Putting firepower into the next generation firewall
1 like511 views
The document discusses Cisco's Firepower Next Generation Firewall (NGFW) capabilities. It provides an overview of the Firepower software and NGFW platforms like the ASA 5500-X and Firepower 2100/4100 series. It covers the various management options including the Firepower Device Manager, Firepower Management Center, and ASDM. Integration with Cisco Identity Services Engine and third-party systems is also summarized. Finally, it presents an example use case of deploying Firepower NGFWs at the internet edge and in branch offices.
Putting firepower into the next generation firewall
- 1. Cisco Public© 2016 Cisco and/or its affiliates. All rights reserved. 1 Putting Firepower into the Next Generation Firewall Intégrer Firepower au pare-feu de prochaine génération Jeff Fanelli Principal Systems Engineer jefanell@cisco.com
- 2. Cisco Public 2© 2016 Cisco and/or its affiliates. All rights reserved. About your speaker Jeff Fanelli Principal Systems Engineer Cisco Global Security Sales Organization I’m from the U.S. state with the largest FRESH water coastline in the world!
- 3. Cisco Public 3© 2016 Cisco and/or its affiliates. All rights reserved. MICHIGAN (the “mitten” state..)
- 4. • Firepower Software Overview • ASA & Firepower NGFW Platforms • Management Options • Integration • Internet Edge Use Case Today’s Agenda
- 5. Cisco Public 5© 2016 Cisco and/or its affiliates. All rights reserved. Firepower NGFW Software
- 6. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 6 Firepower Threat Defense Malware Protection Network Profiling CISCO COLLECTIVE SECURITY INTELLIGENCE URL Filtering Integrated Software - Single Management WWW Identity-Policy Control Identity Based Policy Control Network Profiling Analytics & AutomationApplication Visibility &Control Intrusion Prevention High Availability Network Firewall and Routing
- 7. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 7 Firepower Threat Defense ASA (L2-L4) • L2-L4 Stateful Firewall • Scalable CGNAT, ACL, routing • Application inspection Firepower (L7) • Threat-Centric NGIPS • AVC, URL Filtering for NGFW • Advanced Malware Protection Full Feature Set Continuous Feature Migration Firepower Threat Defense Single Converged OS Firewall URL Visibility Threats Firepower Management Center (FMC) ASA with Firepower Services
- 8. Cisco Public 8© 2016 Cisco and/or its affiliates. All rights reserved. ASA & Firepower Platforms
- 9. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 9 Cisco NGFW Platforms NGFW capabilities all managed by Firepower Management Center 250 Mb -> 1.75 Gb (NGFW + IPS Throughput) Firepower Threat Defense for ASA 5500-X 2 Gb -> 8 GB (NGFW + IPS Throughput) Firepower 2100 Series 41xx = 10 Gb -> 24 Gb 93xx = 24 Gb -> 53Gb Firepower 4100 Series and Firepower 9300 Up to 16x with clustering!
- 10. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 10 Software Support - Virtual Platforms ASA Firepower NGIPS Firepower Threat Defense ASAv (vSphere, AWS, Azure, Hyper-V, KVM) ✓ Firepower NGIPSv (vSphere + ISR UCSE) ✓ Firepower NGFWv (vSphere, AWS, Azure, KVM) ✓
- 11. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 11 OpenAppID Next-generation visibility with OpenAppID Application Visibility & Control See and understand risks Enforce granular access control Prioritize traffic and limit rates Create detectors for custom apps Cisco database • 4,000+ apps • 180,000+ Micro- apps Network & users ü û û ü û û ü 1 2 Prioritize traffic
- 12. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 12 Web acceptable use controls and threat prevention URL Filtering – Security Intelligence Feeds – DNS Sinkhole capability Classify 280M+ URLs Filter sites using 80+ categories Manage “allow/block” lists easily Block latest malicious URLs Category-based Policy Creation Allow Block Admin Cisco URL Database DNS Sinkhole 01001010100 00100101101 Security feeds URL | IP | DNS NGFW Filtering BlockAllow Safe Search ………… ü û
- 13. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 13 Decrypt 3.5 Gbps traffic over five million simultaneous flows Granular SSL Decryption Capabilities SSL TLS handshake certificate inspection and TLS decryption engine Log SSL decryption engine Enforcement decisions Encrypted Traffic AVC http://www.%$&^*#$@#$.com http://www.%$&^*#$@#$.com Inspect deciphered packets Track and log all SSL sessions NGIPS gambling elicit http://www.%$*#$@#$.com http://www.%$*#$@#$.com http://www.%$*#$@#$.com http://www.%$*#$@#$.com http://www.%$*#$@#$.com http://www.%$*#$@#$.com http://www.%$*#$@#$.com http://www.%$*#$@#$.com http://www.%$*#$@#$.com http://www.%$*#$@#$.com û ü û ü ü ü û ü û û
- 14. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 14 Application and Context aware Intrusion Prevention Next-Generation Intrusion Prevention System (NGIPS) Communications App & Device Data 01011101001 010 010001101 010010 10 10 Data packets Prioritize response Blended threats • Network profiling • Phishing attacks • Innocuous payloads • Infrequent callouts 3 1 2 Accept Block Automate policies ISE Scan network traffic Correlate data Detect stealthy threats Respond based on priority
- 15. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 15 c File Reputation Malware and ransomware detection and blocking Cisco AMP Threat Grid (Advanced Malware Protection and cloud sandboxing) • Known Signatures • Fuzzy Fingerprinting • Indications of compromise û Block known malware Investigate files safely Detect new threats Respond to alerts File & Device Trajectory AMP for Network Log ü Threat Grid Sandboxing • Advanced Analytics • Dynamic analysis • Threat intelligence ? AMP for Endpoint Log Threat Disposition Enforcement across all endpoints RiskySafeUncertain Sandbox Analysis
- 16. Cisco Public 16© 2016 Cisco and/or its affiliates. All rights reserved. Management Platform Options
- 17. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 17 Firepower Device Manager Enables easy on-box management of common security and policy tasks Enables comprehensive security administration and automation of multiple appliances Firepower Management Center On-box Centralized Management Options ASDM with FirePOWER Services Enables easy on- box migration and management of ASA with Firepower On-box
- 18. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 18 • On-box manager for managing a single Firepower Threat Defense device • Targeted for SMB market • Designed for Networking Security Administrator • Simple & Intuitive • On-screen troubleshooting Firepower Device Manager
- 19. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 19 Firepower Device Manager Enables easy on-box management of common security and policy tasks Enables comprehensive security administration and automation of multiple appliances Firepower Management Center On-box Centralized Management Options ASDM with FirePOWER Services Enables easy on- box migration and management of ASA with Firepower On-box
- 21. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 21 Firepower Device Manager Enables easy on-box management of common security and policy tasks Enables comprehensive security administration and automation of multiple appliances Firepower Management Center ASDM with FirePOWER Services Enables easy on- box migration and management of ASA with Firepower On-box Centralized On-box Management Options
- 22. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 22 Firepower Device Manager Enables easy on-box management of common security and policy tasks Enables comprehensive security administration and automation of multiple appliances Firepower Management Center On-box Centralized Management Options ASDM with FirePOWER Services Enables easy on- box migration and management of ASA with Firepower On-box
- 23. Cisco Public 23© 2016 Cisco and/or its affiliates. All rights reserved. Integration Capabilities
- 24. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 24 ISE remediation in using pxGrid
- 25. Cisco Public 25© 2016 Cisco and/or its affiliates. All rights reserved. 3rd Party Integration SNMP, Syslog, NetFlow or eStreamer
- 29. LiveAction
- 30. Cisco Public 30© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Threat Intelligence Director
- 31. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 31 Cisco Threat Intelligence Director (CTID) • Uses customer threat intelligence to identify threats • Automatically blocks supported indicators on Cisco NGFW • Provides a single integration point for all STIX and CSV intelligence sources
- 32. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 32 Hail a TAXII !! • Free source of TAXII feeds • Website URL: http://hailataxii.com • Multiple feeds • To configure the TAXII intelligence source URL: http://hailataxii.com/taxii-discovery-service USERNAME: guest PASSWORD: guest
- 33. Cisco Public 33© 2016 Cisco and/or its affiliates. All rights reserved. Deployment Designs Use Case
- 34. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 34 Use Case Internet Edge Firewall Requirement Connectivity and Availability Requirement: • High Availability ROUTED mode • Firewall should support Router or Transparent Mode Routing Requirements: • Static and BGP Routing • Dynamic NAT/PAT and Static NAT Security Requirements: • Application Control + URL Acceptable Use enforcement • IPS and Malware protection • SSL Decryption Authentication Requirements: • User authentication and device identity Solution Security Application: Firepower Threat Defense application with FMC ISP FW in HA Private Network Service Provider Campus/Priv ate Network DMZ Network Port- Channel Internet Edge
- 35. Cisco Public 35© 2016 Cisco and/or its affiliates. All rights reserved. Connectivity and Availability
- 36. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 36 10.1.1.0/24 192.168.1.0/24 192.168.1.1 10.1.1.1 IP:192.168.1.100 GW: 192.168.1.1 NAT DRP Firewall Design: Modes of Operation • Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains – Firewall is the Router and Gateway for local hosts. • Transparent Mode is where the firewall acts as a bridge functioning at L2. Transparent mode firewall offers some unique benefits in the DC. Transparent deployment is tightly integrated with our ‘best practice’ data center designs.
- 37. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 37 Link Redundancy Resiliency with link failures Link and Platform Redundancy Capabilities Firewall Link Aggregation – High Availability - Clustering Inter-chassis Clustering Combine up to 16 9300 blades or 4100 chasses Active / Standby HA LACP Link Redundancy LACP Link Aggregation Control Protocol
- 38. Cisco Public 38© 2016 Cisco and/or its affiliates. All rights reserved. Routing Requirements
- 39. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 39 Dynamic NAT for Direct Internet Access Automatic and Manual (complex) NAT Support for FTD including IPv6
- 40. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 40 Routing Protocol support • OSPF and OSPFv3 (IPv6) • BGP (IPv4 & IPv6) • Static Route Tunneled Route support for VPNs Reverse Route Injection for VPNs • Multicast Routing IGMP PIM • EIGRP via FlexConfig IPv4 and IPv6 advanced routing
- 41. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 41 4 1 BRK Rate limiting Cloud File Sharing Traffic QOS Policy is a new policy type with separate policy table Upload and download rate limiting per application with identity!
- 42. Cisco Public 42© 2016 Cisco and/or its affiliates. All rights reserved. Security Requirements
- 43. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 43 Access Control Policy blocking inappropriate content
- 44. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 44 Granular SSL Decrypt Can specify by application, certificate fields / status, ciphers, etc. Decrypt Cert required!
- 45. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 45 Custom IPS Policy
- 46. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 46 Malware and File Analysis Attached to Access Policy
- 47. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 47 URL-Based Security Intelligence • Extension of IP-based SI • TALOS dynamic feed, 3rd party feeds and lists • Multiple categories: Malware, Phishing, CnC,… • Multiple Actions: Allow, Monitor, Block, Interactive Block,… • Policy configured via Access Rules or black- list • IoC tags for CnC and Malware URLs • New Dashboard widget for UR SI • Black/White-list URL with one click URL-SI Categories
- 48. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 48 DNS Inspection • Security Intelligence support for domains • Addresses challenges with fast-flux domains • Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing • Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor • Indications of Compromise extended with DNS Security Intelligence DNS List Action
- 49. Cisco Public 49© 2016 Cisco and/or its affiliates. All rights reserved. Identity Requirements Authentication and Authorization
- 50. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 50 Access Control Policy Identity Control Can Mix and Match AD & ISE Identity Groups (Guest, BYOD, etc.)
- 51. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 51 TrustSec Security Group Tag based identity from ISE Can also reference Identity Services Engine identified Device Profiles
- 52. Cisco Public 52© 2016 Cisco and/or its affiliates. All rights reserved. Branch Firewall Use Cases Site to Site and Remote Access VPN
- 53. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 53 Headquarters and Branch NGFW Example Use of Groups in FMC for organization • ONE policy sets applied to all branch firewalls
- 54. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 54 Headquarters and Branch NGFW Example Dynamic Endpoint option for sites with DHCP Outside Interface • VPN can be backup to MPLS or dedicated WAN
- 55. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 55 Secure Remote Access for Roaming User ISP FP2100 in HA Private Network Campus/Priv ate Network Internet Edge • Secure SSL/IPsec AnyConnect access to corporate network • AMP and File inspection Policy to monitor roaming user data. • Easy RA VPN Wizard to configure AnyConnect Remote Access VPN • Advanced Application level inspection can be enabled to enforce security on inbound Remote Access User data. • Monitoring and Troubleshooting to monitor remote access activity and simplified tool for troubleshooting. Secure access using Firepower
- 56. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 56 Remote Access VPN • AnyConnect client- based VPN • Use cases: Split or full tunnel Multiple Connection profiles Username / password and or certificate authentication support
- 57. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 57 Firepower Threat Defense Summary Power Internet Edge and Branch WAN Platform • Powerful Threat Defense Capabilities • Advanced Site to Site VPN and routing protocol support • AnyConnect Remote Access Unified Management Robust NGFW Feature set Flexible Deployment
- 58. Thank you.