Next Generation Security
Rob Bleeker
Security Consulting Systems Engineer
CCIE# 2926, CISSP
Justin Malczewski
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
The Industrialization of Hacking
(timeline graphic, 1990 to 2020)
Phases: Phishing, Low Sophistication; Hacking Becomes an Industry; Sophisticated Attacks, Complex Landscape
Eras: Viruses 1990–2000; Worms 2000–2005; Spyware and Rootkits 2005–Today; APTs, Cyberware Today+
How Bad – 2013 and Beyond
Figures shown: 145 Million, 152 Million, 70 Million, 60 Million, 50 Million, 50 Million and a lot more!!!!!!
Needs to be a Better Approach
Current approach has never worked!
Imagine – Security as an Architecture
The New Security Model: the Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Coverage: Network, Endpoint, Mobile, Virtual, Cloud
Point in Time and Continuous
Cyber Attack Chain
Recon > Package > Deliver > Exploit > Install > CnC > Act
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Prevent
AFTER: Scope, Contain, Remediate
Visibility and Context across: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web Security, Email Security, Advanced Malware Protection, Network Behavior Analysis
The More You See, the better you can protect.
Visibility Control
Cisco Security Intelligence Operations (Cisco® SIO)
Sources: WWW, Email, Web, Devices, IPS, Endpoints, Networks (Cloud, AnyConnect®, IPS, ESA, WSA, ASA)
Information:
• More than 150 Million deployed endpoints
• 100 TB data received per day
• 1.6 Million global sensors
• 40% of worldwide email traffic
• 13 Billion web requests
Actions:
• 3 to 5 minute updates
• More than 200 parameters tracked
• More than 5500 IPS signatures produced
• More than 8 Million rules per day
• More than 70 publications produced
Organization:
• More than 40 languages
• More than 80 Ph.D., CCIE, CISSP, MCSE
• More than $100 Million spent in dynamic research and development
• 24 hours daily operations
• More than 800 engineers, technicians, and researchers
Collective Security Intelligence
Outputs: IPS Rules, Malware Protection, Reputation Feeds, Vulnerability Database Updates
Inputs: Sourcefire AEGIS™ Program, Private and Public Threat Feeds, Sandnets, FireAMP™ Community, Honeypots, Advanced Microsoft and Industry Disclosures, SPARK Program, Snort and ClamAV Open Source Communities, File Samples (>380,000 per Day)
Sourcefire VRT® (Vulnerability Research Team): Sandboxing, Machine Learning, Big Data Infrastructure
ASA with FirePOWER Services
Sourcefire background: founded in 2001 by Marty Roesch
Mission: Security from Cloud to Core
• Market leader in (NG)IPS
• Recent entrant to NGFW space with strong offering
• Groundbreaking Advanced Malware Protection solution
Innovative – 52+ patents issued or pending
• Pioneer in IPS, context-driven security, advanced malware
World-class research capability
Owner of major Open Source security projects
• Snort, ClamAV, Razorback
Sourcefire Security Solutions
Collective Security Intelligence
Management Center (appliances | virtual)
Next-Generation Firewall, Next-Generation Intrusion Prevention, Advanced Malware Protection (appliances | virtual)
Contextual Awareness (hosts | virtual | mobile)
FirePOWER Services for ASA: Components
FirePOWER Services Software Module
• Models: ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X
• SSD Drive Required
• Licenses and Subscriptions
ASA 5585-X FirePOWER Services Blade
• Models: ASA 5585-X-10, ASA 5585-X-20, ASA 5585-X-40, ASA 5585-X-60
• New FirePOWER Services Hardware Module Required
• Licenses and Subscriptions
2014 NSS Labs SVM for NGFW (figure)
Functional Distribution
Base ASA: ACL, NAT, VPN Termination, Routing
FirePOWER Services Module: Advanced Malware Protection, AVC (App Control), NGIPS, URL Filtering
Next Generation Security on a Trusted Firewall
FirePOWER Services: NGIPS, NGFW/AVC, AMP
FireSIGHT Management Center: Comprehensive SECOPS Workflows
ASA Software
Cisco Security Manager (CSM) or ASDM: Comprehensive NETOPS Workflows
NGFW Realities: OpenAppID
Why does this matter
• Application visibility efficacy is NOT 100%. Today the best efficacy around App ID is about 65%.
• If you are looking to strengthen your overall security posture, then building policies with 65% efficacy is putting your organization at risk. This creates a hit-and-miss security model.
• Application ID is non-deterministic and applications are evasive; what happens with unknown applications?
• Logging of unknown applications should take place, and silent drops are forbidden in security: you need to know what has happened even if the application has not been identified.
Cisco Still Understands the Value of App Visibility/Control
• Application visibility and control and web filtering have been within Cisco's portfolio for 5+ years. We have led this with our Cisco IronPort WSA and our CWS (ScanSafe) solutions (we have brought this quadrant-leading product to our next generation ASA platform).
• Built upon a strong traditional stateful firewall platform that has been proven within the industry.
Cisco is solving the application ID efficacy problem with OpenAppID.
NGFW Realities – The Building Blocks of the Best NGFW: Difficult to Build at Best
Elements rated Good / Great / Poor: Traditional FW, VPN, APP, URL, IPS, Malware, Visibility and Integration
Compared: NGFW Today vs. ASA with FirePOWER Services. Note: the great, good, and poor ratings change depending on the product referenced.
Very difficult to build the best of breed for all elements that make up a NGFW.
How – Cisco will be adding FireAMP for Malware and Sourcefire NGIPS and further ISE integration.
FirePOWER Services: Application Control
• Control access for applications, users and devices
• “Employees may view Facebook, but only Marketing may post to it”
• “No one may use peer-to-peer file sharing apps”
Over 3,000 apps, devices, and more!
Application Control
Social: Security and DLP
Mobile: Enforce BYOD Policy
Bandwidth: Recover Lost Bandwidth
Security: Reduce Attack Surface
FirePOWER Services: URL Filtering
• Block non-business-related sites by category
• Based on user and user group
FireSIGHT™ Full Stack Visibility
Categories | Examples | FirePOWER Services | Typical IPS | Typical NGFW
Threats | Attacks, Anomalies | ✔ | ✔ | ✔
Users | AD, LDAP, POP3 | ✔ | ✗ | ✔
Web Applications | Facebook Chat, Ebay | ✔ | ✗ | ✔
Application Protocols | HTTP, SMTP, SSH | ✔ | ✗ | ✔
File Transfers | PDF, Office, EXE, JAR | ✔ | ✗ | ✔
Malware | Conficker, Flame | ✔ | ✗ | ✗
Command & Control Servers | C&C Security Intelligence | ✔ | ✗ | ✗
Client Applications | Firefox, IE6, BitTorrent | ✔ | ✗ | ✗
Network Servers | Apache 2.3.1, IIS4 | ✔ | ✗ | ✗
Operating Systems | Windows, Linux | ✔ | ✗ | ✗
Routers & Switches | Cisco, Nortel, Wireless | ✔ | ✗ | ✗
Mobile Devices | iPhone, Android, Jail | ✔ | ✗ | ✗
Printers | HP, Xerox, Canon | ✔ | ✗ | ✗
VoIP Phones | Cisco phones | ✔ | ✗ | ✗
Virtual Machines | VMware, Xen, RHEV | ✔ | ✗ | ✗
Contextual Awareness = Information Superiority
Impact Assessment
Correlates all intrusion events to an impact of the attack against the target
Administrator Action | Why
Act Immediately, Vulnerable | Event corresponds to vulnerability mapped to host
Investigate, Potentially Vulnerable | Relevant port open or protocol in use, but no vuln mapped
Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use
Good to Know, Unknown Target | Monitored network, but unknown host
Good to Know, Unknown Network | Unmonitored network
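The impact-assessment decision in the table above, written out as code. This is an added example, not Cisco or Sourcefire code; the host inventory, event fields and CVE-EXAMPLE-* identifiers are constructed, and the numeric flag values follow FireSIGHT's published impact levels (1 most urgent, 0 unknown network).

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Host:
    """What network discovery learned about one host (constructed sample data)."""
    ip: str
    services: set = field(default_factory=set)   # (protocol, port) seen in use
    vulns: set = field(default_factory=set)      # vulnerability IDs mapped to the host

@dataclass
class IntrusionEvent:
    """One IPS event plus the vulnerabilities its rule is written against."""
    dst_ip: str
    proto: str
    dst_port: int
    vuln_ids: set

# Flag numbers follow FireSIGHT's impact levels; labels are the slide's action column.
ACT_IMMEDIATELY = (1, "Act Immediately, Vulnerable")
INVESTIGATE = (2, "Investigate, Potentially Vulnerable")
NOT_VULNERABLE = (3, "Good to Know, Currently Not Vulnerable")
UNKNOWN_TARGET = (4, "Good to Know, Unknown Target")
UNKNOWN_NETWORK = (0, "Good to Know, Unknown Network")

def assess_impact(event, hosts, monitored_networks):
    """Correlate an intrusion event with the target's profile to pick the impact flag."""
    host = hosts.get(event.dst_ip)
    if host is None:
        target = ipaddress.ip_address(event.dst_ip)
        if any(target in net for net in monitored_networks):
            return UNKNOWN_TARGET      # monitored network, but discovery never saw this host
        return UNKNOWN_NETWORK         # nothing is known about that network at all
    if event.vuln_ids & host.vulns:
        return ACT_IMMEDIATELY         # event maps to a vulnerability present on this host
    if (event.proto, event.dst_port) in host.services:
        return INVESTIGATE             # service is live, but no vulnerability mapped
    return NOT_VULNERABLE              # port closed / protocol unused: attack cannot land

# Constructed inventory; CVE-EXAMPLE-* are placeholders, not real identifiers.
HOSTS = {
    "10.0.1.10": Host("10.0.1.10", {("tcp", 80)}, {"CVE-EXAMPLE-0001"}),
    "10.0.1.11": Host("10.0.1.11", {("tcp", 443)}, set()),
}
MONITORED = [ipaddress.ip_network("10.0.1.0/24")]

def triage(events):
    """Return ((flag, action), target) per event, most urgent first, for the analyst queue."""
    results = [(assess_impact(e, HOSTS, MONITORED), e.dst_ip) for e in events]
    # level 0 (unknown network) sorts last; level 1 is most urgent
    return sorted(results, key=lambda r: (r[0][0] == 0, r[0][0]))
```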
Cisco FireSIGHT Simplifies Operations
• Impact Assessment and Recommended Rules Automate Routine Tasks
Reduced Cost and Complexity
• Multilayered protection in a single device
• Highly scalable for branch, internet edge, and data centers
• Automates security tasks
  o Impact assessment
  o Policy tuning
  o User identification
• Integrate transparently with third-party security solutions through eStreamer API
The Power of Continuous Analysis
Point-in-time security sees a lighter, bullet, cufflink, pen & cigarette case…
Wouldn't it be nice to know if you're dealing with something more deadly?
Indications of Compromise (IoCs)
IPS Events: Malware Backdoors, CnC Connections, Exploit Kits, Admin Privilege Escalations, Web App Attacks
SI Events: Connections to Known CnC IPs
Malware Events: Malware Detections, Malware Executions, Office/PDF/Java Compromises, Dropper Infections
Advanced Malware Protection (FireAMP)
Point-in-time Detection (Antivirus, Sandboxing): Initial Disposition = Clean; Actual Disposition = Bad = Too Late!! Analysis stops; not 100%; blind to scope of compromise.
Techniques that defeat point-in-time detection: Sleep Techniques, Unknown Protocols, Encryption, Polymorphism
Continuous Analysis (Retrospective Detection, Analysis Continues): Initial Disposition = Clean; Actual Disposition = Bad = Blocked. Turns back time. Visibility and Control are Key.
Beyond the Event Horizon: addresses limitations of point-in-time detection
FirePOWER Services: Advanced Malware
1) File Capture from Network Traffic
2) File Storage
3) Send to Sandbox (Collective Security Intelligence Sandbox)
4) Execution Report available in Defense Center; Malware Alert!
Visibility and Context: file trajectory events
File Sent, File Received, File Executed, File Moved, File Quarantined
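The retrospective-detection idea from the continuous-analysis slide, driven by the file-trajectory events listed above: keep every event per file so that when the disposition flips from Clean to Bad later, the scope of compromise can be reconstructed instead of being lost. This is an added example, not FireAMP or FirePOWER code; the trajectory log, host names and "sha-A"/"sha-B" stand-ins for SHA-256 values are constructed.

```python
from collections import defaultdict

# Constructed file-trajectory events: (time, file hash label, host, action).
# "sha-A"/"sha-B" stand in for real SHA-256 values.
TRAJECTORY = [
    (1, "sha-A", "pc-01", "File Received"),
    (2, "sha-A", "pc-01", "File Executed"),
    (3, "sha-A", "pc-01", "File Sent"),
    (4, "sha-A", "pc-07", "File Received"),
    (5, "sha-A", "pc-07", "File Moved"),
    (6, "sha-B", "pc-02", "File Received"),
]

class ContinuousAnalysis:
    """Keeps every trajectory event per file so a verdict can be revisited later."""

    def __init__(self):
        self.disposition = {}            # file -> "Clean" or "Bad"
        self.events = defaultdict(list)  # file -> [(time, host, action), ...]

    def observe(self, time, sha256, host, action):
        # Initial disposition is Clean: at this point nothing is known against the file.
        self.disposition.setdefault(sha256, "Clean")
        self.events[sha256].append((time, host, action))

    def update_disposition(self, sha256, verdict):
        """Apply a later verdict (e.g. from the sandbox report) to an already-seen file."""
        self.disposition[sha256] = verdict

    def retrospective_alert(self, sha256):
        """'Turn back time': replay the stored trajectory once a file turns out Bad."""
        if self.disposition.get(sha256) != "Bad":
            return None
        events = sorted(self.events[sha256])
        hosts = []
        for _, host, _ in events:
            if host not in hosts:
                hosts.append(host)          # every host the file touched, in order
        executed = sorted({h for _, h, a in events if a == "File Executed"})
        return {"entry_point": events[0][1], "hosts": hosts, "executed": executed}

def run_demo():
    """Ingest the trajectory, then apply the late Bad verdict for sha-A."""
    engine = ContinuousAnalysis()
    for ev in TRAJECTORY:
        engine.observe(*ev)
    engine.update_disposition("sha-A", "Bad")   # sandbox report arrives later
    return engine
```

A point-in-time product would have stopped at the initial Clean verdict and kept nothing, so it could not produce the entry point or the list of hosts that executed the file.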
FirePOWER Services for ASA: Subscriptions
Included with the FirePOWER Services for ASA appliance:
• Configurable Fail Open Interfaces
• Connection/Flow Logging
• Network, User, and Application Discovery
• Traffic filtering / ACLs
• NSS Leading IPS Engine
• Comprehensive Threat Prevention
• Security Intelligence (C&C, Botnets, SPAM etc.)
• Blocking of Files by Type, Protocol, and Direction
• Basic DLP in IPS Rules (SSN, Credit Card etc.)
• Access Control: Enforcement by Application
• Access Control: Enforcement by User
Annual-fee subscriptions:
• IPS and App Updates: IPS Rule and Application Updates
• URL Filtering: URL Filtering Subscription
• Malware Protection: Subscription for Malware Blocking, Continuous File Analysis, Malware Network Trajectory
High Availability and Clustering: Max 2 Units; Max 16 Units*
Deploying ASA w/ FirePOWER Services: High Availability with ASA Failover
• Available on all ASA platforms
• State-sharing between Firewalls for high availability
• L2 Transparent or L3 Routed deployment options
• Failover Link
• ASA provides valid, normalized flows to FirePOWER module
• State sharing does not occur between FirePOWER Services Modules
Multi-Context ASA Deployments
• ASA can be configured in multi-context mode so that traffic going through the ASA can be assigned different policies.
• These interfaces are reported to the FirePOWER blade and can be assigned to security zones, which can then be used in differentiated policies.
• In this example, you could create one policy for traffic going from Context A Outside to Context A Inside, and a different policy for Context B Outside to Context B Inside.
• Note: There is no management segmentation inside the FirePOWER module comparable to the context concept in the ASA configuration.
(figure: Context A and Context B, each with Outside and Inside interfaces)
Multi-Context ASA Deployments
(figure: Admin Context and Context-1)
Deploying ASA w/ FirePOWER Services: Scaling IPS with ASA5585-X Clustering
• Up to 8 ASA5585-X IPS
• Stateless load balancing by external switch
• L2 Transparent or L3 Routed deployment options
• Support for vPC, VSS and LACP
• Cluster Control Protocol/Link
• State-sharing between Firewalls for symmetry and high availability
• Every session has a primary and secondary owner ASA
• ASA provides traffic symmetry to FirePOWER module
Why ASA with FirePOWER Services?
• World's most widely deployed, enterprise-class ASA stateful firewall
• Granular Application Visibility and Control (AVC)
• Industry-leading FirePOWER Next-Generation IPS (NGIPS)
• Validated by NSS Labs as the best NGFW on the market today
• Advanced malware protection
(figure) Cisco ASA: Identity-Policy Control & VPN; Network Firewall; Routing | Switching; Clustering & High Availability; Built-in Network Profiling
FirePOWER Services: Application Visibility & Control; URL Filtering (subscription); Intrusion Prevention (subscription); Advanced Malware Protection (subscription); FireSIGHT Analytics & Automation
Cisco Collective Security Intelligence Enabled
Q & A