ASA Firepower NGFW Update and Deployment Scenarios

Page 1: NGFW Update and Deployment Scenarios
Michael Mercier, Consulting Systems Engineer – Security Solutions
May 19, 2016
Cisco Confidential © 2015 Cisco and/or its affiliates. All rights reserved.

Page 2: Housekeeping notes
Thank you for attending Cisco Connect Toronto 2016. Here are a few housekeeping notes to ensure we all enjoy the session today.

• Please ensure your cellphones / laptops are set on silent so that no one is disturbed during the session

Page 3: Agenda
• Firepower NGFW / Firepower Threat Defense
• Software Overview
• Firepower 4100 Next-Generation Security Architecture
• Firepower 9300 Next-Generation Security Architecture
• FTDv
• Licensing
• Performance
• Deployment Modes / Use Cases
• Deployment Considerations

Page 4: Relevant Terminology
• Firepower Threat Defense (FTD): unified codebase software image
• Firepower 4100 Series and 9300 Appliances: brand for the new hardware product offerings, which run FTD or ASA
• “Firepower Next-Generation Firewall (NGFW)”: FTD + hardware appliance
• Firepower Management Center (FMC): formerly FireSIGHT. Unified manager for NGFW, NGIPS, AMP, FirePOWER on ISR
• ASA with FirePOWER Services: two managers, full firewall feature set

Page 5: Cisco Firepower™ NGFW
Enable your business with a fully integrated, threat-focused solution
Threat focused, fully integrated:
• Detect earlier, act faster
• Gain more insight
• Reduce complexity
• Get more from your network
• Stop more threats

Page 6: Cisco Firepower™ NGFW – Stop more threats across the entire attack continuum
• BEFORE: Discover threats and enforce security policies
• DURING: Detect, block, and defend against attacks
• AFTER: Remediate breaches and prevent future attacks

Page 7: Cisco Firepower™ NGFW – Gain more insight with increased visibility
“You can’t protect what you can’t see”
Visibility categories compared across a typical IPS, a typical NGFW and Cisco Firepower™ NGFW: malware, client applications, operating systems, mobile devices, VoIP phones, routers and switches, printers, command and control servers, network servers, users, file transfers, web applications, application protocols, threats

Page 8: Detect infections earlier and act faster
Cisco: 17.5 hours. Industry TTD rate:* 100 days
• Automated attack correlation
• Indications of compromise
• Local or cloud sandboxing
• Malware infection tracking
• Two-click containment
• Malware analysis
Source: Cisco® 2016 Annual Security Report. *Median time to detection (TTD)

Page 9: Firepower Management Center

Page 10: Cisco Firepower™ Management Center – Reduce complexity with simplified, consistent management
Unified:
• Network-to-endpoint visibility
• Manages firewall, applications, threats, and files
• Track, contain, and recover remediation tools
Scalable:
• Central, role-based management
• Multitenancy
• Policy inheritance
Automated:
• Impact assessment
• Rule recommendations
• Remediation APIs

Page 11: Cisco Firepower™ Management Center – Get more from your network through integrated defenses
• Shared intelligence
• Shared contextual awareness
• Consistent policy enforcement
Integrated components shown: Talos, Firepower 4100 Series, Firepower 9300 Platform, Visibility, Radware DDoS, Network analysis, Email, Threats, Identity and NAC, DNS, Firewall, URL

Page 12: Management – Firepower Management Center Appliances
                                  | FS750     | FS2000          | FS4000          | Virtual FireSIGHT® Management Center
Maximum devices managed*          | 10        | 70              | 300             | Up to 25 managed devices (ASA or FirePOWER appliances)
Event storage                     | 100 GB    | 1.8 TB          | 3.2 TB          |
Maximum network map (hosts/users) | 2000/2000 | 150,000/150,000 | 600,000/600,000 |
Events per second (EPS)           | 2000      | 12,000          | 20,000          |
* Max number of devices is dependent upon sensor type and event rate
Virtual FireSIGHT® Management for 2 or 10 ASA devices only (not upgradeable): FS-VMW-2-SW-K9, FS-VMW-10-SW-K9

Page 13: Cisco NGFW Platforms
All* managed by Cisco Firepower Management Center:
• Cisco Firepower™ 4100 Series and 9300 (new appliances)
• Cisco FirePOWER™ Services on ASA 5585-X
• Cisco Firepower Threat Defense on ASA 5500-X
*5585-X management available 2H CY16

Page 14: Firepower Threat Defense

Page 15: Converged Software – Firepower Threat Defense
• New converged software image: Firepower Threat Defense. Contains all Firepower Services plus select ASA capabilities
• Single manager: Firepower Management Center*
• Same subscriptions as FirePOWER Services, enabled by Smart Licensing: Threat (IPS + SI + DNS), Malware (AMP + ThreatGrid), URL Filtering
* Also manages Firepower Appliances, Firepower Services (not ASA Software)

Page 16: What features are available?
• Everything from Firepower 6.0.1
• Phased introduction of features from ASA
• FTD 6.0.1:
  • IPv4 and IPv6
  • Connection state tracking and TCP normalization
  • Access Control
  • NAT (full support)
  • Unicast routing (except EIGRP)
  • ALGs (only default configuration)
  • Intra-chassis clustering on Firepower 9300
  • Stateful failover (HA)

Page 17: High-Level Feature Comparison: ASA with FirePOWER Services, Firepower Threat Defense
Feature                                 | FirePOWER Services for ASA | Firepower Threat Defense | Notes for Firepower Threat Defense
HA, NAT                                 | ✔ | ✔ |
Routing                                 | ✔ | ✔ | Multicast in 6.1, no EIGRP
Unified ASA and Firepower rules/objects | ✘ | ✔ |
Local Management                        | ✔ | ✔ | In 6.1, features differ
Multi-Context                           | ✔ | ✘ |
Inter-chassis Clustering                | ✔ | ✘ |
VPN                                     | ✔ | ✔ | Site-to-Site VPN in 6.1
Hypervisor Support                      | ✘ | ✔ | AWS, VMware; KVM in 6.1
Smart Licensing support                 | ✘ | ✔ |
Note: Not an exhaustive list of differences between these offerings.

Page 18: Firepower Threat Defense – Phased Delivery
General Availability, V6.0.1 – Mar. 2016:
• FP 9300/4100 platforms
• ASA low/mid platforms
• All of FP Services 6.0
• ASA+FP rules/objects
• Transparent/routed deployment
• Active/Passive HA
• NAT (dynamic/static)
• OSPF, BGP, RIP, static
• ALGs (fixed config)
• SYN cookie/anti-spoof
V6.1 – Q4FY16:
• Site-to-Site VPN
• Rate-limiting
• Multicast and EIGRP
• VDI user identity
• AMP Private Cloud
• ISE remediation
• X-Forwarded-For
• Web Safe Search
• Built-in risk reports
• KVM virtual platform
• On-box web UI
• FMC HA, scale and API
1HFY17 – High-Priority NGFW Feature Parity:
• Remote Access VPN
• Device clustering
• SSL acceleration
• Traffic QoS
• Time-based policies
• Hyper-V / Azure
• MS Exchange identity
• Packet trace/capture
• Configuration CLI

Page 19: What Platforms run Firepower Threat Defense?
All* managed by Cisco Firepower Management Center:
• Cisco Firepower Threat Defense on Firepower™ 4100 Series and 9300 (new appliances)
• Cisco FirePOWER Services on ASA 5585-X
• Cisco FirePOWER on 7000/8000 Series Appliances
• Cisco Firepower Threat Defense on ASA 5500-X
*5585-X ASA module management being investigated for 2HCY16

Page 20: Firepower Threat Defense Software Overview

Page 21: Advantages of Firepower Threat Defense
• New Next Generation Firewall offering
• Brings together the best features from ASA and Firepower, all under one OS
• Zero-copy packet inspection
• Single management application
• Duplicate functionality removed
Diagram: Firepower Threat Defense combines L2-L4 inspections (ASA technology) and advanced inspections (FirePOWER technology) under the Firepower Management Center; previously, ASA was managed by CSM/ASDM and FirePOWER Services by FireSIGHT

Page 22: ASA with FirePOWER Services Packet Flow
Stages shown: ingress NIC, L2/L3 decode, L4 decode, flow lookup, route lookup, NAT lookup, inspection checks, routing, NAT, egress NIC, flow update
FirePOWER Services reached through a kernel virtual TAP: AVC, IPS, File/AMP, event database
Virtual container: 2 OS, ASA & FP

Page 23: Firepower Threat Defense Packet Flow
Stages shown: ingress NIC, L2/L3 decode, L4 decode, flow lookup, route lookup, NAT lookup, inspection checks, routing, NAT, egress NIC, flow update
FirePOWER Services reached through the Packet Library (PDTS): AVC, IPS, File/AMP, event database
Zero copy, single OS

Page 24: Unified Access Control policies
• Access policies broken down into 2 sets of rules
• Advanced ACLs – evaluate L2–L4 attributes and give a verdict: Permit, Deny, Trust
• NGFW ACLs – evaluate L7 attributes: Allow, Block, Trust, Path
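The two-tier evaluation the slide describes, as an added example (not Cisco's code and not the FTD policy schema): a first rule set matches L2-L4 attributes and returns Permit, Deny or Trust; only a Permit hands the flow to the second rule set, which matches L7 attributes and returns Allow, Block or Trust. The rule fields, the sample flows, the treatment of a flow that matches no tier-1 rule (it continues to tier 2) and the omission of the slide's "Path" verdict are assumptions made for this example.

```python
"""Added example, not Cisco's code: a model of two-tier access control.
Tier 1 ('Advanced ACL') evaluates L2-L4 attributes -> permit | deny | trust.
Tier 2 ('NGFW ACL') evaluates L7 attributes -> allow | block | trust.
Rule fields, flow attributes and the unmatched-tier-1 behaviour are
assumptions for this example, not the FTD policy schema."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    app: Optional[str] = None           # L7 attribute, known only after inspection
    url_category: Optional[str] = None  # L7 attribute


@dataclass
class L4Rule:
    """Tier 1 rule: L2-L4 match; verdict is permit, deny or trust."""
    name: str
    verdict: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None = any protocol
    dport: Optional[int] = None   # None = any port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in (None, f.proto)
                and self.dport in (None, f.dport))


@dataclass
class L7Rule:
    """Tier 2 rule: L7 match; verdict is allow, block or trust."""
    name: str
    verdict: str
    apps: Tuple[str, ...] = ()            # empty = any application
    url_categories: Tuple[str, ...] = ()  # empty = any category

    def matches(self, f: Flow) -> bool:
        return ((not self.apps or f.app in self.apps)
                and (not self.url_categories or f.url_category in self.url_categories))


def evaluate(flow, l4_rules, l7_rules, default="block"):
    """Return (verdict, rule name, deep-inspected?). First match wins in each tier.
    A tier-1 deny drops the flow and a tier-1 trust fast-paths it, so neither
    reaches tier 2; permit (or, by assumption, no tier-1 match) continues."""
    for r in l4_rules:
        if r.matches(flow):
            if r.verdict in ("deny", "trust"):
                return (r.verdict, r.name, False)
            break  # permit: hand the flow to the L7 rule set
    for r in l7_rules:
        if r.matches(flow):
            return (r.verdict, r.name, r.verdict == "allow")
    return (default, "default", default == "allow")


# Constructed sample policy and flows (private and RFC 5737 addresses).
L4_RULES = [
    L4Rule("deny-telnet", "deny", proto="tcp", dport=23),
    L4Rule("backup-fastpath", "trust", src="10.1.1.0/24", dst="10.2.2.0/24",
           proto="tcp", dport=445),
    L4Rule("permit-inside-out", "permit", src="10.0.0.0/8"),
]
L7_RULES = [
    L7Rule("block-social", "block", apps=("facebook", "twitter")),
    L7Rule("allow-web", "allow", apps=("http", "https")),
]
SAMPLE_FLOWS = {
    "backup": Flow("10.1.1.5", "10.2.2.10", "tcp", 445),
    "telnet": Flow("10.5.5.5", "203.0.113.9", "tcp", 23),
    "social": Flow("10.5.5.5", "203.0.113.9", "tcp", 443, app="facebook"),
    "web":    Flow("10.5.5.5", "203.0.113.9", "tcp", 443, app="https"),
    "p2p":    Flow("10.5.5.5", "203.0.113.9", "udp", 6881, app="bittorrent"),
}


def run_samples():
    """Evaluate every sample flow; returns {name: (verdict, rule, inspected)}."""
    return {n: evaluate(f, L4_RULES, L7_RULES) for n, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:7s} -> {result}")
```

The third element of each result shows the practical difference between the verdicts: only an L7 Allow leaves the flow under deep inspection, while a tier-1 Trust bypasses the L7 rule set entirely, so a Trust rule should be written as narrowly as the backup rule above.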

Page 25: Unified Objects Configuration
Screenshot comparison: objects in 5.4 vs. objects in 6.0

Page 26: Firepower 4100 Next Generation Firewall

Page 27: Cisco Firepower 4100 Series – Introducing four new high-performance models
Performance and Density Optimization:
• 10-Gbps and 40-Gbps interfaces
• Up to 80-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency
Unified Management:
• Single management interface with Firepower Threat Defense
• Unified policy with inheritance
• Choice of management deployment options
Multiservice Security:
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third party

Page 28: Hardware Overview

Page 29: Firepower 4100 Series Front and Rear View
Front: fixed ports 1–8, NetMod 1 (slot), NetMod 2 (slot), SSD1, SSD2, console, Mgmt., status LEDs (Power, SYS, ACT, SSD status). Rear: PS1, PS2, FAN1–FAN6

Page 30: Firepower 4110/20/40/50 – Hardware Components
Supervisor module: console and management port; 8 x 10G fixed Ethernet ports; 2 x network modules (each slot takes an 8x 10G or 4x 40G network module); internal 720G switch fabric
Security engine: dual x86 CPU, each connected with a Smart NIC and crypto accelerator card; two SSDs, 1 default + 1 optional (for AMP service); SSD size 200 GB for 4120, 400 GB for 4140
Backplane: 80G backplane support
Diagram link capacities shown: built-in 8x10GE interfaces 2x40Gbps; NM slot 1 and NM slot 2 2x100Gbps and 5x40Gbps (200G); 80G backplane link to the security engine (x86 CPU, RAM, Smart NIC + crypto accelerator, SSDs)

Page 31: Software Overview

Page 32: Firepower 4100 Software
§ FP 4100 Series platform supported from FXOS 1.1.4
§ FXOS provides the interface for device management and provisioning of the security application on the security engine.
§ All images are digitally signed and validated through Secure Boot.
§ Security application images are in Cisco Secure Package (CSP) format
§ Multiple versions of the same application can be stored in the Supervisor and deployed to the Security Engine on demand
§ Contains system (i.e. ASA, FTD) and other images (i.e. ASDM, REST, and so on)
Diagram: Firepower Extensible Operating System (FXOS) on the Supervisor; on the Security Engine, the primary application from Cisco (native: ASA or FTD) and a decorator application from a third party (KVM: DDoS)

Page 33: Security Service Architecture for Firepower 4100 Series Platform
Diagram: Supervisor with application image storage, on-board 8x10GE interfaces (Ethernet 1/1-8), 8x10GE NM slot 1 (Ethernet 2/1-8), 4x40GE NM slot 2 (Ethernet 3/1-4); Ethernet1/7 (management); PortChannel1 (data). Security Module 1 (standalone/cluster) hosts a logical device: primary application (ASA/FTD) and decorator application (Radware vDP) joined by an external connector and link decorator; packet flow through the security engine

Page 34: Firepower 9300 Next Generation Firewall

Page 35: Cisco Firepower 9300 Platform
Multiservice Security
Benefits:
• Integration of best-in-class security
• Dynamic service stitching
Features*:
• Cisco® ASA container
• Cisco Firepower™ Threat Defense containers: NGIPS, AMP, URL, AVC
• Third-party containers: Radware DDoS, other ecosystem partners
Modular
Benefits:
• Standards and interoperability
• Flexible architecture
Features:
• Template-driven security
• Secure containerization for customer apps
• RESTful/JSON API
• Third-party orchestration and management
Carrier Class – High-speed, scalable security
Benefits:
• Industry-leading performance: 600% higher performance, 30% higher port density
Features:
• Compact, 3RU form factor
• 10-Gbps/40-Gbps I/O; 100-Gbps ready
• Terabit backplane
• Low latency, intelligent fast path
• Network Equipment-Building System (NEBS) ready
* Contact Cisco for services availability

Page 36: Cisco Firepower 9300 Overview
Supervisor:
§ Application deployment and orchestration
§ Network attachment (10/40/100GE) and traffic distribution
§ Clustering base layer for Cisco® ASA, NGFW, and NGIPS
Security Modules (1, 2, 3):
§ Embedded packet and flow classifier and crypto hardware
§ Cisco (ASA, NGFW, and NGIPS) and third-party (DDoS, load-balancer) applications
§ Standalone or clustered within (up to 240 Gbps) and across (1 Tbps+) chassis

Page 37: Cisco Firepower 9300 Chassis Hardware
§ 19-inch 3RU rack (32 in. deep, 17.5 in. wide, and 135 lb fully loaded)
§ Four FRU fan modules with OIR
  § N+1 redundancy
  § Front-to-back airflow
§ Dual redundant power supplies with load sharing and OIR
  § 2500 and 1300W AC power supplies initially; 2500W DC to follow
  § Single supply at 110V is not enough for full chassis; 220V is required
§ Scalable backplane support up to 200 Gbps per security module

Page 38: Supervisor Module
Overall chassis management and network interaction
§ Network interface allocation and security module connectivity (960-Gbps internal fabric)
§ Application image storage, deployment, provisioning, and service chaining
§ Clustering infrastructure for supported applications
§ Cisco® Smart Licensing and NTP for entire chassis
Front panel: RJ-45 console, 1 GE management (SFP), built-in 10 GE data (SFP+), optional network modules (NMs) 1 and 2

Page 39: Supervisor Simplified Hardware Diagram
Internal switch fabric (up to 24x40GE) connecting Security Module 1, 2 and 3 (2 x 40 Gbps each), the on-board 8 x 10 GE interfaces (2 x 40 Gbps), Network Module 1 (5 x 40 Gbps) and Network Module 2 (5 x 40 Gbps); x86 CPU and RAM attached via the system bus and Ethernet

Page 40: Network Modules
§ Supervisor configures interfaces and directs traffic to security modules
§ All interfaces are called “Ethernet” and 1-referenced (for example, Ethernet1/1)
§ Hardware OIR support; software support to follow
§ Mix and match up to two 10 and 40 GE half-width modules
  § 8 x 10 GE SFP or SFP+ per module
  § 4 x 40 GE QSFP per module; each port can be split to 4 x 10 GE
  § 100 GE modules

Page 41: Security Modules
§ Three security module configurations
  § SM36: 72 x86 CPU cores for up to 80 Gbps of firewalled throughput
  § SM24: 48 x86 CPU cores for up to 60 Gbps of firewalled throughput
  § (Future) NEBS: SM24 NEBS certification
§ Dual 800GB SSD in RAID1 by default
§ Built-in hardware packet and flow classifier and crypto accelerator
§ Hardware VPN acceleration is targeted for a subsequent software release

Page 42: Security Module Simplified Diagram
x86 CPU 1 (24 or 36 cores) and x86 CPU 2 (24 or 36 cores) with RAM, connected over the system bus and Ethernet to the packet and flow classifier and crypto accelerator; backplane supervisor connection via 2 x 100 Gbps links

Page 43: Cisco Firepower 9300 Software
§ Supervisor and security modules use multiple independent images
  § Infrastructure software bundle for supervisor
  § Security module firmware bundle
  § Security application image bundles for modules
§ All images are digitally signed and validated through Secure Boot
§ Service application images are in Cisco® Secure Package (CSP) format
  § Stored on supervisor and deployed to security module on demand
  § Multiple versions of the same application may be stored
  § Contains system (for example, Cisco ASA) and other images (Cisco ASDM, REST, etc.)

Page 44: Security Services Architecture on Firepower 9300 – Cisco® ASA Cluster
Diagram: Supervisor with application image storage, on-board 8 x 10 GE interfaces (Ethernet 1/1-8), 8 x 10 GE NM slot 1 (Ethernet 2/1-8), 4 x 40 GE NM slot 2 (Ethernet 3/1-4); Ethernet 1/7 (management); PortChannel1 (data). Security Modules 1–3 each host a logical device unit: primary application (ASA) and decorator application (DDoS) joined by an application connector, external connector and link decorator; packet flow through the modules

Page 45: Management Overview
§ Chassis management is independent from applications
§ On-box chassis manager UI and CLI
§ Cisco® ASDM is the only management GUI for Cisco ASA initially
§ Future off-box Cisco Firepower Device Manager for both chassis and Cisco applications
§ SNMP and syslog support for chassis-level counters and events on supervisor
§ REST API on supervisor for third-party service management
§ SDN orchestration enablement for security services on demand

Page 46: FTDv

Page 47: Cisco FTDv for VMware: Routed, Transparent, Inline Mode
Diagram: FTDv managed by FMC

Page 48: FTDv for VMware: Passive mode
Diagram: FTDv

Page 49: FTDv Service Graph in the ACI Fabric
• Routed Mode (Go-To): Tenant A, Graph A – EPG Web (External, 10.0.0.0/24, 10.0.0.1) – FTDv – (20.0.0.1, 20.0.0.0/24, Internal) EPG App
• Transparent Mode (Go-Through): Tenant B, Graph B – EPG App (External, BD1, 10.0.0.0/24) – FTDv (BVI 10.0.0.10) – (BD2, Internal) EPG DB
Bridge Domains need flooding turned on to allow the ASA to see and bridge packets between the two EPGs.
Use port-channels on ESXi hosts instead of NIC teaming; NIC teaming can break Go-Through mode.

Page 50: Cisco FMCv/FTDv in AWS
• FTDv can connect to an Amazon Virtual Private Cloud (VPC) network, which closely resembles a traditional network topology.
• The FTDv and FMCv run as guests in the AWS private Xen Hypervisor* environment.
• Protect your AWS environment by controlling and monitoring traffic. All features, Stateful L3 mode and ERSPAN Passive mode are supported.
• FTDv Transparent Mode and Active/Standby HA are NOT supported (roadmap)
*Note: The FTDv and FMCv do not support the Xen Hypervisor outside of the AWS environment.

Page 51: Cisco FMCv/FTDv in AWS
AWS FMCv is optional, as many organizations like to use their on-premises FMC.
• Cisco Smart Licensing; AWS hourly coming soon
• AWS Security Group access control must permit SSH/HTTPS access to your instances
• Create and attach network interfaces and add a route table entry for Internet access
• An Elastic IP (static persistent public IP) is required for either FTDv or FMCv remote admin access
• *2 management interfaces required for AWS FTDv
Instance Type             | Interf. Subnets | vCPUs | RAM (GB)
FMCv        m3.large      | 3 | 2 | 7.5
FMCv        m3.xlarge     | 3 | 4 | 15
FMCv & FTDv* c3.xlarge    | 2 | 4 | 7.5
FMCv        c3.2xlarge    | 8 | 4 | 15
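A pre-flight audit of the AWS prerequisites listed on this slide, as an added example (not Cisco's code): it checks that the security group permits SSH and HTTPS to the management interface from the admin range without opening them to the world, that the FTDv instance carries the two management interfaces, that an Elastic IP (not an auto-assigned public IP) is attached, and that the management route table has a default route to an Internet gateway. The input dictionaries follow the JSON shape of the AWS `describe-security-groups`, `describe-instances` and `describe-route-tables` responses; the sample records, IDs and CIDRs below are constructed for this example, and the admin CIDR and required interface count are parameters you set.

```python
"""Added example, not Cisco's code: audit the AWS prerequisites for FMCv/FTDv
against records shaped like describe-security-groups, describe-instances and
describe-route-tables output. Sample records are constructed."""
from ipaddress import ip_network

REQUIRED_MGMT_PORTS = {22: "SSH", 443: "HTTPS"}  # management access the slide requires


def _permits(perm, port):
    """True if one IpPermissions entry covers TCP <port> ('-1' = all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 0)


def audit_security_group(sg, admin_cidr):
    """Findings for SSH/HTTPS reachability from admin_cidr and world-open rules."""
    findings = []
    admin = ip_network(admin_cidr)
    ranges = [(p, r["CidrIp"]) for p in sg["IpPermissions"] for r in p.get("IpRanges", [])]
    for port, name in REQUIRED_MGMT_PORTS.items():
        if not any(_permits(p, port) and admin.subnet_of(ip_network(c)) for p, c in ranges):
            findings.append(f"{name} ({port}/tcp) not permitted from {admin_cidr}")
        if any(_permits(p, port) and c == "0.0.0.0/0" for p, c in ranges):
            findings.append(f"{name} ({port}/tcp) is open to 0.0.0.0/0; restrict to admin ranges")
    return findings


def audit_instance(instance, required_mgmt_interfaces=2):
    """Findings for the interface count and for a persistent (Elastic) public IP."""
    findings = []
    enis = instance.get("NetworkInterfaces", [])
    if len(enis) < required_mgmt_interfaces:
        findings.append(f"only {len(enis)} network interface(s); "
                        f"{required_mgmt_interfaces} management interfaces required")
    # An auto-assigned public IP reports IpOwnerId "amazon" and is not persistent;
    # an Elastic IP is owned by the account.
    has_eip = any(eni.get("Association", {}).get("PublicIp")
                  and eni["Association"].get("IpOwnerId") != "amazon" for eni in enis)
    if not has_eip:
        findings.append("no Elastic IP attached; remote admin access needs a static public IP")
    return findings


def audit_route_table(rt):
    """Finding unless a 0.0.0.0/0 route points at an Internet gateway (igw-*)."""
    ok = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
             and str(r.get("GatewayId", "")).startswith("igw-") for r in rt.get("Routes", []))
    return [] if ok else ["no 0.0.0.0/0 route to an Internet gateway in the management route table"]


# Constructed sample records (placeholder IDs, not real resources).
GOOD_SG = {"GroupId": "sg-0EXAMPLEGOOD", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
]}
BAD_SG = {"GroupId": "sg-0EXAMPLEBAD", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
GOOD_INSTANCE = {"InstanceId": "i-0EXAMPLE", "InstanceType": "c3.xlarge", "NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0EXAMPLE1", "Association": {"PublicIp": "198.51.100.10", "IpOwnerId": "123456789012"}},
    {"NetworkInterfaceId": "eni-0EXAMPLE2"},
]}
BAD_INSTANCE = {"InstanceId": "i-0EXAMPLEBAD", "InstanceType": "c3.xlarge", "NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0EXAMPLE3", "Association": {"PublicIp": "198.51.100.11", "IpOwnerId": "amazon"}},
]}
GOOD_RT = {"RouteTableId": "rtb-0EXAMPLE", "Routes": [
    {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0EXAMPLE"},
]}
BAD_RT = {"RouteTableId": "rtb-0EXAMPLEBAD", "Routes": [
    {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
]}


def run_audit(admin_cidr="10.20.5.0/24"):
    """Audit the good and bad sample sets; returns {label: [findings]}."""
    return {
        "good": audit_security_group(GOOD_SG, admin_cidr) + audit_instance(GOOD_INSTANCE) + audit_route_table(GOOD_RT),
        "bad": audit_security_group(BAD_SG, admin_cidr) + audit_instance(BAD_INSTANCE) + audit_route_table(BAD_RT),
    }


if __name__ == "__main__":
    for label, findings in run_audit().items():
        print(label, findings or ["OK"])
```

To run it against a live account, feed the functions the `SecurityGroups[0]`, `Reservations[0].Instances[0]` and `RouteTables[0]` elements of the corresponding AWS CLI or boto3 responses; the checks themselves need no AWS access.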

Page 52: Licensing

Page 53: Firepower Threat Defense Smart Licensing Structure
• Base License enables NGFW: networking, firewall and Application Visibility & Control
  • Perpetual license – included with appliance purchase
• Term-based licenses for advanced protection: Threat, Malware and URL Filtering
• Smart License enabled only
Diagram: Base (NGFW) [green = perpetual]; Threat (IPS / SI / DNS), Malware (AMP / TG), URL Filtering [blue = term-based]

Page 54: Mapping Classic Licenses to new Smart Licenses
Functionality               | Traditional Licensing | Smart Licensing
Base License (includes AVC) | Protect + Control     | Base
IPS (SI, DNS)               | (EULA Enforced)       | Threat
AMP/Threat GRID             | Malware               | Malware
URL Filtering               | URL Filtering         | URL Filtering
Management                  | FireSIGHT             | Built into Firepower Management Center

Page 55: Performance: Firepower 4100 and 9300

Page 56: Performance Highlights
             | 4110 | 4120 | 4140 | SM-24 | SM-36 | SM-36x3
Max FW       | 20G  | 40G  | 60G  | 75G   | 80G   | 225G
1024 AVC     | 12G  | 20G  | 25G  | 25G   | 35G   | 100G
1024 AVC+IPS | 10G  | 15G  | 20G  | 20G   | 30G   | 90G

Page 57: FTD Performance
                                                  | 4110 | 4120 | 4140 | SM-24 | SM-36 | SM-36x3
Max throughput: Application Control (AVC)         | 12G  | 20G  | 25G  | 25G   | 35G   | 100G
Max throughput: Application Control (AVC) and IPS | 10G  | 15G  | 20G  | 20G   | 30G   | 90G
Sizing throughput: AVC (450B)                     | 4G   | 8G   | 10G  | 9G    | 12.5G | 30G
Sizing throughput: AVC+IPS (450B)                 | 3G   | 5G   | 6G   | 6G    | 8G    | 20G
Maximum concurrent sessions w/ AVC                | 4.5M | 11M  | 14M  | 28M   | 29M   | 57M

Page 58: ASA Performance
                                                        | 4110 | 4120 | 4140 | SM-24 | SM-36 | SM-36x3
Stateful inspection firewall throughput (maximum)       | 20G  | 40G  | 60G  | 75G   | 80G   | 225G
Stateful inspection firewall throughput (multiprotocol) | 10G  | 20G  | 30G  | 50G   | 60G   | 100G
Concurrent firewall connections                         | 10M  | 15M  | 25M  | 55M   | 60M   | 70M
New connections per second                              | 150K | 250K | 350K | 0.6M  | 0.9M  | 2M
Security contexts                                       | 250  | 250  | 250  | 250   | 250   | 250
Virtual interfaces                                      | 1024 | 1024 | 1024 | 1024  | 1024  | 1024
IPsec 3DES/AES VPN throughput                           | 8G   | 10G  | 14G  | 15G   | 18G   | 18G

Page 59: Deployment Modes and Use Cases

Page 60: Branding Terms: Review
Recently announced:
• Firepower NGFW – new NGFW brand (unified ASA+Firepower)
• Firepower Threat Defense – new unified appliance software
• Firepower Management Center – new unified manager
• Firepower Appliances – new Firepower 4100 Series and Firepower 9300 appliances
Today:
• ASA with FirePOWER Services
  • ASA appliances with ASA and Firepower software, application firewalling and threat defense.
  • The ASA and FirePOWER functions have separate managers.

Page 61: Deployment Modes
• Basic deployment modes – firewall modes (choose one): Routed, Transparent
• Other interface modes – IPS/IDS modes: Inline, Inline Tap, Passive

Page 62: Firepower Threat Defense interface modes
Diagram: interfaces A–J feeding the policy tables; Routed/Transparent interfaces, an Inline Set made of Inline Pair 1 and Inline Pair 2, Inline Tap, and Passive interfaces

Page 63: Firepower Threat Defense – Integrated Software, Single Management
Capabilities: Network Firewall and Routing, High Availability, Intrusion Prevention, Application Visibility & Control, Analytics & Automation, Network Profiling, Identity Based Policy Control, URL Filtering, Malware Protection; backed by Cisco Collective Security Intelligence

Page 64: Internet Edge Use Case – Firepower NGFW
Requirements
Connectivity and Availability Requirements:
• Firewall for High Availability (Redundancy)
• Firewall should support Routed Mode
• Port-Channel for interface redundancy and link speed aggregation
• Dynamic Routing Support (OSPF / BGP)
Security Requirements:
• Single Context mode
• Dynamic NAT/PAT and Static NAT
• Identity based AVC, URL filtering, IPS and Malware protection
• SSL Decryption
Solution
Security Application: Firepower NGFW appliances with Firepower Management Center
Caveats
VPN connections via separate appliance until 6.1+
Diagram: ISP / service provider – Internet edge, FW in HA (HSRP) – port-channel – campus/private network and DMZ network

Page 65: Cloud Data Center Edge – Firepower NGFWv
Requirements
Connectivity and Availability Requirements:
• Virtual appliance form factor AWS / vSphere
• Firewall for High Availability (Redundancy)
• Firewall in routed or transparent mode
• Support for both North/South and East/West deployments
Security Requirements:
• Single Context mode
• Identity based AVC, IPS and Malware & CnC protection
• SSL Decryption
• TrustSec Security Group Tag Support
Solution
Security Application: Firepower NGFWv virtual appliance with Firepower Management Center
Caveats
KVM support in 6.1 and Microsoft Azure in 6.2. Not suitable for micro-segmentation / per-server firewalling.
Diagram: ISP / service provider – data center edge traffic zone, FW in HA – vPC / port-channel – data center network (storage, app servers, WWW server)

Page 66: Local Data Center Edge – Appliance & Virtual Firepower NGFW
Requirements
Connectivity and Availability Requirements:
• Firewall for High Availability (Redundancy)
• Firewall in routed or transparent mode
• High bandwidth interfaces (10/40Gb/100Gb) and throughput
• High bandwidth flow offload support (fast path)
• Support for both North/South and East/West deployments
Security Requirements:
• Single Context mode
• Identity based AVC, IPS and Malware & CnC protection
• SSL Decryption
• TrustSec Security Group Tag Support
Solution
Security Application: Firepower Threat Defense physical or virtual appliance for Amazon Web Services (AWS) with FMC management
Caveats
Active / Standby failover only, no clustering until a future release. No VXLAN support.
Diagram: ISP / service provider – data center edge traffic zone, FW in HA – vPC / port-channel – data center network (storage, app servers, WWW server)

Page 67: ASA Firepower NGFW Update and Deployment Scenarios


Campus NGFW: Firepower NGFW

Requirements
Connectivity and Availability Requirements:
• Firewall for High Availability (Redundancy)
• Firewall in routed or transparent mode
• Dynamic Routing Support (OSPF / BGP)
• High bandwidth interfaces (10/40Gb) and throughput
• Port-Channel for interface redundancy and firewall-on-a-stick

Security Requirements:
• Firewall support between security domains within campus
• Campus edge firewall
• Single Context mode
• Identity-based AVC, IPS and Malware & CnC protection
• TrustSec Security Group Tag Support

Solution
Security Application: Firepower NGFW appliances with Firepower Management Center

Caveats
• Active/Standby failover only, no clustering until a future release
• HA for FMC in 6.1+
• No EIGRP support

Diagram: Campus topology (labels: DC / Internet, FW in HA, Access Layer, Port-Channel, Data Center Edge, Campus Distribution, Core, FW in A/S HA, NGFW, Database, App Servers, WWW, vPC / Port-Channel)

Page 68: ASA Firepower NGFW Update and Deployment Scenarios


ASA
• ASDM/CSM/RESTful API for Management
• HA and Clustering
• Network Firewall [Routing | Switching]
• Data Center Security
• Service Provider Security
• Protocol Inspection
• Identity Based Policy Control
• VPN
• Mix Multi Context Mode

Page 69: ASA Firepower NGFW Update and Deployment Scenarios


Use Case: Internet Edge Firewall with VPN Support

Requirement
Connectivity and Availability Requirement:
• Firewall for High Availability (Redundancy)
• Firewall in routed mode
• vPC/Port-Channel for interface redundancy and link speed aggregation

Security Requirement:
• Dynamic NAT/PAT and Static NAT
• Application Inspection
• ACL to control the traffic flows
• VPN support (S2S, SSL and AnyConnect)

Solution
Security Application: ASA Firewall

Diagram: Internet edge topology (labels: ISP, Service Provider, FW in HA, Private Network, Campus/Private Network, DMZ Network, vPC / Port-Channel, Internet Edge, Remote VPN Users, Branch Office, HSRP)

Page 70: ASA Firepower NGFW Update and Deployment Scenarios


Map Product to Use Case

• 5585-X running ASA with FirePOWER Services: NGFW for Data Center & Enterprise Core; anywhere clustering, VPN and on-box management are required.
• Firepower 4100 & 9300 running ASA Software: Dedicated ASA for Service Provider and Data Center (Firewall only).
• Firepower 4100 & 9300 running Firepower Threat Defense Software: Firepower NGFW for High-speed Internet Edge (where clustering, VPN, multi-context and on-box management are not required).

Cisco is driving rapid feature parity between ASA with FirePOWER Services and Firepower NGFW, with two additional major releases planned for this year.

Page 71: ASA Firepower NGFW Update and Deployment Scenarios


ASA5585-X: 2016 and Beyond

• There are no EOS/EOL plans: won’t be considered until CY2017
• Superior reputation: 5585-X cited in Nov. 2015 Gartner Research Highlight for Carrier Class Firewalls: our market share is near 50%
• As customers migrate to newer platforms over the next 5 years, long-term evolution and protection is assured
• Investment protection built into the engineering plan: threat defense innovation will continue to come regularly to both ASA with FirePOWER Services and Firepower NGFWs
• Firepower Management Center expected to support mgmt. of key ASA features on 5585-X Q4CY2016*

ASA5585-X: ✓ Proven ✓ Reliable ✓ Supported

* Pre-Commit Date

Page 72: ASA Firepower NGFW Update and Deployment Scenarios


Deployment Considerations

Page 73: ASA Firepower NGFW Update and Deployment Scenarios


Software Support by Platform

Platform | Firepower NGFW (Firepower Threat Defense) | Firepower NGIPS/AMP Appliance | ASA with FirePOWER Services | ASA | Radware vDP DDoS
FirePOWER 7000/8000 Series | – | ✓ | – | – | –
ASA Low/Mid Range (5506/08/16/25/45/55) | ✓ | – | ✓ | ✓ | –
ASA High-end (5585 SSP-10/20/40/60) | – | – | ✓ | ✓ | –
Firepower 4100/9300 (4110/20/40, FPR9K SM-24/36) | ✓ | – | – | ✓ | ✓

*Subject to Compliance Hold

Page 74: ASA Firepower NGFW Update and Deployment Scenarios


Deployment Considerations - Migration

• New Deployments
All hardware and software options depending on the requirements
Firepower appliances for 40/100 Gb interfaces

• ASA Refresh
All hardware options – ASA and Firepower appliances
Software Migration:
ASA to ASA software
Limited migration from ASA to FTD in the July timeframe
Native migration from ASA to FTD in the November timeframe

Page 75: ASA Firepower NGFW Update and Deployment Scenarios


Security Architecture

Page 76: ASA Firepower NGFW Update and Deployment Scenarios


More than just an NGFW

• When considering the move to an NGFW
Think about more than just the firewall features
Consider the various use cases and integration opportunities
Use an architectural approach to ensure the NGFW meets the capabilities required

Page 77: ASA Firepower NGFW Update and Deployment Scenarios


Page 78: ASA Firepower NGFW Update and Deployment Scenarios

Thank you.