection information is replicated to at least one other unit in the cluster to support N+1 HA. In addition, single and multiple contexts are supported, along with routed and transparent modes. A single configuration is maintained across all units in the cluster using automatic configuration sync. Clusterwide statistics are provided to track resource usage.Cisco TrustSec IntegrationUsing Cisco ASA Software Release 9.0 and later, the Cisco ASA 5585-X provides context awareness through the integration of identity-based firewall security and Cisco TrustSec® security group tags for enhanced visibility and control. Identity-based firewall security provides more flexible access control to enforce policies based on user and group identities and the point of access. Administrators can write policies that correspond to business rules, a process that increases security, enhances ease of use, and requires fewer policies to manage. Similarly, Cisco TrustSec integration enables security group tags to be embedded into the network, providing administrators with the ability to develop and enforce better, more precise policies.Cut Costs While Improving Performance and SecurityThe Cisco ASA 5585-X Next-Generation Firewall delivers superior scalability, performance, and security to handle high data volumes without sacrificing performance. Most firewalls require up to 16RUs and 5100 watts to scale to the level of performance that the Cisco ASA 5585-X achieves with only 2RUs and 785 watts. 
This performance helps enterprises meet the increasing demands for network connectivity without the need to invest in additional data center space and incur the corresponding maintenance costs.
Based on tests conducted by Cisco, the Cisco ASA 5585-X significantly reduces initial procurement costs by 80 percent, power consumption costs by 85 percent, and rack space requirements by 88 percent in addition to significant reductions in overall integration and management complexity and costs. In addition, you can install up to two firewall modules in a single Cisco ASA 5585-X chassis, providing scalability to 80 Gbps.
Table 1 gives the capabilities of the four Cisco ASA 5585-X models.
Table 1. Cisco ASA 5585-X Next-Generation Firewall Capabilities and Capacities
Edge Edge Data center Data center
Unlimited Unlimited Unlimited Unlimited
1 Maximum throughput with UDP traffic measured under ideal test conditions.
2 “Multiprotocol” refers to a traffic profile consisting primarily of TCP-based protocols and applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
3 Available for the firewall feature set.
4 VPN throughput and maximum peers depend on the ASA device configuration and VPN traffic patterns, including average packet size. These elements should be taken into consideration as part of your capacity planning. Throughput represents the maximum possible IPsec throughput. Maximum sessions may be further limited by your throughput requirements. AnyConnect licenses required. See the AnyConnect Ordering Guide for details. Maximum sessions may be further limited by your throughput requirements.
5 AnyConnect licenses required. See the AnyConnect Ordering Guide for details. Maximum sessions may be further limited by your throughput requirements.
6 Available for the firewall feature set.
The following rows list the same value for all four models:
Form factor: 2RU, 19-in. rack-mountable
Dimensions (H x W x D): 3.47 x 19 x 26.5 in. (8.8 x 48.3 x 67.3 cm)
Weight: 50 lb (22.7 kg) with 1 SSP and single power supply; 62 lb (28.2 kg) with 2 modules per chassis and dual power supplies
Safety: UL 60950-1, CAN/CSA-C22.2 No. 60950-1, EN 60950-1, IEC 60950-1, AS/NZS 60950-1, GB4943
Electromagnetic compatibility (EMC): 47CFR Part 15 (CFR 47) Class A, AS/NZS CISPR22 Class A, CISPR22 Class A, EN55022 Class A, ICES003 Class A, VCCI Class A, EN61000-3-2, EN61000-3-3, KN22 Class A, CNS13438 Class A, EN50082-1, EN55024, CISPR24, EN300386, KN 61000-4 Series
Note: Performance numbers were tested and validated with Cisco ASA Software Release 8.4.
Cisco ASA 5585-X I/O Modules
Mission-critical data centers running Cisco ASA Software Release 8.4.4 and later can use the top slot of the Cisco ASA 5585-X to add up to two Cisco ASA 5585-X I/O modules for exceptional flexibility and security. With two Cisco ASA 5585-X I/O modules, a single Cisco ASA 5585-X can support up to twenty 10 Gigabit Ethernet ports or up to fifty 1 Gigabit Ethernet ports. Using the Cisco ASA 5585-X Divider, the top slot is partitioned into two half-slots, with each I/O module occupying one half-slot. When only one I/O module is installed, a half-slot blank cover is required to cover the empty half-slot.
Table 2 describes each of the Cisco ASA 5585-X I/O modules in more detail.
Table 2. Cisco ASA 5585-X I/O Modules
Table 3 lists the 10 Gigabit Ethernet Enhanced Small Form-Factor Pluggable (SFP+) and 1 Gigabit Ethernet SFPs that are supported.
Table 3. Supported SFP and SFP+ Modules
Optional DC Power Supplies
Service providers and data centers that require data-center-powered equipment can purchase Cisco ASA 5585-X data center power supply modules with built-in fans. These power supplies deliver up to 1150 watts of data center power for Cisco ASA 5585-X Next-Generation Firewalls. Two data center power supplies are required for each Cisco ASA 5585-X chassis. The minimum software required is Cisco ASA Software Release 8.4.5.
Warranty Information
Find warranty information at the Product Warranties page.
Ordering Information
Help customers understand all the components or parts they need to purchase in order to install and use the product.
To place an order, visit the Cisco How to Buy homepage.
Table 4 lists part numbers for customer convenience.
Table 4. Ordering Information
To Download the Software
Visit the Cisco Software Center to download Cisco ASA Software.
Service and Support
Cisco services help you protect your network investment, improve network operations, and prepare your network for new applications to extend network intelligence and the power of your business.
Included in the "Operate" phase of the service lifecycle are the Cisco Security IntelliShield® Alert Manager Service, Cisco SMARTnet™ services, the Cisco SP Base, and Cisco Services for IPS. These services are suitable for enterprise, commercial, and service provider customers.
Cisco Security IntelliShield Alert Manager Service provides a customizable, web-based threat and vulnerability alert service that allows organizations to easily access timely, accurate, and credible information about potential vulnerabilities in their environment.
Cisco Services for IPS supports modules, platforms, and bundles of platforms and modules that feature Cisco IPS capabilities. Cisco SMARTnet and Cisco SP Base support other products in this family.
For More Information
For more information, please visit the following links:
● Cisco ASA 5500-X Series Next-Generation Firewalls: /en/US/products/ps6120/index.html
● Cisco ASA with FirePOWER Services: /c/en/us/products/security/asa-firepower-services/index.html
● Cisco IPS for ASA 5585-X Data Sheet: /c/dam/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/data_sheet_c78_459036.pdf
● Cisco FirePOWER for ASA 5500-X data sheet: /c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-732253.html
● Cisco Cloud Web Security: /en/US/products/ps11720/index.html
● Cisco TrustSec Solutions: /en/US/netsol/ns1051/index.html
● Cisco AnyConnect®: /go/anyconnect
● Cisco AnyConnect® Ordering Guide: /c/en/us/products/security/anyconnect-secure-mobility-client/sales-resources-listing.html
● Cisco Security Manager: /en/US/products/ps6498/index.html
● Cisco Adaptive Security Device Manager: /en/US/products/ps6121/index.html
● Cisco Security Services: /en/US/products/svcs/ps2961/ps2952/serv_group_home.html
● Cisco ASA 5500-X Series Next-Generation Firewall Licensing Information: /en/US/products/ps6120/products_licensing_information_listing.html
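Insight into Unknown Threats: Hillstone Networks Releases New Version of Its Intelligent Next-Generation Firewall
Staff reporter: Li Qingli
… on the basis of the next-generation firewall products, it fully implements intelligent next-generation firewall functionality. The two intelligent engines it uses for the first time, the "Unknown Threat Detection Engine" and the "Abnormal Behavior Detection Engine", together with a brand-new security visualization interface and policy linkage, are the highlights of the new version. The two engines systematically analyze the "behavioral big data" generated by the operation of the user's network and use policy linkage to mitigate risk in real time, achieving a closed security loop of discovery, visibility, and control.
Reportedly, traditional firewalls use detection based on code signatures and can only find the threat types covered by the signature database. Once malicious code is turned into a variant through code obfuscation, encryption, or similar means and becomes an unknown threat, a traditional firewall cannot identify it. The new product, which uses the "Unknown Threat Detection Engine" and the "Abnormal Behavior Detection Engine", breaks through the bottleneck of traditional security detection technology: based on host application-layer behavior anomalies and a multi-dimensional dynamic business security model, it effectively discovers malware and greatly improves the sensitivity and accuracy of attack detection. "If a traditional firewall is compared to a building's doorman, mainly responsible for checking the credentials of people entering and leaving, then the new firewall is more like the building's 'surveillance system', which uses cameras placed in every corner of the building to spot security risks at all times," said Liu Xiangming, CTO of Hillstone Networks.
… perfectly combines intelligent security with the next-generation firewall, changing the passive, mechanical defense of the past into intelligent risk warning and control, and creating an epoch-making next-generation intelligent firewall product.
"The rapid development of networks has pushed network security to a whole new level, the iteration of security products is becoming more pronounced, and intelligent security will be one of the important components of future network security," said Luo Dongping. As a network security vendor, Hillstone Networks must have its security products in place before threats do damage, giving users the most timely security protection.
90 FINANCIAL COMPUTER OF CHINA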
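Hillstone Networks Next-Generation Firewall Basic Configuration Guide
StoneOS 5.5R8/R9/R10
Hillstone Networks Inc.
Service hotline: 400 828 6655
Contents
1 Device Management
1.1 Terminal Console Management
1.2 WebUI Login
1.3 Restoring Factory Settings
1.3.1 Using the CLI
1.3.2 Using the WebUI Graphical Interface
1.3.3 Using the Hardware CLR
1.4 Device System (StoneOS) Upgrade
1.4.1 Upgrading via Sysloader
1.4.2 Upgrading via the CLI
1.4.3 Upgrading via the WebUI
1.5 License Installation
1.5.1 Installing via the CLI
1.5.2 Installing via the WebUI
2 Basic Internet Access Configuration
2.1 Interface Configuration
2.2 Route Configuration
2.3 Policy Configuration
2.4 Source NAT (SNAT) Configuration
3 Common Feature Configuration
3.1 PPPoE Dial-up Configuration
3.2 Dynamic Address Assignment (DHCP) Configuration
3.3 DNS Server Configuration
3.4 IP-MAC Address Binding Configuration
3.5 End-to-End IPSec VPN Configuration
3.5.1 Configuring the Phase 1 (P1) Proposal
3.5.2 Configuring the ISAKMP Gateway (Phase 1)
3.5.3 Configuring the Phase 2 (P2) Proposal
3.5.4 Configuring the IKE VPN Tunnel (Phase 2)
3.5.5 Configuring the Tunnel Interface
3.5.6 Configuring Tunnel Routes and Security Policies
3.5.7 Viewing VPN Status
3.6 Remote-Access SCVPN Configuration
3.7 Destination NAT (DNAT) Configuration
3.7.1 IP Address Mapping
3.7.2 IP + Port Mapping
4 Supplementary Notes
5 Attachments
1 Device Management
The security gateway supports both local and remote configuration environments and can be configured through either the CLI or the WebUI.
The CLI supports the mainstream management protocols, including Console, Telnet, and SSH.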
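Sangfor Next-Generation Firewall Internet Egress Solution
The Sangfor next-generation firewall Internet egress solution is a network security solution based on the latest technology, designed to give enterprises more reliable, higher-performance Internet access.
The solution includes a range of functions and features that effectively address the security and performance problems enterprises face at the Internet egress.
First, the solution has powerful security functions.
By combining technologies such as situational awareness, vulnerability management, and malicious code detection, it effectively identifies and blocks a wide range of network threats.
Compared with traditional firewalls, it can more accurately identify and intercept advanced threats such as zero-day vulnerability attacks and APT attacks.
It can also share threat intelligence in real time and update security policies promptly, improving network security.
Second, the solution is high-performance.
It uses several techniques to increase network throughput and response speed.
These include multi-core concurrent processing and hardware acceleration.
Applying these techniques greatly improves network performance, reduces latency, and improves the user's access experience.
In addition, the solution offers flexible management.
It provides a centralized management platform for unified management and monitoring of the entire network.
Through this platform, administrators can configure the firewall, update security policies, view network status, and so on.
It also supports flexible authorization models, so that administrators can apply different levels of authorization and management to different departments or users.
The solution is also highly reliable.
It supports redundant configuration and hot standby and switches over automatically when a device fails, ensuring continuous network availability.
It also supports real-time fault detection and alerting, so that network faults are found and resolved promptly, improving network stability.
Finally, the solution scales well.
It supports flexible modular expansion according to enterprise needs, so new functions and features can be added as the business requires.
It also supports elastic scaling, automatically adjusting resource allocation according to network load, which improves the system's scalability and adaptability.
In summary, the Sangfor next-generation firewall Internet egress solution is a feature-rich, high-performance, secure and reliable network security solution.
It helps enterprises comprehensively improve network security, raise network performance, and reduce operations and maintenance costs, making it an ideal choice for the enterprise Internet egress.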
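Cisco Launches Next-Generation Firewall Clustering
Longyuan Journal Network
Author: Chen Qu
Source: China Informatization Weekly (《中国信息化周报》), 2013, Issue 21
To solve the problems of traditional firewall clustering, Cisco recently launched ASA, a next-generation firewall cluster.
The product has the following features. First, it offers linear, elastic performance scaling: it uses "stateless load balancing" to share traffic load among the firewalls in the cluster.
The firewall cluster is deployed between two routing devices, so that traffic is distributed to the firewalls through equal-cost routing, policy-based routing, or link bundling.
When more performance is needed, a new firewall is simply added to the network in parallel.
When a link failure leaves traffic asymmetric, the product uses its own firewall retrieval algorithm to automatically send the traffic back to the firewall that holds the corresponding session for processing.
Likewise, if the peer routing device's link load-sharing algorithm does not distribute traffic evenly enough, the product can, as configured, automatically balance load onto other firewalls, solving the problem of uneven load balancing.
Second, the product can extend the original two-firewall active/active mode to three-active, four-active, and up to a maximum of 8 devices working in the active state at the same time.
The sessions of any one firewall are backed up evenly to the other firewalls.
If that firewall fails, the other firewalls together take over its traffic, achieving seamless failover.
Third, the product uses single-point management, so that maintenance staff manage all firewalls in the cluster through one management interface.
This includes single-point configuration, single-point viewing of statistics, and logging.
It also supports cluster-based troubleshooting, for example capturing packets within the cluster, viewing the packet processing flow within the cluster, and session lookup.
Finally, the product can scale firewall throughput, new sessions, concurrent connections, and NAT connections, and provides multi-active redundancy for seamless failover when a single device fails.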
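Cisco Firepower NGFW
Product Brochure
The Cisco Firepower® NGFW (next-generation firewall) is the industry's first threat-focused next-generation firewall. It fully integrates multiple functions under unified management and delivers unique advanced threat protection before, during, and after attacks.
Stop more threats
Gain superior visibility
Detect and respond faster
Reduce complexity
Get more value from your network
Performance Highlights
Table 1 summarizes the performance highlights of the Cisco Firepower 4100 Series NGFW, 9300 Series security appliances, and select Cisco ASA 5500-X appliances.
Table 1. Appliance performance highlights
1 Throughput calculated with HTTP sessions with an average packet size of 1024 bytes
2 1024-byte TCP firewall performance
Note: NGFW performance varies depending on network and traffic characteristics.
Consult your Cisco representative if you need help determining the right product.
Performance is subject to change with software updates.
Cisco Firepower 2100 Series: the industry's first midrange NGFWs that sustain stable performance when threat inspection is enabled
Cisco Firepower 4100 Series: the industry's first 1RU NGFWs with 40-Gbps interfaces
Cisco Firepower 9300: ultra-high-performance NGFW that scales as your needs grow
Cisco ASA 5500-X Series: models for branch offices, industrial applications, and the Internet edge
Firepower NGFWv: NGFW for virtual and cloud environments
Platform Image Support
The Cisco Firepower NGFW includes Application Visibility and Control (AVC), optional next-generation IPS (NGIPS), Cisco® Advanced Malware Protection (AMP) for Networks, and URL filtering.
The Cisco Firepower 2100 Series, 4100 Series, and 9300 appliances use the Cisco Firepower Threat Defense software image.
In addition, the Cisco Firepower 2100 Series, 4100 Series, and 9300 appliances also support the Cisco Adaptive Security Appliance (ASA) software image.
Management Options
The Cisco Firepower NGFW offers several management options, so you can choose according to how you work, your environment, and your specific needs.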
Hillstone T-Series Intelligent Next-Generation Firewall T3860 / T5060 / T5860 User Guide
According to the latest research, 66 percent of security breaches go undetected for 7-8 months. And more than 85 percent of breaches originate from the web, with drive-by downloads being the top web threat. This implies two things: first, a user does not have to click on anything to become infected with malware; and second, all organizations have infected hosts inside their network.
Hillstone's T-Series intelligent Next-Generation Firewall (iNGFW) is an application-aware firewall that continuously monitors the network. It can identify attacks on all operating systems, applications, devices and browsers. It provides visibility into every stage of an attack and it can detect security breaches within minutes/seconds. It prioritizes hosts with the greatest security risks and provides contextual information about the threat. Security administrators can drill down into the attack, including packet captures, to analyze all threat details.
Hillstone's T-Series is designed for mid to large sized enterprises that need advanced levels of security, enhanced visibility, and continuous network uptime.
- Outbound link load balancing includes policy based routing, ECMP and weighted, embedded ISP routing and dynamic detection
- Inbound link load balancing supports SmartDNS and dynamic detection
- Automatic link switching based on bandwidth and latency
- Link health inspection with ARP, PING, and DNS
VPN
• IPSec VPN:
- IPSEC Phase 1 mode: aggressive and main ID protection mode
- Peer acceptance options: any ID, specific ID, ID in dialup user group
- Supports IKEv1 and IKEv2 (RFC 4306)
- Authentication method: certificate and pre-shared key
- IKE mode configuration support (as server or client)
- DHCP over IPSEC
- Configurable IKE encryption key expiry, NAT traversal keep alive frequency
- Phase 1/Phase 2 Proposal encryption: DES, 3DES, AES128, AES192, AES256
- Phase 1/Phase 2 Proposal authentication: MD5, SHA1, SHA256, SHA384, SHA512
- Phase 1/Phase 2 Diffie-Hellman support: 1, 2, 5
- XAuth as server mode and for dialup users
- Dead peer detection
- Replay detection
- Autokey keep-alive for Phase 2 SA
• IPSEC VPN realm support: allows multiple custom SSL VPN logins associated with user groups (URL paths, design)
• IPSEC VPN configuration options: route-based or policy based
• IPSEC VPN deployment modes: gateway-to-gateway, full mesh, hub-and-spoke, redundant tunnel, VPN termination in transparent mode
• One time login prevents concurrent logins with the same username
• SSL portal concurrent users limiting
• SSL VPN port forwarding module encrypts client data and sends the data to the application server
• SSL VPN tunnel mode supports clients that run iOS, Android, and Windows XP/Vista including 64-bit Windows OS
• Host integrity checking and OS checking prior to SSL tunnel connections
• MAC host check per portal
• Cache cleaning option prior to ending SSL VPN session
• L2TP client and server mode, L2TP over IPSEC, and GRE over IPSEC
• View and manage IPSEC and SSL VPN connections
User and Device Identity
• Local user database
• Remote user authentication: LDAP, Radius, Active Directory
• Single-sign-on: Windows AD
• 2-factor authentication: 3rd party support, integrated token server with physical and SMS
• User and device-based policies
IPS
• 7,000+ signatures, protocol anomaly detection, rate-based detection, custom signatures, manual, automatic push or pull signature updates, integrated threat encyclopedia
• IPS Actions: default, monitor, block, reset (attackers IP or victim IP, incoming interface) with expiry time
• Packet logging option
• Filter Based Selection: severity, target, OS, application or protocol
• IP exemption from specific IPS signatures
• IDS sniffer mode
• IPv4 and IPv6 rate based DOS protection with threshold settings against TCP Syn flood, TCP/UDP/SCTP port scan, ICMP sweep, TCP/UDP/SCTP/ICMP session flooding (source/destination)
• Active bypass with bypass interfaces
• Provides predefined template of defense configuration
• Predefined prevention configuration
Threat Protection
• Breach Detection
- Near real-time breach detection (seconds/minutes)
- Detailed description and severity of malware closely resembling attack
- Pcap files and log files provide corroborating evidence
- Confidence level provides certainty of attack
• Network Behavior Analysis
- L3-L7 baseline traffic compared to real-time traffic to reveal anomalous network behavior
- Built-in mitigation technologies include: session limits, bandwidth limits and blocking
- Graphical depiction of anomalous behavior compared to baseline and upper and lower thresholds
• Network Risk Index quantifies the threat level of the network based on the aggregate host index.
• Host Risk Index quantifies the host threat level based on attack severity, detection method, and confidence level.
• Over 1.3 million AV signatures
• Botnet server IP blocking with global IP reputation database
• Flow-based Antivirus: protocols include HTTP, SMTP, POP3, IMAP, FTP/SFTP
• Flow-based web filtering inspection
• Manually defined web filtering based on URL, web content and MIME header
• Dynamic web filtering with cloud-based real-time categorization database: over 140 million URLs with 64 categories (8 of which are security related)
• Additional web filtering features:
- Filter Java Applet, ActiveX or cookie
- Block HTTP Post
- Log search keywords
- Exempt scanning encrypted connections on certain categories for privacy
• Web filtering profile override: allows administrator to temporarily assign different profiles to user/group/IP
• Web filter local categories and category rating override
• Proxy avoidance prevention: proxy site category blocking, rate URLs by domain and IP address, block redirects from cache & translation sites, proxy avoidance application blocking, proxy behavior blocking (IPS)
• Inspect SSL encrypted traffic.
Application Control
• Over 3,000 applications that can be filtered by name, category, subcategory, technology and risk
• Each application contains a description, risk factors, dependencies, typical ports used, and URLs for additional reference
• Actions: block, reset session, monitor, traffic shaping
High Availability
• Redundant heartbeat interfaces
• Active/Passive
• Standalone session synchronization
• HA reserved management interface
• Failover:
- Port, local & remote link monitoring
- Stateful failover
- Sub-second failover
- Failure notification
• Deployment Options:
- HA with link aggregation
- Full mesh HA
- Geographically dispersed HA
Administration
• Management access: HTTP/HTTPS, SSH, telnet, console
• Central Management: Hillstone Security Manager (HSM), web service APIs
• System Integration: SNMP, syslog, alliance partnerships
• Rapid deployment: USB auto-install, local and remote script execution
• Dynamic real-time dashboard status and drill-in monitoring widgets
• Language support: English
Logs & Reporting
• Logging facilities: local memory and storage (if available), multiple syslog servers and multiple Hillstone Security Audit (HSA) platforms
• Encrypted logging and log integrity with HSA scheduled batch log uploading
• Reliable logging using TCP option (RFC 3195)
• Detailed traffic logs: forwarded, violated sessions, local traffic, invalid packets
• Comprehensive event logs: system and administrative activity audits, routing & networking, VPN, user authentications, WiFi related events
• IP and service port name resolution option
• Brief traffic log format option
Product Specification
4GE Bypass Extension Module IOC-4XFP 8SFP+ Extension Module 4SFP+ Extension Module 4 x SFP+, SFP+ module not included
(1) IPS Throughput data is obtained under 1M-byte-payload HTTP traffic with test of 32K-byte scanning.
(2) AV Throughput data is obtained under 1M-byte-payload HTTP traffic with file attachment.
(3) IPSec Throughput data is obtained under Preshare Key AES256+SHA-1 configuration and 1400-byte packet size.
Unless specified otherwise, all performance, capacity and functionality are based on StoneOS 5.5R1. Results may vary based on StoneOS® version and deployment.
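Data Sheet
Cisco Firepower Next-Generation Firewall
The Cisco Firepower™ Next-Generation Firewall (NGFW) is the industry's first fully integrated, threat-focused next-generation firewall with unified management.
It includes Application Visibility and Control (AVC), optional Firepower next-generation IPS (NGIPS), Cisco® Advanced Malware Protection (AMP), and URL filtering.
The Cisco Firepower NGFW provides advanced threat protection before, during, and after attacks.
Performance Highlights
Table 1 summarizes the performance highlights of the Cisco Firepower NGFW 4100 Series and 9300 appliances.
Table 1. Performance highlights
1 The Cisco Firepower 4150 is scheduled for release in the first half of 2016; detailed specifications will be published at a later date.
2 HTTP sessions with an average packet size of 1024 bytes
Cisco Firepower 4100 Series: the industry's first 1RU NGFW with 40-GbE interfaces
Cisco Firepower 9300: ultra-high-performance NGFW that scales as your needs grow
Platform Support
The Cisco Firepower 4100 Series and Firepower 9300 NGFW appliances use the Cisco Firepower Threat Defense software image.
These appliances can also support the Cisco Adaptive Security Appliance (ASA) software image.
Cisco Firepower Management Center (formerly FireSIGHT) provides unified management of the Cisco Firepower NGFW as well as Cisco Firepower NGIPS and Cisco AMP.
In addition, Radware DefensePro distributed denial-of-service (DDoS) mitigation is available directly from Cisco on select Cisco Firepower appliances.
Cisco Firepower 4100 Series Appliances
The Cisco Firepower 4100 Series comprises four threat-focused NGFW security platforms.
Their maximum throughput ranges from 20 Gbps to more than 60 Gbps, addressing use cases from the Internet edge to the data center.
They deliver superior threat defense and faster response times in a smaller footprint.
Cisco Firepower 9300 Appliance
The Cisco Firepower 9300 is a scalable (beyond 1 Tbps), carrier-grade, modular platform built for service providers, high-performance computing centers, data centers, campuses, high-frequency trading environments, and other environments that require low latency (less than 5 microseconds offload) and very high throughput.
Through RESTful APIs, the Cisco Firepower 9300 provides offload and programmable orchestration and management of security services.
It is also available in NEBS-compliant configurations.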
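Performance Specifications and Feature Highlights
Table 2 summarizes the capabilities of the Cisco Firepower NGFW 4100 Series and 9300 appliances when running the Cisco Firepower Threat Defense image.
Table 2. Performance specifications and feature highlights with the Firepower Threat Defense image
1 The Cisco Firepower 4150 is scheduled for release in the first half of 2016; detailed specifications will be published at a later date.
2 Maximum throughput measured with User Datagram Protocol (UDP) traffic under ideal test conditions.
3 Performance will vary depending on the features activated, the network traffic protocol mix, and packet size characteristics.
Table 3 summarizes the performance and capabilities of the Cisco Firepower 4100 Series and 9300 appliances when running the ASA image.
Table 3. ASA performance and capabilities
1 The Cisco Firepower 4150 is scheduled for release in the first half of 2016; detailed specifications will be published at a later date.
2 Maximum throughput measured with User Datagram Protocol (UDP) traffic under ideal test conditions.
3 "Multiprotocol" refers to a traffic profile consisting primarily of TCP-based protocols and applications such as HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
4 Available for the firewall feature set.
5 In a non-clustered configuration.
Hardware Specifications
Tables 4 and 5 summarize the hardware specifications of the 4100 Series and the 9300, respectively.
Table 6 summarizes regulatory standards compliance.
Table 4. Cisco Firepower 4100 Series hardware specifications
1 Dual power supplies are hot-swappable.
2 A DC power option is expected to be available for the Cisco Firepower 4110 and 4120 in the second half of 2016.
Table 5. Cisco Firepower 9300 hardware specifications
* Minimum turn-on voltage is -44V DC
Table 6. Cisco Firepower 4100 Series and Cisco Firepower 9300 NEBS, regulatory, safety, and EMC compliance
Radware DefensePro DDoS Mitigation
Radware DefensePro DDoS mitigation is currently available and supported directly from Cisco on the Cisco Firepower 4150 and 9300 with the ASA software image.
In the future, it will also be available on other select Cisco Firepower appliances and with the Firepower Threat Defense software image.
Radware DefensePro DDoS mitigation is an award-winning, real-time perimeter attack mitigation solution that protects organizations against emerging network and application threats.
It protects the application infrastructure against network and application downtime (or slowdown), helping organizations defend against availability attacks and keep winning the security battle.
Radware DDoS Mitigation: Protection Set
Radware DDoS mitigation includes patented, adaptive, behavior-based real-time signature technology that detects and mitigates zero-day network and application DDoS attacks in real time.
It eliminates the need for human intervention and does not block legitimate user traffic when under attack.
The system detects and mitigates the following attacks:
● SYN flood attacks
● Network DDoS attacks, including IP floods, ICMP floods, TCP floods, UDP floods, and IGMP floods
● Application DDoS attacks, including HTTP floods and DNS query floods
● Anomalous flood attacks, such as nonstandard and malformed packet attacks
Performance
The performance figures in Table 7 apply to a Cisco Firepower 9300 with a single (SM-24 or SM-36) Security Module.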
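Table 7. Key DDoS performance metrics with the FirePOWER 9300
Ordering Information
Cisco Smart Licensing
The Cisco FirePOWER NGFW is sold with Cisco Smart Licensing.
Cisco understands that purchasing, deploying, managing, and tracking software licenses is complex.
We have therefore introduced Cisco Smart Software Licensing, a standardized licensing platform that helps customers understand how Cisco software is used across their network, reducing administrative overhead and operating expenses.
With Smart Licensing, you get a complete view of software, licenses, and devices from a single portal.
You can easily register and activate licenses and move them, for example between hardware platforms.
More information is available at: /web/ordering/smart-software-licensing/index.html.
Information about Smart Accounts for Smart Licensing is available at: /web/ordering/smart-software-manager/smart-accounts.html.
Cisco Smart Net Total Care Support: Move Quickly with Anytime Access to Cisco Expertise and Resources
Cisco Smart Net Total Care™ is an award-winning technical support service that gives IT staff direct, anytime access to Technical Assistance Center (TAC) engineers and to resources.
You receive fast, expert responses and the specific guidance needed to resolve critical network issues.
Smart Net Total Care provides the following device-level support:
● Global access to specialist Cisco TAC engineers 24 hours a day, 365 days a year
● Anytime access to the extensive online knowledge base, resources, and tools
● Hardware replacement options including 2-hour, 4-hour, and next-business-day (NBD) advance replacement, as well as return for repair (RFR)
● Ongoing operating system software updates, including both minor and major releases within the licensed feature set
● Proactive diagnostics and real-time risk alerts on select devices with Smart Call Home
In addition, the optional Cisco Smart Net Total Care Onsite Service provides a field engineer to install replacement parts at your location, helping ensure that the network runs well.
For more information about Smart Net Total Care, visit: /c/en/us/services/portfolio/product-technical-support/smart-net-total-care.html.
Select Part Numbers
Tables 8 and 9 provide part number details for Cisco Firepower NGFW solutions.
Refer to the ordering guide for additional configuration options and accessories.
Table 8. Cisco Firepower 4100 Series: select product components
Table 9. Cisco Firepower 9300: select product components
Warranty Information
You can find warranty information on the Product Warranties page.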
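Cisco Services
Cisco offers a wide range of service programs to help customers succeed quickly.
These innovative service programs are delivered through a combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction.
Cisco services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business.
For more information about Cisco security services, visit /go/services/security.
Cisco Capital
Financing to Help You Achieve Your Objectives
Cisco Capital® financing can help you acquire the technology you need to achieve your objectives and stay competitive.
We can help you reduce capital expenditure, accelerate your growth, and optimize your investment and ROI.
Cisco Capital financing gives you more flexibility when acquiring hardware, software, services, and complementary third-party equipment.
Cisco Capital can provide you with a predictable payment.
Cisco Capital is available in more than 100 countries.
Learn more.
More Information for Service Providers
For information about Cisco Firepower in service provider environments, visit:
● /c/en/us/solutions/enterprise-networks/service-provider-security-solutions/
More Information About Firepower NGFW
For more information about the Cisco Firepower NGFW, visit:
● /go/ngfw
More Information About Cisco AnyConnect
● Cisco AnyConnect Secure Mobility Client: /go/anyconnect
● Cisco AnyConnect Ordering Guide: /c/dam/en/us/products/security/anyconnect-og.pdf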