Datasheet

All contents are Copyright © 1992–2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
| Feature | Details |
|---|---|
| RTP/RTCP inspection services | Provides the ability to inspect RTP and RTCP traffic on media connections opened by the unified communications inspection engines, such as SIP and SCCP connections. Allows businesses to set security policies for RTP/RTCP traffic such as validating conformance to RFC 1889, cross-checking media values between signaling and RTP to validate payload type, and policing of version number, payload type integrity, sequence numbers, and the synchronization source (SSRC). |
| Threat Prevention | |
| Intrusion prevention services | Optional Cisco ASA 5500 Series AIP-SSM Module applies intrusion prevention services to protect the unified communications infrastructure and call control servers from IPS signature-based attacks. The modules provide IPS services that have been optimized for unified communications and support specific unified communications engines such as the H.323/H.225 inspection engine, and help to prevent OS attacks on call control servers. Unique intrusion prevention capabilities such as anomaly detection, OS fingerprinting capabilities, and risk rating features provide better context on threats to guard against false positives. |
| Content security services | Allows businesses to implement a gateway-based content inspection feature to inspect content of e-mail and Web traffic. This helps ensure that the unified communications infrastructure is free from viruses, worms, spam, phishing, and malware attacks. |
| Encryption Services | |
| TLS Proxy | Addresses encrypted signaling and firewall integration issues where encrypted signaling leaves unified communications firewalls unable to dynamically open ports or apply policies. As a trusted device within the Cisco Unified Communications Manager system, the Cisco ASA appliance is able to intercept the encrypted signaling, mutually authenticate with the endpoint, and decrypt the signaling. Once the signaling is decrypted, the appliance is able to retrieve all the necessary signaling information and apply all the inspection and policy enforcement actions. To maintain secure connectivity from end to end, the appliance then initiates a secondary TLS session back to Cisco Unified Communications Manager. The signaling and communications between endpoint and Cisco Unified Communications Manager remain functionally the same and the firewall is able to deliver its unified communications security services. Supports TLS proxy services for both SIP and SCCP endpoints for comprehensive integration with Cisco Unified IP Phones. |
| SSL/IPsec VPN | Delivers robust encrypted SSL and IPsec VPN services for both unified communications and data traffic, with preconnection posture assessment for endpoints and the ability to apply policies and inspection capabilities to VPN traffic to prevent remote users from bringing vulnerabilities to the network. |
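
The RTP policing checks listed under RTP/RTCP inspection services (version number, payload type cross-checked against signaling, sequence numbers, SSRC) can be sketched as follows. This is an added example, not Cisco's implementation; the names `parse_rtp`, `RtpPolicer` and `make_rtp`, the sequence-jump tolerance, and the sample packets are assumptions made for illustration.

```python
import struct

def parse_rtp(pkt: bytes) -> dict:
    """Parse the fixed 12-byte RTP header defined in RFC 1889."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    return {"version": b0 >> 6,            # top two bits of the first byte
            "payload_type": b1 & 0x7F,     # low seven bits; top bit is the marker
            "seq": seq, "ssrc": ssrc}

class RtpPolicer:
    """Per-stream policy; expected_pt is the payload type negotiated in signaling."""
    def __init__(self, expected_pt: int, max_seq_jump: int = 100):
        self.expected_pt = expected_pt
        self.max_seq_jump = max_seq_jump   # assumed tolerance, not a standard value
        self.ssrc = None                   # learned from the first accepted packet
        self.last_seq = None

    def check(self, pkt: bytes) -> list:
        """Return a list of policy violations; an empty list means accept."""
        try:
            h = parse_rtp(pkt)
        except ValueError:
            return ["truncated-header"]
        issues = []
        if h["version"] != 2:
            issues.append("bad-version")
        if h["payload_type"] != self.expected_pt:
            issues.append("payload-type-mismatch")
        if self.ssrc is not None and h["ssrc"] != self.ssrc:
            issues.append("ssrc-changed")
        if self.last_seq is not None:
            # 16-bit arithmetic so 65535 -> 0 counts as a step of 1.
            delta = (h["seq"] - self.last_seq) & 0xFFFF
            # Strict policy: duplicates and reordered packets are flagged too.
            if delta == 0 or delta > self.max_seq_jump:
                issues.append("sequence-anomaly")
        if not issues:                     # only accepted packets update state
            self.ssrc, self.last_seq = h["ssrc"], h["seq"]
        return issues

def make_rtp(version: int, pt: int, seq: int, ssrc: int, ts: int = 0) -> bytes:
    """Build a constructed sample packet (header plus 20 bytes of dummy payload)."""
    return struct.pack("!BBHII", version << 6, pt, seq, ts, ssrc) + b"\x00" * 20
```
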
Ordering Information
To place an order, visit the Cisco Ordering Home Page. To download software, visit the Cisco
Software Center.
There are two ways to order the Cisco ASA 5500 Series Adaptive Security Appliance.
Organizations that are investing in a Cisco Unified Communications solution have the option to
order a bundle that includes Cisco Unified Communications Manager and a Cisco ASA 5500
Series Adaptive Security Appliance. These bundles, when configured using the Dynamic
Configurator tool or the Ordering Tool, provide Cisco ASA 5500 Series model recommendations for
every Cisco Unified Communications Manager server. For example:
- Cisco MCS 7825 servers: Cisco ASA 5520 security appliances are recommended
- Cisco MCS 7825 and 7835 servers: Cisco ASA 5540 security appliances are recommended
- Cisco MCS 7825, 7835, 7845, and higher: Cisco ASA 5550 security appliances are recommended
Organizations that prefer to purchase their security appliances separately may purchase Cisco
ASA 5500 Series bundles as described in Table 3. This table lists the more popular recommended
options for Cisco Unified Communications deployments. The K8 unrestricted bundles (DES
encryption only) are ideal for partners that do not have export licenses. An end customer can then