Cisco ASA 5540

The Cisco ASA 5540 Adaptive Security Appliance delivers high-performance, high-density security services with Active/Active high availability and Gigabit Ethernet connectivity for medium-sized and large enterprise and service-provider networks, in a reliable, modular appliance. With four Gigabit Ethernet interfaces and support for up to 100 VLANs, businesses can use the Cisco ASA 5540 to segment their network into numerous zones for improved security. The Cisco ASA 5540 Adaptive Security Appliance scales with businesses as their network security requirements grow, delivering exceptional investment protection and services scalability. The advanced network and application-layer security services and content security defenses provided by the Cisco ASA 5540 Adaptive Security Appliance can be extended by deploying the AIP SSM for high-performance intrusion prevention and worm mitigation.

Cisco ASA 5510

Cisco ASA 5540

IPS Performance: 650 Mbps
Firewall Performance: 650 Mbps
Cisco ASA 5500 Series IPS Edition

Businesses can scale their SSL and IPsec VPN capacity to support a larger number of mobile workers, remote sites, and business partners. Up to 2500 AnyConnect and/or clientless VPN peers can be supported on each Cisco ASA 5540 by installing an Essential or a Premium AnyConnect VPN license; 5000 IPsec VPN peers are supported on the base platform. VPN capacity and resiliency can also be increased by taking advantage of the integrated VPN clustering and load-balancing capabilities of the Cisco ASA 5540. The Cisco ASA 5540 supports up to 10 appliances in a cluster, supporting a maximum of 25,000 AnyConnect and/or clientless VPN peers or 50,000 IPsec VPN peers per cluster. For business continuity and event planning, the ASA 5540 can also benefit from the Cisco VPN FLEX licenses, which enable administrators to react to or plan for short-term bursts of concurrent Premium VPN remote-access users, for up to a 2-month period.

Using the optional security context capabilities of the Cisco ASA 5540 Adaptive Security Appliance, businesses can deploy up to 50 virtual firewalls within an appliance to enable compartmentalized control of security policies on a per-department or per-customer basis, and deliver reduced overall management and support costs.

Overview
Benefits
Features
Comparison
Model Specs
Data Sheets

Cisco ASA 5500 Series IPS Solution

Obtain market-leading intrusion prevention with firewall, VPN, and optional content security
Protect small business to large enterprise networks at the Internet edge, campus, and data center
Reduce operational and deployment costs, and achieve up to 10 Gb inspection performance
Get integrated security in a desktop or 1-2 rack-unit (RU) form factor

Cisco IPS 4200 Series Sensors

Get the market-leading standalone intrusion prevention appliance
Protect midsize business and enterprise networks at the Internet edge, campus, or data center
Maximize your intrusion prevention investment with up to 4 Gb of inspection capabilities
Install a purpose-built 1-4 RU form factor

Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module

Software-based intrusion prevention for Cisco Integrated Services Routers
Router-based threat control at the branch, small business, or home office to stop attacks at the point of entry
Reduced operational and deployment costs; no additional hardware required

Cisco IOS Intrusion Prevention System (IPS)

Software-based, inline intrusion prevention for Cisco Integrated Services Routers
Branch-intrusion prevention capabilities integrated into the Cisco IOS platform
Reduced operational and deployment costs; no additional hardware required

Cisco Integrated Services Routers Intrusion Prevention System Module

Intrusion prevention hardware acceleration modules for Cisco Integrated Services Routers (ISRs)
Ideal for ISR branch installations that require dedicated IPS
Provide complete intrusion prevention with dedicated hardware to offload deep packet inspection from the router

Protection from Threats

Cisco Intrusion Prevention Systems (IPS) solutions provide protection against common threats such as:

Directed attacks
Worms
Botnets
SQL injection attacks and the like

Solutions are available as:

Standalone appliances
Hardware modules for Cisco Adaptive Security Appliance (ASA) firewalls
Hardware modules for Cisco Integrated Services Routers (ISR) and Cisco Catalyst Switches
Cisco IOS software-based solutions for ISR routers

Powerful Capabilities for Regulatory Compliance

Cisco IPS solutions can help organizations meet requirements such as:

PCI Data Security Standard (PCI DSS)
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes - Oxley Act (SOX)
Gramm-Leach-Bliley Act (GLBA)
Federal Information Security Management Act (FISMA)

Simplified Management

Management options for Cisco IPS solutions include IPS Manager Express, a powerful yet easy to use GUI-based management platform for smaller deployments.

For enterprise deployment, Cisco offers Cisco Security Manager

Advanced Features

Cisco IPS solutions, including the 4200 Series IPS Sensors, and the Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Module and Card, are part of the Cisco SecureX security architecture.

For enterprise deployment, Cisco offers Cisco Security Manager

Exclusive Cisco Technology to Block Threats

More than 700,000 Cisco network devices worldwide send current threat information into Cisco Security Intelligence Operations (SIO). The data is analyzed, correlated, and pushed back to devices worldwide as reputation data and outbreak filters. Contain threats and block malware, including zero-day exploits, with these constant updates.

Key Features and Benefits

High performance: IPS capabilities are hardwareaccelerated to provide maximum performance, and do not negatively affect firewall or VPN throughput.

Full IPS protection: The Cisco ASA 5500 Series IPS Solution offers full IPS protection. It supports the same intrusion prevention software found in Cisco IPS 4200 Series Sensors.

Global Correlation: Part of Cisco IPS Sensor Software 7.0, IPS with Global Correlation provides real-time updates on the global threat environment beyond the perimeter, enabling your sensors to detect more threats, detect them earlier and more accurately, and protect critical assets from malicious attacks. With global correlation, your security definitions are updated every 15 minutes, so you always have the most current protection available.

Reputation technology: Using market-leading reputation technology backed by Cisco Global Correlation, you are proactively protected from known malicious users who attempt to gain access to your critical assets.

Comprehensive and timely attack protection: Through signature updates provided by a global security intelligence team working 24 hours a day, your critical assets and services are secured.

Zero-day attack protection: Cisco anomaly detection provides powerful protection against day-zero attacks. It learns the normal behavior on your network and alerts you when it sees anomalous activities in your network. Thus, you are protected against new threats even before signatures are available.

Wireless protection: Tight integration between the Cisco ASA 5500 Series IPS solution and the Cisco Wireless LAN Controller helps ensure that intruders do not enter your wireless network.

Unified Communications protection: Strong protection of voice-over-IP (VoIP) protocols, Cisco Unified CallManager, and devices provides maximum uptime of your critical voice network.

Advanced policy provisioning with Modular Policy Framework: The Cisco Modular Policy Framework provides a powerful mechanism to assign Cisco ASA firewall, VPN, and IPS policies in one place. With the Cisco Modular Policy Framework, the Cisco ASA firewall passes traffic to the AIP SSM for inspection on a flow-by-flow, as-needed basis for simplified management.

Cisco IPS policy provisioning: With Risk Rating–based IPS policy provisioning, you assign IPS policies based on risk, instead of tuning individual signatures. All events are assigned a Risk Rating number between 0 and 100 based on the risk level of the event. Based on the Risk Rating, different policy actions can be assigned, including drop packet, alarm, and log.

Cisco IPS Manager Express: Cisco IPS Manager Express is a powerful yet easy-to-use all-in-one IPS management application for as many as ten IPS sensors. With built-in provisioning, monitoring, troubleshooting, and reporting capabilities, Cisco IPS Manager Express simplifies IPS deployment and management.

Part Number	Firewall Performance	IPS Performance
ASA5505-50-AIP5-K9	150 Mbps	75 Mbps
ASA5505-U-AIP5P-K9	150 Mbps	75 Mbps
ASA5510-AIP10-K9	300 Mbps	150 Mbps
ASA5510-AIP20-K9	300 Mbps	300 Mbps
ASA5520-AIP10-K9	450 Mbps	225 Mbps
ASA5520-AIP20-K9	450 Mbps	375 Mbps
ASA5520-AIP40-K9	450 Mbps	450 Mbps
ASA5540-AIP20-K9	650 Mbps	500 Mbps
ASA5540-AIP40-K9	650 Mbps	650 Mbps
ASA 5585-X- SSP-10	2 Gbps	2 Gbps
ASA 5585-X- SSP-20	5 Gbps	3 Gbps
ASA 5585-X- SSP-40	10 Gbps	5 Gbps
ASA 5585-X- SSP-60	20 Gbps	10 Gbps

Cisco ASA 5500 Series Model/License	Cisco ASA 5540
Network Location	Internet Edge
Performance Summary
Maximum Firewall throughput	650 Mbps
Maximum Firewall Connections	400000
Maximum Firewall Connections/Second	25000
Packets Per Second (64 byte)	500000
Maximum 3DES/AES VPN Throughput	325 Mbps
Maximum Site-to-Site and IPsec IKEv1 Client VPN User Sessions	5000
Maximum AnyConnect or Clientless VPN User Sessions	2500
Bundled SSL VPN User Session	2
Technical Summary
Memory	2 GB
Minimum System Flash	256 MB
Integrated Ports	4-10/100/1000, 1-10/100 +4-10/100/1000 , 4 SFP (with 4GE SSM)
Maximum Virtual Interfaces (VLANs)	200
Expansion Capabilities
SSC/SSM/ICs Expansion	1-SSM
SSC/SSM/ICs Supported	CSC SSM, AIP SSM, 4GE SSM
Intrusion Prevention	Yes (with AIP SSM)
Concurrent Threat Mitigation Throughput (Mbps) (Firewall + IPS Services)	500 (wth AIP SSM-20) 650 (with AIP SSM-40)
Content Security (Anti-virus, Anti-Spyware, File Blocking)	Yes (with CSC SSM)
Maximum Number of Users for Anti-virus, Anti-spyware, File Blocking (CSC SSM only)	500 (CSC-SSM-10) 1000 (CSC-SSM-20)
Content Security Plus License features	Anti-spam, anti-phishing, URL filtering
Features
Cisco Adaptive Security Appliance Software Version (latest)	8.4
Application-layer Firewall Services	Yes
Layer 2 Transparent Firewalling	Yes
Security Contexts (included/maximum)1	02/01/50
GTP/GPRS Inspection1	Yes
High-availability Support2	A/A and A/S
SSL and IPsec VPN Services	Yes
VPN Clustering and Load Balancing	Yes
Advanced Endpoint Assessment1	Yes