Cisco FirePOWER ASA 5500 series Configuration Manual page 45

Security appliance command line

Introduction to the Security Appliance
The security appliance combines advanced stateful firewall and VPN concentrator functionality in one
device, and for some models, an integrated intrusion prevention module called the AIP SSM or an
integrated content security and control module called the CSC SSM. The security appliance includes
many advanced features, such as multiple security contexts (similar to virtualized firewalls), transparent
(Layer 2) firewall or routed (Layer 3) firewall operation, advanced inspection engines, IPSec and
WebVPN support, and many more features. See Appendix A, "Feature Licenses and Specifications," for
a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series
Release Notes or the Cisco PIX Security Appliance Release Notes.
Note
The Cisco PIX 501 and PIX 506E security appliances are not supported.
This chapter includes the following sections:
Firewall Functional Overview
VPN Functional Overview
Intrusion Prevention Services Functional Overview
Security Context Overview

Firewall Functional Overview
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall
can also protect inside networks from each other, for example, by keeping a human resources network
separate from a user network. If you have network resources that need to be available to an outside user,
such as a web or FTP server, you can place these resources on a separate network behind the firewall,
called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ
only includes the public servers, an attack there only affects the servers and does not affect the other
inside networks. You can also control when inside users access outside networks (for example, access to
the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by
coordinating with an external URL filtering server.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the
inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited
access to outside users. Because the security appliance lets you configure many interfaces with varied
security policies, including many inside interfaces, many DMZs, and even many outside interfaces if
desired, these terms are used in a general sense only.

Cisco Security Appliance Command Line Configuration Guide (OL-10088-01)

This manual is also suitable for:

PIX 500 series, Cisco ASA 5500 series