Cisco PIX Firewall and Cisco ASA Adaptive Security Appliance Models and Features
PIX Firewall Family
ASA Adaptive Security Appliance Family
Cisco PIX Firewall 501 Security Appliance
•Designed for small offices and teleworkers
•7500 concurrent connections
•60-Mbps throughput
•Interface support
–Supports one 10/100BASE-T* Ethernet interface (outside)
–Has four-port 10/100 switch (inside)
•VPN throughput
–3-Mbps 3DES
–4.5-Mbps 128-bit AES
•Ten simultaneous VPN peers
*100BASE-T speed option is available in release 6.3.
PIX Firewall 501: Front Panel LEDs
PIX Firewall 501: Back Panel
PIX Firewall 506E Security Appliance
•Is designed for remote offices and small- to medium-sized businesses
•Provides 25,000 concurrent connections
•Provides 100-Mbps clear text throughput
•Supports two interfaces
–10/100BASE-T*
–Two VLANs*
•Provides VPN throughput
–17-Mbps 3DES
–30-Mbps 128-bit AES
•Provides 25 simultaneous VPN peers
*100BASE-T speed option is available in PIX Firewall Security Appliance Software v6.3 for 506E only. Two VLANs are supported in release 6.3(4).
PIX Firewall 506E: Front Panel LEDs
PIX Firewall 506E: Back Panel
PIX Firewall 515E Security Appliance
•Is designed for small- to medium-sized businesses and enterprise networks
•Provides 130,000 concurrent connections
•Provides 190-Mbps clear text throughput
•Provides interface support
–Up to six 10/100 Fast Ethernet interfaces
–Up to 25 VLANs
–Up to five contexts
•Supports failover
–Active/standby
–Active/active
•Supports VPNs (2,000 tunnels)
–Site to site
–Remote access
PIX Firewall 515E: Front Panel LEDs
PIX Firewall 515E: Back Panel
PIX Firewall 515E: Fixed Interface Connectors
PIX Firewall 515E: Expansion Slot Option Cards
PIX Firewall 515E: Fast Ethernet Card Port Numbering
PIX Firewall 525 Security Appliance
•Is designed for enterprise networks
•Provides 280,000 concurrent connections
•Provides 330-Mbps clear text throughput
•Provides interface support
–Up to ten 10/100 Fast Ethernet interfaces
–Up to 100 VLANs
–Up to 50 contexts
•Supports failover
–Active/standby
–Active/active
•Supports VPNs (2,000 tunnels)
–Site to site
–Remote access
PIX Firewall 525: Front Panel LEDs
PIX Firewall 525: Back Panel
PIX Firewall 525: Fixed Interface Connectors
PIX Firewall 525: Expansion Cards and VACs
PIX Firewall 535 Security Appliance
•Is designed for enterprise and service providers
•Provides 500,000 concurrent connections
•Provides 1.65-Gbps clear text throughput
•Provides interface support
–Up to 14 Fast and Gigabit Ethernet interfaces
–Up to 150 VLANs
–Up to 50 contexts
•Supports failover
–Active/standby
–Active/active
•Supports VPNs (2,000 tunnels)
–Site to site
–Remote access
PIX 535: Front Panel LEDs
PIX 535: Back Panel
PIX Firewall 535: Option Cards
ASA 5500 Adaptive Security Appliance Family
ASA Adaptive Security Appliance Family
Cisco ASA 5510 Adaptive Security Appliance
•Delivers all-in-one enterprise, remote office, and small- to medium-sized business security and VPN gateway
•Provides 64,000 concurrent connections
•Provides 300-Mbps firewall throughput
•Provides interface support
–Up to five 10/100 Fast Ethernet interfaces
–Up to ten VLANs
•Supports failover
–Active/standby
•Supports VPNs
–Site to site
–Remote access
–WebVPN
•Supports AIP-SSM-10 (optional)
Cisco ASA 5520 Adaptive Security Appliance
•Delivers all-in-one enterprise and small- to medium-sized business headend security and VPN gateway
•Provides 130,000 concurrent connections
•Provides 450-Mbps firewall throughput
•Provides Interface support
–Four 10/100/1000 Gigabit Ethernet interfaces
–One 10/100 Fast Ethernet interface
–Up to 25 VLANs
–Up to 10 contexts
•Supports failover
–Active/standby
–Active/active
•Supports VPNs
–Site to site
–Remote access
–WebVPN
•Supports AIP-SSM-10 (optional)
Cisco ASA 5540 Adaptive Security Appliance
•Delivers all-in-one enterprise and small- to medium-sized business headend security and VPN gateway
•Provides 280,000 concurrent connections
•Provides 400-Mbps firewall throughput
•Provides Interface support
–Four 10/100/1000 Gigabit Ethernet interfaces
–One 10/100 Fast Ethernet interface
–Up to 100 VLANs
–Up to 50 contexts
•Supports failover
–Active/standby
–Active/active
•Supports VPNs
–Site to site (5,000 peers)
–Remote access
–WebVPN
•Supports AIP-SSM-20 (optional)
ASA 5500 Series: Front Panel
ASA 5500 Series: Back Panel
ASA 5500 Series: Connectors
ASA 5500 Back Panel
Firewall Services Module (FWSM)
•Integrates into Cisco 6500 Series switches and Cisco 7600 Series Internet routers
•High-performance module designed to provide additional security services
•Diskless (Flash-based) design for improved reliability
•Gigabit Ethernet port for out-of-band management
Key Features of the FWSM
1. High performance: 5 Gbit/s throughput with full-duplex firewall functionality.
2. 3 million packets per second throughput.
3. Supports 100 VLANs.
4. 1 million concurrent connections.
5. LAN failover
6. OSPF and RIP protocol support
7. Multiple FWSM modules supported per device.
Installing the FWSM in a Catalyst 6500
Installing the FWSM in a Cisco 7609 Router
AIP-SSM
How to defend against attacks?
Differences between IDS and IPS
PIX Firewall Security Appliance Licensing
License Types
•UR: Allows installation and use of the maximum number of interfaces and RAM supported by the platform.
•Restricted: Limits the number of interfaces supported and the amount of RAM available within the system (no contexts and no failover).
•Active/standby failover: Places one security appliance in a failover mode for use alongside a security appliance that has a UR license. Only one unit can be actively processing user traffic; the other unit acts as a hot standby.
•Active/active failover: Places a security appliance that has a UR license in a failover mode for use alongside another security appliance that has a UR license, or two UR licenses. Both units can actively process traffic while serving as a backup for each other.
Applies to PIX Firewall 515/515E, 525, and 535
VPN Encryption Licenses
•DES license
–Provides 56-bit DES
•3DES/AES license
–Provides 168-bit 3DES
–Provides up to 256-bit AES
PIX 515E, 525, and 535 Licensing
ASA Series Product Licensing
ASA Security Context Licensing
Default
•Two contexts
Available Context Licenses
•5 contexts
•10 contexts
•20 contexts
•50 contexts
Upgrade Licenses
•From 5 to 10 contexts
•From 10 to 20 contexts
•From 20 to 50 contexts
PIX vs. ASA
•SSL VPN: not supported on PIX
•AIP-SSM module: not supported on PIX
•VPN clustering and load balancing: not supported on PIX
•Flash card: not supported on PIX
•AUX interface: not supported on PIX
Summary
•There are currently 8 PIX Firewall and ASA Adaptive Security Appliance models.
–Cisco PIX 500 Firewall Series: 501, 506E, 515E, 525, and 535
–Cisco ASA 5500 Series: 5510, 5520, and 5540
•Your security appliance license determines the level of service and available features of your security appliance, and the number of interfaces it supports.
•Restricted, unrestricted, and failover licenses are available for PIX Firewall Security Appliance models 515E, 525, and 535.
•The Cisco Firewall Services Module for the Cisco Catalyst 6500 Switches and the Cisco 7600 Series Internet Routers provides an alternative to the security appliance.
Reference: Cisco