思科防火墙售前宝典.xls

超链接 ASA防火墙产品售前分析和产品订购 Version1 0 1 ASA5500参数分析 2 ASA5580参数分析 3 PIX500参数分析 4 ASA软件特性描述 5 ASA服务模块参数分析 6 ASA订购信息 7 ASA5500和H3C FX系列竞争分析 ASA5500ASA5500售售前前产产品品分分析析 中中文文版版 8 ASA5500和Juniper NS系列竞争分析 2009 7 152009 7 159 ASA5500和锐捷的竞争分析 10 ASA5500和天融信的竞争分析 11 ASA5500和启明星辰的竞争分析 12 ASA5500CPL 超链接 ASA防火墙产品售前分析和产品订购 Version1 0 1 ASA5500参数分析 2 ASA5580参数分析 3 PIX500参数分析 4 ASA软件特性描述 5 ASA服务模块参数分析 6 ASA订购信息 7 ASA5500和H3C FX系列竞争分析 8 ASA5500和Juniper NS系列竞争分析 9 ASA5500和锐捷的竞争分析 10 ASA5500和天融信的竞争分析 11 ASA5500和启明星辰的竞争分析 12 ASA5500CPL 型号ASA5505ASA5510ASA5520 防火墙吞吐率最高150Mbps 最高300Mbps最高450Mbps 并发连接数 100000 25000 需Sec plus 50000 130000 需Sec plus 280000 3DES AES吞吐量 最高100Mbps最高170Mbps最高225Mbps 集成网络端口数量 8 port 10 100 交换端口 其中 2 个POE交换端口 5 10 100 FE 其中可升 级2个为GE 4 10 100 1000 4 SFP 需 要 4GE SSM 4个10 100 1000 GE 1个10 100 FE 4 10 100 1000 4 SFP 需要 4GE SSM 用户数量 10 50和无限制 根据软 件License 无限制无限制 是否扩展应用服务模块目前不支持 支持支持 支持服务模块列表 无 ASA SSM AIP ASA SSM CSC ASA SSM AIP ASA SSM CSC Security Contexts 虚拟防火墙 无 默认2个 可升级至5个 需软件License 默认2个 可升级至最多20 个 需软件License 应用场景 小型SMB企业互联网接入 根据性能可以考虑用户 数量在200以内用户 百兆 级防火墙 中小型企业互联网接入 根据性能可以考虑用户数 量在600以内用户 百兆 或千兆级防火墙 中型企业互联网接入 根 据性能可以考虑用户数量 在1000以内用户 千兆级 防火墙 高可用性 HA 不支持 主用 备用支持 主用 备用 支持 主用 主用 VPN Stateful Failover 不支持支持支持 处理器性能 CPU AMD Geode 500 MHzCPU Pentium II 1664 MHz 内存256MB256MB512MB 最低系统Flash 64MB Min 64MB Min 64MB Min 系统总线 是否支持硬件VPN 支持支持支持 扩展插槽 1个SSC1个 SSM1个 SSM 网络接口卡选择SSC ASA SSM AIP ASA SSM CSC和SSM 4GE ASA SSM AIP ASA SSM CSC和SSM 4GE 串行端口Console port RJ 45 Console port RJ 45 Console port RJ 45 支持的VPN种类 Site to site Remote access WebVPN Site to site Remote access WebVPN Site to site Remote access WebVPN IPSec VPN设备对 10 默认 25 需要买 feature授权或安全bundle 250 默认 750 默认 SSL VPN设备对 默认 最大 2个 默认 2个 默认 2个 默认 虚拟VLAN接口 3 不支持trunking 20 支 持trunking 需买feature授 权 50 100 需买feature授 权 150 平台许可证 HA VPN和虚拟VLAN接 口 HA SSL VPN IPSec VPN和虚拟VLAN接口 HA SSL VPN和虚拟VLAN接口 是否支持GUI界面管理 是 ASDM 是 ASDM 是 ASDM 是否支持SNMP and Syslog 支持支持支持 是否支持QOS服务 支持支持支持 是否支持IPV6 支持支持支持 支持的路由协议静态 Rip和OSPF静态 Rip和OSPF静态 Rip和OSPF 网络地址转换 NAT PAT 支持支持支持 防火墙支持模式 路由 透明路由 透明路由 透明 ASA5540ASA5550 最高650Mbps最高1 2Gbps 400000650000 最高325Mbps最高425Mbps 4个10 100 1000 GE 1个10 100 FE 4 10 100 1000 4 SFP 需 要 4GE SSM 8个10 100 1000 GE 1个10 100 FE 4 10 100 1000 4 SFP 需要 4GE SSM 无限制无限制 支持无 ASA SSM AIP ASA SSM CSC不支持 默认2个 可升级至最多 50个 需软件License 默认2个 可升级至最多50 个 需软件License 大中型企业互联网接入 货园区 根据性能可以 考虑用户数量在2000以 内用户 千兆级防火墙 运营商 数据中心和园区 千兆防火墙 支持 Active Active Active Standby 支持 Active Active Active Standby 支持支持 1GB4GB 64MB Min 64MB Min 支持支持 1个 SSM无 ASA SSM AIP ASA SSM CSC和SSM 4GE无 Console port RJ 45 Console port RJ 45 Site to site Remote access WebVPN Site to site Remote access WebVPN 5000 默认 5000 默认 2个 默认 2个 默认 200250 HA SSL VPN和虚拟VLAN接口 HA SSL VPN和虚拟VLAN接口 是 ASDM 是 ASDM 支持支持 支持支持 支持支持 静态 Rip和OSPF静态 Rip和OSPF 支持支持 路由 透明路由 透明 特特性性Cisco ASA 5580 20 用户数不限制 防火墙 ThroughputUp to 5 Gbps 实际HTTP连接 10 Gbps 巨型帧 3DES AES VPN 吞吐 量 1 Gbps IPsec VPN 对10 000 SSL VPN 对 2 10 000 并发连接数1 000 000 每秒建立的新连接数90 000 包 秒 64 byte 2 500 000 集成网络端口2 Gigabit Ethernet 管理口 接口卡插槽6 可选的接口卡 4 Port 10 100 1000 RJ45 4 Port Gigabit Ethernet 光纤接口 SR LC SFP 2 Port 10Gigabit Ethernet 光纤接口 SR LC SFP 虚拟接口 VLAN 100 虚拟防火墙 Security Contexts 2 默认 50 需licenses 高可用性 HA 主用 主用 主用 备用 是否支持GUI界面管理是 ASDM 是否支持SNMP and Syslog netflow 是 冗余电源支持 可选第二块电源 扩展网络接口6 个接口扩展插槽 USB 2 0 接口2 串行接口 控制台 1 RJ 45 console 机架式是 包含轨道 技技术术规规范范 内存8 GB 最小系统闪存1 GB 系统总线多总线架构 Cisco ASA 5580 40 不限制 Up to 5 Gbps 实际HTTP连接 11 Gbps 巨型帧 1 Gbps 10 000 2 10 000 2 000 000 150 000 4 000 000 2 Gigabit Ethernet 管理口 6 4 Port 10 100 1000 RJ45 5 Port Gigabit Ethernet 光纤接口 SR LC SFP 2 Port 10Gigabit Ethernet 光纤接口 SR LC SFP 100 2 默认 50 需licenses 主用 主用 主用 备用 是 ASDM 是 支持 可选第二块电源 6 个接口扩展插槽 2 1 RJ 45 console Yes 包含轨道 12 GB 1 GB 多总线架构 技技术术规规范范 型号PIX501PIX506E 防火墙吞吐率60Mbps100Mbps 并发连接数750025000 3DES AES吞吐量3Mbps 4 5Mbps16Mbps 30Mbps 集成网络端口数量 1个10 100BASE T outside 4个10 100二层交换端 口2个10 100BASE T快速以太网端口 用户数量 10 50和无限制 根据软件 License 无限制 是否扩展应用服务模块不具备 不具备 支持服务模块列表 无无 Security Contexts 虚拟防火墙 无无 应用场景 小型SMB企业 根据性能可以考 虑用户数量在50以内用户 百兆 级防火墙 中小型SMB企业互联网接入 根 据性能可以考虑用户数量在200以 内用户 百兆级防火墙 高可用性 HA 不支持不支持 Failover port 无无 VPN Stateful Failover 不支持不支持 处理器性能AMD133MHZ300MHZ Intel celeron Processor 内存16MB32MB 最低系统Flash 8MB8MB 系统总线Single 32 bit 33 MHz PCISingle 32 bit 33 MHz PCI 是否支持硬件VPN 支持支持 扩展插槽 无无 网络接口卡选择 串行端口Console port RJ 45 Console port RJ 45 支持的VPN种类 Easy VPN server client Site to Site VPN IPSec或其它 Remote access Easy VPN server client Site to Site VPN IPSec或其它 Remote access IPSec VPN设备对 10个25个 SSL VPN设备对 默认 最大 无无 虚拟VLAN接口 12 平台许可证用户数 VPN3DES VPN 虚拟VLAN接口 是否支持GUI界面管理 是 PDM 是 PDM 是否支持SNMP and Syslog 支持支持 是否支持QOS服务 不支持支持 是否支持IPV6 不支持支持 支持的路由协议 静态静态 Rip和OSPF 网络地址转换 NAT PAT 支持支持 防火墙支持模式 路由路由 PIX515EPIX525PIX535 190Mbps330Mbps1 7Gbps 130000280000500000 135Mbps 130Mbps 需加VAC 145Mbps 135Mbps 需加VAC 425Mbps 495Mbps 需加VAC 2个10 100BASE T快速以太网端口 最高可扩展至6个FE 2个10 100BASE T快速以太网端口 最高可扩展至10个FE 其中可 扩展2个GE 2个10 100BASE T快速以太网端口 最高可扩展至14个FE 或9个GE 无限制无限制无限制 支持 VPN加速模块 支持 VPN加速模块 支持 VPN加速模块 PIX Firewall VAC卡 VPN加速卡 PIX Firewall VAC卡 VPN加速卡 PIX Firewall VAC卡 VPN加速卡 5 需软件License 5 10 20 50 需软件License 5 10 20 50 需软件License 中型企业互联网接入 根据性能可以 考虑用户数量在500以内用户 百兆级 防火墙 大型企业互联网接入或园区 根据 性能可以考虑用户数量在1000以内 用户 千兆级防火墙 运营商级 数据中心和园区防火墙 Active Active and Active Standby Stateful Failover Active Active and Active Standby Stateful Failover Active Active and Active Standby Stateful Failover 有RS 232 115 Kbps DB 15 有RS 232 115 Kbps DB 15有RS 232 115 Kbps DB 16 支持支持支持 433 MHz Intel Celeron Processor 600 MHz Intel Pentium III Processor1GHz Intel Pentium III Processor 64 128MB128 256MB512 1GB 16MB16MB16MB Single 32 bit 34 MHz PCISingle 32 bit 35 MHz PCI Two 64 bit 66 MHz PCI one 32 bit 33 MHz PCI 支持支持支持 3个4个8个 1端口的FE 4端口的FE和1端口的GE 1端口的FE 4端口的FE和1端口的 GE 1端口的FE 4端口的FE和2端口的 GE Console port RJ 45 Console port RJ 45 Console port RJ 45 Easy VPN server client Site to Site VPN IPSec或其它 Remote access Easy VPN server client Site to Site VPN IPSec或其它 Remote access Easy VPN server client Site to Site VPN IPSec或其它 Remote access 2000个2000个2000个 无无无 25100150 HA VPN和虚拟VLAN接口HA VPN和虚拟VLAN接口HA VPN和虚拟VLAN接口 是 PDM 是 PDM 是 PDM 支持支持支持 支持支持支持 支持支持支持 静态 Rip和OSPF静态 Rip和OSPF静态 Rip和OSPF 支持支持支持 路由 透明路由 透明路由 透明 特特性性 Application Security Services Advanced Application Inspection and Control Services 高级 应用服务检测和控制 Advanced Web Security Services 高级的WEB安全服务 Tunneling Application Control 隧道应用控制 FTP Security Services FTP安全服务 Cisco ASA Botnet Traffic Filter 思科ASA僵尸网络流量过滤器 ESMTP E Mail Security Services 扩展SMTP安全服务 SNMP Security Services ICMP Security Services Sun RPC and Network Information Service Plus NIS Security Services 3G Mobile Wireless Security Services 3G移动无线安全服务 H 323 Security Services SIP Security Services SCCP Security Services MGCP Security Services RTSP Security Services TAPI JTAPI over CTIQBE Security Services Fragmented and Segmented Multimedia Stream Inspection 多媒体流检测 Advanced TCP Security Engine Anti X Security Services Advanced Intrusion Prevention and Anti X Services 需增加防 火墙IPS模块 SSM AIP Multi Vector Threat Protection 全方位的安全防护 H 323 Security Services URL Filtering URL过滤 ActiveX and Java Filtering Network Containment and Control Services Stateful Inspection Firewall Services 状态检测服务 Access Control Services Object Grouping 对象组 NAT and PAT Services Secure Connectivity Services Cisco Easy VPN Server and IPSec Remote Access Concentrator Services Cisco VPN Client WebVPN SSL VPN Remote Access Concentrator Services Remote Access VPN Clustering and Load Balancing Native Integration with Popular User Authentication Services 本地集成了流行的认证服务 Site to Site VPN Services 端到端的VPN服务 X 509 Certificate and Certificate Revocation List CRL Support Cisco Easy VPN Server and IPSec Remote Access Concentrator Services High Availability Services Active Standby Stateful Failover Active Active Stateful Failover VPN Stateful Failover VPN状态切换 LAN Based Failover Zero Downtime Software Upgrades Intelligent Networking Services Security Contexts 虚拟防火墙 Layer 2 Transparent Firewall 透明模式 VLAN Based Virtual Interfaces 基于VLAN的虚拟接口 OSPF Dynamic Routing X 509 Certificate and Certificate Revocation List CRL Support Routing Information Protocol RIP Dynamic Routing Multicast Routing 组播路由 QoS Services IPV6网络 Security Level per Network Interface 每个网络接口的安全级 别 Dynamic Host Configuration Protocol DHCP Server DHCP Relay Network Time Protocol NTPv3 Client Flexible Management Solutions Cisco ASDM Command Line Interface CLI Cisco Modular Policy Framework OSPF Dynamic Routing Authentication Authorization and Accounting AAA Services Cut Through Proxy Services Cut Through代理服务 SNMP Monitoring SNMP监控 灵活的Syslog and 安全设备事件交换 SDEE 监控 Software and Configuration File Import and Export SSH and SCP Storage of multiple configurations and software images in flash memory Secure Asset Recovery Scheduled System Reloads Dedicated Out of Band Management Interface Packet Capture Extended ICMP Ping Services SMTP E Mail Alerts Packet Capture 优优势势 集成了30多种专门的检测引擎去给如下协议提供丰富的应用控制和安全接入 如 HTTP FTP ESMTP DNS SNMP ICMP SQL Net NFS H 323 Versions 1 4 SIP SCCP MGCP RTSP TAPI 和JTAP ICTIQBE GTP LDAP ILS RPC Enables deep inspection services for Web traffic which provide granular control over HTTP sessions for improved protection from a wide range of Web based attacks Gives businesses precise control over what HTTP commands or methods can be used on a per flow basis different policy for traffic coming from Internet vs traffic coming from a staging Web server to production Web server for example thus protecting businesses from a variety of Web based attacks including unauthorized deletion or modification of Web content Delivers a wide range of additional powerful HTTP security services including RFC compliance enforcement protocol anomaly detection protocol state tracking response validation Multipurpose Internet Mail Extensions MIME type validation and content control Uniform Resource Identifier URI length enforcement and more 为一些即时通信 点对点文件共享和其它通过Web应用端口的程序提供升读检测或阻塞 阻塞流行的即时通信应用程序 比如说 AOL Instant Messenger MSN and Yahoo Messenger 禁止点对点传输下载 比如 KaZaA and Gnutella Thwarts tunneling applications such as GoToMyPC Delivers advanced FTP inspection services including protocol anomaly detection protocol state tracking Network Address Translation NAT and Port Address Translation PAT support and dynamic port opening and closing Gives administrators greater control over the use of numerous FTP commands allowing them to have the security appliance enforce what operations users and groups can perform within FTP sessions such as FTP gets and puts Provides server obfuscation techniques and additional attack signatures to further protect FTP servers from attack Supports ESMTP security inspection services including protocol anomaly detection protocol state tracking and support for the following new commands introduced in ESTMP protocol AUTH DATA EHLO ETRN HELO HELP MAIL NOOP QUIT RCPT RSET SAML SEND SOML and VRFY Protects businesses from malicious SMTP and ESTMP commands with automatic command filtering Delivers SNMP filtering services allowing administrators to maintain a consistent version of the SNMP protocol flowing through their networks Provides version filtering for all SNMP traffic attempting to flow through a Cisco ASA 5500 Series appliance supporting filtering of SNMP versions 1 2 2c and 3 Enables secure usage of ICMP for troubleshooting and improved network performance by providing state tracking services for ICMP connections as well as providing additional controls for ICMP error messages Includes support for port hopping UNIX applications through stateful inspection and NAT services for Sun RPC and NIS sessions transactions that use Portmapper v2 or RPCBind v3 or v4 Delivers rich security services for 3G Mobile Wireless environments that provide packet switched data services using the General Packet Radio Service GPRS Tunneling Protocol standard GTP Provides advanced GTP inspection services that enable Mobile Wireless providers to have secure interactions with roaming partners through robust filtering capabilities based on GTP specific parameters such as International Mobile Subscriber Identity IMSI prefixes and access point name APN values and more Note This feature is licensed separately Enables advanced H 323 inspection services that support versions 1 4 of the protocol along with Direct Call Signaling DCS and Gatekeeper Router Control Signaling GKRCS to provide flexible security integration in a variety of H 323 driven voice over IP VoIP environments Application Security Services Includes NAT and PAT support for H 323 services including advanced features such as fax over IP FoIP using the T 38 protocol an ITU standard that defines how to transmit FoIP in real time Delivers a fortified SIP inspection engine that secures both UDP and TCP based SIP environments Enables NAT and PAT based address translation support for SIP based IP phones and applications such as Microsoft Windows Messenger while delivering advanced services such as call forwarding call transfers and more Provides secure integration of Cisco SCCP based IP telephony services with Cisco CallManager Version 4 1 while successfully connecting calls over multiprotocol VoIP environments across NAT and PAT boundaries Enables rich MGCP security services and NAT and PAT based address translation services for MGCP based connections between media gateways and call agents or media gateway controllers Delivers NAT based address translation services for RTSP media streams for improved support in real time networking environments Supports inspection of various Cisco TAPI and JTAPI based applications that use CTIQBE including Cisco IP SoftPhone and the Cisco Customer Response solution Enables inspection of H 323 SIP and SCCP based voice and multimedia streams that have been fragmented or segmented 可检查H 323 SIP和SCCP以及多媒体数据流 Supports several foundational capabilities to assist in detecting protocol and application layer attacks Provides TCP stream reassembly and analysis services to help detect attacks that are spread across a series of packets Offers TCP traffic normalization services for additional techniques to detect attacks including advanced flag and option checking TCP packet checksum verification detection of data tampering in retransmitted packets and more Delivers advanced protection from known and unknown network and application layer attacks DoS attacks and malware including worms network viruses Trojan horses spyware and adware Analyzes network traffic accurately for these threats using a wide range of techniques including stateful pattern recognition protocol analysis traffic anomaly detection protocol anomaly detection and Layer 2 analysis to detect man in the middle attacks Provides specialized safeguards to scrub network traffic to prevent detection evasion attempts including IP fragmentation reassembly and normalization TCP stream reassembly and normalization TCP evasion control as well as IP antispoofing and deobfuscation services Helps ensure malicious attacks are stopped without impacting legitimate traffic by using innovative Cisco Risk Rating technology incorporating four elements event severity signature fidelity asset value and attack relevancy to accurately determine the risk of an event and then confidently performing administrator specified mitigation action s Provides on device event correlation capabilities through Cisco Meta Event Generator to quickly identify and stop new threats and optionally reduce the number of events sent to centralized monitoring systems for analysis Supports both in line prevention of attacks as well as detection only of attacks in both routed or Layer 2 transparent bridging modes Gives administrators granular control over protocols and provides custom regular expression matching tools for businesses to craft environment specific signatures Uses auto update capability to download the latest threat information from C refer to Cisco Services for IPS for more information Note These features are available only when an AIP SSM is installed in a Cisco ASA 5500 Series appliance Incorporates a variety of technologies to defend businesses from many popular forms of attacks including DoS attacks fragmented attacks replay attacks and malformed packet attacks Provides advanced attack protection features such as DNSGuard FloodGuard FragGuard MailGuard IPVerify and TCP intercept to identify and stop a wide range of attacks Delivers advanced TCP stream reassembly and traffic normalization services to assist in detecting hidden application and protocol layer attacks Anti X Security Services Enables robust employee Web usage management and control through integration with Websense and Secure Computing N2H2 based URL filtering solutions Supports HTTPS and FTP Web request filtering through enhanced Websense integration Provides optional filtering of ActiveX and Java applets to prevent downloads of malware and the resulting damage malware can create Provides wide range of perimeter network security services to prevent unauthorized network access Delivers robust stateful inspection firewall services that track the state of all network communications Provides flexible access control capabilities for more than 100 predefined applications services and protocols with the ability to define custom applications and services Supports inbound and outbound access control lists ACLs for interfaces time based ACLs and per user or group policies for improved control over network and application usage Simplifies management of security policies by giving administrators the ability to create reusable network and service object groups that can be referenced by multiple security policies simplifying initial policy definition and ongoing policy maintenance Delivers a flexible solution for defining access control policies by including support for outbound ACLs in addition to inbound ACLs allowing access controls to be enforced as network traffic enters or exits an interface Gives administrators greater control over resource usage by defining time based ACLs when certain ACL ent