Cisco ASA 5550 Firewall Edition Bundle ASA5550-BUN-K9 Data Sheet
Product code
ASA5550-BUN-K9
Data Sheet
All contents are Copyright © 1992–2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 2 of 8
Access Control
Access control is a basic security function that allows only authorized access to resources and
services within a system. In a unified communications context, this is often related to providing
network-layer access control to the Cisco Unified Communications Manager and other application
servers as a first line of defense against attack. Restricting access to the Cisco Unified
Communications Manager servers significantly reduces the risk of an attacker probing the system
for vulnerabilities or exploiting access through unauthorized network channels.
Cisco ASA 5500 Series Adaptive Security Appliances are voice- and video-aware and are able to
inspect and apply policy to the protocols (SIP, SCCP, H.323, MGCP) used in modern unified
communications. Legacy network access control mechanisms such as access control lists (ACLs)
are unable to deal with these more complex protocols with the granularity and dynamism required
by most organizations.
Unlike traditional data applications, unified communications protocols negotiate how to
communicate at call time by exchanging media addresses and port numbers inside the signaling
channel (for example, in the SDP body of a SIP INVITE). A static access control mechanism such
as an ACL cannot see that negotiation, so it has to leave a wide range of media ports
permanently open, which weakens the access control it was meant to provide.
Cisco ASA 5500 Series Adaptive Security Appliances inspect the signaling, open pinholes only for
the media ports actually negotiated for an authorized call, and close them as soon as the
session has ended. This level of control, combined with other intelligent services such as
voice-protocol-aware Network Address Translation (NAT), distinguishes the Cisco ASA 5500 Series
appliances from legacy mechanisms that are not suited to the requirements of modern unified
communications protocols.
Threat Prevention
The Cisco ASA 5500 Series protects Cisco Unified Communications applications from a range of
common attacks that threaten the integrity and availability of the system. These include call
eavesdropping, user impersonation, toll fraud, and denial of service (DoS). Many of these attacks
(in particular, DoS) can be launched by sending malformed protocol packets to attack the unified
communications call control systems and applications. The Cisco ASA 5500 Series checks protocol
conformance on traffic destined to critical unified communications servers: for example, it
verifies that media flowing through the appliance really is voice media (RTP) and blocks
malformed voice signaling that could crash the call control systems. By ensuring that signaling
and media comply with the relevant RFCs, the Cisco ASA 5500 Series provides an effective first
line of defense for critical systems.
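The two behaviours described in the Access Control and Threat Prevention sections, pinholes opened from the ports negotiated in signaling and conformance checking of the media that then arrives, are easier to reason about with a concrete model. The following Python is an added illustration written for this page; it is not Cisco's code and does not describe how the ASA is implemented. The SIP messages, the RTP and non-RTP packets, and the addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
"""Toy model of voice-aware firewall inspection (added example, not Cisco code):
learn media ports from the SDP carried in SIP signaling, open pinholes only for
those ports, check that what arrives on them is RTP, and close them on BYE."""
from typing import NamedTuple

# Constructed sample traffic on RFC 5737 documentation addresses (not a capture).
INVITE = ("INVITE sip:bob@192.0.2.20 SIP/2.0\r\nCall-ID: call-1@192.0.2.10\r\n"
          "CSeq: 1 INVITE\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 16384 RTP/AVP 0 8\r\n")  # offers PCMU, PCMA
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: call-1@192.0.2.10\r\n"
          "CSeq: 1 INVITE\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.20\r\nm=audio 20000 RTP/AVP 0\r\n")    # answer picks PCMU
BYE = "BYE sip:bob@192.0.2.20 SIP/2.0\r\nCall-ID: call-1@192.0.2.10\r\nCSeq: 2 BYE\r\n\r\n"

# RTP fixed header: V=2 (0x80), payload type in byte 1, seq, timestamp, SSRC, then payload.
RTP_PCMU = bytes([0x80, 0x00, 0x00, 0x01]) + (160).to_bytes(4, "big") + b"\x12\x34\x56\x78" + b"\xff" * 160
RTP_G729 = bytes([0x80, 0x12]) + RTP_PCMU[2:]   # well-formed RTP, but payload type 18 was never negotiated
NOT_RTP = b"GET / HTTP/1.0\r\n\r\n" + b"A" * 32   # first byte 0x47: version bits are 1, not 2


class MediaDesc(NamedTuple):
    ip: str
    port: int
    pts: frozenset  # RTP payload types listed on the m=audio line


def parse_sdp(body: str) -> MediaDesc:
    """Connection address and first audio m= line of an SDP body."""
    ip = port = None
    pts = frozenset()
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio ") and port is None:
            fields = line.split()
            port, pts = int(fields[1]), frozenset(int(p) for p in fields[3:])
    if ip is None or port is None:
        raise ValueError("SDP has no c= line or audio m= line")
    return MediaDesc(ip, port, pts)


def header(head: str, name: str) -> str:
    """Value of a SIP header (case-insensitive name); start line is skipped."""
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    raise ValueError(f"missing {name} header")


def is_rtp(pkt: bytes, allowed_pts: frozenset) -> bool:
    """RFC 3550 sanity check: 12-byte fixed header, version 2, negotiated payload type."""
    return len(pkt) >= 12 and pkt[0] >> 6 == 2 and (pkt[1] & 0x7F) in allowed_pts


class SipInspector:
    def __init__(self):
        self.offers = {}    # Call-ID -> MediaDesc from a pending INVITE
        self.pinholes = {}  # Call-ID -> {(src_ip, src_port, dst_ip, dst_port): negotiated pts}

    def inspect_signaling(self, msg: str) -> None:
        head, _, body = msg.partition("\r\n\r\n")
        start_line = head.split("\r\n", 1)[0]
        call_id = header(head, "Call-ID")
        if start_line.startswith("INVITE "):
            self.offers[call_id] = parse_sdp(body)
        elif start_line.startswith("SIP/2.0 200 ") and header(head, "CSeq").endswith("INVITE"):
            offer = self.offers.pop(call_id, None)
            if offer is None:
                return                       # answer to an INVITE we never saw: no pinhole
            answer = parse_sdp(body)
            pts = offer.pts & answer.pts     # only the codecs both sides agreed on
            self.pinholes[call_id] = {
                (offer.ip, offer.port, answer.ip, answer.port): pts,
                (answer.ip, answer.port, offer.ip, offer.port): pts,
            }
        elif start_line.startswith("BYE "):
            self.offers.pop(call_id, None)
            self.pinholes.pop(call_id, None)  # media ports close with the call

    def inspect_media(self, src_ip, src_port, dst_ip, dst_port, pkt: bytes) -> str:
        for holes in self.pinholes.values():
            pts = holes.get((src_ip, src_port, dst_ip, dst_port))
            if pts is not None:
                return "allow" if is_rtp(pkt, pts) else "drop:not-rtp"
        return "drop:no-pinhole"


def run_demo() -> list:
    fw = SipInspector()
    fw.inspect_signaling(INVITE)
    fw.inspect_signaling(OK_200)
    flow = ("192.0.2.10", 16384, "192.0.2.20", 20000)
    verdicts = [
        fw.inspect_media(*flow, RTP_PCMU),   # negotiated media
        fw.inspect_media(*flow, NOT_RTP),    # not RTP at all
        fw.inspect_media(*flow, RTP_G729),   # RTP, but a codec that was never negotiated
        fw.inspect_media("198.51.100.7", 4444, "192.0.2.20", 20000, RTP_PCMU),  # no pinhole
    ]
    fw.inspect_signaling(BYE)
    verdicts.append(fw.inspect_media(*flow, RTP_PCMU))  # pinhole closed with the call
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

The model is deliberately strict: a pinhole is keyed on the full address pair from the SDP, and media is accepted only if its RTP payload type is one both sides negotiated, so the G.729 packet is dropped even though it is well-formed RTP. A production inspector also has to handle RTCP (conventionally the next port up), re-INVITEs that move the media, SIP over TCP and TLS, and endpoints that send from a source port other than the one they advertised; none of that is modelled here.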
In addition to checking protocol conformance, the Cisco ASA family’s multifunction security
services can be extended to provide intrusion prevention services. The Cisco ASA 5500 Series
AIP-SSM module applies hardware-based intrusion prevention system (IPS) features to inbound
traffic to stop known attacks against unified communications call control and application servers.
The combination of protocol conformance and intrusion prevention provides a robust network-layer
defense against common unified communications threats.
Network Policy
Unified communications deployments are often subject to the security policy requirements
established by the organization’s security department. With the Cisco ASA 5500 Series’
sophisticated unified communications security features, organizations are able to apply granular,