© 2006 Cisco Systems, Inc. All rights reserved. SND v2.04-1 Configuring a Cisco IOS Firewall Defending Your Network with the Cisco Firewall Product Family.

Transcript:


Outline
- Overview
- Introducing the Cisco Firewall Product Family
- Cisco IOS Firewall Features
- When to Choose a Cisco IOS Firewall Solution
- Introducing Cisco PIX 500 Series Security Appliances
- Introducing Cisco ASA 5500 Series Adaptive Security Appliances
- Developing an Effective Firewall Policy
- Summary

Cisco Firewall Product Family
- Cisco IOS Firewall
- Cisco PIX 500 Series Security Appliances
- FWSM for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 5500 Series Adaptive Security Appliances

Cisco IOS Firewall Features
- Stateful inspection firewall
- Application and protocol inspection and control
- Dynamic, per-user authentication and authorization
- Dynamic and static NAT and PAT
- Content filtering
- Remote management
- Administrative access control with AAA
- Multiple DMZ support
- Extensive multimedia support, including streaming video, streaming audio, and voice applications
- DoS protection
- Secure dynamic routing
- Firewall virtualization

When to Use a Cisco IOS Firewall

Choose the Cisco IOS Firewall when you need:
- A one-box solution with powerful security, QoS, multiprotocol routing, integrated WAN interfaces, and voice application support
- To leverage network infrastructure for security
- Extensive VPN support integrated with a firewall in a single device

Environment: Routers and Switches
- Small and home office: Cisco 800 Series, 1700 Series, and 1800 Series Routers
- Branch and extranet environments: Cisco 2600 and 3600 Series Multiservice Platforms and Cisco 2800 Series Integrated Services Routers, Cisco 3700 Series Multiservice Access Routers, and 3800 Series Integrated Services Routers
- VPN and WAN aggregation points; high-throughput environments: Cisco 7200 Series Routers, 7301 Router, and 7400 Series Routers; Cisco Route Switch Modules; Cisco Catalyst 5000 and Catalyst 6000 Series Switches

Cisco PIX 500 Series Security Appliances

[Figure: the Cisco PIX 501, 506E, 515E, 525 and 535 placed on a chart labeled Price, Performance, Functionality and Gigabit Ethernet, across the segments Small and Home Office, Remote and Branch Office, Small to Medium Business, Enterprise, and Service Provider.]

Cisco PIX 500 Series Security Appliance Features

Features and uses are as follows:
- Typically used for site-to-site VPNs
- Restricts access to network resources
- Implemented at the physical perimeter between customer intranet and the intranet of the other company
- Determines whether traffic crossing in either direction is authorized
- Contains limited intrusion detection system capability
- Provides a dedicated hardware appliance
- Has little or no impact on network performance

Cisco Catalyst 6500 Series Firewall Services Module

[Figure labels: Firewall Services Module for Cisco Catalyst 6500 Series; Cisco Catalyst 6500 Series, Cisco 7600 Router Series]

- Runs in Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Designed for high-end enterprise and service providers
- Based on Cisco PIX Security appliance technology
- Provides feature parity with Cisco PIX Firewall Software Version 7.0
- Supports multiple performance and redundancy features

Cisco ASA 5500 Series Adaptive Security Appliances

Adaptive Threat Defense and Secure Connectivity
- Application Inspection, Use Enforcement, Web Control, Application Security
- Malware-Content Defense, Anomaly Detection, Anti-X Defenses
- Traffic-Admission Control, Proactive Response, Network Containment and Control
- Secure Connectivity IPsec and SSL VPN

Market-Proven Technologies
- Firewall Technology: Cisco PIX
- IPS Technology: Cisco IPS
- Network Antivirus Technology: Cisco IPS, Antivirus
- VPN Technology: Cisco VPN 3000 Series Concentrator
- Network Intelligence: Cisco Network Services

Adaptive Solution with Converged Best-of-Breed Security Services

[Figure labels: Access Breaches, Session Abuse, Port Scans, Malformed Packets; Application Misuse, DoS and Hacking, Known Attacks; Infected Traffic; Tunneled Traffic, Limited Protections]

IPS
- Attack detection
- Granular packet inspection
- Application control
- Dynamic response

Firewall
- Access control services
- Packet inspection
- Protocol validation
- Accurate enforcement
- Robust resiliency

Network Antivirus
- Virus mitigation
- Spyware, adware, and malware detection and control
- Malicious mobile code mitigation

VPN
- SSL VPN
- IPsec VPN
- User-based security
- Group-based management
- Clustering

Migrating from Cisco PIX to Cisco Security Appliance

Key business and technology drivers:
- Lower total operating expenditures
- Lower capital expenditures
- High-performance worm, spyware, malware, and attack mitigation services
- Adaptive solution with converged best-of-breed security services
- Highly flexible and scalable VPN services
- Consistent user experience

Best Practices for Firewall Policy Development
- Trust no one
- Base all filtering decisions on a sound firewall policy that balances security and business needs
- Deny physical access to firewall devices
- Only allow necessary protocols
- Use logs and alerts
- Segment security zones
- Do not use a firewall as a server
- Do not use a firewall as a workstation
- Set connection limits
- Restrict access to firewalls

Best Practices for Firewall Policy Development (Cont.)
- Combine firewall technologies
- Use firewalls as part of a comprehensive security solution
- Maintain your installation

Summary
- Cisco firewall products include Cisco IOS Firewalls on routers, Cisco PIX 500 Series Security Appliances, FWSM for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, and Cisco ASA 5500 Series Adaptive Security Appliances.
- The Cisco IOS Firewall provides stateful, application, and protocol inspection along with other key firewall features.
- The Cisco IOS Firewall provides security solutions to small and home offices, branch, extranet, and VPN and WAN aggregation points using Cisco routers, Cisco Catalyst switches, and Cisco Route Switch Modules.
- Cisco PIX 500 Series Security Appliances serve a range of requirements and network sizes.
- The FWSM has comparable features and can be installed in the Cisco Catalyst 6500 Series Switches or Cisco 7600 Series Routers.

Summary (Cont.)
- Cisco ASA 5500 Series Adaptive Security Appliances deliver complete consistency with Cisco PIX 500 Series Security Appliances, providing:
  - Firewall and IPsec VPN services
  - Web-based Cisco ASDM and CLI management capabilities
  - Support for the same monitoring capabilities as the Cisco PIX 500 Series Security Appliances running Cisco PIX Software Version 7.0
- Using industry experience and best practices is the best way to develop an effective firewall policy.
