Cisco ASA Adaptive Security Appliance Overview - CCNP Security FIREWALL 642-618 Official Cert Guide (2012)

Chapter 1. Cisco ASA Adaptive Security Appliance Overview

This chapter covers the following topics:

Firewall Overview: This section provides an overview of protecting networks by establishing security domains and positioning firewalls to protect them.

Firewall Techniques: This section describes various firewall and network security methods.

Cisco ASA Features: This section covers the long list of security features that a Cisco ASA can provide.

Selecting a Cisco ASA Model: This section presents an overview and specifications of each ASA model so that the appropriate device can be selected.

Selecting ASA Licenses: Once an ASA model is selected to secure a network, it must be licensed to perform everything that is required. This section explains the variety of feature licenses and how to select them, based on the ASA model.

The Cisco Adaptive Security Appliance (ASA) is a versatile device that is used to secure a network. This chapter explains the concepts behind firewalls and other security tools, as they apply to the Cisco ASA. In addition, this chapter covers how to select an ASA model, the appropriate ASA features, and the correct ASA licenses based on high-level design requirements.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 1-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 1-1. “Do I Know This Already?” Section-to-Question Mapping

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


1. Which of the following are recommended tasks for making a security domain secure? (Choose all that apply.)

a. Place a router at the boundary of trusted and untrusted areas of the network, and then place a firewall inside the trusted area.

b. Place a firewall at the boundary of trusted and untrusted areas of the network.

c. Make the firewall the only path into and out of the security domain.

d. Make the firewall the only path into and out of the untrusted domain.

e. Harden the firewall against attacks.

f. Force protected traffic through the firewall and bypass other traffic around it.

2. Which one of the following is considered to be the most secure?

a. Logically separating a network with a firewall.

b. Physically separating a network with a firewall.

c. Putting the trusted and untrusted areas on different VLANs that are connected to a firewall over a trunk link.

d. None of these answers are correct.

3. Consider the following list of rules, and then choose the answer that best describes it.

10 Permit all HTTP traffic
20 Permit all SMTP traffic to host 10.10.1.10
30 Permit all DNS queries
40 Deny everything

a. Reactive access control

b. Permissive access control

c. Restrictive access control

d. Protective access control

4. Which one of the following techniques would be the best choice for filtering HTTP (TCP port 80) sessions?

a. Stateless packet filtering

b. Stateful packet filtering

c. Stateful packet filtering with application inspection and control

d. Network intrusion protection system

e. Network behavior analysis

5. Which of the following is not typically used for a restrictive approach to traffic filtering?

a. Stateless packet filtering

b. Stateful packet filtering

c. Stateful packet filtering with AIC

d. Network IPS

e. Network behavior analysis

6. A company wants to join its network with another business partner, but wants to place a firewall between the two. Users within the company’s home network should appear to use the business partner’s IP address space when they access the partner’s servers. Which of the following Cisco ASA features should be used to meet this requirement?

a. Stateful packet filtering

b. NAT

c. IPS

d. AIC

e. NBA

7. A business has been the target of several attacks recently, where its network was scanned or probed to find unsuspecting victims. Which Cisco ASA feature should you leverage to detect and prevent further attacks?

a. Remote Access VPNs

b. Virtualization

c. Traffic policing

d. Botnet Traffic Filtering

e. Threat detection

8. A company wants to begin using a firewall to protect its network, but it doesn’t want to disrupt its operations with any IP address reconfiguration. In fact, it doesn’t want to change the IP addresses on any of its existing network devices when the firewall is installed. Which Cisco ASA feature could you use to meet this requirement?

a. NAT

b. Virtualization

c. IP routing

d. Transparent firewall mode

e. AIC

9. A medium-sized business would like to implement a firewall where it borders the public Internet. The business also plans to add intrusion prevention at the border. Assuming the business’s Internet bandwidth will not exceed 350 Mbps, which of the following ASA models in combination with an integrated IPS module should you select?

a. ASA 5505 with an AIP-SSC-5

b. ASA 5510 with an AIP-SSM-10

c. ASA 5520 with an AIP-SSM-20

d. ASA 5550 with an AIP-SSM-40

e. Any of the combinations in these answers will work.

10. Which one of the following represents a typical environment or application for an ASA 5550?

a. A remote office

b. A teleworker’s home

c. A data center requiring 10-Gbps throughput

d. A large enterprise requiring 5-Gbps throughput

e. A large enterprise requiring 1-Gbps throughput

11. Assuming the correct license has been purchased and activated, which of the following ASA models can support 50 virtual firewalls or security contexts? (Choose all that apply.)

a. ASA 5510

b. ASA 5520

c. ASA 5540

d. ASA 5550

e. ASA 5580

f. ASA 5585-X

12. Which one of the following functions requires the purchase of an additional feature license for a Cisco ASA 5520?

a. Strong encryption

b. Botnet Traffic Filtering

c. DHCP server

d. Threat protection

e. Stateful packet filtering with AIC

Foundation Topics

To preserve the integrity and stability of resources on a network, they must be protected from things that can’t always be trusted or controlled. Rather than begin with a list of possible network attacks, exploits, and vulnerabilities, this chapter presents an overview of a firewall, its features, and how it fits into various scenarios to protect a network. Individual security threats are described throughout this book as the appropriate firewall features to protect against those threats are introduced.

Firewall Overview

Network security engineers must protect valuable resources within a network. For example, corporate data might be confidential or critical to the operation of a business or to offering patient care, in which case it must be kept from prying eyes and protected from tampering. Similarly, the computers in a network might need to be protected from outside interference so that they are kept stable and in good working order.

To protect these resources, the network must somehow be divided into trusted and untrusted parts. The trusted portions of the network are known as security domains; everything inside the security domain is protected from everything outside the domain. As a simple example, a small company decides to protect itself from the public Internet. The security domain forms where the company’s network meets the Internet, and everything inside the company network resides within a secure boundary. Figure 1-1 illustrates this scenario.

Figure 1-1. A Simple Security Domain

The most common and effective way to implement a security domain is to place a firewall at the boundary between the trusted and untrusted parts of a network. By definition, a firewall is a device that enforces an access control policy between two or more security domains. Firewalls have interfaces that connect into the network. In order for a firewall to do its job, all traffic that crosses a security domain boundary must pass through the firewall. In effect, a firewall becomes the only pathway or “chokepoint” to get in or out of the security domain.

For the simple network shown in Figure 1-1, a firewall would sit on the trust boundary and become the only path between Company A’s internal trusted network and the untrusted public Internet, as shown in Figure 1-2. Although Figure 1-2 shows the addition of the firewall, several things must happen before the firewall can make the security domain truly secure:

Figure 1-2. Implementing a Security Domain with a Firewall

• The firewall must be the only path into and out of the secured network. No other paths around the firewall or “backdoors” into the network behind the firewall can exist. The firewall can enforce security policies on only the traffic that passes through it, not around or behind it.

• The firewall itself must be hardened or made resistant to attack or compromise. Otherwise, malicious users on the untrusted side might take control of the firewall and alter its security policies.

Sometimes, a single security domain with a single firewall isn’t enough. Suppose Company A wants to secure itself from the public Internet, but it also has a data center that needs to be even more secure. Company A trusts its employees to perform their job functions, but it can’t risk letting anyone access its mission-critical resources in an improper way or disrupt any services in its data center. Therefore, Company A decides to make a second security domain around the data center, as shown in Figure 1-3.

Figure 1-3. Multiple Security Domains and Firewalls

Each security domain is implemented with a firewall at its border. On the inside of the security domain or firewall, trusted resources exist; on the outside are untrusted things. This trust relationship is only locally significant, however. Consider the data center boundary firewall in Figure 1-3. The users just outside the data center are untrusted (at least from the perspective of that firewall), but they are still trusted from the perspective of the Internet boundary firewall. Each firewall has its own set of security policies and its own concept of a trust boundary.

Now consider a different scenario. Company A is surrounded by a security domain at the Internet boundary. It wants to allow its internal, trusted users to connect to resources out on the public Internet through the Internet firewall. Company A also has some web servers that it wants to have face the public so that untrusted Internet users can interact with the business.

If the web servers are located somewhere inside the security domain, then untrusted users would be granted access into the trusted environment. That isn’t necessarily bad, except that malicious users might be able to attack or compromise one of the web servers. Because the web server is already a trusted resource, the malicious users might then use that server to attack other trusted resources.

A better solution is to put the web servers into a security domain of their own, somewhere between the trusted internal network and the untrusted Internet. This is commonly called a demilitarized zone (DMZ). Figure 1-4 shows one solution that leverages the Internet firewall. With the addition of a third interface, the firewall can act as the boundary between a trusted domain, an untrusted public network, and a new “somewhat trusted” domain full of web servers.

Figure 1-4. Using a Single Firewall to Form Multiple Security Domains

Whenever a firewall is used to form a security domain boundary, it must somehow separate the network into distinct parts. This can be done in one of two ways: physical separation or logical separation.

Physical separation requires that each physical firewall interface must be connected into a distinct network infrastructure. This usually requires additional hardware and additional cost. For example, Figure 1-5 shows how a firewall physically separates a network into two distinct pieces, with each firewall interface connecting into a different switch. Physical separation provides the utmost security because traffic cannot pass between security domains without some sort of physical intervention—the firewall would have to be disconnected, cables rerouted, and so on.

Figure 1-5. Physical Separation of Security Domains

A firewall can also be positioned to offer logical separation. In this case, the security domains exist on the same physical network infrastructure, but are separated logically into different virtual local area networks (VLAN), virtual storage area networks (VSAN), or Multiprotocol Label Switching Virtual Private Networks (MPLS VPN). In Figure 1-6, a firewall forms a boundary between two security domains that are carried over two separate VLANs.

Figure 1-6. Logical Separation of Security Domains

While the firewall could use two physical interfaces to connect to the two VLANs, the VLANs could just as easily be carried over a single trunk link or one physical firewall interface. Logical networks are cost effective and can be flexible and complex. This makes logical separation less secure than physical separation, simply because a firewall might be bypassed or breached through a misconfiguration or failure of a logical network component or through an exploit of the logical separation itself.

Firewall Techniques

In its most basic form, a firewall strives to isolate its interfaces from each other and to carefully control how packets are forwarded from one interface to another. A firewall can enforce access control across a security boundary based on layers in the Open Systems Interconnection (OSI) model.

For example, a firewall performing network layer access control can make decisions based on Layers 2 through 4, or the data link, network, and transport layers. Such a firewall might control whether IP traffic can pass through, whether hosts on one side can open UDP or TCP connections to resources on the other side, and so on.

Firewalls that perform application layer access control enforce security policies at Layers 5 through 7, or the session, presentation, and application layers. Such a firewall can control what users do within applications that pass data from one side to another. For example, an application layer firewall might verify that a user’s web browsing sessions are conforming to the industry standard protocols, or that a user’s email or file transfers do not contain viruses or confidential material.

A firewall can take one of the following approaches to its access control:

Permissive access control: All traffic is allowed to pass through unless it is explicitly blocked.

Restrictive access control: No traffic is allowed to pass through unless it is explicitly allowed.

Permissive access control is also known as a reactive approach because it can react or block traffic only after potentially threatening things are identified and rules are put in place. Otherwise, everything else is allowed to pass through. Permissive rules are usually added to a firewall by intrusion prevention systems (IPS) and antivirus systems, which are tools that react to things that are detected on the network in real time.

Restrictive access control is also known as a proactive approach. Every acceptable type of traffic is identified ahead of time and entered into the firewall rules so that it may pass without further intervention. Any other traffic, whether it is malicious, undesirable, or just unidentified, is blocked by default. This is the same approach that is used by Cisco IOS access lists—traffic rules are processed in sequential order but always end with an implicit “deny all” rule.
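The following is an added example, not code from the Cert Guide or from Cisco, that models sequential rule processing with a default action. It writes out the quiz's four-rule list in a small rule format of its own (HTTP is taken as TCP/80, SMTP as TCP/25 and DNS queries as UDP/53, which is this example's interpretation) and contrasts it with a permissive list in which only Telnet is blocked. A packet is compared against the rules in sequence order, the first match decides, and an unmatched packet falls through to the implicit default: deny for a restrictive policy, permit for a permissive one.

```python
"""Sequential rule evaluation: restrictive vs. permissive defaults.

Added illustration; the rule format, addresses and packets are constructed
for this example and are not taken from any Cisco configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields a network-layer filter looks at (constructed sample input)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One ordered rule; a None field matches anything."""
    seq: int
    action: str                   # "permit" or "deny"
    proto: Optional[str] = None
    dst: Optional[str] = None     # CIDR string, e.g. "10.10.1.10/32"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str) -> Tuple[str, Optional[int]]:
    """Walk the rules in sequence order; the first match decides.

    If no rule matches, `default` applies: "deny" for a restrictive policy
    (the implicit deny-all at the end of an IOS access list), "permit" for a
    permissive one. Returns (action, sequence number of the matching rule or None).
    """
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(pkt):
            return rule.action, rule.seq
    return default, None


# The quiz's rule list in this example's format. Rule 40 is written out
# explicitly, exactly as the quiz shows it; evaluate()'s default covers the
# implicit deny that would apply even if it were left off.
RESTRICTIVE_RULES = [
    Rule(10, "permit", proto="tcp", dport=80),                       # all HTTP traffic
    Rule(20, "permit", proto="tcp", dst="10.10.1.10/32", dport=25),  # SMTP to one host
    Rule(30, "permit", proto="udp", dport=53),                       # all DNS queries
    Rule(40, "deny"),                                                # everything else
]

# A permissive counterpart: everything passes unless explicitly blocked.
PERMISSIVE_RULES = [
    Rule(10, "deny", proto="tcp", dport=23),   # block Telnet only
]

if __name__ == "__main__":
    smtp_to_mail_host = Packet("192.0.2.5", "10.10.1.10", "tcp", 25)
    smtp_elsewhere = Packet("192.0.2.5", "10.10.1.11", "tcp", 25)
    ssh = Packet("192.0.2.5", "10.10.1.11", "tcp", 22)
    print("restrictive:", evaluate(RESTRICTIVE_RULES, smtp_to_mail_host, "deny"))
    print("restrictive:", evaluate(RESTRICTIVE_RULES, smtp_elsewhere, "deny"))
    print("permissive: ", evaluate(PERMISSIVE_RULES, ssh, "permit"))
```

Rule order matters: if rule 40 were moved ahead of rule 10, every packet would match it first and the permits below it would never be consulted. That is why the chapter stresses that rules are processed sequentially.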

A firewall can use its access control approach to evaluate and filter traffic based on the methods and techniques described in the following sections.

Stateless Packet Filtering

Some firewalls examine traffic based solely on values found in a packet’s header at the network or transport layer. Decisions to forward or block a packet are made on each packet independently. Therefore, the firewall has no concept of a connection state; it knows only whether each packet conforms to the security policies.

Stateless packet filtering is performed by using a statically configured set of firewall rules. Even if a connection involves dynamic negotiation of further sessions and protocol port numbers, the stateless firewall is unaware. Stateless packet filters can be characterized by the attributes listed in Table 1-2.

Table 1-2. Characteristics of a Stateless Packet Filter

Stateful Packet Filtering

Stateful packet filtering (SPF) requires that a firewall keep track of individual connections or sessions as packets are encountered. The firewall must maintain a state table for each active connection that is permitted, to verify that the pair of hosts is following an expected behavior as they communicate. As well, the firewall must inspect traffic at Layer 4 so that any new sessions that are negotiated as part of an existing connection can be validated and tracked. Tracking the negotiated sessions requires some limited inspection of the application layer protocol.
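The difference between the two preceding sections, as an added example that is not code from the Cert Guide or from Cisco: an inside client opens a web connection through the firewall, and both a stateless filter and a stateful one decide on each packet. The addresses, ports and packet sequence are constructed, "inside" is the trusted interface and "outside" the untrusted one, and only the TCP handshake and data phase are modelled (connection teardown and idle timeouts are left out). The stateless filter can only permit return traffic by leaving a standing rule for any outside packet sourced from port 80, so an unsolicited packet from an unrelated host passes it; the stateful filter keeps a state table and permits an outside packet only when a tracked connection expects it.

```python
"""Stateless vs. stateful filtering of an inside client's web connection.

Added example with constructed addresses, ports and packets; not code from
the Cert Guide or from any Cisco product.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # arriving interface: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters: "S" SYN, "SA" SYN-ACK, "A" ACK


def stateless_filter(pkt: Packet) -> str:
    """Per-packet header checks only; the filter remembers nothing.

    To let inside clients receive web replies, a stateless policy has to
    leave a standing rule for *any* outside packet sourced from port 80.
    """
    if pkt.iface == "inside" and pkt.dport == 80:
        return "permit"   # outbound HTTP request
    if pkt.iface == "outside" and pkt.sport == 80:
        return "permit"   # anything that merely looks like a web reply
    return "deny"


class StatefulFilter:
    """Keeps a state table so that only replies to tracked connections pass."""

    def __init__(self) -> None:
        # (client, client port, server, server port) -> connection state
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.iface == "inside":
            if fwd in self.table:
                return "permit"                 # client side of a tracked connection
            if pkt.flags == "S" and pkt.dport == 80:
                self.table[fwd] = "SYN_SENT"    # new outbound connection: start tracking
                return "permit"
            return "deny"                       # mid-stream segment with no connection
        # Outside interface: nothing passes unless a tracked connection expects it.
        state = self.table.get(rev)
        if state is None:
            return "deny"                       # unsolicited, even with source port 80
        if state == "SYN_SENT":
            if pkt.flags == "SA":
                self.table[rev] = "ESTABLISHED"
                return "permit"
            return "deny"                       # reply out of handshake order
        return "permit"                         # established connection


# Constructed exchange: inside client 10.1.1.5 opens a web connection to
# 198.51.100.7, while an unrelated host 203.0.113.9 sends unsolicited packets
# sourced from port 80 before and after the real handshake.
SAMPLE_PACKETS: List[Packet] = [
    Packet("outside", "203.0.113.9", 80, "10.1.1.5", 40000, "SA"),   # unsolicited, no SYN yet
    Packet("inside", "10.1.1.5", 40000, "198.51.100.7", 80, "S"),
    Packet("outside", "198.51.100.7", 80, "10.1.1.5", 40000, "SA"),
    Packet("inside", "10.1.1.5", 40000, "198.51.100.7", 80, "A"),
    Packet("outside", "198.51.100.7", 80, "10.1.1.5", 40000, "A"),   # data from the real server
    Packet("outside", "203.0.113.9", 80, "10.1.1.5", 40000, "A"),    # unsolicited, source port 80
]


def compare(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Run both filters over a packet sequence; returns (stateless, stateful) verdicts."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.filter(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (sl, sf) in zip(SAMPLE_PACKETS, compare(SAMPLE_PACKETS)):
        print(f"{pkt.iface:7} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{pkt.flags:2} stateless={sl:6} stateful={sf}")
```

The first and last packets are where the two approaches part ways: the stateless filter permits both because their header values satisfy its static rule, while the stateful filter denies both because no entry in its state table matches them. The protocols the chapter mentions that negotiate additional sessions would need the state table to be extended with the negotiated ports, which is the "limited inspection of the application layer protocol" the text refers to.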

Stateful packet filters can be characterized by the attributes listed in Table 1-3.

Table 1-3. Characteristics of a Stateful Packet Filter

Stateful Packet Filtering with Application Inspection and Control

To move beyond stateful packet filtering, firewalls must add additional analysis at the application layer. Inspection engines in the firewall reassemble UDP and TCP sessions and look inside the application layer protocols that are passing through. Application inspection and control (AIC) filtering, also known as deep packet inspection (DPI), can be performed based on the application protocol header and its contents, allowing greater visibility into a user’s activity.

AIC comes at a price, as a firewall needs more processing power and more memory to be able to inspect and validate application sessions as they unfold.

SPF with AIC can be characterized by the attributes listed in Table 1-4.

Table 1-4. Characteristics of Stateful Packet Filtering with Application Inspection and Control

Network Intrusion Prevention System

A network intrusion prevention system (NIPS) examines and analyzes network traffic and compares it to a database of known malicious activity. The database contains a large number of signatures or patterns that describe specific known attacks or exploits. As new attacks are discovered, new signatures are added to the database.

In some cases, NIPS devices can detect malicious activity from single packets or atomic attacks. In other cases, groups or streams of packets must be collected, reassembled, and examined. A NIPS can also detect malicious activity based on packet and session rates, such as a denial-of-service TCP SYN flood, that differ significantly from normal activity on the network.

A network IPS usually operates with a permissive approach, where traffic is allowed to cross security domains unless something suspicious is detected. Once that occurs, the NIPS can generate firewall rules dynamically to block or reset malicious packets or connections.

A NIPS can be characterized by the attributes listed in Table 1-5.

Table 1-5. Characteristics of a Network Intrusion Prevention System

Network Behavior Analysis

Network behavior analysis (NBA) systems examine network traffic over time to build statistical models of normal, baseline activity. This isn’t a simple bandwidth or utilization average; rather, the models consider things like traffic volume, traffic rates, connection rates, and types of application protocols that are normally used. An NBA system continually examines traffic and refines its models automatically, although human intervention is needed to tune the results.

Once the models are built, an NBA system can trigger on any activity that it considers to be an anomaly or that falls outside the normal conditions. In fact, NBA systems are often called anomaly-based network IPSs. Even when malicious activity involves a previously unknown scheme, an NBA system can often detect it if it involves traffic patterns or volumes that fall outside the norm. An NBA system can be characterized by the attributes listed in Table 1-6.
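The baseline-and-anomaly idea described above, as an added example that is not code from the Cert Guide or from any Cisco product. It tracks one of the metrics the text names, the number of new connections a host opens per minute, with a running mean and standard deviation (Welford's online algorithm), and flags a minute whose count lies more than three standard deviations from the learned norm. The per-minute counts are constructed; minutes 15 and 16 resemble a host fanning out to many destinations. Anomalous observations are deliberately kept out of the baseline, so that a burst does not widen the model and mask later ones; the warm-up length, the threshold and the floor on the standard deviation are the tuning knobs the text says need human attention.

```python
"""Anomaly detection from a statistical baseline (the NBA approach).

Added example; the per-minute connection counts are constructed and the
thresholds are illustrative defaults, not values from any product.
"""
import math
from typing import List, Tuple


class Baseline:
    """Running mean/variance of a traffic metric, updated one observation at a time."""

    def __init__(self, warmup: int = 10, threshold: float = 3.0, min_std: float = 1.0):
        self.n = 0
        self.mean = 0.0
        self._m2 = 0.0              # sum of squared deviations (Welford)
        self.warmup = warmup        # observations needed before scoring starts
        self.threshold = threshold  # |z-score| beyond which a value is anomalous
        self.min_std = min_std      # floor so a flat baseline does not flag noise

    @property
    def std(self) -> float:
        if self.n < 2:
            return self.min_std
        return max(math.sqrt(self._m2 / (self.n - 1)), self.min_std)

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self._m2 += delta * (x - self.mean)

    def zscore(self, x: float) -> float:
        return (x - self.mean) / self.std

    def is_anomaly(self, x: float) -> bool:
        return self.n >= self.warmup and abs(self.zscore(x)) > self.threshold


def detect_anomalies(series: List[int]) -> Tuple[List[int], Baseline]:
    """Return the indices of anomalous minutes and the final baseline model.

    Anomalous observations are not folded into the baseline, so a scan or
    flood does not stretch the model and hide later bursts.
    """
    model = Baseline()
    flagged: List[int] = []
    for i, count in enumerate(series):
        if model.is_anomaly(count):
            flagged.append(i)
            continue
        model.update(count)
    return flagged, model


# Constructed: new connections per minute opened by one inside host.
SAMPLE_SERIES = [20, 18, 22, 19, 21, 20, 23, 17, 20, 21,   # minutes 0-9: warm-up
                 19, 22, 20, 18, 21,                       # minutes 10-14: normal
                 140, 150,                                 # minutes 15-16: burst
                 21, 20]                                   # minutes 17-18: back to normal

if __name__ == "__main__":
    flagged, model = detect_anomalies(SAMPLE_SERIES)
    print(f"baseline mean={model.mean:.1f} std={model.std:.1f}")
    print("anomalous minutes:", flagged)
```

A signature-based NIPS would have no pattern for this host's behaviour; the detection here comes purely from the departure from the host's own history, which is what lets an NBA system catch schemes it has never seen before.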

Table 1-6. Characteristics of a Network Behavior Analysis System

Application Layer Gateway (Proxy)

An application layer gateway (ALG) or proxy is a device that acts as a gateway or intermediary between clients and servers. A client must send its application layer requests to the proxy, in place of any destination servers. The proxy masquerades as the client and relays the client’s requests on to the actual servers. Once the servers answer the requests, the proxy evaluates the content and decides what to do with them.

Because a proxy operates on application requests, it can filter traffic based on the IP addresses involved, the type of application request, and the content of any data that is returned from the server.

Proxies can perform detailed and thorough analysis of client-server connections. Traffic can be validated against protocol standards at Layers 3 through 7, and the results can be normalized or made to conform to the standards, as needed. An ALG or proxy can be characterized by the attributes listed in Table 1-7.

Table 1-7. Characteristics of an Application Layer Gateway (Proxy)

Cisco ASA Features

The Cisco ASA is the focus of the FIREWALL exam. Is the ASA a firewall? Yes. Is it more than a firewall? Yes! The Cisco ASA platform has the capability to perform any of the firewall techniques described in the previous sections.

Even further, the ASA has many features that go beyond the basic firewall techniques, giving it great versatility. A summary of the ASA features is presented in the following sections. You should become familiar with these features, as you will need to be able to select the appropriate ASA features and technologies on the exam, given some high-level design criteria:

Stateful packet filtering engine: The SPF engine tracks connections and their states, performing TCP normalization and conformity checks, as well as dynamic session negotiation. Chapter 9, “Inspecting Traffic,” covers the SPF engine in more detail.

Application inspection and control: The AIC function analyzes application layer protocols to track their state and to make sure they conform to protocol standards. Chapter 9 covers the AIC functionality in more detail.

User-based access control: The ASA can perform inline user authentication followed by Cut-through Proxy, which controls the access that specific users are allowed to have. Once a user is authenticated, Cut-through Proxy also accelerates inspection of a user’s traffic flows. Chapter 10, “Using Proxy Services to Control Access,” covers these functions in more detail.

Session auditing: Accounting records can be generated for user-based sessions, as well as for application layer connections and sessions. Chapter 6, “Recording ASA Activity,” covers session auditing in more detail. Session auditing can be used to generate audit trails, traffic accounting, and incident investigation.

Security Services Modules: The ASA platform supports several Security Services Modules (SSM) that contain specialized hardware to offload processor-intensive security functions. An ASA can contain one SSM, offloading either IPS or content security services. Chapter 15, “Integrating ASA Service Modules,” covers SSMs in more detail.

Reputation-based Botnet Traffic Filtering: An ASA can detect and filter traffic involved with botnet activity on infected hosts. The Botnet Traffic Filter database used to detect botnet threats is periodically updated by Cisco. Chapter 9 covers Botnet Traffic Filtering in more detail.

Category-based URL filtering: An ASA can leverage an external URL filtering server to enforce acceptable use policies and control user access to various types of web services.

Cryptographic Unified Communications (UC) proxy: When Cisco Unified Communications traffic must pass through an ASA, the ASA can be configured as an authorized UC proxy. The ASA can then terminate and relay cryptographically protected UC sessions between clients and servers.

Denial-of-service prevention: An ASA can leverage traffic-control features like protocol normalization, traffic policing, and connection rate controls to minimize the effects of denial-of-service (DoS) attacks. Chapter 9 covers DoS prevention in more detail.

Traffic correlation: The threat detection feature examines and correlates traffic from many different connections and sessions to detect and block anomalies stemming from network attacks and reconnaissance activity. Chapter 9 covers threat detection in more detail.

Remote access VPNs: An ASA can support secure VPN connections from trusted users located somewhere on an untrusted network. Clientless SSL VPNs can be used to offer a secure web portal for limited remote access to users, without requiring VPN client software. For complete secure network access, full tunneling of all user traffic is supported with either SSL VPNs or IPsec VPNs, which require VPN client software. Remote access VPNs are covered in the CCNP Security VPN 642-648 Official Cert Guide.

Site-to-site VPNs: An ASA can support IPsec VPN connections between sites or enterprises. Site-to-site or LAN-to-LAN VPN connections are usually built between firewalls or routers at each location. Site-to-site VPNs are covered in the CCNP Security VPN 642-648 Official Cert Guide.

High availability failover clustering: Two identical ASA devices can be configured to operate as a failover pair, making the ASA security functions redundant in case of a hardware failure. Chapter 14, “Deploying High Availability Features,” covers failover clustering in more detail.

Redundant interfaces: To increase availability within a single ASA, interfaces can be configured as redundant pairs so that one is always active, while the other takes over after an interface hardware failure. Redundant interfaces are covered in Chapter 3, “Configuring ASA Interfaces,” and can be used in conjunction with failover clustering.

EtherChannel: Multiple ASA interfaces can be aggregated or bundled together as a single logical interface. By connecting an EtherChannel between an ASA and a switch, you can scale the bandwidth and offer additional redundancy. EtherChannels are covered in Chapter 3.

Traffic and policy virtualization: An ASA can be configured to operate multiple virtual instances or security contexts, each acting as an independent firewall. Each virtual context has its own set of logical interfaces, security policies, and administrative control. Chapter 13, “Creating Virtual Firewalls on the ASA,” covers virtual security contexts in more detail.

Rich IP routing functionality: An ASA can forward traffic onto the local networks connected to each of its interfaces without any additional IP routing information. It can also be configured to use static routes or a dynamic routing protocol such as RIPv1, RIPv2, EIGRP, and OSPF to make more complex routing decisions. Chapter 4, “Configuring IP Connectivity,” covers IP routing in more detail.

Powerful Network Address Translation (NAT): As an ASA inspects and forwards packets, it can apply a rich set of NAT functions to alter source and destination addresses. Chapter 7, “Using Address Translation,” covers NAT in more detail.

Transparent (bridged) operation: An ASA can be configured to operate as a transparent firewall, effectively becoming a secure bridge between its interfaces. Transparent firewall mode allows an ASA to be wedged into an existing network without requiring any readdressing of the network. Chapter 12, “Using Transparent Firewall Mode,” covers transparent firewall mode in more detail.

Integrated DHCP, DDNS, and PPPoE: An ASA can be configured to act as a DHCP client or a PPP over Ethernet (PPPoE) client to obtain a dynamic IP address for its interfaces from the network, and as a Dynamic DNS (DDNS) client to record information for hostname-to-address resolution. As well, an ASA can act as a DHCP server to offer IP addressing services to other hosts on the network. Chapter 4 covers most of these features.

IPv6 support: An ASA can be configured to operate natively in an IPv6 network.

IP multicast support: An ASA can leverage the Internet Group Management Protocol (IGMP) and the Protocol Independent Multicast (PIM) protocol to participate in handling IP multicast traffic.

Management control and protocols: An ASA supports several different methods of management control, including a console port, Telnet, Secure Shell (SSH), Secure HTTP (HTTPS), and Simple Network Management Protocol (SNMP; Versions 1, 2c, and 3). A dedicated out-of-band management port is also available. An ASA can send event notifications using SNMP traps, NetFlow, and syslog. Chapter 5, “Managing a Cisco ASA,” covers management control in more detail.

Simple software management: An ASA supports a local file system and remote file transfers for software upgrades. Software upgrades can be performed manually, automatically, or in a zero-downtime fashion on a failover cluster of ASAs. Chapter 13 covers software management in more detail.

Configuration flexibility and scalability: Security policies and rules can be configured using reusable objects. Through the Modular Policy Framework (MPF), security features can be configured and applied in a flexible and versatile manner. Chapter 8, “Controlling Access Through the ASA,” and Chapter 9 cover these features in more detail.

Cisco Security Management Suite: Multiple ASAs can be managed from the Cisco Security Management Suite for ease of administration.

Selecting a Cisco ASA Model

The Cisco ASA family consists of seven different models. In the FIREWALL exam, you will probably have to select an appropriate ASA model based on some high-level design criteria. How can you learn all of the specifications about every model? Fortunately, the model numbers can be used as a crude guide because they increase as the firewall capabilities or capacities increase.

The following sections briefly describe each of the ASA models, presented in order of increasing performance. The ASA features are consistent across the entire platform range, with some models limited only by feature licensing. Therefore, when you need to select an ASA model for a given scenario, your decision will most often hinge on the type of environment and the performance that is required.

ASA 5505

The ASA 5505 is the smallest model in the ASA lineup, in both physical size and performance. It is designed for small offices and home offices (SOHO). For a larger enterprise, the ASA 5505 is frequently used to support teleworkers in remote locations. Figure 1-7 shows front and rear views of the ASA 5505.

Figure 1-7. ASA 5505 Front and Rear Views

There are eight FastEthernet ports on the ASA 5505, all connected to an internal switch. Two of the ports are capable of offering Power over Ethernet (PoE) to attached devices. (The ASA itself cannot be powered by PoE.) By default, all eight ports are connected to the same VLAN in the switch, allowing connected devices to communicate with each other at Layer 2 directly.

The switch ports can be broken up into multiple VLANs to support different areas or functions within a small office. The ASA connects to each VLAN through individual logical interfaces. Any traffic crossing between VLANs must pass through the ASA and its security policies.

The ASA 5505 has one Security Services Card (SSC) slot that can accept an optional AIP-SSC-5 IPS module. With the module installed, the ASA can augment its security features with network IPS functions.

ASA 5510, 5520, and 5540

The ASA 5510, 5520, and 5540 models all use a common chassis and have identical front panel indicators and hardware connections. Figure 1-8 shows front and rear views of the common platform.

Figure 1-8. ASA 5510, 5520, and 5540 Front and Rear Views

The models differ in their security performance ratings, however. The ASA 5510 is designed for small to medium businesses (SMB) and remote offices for larger enterprises. The ASA 5520 is appropriate for medium-sized enterprises, while the ASA 5540 is more suited for medium- and large-sized enterprises and service provider networks.

The ASA 5520 and 5540 models have four 10/100/1000 Ethernet ports that can be used to connect into the network infrastructure. The four ports are dedicated firewall interfaces and are not connected to each other. An ASA 5510 can use all four Ethernet ports in FastEthernet (10/100) mode by default. If a Security Plus license is purchased and activated, two of the ports can operate as Gigabit Ethernet (10/100/1000) and two as FastEthernet. A fifth management Ethernet interface is also available.

The ASA 5510, 5520, and 5540 chassis have one SSM slot that can be populated with one of the following:

Four-port Gigabit Ethernet SSM: This module adds four additional physical firewall interfaces, as either 10/100/1000 RJ45 or small form-factor pluggable (SFP)-based ports.

Advanced Inspection and Prevention (AIP) SSM: This module adds inline network IPS capabilities to the ASA’s security suite.

Content Security and Control (CSC) SSM: This module adds comprehensive content control and antivirus services to the ASA’s security suite.

Each of the SSMs is described in more detail in the section, “Security Services Modules.”

The ASA 5510, 5520, and 5540 models have one AUX port that can be used for out-of-band management through an asynchronous serial connection or a modem. Each also has one FastEthernet port that is designated for management traffic but can be reconfigured for normal data traffic if needed.

ASA 5550

The ASA 5550 is designed to support large enterprises and service provider networks. Figure 1-9 shows both front and rear views. Notice that the ASA 5550 looks identical to the ASA 5510, 5520, and 5540 models. The most noticeable difference is that the ASA 5550 has one fixed four-port Gigabit Ethernet (4GE-SSM) module in the SSM slot, which cannot be removed or changed.

Figure 1-9. ASA 5550 Front and Rear Views

The ASA 5550 architecture features two groups of physical interfaces that connect to two separate internal buses. The interface groups are referred to as slot 0 and slot 1, corresponding to bus 0 and bus 1. Slot 0 consists of four built-in copper Gigabit Ethernet ports.

Slot 1 consists of four built-in copper and four built-in SFP Gigabit Ethernet ports, though only four of the eight ports can be used at any time.

The ASA 5550 offers high performance for demanding environments. To maximize the firewall throughput, the bulk of the traffic should go from the switch ports on bus 0 to the switch ports on bus 1. The ASA can forward traffic much more efficiently from bus to bus than it can if traffic stays within a single bus.

ASA 5580

The ASA 5580 is a high-performing model in the family and is designed for large enterprises, data centers, and large service providers. It can support up to 24 Gigabit Ethernet interfaces or up to 12 10-Gigabit Ethernet interfaces. It is one of two models that have a chassis larger than one standard rack unit (RU).


Note

As of February 10, 2011, the ASA 5580 reached end-of-life status. Although it still exists as a product at press time, in all likelihood the FIREWALL course and exam will no longer cover the model.


The ASA 5580, shown in Figure 1-10, comes in two performance models: the ASA 5580-20 (5-Gbps throughput) and the ASA 5580-40 (10-Gbps throughput). The chassis includes two built-in 10/100/1000 Gigabit Ethernet ports, which are normally used for out-of-band management traffic. The system also uses dual redundant power supplies.

Figure 1-10. ASA 5580 Front and Rear Views

The ASA 5580 chassis has a total of nine PCI Express expansion slots. Slot 1 is reserved for a cryptographic accelerator module, to support high-performance VPN operations. Slots 2 and 9 are reserved for future use, leaving six slots available for the following network interface cards:

• 4-port 10/100/1000BASE-T copper Gigabit Ethernet interfaces

• 4-port 1000BASE-SX fiber-optic Gigabit Ethernet interfaces

• 2-port 10GBASE-SR 10-Gigabit Ethernet fiber-optic interfaces

The ASA 5580 architecture has two I/O bridges that provide connectivity to the expansion slots, as shown in Figure 1-10. Unlike the ASA 5550, maximum throughput on the ASA 5580 is achieved when traffic flows stay within a single I/O bridge. The interfaces in slots 7 and 8 are all connected to I/O bridge 1, while the interfaces in slots 3, 4, 5, and 6 are connected to I/O bridge 2.

Any 10-Gigabit Ethernet interfaces should be installed in slots 5, 7, or 8, which are high-capacity PCIe-x8 slots.

Security Services Modules

Many of the ASA models can accept one Security Services Module (SSM). The SSM contains dedicated hardware that can offload specialized or processor-intensive functions. Cisco offers the Advanced Inspection and Prevention (AIP) SSM, the Content Security and Control (CSC) SSM, and the 4-port Gigabit Ethernet (4GE) SSM, which are shown in Figure 1-11 and described in the following sections.

Figure 1-11. Cisco ASA AIP-SSM, CSC-SSM, and 4GE-SSM


Note

The AIP-SSM and the CSC-SSM use identical hardware form factors, but run entirely different software.


Advanced Inspection and Prevention (AIP) SSM

The AIP-SSM runs the Cisco IPS Software image and performs network intrusion prevention functions in conjunction with the ASA. The ASA can put the AIP-SSM inline, where traffic is internally redirected to the module for inspection and handling before it is forwarded. Otherwise, the AIP-SSM can operate in promiscuous mode, where the ASA copies traffic to the module as it is being forwarded.

To be effective as a network IPS, the AIP-SSM must update its IPS signature database in a timely fashion. Signature updates are available only by subscribing to the Cisco Services for IPS service. The signature database is maintained and updated by Cisco Security Intelligence Operations (SIO) and contains well over 25,000 threat signatures. As new threats are discovered and identified, new signatures are added to the database, which must be downloaded into the AIP-SSM.

The AIP-SSM is available in several models, as listed in Table 1-8. The models are numbered sequentially, in order of increasing performance. Notice that not all models can work in every ASA platform. Higher-performing ASA models require higher-performing AIP-SSMs. Also notice that the ASA 5550 and 5580 models cannot accept an AIP-SSM at all.

Table 1-8. AIP-SSM Models

Content Security and Control (CSC) SSM

The CSC-SSM performs comprehensive antivirus, antispyware, antispam, antiphishing, file blocking, URL blocking and filtering, and content filtering in conjunction with the ASA. The ASA internally redirects traffic through the CSC-SSM, which runs the Trend Micro InterScan for Cisco CSC-SSM software image. Because so many of the CSC-SSM’s functions mitigate such a wide range of malware approaches, it is commonly referred to as the “Anti-X” module. HTTP, FTP, SMTP, and POP3 traffic are protected by the CSC-SSM.

For the CSC-SSM to be effective, it must stay updated with the latest content security information from Trend Micro. This is done automatically but requires a subscription service license from Cisco.

The CSC-SSM is available in two models, as listed in Table 1-9. The CSC-SSM-10 can support up to 50 users by default but can be expanded to 500 users through the purchase of additional licenses. The CSC-SSM-20 begins with 500 users and can be expanded to 1000 users with additional licenses.

Table 1-9. CSC-SSM Models

Both models come with a standard license that includes the antivirus, antispyware, and file-blocking features. If a Security Plus license is purchased, the CSC-SSM can also perform antispam, antiphishing, URL blocking/filtering, and content control.

4-port Gigabit Ethernet (4GE) SSM

The 4GE-SSM provides four additional Gigabit Ethernet ports to an ASA 5510, 5520, or 5540 model. Although the module has four copper 10/100/1000 RJ-45 ports and four SFP fiber-optic ports, only four ports of any type can be used at any time.

ASA 5585-X

The ASA 5585-X is the highest-performing model in the family and is designed for large enterprises and mission critical data centers. It has a 2-RU two-slot chassis and dual redundant power supplies, as shown in Figure 1-12. Each slot can accept a Security Services Processor (SSP).

Figure 1-12. ASA 5585-X Front and Rear Views

The ASA 5585-X comes in four performance models, depending on which of the following firewall/VPN SSPs is installed: the SSP-10 (3-Gbps throughput), the SSP-20 (7-Gbps throughput), the SSP-40 (12-Gbps throughput), and the SSP-60 (20-Gbps throughput). Depending on the model, the firewall/VPN SSP can offer up to four 10-Gbps Ethernet, six 10/100/1000, and two 10/100/1000 management interfaces, as shown in Figure 1-12.

The ASA 5585-X can also provide high-performance IPS operation in four performance models, through the addition of one of the following IPS SSPs in the upper slot (slot 1):

• IPS SSP-10 (2-Gbps throughput)

• IPS SSP-20 (3-Gbps throughput)

• IPS SSP-40 (5-Gbps throughput)

• IPS SSP-60 (10-Gbps throughput)

Figure 1-13 shows an ASA 5585-X with a firewall/VPN SSP installed in slot 0 and an IPS SSP in slot 1. The firewall/VPN SSP is always in control of and passes traffic to and from the IPS SSP. Notice that the two SSPs look identical, although they perform totally different functions. When an IPS SSP is added to a chassis, it also brings up to four 10-Gbps Ethernet and six 10/100/1000 additional interfaces that are controlled by the firewall/VPN SSP.

Figure 1-13. ASA 5585-X Populated with a Firewall/VPN and IPS SSPs


Note

The ASA 5585-X requires Cisco ASA software 8.2(3) or later. However, if an IPS SSP is installed, the ASA must run release 8.4(2) or later and Cisco IPS 7.1(1)E4 or later.


ASA Performance Breakdown

Sometimes, you will need to select an ASA model based on sheer performance ratings. For example, the exam might ask you to choose an appropriate ASA model based on the relative size of an organization or on the expected traffic or connection loads. You can use Table 1-10 and Table 1-11 to study how each ASA model relates to the type of environment or application it can typically support. The tables also list the throughput for bandwidth, connections, and packet handling.

Table 1-10. Traffic Performance of ASA Models

Table 1-11. Traffic Performance of ASA 5585-X Models

You should also be familiar with the number of interfaces that each ASA model can support. Table 1-12 and Table 1-13 list each ASA model along with the default number of physical interfaces that are installed, the maximum number of physical interfaces supported, and the number of VLANs or logical interfaces supported.

Table 1-12. Interfaces Supported by ASA Models

Table 1-13. Interfaces Supported by ASA 5585-X Models

Except for the ASA 5505, all other models can support virtual firewalls, also called security contexts. Each virtual firewall can operate independently, sharing processor, memory, and interface resources from the hardware platform. The number of supported virtual firewalls is listed in Table 1-14 and Table 1-15.

Table 1-14. Virtual Firewalls and High Availability Supported by ASA Models

Table 1-15. Virtual Firewalls and High Availability Supported by ASA 5585-X Models

ASA devices can also be configured to offer high availability by operating as clusters or failover pairs. The high availability mode varies depending upon the model and the installed license. In Table 1-14 and Table 1-15, the mode is shown to be Active/Standby (A/S), where one ASA actively protects a network while the other ASA sits idle in standby mode, or Active/Active (A/A), where both ASAs in a pair can actively participate in network protection.

Although the FIREWALL course and exam do not cover VPN topics in detail, you should still be familiar with the VPN capabilities of the ASA product family. Table 1-16 and Table 1-17 list the VPN throughput and maximum session ratings for each ASA model. VPN performance becomes important when an ASA must also support secure access for remote users and remote sites. By selecting the appropriate ASA model, you can make sure that the number of VPN users and the bandwidth they require are supported.

Table 1-16. VPN Performance by ASA Model

Table 1-17. VPN Performance by ASA 5585-X Model

Selecting ASA Licenses

The Cisco ASA has a long list of security features (some common and some not so common) such that no one size fits all. To tailor an ASA to a specific environment or application, features and capabilities are unlocked through an aggregated licensing scheme based on the ASA’s serial number. Each ASA model comes with a Base license that opens up a basic set of features. If additional capabilities are required, additional licenses must be purchased and their license activation keys must be entered into the ASA’s permanent memory. These licenses are considered to be permanent licenses because they are applied to the ASA on a permanent basis.

Suppose you want to try out an ASA feature or capability without a commitment to purchase the license just yet. Cisco also offers temporary time-based licenses so that you can evaluate a feature or upgrade a capability until a permanent license can be purchased. Most of the time-based licenses are valid for a time limit from 1 to 52 weeks. Once they are requested from Cisco, time-based license activation keys can be entered into the ASA.

For ASAs running Cisco ASA Software Release 8.0(4) or later, time-based licenses can be aggregated or used in conjunction with permanent licenses. Until a time-based license expires, the permanent and time-based licenses are combined. With features like Unified Communications Proxy and Multiple Security Contexts, the permanent and time-based licenses are added together. With most other features, the higher value of the two licenses is used. In contrast, Releases 8.0(3) or earlier consider time-based licenses to override any permanent licenses for a given feature. Beginning with Release 8.3, you can install multiple time-based license keys so that you can evaluate several features.

When two ASAs are configured as a failover pair for high availability, the licenses on the two units must be compatible. Prior to Cisco ASA Software Release 8.3(1), both ASAs must have identical licenses installed. Beginning with Release 8.3(1), the two units can have disparate licensing. For feature licenses that involve a numerical limit, the sum of the licenses on the two failover units is used. For feature licenses that are either enabled or disabled, the feature is enabled if the license is found on either ASA. If a time-based license is installed on either unit, the duration found on each unit is combined for a total license duration.
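The two sets of aggregation rules described above (permanent plus time-based keys on one unit, then the combination across a failover pair) are easy to misjudge when planning capacity. The following Python model is an added example, not Cisco code; the feature names, the `weeks` field and the release strings are constructed for illustration, and release comparison assumes the `major.minor(patch)` form used in this chapter.

```python
"""Model of the ASA license aggregation rules from this chapter (added
example, not Cisco code). Feature names and release strings are constructed."""
from dataclasses import dataclass, field

# Features whose permanent and time-based counts are ADDED on 8.0(4)+;
# every other numeric feature takes the HIGHER of the two values.
ADDITIVE_FEATURES = {"uc_proxy_sessions", "security_contexts"}


@dataclass
class LicenseSet:
    counts: dict = field(default_factory=dict)  # numeric limits per feature
    flags: set = field(default_factory=set)     # enabled/disabled features
    weeks: int = 0                              # time-based duration, 0 = none


def release_tuple(release: str) -> tuple:
    """'8.0(4)' -> (8, 0, 4) so releases can be compared numerically."""
    major, rest = release.split(".")
    minor, patch = rest.rstrip(")").split("(")
    return int(major), int(minor), int(patch)


def effective_on_unit(permanent: LicenseSet, timebased: LicenseSet,
                      release: str) -> LicenseSet:
    """Combine one unit's permanent and time-based licenses."""
    if timebased.weeks <= 0:  # no time-based key, or it has expired
        return LicenseSet(dict(permanent.counts), set(permanent.flags), 0)
    if release_tuple(release) < (8, 0, 4):
        # 8.0(3) and earlier: the time-based key overrides per feature.
        counts = dict(permanent.counts)
        counts.update(timebased.counts)
        return LicenseSet(counts, permanent.flags | timebased.flags,
                          timebased.weeks)
    counts = {}
    for feat in set(permanent.counts) | set(timebased.counts):
        p = permanent.counts.get(feat, 0)
        t = timebased.counts.get(feat, 0)
        counts[feat] = p + t if feat in ADDITIVE_FEATURES else max(p, t)
    return LicenseSet(counts, permanent.flags | timebased.flags,
                      timebased.weeks)


def effective_on_pair(unit_a: LicenseSet, unit_b: LicenseSet,
                      release: str) -> LicenseSet:
    """Combine the effective licenses of two failover units."""
    if release_tuple(release) < (8, 3, 1):
        # Before 8.3(1) the two units must carry identical licenses.
        if unit_a.counts != unit_b.counts or unit_a.flags != unit_b.flags:
            raise ValueError("pre-8.3(1) failover requires identical licenses")
        return LicenseSet(dict(unit_a.counts), set(unit_a.flags), unit_a.weeks)
    counts = {}
    for feat in set(unit_a.counts) | set(unit_b.counts):  # numeric: summed
        counts[feat] = unit_a.counts.get(feat, 0) + unit_b.counts.get(feat, 0)
    # on/off features: enabled if either unit has them; durations are combined
    return LicenseSet(counts, unit_a.flags | unit_b.flags,
                      unit_a.weeks + unit_b.weeks)
```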

ASA licenses are broken up into the following categories:

Base license: The default set of features.

Platform-specific licenses: The ASA 5505 and 5510 are unique because they offer a Base license that can be upgraded to a Security Plus license. On the ASA 5505, the Security Plus license increases the maximum number of connections, VPN sessions, and VLANs, and it unlocks stateless firewall high availability. On the ASA 5510, Security Plus increases the maximum number of connections, physical interfaces, VLANs, and virtual firewalls, and it unlocks VPN load balancing and full high availability support. The specific differences between the Base and Security Plus licenses are shown in Tables 1-10, 1-12, 1-14, and 1-16.

The ASA 5505 also keeps track of the number of concurrent active hosts or IP addresses on its inside network interface. The ASA can be purchased with an initial license of 10, 50, or an unlimited number of internal users. The number of internal users can also be upgraded to a total of 10, 50, or an unlimited number at a later time.

Feature licenses: The features listed in Table 1-18 can be licensed individually.

Table 1-18. ASA Aggregated Feature Licenses

Virtualization licenses: By default, every ASA (except the 5505 and 5510 Base licenses) comes with two virtual firewalls or security contexts. The number of contexts can be increased by purchasing either an initial feature license of 5, 10, 20, 50, or 100 contexts or a feature upgrade license to go from 5 to 10, 10 to 20, 20 to 50, or 100 to 250 contexts. The maximum number of contexts is limited by the ASA model.

Per-user cryptographic UC proxy licenses: An ASA can extend Unified Communications (UC) services to remote users on the outside of a network through the cryptographic UC proxy features. Each remote user can be supported by any or all of the following proxy functions: ASA Phone Proxy, ASA Mobility Proxy, ASA Presence Federation Proxy, and ASA TLS Proxy.

By default, each ASA model comes with two user UC proxy licenses. UC proxy functions can be increased by purchasing an initial license of 24, 50, 100, 250, 500, 750, 1000, 2000, 5000, or 10,000 users, depending on the ASA model being used. As well, the number of users can be increased by purchasing an upgrade license to go from the initial number of users to the next increment of users.

Per-user Premium SSL VPN licenses: An ASA can support remote access to users over SSL VPN connections. By default, every ASA comes with a license that allows two Cisco AnyConnect SSL VPN users to connect. Premium SSL VPN includes support for users who have the Cisco AnyConnect client software installed, clientless SSL VPN users, and the Cisco Secure Desktop protected environment.

The number of AnyConnect users can be increased by purchasing an initial license of 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000, or 10,000 users, depending on the ASA model being used. The number of VPN users can also be increased by purchasing an upgrade license to go from the initial number of users to the next increment of users.

ASA Memory Requirements

All ASA models ship with a default amount of DRAM installed, which is based on the feature set and the newest code image that are available at that time. As more features and functions are added into the code image, the ASA needs more memory resources at its disposal.

Cisco ASA Software Release 8.3 added many new features over previous releases. As a result, Cisco increased the minimum amount of DRAM required to run the image, as shown in Table 1-19. ASAs shipped with Release 8.3 or newer have the appropriate amount of memory installed; however, many ASA models that were put into service before Release 8.3 do not have the minimum memory to run 8.3 or newer. Cisco offers memory upgrades to bring such models into alignment with the newer code images.

Table 1-19. ASA Memory Requirements

Exam Preparation Tasks

As mentioned in the section, “How to Use This Book,” in the “Introduction,” you have a couple of choices for exam preparation: the exercises here, Chapter 17, “Final Preparation,” and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 1-20 lists these key topics and the page number on which each is found.

Table 1-20. Key Topics for Chapter 1

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

firewall

security domain

demilitarized zone (DMZ)

network layer access control

application layer access control

permissive access control

restrictive access control

stateless packet filtering

stateful packet filtering (SPF)

application inspection and control (AIC) filtering

deep packet inspection (DPI)

network intrusion prevention system (NIPS)

network behavior analysis (NBA) system

application layer gateway (ALG)

security context