Cisco ASA5520-UC-BUN-K9 firewall (hardware)

Contents

1. For example, your business can permit or deny calls from specific callers or domains, or can apply specific black lists or white lists. As another example, you can extend your network policies to endpoints and applications to allow only calls from phones registered to the call control server or to deny applications such as instant messaging over SIP. [2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 2 of 8. Data Sheet.] Voice and Video Encryption Services: For compliance or security policy reasons, your organization might be required to provide confidentiality to voice and video traffic. End-to-end encryption often leaves network security appliances blind to media and signaling traffic, a situation that can compromise access control and threat prevention security functions. This scenario can result in a lack of interoperability between the firewall and the encrypted voice, leaving your business unable to satisfy both of your critical security requirements. The Cisco ASA 5500 Series encryption proxy solution offers exceptional support (TLS proxy) for Cisco Unified Communications Systems. It is a trusted device within the Cisco Unified Communications Manager authentication domain; voice and video endpoints can securely authenticate and encrypt traffic. The Cisco ASA 5500 Series appliance, as a proxy, can decrypt these connections, apply the required threat protection and access control
2. and help ensure confidentiality by reencrypting the traffic onto the Cisco Unified Communications Manager servers. This integration can give your organization the flexibility to deploy all of the required security countermeasures rather than settling for an inadequate subset. Perimeter Security Services: Perimeter security services include the following. SSL and IPsec VPN: The Cisco ASA 5500 Series supports flexible, secure connectivity using SSL or IPsec VPN services that deliver secure, high-speed voice and data communications among multiple office locations or remote users. These appliances support quality of service (QoS) features to facilitate reliable, business-quality delivery of latency-sensitive applications such as voice and video. You can apply the QoS policies on a per-user, per-group, per-tunnel, or per-flow basis so that the proper priority and bandwidth restrictions are applied to voice and video flows. In addition, preconnection posture assessment and security checks help ensure that VPN users do not inadvertently bring attacks to the network. The Cisco SSL and IPsec solutions are ideally suited to protecting soft-client unified communications traffic, such as Cisco IP Communicator and Cisco Unified Mobile and Personal Communicators. Phone proxy: The Cisco ASA phone proxy capability facilitates termination of Cisco SRTP- and TLS-encrypted endpoints for secure remote access. The Cisco ASA phone proxy allows large-scale deployments o
3. Inspection and Control: SIP, SCCP, H.323, MGCP, RTP and RTCP, TCP, CTIQBE, and Real Time Streaming Protocol (RTSP). SIP Application Inspection and Control: This feature facilitates deep inspection services for SIP traffic for both User Datagram Protocol (UDP) and TCP-based SIP environments, providing granular control for protection against unified communications attacks. SIP application inspection and control delivers protocol conformance support for numerous SIP RFCs, including RFC 3261. It delivers SIP state awareness and tracking and the ability to enforce mandatory header fields and absence of forbidden header fields, thus protecting your business from attacks that use malformed packets. The feature facilitates Network Address Translation (NAT) and Port Address Translation (PAT) based address translation support for SIP-based IP phones and applications such as Microsoft Windows Messenger, while delivering advanced services such as call forwarding, call transfers, and more. This feature supports comprehensive threat defense features such as SIP state awareness and tracking, the ability to rate limit SIP traffic to prevent DoS attacks, preventing SIP traffic from specific proxies from blocking SIP traffic from rogue proxy servers, and validation of RTP and RTCP for media. SIP application inspection and control allows your business to configure granular unified communications policies. These include permitting and denying callers and callees
4. SSP 40 or SSP 60 Unified 24 100 1000 2000 3000 5000 for e 3000 for 5000 for Communications phone phone phone proxy Proxy Maximum proxy proxy 10 000 for Sessions e 10 000 for 3000 for TLS proxy TLS proxy TLS proxy mobility mobility mobility proxy proxy proxy presence presence presence federation federation federation proxy proxy proxy. Option 2: Cisco ASA 5500 Series Unified Communications Edition bundles. These appliances, bundled with unified communications proxy licenses, offer your business a single hardware and software product ID to deliver phone proxy, mobility proxy, presence federation, and TLS proxy features along with the base firewall and VPN functions. Note that bundles are not available on the ASA 5505, 5510, 5580, or 5585. Please order Unified Communications proxy licenses with ASA hardware. Table 3 provides part numbers. Table 3. Cisco ASA 5500 Series Unified Communications Edition Ordering Information (columns: Product Name, Part Number). Cisco ASA 5520 Adaptive Security Appliance for Unified Communications Security. Part number ASA5520-UC-BUN-K9: Cisco ASA 5520 Adaptive Security Appliance UC Security Edition includes 4 Gigabit Ethernet interfaces, 1 Fast Ethernet interface, 1000 UC proxy sessions, 750 IPsec VPN peers, 2 SSL VPN peers, Active/Active and Active/Standby high availability, 3DES/AES. Cisco ASA 5520 Adaptive Security Appliance UC Security Edition includes 4 Gigabit Ethernet
5. businesses to securely extend communications services to remote users, mobile solutions, and business-to-business collaboration. Access Control: Access control is a basic security function that allows only authorized access to resources and services within a system. In a unified communications context, this control is often related to providing network-layer access control to the Cisco Unified Communications Manager and other application servers as a first line of defense against attack. Restricting access to the Cisco Unified Communications Manager servers significantly reduces the risk of an attacker probing the system for vulnerabilities or exploiting access through unauthorized network channels. Cisco ASA 5500 Series Adaptive Security Appliances are voice and video aware and can inspect and apply policy to the protocols (SIP, SCCP, H.323, and MGCP) used in modern unified communications. Older network access control mechanisms such as access control lists (ACLs) cannot process these more complex protocols with the granularity and dynamism required by most organizations. Unlike traditional data applications, unified communications protocols dynamically negotiate how to communicate by exchanging port information within the signaling control channel. Static access control mechanisms such as ACLs cannot track whic
6. Cisco Data Sheet. Cisco ASA 5500 Series Unified Communications Deployments. Cisco Unified Communications solutions unify voice, video, data, and mobile applications on fixed and mobile networks, enabling easy collaboration every time from any workspace. Overview: Cisco Unified Communications products can help businesses of all sizes streamline operations, increase employee productivity, optimize communications, and enhance customer care. Because protecting a unified communications-based network from attacks is crucial to maintaining business continuity and integrity, Cisco has built security features into its unified communications products and augments them with the Cisco ASA 5500 Series Adaptive Security Appliances. Cisco ASA 5500 Series Adaptive Security Appliances are ideal for small businesses, branch offices, enterprises, and mission-critical data center environments. These multifunction appliances deliver market-leading voice and video security services for unified communications, including robust firewall, full-featured IP Security (IPsec) and Secure Sockets Layer (SSL) VPN, intrusion prevention, and content security features. For unified communications deployments, these platforms can protect up to 30,000 phones and deliver application inspection for a broad range of unified communications protocols, including Skinny Client Control Protocol (SCCP), Session Initiation Protocol (SIP), H.323, Media Gateway Control Protocol (MGCP), C
7. SA 5500 Series across your network to protect your call control system, endpoints, applications, and the underlying infrastructure from attacks. These topologies include: Protection of call control servers: By controlling access from clients to these servers, the Cisco ASA 5500 Series can prevent malicious or unauthorized network connections that could affect performance or availability. By statefully inspecting the connections to ascertain that they meet the access control policy and that the connection conforms to expected behavior, the Cisco ASA platform provides a first line of defense for a secure unified communications deployment. Remote access security: The Cisco ASA 5500 Series delivers SSL and IPsec VPN, phone proxy, mobility proxy, and presence federation security services to secure teleworker phones, Cisco Unified IP Phones, and third-party phones such as Apple iPhones, mobile phones, and business-to-business federation deployments. SIP trunk security: Businesses are migrating to SIP trunk architectures to lower their communication costs. The robust SIP security capabilities of the Cisco ASA 5500 Series provide protection from any attacks through SIP trunks. Trusted and untrusted boundaries: You can position the Cisco ASA 5500 Series as a security device between a trusted and untrusted network to hel
8. andard RFCs, the Cisco ASA 5500 Series provides an effective first line of defense for your critical systems. In addition to checking protocol conformance, the multifunction security services of the Cisco ASA 5500 Series can be extended to provide intrusion prevention services. The Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module (AIP SSM) applies hardware-based intrusion prevention system (IPS) features to inbound traffic to stop known attacks against unified communications call control and application servers. A set of unified communications IPS signatures is available to protect against Cisco Unified Communications Manager and Cisco Unified Communications Manager Express Product Security Incident Response Team (PSIRT) vulnerabilities, giving your IT administrators immediate protection without needing to patch unified communications servers right away. The combination of protocol conformance and intrusion prevention provides a robust network-layer defense against common unified communications threats. Network Security Policy Enforcement: Your unified communications deployments are probably subject to the security policy requirements established by your organization's security department. With the sophisticated unified communications security features of the Cisco ASA 5500 Series, your organization can apply granular application-layer policies to the unified communications traffic to meet security compliance requirements.
9. by configuring SIP Uniform Resource Identifier (URI) filters, and inbound and outbound calls using white lists and black lists. In addition, SIP application inspection and control enables permitting and denying use of applications such as instant messaging over SIP, or permitting and denying specific SIP methods, including user-defined methods. H.323 Security Services: H.323 Versions 1-4, along with Direct Call Signaling (DCS) and Gatekeeper Router Control Signaling (GKRCS), provide flexible security integration in a variety of H.323-controlled voice over IP (VoIP) environments. These services support NAT and PAT, including advanced features such as fax over IP (FoIP) using the T.38 protocol, an ITU standard that defines how to transmit FoIP in real time. These services support threat prevention for H.323 traffic, such as restricting call duration, preventing H.225 Registration, Admission, and Status (RAS) packets from arriving out of state, and validation of RTP and RTCP for media. This can help your business configure granular policies for H.323 services, such as filtering on calling and called phone numbers to prevent rogue callers and restricting services by filtering on specific media types. SCCP Security Services: Advanced SCCP inspection services support SCCP applications such as Cisco Unified IP Phones, Cisco Unified Personal Communicator, and Cisco IP Communicator to provide flexible security integration. These services offer
10. comprehensive threat defense, such as the ability to set the maximum SCCP message length to prevent buffer overflow attacks, the ability to tune timeouts for TCP SCCP connections and SCCP audio and video media connections, and validation of RTP and RTCP for media. The services can help your business configure granular policies for SCCP traffic, such as enforcing only registered phone calls to send traffic through the Cisco ASA appliance and filtering on message IDs to allow or deny specific messages. MGCP Security Services: Rich MGCP security services facilitate NAT- and PAT-based address translation services for MGCP-based connections between media gateways and call agents or media gateway controllers. RTSP Security Services: RTSP security services facilitate inspection of RTSP protocols used to control communications between the client and server for streaming applications such as Cisco IP/TV, Apple QuickTime, and RealNetworks RealPlayer. RTSP security services deliver NAT- and PAT-based address translation services for RTSP media streams to improve support in real-time networking environments. Fragmented and Segmented Multimedia Stream Inspection: This feature facilitates inspection of H.323, SIP, and SCCP-based voice and multimedia streams that have been fragmented or segmented to prevent against these unique unified communications attacks. Advanced TCP Security Engine: The advanced TCP security engine protects your network from severa
11. es a secondary TLS session back to Cisco Unified Communications Manager. The signaling and communications between endpoint and Cisco Unified Communications Manager remain functionally the same, and the firewall can deliver its unified communications security services. TLS proxy services support both SIP and SCCP endpoints for comprehensive integration with Cisco Unified IP Phones. Perimeter Security Services. Phone Proxy: Phone proxy delivers secure remote access without the need for a remote access VPN device. It does so by terminating SCCP and SIP Cisco Unified IP Phone endpoints encrypted with TLS or SRTP. Phone proxy supports Cisco Unified Communications Manager mixed and nonsecure modes. You can deploy phone proxy behind an existing firewall or as an integrated firewall or phone proxy appliance. Mobility Proxy: Mobile proxy protects Cisco Unified Mobility solutions and replaces Cisco Unified Mobility Proxy. It incorporates a new inspection engine to validate mobility traffic, including protocol conformance for Cisco Unified Mobile Communicator running on Blackberry, Symbian, and Windows mobile devices. Presence federation: This mandatory component of Cisco Unified Presence with Microsoft Presence solutions secures presence information and applies security policies (white list, black list, and protocol conformance) between two organizations. SSL and IPsec VPN: Robust encrypted SSL and IPsec VPN services for both unified com
12. f secure phones without a large-scale VPN remote access hardware deployment. End-user infrastructure is limited to just the IP endpoint, without VPN tunnels or hardware. The Cisco ASA phone proxy is the replacement product for the Cisco Unified Phone Proxy. Mobility proxy: The Cisco ASA mobility proxy facilitates secure connectivity between the Cisco Unified Mobile Communicator software and the Cisco Unified Mobility Advantage server. The Cisco ASA appliance can intercept the TLS connection between the Cisco Unified Mobile Communicator software and Cisco Unified Mobility Advantage server and inspect and apply policies to the mobility traffic using a new Multichassis Multilink PPP (MMP) inspection engine. The Cisco ASA appliance is a mandatory component of mobility solutions starting with the Cisco Unified Communications 7.0 systems and replaces the Cisco Unified Mobility Proxy. Presence federation: The Cisco ASA 5500 Series facilitates secure presence federation between Cisco Unified Presence and the Microsoft Office Communications Server (OCS) Presence solutions. This allows two organizations to collaborate more efficiently by sharing presence information about how to best reach and communicate with other users, using the common form of communication that is available. The Cisco ASA 5500 Series Adaptive Security Appliance is a mandatory component of presence federation solutions. Deployment Topologies: As shown in Figure 1, you can use the Cisco A
13. h ports to open and must therefore apply weak access controls, limiting the ability to implement effective access policies. Cisco ASA 5500 Series Adaptive Security Appliances can dynamically track the authorized connections that should be opened and then close the connections as soon as the session has ended. This level of control, combined with other intelligent services such as voice protocol-aware Network Address Translation (NAT), distinguishes the Cisco ASA 5500 Series from older platforms that are not suited to the requirements of modern unified communications protocols. Threat Prevention: The Cisco ASA 5500 Series protects Cisco Unified Communications applications from a range of common attacks that can threaten the integrity and availability of your system. These attacks include call eavesdropping, user impersonation, toll fraud, and denial of service (DoS). Many of these attacks, in particular DoS, can be launched by sending malformed protocol packets to attack your unified communications call control systems and applications. Cisco ASA 5500 Series appliances perform protocol conformance and compliance checking on traffic destined to critical unified communications servers. For example, the appliances can help ensure that media flowing through the appliance is truly voice media (RTP) or prevent attackers from sending malicious voice signaling that could crash your call control systems. By helping to ensure that signaling and media comply with st
14. interfaces, 1 Fast Ethernet interface, 1000 UC proxy sessions, 750 IPsec VPN peers, 2 SSL VPN peers, Active/Active and Active/Standby high availability, 3DES/AES (part number ASA5520-UC-BUN-K8). Cisco ASA 5540 Adaptive Security Appliance for Unified Communications Security. Part number ASA5540-UC-BUN-K9: Cisco ASA 5540 Adaptive Security Appliance UC Security Edition includes 4 Gigabit Ethernet interfaces, 1 Fast Ethernet interface, 2000 UC proxy sessions, 5000 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES. Part number ASA5540-UC-BUN-K8: Cisco ASA 5540 Adaptive Security Appliance UC Security Edition includes 4 Gigabit Ethernet interfaces, 1 Fast Ethernet interface, 1000 UC proxy sessions, 5000 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES. Cisco ASA 5550 Adaptive Security Appliance for Unified Communications Security. Part number ASA5550-UC-BUN-K9: Cisco ASA 5550 Adaptive Security Appliance UC Security Edition includes 8 Gigabit Ethernet interfaces, 1 Fast Ethernet interface, 3000 UC proxy sessions, 5000 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES. Part number ASA5550-UC-BUN-K8: Cisco ASA 5550 Adaptive Security Appliance UC Security Edition includes 8 Gigabit Ethernet interfaces, 1 Fast Ethernet interface, 1000 UC proxy sessions, 5000 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES. Cisco Unified Communications Services: Cisco Unified Communications Services allows you to accelerate cost savings and productivity gains associated with deploying a secure, resilient Cisco Unified Communications sol
15. l attacks, including SYN flood attacks using SYN cookies, and protects your network endpoints against protocol fuzzing and retransmission-style time-to-live (TTL) evasion. This security engine delivers a smart TCP proxy feature that reassembles TCP packets to protect against segment attacks that use multiple TCP packets. The security engine offers TCP traffic normalization services for additional techniques to detect attacks, including advanced flag and option checking, TCP packet checksum verification, detection of data tampering in retransmitted packets, and more. RTP and RTCP Inspection Services: These services provide the ability to inspect RTP and RTCP traffic on media connections opened by the unified communications inspection engines, such as SIP and SCCP connections. The services can help your business set security policies for RTP and RTCP traffic, such as validating conformance to RFC 1889, cross-checking media values between signaling and RTP to validate payload type, and policing of version number, payload type integrity, sequence numbers, and the synchronization source (SSRC). Threat Prevention. Intrusion Prevention Services: The optional Cisco ASA 5500 Series AIP SSM applies intrusion prevention services to protect the unified communications infrastr
16. munications and data traffic offer preconnection posture assessment for endpoints and the ability to apply policies and inspection capabilities to VPN traffic to prevent remote users from introducing vulnerabilities into your network. Cisco AnyConnect delivers optimization for voice with support of Datagram Transport Layer Security (DTLS) and secures third-party endpoints such as Apple iPhones. Ordering Information: To place an order, visit the Cisco Ordering homepage (http://www.cisco.com/go/ordering) and refer to Tables 2 through 4. To download software, visit the Cisco Software Center (http://www.cisco.com/go/software). You have two options for ordering the Cisco ASA 5500 Series Adaptive Security Appliance to protect your unified communications deployments. Option 1: Cisco Unified Communications proxy licenses. You can order Cisco Unified Communications proxy software licenses separately for existing ASA appliances. You can combine features such as phone proxy, mobility proxy, presence federation proxy, and TLS proxy for up to the maximum number of sessions listed in Table 2. Table 2. Cisco Unified Communications Proxy Maximum Sessions: Cisco ASA Cisco ASA Cisco ASA Cisco ASA Cisco ASA Cisco ASA Cisco ASA Cisco ASA 5505 5510 5520 5540 5550 5580 5585 X SSP 5585 X SSP 20 10 or
17. of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. 1005R. Printed in USA. C78-450091-03 10/10
18. omputer Telephony Interface Quick Buffer Encoding (CTIQBE), Real-Time Transport Protocol (RTP), and Real-Time Transport Control Protocol (RTCP). Cisco ASA 5500 Series Unified Communications Features: Cisco ASA 5500 Series Adaptive Security Appliances are designed to secure real-time unified communications applications such as voice and video. These appliances protect all of the critical elements of your unified communications deployment: network infrastructure, call control platforms, IP endpoints, and unified communications applications. They deliver several security features that complement the embedded security within the unified communications system, providing additional layers of protection. These features include: Access control: Dynamic and granular policy access control prevents unauthorized access to unified communications services. Threat prevention: Built-in threat prevention protects the unified communications infrastructure from attempts to exploit the system. Network security policy enforcement: Effective unified communications policies for applications and users are created and administered. Voice encryption services: Cisco Transport Layer Security (TLS) proxy can help customers maintain their security policies while encrypting signaling and media. Perimeter security services for unified communications: In addition to SSL and IPsec VPN services, phone proxy, mobility proxy, and presence federation security services allow
19. p ensure that vulnerabilities from the untrusted network do not affect the trusted network. You can use a Cisco ASA 5500 Series appliance to proxy traffic or to secure an internal network against external access in a DMZ architecture. With the range of Cisco ASA 5500 Series models available, your organization has the flexibility to standardize on a single family of security products while positioning specific models to meet different performance needs for every topology or location. [Figure 1. Cisco ASA 5500 Series Deployment Topologies. Panels: Remote Access Security (remote user, mobile user, and B2B collaboration); SIP Trunk Security (provider network, SIP trunk, Cisco ASA 5500); Trust Boundary Security (trusted network, untrusted network, Cisco ASA 5500).] The Cisco ASA 5500 Series provides a comprehensive suite of voice and video security features for your unified communications network. Table 1 lists the features and benefits. Table 1. Features and Benefits Summary (columns: Feature, Details). Unified Communications Application: Supported protocols include
20. ucture and call control servers from IPS signature-based attacks. The AIP SSM provides IPS services that are optimized for unified communications and support specific unified communications engines such as the H.323 and H.225 inspection engines; it also helps prevent OS attacks on call control servers. Unique intrusion prevention capabilities such as anomaly detection, OS fingerprinting capabilities, and risk rating features provide better context on threats to prevent false positives. Content Security Services: These services can help your business implement a gateway-based content inspection feature to inspect content of email and web traffic. This helps ensure that the unified communications infrastructure is free from viruses, worms, spam, phishing, and malware attacks. Encryption Services. TLS Proxy: TLS proxy addresses encrypted signaling and firewall integration concerns in situations in which encrypted signaling leaves unified communications firewalls unable to dynamically open ports or apply policies. As a trusted device within the Cisco Unified Communications Manager, the Cisco ASA appliance can intercept the encrypted signaling, mutually authenticate with the endpoint, and decrypt the signaling. After the signaling is decrypted, the appliance retrieves all the necessary signaling information and applies all the inspection and policy enforcement actions. To maintain secure connectivity from end to end, the appliance then initiat
21. ution. Delivered by Cisco and our certified partners, our portfolio of services is based on proven methodologies for unifying voice, video, data, and mobile applications on fixed and mobile networks. Our unique lifecycle approach to services enhances your technology experience to accelerate true business advantage. For More Information: For more information about the Cisco ASA 5500 Series or about unified communications on the Cisco ASA platform, visit http://www.cisco.com/go/asa or http://www.cisco.com/go/secureuc. You may also contact your local Cisco account representative. Footnote 1: DES applies to UC licenses in ASA software version 8.2 and earlier; 3DES/AES applies to UC licenses in ASA software version 8.3 and higher. Americas Headquarters: Cisco Systems, Inc., San Jose, CA. Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore. Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands. Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property
