Jesper Rathsach, Consulting Systems Engineer – Cisco Security North April 2017 Techupdate April 2017 Firepower 6.2.1

  • Firepower 6.2.1: No. 1 most important!!

  • Firepower 6.2.1: BUGFIXES!!!!!

    All known severity 1 and 2 bugs as of 30th of March are resolved in the 6.2.1 release.

  • Remote Access VPN (Firepower 6.2.1)

  • Secure Remote Access for Mobile User

    [Diagram labels: ISP; Internet Edge; FP2100 in HA; Campus/Private Network]

    • Secure SSL/IPSec AnyConnect access to corporate network

    • AMP / File inspection Policy to monitor roaming user data.

    • Easy RA VPN Wizard to configure AnyConnect Remote Access VPN

    • Advanced Application level inspection can be enabled to enforce security on inbound Remote Access User data.

    • Monitoring and Troubleshooting to monitor remote access activity and simplified tool for troubleshooting.

    Secure access using FP2100

  • Threat Intelligence Director: Making Threat Intelligence Actionable

  • [Chart, 2017 vs 2015. Categories: Using CTI; Not using CTI currently but plans to; Not using and no plans; Unknown. Values as extracted, in order: 64%, 25%, 7%, 4% and 82%, 8%, 3%, 7%. Further panel title: "Do you have a dedicated person or team focusing on CTI?" Source: SANS Survey 2015 & 2017 – Cyber Threat Intelligence Uses]

    Where do customers get their intelligence?

    1. Community or industry groups such as ISACs and CERT
    2. Internal sources
    3. Intelligence feeds from security vendors
    4. Open-source or public CTI feeds
    5. Intelligence feeds from CTI vendors
    6. Other formal and informal groups

    CTI Is Everywhere

    Open-source blacklists – 96% of domain and 82% of IP observables are unique to one list. Source: CERT-PL

  • Industry Organizations

    Over 20 vendors and organizations distribute …

    Intelligence Sources

    Threat Intelligence Platforms

    Main Issues With CTI

  • Cisco Threat Intelligence Director (CTID)

    Step 1: Ingest third-party Cyber Threat Intelligence (CTI)

    Step 2: Publish observables to sensors

    Step 3: Detect and alert on incidents

    [Diagram labels: ESA / WSA / AMP; NGFW / NGIPS; Block; Monitor; Cisco Threat Intelligence Director; FMC]

  • Requirements and Availability

    • Requires:
      • FMC; if used on a virtualized image, a minimum of 16 GB of memory
      • SHA256 detection requires a Malware License
      • The FMC and all sensors need to be upgraded to Firepower 6.2.1

    • Availability:
      • H1 CY 2017 with the release of Firepower 6.2.1

    • Performance Impact:
      • No impact on sensors
      • Some impact on the FMC
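The three CTID steps above (ingest, publish, detect), sketched as an added conceptual example; it is not Cisco's code and does not use the FMC or CTID API. The feed names, event field names and the "block"/"monitor" labels are assumptions modelled on the slide, and `unique_share` measures the kind of feed overlap the CERT-PL figure refers to.

```python
import ipaddress
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
RANK = {"monitor": 0, "block": 1}  # stricter action wins on merge

def classify(raw):
    """Return (type, normalized value), or None for a malformed entry."""
    v = raw.strip().lower().rstrip(".")
    if SHA256_RE.match(v):
        return ("sha256", v)
    try:
        return ("ipv4", str(ipaddress.IPv4Address(v)))
    except ValueError:
        return ("domain", v) if DOMAIN_RE.match(v) else None

def ingest(feeds):
    """Step 1: merge feeds into {observable: {"action", "sources"}}."""
    merged = {}
    for name, (action, lines) in feeds.items():
        for obs in filter(None, map(classify, lines)):  # drop malformed lines
            entry = merged.setdefault(obs, {"action": action, "sources": set()})
            entry["sources"].add(name)
            if RANK[action] > RANK[entry["action"]]:
                entry["action"] = action
    return merged

def unique_share(merged):
    """Fraction of observables that appear in exactly one feed."""
    return sum(len(e["sources"]) == 1 for e in merged.values()) / max(len(merged), 1)

def detect(published, events):
    """Step 3: (event id, observable, action) for each match on a sensor."""
    hits = []
    for ev in events:
        for field in ("dst_ip", "dns_query", "file_sha256"):
            obs = classify(ev.get(field, ""))
            if obs in published:
                hits.append((ev["id"], obs[1], published[obs]["action"]))
    return hits

# Constructed sample data (documentation IP ranges, example domain).
FEEDS = {"isac": ("block", ["192.0.2.10", "Bad.Example.com.", "not an indicator"]),
         "vendor": ("monitor", ["192.0.2.10", "198.51.100.7", "a" * 64])}
EVENTS = [{"id": 1, "dst_ip": "192.0.2.10"}, {"id": 2, "dns_query": "bad.example.com"},
          {"id": 3, "dst_ip": "203.0.113.9"}, {"id": 4, "file_sha256": "A" * 64}]
if __name__ == "__main__":
    published = ingest(FEEDS)  # Step 2: this merged set is what sensors receive
    print(unique_share(published), detect(published, EVENTS))
```

Normalizing before merging is what makes the overlap figure meaningful: without it, `Bad.Example.com.` and `bad.example.com` would count as two observables and the match in event 2 would be missed.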

  • Introducing the New Firepower 2100 series

  • Business resiliency through superior threat defense – introducing the Firepower 2100 NGFW

    Superior threat defense: Industry best protection and rapid breach detection

    Sustained performance: Threat inspection with minimal throughput impact

    Simpler management: Easier management, lower operating costs

  • Choose from four powerful new appliances with industry-best price-performance

    Models 2110 & 2120: Low-cost, high-performance 1 RU NGFW; fixed 16-port 1GbE connectivity

    Models 2130 & 2140: High-performance 1 RU NGFW; network modularity, up to 24-port 1GbE and up to 12 10GbE connectivity

    Up to 8.5 Gbps FW+AVC+IPS throughput

  • Get leading security effectiveness

    Superior threat defense: Firepower 2100 series NGFWs deliver:

    Optimized architecture: Unique dual multi-core CPUs sustain threat inspection performance as services are added. Future-proofs your investment.

    Advanced threat detection: Exclusive integration of Firepower NGIPS and AMP. Ranked #1 in breach detection by NSS Labs in 2016. Superior time to detection of advanced threats.

    Superior price-performance: Less than 50% of the cost per protected Mbps vs. competitors. 200% greater throughput vs. competitors when IPS is enabled.

  • Enable threat defense without compromising throughput

    Sustained performance: Dual multi-core CPU architecture enables:

    • Sustained throughput performance when threat functions are enabled vs. competing designs

    • Flexibility and future-proofing vs. ASIC-based designs that degrade as new defenses and functions are added

    • Prefix filtering with fast path verifies flows that do not require threat inspection, further enhancing performance

    [Diagram labels: Layer 7 & advanced threat engine; I/O; Multi-core CPU x86; Internal switch; Layer 2-3 & SSL acceleration (Multi-core CPU NPU); Fastpath for designated flows]

  • Improve IT efficiency with streamlined management

    Simpler management: Firepower 2100 series NGFWs deliver:

    Column headings: Scalable design; Easy setup; Faster time-to-value

    • Quick setup wizard (FDM)

    • Low-touch provisioning

    • Templates for multi-site provisioning

    • Cloud-based policy delivery (CDO)

    • Automated executive summary

    • Demonstrate value more easily

    • 50% increased management capacity (FMC)

    • Expanded file storage

    • Network modularity

  • Significantly enhance performance with a Firepower 2100 NGFW

    ~2X to 4X Firewall Performance Boost; up to 10G Connectivity

    [Chart labels: 4X Performance; 2X Performance]

    Model | Form Factor | I/O | Power | Throughput FW+AVC (1024b) | Throughput FW+AVC+IPS (1024b)
    Firepower 2110 | 1RU | 12 RJ-45; 4 x SFP | 1x Fixed AC | 1.9 Gbps | 1.9 Gbps
    ASA 5525-X | 1RU | 8 RJ-45; 6 x SFP | 1x AC or DC | 1.1 Gbps | 650 Mbps
    Firepower 2120 | 1RU | 12 RJ-45; 4 x SFP | 1x Fixed AC | 3 Gbps | 3 Gbps
    ASA 5545-X | 1RU | 8 RJ-45; 6 x SFP | 1x or 2x AC / 1x or 2x DC | 1.5 Gbps | 1 Gbps
    Firepower 2130 | 1RU | 12 RJ-45; 4 x SFP+; 1x NM - 8x10G SFP+ | 1x or 2x AC / 1x or 2x DC | 4.75 Gbps | 4.75 Gbps
    ASA 5555-X | 1RU | 8 RJ-45; 6 x SFP | 1x or 2x AC / 1x or 2x DC | 1.75 Gbps | 1.25 Gbps
    Firepower 2140 | 1RU | 12 RJ-45; 4 x SFP+; 1x NM - 8x10G SFP+ | 2x AC / 2x DC | 8.5 Gbps | 8.5 Gbps
    ASA 5585-X SSP 10 | 2 RU | 16 RJ-45, 4 x 10 SFP+ (2 modules) | 2x AC / 2x DC | 4.5 Gbps | 2.5 Gbps

  • Firepower 2100 Series Models

    Description | FPR 2110 | FPR 2120 | FPR 2130 | FPR 2140
    Chassis & I/O | 1RU; 12 Fixed RJ-45 (1G); 4 x SFP (1G) | 1RU; 12 Fixed RJ-45 (1G); 4 x SFP (1G) | 1RU; 12 Fixed RJ-45 (1G); 4 x SFP+ (10G); 1 x NM Slot | 1RU; 12 Fixed RJ-45 (1G); 4 x SFP+ (10G); 1 x NM Slot
    CPU x86 | 4-Core | 6-Core | 8-Core | 16-Core
    CPU DDR4 DRAM | 16GB | 16GB | 32GB | 64GB
    NPU Octeon | 6-Core | 8-Core | 12-Core | 16-Core
    NPU DDR4 DRAM | 8 GB | 8 GB | 16 GB | 16 GB
    PSU – Default/Options | 1x 250W Fixed AC PSU | 1x 250W Fixed AC PSU | 1x 400W AC default; 2x AC, 1x or 2x DC options | 2x 400W AC default; 2x 350W DC options

    SSD: 1 x 100GB Default, 2nd Optional SSD for MSP 800GB; 1 x 200GB Default, 2nd Optional SSD for MSP 800GB

  • Firepower 2100 Series Performance

    Metric | FPR 2110 | FPR 2120 | FPR 2130 | FPR 2140
    Throughput FW + AVC | 1.9 Gbps | 3 Gbps | 4.75 Gbps | 8.5 Gbps
    Throughput FW + AVC + NGIPS | 1.9 Gbps | 3 Gbps | 4.75 Gbps | 8.5 Gbps
    Maximum concurrent sessions, with AVC | 1 M | 1.2 M | 2 M | 3.5 M
    Maximum new connections per second, with AVC | 12000 | 16000 | 24000 | 40000

    Note: Early Performance Numbers

  • Firepower 2100, 4100, 9300 Snapshot

    Features | FPR 2100 | FPR 4100 | FPR 9300
    Throughput range Firewall + AVC | 2 to 8 Gbps | 12 to 30 Gbps | 30 to 54 Gbps
    Throughput range Firewall + AVC + IPS | 2 to 8 Gbps | 10 to 24 Gbps | 24 to 53 Gbps
    Interface Speed | 1/10 Gbps | 1/10/40 Gbps | 1/10/40/100 Gbps
    Rack Unit size | 1 RU | 1 RU | 3 RU
    Clustering | Roadmap | Yes (6.2) | Yes (6.2)

  • Migration

  • Migration Capabilities – Today & Roadmap

    Firepower 6.1/6.2

    • ACLs: Ability to migrate Access Control Rules

    • NAT: Ability to migrate NAT rules

    • Objects: Support for migrating objects corresponding to ACL, NAT rules, except Users, Time Range, FQDN, SGT

    • ASA Versions: Support for ASA 9.1+ versions

    Firepower 6.x - Roadmap

    • Additional Object Support: Ability to migrate additional types of objects for access rules - Users, Time Range, FQDN, SGT

    • User Experience: Improved usability; tool, report improvements

    • Device Configurations: Routing, VPN, Platform Settings etc.

    • ASA Versions: Support for ASA 8.4+ versions

  • Migration at a Glance

    [Diagram labels: ASA; ASA .cfg or .txt file; FMCv (deployed as Migration Tool); FMC .sfo file; Migration Report; Import Tool; FMC (managing FTD Devices); Manual Reimage; Register; Apply Migrated Configs; FTD]

    ASA version 9.1.x or higher; Single Context Mode; Transparent or Routed; Active Unit (in HA pair)

    Run as root: enableMigrationTool.pl

    Import as ACL or Pre-filter policies

  • Migration of Installed Base (ASA customers)

    • New OS (ASA -> FTD)

    • Old configuration needs to be converted

    • There is a migration tool!

    • New dCloud lab on migration!

  • Thank you for your attention. Q&A