
ASA Firepower NGFW Typical Deployment Scenarios
Source: d2zmdbbm9feqrf.cloudfront.net/2017/eur/pdf/BRKSEC-2050.pdf



ASA Firepower NGFW Typical Deployment Scenarios

Jeff Fanelli - Principal Systems Engineer - [email protected]

BRKSEC-2050

#jefanell

Page 3

About your speaker

Jeff Fanelli

Principal Systems Engineer

Cisco Global Security Sales Organization

I’m from the U.S. state with the longest suspension bridge in the western hemisphere!

Page 4

MICHIGAN (the “mitten” state..)

Page 5

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Firepower Sessions: Building Blocks

BRKSEC-2058: A Deep Dive into using the Firepower Manager (Tuesday 16:45)
BRKSEC-2056: Threat Centric Network Security (Tuesday 11:15)
BRKSEC-3032: NGFW Clustering Deep Dive (Wednesday 9:00)
BRKSEC-3035: Firepower Platform Deep Dive (Thursday 9:00)
BRKSEC-2050: ASA Firepower NGFW Typical Deployment Scenarios (Tuesday 14:15, this session)
BRKSEC-3455: Dissecting Firepower NGFW (FTD+FPS) (Friday 9:00)

BRKSEC-2050 5

Page 6

Today's Agenda

• Firepower System Architecture Overview
• Platforms & Capabilities
• Firepower Software Deep Dive
• Firepower 6.1 / 6.2 New Capabilities
• Management Options
• Deployment Modes
• Deployment Use Cases

Page 7

Abbreviation Key!

ASA = Adaptive Security Appliance

FTD = Firepower Threat Defense

FPS = Firepower Services

FMC = Firepower Management Center

FDM = Firepower Device Manager

NGFW = Next Generation Firewall

NGIPS = Next Generation Intrusion Prevention System

AMP = Advanced Malware Protection

API = Application Programming Interface

ISE = Identity Services Engine

IoC = Indicator of Compromise

PAN = Place to cook your eggs

Page 8

Systems Architecture Overview

Page 9

How did we get here from there?

• Adaptive Security Appliance (ASA)

• FirePOWER NGIPS

• ASA with FirePOWER Services?

• Firepower NGFW?

Page 10

ASA “Adaptive Security Appliance”

Management: ASDM (on-box) / command line; Cisco Security Manager / RESTful API.

Capabilities (diagram): network firewall (routing | switching); HA and clustering; data center security; service provider security; protocol inspection; identity-based policy control; VPN; mixed multi-context mode.

Page 11

ASA with FirePOWER Services

► Cisco ASA is the world's most widely deployed, enterprise-class stateful firewall
► Granular Cisco® Application Visibility and Control (AVC)
► Industry-leading FirePOWER next-generation IPS (NGIPS)
► Reputation- and category-based URL filtering
► Advanced malware protection

Diagram components: Cisco ASA (identity-policy control & VPN; network firewall, routing | switching; clustering & high availability); FireSIGHT analytics & automation; Application Visibility & Control; URL filtering (subscription); Advanced Malware Protection (subscription); Intrusion Prevention (subscription); built-in network profiling; Cisco Collective Security Intelligence enabled.

Page 12

Firepower Threat Defense

Integrated software, single management. Diagram components: network firewall and routing; high availability; identity-based policy control; network profiling; Application Visibility & Control; URL filtering; Intrusion Prevention; malware protection; analytics & automation; all backed by Cisco Collective Security Intelligence.

Page 13

Firepower Threat Defense (FTD) Software

ASA (L2-L4):
• L2-L4 stateful firewall
• Scalable CGNAT, ACL, routing
• Application inspection

Firepower (L7):
• Threat-centric NGIPS
• AVC, URL filtering for NGFW
• Advanced Malware Protection

Firepower Threat Defense: a single converged OS carrying the full feature set of both (firewall, URL, visibility, threats), with continuous feature migration from ASA with Firepower Services. Managed by Firepower Management Center (FMC)*.

* FMC also manages Firepower appliances and FirePOWER Services (not ASA software).

Page 14

Feature Comparison: ASA with Firepower Services and Firepower Threat Defense

Similarities

Feature | Firepower Threat Defense | Firepower Services for ASA
--- | --- | ---
Routing + NAT | ✔ (OSPF, BGP, Static, RIP, Multicast; EIGRP/PBR via FlexConfig) | ✔ (OSPF, BGP, EIGRP, static, RIP, Multicast)
OnBox Management | ✔ | ✔
HA (Active/Passive) | ✔ | ✔
Clustering (Active/Active) | ✔ | ✔
Site to Site VPN | ✔ | ✔
Policy based on SGT tags | ✔ | ✔

Differences

Feature | Firepower Threat Defense | Firepower Services for ASA
--- | --- | ---
Unified ASA and Firepower rules and objects | ✔ | ✘
Hypervisor Support | ✔ (AWS, VMware, KVM, Azure in 6.2) | (not listed on slide)
Smart Licensing Support | ✔ | ✘
Multi-Context Support | ✘ (Coming Soon!) | ✔
Remote Access VPN | ✔ (6.2.1) | ✔

Note: Not an exhaustive feature list

Page 15

What are the Firepower Deployment Options?

• Firepower Appliances (FirePOWER NGIPS software): 7000 / 7100 / 8000 / Virtual
• ASA with Firepower Services (ASA 9.5.x + FirePOWER Services): ASA 5500-X (all models)
• Firepower Threat Defense (unified software image): ASA 5500-X / Virtual, Firepower 2100 / 4100 / 9300

Note: the ASA 5585 cannot run the FTD image!

All managed by Firepower Management Center.

Page 16

Platforms & Capabilities

Page 17

Cisco ASA 5500-X: SMB and Enterprise Branch NGFW

5506 / 5508 / 5516 performance:
• 1-Gbps interfaces
• Up to 450 Mbps throughput
• Wireless option for 5506-X
• Software switching capability
• Firepower Threat Defense or ASA software options

5525 / 5545 / 5555 performance:
• 1-Gbps interfaces
• Up to 1.2 Gbps throughput
• 5545 / 5555: redundant power supply and SSD option
• Firepower Threat Defense or ASA software options

Unified management:
• Firepower Management Center (enterprise management)
• Firepower Device Manager (on-box manager)
• Cisco Defense Orchestrator (cloud management)

Page 18

Cisco Firepower 2100 Series
Introducing four high-performance models

Purpose-built NGFW:
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)

Performance and density optimization:
• 1-Gbps and 10-Gbps interfaces
• Up to 8.5-Gbps throughput
• 1-rack-unit (RU) form factor
• Dual SSD slots
• 12x RJ45 ports, 4x SFP(+)
• 2130 / 2140 models: 1x network module, fail-to-wire option, DC & dual PSU support

Unified management:
• Firepower Management Center (enterprise management)
• Firepower Device Manager (on-box manager)
• Cisco Defense Orchestrator (cloud management)

Page 19

Firepower 2100 Series Performance

Model | NGFW throughput | NGFW + IPS throughput | Maximum concurrent sessions | Maximum new connections per second
--- | --- | --- | --- | ---
FPR 2110 | 1.9 Gbps | 1.9 Gbps | 1 M | 12,000
FPR 2120 | 3 Gbps | 3 Gbps | 1.2 M | 16,000
FPR 2130 | 4.75 Gbps | 4.75 Gbps | 2 M | 24,000
FPR 2140 | 8.5 Gbps | 8.5 Gbps | 3.5 M | 40,000

Note: early performance numbers.

NO DROP IN PERFORMANCE! (The NGFW and NGFW + IPS figures are identical.)

Page 20

Cisco Firepower 4100 Series: high performance campus and data center

Multiservice security:
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third party

Performance and density optimization:
• 10-Gb and 40-Gb interfaces
• Up to 24-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency

Unified management:
• Firepower Management Center (enterprise management)
• Firepower Device Manager (on-box manager)
• Cisco Defense Orchestrator (cloud management)

Page 21

Cisco Firepower 9300 Platform: high performance data center

Multiservice security
• Benefits: integration of best-in-class security; dynamic service stitching
• Features*: ASA container option; Firepower™ Threat Defense (NGIPS, AMP, URL, AVC); third-party containers (Radware DDoS)

Modular
• Benefits: standards and interoperability; flexible architecture
• Features: template-driven security; secure containerization for customer apps; RESTful/JSON API; third-party orchestration and management

Carrier class
• Features: compact, 3RU form factor; 10-Gbps/40-Gbps I/O, 100-Gbps ready; terabit backplane; low latency, intelligent fast path; Network Equipment-Building System (NEBS) ready

* Contact Cisco for services availability

Page 22

Cisco NGFW Platforms
NGFW capabilities all managed by Firepower Management Center

• Firepower Threat Defense for ASA 5500-X: 250 Mbps -> 1.75 Gbps (NGFW + IPS throughput)
• Firepower 2100 Series: 2 Gbps -> 8 Gbps (NGFW + IPS throughput)
• Firepower 4100 Series and Firepower 9300: 41xx = 10 Gbps -> 24 Gbps; 93xx = 24 Gbps -> 53 Gbps; up to 6x with clustering!

Page 23

Software Support – Physical Platforms

Platform | ASA | Firepower NGIPS | ASA with FirePOWER Services | Firepower Threat Defense
--- | --- | --- | --- | ---
ASA 5506-X -> 5555-X (all models) | ✓ | | ✓ | ✓
Firepower 2100 (all models) | NO! | | | ✓
Firepower 4100 (all models) | ✓ | | | ✓
Firepower 9300 (all models) | ✓ | | | ✓
ASA 5585 (with SSP blade) | ✓ | | ✓ |
Firepower 7000 / 8000 (IPS appliances) | | ✓ | |

Page 24

Software Support - Virtual Platforms

Platform | ASA | Firepower NGIPS | Firepower Threat Defense
--- | --- | --- | ---
ASAv (vSphere, AWS, Azure, Hyper-V, KVM) | ✓ | |
Firepower NGIPSv (vSphere + ISR UCS-E) | | ✓ |
Firepower NGFWv (vSphere, AWS, Azure, KVM) | | | ✓

Page 25

Firepower NGFW Software

Page 26

Application Visibility & Control (OpenAppID)
Provide next-generation visibility into app usage: see and understand risks; enforce granular access control; prioritize traffic and limit rates; create detectors for custom apps.

Cisco database: 4,000+ apps, 180,000+ micro-apps. (Diagram: network & users -> prioritize traffic.)

Page 27

OpenAppID Integration

• What is OpenAppID?

• Open source app-focused detection language

• > 2500 detectors contributed by Cisco

• > 20,000 downloads of the detection pack since last September

• Snort-community supported

• Simple Language

• Reduced dependency on vendor release cycles

• Written using the Lua scripting language

Open source application-focused detection language that enables users to create, share and implement custom application detection.

Page 28

URL Filtering – Security Intelligence Feeds – DNS Sinkhole capability
Web acceptable use controls and threat prevention: classify 280M+ URLs; filter sites using 80+ categories; manage “allow/block” lists easily; block the latest malicious URLs.

Diagram: the admin builds category-based policy (allow / block) from the Cisco URL database; security feeds (URL | IP | DNS) drive NGFW filtering with allow/block decisions, DNS sinkhole and Safe Search.

Page 29

URL-Based Security Intelligence

• Extension of IP-based SI
• Talos dynamic feed, 3rd-party feeds and lists
• Multiple categories: Malware, Phishing, CnC, ...
• Multiple actions: Allow, Monitor, Block, Interactive Block, ...
• Policy configured via Access Rules or black-list
• IoC tags for CnC and Malware URLs
• New dashboard widget for URL SI
• Black/White-list a URL with one click

(Screenshot: URL-SI categories)
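The list semantics behind these bullets, as an added example that is not Cisco code: whitelist (do-not-block) entries win over blacklist entries, domain entries match the host and its subdomains only on label boundaries, URL entries match host plus path prefix, and a blacklist hit carries its category so CnC and Malware hits can be tagged as IoCs. The feed contents, category names and URLs below are constructed for the illustration.

```python
"""Security Intelligence list matching for URLs and domains (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Verdict:
    action: str               # "allow", "monitor" or "block"
    category: Optional[str]   # SI category of the matching entry, None when nothing matched
    ioc: bool                 # True when the hit should raise an Indication of Compromise


# Constructed blacklists: category -> (entries, action). An entry is either a
# bare domain (matches the host and all of its subdomains) or host/path
# (matches exactly that host and any path under the given prefix).
BLACKLISTS = {
    "CnC":      (["evil-c2.example", "cdn.example/beacon/"], "block"),
    "Malware":  (["dl.badsite.example"], "block"),
    "Phishing": (["login-secure.example"], "monitor"),
}
# Constructed whitelist: never blocked, whatever the blacklists say.
WHITELIST = ["partner.example"]
IOC_CATEGORIES = {"CnC", "Malware"}


def normalize(url: str) -> Tuple[str, str]:
    """Return (host, path) for a URL or bare host: lower-cased host without
    port or trailing dot, path defaulting to '/'."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    return host, parts.path or "/"


def domain_matches(entry: str, host: str) -> bool:
    """Label-boundary suffix match: 'c2.example' matches 'c2.example' and
    'a.c2.example' but neither 'c2.example.net' nor 'notc2.example'."""
    entry = entry.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


def entry_matches(entry: str, host: str, path: str) -> bool:
    if "/" in entry:                       # URL entry: exact host + path prefix
        e_host, _, e_path = entry.partition("/")
        return host == e_host.lower() and path.startswith("/" + e_path)
    return domain_matches(entry, host)     # domain entry


def evaluate(url: str) -> Verdict:
    """Whitelist first, then the blacklists in order; the default is allow."""
    host, path = normalize(url)
    if any(entry_matches(e, host, path) for e in WHITELIST):
        return Verdict("allow", None, False)
    for category, (entries, action) in BLACKLISTS.items():
        if any(entry_matches(e, host, path) for e in entries):
            return Verdict(action, category, category in IOC_CATEGORIES)
    return Verdict("allow", None, False)


if __name__ == "__main__":
    for u in ("https://a.evil-c2.example/x", "http://evil-c2.example.net/",
              "https://cdn.example/beacon/123", "https://cdn.example/static/app.js",
              "HTTP://LOGIN-SECURE.EXAMPLE:8080/", "http://partner.example/"):
        print(f"{u:45} -> {evaluate(u)}")
```

The label-boundary check in `domain_matches` is the part worth copying: a naive `endswith("evil-c2.example")` would also fire on `notevil-c2.example`, and a naive substring check would let `evil-c2.example.attacker.net` slip past a block.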

Page 30

DNS Inspection

• Security Intelligence support for domains

• Addresses challenges with fast-flux domains

• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing

• Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor

• Indications of Compromise extended with DNS Security Intelligence

• New Dashboard widget for DNS SI


Page 31

DNS Inspection: DNS Sinkhole

Diagram: the endpoint (10.15.0.21) resolves a C&C domain through the local DNS server. The NGFW policy (DNS SI list: C&C servers; action: DNS Sinkhole) answers the forwarded query with the sinkhole address instead of the real one. The endpoint then tries to connect to the sinkhole IP; that connection is blocked (X) and generates SI events and IoCs. Because the DNS query the NGFW sees comes from the local DNS server rather than from the endpoint, it is this follow-on connection that identifies the infected host.
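The attribution step the diagram relies on, as an added example that is not Cisco code and does not use FMC's event schema: sinkholed DNS events carry the resolver's address, so the endpoint has to be recovered from the connection it subsequently makes to the sinkhole IP. The addresses, event records and the field names ts/kind/src/dst/qname are all constructed for the illustration.

```python
"""Attributing a DNS sinkhole hit to the real endpoint (added example)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

SINKHOLE_IP = "192.0.2.250"   # constructed sinkhole address (documentation range)
RESOLVER_IP = "10.15.0.53"    # constructed local DNS server
WINDOW_S = 30.0               # accept a sinkhole connection this long after the DNS event


class Event(NamedTuple):
    ts: float
    kind: str                 # "dns_sinkhole" or "connection"
    src: str
    dst: str
    qname: str = ""           # queried name, only set on dns_sinkhole events


# Constructed event stream: what an analyst would pull from SI and connection events.
# Note that every dns_sinkhole event is sourced from the resolver, never from a client.
EVENTS = [
    Event(100.0, "dns_sinkhole", RESOLVER_IP, "203.0.113.9", "c2.evil.example"),
    Event(100.4, "connection", "10.15.0.21", SINKHOLE_IP),      # the infected endpoint
    Event(102.0, "connection", "10.15.0.77", "203.0.113.80"),   # unrelated traffic
    Event(300.0, "dns_sinkhole", RESOLVER_IP, "203.0.113.9", "c2.evil.example"),
    Event(301.1, "connection", "10.15.0.42", SINKHOLE_IP),      # a second endpoint
    Event(900.0, "connection", "10.15.0.99", SINKHOLE_IP),      # no DNS event within the window
]


def attribute_sinkhole_hits(events: List[Event]) -> Dict[str, List[str]]:
    """Return {endpoint_ip: [queried names]} for every host that connected to the
    sinkhole, joined with the sinkholed DNS answers seen up to WINDOW_S earlier.
    A connection with no DNS event in the window is kept under an empty name so
    the infected host is still reported."""
    pending: List[Event] = []
    hits: Dict[str, List[str]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "dns_sinkhole":
            pending.append(ev)
        elif ev.kind == "connection" and ev.dst == SINKHOLE_IP:
            pending = [p for p in pending if ev.ts - p.ts <= WINDOW_S]
            hits[ev.src].extend(sorted({p.qname for p in pending}) or [""])
    return dict(hits)


def resolver_only_view(events: List[Event]) -> Set[str]:
    """What the DNS SI events alone would show: only the resolver's address."""
    return {ev.src for ev in events if ev.kind == "dns_sinkhole"}


if __name__ == "__main__":
    print("DNS SI events point at:", resolver_only_view(EVENTS))
    for host, names in attribute_sinkhole_hits(EVENTS).items():
        print(f"IoC on {host}: sinkholed names {names}")
```

With a plain Block or Domain Not Found action only `resolver_only_view` is available, which is why the sinkhole action is the one that produces a host-level IoC in this topology.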

Page 32

SSL/TLS handshake certificate inspection and TLS decryption engine
Decrypt 3.5 Gbps of traffic over five million simultaneous flows.

Visibility for encrypted traffic (diagram): encrypted traffic enters the SSL decryption engine; deciphered packets are inspected by AVC and NGIPS; enforcement decisions are applied (e.g. blocking gambling and illicit sites); all SSL sessions are tracked and logged.

Page 33

Integrated SSL Decryption

• Multiple deployment modes:
  • Passive inbound (known keys)
  • Inbound inline (with or without keys)
  • Outbound inline (without keys)
• Flexible SSL support for HTTPS and StartTLS-based apps, e.g. SMTPS, POP3S, FTPS, IMAPS, TelnetS
• Decrypt by URL category and other attributes
• Centralized enforcement of SSL certificate policies, e.g. blocking self-signed encrypted traffic, SSL versions, specific cipher suites, unapproved mobile devices
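How the decrypt-by-category and certificate-policy bullets combine in practice, as an added example that is not Cisco code: an SSL policy is a top-down rule list where the first matching rule decides between block, do-not-decrypt, decrypt with re-sign (outbound) and decrypt with known key (inbound). Block rules are placed first so that a self-signed certificate, a legacy protocol version or a forbidden cipher can never fall through to a do-not-decrypt rule for a privacy category. The handshake records, category names, cipher names and rule list are constructed for the illustration.

```python
"""First-match SSL policy evaluation over TLS handshake metadata (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Handshake:
    sni: str
    category: str            # URL category of the SNI as the URL database would classify it
    version: str             # "SSLv3", "TLSv1.0", "TLSv1.2", "TLSv1.3", ...
    cipher: str              # negotiated cipher suite (IANA name)
    cert_subject: str
    cert_issuer: str
    direction: str = "outbound"   # "outbound" (clients to the internet) or "inbound" (to own servers)

    @property
    def self_signed(self) -> bool:
        # A certificate that signed itself names itself as issuer.
        return self.cert_subject == self.cert_issuer


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "block", "do_not_decrypt", "decrypt_resign", "decrypt_known_key"
    match: Callable[[Handshake], bool]


LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0"}
WEAK_CIPHERS = {"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_NULL_SHA"}
PRIVACY_CATEGORIES = {"Financial Services", "Health and Medicine"}

# Constructed policy. Rules are checked top to bottom and the first match wins,
# so the block rules are deliberately placed ahead of the do-not-decrypt rule.
POLICY: List[Rule] = [
    Rule("block legacy versions", "block", lambda h: h.version in LEGACY_VERSIONS),
    Rule("block weak ciphers", "block", lambda h: h.cipher in WEAK_CIPHERS),
    Rule("block self-signed outbound", "block", lambda h: h.direction == "outbound" and h.self_signed),
    Rule("known-key inbound", "decrypt_known_key", lambda h: h.direction == "inbound"),
    Rule("privacy categories", "do_not_decrypt", lambda h: h.category in PRIVACY_CATEGORIES),
    Rule("decrypt the rest", "decrypt_resign", lambda h: True),
]


def ssl_decision(h: Handshake, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule."""
    for rule in policy:
        if rule.match(h):
            return rule.action, rule.name
    return "do_not_decrypt", "default"


if __name__ == "__main__":
    GOOD = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    for h in (
        Handshake("bank.example", "Financial Services", "TLSv1.2", GOOD, "CN=bank.example", "CN=Example CA"),
        Handshake("bank.example", "Financial Services", "SSLv3", GOOD, "CN=bank.example", "CN=Example CA"),
        Handshake("box.example", "Uncategorized", "TLSv1.2", GOOD, "CN=box", "CN=box"),
        Handshake("www.example", "Business", "TLSv1.3", GOOD, "CN=www.example", "CN=Example CA"),
        Handshake("app.corp.example", "Business", "TLSv1.2", GOOD, "CN=app", "CN=app", direction="inbound"),
    ):
        print(h.sni, h.version, h.direction, "->", ssl_decision(h))
```

The second handshake in the demo is the case the ordering protects against: a financial site is normally left undecrypted, but an SSLv3 negotiation to it is still blocked because the version rule is evaluated first.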

Page 34

Next-Generation Intrusion Prevention System (NGIPS)
Application- and context-aware intrusion prevention

Diagram: (1) scan network traffic (data packets, communications, app & device data); (2) correlate data to detect stealthy, blended threats (network profiling, phishing attacks, innocuous payloads, infrequent callouts); (3) respond based on priority: accept, block, prioritize response, automate policies (with ISE).

Page 36

Cisco AMP Threat Grid (Advanced Malware Protection and cloud sandboxing)
Malware and ransomware detection and blocking: block known malware; investigate files safely; detect new threats; respond to alerts.

File reputation: known signatures; fuzzy fingerprinting; indications of compromise.
Threat Grid sandboxing: advanced analytics; dynamic analysis; threat intelligence.

Diagram: AMP for Network and AMP for Endpoint log file events; unknown files (?) go to sandbox analysis; the resulting threat disposition (safe / uncertain / risky) is enforced across all endpoints, with file & device trajectory for investigation.

Page 37

Additional Firewall Features
Improve traffic control with new features

• Identity integration (target threats accurately): ISE, pxGrid, VDI
• Captive portal (enforce authentication): active/passive, NTLM, Kerberos
• Rate limiting (control application usage): rule-based limits, reports, QoS rules
• FlexConfig (granular config controls): CLI policies, legacy ASA feature control
• Tunnel policy (block unwanted traffic early): pre-filtering, priority policy, policy migration

Page 38

ISE Integration

• pxGrid feed to retrieve from ISE:
  • AD username (group lookup via AD realm)
  • Device type profile & location
  • TrustSec Security Group Tag (SGT)
• Ability to exert control based on the above in rules, e.g. block HR users from using personal iPads
• Reduces ACL size and complexity

Page 39

ISE Integration Screen Shot

Page 40

Captive Portal / Active Authentication

• Enforces authentication through the appliance
• Multiple authentication modes (Passive, Active, Passive with Active Fallback)
• Various supported authentication types (e.g. Basic, NTLM, Advanced, Form)
• Guest / non-Windows device authentication support
• Multi-realm support

Method | Source | LDAP/AD | Authoritative?
--- | --- | --- | ---
Active | Forced authentication through the device | LDAP and AD | yes
Passive | Identity and IP mapping from the AD Agent | AD | yes
User Discovery | Username scraped from traffic | LDAP and AD, passive from the wire | no

Page 41

Captive Portal - Configuration (screenshot: Authentication Type, Action, Exclude User Agent)

Page 42

Rate limiting configuration

• QoS Policy is a new policy type with a separate policy table
• Not associated with an Access Control Policy; directly associated with devices

Page 43

FlexConfig

• Provides a way to configure ASA features not exposed directly by Firepower Management Center, for example:
  • EIGRP routing
  • PBR
  • IS-IS routing
  • NetFlow (NSEL) export
  • VXLAN
  • ALG inspections
  • IPv6 header inspection
  • BFD
  • Platform sysopt commands
  • WCCP

Page 44

FlexConfig Example: DHCPv6_Prefix_Delegation_Configure

• Description: configure IPv6 Prefix Delegation on FTD
• Configures:
  • One outside (Prefix Delegation client) interface
  • One inside interface (recipient of the delegated prefix) for IPv6 prefix delegation
• This template should be copied and the variables modified as appropriate.

Page 45

FlexConfig Example: DHCPv6_Prefix_Delegation_Configure

    ## Outside interface (PD client): logical name, prefix pool name, prefix hint
    #set ( $pdoutside = ["outside", "Outside-Prefix", "::/56"] )
    #foreach($j in $SYS_FTD_ROUTED_INTF_MAP_LIST)
    #if($j.intf_logical_name == $pdoutside.get(0))
    interface $j.intf_hardwarare_id
    ipv6 dhcp client pd $pdoutside.get(1)
    ipv6 dhcp client pd hint $pdoutside.get(2)
    #end
    #end

    ## Inside interface (recipient of delegated prefix): logical name, prefix pool name, suffix
    #set ( $pdinside = ["inside", "Outside-Prefix", "::1:0:0:0:4/64"] )
    #foreach($j in $SYS_FTD_ROUTED_INTF_MAP_LIST)
    #if($j.intf_logical_name == $pdinside.get(0))
    interface $j.intf_hardwarare_id
    ipv6 address $pdinside.get(1) $pdinside.get(2)
    #end
    #end

Page 46

Firepower Management Center: New Capabilities

Page 47

Troubleshooting: Packet Tracer

• Displays logs for a single simulated (virtual) packet
• Tracing data includes information from Snort and its preprocessors about the verdicts and actions taken while processing the packet

Page 48

Troubleshooting: Packet Capture with Trace

• Captures and displays packets from live traffic
• Allows PCAP file download of the capture buffer

Page 49

Lookup features – Geolocation & WHOIS

Page 50

Lookup Feature: URL

Page 51

ISE remediation using pxGrid

Page 52

Cisco Threat Intelligence Director

Page 53

Cisco Threat Intelligence Director (CTID)

• Uses customer threat intelligence to identify threats
• Automatically blocks supported indicators on Cisco NGFW
• Provides a single integration point for all STIX and CSV intelligence sources

Page 54

Cisco Threat Intelligence Director Overview (diagram)

Page 55

Hail a TAXII!!

• Free source of TAXII feeds
• Website URL: http://hailataxii.com
• Multiple feeds
• To configure the TAXII intelligence source:
  • URL: http://hailataxii.com/taxii-discovery-service
  • USERNAME: guest
  • PASSWORD: guest

Note that the discovery URL is plain HTTP with shared guest credentials: treat the indicators it returns as untrusted input and review them before letting CTID block on them automatically.
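What a review of such a feed looks like before its indicators reach a block policy, as an added example that is not Cisco's CTID implementation: CTID takes STIX and CSV sources, so this parses a constructed STIX 1.1.1 package and a constructed `kind,value` CSV into typed observables and drops values that should never be auto-blocked (private, loopback, multicast and documentation-range IPs, single-label or malformed hostnames, non-http(s) URLs). The sample indicators, the CSV layout and the two "public" test addresses are invented for the illustration.

```python
"""Normalize STIX 1.x and CSV indicators before they reach a block policy (added example)."""
import csv
import io
import ipaddress
import re
import xml.etree.ElementTree as ET
from typing import Dict, Set

Indicators = Dict[str, Set[str]]
KINDS = ("ip", "domain", "url")

# CybOX value elements (namespace-qualified tag -> indicator kind)
VALUE_TAGS = {
    "{http://cybox.mitre.org/objects#AddressObject-2}Address_Value": "ip",
    "{http://cybox.mitre.org/objects#DomainNameObject-1}Value": "domain",
    "{http://cybox.mitre.org/objects#URIObject-2}Value": "url",
}
# At least two labels, letters/digits/hyphens only, 253 characters at most.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,61}$")


def empty() -> Indicators:
    return {k: set() for k in KINDS}


def parse_stix_xml(text: str) -> Indicators:
    """Collect Address/Domain/URI values from a STIX 1.x package. CybOX may
    join several values in one element with '##comma##'."""
    found = empty()
    for elem in ET.fromstring(text).iter():
        kind = VALUE_TAGS.get(elem.tag)
        if kind and elem.text:
            found[kind].update(v.strip() for v in elem.text.split("##comma##") if v.strip())
    return found


def parse_csv(text: str) -> Indicators:
    """CSV with a 'kind,value' header (constructed layout, not a CTID format)."""
    found = empty()
    for row in csv.DictReader(io.StringIO(text)):
        kind, value = row["kind"].strip().lower(), row["value"].strip()
        if kind in found and value:
            found[kind].add(value)
    return found


def blockable(found: Indicators) -> Indicators:
    """Keep only indicators that are safe to push to a block list.
    ipaddress.is_global already rejects RFC 1918, loopback, link-local and the
    documentation ranges (which is why the samples use 1.2.3.4 / 5.6.7.8);
    multicast has to be excluded explicitly."""
    out = empty()
    for v in found["ip"]:
        try:
            addr = ipaddress.ip_address(v)
        except ValueError:
            continue
        if addr.is_global and not addr.is_multicast:
            out["ip"].add(str(addr))
    out["domain"] = {h for h in (v.lower().rstrip(".") for v in found["domain"]) if HOSTNAME_RE.match(h)}
    out["url"] = {v for v in found["url"] if re.match(r"^https?://[^/\s]+", v, re.IGNORECASE)}
    return out


# Constructed STIX 1.1.1 sample: one IP indicator carrying two values (one private) and one domain.
STIX_SAMPLE = """<stix:STIX_Package version="1.1.1"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1">
 <stix:Indicators>
  <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
     <AddressObj:Address_Value condition="Equals">1.2.3.4##comma##10.1.2.3</AddressObj:Address_Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
     <DomainNameObj:Value>c2.evil.example</DomainNameObj:Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""

# Constructed CSV sample mixing usable indicators with entries that must never be auto-blocked.
CSV_SAMPLE = """kind,value
ip,5.6.7.8
ip,127.0.0.1
domain,localhost
domain,Dropper.Badsite.Example.
url,https://c2.evil.example/gate.php
url,ftp://nope.example/
"""

if __name__ == "__main__":
    for name, raw in (("stix", parse_stix_xml(STIX_SAMPLE)), ("csv", parse_csv(CSV_SAMPLE))):
        print(name, {k: sorted(v) for k, v in blockable(raw).items()})
```

The `10.1.2.3`, `127.0.0.1` and `localhost` entries are the point: had they gone straight into a block list, the feed would have taken internal traffic down with it.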

Page 56

Management Platform Options

Page 57

Management Options

• On-box: Firepower Device Manager enables easy on-box management of common security and policy tasks
• Centralized: Firepower Management Center enables comprehensive security administration and automation of multiple appliances
• Cloud-based: Cisco Defense Orchestrator enables centralized cloud-based policy management of multiple deployments

BRKSEC-2050 57


Page 59: Firepower Device Manager

• Free local manager for managing a single Firepower Threat Defense device
• Targeted at the SMB market
• Designed for the networking/security administrator
• Simple and intuitive

Page 60: Firepower Device Manager Demo


Page 62: Firepower Management Center: Overview

• Single manager for Firepower Threat Defense
• Can also manage Firepower appliance and "Services" deployments
• Unified policy management for Firepower appliances and Firepower Threat Defense
• Broadest set of security capabilities for Firepower platforms!
• One Rule Table

Page 63: Firepower Management Center Demo


Page 65: Management Options: Cisco Defense Orchestrator (CDO)

• Cloud-based: Cisco Defense Orchestrator. Enables centralized cloud-based policy management of multiple deployments.

Page 66: On-box vs Off-box

Feature rows compared for Firepower Management Center (off-box) and Firepower Device Manager (on-box):

• NAT & Routing
• Access Control
• Intrusion & Malware
• Device & Events Monitoring
• VPN: Site to Site & RA
• Security Intelligence
• Other Policies: SSL, Identity, Rate Limiting (QoS), etc.
• Active/Passive Authentication
• Firewall Mode: Routed / Transparent (Firepower Management Center); Routed (Firepower Device Manager)
• Threat Intelligence & Analytics
• Correlation & Remediation
• Risk Reports
• Device Setup Wizard
• Interface Port-Channel
• High Availability

Page 67: Deployment Designs Use Case: Firepower Threat Defense Internet / WAN Edge

Page 68: Use Case: Internet Edge Firewall

Requirements

Connectivity and Availability Requirements:
• High Availability, ROUTED mode
• Firewall should support Routed or Transparent Mode

Routing Requirements:
• Static and BGP Routing
• Dynamic NAT/PAT and Static NAT

Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption

Authentication Requirements:
• User authentication and device identity

Solution

Security Application: Firepower Threat Defense application with FMC

Diagram: Service Provider / ISP, Internet Edge with FW in HA, vPC / Port-Channel and HSRP, Campus/Private Network, DMZ Network

Page 69: Connectivity and Availability

Page 70: Firewall Link Aggregation, High Availability, Clustering

Deliver scalable performance across many sites

• LACP (Link Aggregation Control Protocol) link redundancy: resiliency with link failures
• Active / Standby HA
• Inter-chassis Clustering: combine up to 6 9300 blades or 4100 chassis

See BRKSEC-3032, NGFW Clustering Deep Dive

Page 71: Firewall Design: Modes of Operation

• Routed Mode is the traditional mode of the firewall. Two or more interfaces separate L3 domains; the firewall is the router and gateway for local hosts.

Diagram: routed-mode firewall between 192.168.1.0/24 (firewall interface 192.168.1.1) and 10.1.1.0/24 (firewall interface 10.1.1.1), running NAT and DRP; local host IP 192.168.1.100, GW 192.168.1.1

Page 72: Firewall Design: Modes of Operation

• Routed Mode is the traditional mode of the firewall. Two or more interfaces separate L3 domains; the firewall is the router and gateway for local hosts.
• Transparent Mode is where the firewall acts as a bridge functioning at L2.
  • A transparent mode firewall offers some unique benefits in the DC.
  • Transparent deployment is tightly integrated with our 'best practice' data center designs.
• Note:
  • No multiple context mode available on FTD today.
  • Routed or transparent mode is configured with the setup dialog.
  • Changing between these modes requires re-registering with FMC; policies will be re-deployed.

Diagram: transparent-mode firewall bridging VLAN192 and VLAN1920 within 192.168.1.0/24; host IP 192.168.1.100, GW 192.168.1.1

Page 73: Wired and Wireless in same zone

IPv4 + IPv6 Support

Page 74: Routing Requirements

Page 75: Dynamic NAT for Direct Internet Access

Automatic and Manual (complex) NAT support for FTD, including IPv6

Page 76: Security Requirements

Page 77: Access Control Policy blocking inappropriate content

Page 78: SSL Decrypt is fully configurable

Can specify by application, certificate fields / status, ciphers, etc.

Page 79: DNS Sinkholing / Traffic Drop Rule Set

Based on the DNS query results of the client

Page 80: Security Intelligence DNS Global Settings

Whitelist / Blacklist capabilities

Page 81: Custom IPS Policy

Page 82: Malware and File Analysis

Attached to Access Policy

Page 83: Identity Requirements: Authentication and Authorization

Page 84: Identity Policy based on Passive Authentication

Attaches to Access Control Policy

Page 85: Access Control Policy Identity Control

Can mix and match AD & ISE identity groups (Guest, BYOD, etc.)

Page 86: Active Directory "Realm" Configuration

• Multiple entries
• LDAP / LDAPS
• Assigned to Identity Policy for Active or Passive Authentication

Page 87: Identity Services Engine pxGrid Integration

• MUST install on FMC the ROOT certificate (chain) that signed the ISE pxGrid cert
• MUST install on ISE the ROOT certificate (chain) that signed the FMC cert
• Private keys not needed (of course!)

Page 88: TrustSec Security Group Tag based identity from ISE

Can also reference Identity Services Engine identified device profiles

Page 89: External Authentication for Administration

• LDAP / AD or RADIUS
• The example allows "External Users" that exist in Active Directory to be defined for FMC or shell login
• Can stack multiple methods

Page 90: Secure Connection with Branch Office

• Simplified IPsec wizard for Site to Site VPN configuration
• Advanced application-level inspection can be enabled on VPN traffic of partner and vendor networks
• Prefilter policy to bypass advanced inspection and improve performance
• Authentication supports both pre-shared key and PKI
• Branch office deployment to secure the connection with the head office
• Monitoring and troubleshooting: monitor remote access activity, with a simplified tool for troubleshooting

Diagram: branch office Edge Router and FP2100 in failover, IPsec VPN over the ISP

Page 91: Site-to-Site VPN

• Firepower Management Center will provide monitoring of VPN tunnels
• Pre-shared key support
• PKI certificate authentication support

Page 92: Secure Remote Access for Roaming User

Secure access using Firepower

• Secure SSL/IPsec AnyConnect access to the corporate network
• AMP and file inspection policy to monitor roaming user data
• Easy RA VPN wizard to configure AnyConnect Remote Access VPN
• Advanced application-level inspection can be enabled to enforce security on inbound Remote Access user data
• Monitoring and troubleshooting: monitor remote access activity, with a simplified tool for troubleshooting

Diagram: ISP, Internet Edge with FP2100 in HA, Campus/Private Network

Page 93: Remote Access VPN

• AnyConnect client-based VPN
• Limitations:
  • No clientless VPN support (client download only)
  • No legacy Cisco IPsec IKEv1 client support
  • No Dynamic Access Policies

Page 94: Deployment Designs Use Cases: Other Modes

Page 95: Firepower Threat Defense Deployment Modes

Can mix and match on the same hardware to maximize value and visibility

• Routed
• Transparent
• Inline
• Inline Tap
• Passive

Additional options: inline or passive fail-to-wire NetMods; virtual or physical

Page 96: Firepower Threat Defense Inline Pairs

• Allows IPS (or IDS) inspection of traffic bridged between physical interfaces
• Can be configured in addition to routed / transparent NGFW interfaces on an FTD device
• Be careful not to exceed platform performance limitations!

Page 97: Promiscuous Interface

Diagram: Ethernet switch SPAN destination port or VACL capture feeding the sensor's promiscuous interface

• Only copies of the packets are sent to the sensor
• Mostly detection, limited protection
• Optional prevention through external blocking
• A separate device must send copies of the packets:
  • SPAN (or monitor) session from a switch
  • VACL capture from a switch
  • Network taps

Page 98: Virtual Deployment Modes

Page 99: Virtual FTD prerequisites

Multi-hypervisor support:
• KVM
• VMware vSphere 5.5+
• Cisco Cloud Services Platform

Provide the necessary virtual resources:
• 4 x vCPUs
• 4-8 GB of RAM
• 48 GB of disk space

Page 100: Firepower Threat Defense for AWS & Azure

• Global AWS data center support
• Smart license capable ("BYOL")
• Manage with FMC

Page 101: Integrated Routing and Bridging

Page 102: Integrated Routing and Bridging

• "Software Switch" capability
• Allows configuration of bridges in routed firewall mode
• Regular routed interfaces can now co-exist with BVI interfaces and interfaces that are members of bridge groups

Diagram: FTD or ASA (single context) with BVI 1 and BVI 2 bridge groups, Dept. X and Outside interfaces

Page 103: Integrated Routing and Bridging = Software Switch

Diagram: SAME VLAN

Page 104: Integrated Routing and Bridging

• A BVI interface can now have a name assigned to it; this enables it to participate in routing
• Only static routing is enabled on BVI interfaces in

Page 105: ASA - FTD Migration Tool

Page 106: ASA – FTD Migration

Firepower 6.1+ introduces migration support for key ASA configurations

• Access Rules, NAT and referenced Objects
• For Partners and customers
• Support for ASA 9.1.x onwards
• Roadmap: better scale, expanded config support

Page 107: Migration Tool Features

• Migration tool features:
  • ASA to FTD configuration migration
  • Migrated policies downloadable as a .sfo file importable in FMC
  • Migration report
• The migration tool supports ASA access rules, NAT policies and their referenced objects
• Qualified with 10,000 ACEs and objects, with no more than 50,000 flattened rule entries
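An added example, not part of the deck or of Cisco's migration tool, of how to check an ASA config against the qualified size above before running the tool: it parses object-groups and extended ACEs and counts how many flattened entries each ACE expands into, treating one entry as one (protocol, source, destination, service) combination. It assumes a simplified ASA grammar, and the real tool's expansion may differ; SAMPLE_CONFIG is constructed for this example.

```python
"""Added example, not from the BRKSEC-2050 deck or Cisco's migration tool:
estimate the flattened rule entries an ASA access-list expands into, to check
a config against the slide's qualified limit (50,000 flattened entries) before
handing it to the tool. Assumes a simplified ASA grammar and that one flattened
entry is one (protocol, source, destination, service) combination."""

FLATTENED_LIMIT = 50_000   # qualification figure from the slide


def parse_asa_config(text):
    """Return ({group: [(kind, member), ...]}, [ace_tokens, ...])."""
    groups, aces, current = {}, [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        tok = line.split()
        if tok[0] == "object-group":             # object-group network|service NAME [proto]
            current = tok[2]
            groups[current] = []
        elif line.startswith(" ") and current:   # indented member of the current group
            kind = "group" if tok[0] == "group-object" else "leaf"
            groups[current].append((kind, " ".join(tok[1:])))
        else:
            current = None
            if tok[0] == "access-list" and "extended" in tok:
                aces.append(tok)
    return groups, aces


def expand(groups, ref, seen=()):
    """Leaf count a reference expands to; literals (any, host, net/mask, port) count 1."""
    if ref[0] != "object-group":
        return 1
    name = ref[1]
    if name in seen:                             # nested groups must not loop
        raise ValueError("object-group nesting loop through " + name)
    return sum(expand(groups, ("object-group", m), seen + (name,)) if kind == "group" else 1
               for kind, m in groups[name])


def _operand(tok, i):
    """Consume one address operand: any/any4/any6 (1 token) or host/object[-group]/net mask (2)."""
    if tok[i] in ("any", "any4", "any6"):
        return (tok[i],), i + 1
    return (tok[i], tok[i + 1]), i + 2


def count_flattened(groups, aces):
    """Return ([(ace_text, entries), ...], total_entries)."""
    per_ace, total = [], 0
    for tok in aces:
        i = tok.index("extended") + 2            # skip permit|deny
        if tok[i] == "object-group":             # service group used in the protocol slot
            proto, i = (tok[i], tok[i + 1]), i + 2
        else:
            proto, i = (tok[i],), i + 1
        src, i = _operand(tok, i)
        dst, i = _operand(tok, i)
        svc = ("any",)
        if i < len(tok) and tok[i] in ("object-group", "eq", "lt", "gt", "neq", "range"):
            svc = (tok[i], tok[i + 1])
        n = 1
        for ref in (proto, src, dst, svc):
            n *= expand(groups, ref)
        per_ace.append((" ".join(tok), n))
        total += n
    return per_ace, total


# Constructed sample config (not a real customer configuration).
SAMPLE_CONFIG = """\
object-group network INSIDE_HOSTS
 network-object host 10.1.1.10
 network-object 10.1.2.0 255.255.255.0
object-group network DMZ_SERVERS
 network-object host 192.168.1.100
 network-object host 192.168.1.101
object-group network ALL_SERVERS
 group-object DMZ_SERVERS
 network-object host 192.168.1.200
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN extended permit tcp object-group INSIDE_HOSTS object-group ALL_SERVERS object-group WEB_PORTS
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.100 eq 443
access-list OUTSIDE_IN extended deny ip any any
"""
```

Compare the returned total with FLATTENED_LIMIT (and the ACE count with the 10,000 figure) before handing the config to the tool.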

Page 108: Migration Process Overview

1. ASA .cfg or .txt file
2. FMCv deployed as migration tool
3. Outputs: FMC .sfo file and Migration Report
4. FMC (managing the FTD device): import as Access Control Policy or Prefilter policy
5. ASA Firepower device: register, apply migrated policy

Page 109: Migration Capabilities – Today & Roadmap

Firepower 6.1/6.2:
• ACLs: ability to migrate Access Control Rules
• NAT: ability to migrate NAT rules
• Objects: support for migrating objects corresponding to ACL and NAT rules, except Users, Time Range, FQDN, SGT
• ASA Versions: support for ASA 9.1+ versions

Firepower 6.x roadmap:
• Additional Object Support: ability to migrate additional types of objects for access rules (Users, Time Range, FQDN, SGT)
• User Experience: improved usability, tool and report improvements
• Device Configurations: Routing, VPN, Platform Settings, etc.
• ASA Versions: support for ASA 8.4+ versions

Page 110: Firepower Threat Defense Summary

• Robust NGFW feature set: extending our threat leadership
• Flexible deployment: enabling more NGFW use cases
• Unified management: delivering on our convergence story

Page 111: Complete Your Online Session Evaluation

Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Page 112: Continue Your Education

• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions

Page 113: Thank You
