Cisco ASA 5585-X with No Payload Encryption Data Sheet
White Paper
All contents are Copyright © 1992–2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 2 of 3
lack of control over application usage can drain employee productivity and network resources, and
can expose an organization to regulatory and legal concerns.
In addition, an increasing number of attacks target the application layer. These attacks threaten to
disrupt the productivity enhancements enabled by networked applications by targeting the
availability and integrity of those applications. From IP telephony to Web-enabled applications, the
need for protection against application-layer attacks has never been greater. However, traditional
security devices provide little protection for the application layer, and the few protections provided
do not address the threats of today and tomorrow.
Finally, traditional solutions have lacked the critical network services and performance profile
required for deployment in a modern network. Business-critical traffic, such as IP telephony, must
be highly available and delivered across the network with toll-quality service. It is unacceptable for
security services to impact service delivery across the network.
These challenges place security and network administrators in the difficult position of
compromising on either application delivery or application security. A new class of solution is
needed to break this cycle of compromise and provide security for today's critical business
applications.
Solution: Application Security In The Cisco ASA 5500 Series
Today's security threats require a new approach to security. Comprehensive application security
requires application awareness across a network's applications, instead of an individual approach
to every application on the network. Each application requires a set of common services, as well
as application-specific inspection services. These application inspection services must meet the
demanding performance and services requirements of today's networks. All of these requirements
must be tied together in a clear and comprehensive architecture that allows flexible deployment
and enforcement of application security policies. Cisco ASA 5500 Series adaptive security
appliances have been designed to enable this new approach to application security, and help
protect the availability and integrity of critical business applications.
The Cisco ASA 5500 Series brings a new level of security and policy control to networks via the
Modular Policy Framework architecture. With application security inspection engines spanning all
major network protocols, the Cisco ASA 5500 Series enables deployment of a comprehensive
application security policy. Each inspection engine monitors the application flow, and can flag and
block protocol violations as appropriate to the specific protocol. For example, the Web inspection
engine allows an administrator to enforce traffic compliance with HTTP RFCs and other standards,
helping to ensure that traffic flowing over port 80 is valid Web traffic. This provides two major
benefits. First, the inspection engine detects and blocks non-HTTP applications attempting to
circumvent security policy by tunneling over port 80 (peer-to-peer programs, such as Kazaa, fall
into this category). Second, it protects against both known and unknown attacks targeting the
application layer by evaluating protocol semantics and best practices. Malware that targets
vulnerabilities in application processing can be thwarted by standards conformance.
In addition to protocol compliance, inspection engines extend the access control toolset of security
administrators through a robust set of controls that govern the use of individual features or
capabilities within an application. The FTP inspection engine allows the administrator to protect file
servers by controlling the specific commands a user is allowed to perform on that file server; for
example, allowing users to retrieve files but not delete them or upload potentially malicious content.
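As an added example (not configuration from this data sheet), the two controls described above expressed in the ASA Modular Policy Framework CLI: a Layer 7 HTTP inspection map that drops and logs port 80 connections violating the HTTP protocol, and an FTP inspection map that resets and logs sessions issuing delete, upload or rename commands while leaving retrieval alone. The class-map and policy-map names are constructed; the syntax follows the ASA 8.x MPF CLI.

```cisco
! --- Layer 7 inspection policy for HTTP (constructed names) ---
! Traffic classified as HTTP must conform to the protocol; anything
! tunneled over port 80 that is not valid HTTP is dropped and logged.
policy-map type inspect http HTTP-RFC-ONLY
 parameters
  protocol-violation action drop-connection log

! --- Layer 7 inspection policy for FTP (constructed names) ---
! Read-only file server: block delete, upload (put/stou/appe) and
! rename (rnfr/rnto). RETR ("get") is not matched, so it is allowed.
policy-map type inspect ftp FTP-READ-ONLY
 parameters
  mask-banner
  mask-syst-reply
 match request-command dele put stou appe rnfr rnto
  reset log

! --- Layer 3/4 classification: which flows get which engine ---
class-map HTTP-TRAFFIC
 match port tcp eq www
class-map FTP-TRAFFIC
 match port tcp eq ftp

! --- Tie the inspection maps to the flows and apply globally ---
policy-map global_policy
 class HTTP-TRAFFIC
  inspect http HTTP-RFC-ONLY
 class FTP-TRAFFIC
  inspect ftp strict FTP-READ-ONLY
service-policy global_policy global
```

With this in place, a client issuing `DELE report.txt` on the protected FTP server gets its connection reset and a syslog entry, while `RETR report.txt` passes; the `strict` keyword additionally enforces RFC-conformant FTP command sequencing.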