Cisco Cisco ASA 5525-X Adaptive Security Appliance - No Payload Encryption Fiche De Données

White Paper

Page 2 of 3

lack of control over application usage can drain employee productivity and network resources, and

can expose an organization to regulatory and legal concerns.

In addition, an increasing number of attacks target the application layer. These attacks threaten to

disrupt the productivity enhancements enabled by networked applications by targeting the

availability and integrity of those applications. From IP telephony to Web-enabled applications, the

need for protection against application-layer attacks has never been greater. However, traditional

security devices provide little protection for the application layer, and the few protections provided

do not address the threats of today and tomorrow.

Finally, traditional solutions have lacked the critical network services and performance profile

required for deployment in a modern network. Business-critical traffic, such as IP telephony, must

be highly available, and delivered across the network with toll-quality service. It is unacceptable for

security services to impact service delivery across the network.

These challenges place security and network administrators in the difficult position of

compromising on either application delivery or application security. A new class of solution is

needed to break this cycle of compromise and provide security for today's critical business

applications.

Solution: Application Security In The Cisco ASA 5500 Series

Today's security threats require a new approach to security. Comprehensive application security

requires application awareness across a network's applications, instead of an individual approach

to every application on the network. Each application requires a set of common services, as well

as application-specific inspection services. These application inspection services must meet the

demanding performance and services requirements of today's networks. All of these requirements

must be tied together in a clear and comprehensive architecture that allows flexible deployment

and enforcement of application security policies. Cisco ASA 5500 Series adaptive security

appliances have been designed to enable this new approach to application security, and help

protect the availability and integrity of critical business applications.

The Cisco ASA 5500 Series brings a new level of security and policy control to networks via the

Modular Policy Framework architecture. With application security inspection engines spanning all

major network protocols, the Cisco ASA 5500 Series enables deployment of a comprehensive

application security policy. Each inspection engine monitors the application flow, and can flag and

block protocol violations as appropriate to the specific protocol. For example, the Web inspection

engine allows an administrator to enforce traffic compliance with HTTP RFCs and other standards,

helping to ensure that traffic flowing over port 80 is valid Web traffic. This provides two major

benefits. First, the inspection engine detects and blocks non-HTTP applications attempting to

circumvent security policy by tunneling over port 80 (peer-to-peer programs, such as Kazaa, fall

into this category). Second, it protects against both known and unknown attacks targeting the

application layer by evaluating protocol semantics and best practices. Malware that targets

vulnerabilities in application processing can be thwarted by standards conformance.

In addition to protocol compliance, inspection engines extend the access control toolset of security

administrators through a robust set of controls that govern the use of individual features or

capabilities within an application. The FTP inspection engine allows the administrator to protect file

servers by controlling the specific commands a user is allowed to perform on that file server-

allowing users to retrieve files but not delete them or upload potentially malicious content, for

example.