Technical Specification for the Cisco ASA 5585-X Adaptive Security Appliance

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. 
Page 5 of 6 
queue is full, the ASA drops any subsequent packets that hash to the same queue. As a result, the oversubscription impact from a single flow is contained to just one work queue out of 32,000; this translates into about a 0.003 percent chance of one offending flow affecting other legitimate transit connections. This process is yet another example of how the ASA 5585-X architecture is explicitly designed to contain and self-mitigate common packet-flood attacks.
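The containment argument above can be checked with a small model of hash-distributed, fixed-depth work queues. This is an added example, not Cisco's code or a description of the ASA's internals: the hash function (SHA-256 over the 5-tuple), the per-queue depth of 64 and the sample flows are all constructed assumptions; only the 32,000 queue count comes from the text.

```python
import hashlib
from collections import defaultdict

NUM_QUEUES = 32_000   # work-queue count stated in the text
QUEUE_DEPTH = 64      # per-queue capacity: a constructed assumption, not from the page

def queue_index(flow, num_queues=NUM_QUEUES):
    """Map a 5-tuple (src, dst, sport, dport, proto) to a work queue.
    The ASA's real hash is not described here; SHA-256 is an assumption
    chosen only to give a stable, roughly uniform mapping."""
    digest = hashlib.sha256(repr(flow).encode()).digest()
    return int.from_bytes(digest[:4], "big") % num_queues

class WorkQueueModel:
    """Fixed-depth work queues: once a queue is full, later packets that
    hash to it are dropped, so one flooding flow only hurts its own queue."""
    def __init__(self, num_queues=NUM_QUEUES, depth=QUEUE_DEPTH):
        self.num_queues, self.depth = num_queues, depth
        self.occupancy = defaultdict(int)   # queue index -> packets waiting
        self.dropped = defaultdict(int)     # flow -> packets dropped

    def enqueue(self, flow):
        q = queue_index(flow, self.num_queues)
        if self.occupancy[q] >= self.depth:
            self.dropped[flow] += 1
            return False
        self.occupancy[q] += 1
        return True

def constructed_flows(n):
    """Constructed sample flows: n distinct clients toward one HTTPS server."""
    return [("10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255),
             "192.0.2.10", 1024 + i % 60000, 443, "tcp") for i in range(n)]

def collateral_damage(flood_flow, legit_flows):
    """Oversubscribe the flood flow's queue, then send one packet per legitimate
    flow and return how many legitimate flows lost a packet."""
    model = WorkQueueModel()
    for _ in range(model.depth * 2):
        model.enqueue(flood_flow)
    return sum(1 for f in legit_flows if not model.enqueue(f))

def predicted_impact_percent(num_queues=NUM_QUEUES):
    """Chance that a random legitimate flow shares the offending flow's queue."""
    return round(100.0 / num_queues, 3)   # 100 / 32000 = 0.003125 -> 0.003

if __name__ == "__main__":
    flood = ("203.0.113.7", "192.0.2.10", 40000, 443, "udp")   # constructed flooding flow
    legit = constructed_flows(100_000)
    hit = collateral_damage(flood, legit)
    print(f"{hit} of {len(legit)} legitimate flows affected; "
          f"predicted {predicted_impact_percent()}% per flow")
```

Only the legitimate flows that hash to the flooded queue lose packets; every other queue is untouched, which is the isolation property the text describes.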
As mentioned earlier, the ASA performs all packet-processing tasks in the flexible SoftNP. On the multiple-core Cisco ASA platforms, such as the ASA 5585-X, the SoftNP components are spread across the data path and control plane processes. Most of the connection-processing functions are implemented directly in the data path with the following logical components:
● Fast path: As the name implies, this component forwards packets that match already established stateful connections at a very high rate. It uses the previously evaluated security policy for the given flow to perform the full scope of stateful checks with extremely low latency.
● Session manager: This component evaluates the complete security policy when attempting to create the stateful connection entry. If the connection is permitted by the policy applied to the first packet, the complete inspection action set is programmed into the fast path for future packet processing.
Packets that match certain connections may be escalated from any data path process to the control plane. Figure 5 provides a brief view of the functional separation between the fast path and session manager components within the data path as well as the control plane modules of the SoftNP.
Figure 5.    The ASA SoftNP Logical Diagram 
In this hierarchical ASA architecture, a defense-in-depth approach can be effectively implemented, where every connection is permitted or denied after the minimum necessary set of security checks. While the ASA can effectively manage most security threats at the basic Layer 3 and Layer 4 levels, advanced application inspection engines as well as the IPS and CX modules can examine the permitted traffic all the way up to Layer 7 in order to stop the most complex attacks. At every step, the ASA 5585-X architecture aims to direct processing resources toward potentially malicious traffic.