White paper for Cisco Prime Infrastructure 3.0

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. 
Page 31 of 68 
Platform      | Classification                                      | Performance Collection                                                                | Control
--------------|-----------------------------------------------------|---------------------------------------------------------------------------------------|-----------------------------------------------------------------------------
WISM2         | NBAR2 (PP 2.1); Protocol Pack support future (7.5)  | Flexible NetFlow (fixed record)                                                       | QoS
3850 Wireless | NBAR2 - Future: Cisco IOS-XE 3.3 (Darya, Q4CY13)    | NetFlow (fixed record) for wireless traffic - Future: Cisco IOS-XE 3.3 (Darya, Q4CY13) | App-aware QoS policies for wireless - Future: Cisco IOS XE 3.4 (Amur, 1H CY14)
AVC for Perimeter Security/Firewall 
AVC for perimeter security/firewalls is very important. 
Today applications are complex, their behavior is complex, and their use from a variety of devices and locations is 
complex. Current access controls are based on IP addresses and ports, which work as the first strong layer of 
defense but don’t go far enough. Where multiple applications traverse a port (like Internet-based applications on 
port 80) or an application hops ports (like Skype), additional controls are needed that are much more fine-grained. 
These controls need to identify the user, application, what the user is doing on the application, device 
characteristics, threat profile of the transaction, and so on. 
One of the key objectives of a context-aware firewall is to know which applications are being used by which user, 
when, and what exactly is being done. The ability to control access is totally contextual and the admin needs to be 
able to enforce policies at the level of business applications. 
Next-generation firewalls (NGFWs) are needed to create policies that match today's nuanced business needs: policies that identify not just applications, but also microapplications, categories, groups, and so on.
In addition to microapplications, ASA NGFW services also identify the application behavior, that is, what action the 
user is taking within that application. As an example, the Facebook videos category identifies whether the user is 
uploading, tagging, or posting a video. So an administrator may allow users to view and tag videos, but not allow 
users to upload a video. You could also deny any postings from users, effectively making Facebook read-only. 
The key functions of AVC in the context of firewalls are to provide granular visibility, grouping, and control by allowing or denying access to applications.
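The Facebook read-only policy described above, modelled as an added example (not Cisco code and not the ASA's own policy syntax): rules match on the user's group, the application, the microapplication and the action taken inside it, and the first matching rule wins, so the specific deny rules must be listed before the general allow. All names and sample transactions are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Transaction:
    """One observed user action, with the context a NGFW classifies."""
    user_group: str   # identity, e.g. "employees"
    application: str  # e.g. "facebook"
    micro_app: str    # e.g. "facebook-videos"
    action: str       # behaviour inside the app: "view", "tag", "upload", "post"

@dataclass(frozen=True)
class Rule:
    """A policy line; a None field is a wildcard."""
    verdict: str                       # "allow" or "deny"
    application: Optional[str] = None
    micro_app: Optional[str] = None
    action: Optional[str] = None
    user_group: Optional[str] = None

    def matches(self, t: Transaction) -> bool:
        pairs = ((self.user_group, t.user_group), (self.application, t.application),
                 (self.micro_app, t.micro_app), (self.action, t.action))
        return all(want is None or want == have for want, have in pairs)

# The policy from the text: viewing and tagging videos is allowed, uploading a
# video is denied, and any posting is denied, which leaves Facebook read-only.
# Specific deny rules must precede the general allow because first match wins.
FACEBOOK_READ_ONLY = [
    Rule("deny", application="facebook", micro_app="facebook-videos", action="upload"),
    Rule("deny", application="facebook", action="post"),
    Rule("allow", application="facebook"),
]

def evaluate(policy, t: Transaction, default: str = "deny") -> str:
    """Verdict of the first matching rule; unmatched traffic gets the default."""
    for rule in policy:
        if rule.matches(t):
            return rule.verdict
    return default

if __name__ == "__main__":
    # Constructed sample transactions (not captured data).
    for tx in (Transaction("employees", "facebook", "facebook-videos", "tag"),
               Transaction("employees", "facebook", "facebook-videos", "upload"),
               Transaction("employees", "facebook", "facebook-wall", "post")):
        print(f"{tx.micro_app}/{tx.action} -> {evaluate(FACEBOOK_READ_ONLY, tx)}")
```

Swapping the order of the last two rules would let the general allow shadow the posting deny, which is the usual way such application-level policies silently fail.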
A typical ASA-based AVC deployment looks like the following: