Putting firepower into the next generation firewall

Putting Firepower into the Next Generation Firewall

Intégrer Firepower au pare-feu de prochaine génération

Jeff FanelliPrincipal Systems Engineer

jefanell@cisco.com

About your speakerJeff Fanelli

Principal Systems Engineer

Cisco Global Security Sales Organization

I’m from the U.S. state with the largest FRESH water coastline in the world!

MICHIGAN (the “mitten” state..)

• Firepower Software Overview• ASA & Firepower NGFW

Platforms• Management Options• Integration• Internet Edge Use Case

Today’s Agenda

Firepower NGFW Software

Firepower Threat Defense

Malware Protection

Network Profiling

CISCO COLLECTIVE SECURITY INTELLIGENCE

URL Filtering

Integrated Software - Single Management

Identity-Policy Control

Identity Based Policy Control

Network Profiling

Analytics & AutomationApplication

Visibility &Control

Intrusion Prevention

High Availability

Network Firewall and

Routing

ASA (L2-L4)• L2-L4 Stateful Firewall• Scalable CGNAT, ACL, routing• Application inspection

Firepower (L7)• Threat-Centric NGIPS• AVC, URL Filtering for NGFW• Advanced Malware Protection

Full Feature Set

Continuous FeatureMigration

Single Converged OS

Firewall URL Visibility Threats

Firepower Management Center (FMC)

ASA with Firepower Services

ASA & Firepower Platforms

Cisco NGFW Platforms

NGFWcapabilitiesallmanagedbyFirepowerManagementCenter

250 Mb -> 1.75 Gb(NGFW + IPS Throughput)

Firepower Threat Defense for ASA 5500-X

2 Gb -> 8 GB(NGFW + IPS Throughput)

Firepower 2100 Series

41xx = 10 Gb -> 24 Gb93xx = 24 Gb -> 53Gb

Firepower 4100 Seriesand Firepower 9300

Up to 16x with clustering!

Software Support - Virtual Platforms

ASA FirepowerNGIPS

ASAv (vSphere, AWS, Azure, Hyper-V, KVM) ✓

Firepower NGIPSv (vSphere + ISR UCSE) ✓

Firepower NGFWv (vSphere, AWS, Azure, KVM) ✓

OpenAppID

Next-generation visibility with OpenAppIDApplication Visibility & Control

See and understand risks Enforce granular access control Prioritize traffic and limit rates Create detectors for custom apps

Cisco database• 4,000+ apps

• 180,000+ Micro-apps

Network & users

Prioritize traffic

Web acceptable use controls and threat preventionURL Filtering – Security Intelligence Feeds – DNS Sinkhole capability

Classify 280M+ URLs Filter sites using 80+ categories Manage “allow/block” lists easily Block latest malicious URLs

Category-basedPolicy Creation

Allow Block

Cisco URL Database

DNS Sinkhole0100101010000100101101

Security feedsURL | IP | DNS

NGFWFiltering

BlockAllow

Safe Search

…………

Decrypt 3.5 Gbps traffic over five million simultaneous flows

Granular SSL Decryption CapabilitiesSSL TLS handshake certificate inspection and TLS decryption engine

SSL decryption engine

Enforcement decisions

Encrypted Traffic

http://www.%$&^*#$@#$.com

Inspect deciphered packets Track and log all SSL sessions

gambling

elicit

http://www.%$*#$@#$.com

Application and Context aware Intrusion PreventionNext-Generation Intrusion Prevention System (NGIPS)

Communications

App & Device Data

01011101001010

010001101 010010 10 10Data packets

Prioritizeresponse

Blended threats

• Network profiling

• Phishing attacks

• Innocuous payloads

• Infrequent callouts

Accept

Automate policies

Scan network traffic Correlate data Detect stealthy threats Respond based on priority

cFile Reputation

Malware and ransomware detection and blockingCisco AMP Threat Grid (Advanced Malware Protection and cloud sandboxing)

• Known Signatures• Fuzzy Fingerprinting• Indications of compromise

Block known malware Investigate files safely Detect new threats Respond to alerts

File & Device TrajectoryAMP for

Network Log

Threat Grid Sandboxing• Advanced Analytics• Dynamic analysis• Threat intelligence

AMP for Endpoint Log

Threat Disposition

Enforcement across all endpoints

RiskySafeUncertain

Sandbox Analysis

Management Platform Options

Firepower Device Manager

Enables easy on-box management of

common security and policy tasks

Enables comprehensive security administration

and automation of multiple appliances

Firepower Management Center

On-box Centralized

Management Options

ASDM withFirePOWER Services

Enables easy on-box migration and

management of ASA with Firepower

On-box

• On-box manager for managing a single Firepower Threat Defense device

• Targeted for SMB market

• Designed for NetworkingSecurity Administrator

• Simple & Intuitive

• On-screen troubleshooting

On-box Centralized

Management Options

On-box

On-box Centralized On-box

Management Options

On-box Centralized

Management Options

On-box

Integration Capabilities

ISE remediation in using pxGrid

3rd Party Integration

SNMP, Syslog, NetFlow or eStreamer

LiveAction

Cisco Threat Intelligence Director

Cisco Threat Intelligence Director (CTID)

• Uses customer threat intelligence to identify threats

• Automatically blocks supported indicators on Cisco NGFW

• Provides a single integration point for all STIX and CSV intelligence sources

Hail a TAXII !!• Free source of TAXII feeds

• Website URL: http://hailataxii.com

• Multiple feeds

• To configure the TAXII intelligence sourceURL: http://hailataxii.com/taxii-discovery-serviceUSERNAME: guestPASSWORD: guest

Deployment Designs Use Case

Use Case Internet Edge Firewall

RequirementConnectivity and Availability Requirement:• High Availability ROUTED mode• Firewall should support Router or Transparent Mode

Routing Requirements:• Static and BGP Routing• Dynamic NAT/PAT and Static NAT

Security Requirements:• Application Control + URL Acceptable Use enforcement• IPS and Malware protection• SSL Decryption

Authentication Requirements:• User authentication and device identity

SolutionSecurity Application: Firepower Threat Defense application with FMC

FW in HA

Private Network

Service Provider

Campus/Private Network

DMZ Network

Port-Channel

Internet Edge

Connectivity and Availability

10.1.1.0/24

192.168.1.0/24

192.168.1.1

10.1.1.1

IP:192.168.1.100GW: 192.168.1.1

NATDRP

Firewall Design: Modes of Operation• Routed Mode is the traditional mode of the firewall. Two or more

interfaces that separate L3 domains – Firewall is the Router and Gateway for local hosts.

• Transparent Mode is where the firewall acts as a bridge functioning at L2.

Transparent mode firewall offers some unique benefits in the DC.

Transparent deployment is tightly integrated with our ‘best practice’ data center designs.

Link Redundancy

Resiliency with link failures

Link and Platform Redundancy CapabilitiesFirewall Link Aggregation – High Availability - Clustering

Inter-chassis Clustering

Combine up to

169300 blades or 4100 chasses

Active / Standby HA

LACP Link Redundancy

LACP Link Aggregation

Control Protocol

Routing Requirements

Dynamic NAT for Direct Internet AccessAutomatic and Manual (complex) NAT Support for FTD including IPv6

Routing Protocol support

• OSPF and OSPFv3 (IPv6)

• BGP (IPv4 & IPv6)

• Static RouteTunneled Route support for VPNsReverse Route Injection for VPNs

• Multicast RoutingIGMPPIM

• EIGRP via FlexConfig

IPv4 and IPv6 advanced routing

Rate limiting Cloud File Sharing TrafficQOS Policy is a new policy type with separate policy table

Upload and download rate limiting per application with identity!

Security Requirements

Access Control Policy blocking inappropriate content

Granular SSL DecryptCan specify by application, certificate fields / status, ciphers, etc.

Decrypt Cert required!

Custom IPS Policy

Malware and File AnalysisAttached to Access Policy

URL-Based Security Intelligence

• Extension of IP-based SI

• TALOS dynamic feed, 3rd party feeds and lists

• Multiple categories: Malware, Phishing, CnC,…

• Multiple Actions: Allow, Monitor, Block, Interactive Block,…

• Policy configured via Access Rules or black-list

• IoC tags for CnC and Malware URLs

• New Dashboard widget for UR SI

• Black/White-list URL with one click URL-SI Categories

DNS Inspection

• Security Intelligence support for domains

• Addresses challenges with fast-flux domains

• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing

• Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor

• Indications of Compromise extended with DNS Security Intelligence

DNS List Action

Identity Requirements

Authentication and Authorization

Access Control Policy Identity ControlCan Mix and Match AD & ISE Identity Groups (Guest, BYOD, etc.)

TrustSec Security Group Tag based identity from ISECan also reference Identity Services Engine identified Device Profiles

Branch Firewall Use CasesSite to Site and Remote Access VPN

Headquarters and Branch NGFW ExampleUse of Groups in FMC for organization

• ONE policy sets applied to all branch firewalls

Headquarters and Branch NGFW ExampleDynamic Endpoint option for sites with DHCP Outside Interface

• VPN can be backup to MPLS or dedicated WAN

Secure Remote Access for Roaming User

FP2100 in HA

Private NetworkCampus/Private Network

Internet Edge

• Secure SSL/IPsec AnyConnect access to corporate network

• AMP and File inspection Policy to monitor roaming user data.

• Easy RA VPN Wizard to configure AnyConnect Remote Access VPN

• Advanced Application level inspection can be enabled to enforce security on inbound Remote Access User data.

• Monitoring and Troubleshooting to monitor remote access activity and simplified tool for troubleshooting.

Secure access using Firepower

Remote Access VPN• AnyConnect client-

based VPN

• Use cases:Split or full tunnel

Multiple Connection profiles

Username /password and orcertificateauthenticationsupport

Firepower Threat Defense SummaryPower Internet Edge and Branch WAN Platform

• Powerful Threat Defense Capabilities

• Advanced Site to Site VPN and routing protocol support

• AnyConnect Remote Access

UnifiedManagement

RobustNGFWFeatureset

FlexibleDeployment

Thank you.

Putting firepower into the next generation firewall

Travel

Cisco Firepower Next-Generation Firewall Data Sheet Next-Generation... · 2017-05-19 · The Cisco Firepower™ Next-Generation Firewall (NGFW) is the industry’s first fully integrated,

Deploying Next-Generation Firewall with ASA and … Live 2015 Melbourne/Cisco Live... · Deploying Next-Generation Firewall with ASA and Firepower Services ... (AVC) Industry-leading

Cisco ASA with FirePOWER Services Data Sheet · Cisco ASA with FirePOWER Services . Meet the industry’s first adaptive, threat-focused next-generation firewall (NGFW) designed for

Transparent or Routed Firewall Mode for Firepower Threat ... · Feature Description Youcan,however,addstaticroutesfortraffic originatingontheFirepowerThreatDefensedevice forbridgegroupmemberinterfaces.Youcanalso

Cisco Firepower Threat Defense バージョン 6.2 ......Cisco Firepower Threat Defense バージョン 6.2 コンフィギュレーションガイド（ Firepower Device Manager

Cisco ASA with FirePOWER Services Data Sheet · class stateful firewall. Cisco ASA with FirePOWER Services features these comprehensive capabilities:

Cisco Firepower Threat Defense (FTD) SNMP Monitoring White ... · Firepower 2100 Series Firepower 4100 Series Firepower 9300 Series The Firepower 2100/4100 appliances are 1RU with

Linux 2.4 stateful firewall designread.pudn.com/downloads65/ebook/231158/Linux 2.4... · Firewall design basics In putting together our firewall, the "iptables" command is our friend

Cisco Firepower Next-Generation Firewall Data Sheet Security...Cisco® Advanced Malware Protection (AMP), and URL Filtering. Cisco Firepower NGFW provides advanced threat protection

Cisco Firepower NGFW Data Sheet...The Cisco Firepower® NGFW (next-generation firewall) is the industry’s first fully integrated, threat-focused next-gen firewall with unified management

AH Firepower

TechWiseTV Workshop: Firepower Next Generation Firewall

Cisco Firepower Next-Generation Firewall Data Sheet · The Cisco Firepower™ Next-Generation Firewall (NGFW) is the industry’s first fully integrated, threat-focused next-gen firewall

Actualice un par ASA HA en los dispositivos de FirePOWER...Navegue a las descargas a casa > > Security (Seguridad) de los Productos > los Firewall > los Firewall de la última generación

Firewall de próxima generación Cisco Firepower · Especificaciones de hardware de Cisco Firepower de la serie 4100 Modelo Cisco Firepower Características 4110 4120 4140 4150 Dimensiones

Cisco ASA mit FirePOWER-Services - arp.com · Datenblatt Cisco ASA mit FirePOWER-Services . Produktübersicht . Lernen Sie die erste anpassungsfähige, bedrohungsorientierte Firewall

Cisco Firepower Next-Generation Firewall Data Sheet Cisco Firepower™ Next-Generation Firewall (NGFW) is the industry’s first fully integrated, threat-focused next-gen firewall

ASA FirePOWER (SFR) Module - cisco.com · 3. Firewall policies are applied. 4. Traffic is sent to the ASA FirePOWER module. 5. The ASA FirePOWER module applies its security polic

Firepower Qsg

Cisco Firepower Next-Generation Firewalls · Cisco Firepower Next-Generation Firewalls Find the Best Next-Generation Firewall for Your Customer NEW NEW Small business, branch office,