Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall

Page 1

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Your Time Is Now

Putting Firepower into the Next Generation Firewall

Jason Maynard, Consulting Systems Engineer Cybersecurity
CCIE, CC[N|I|D]P, SFCE, C|EH, RCSS, GICSP, GPEN

#FE80CC1E

http://cs.co/Jason_Maynard_YouTube_Channel

Page 4

Firepower Threat Defense

Page 5

Firepower Threat Defense

ASA (L2-L4)
• L2-L4 Stateful Firewall
• Scalable CGNAT, ACL, routing
• Application inspection

Firepower (L7)
• Threat-Centric NGIPS
• AVC, URL Filtering for NGFW
• Advanced Malware Protection

Firepower Threat Defense: Full Feature Set, Continuous Feature Migration, Single Converged OS (Firewall, URL, Visibility, Threats)

Firepower Management Center (FMC)*

ASA with Firepower Services

Page 6

What are the Firepower Deployment Options?

Firepower Appliances: 7000 / 7100 / 8000 / Virtual
ASA with FirePOWER Services (ASA 9.5.x): ASA 5500-X (all models)
Firepower Threat Defense: ASA 5500-X / Virtual, Firepower 2100 / 4100 / 9300

5585 cannot run the FTD image!

All managed by Firepower Management Center

Page 7

Feature Comparison: ASA with Firepower Services and Firepower Threat Defense

Features | Firepower Threat Defense | Firepower Services for ASA

Similarities
Routing + NAT | ✔ (OSPF, BGP, Static, RIP, Multicast, EIGRP/PBR via FlexConfig) | ✔ (OSPF, BGP, EIGRP, static, RIP, Multicast)
OnBox Management | ✔ | ✔
HA (Active/Passive) | ✔ | ✔
Clustering (Active/Active) | ✔ | ✔
Site to Site VPN | ✔ | ✔
Policy based on SGT tags | ✔ | ✔

Differences
Unified ASA and Firepower rules and objects | ✔ | ✘
Hypervisor Support | ✔ (AWS, VMware, KVM, Azure 6.2) |
Smart Licensing Support | ✔ | ✘
Multi-Context Support | ✘ (Coming Soon!) | ✔
Remote Access VPN | ✔ (6.2.1 - 2100; 6.2.2 - Virtual, 5500-X midrange, 4100, 9300) |

Note: Not an exhaustive feature list

Page 8

OpenAppID

Next-generation visibility with OpenAppID: Application Visibility & Control

See and understand risks. Enforce granular access control. Prioritize traffic and limit rates. Create detectors for custom apps.

Cisco database
• 4,000+ apps
• 180,000+ Micro-apps

Network & users

Page 9

Web acceptable use controls and threat prevention: URL Filtering, Security Intelligence Feeds, DNS Sinkhole capability

Classify 280M+ URLs. Filter sites using 80+ categories. Manage "allow/block" lists easily. Block latest malicious URLs.

Diagram labels: Category-based Policy Creation (Allow / Block), Admin, Cisco URL Database, DNS Sinkhole, Security feeds (URL | IP | DNS), NGFW Filtering, Safe Search

Page 10

Granular SSL Decryption Capabilities: SSL/TLS handshake certificate inspection and TLS decryption engine

Decrypt 3.5 Gbps traffic over five million simultaneous flows

Inspect deciphered packets. Track and log all SSL sessions.

Diagram labels: Encrypted Traffic, SSL decryption engine, Enforcement decisions, Log, AVC, NGIPS, URL categories (gambling, illicit)

Page 11

Upcoming Webinar! Firepower Threat Defense: SSL Decryption. Discover 3 Ways to Solve the Encrypted Traffic Dilemma

Encrypted traffic still giving you security headaches? Tired of policies that don't address encrypted traffic?

If you're looking for an answer to these issues, Cisco Security has the solution for you.

Join Jason Maynard, Security Consulting Systems Engineer, in the upcoming webinar, Discover 3 Ways to Solve the Encrypted Traffic Dilemma, by using Cisco's SSL Inspection feature built into Firepower Threat Defense.

• Block selected encrypted traffic without inspecting it
• Inspect selected encrypted traffic with access control
• Decrypt selected encrypted traffic with access control

See a hands-on demo deploying the solution from start to finish.

Register today!

Page 12

Application and Context aware Intrusion Prevention: Next-Generation Intrusion Prevention System (NGIPS)

Scan network traffic. Correlate data. Detect stealthy threats. Respond based on priority.

Blended threats
• Network profiling
• Phishing attacks
• Innocuous payloads
• Infrequent callouts

Diagram labels: Communications, App & Device Data, Data packets, Prioritize response, Accept / Block, Automate policies, ISE

Page 13

Malware and ransomware detection and blocking: Cisco AMP Threat Grid (Advanced Malware Protection and cloud sandboxing)

Block known malware. Investigate files safely. Detect new threats. Respond to alerts.

File Reputation
• Known Signatures
• Fuzzy Fingerprinting
• Indications of compromise

Threat Grid Sandboxing
• Advanced Analytics
• Dynamic analysis
• Threat intelligence

Diagram labels: AMP for Network (Log), AMP for Endpoint (Log), File & Device Trajectory, Sandbox Analysis, Threat Disposition (Risky / Safe / Uncertain), Enforcement across all endpoints

Page 14

FlexConfig
• Provides a way to configure ASA features not exposed directly by Firepower Management Center
• EIGRP Routing
• PBR
• ISIS Routing
• NetFlow (NSEL) export
• VXLAN
• ALG inspections
• IPv6 header inspection
• BFD
• Platform Sysopt commands
• WCCP

Page 16

Cisco ASA 5500-X: SMB and Enterprise Branch NGFW

5506 / 5508 / 5516 Performance
• 1-Gbps interfaces
• Up to 450 Mbps throughput
• Wireless Option for 5506-X
• Software Switching capability
• Firepower Threat Defense or ASA Software Options

5525 / 5545 / 5555 Performance
• 1-Gbps interfaces
• Up to 1.2 Gbps throughput
• 5545 / 5555 Redundant Power Supply and SSD option
• Firepower Threat Defense or ASA Software Options

Unified Management
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On Box Manager)
• Cisco Defense Orchestrator (Cloud Management)

Page 17

Cisco Firepower 2100 Series: Purpose Built NGFW

Introducing four high-performance models

Performance and Density Optimization
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• 1-Gbps and 10-Gbps interfaces
• Up to 8.5-Gbps throughput
• 1-rack-unit (RU) form factor
• Dual SSD slots
• 12x RJ45 ports, 4x SFP(+)
• 2130 / 2140 Models: 1x Network Module, Fail to Wire Option, DC & Dual PSU support

Unified Management
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On Box Manager)
• Cisco Defense Orchestrator (Cloud Management)

Page 18

Firepower 2100 Series Performance

Model | FPR 2110 | FPR 2120 | FPR 2130 | FPR 2140
Throughput NGFW | 1.9 Gbps | 3 Gbps | 4.75 Gbps | 8.5 Gbps
Throughput NGFW + IPS | 1.9 Gbps | 3 Gbps | 4.75 Gbps | 8.5 Gbps
Maximum concurrent sessions | 1 M | 1.2 M | 2 M | 3.5 M
Maximum new connections per second | 12000 | 16000 | 24000 | 40000

Note: Early Performance Numbers

NO DROP IN PERFORMANCE!

Page 19

Cisco Firepower 4100 Series: High performance campus and data center

Performance and Density Optimization
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• 10-Gb and 40-Gb interfaces
• Up to 24-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency

Multiservice Security
• Radware DefensePro DDoS
• ASA and other future third party

Unified Management
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On Box Manager)
• Cisco Defense Orchestrator (Cloud Management)

Page 20

Cisco Firepower 9300 Platform: Modular Carrier Class Multiservice Security for the high performance data center

Benefits
• Integration of best-in-class security
• Dynamic service stitching
Features*
• ASA container option
• Firepower Threat Defense: NGIPS, AMP, URL, AVC
• Third-party containers: Radware DDoS

Benefits
• Standards and interoperability
• Flexible architecture
Features
• Template-driven security
• Secure containerization for customer apps
• RESTful/JSON API
• Third-party orchestration and management

Features
• Compact, 3RU form factor
• 10-Gbps/40-Gbps I/O; 100-Gbps ready
• Terabit backplane
• Low latency, intelligent fast path
• Network Equipment-Building System (NEBS) ready

* Contact Cisco for services availability

Page 21

Cisco NGFW Platforms: NGFW capabilities all managed by Firepower Management Center

Firepower Threat Defense for ASA 5500-X: 250 Mb -> 1.75 Gb (NGFW + IPS Throughput)

Firepower 2100 Series: 2 Gb -> 8 Gb (NGFW + IPS Throughput)

Firepower 4100 Series and Firepower 9300: 41xx = 10 Gb -> 24 Gb, 93xx = 24 Gb -> 53 Gb (NGFW + IPS Throughput); up to 6x with clustering!

Page 22

Software Support - Physical Platforms

Platform | ASA | Firepower NGIPS | ASA with FirePOWER Services | Firepower Threat Defense
ASA 5506X -> 5555X (all models) | ✓ | | ✓ | ✓
Firepower 2100 (all models) | Future | | | ✓
Firepower 4100 (all models) | ✓ | | | ✓
Firepower 9300 (all models) | ✓ | | | ✓
ASA 5585 (With SSP blade) | ✓ | | ✓ |
Firepower 7000 / 8000 (IPS appliances) | | ✓ | |

Page 23

Software Support - Virtual Platforms

Platform | ASA | Firepower NGIPS | Firepower Threat Defense
ASAv (vSphere, AWS, Azure, Hyper-V, KVM) | ✓ | |
Firepower NGIPSv (vSphere + ISR UCSE) | | ✓ |
Firepower NGFWv (vSphere, AWS, Azure, KVM) | | | ✓

Page 25

Management Options

Firepower Device Manager (On-box): Enables easy on-box management of common security and policy tasks

Firepower Management Center (Centralized): Enables comprehensive security administration and automation of multiple appliances

Cisco Defense Orchestrator (Cloud-based): Enables centralized cloud-based policy management of multiple deployments

Page 26

Firepower Device Manager

• On-box manager for managing a single Firepower Threat Defense device
• Targeted for SMB market
• Designed for Networking/Security Administrator
• Simple & Intuitive
• Mutually Exclusive from FMC
• CLI for troubleshooting


Page 28

Firepower Management Center

• Single manager for Firepower Threat Defense
• Can also manage Firepower appliance and "Services" deployments
• Broadest set of security capabilities for Firepower platforms!


Page 31

On-box vs Off-box: Firepower Management Center (Off-box) vs Firepower Device Manager (On-box)

Features compared:
• NAT & Routing
• Access Control
• Intrusion & Malware
• Device & Events Monitoring
• VPN - Site to Site & RA
• Security Intelligence
• Other Policies: SSL, Identity, Rate Limiting (QoS) etc.
• Active/Passive Authentications
• Firewall Mode: Routed / Transparent (FMC), Routed (FDM)
• Threat Intelligence & Analytics
• Correlation & Remediation
• Risk Reports
• Device Setup Wizard
• Interface Port-Channel
• High Availability

Page 33

Troubleshooting: Packet Tracer
• Displays logs for a single simulated (virtual) packet
• Tracing data will include information from Snort & preprocessors about verdicts and actions taken while processing a packet

Page 34

Troubleshooting: Packet Capture with Trace
• Captures and displays packets from live traffic
• Allows PCAP file download of the capture buffer

Page 35

Lookup features – Geolocation & WHOIS

Page 36

Lookup Feature: URL

Page 37

ISE remediation using pxGrid

Page 39

Cisco Threat Intelligence Director (CTID)

• Uses customer threat intelligence to identify threats

• Automatically blocks supported indicators on Cisco NGFW

• Provides a single integration point for all STIX and CSV intelligence sources

Page 40

Cisco Threat Intelligence Director Overview

Page 41

Hail a TAXII!!
• Free source of TAXII feeds
• Website URL: http://hailataxii.com
• Multiple feeds
• To configure the TAXII intelligence source:
  • URL: http://hailataxii.com/taxii-discovery-service
  • USERNAME: guest
  • PASSWORD: guest

Page 43

Use Case: Internet Edge Firewall Requirement

Connectivity and Availability Requirement:
• High Availability ROUTED mode
• Firewall should support Routed or Transparent Mode

Routing Requirements:
• Static and BGP Routing
• Dynamic NAT/PAT and Static NAT

Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption

Authentication Requirements:
• User authentication and device identity

Solution: Firepower Threat Defense application with FMC

Diagram labels: ISP / Service Provider, FW in HA, Port-Channel, DMZ Network, Campus/Private Network, Internet Edge

Page 45

Firewall Design: Modes of Operation

• Routed Mode is the traditional mode of the firewall. Two or more interfaces separate L3 domains; the firewall is the router and gateway for local hosts.
• Transparent Mode is where the firewall acts as a bridge functioning at L2.
• Transparent mode firewall offers some unique benefits in the DC.
• Transparent deployment is tightly integrated with our 'best practice' data center designs.

Diagram labels: 10.1.1.0/24 (10.1.1.1), 192.168.1.0/24 (192.168.1.1), host IP: 192.168.1.100 with GW: 192.168.1.1, NATDRP

Page 46

Link and Platform Redundancy Capabilities: Firewall Link Aggregation, High Availability, Clustering

• Link Redundancy: resiliency with link failures (LACP, Link Aggregation Control Protocol)
• Active / Standby HA
• Inter-chassis Clustering: combine up to 6 9300 blades or 4100 chassis

Page 48

Dynamic NAT for Direct Internet Access: Automatic and Manual (complex) NAT Support for FTD including IPv6

Page 49

Routing Protocol support
• OSPF and OSPFv3 (IPv6)
• BGP (IPv4 & IPv6)
• Static Route
• Tunneled Route support for VPNs
• Reverse Route Injection for VPNs
• Multicast Routing: IGMP, PIM
• EIGRP via FlexConfig

Page 50

BRKSEC-2058

Rate limiting Cloud File Sharing Traffic
• QoS Policy is a new policy type with a separate policy table
• Not associated with an Access Control Policy; directly associated with devices

Page 51

FlexConfig for Internet Edge Use Case: Enable ICMP Inspection & Disable DNS Inspection

Prepend FlexConfig:
• Disables DNS Inspection to allow Umbrella DNSCrypt Traffic

Append FlexConfig:
• Enables ICMP and ICMP Error ASA Inspection Engines in Firepower
• Edit FlexConfig Text Object as below

Page 52

FlexConfig for Internet Edge Use Case: IPv6 Prefix Delegation (IPv6-PD)

Prepend FlexConfig:
• Clears IPv6-PD on each deployment

Append FlexConfig:
• Enables outside interface (recipient of delegated prefix) for IPv6 prefix delegation
• Assigns one or more inside interfaces with a subnet and address from the delegated prefix
• Trusts the IPv6 default route from the IPv6 DHCP Server (Neighbor Advertisement)

Page 54

Access Control Policy blocking inappropriate content

Page 55

Granular SSL Decrypt: Can specify by application, certificate fields / status, ciphers, etc.

Page 56

Custom IPS Policy

Page 57

Malware and File Analysis: Attached to Access Policy

Page 58

URL-Based Security Intelligence

• Extension of IP-based SI

• TALOS dynamic feed, 3rd party feeds and lists

• Multiple categories: Malware, Phishing, CnC,…

• Multiple Actions: Allow, Monitor, Block, Interactive Block,…

• Policy configured via Access Rules or black-list

• IoC tags for CnC and Malware URLs

• New Dashboard widget for URL SI

• Black/White-list URL with one click

URL-SI Categories

Page 59

DNS Inspection
• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing
• Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence

DNS List Action

Page 61

Identity Policy based on Passive Authentication

Attaches to Access Control Policy

Page 62

Access Control Policy Identity Control: Can Mix and Match AD & ISE Identity Groups (Guest, BYOD, etc.)

Page 63

Active Directory “Realm” Configuration

• Multiple Entries

• LDAP / LDAPS

• Assigned to Identity Policy for Active or Passive Authentication

Page 64

ISE Integration

• pxGrid feed to retrieve from ISE:
  • AD Username (Group lookup via AD Realm)
  • Device type profile & location
  • TrustSec Security Group Tag (SGT)
• Ability to exert control based on the above in rules, e.g. block HR users from using personal iPads
• Reduces ACL size and complexity

Page 65

Identity Services Engine pxGrid Integration
• MUST install the ROOT certificate (chain) that signed the ISE pxGrid certificate on FMC
• MUST install the ROOT certificate (chain) that signed the FMC certificate on ISE
• Private keys not needed (of course!)

Page 66

TrustSec Security Group Tag based identity from ISE: Can also reference Identity Services Engine identified Device Profiles

Page 67

External Authentication for Administration

• LDAP / AD or RADIUS
• Example allows "External Users" to be defined that exist in Active Directory for FMC or shell login
• Can stack multiple methods

Page 68

Common and Recommended Practices

Page 70

"DDoS Remains Biggest Threat of all Cyber-Attacks"

DDoS is increasingly moving away from Denial and into Ransom as a Motive or a smokescreen.

Cyber criminals now maintain and rent out botnets to mount DDoS attacks.

No One Immune, Few Prepared

Chart: DDoS continues to remain a top concern (0% to 60% scale)

* Source Radware ERT Report 2016

Page 71

DDoS Attack Surface: Hybrid mitigation strategy

Cloud: For volumetric DDoS attack mitigation; protects against 25% of DDoS attacks

In-Line: Protects against both network and application attacks; protects against 75% of DDoS attacks

Where DDoS Strikes: 25% Internet Pipe, 23% Firewall, 7% IDS/IPS, 6% Load Balancer, 35% Server Under Attack, 4% SQL Server

Page 72

Firepower DDoS Solution Components (Firepower 4100/9300: DDoS, FW, NGIPS)

• Cisco Firepower is a scalable, carrier- and enterprise-grade, multi-service security appliance featuring:
  • Radware DDoS Decorator App (OEM)
  • Cisco ASA firewall
  • Cisco NGIPS (Sourcefire - Threat Defense)
• What is required?
  • Firepower Chassis (FXOS 1.1.4+)
  • DDoS License (Virtual DefensePro)
  • Vision Management Software
  • Cloud DDoS *CSCO FY18 Q1 (Oct 15, 2017)
• Hybrid, Always on & On Demand

Page 74

Firepower Management Center: Site to Site VPN

Page 75

Firepower Management Center: Remote Access VPN

Page 76

Firepower Management Center: Cisco Threat Intelligence Director

Page 77

Thank you.

Page 78

Abbreviation Key!

ASA = Adaptive Security Appliance

FTD = Firepower Threat Defense

FPS = Firepower Services

FMC = Firepower Management Center

FDM = Firepower Device Manager

NGFW = Next Generation Firewall

NGIPS = Next Generation Intrusion Prevention System

AMP = Advanced Malware Protection

API = Application Programming Interface

ISE = Identity Services Engine

IoC = Indicator of Compromise

PAN = Place to cook your eggs

Page 79: Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall

Crypto-Card and Fail-to-Wire

• Crypto-Acceleration
• Fail-to-Wire

Firepower 2100/4100/9300

*FTW – 2100 coming soon

Page 80: Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall

Flow Offload

Cisco Security Chalk Talk – Flow Offload: https://www.youtube.com/watch?v=2qnqILWhUuU&list=PLFT-9JpKjRTANXKBmLbQ611TPYLXbUL_0&index=21

Diagram (three stages; traffic sources labelled BKUP, Finance, Other and Service enter through the Smart NIC):

• Typical Flow: every packet goes from the Smart NIC to the Threat Centric x86 path.
• Initial Flow Offload: the Smart NIC has a classifier; if the flow has not been seen, it is sent to x86 for additional inspection (FW, APP, IPS, AMP).
• Subsequent Flow Offload: the Smart NIC still provides TCP Sequence Randomization, NAT/PAT and Byte/Packet Count (sent to x86, and can be sent to NSEL, e.g. Stealthwatch).
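To make the three stages concrete, here is an added toy model in Python, written for this page and not taken from Cisco or from the Firepower data path. It assumes a constructed policy: flows to ports 443 and 445 become eligible for offload after their first packet, HTTP on port 80 stays on the x86 inspection path for every packet, and telnet on port 23 is denied; the outside NAT address 203.0.113.1 and the PAT port pool starting at 40000 are constructed as well. What it shows is exactly the work the simulated Smart NIC keeps doing for an offloaded flow: NAT/PAT, a per-flow TCP sequence offset, and byte/packet counters exported as an NSEL-style record when the flow closes.

```python
"""Toy model of NGFW flow offload (constructed example, not Cisco code).

The first packet of a flow takes the x86 slow path (FW rule, app/IPS/AMP decision).
If policy marks the flow offloadable, later packets stay on a simulated Smart NIC
fast path that still applies NAT/PAT, TCP sequence randomization and byte/packet
accounting, and exports the counters as an NSEL-style record when the flow ends.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, int, str, int, str]


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    seq: int = 0       # TCP sequence number as sent by the host
    length: int = 0    # payload bytes, used for accounting
    fin: bool = False  # True on the packet that closes the flow

    def key(self) -> FiveTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


@dataclass
class FlowState:
    pat_port: int      # translated source port behind the engine's outside address
    seq_offset: int    # per-flow random offset for TCP sequence randomization
    offloaded: bool    # True once the flow is handled on the Smart NIC fast path
    packets: int = 0
    bytes: int = 0


class OffloadEngine:
    """Simulated data path: x86 inspection for new flows, Smart NIC for offloaded ones."""

    BLOCKED_PORTS = {23}        # constructed policy: deny telnet at the FW stage
    OFFLOAD_PORTS = {443, 445}  # constructed policy: bulk/encrypted flows may be offloaded

    def __init__(self, outside_ip: str, seed: int = 1234) -> None:
        self.outside_ip = outside_ip              # constructed NAT address
        self.flows: Dict[FiveTuple, FlowState] = {}
        self.nsel_records: List[dict] = []        # what a NetFlow/NSEL collector would receive
        self._rng = random.Random(seed)           # fixed seed so runs are reproducible
        self._next_pat_port = 40000               # constructed PAT port pool

    def _x86_inspect(self, pkt: Packet) -> Optional[FlowState]:
        """Slow path for the first packet: FW rule lookup, then the offload decision.
        Returns None when the flow is denied."""
        if pkt.dst_port in self.BLOCKED_PORTS:
            return None
        state = FlowState(
            pat_port=self._next_pat_port,
            seq_offset=self._rng.randrange(1 << 32),
            offloaded=pkt.dst_port in self.OFFLOAD_PORTS,
        )
        self._next_pat_port += 1
        return state

    def _rewrite_and_count(self, pkt: Packet, st: FlowState) -> Packet:
        """Work the Smart NIC keeps doing for an offloaded flow: NAT/PAT,
        sequence randomization and byte/packet counters."""
        st.packets += 1
        st.bytes += pkt.length
        return Packet(self.outside_ip, st.pat_port, pkt.dst_ip, pkt.dst_port, pkt.proto,
                      (pkt.seq + st.seq_offset) % (1 << 32), pkt.length, pkt.fin)

    def handle(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Process one packet; returns (path taken, translated packet or None if dropped)."""
        key = pkt.key()
        st = self.flows.get(key)
        if st is None:                      # classifier miss: send to x86 for inspection
            st = self._x86_inspect(pkt)
            if st is None:
                return "drop", None
            self.flows[key] = st
            path = "x86"
        else:                               # classifier hit: fast path only if offloaded
            path = "smartnic" if st.offloaded else "x86"
        out = self._rewrite_and_count(pkt, st)
        if pkt.fin:                         # flow end: export counters, free the entry
            self.nsel_records.append({"flow": key, "packets": st.packets, "bytes": st.bytes})
            del self.flows[key]
        return path, out


if __name__ == "__main__":
    eng = OffloadEngine("203.0.113.1")
    for seq, length, fin in ((100, 60, False), (160, 1400, False), (1560, 40, True)):
        path, out = eng.handle(Packet("10.1.1.5", 51000, "10.2.2.9", 443,
                                      seq=seq, length=length, fin=fin))
        print(path, out.src_ip, out.src_port, out.seq)
    print(eng.nsel_records)
```

Note what the fast path does not do: packets after the first one of an offloaded flow receive no application, IPS or AMP inspection, which is why offload eligibility is a per-flow-class policy decision rather than a global switch. The exported counters are what a NetFlow/NSEL collector such as Stealthwatch would see for the flow.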

Page 81: Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall

Firepower Threat Defense Interface Modes

Diagram (interfaces labelled A through J):

• Routed/Transparent
• Inline Pair 1 and Inline Pair 2 (Inline Set)
• Passive Interfaces
• Inline Tap
• Policy Tables

Page 82: Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall

Segmentation: VLAN Stitching

Diagram: Campus Zone, Web Zone, Application Zone and Database Zone, each fronted by an FTD cluster running APP, IPS and AMP inspection.

How do I insert this into the Datacenter without having to change the physical infrastructure or move the routing?

Page 83: Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall

Segmentation: VLAN Stitching - Before

Diagram: Web Zone, Application Zone and Database Zone with an FTD cluster; an L3 High Speed Switch holds 192.168.100.0/24 as VLAN100 = 192.168.100.0/24, SVI = 192.168.100.1.

How do I insert this into the Datacenter without having to change the physical infrastructure or move the routing?

Traffic never hits the FW unless you change the routing or try to insert into the physical path.

Page 84: Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall

Segmentation: VLAN Stitching - After

Diagram: Web Zone, Application Zone and Database Zone with an FTD cluster; the L3 High Speed Switch keeps 192.168.100.0/24 but the hosts are split across VLANs:

• VLAN100 = 192.168.100.0/24, SVI = 192.168.100.1
• VLAN101 = 192.168.100.10-50
• VLAN102 = 192.168.100.51-100
• VLAN103 = 192.168.100.101-110

How do I insert this into the Datacenter without having to change the physical infrastructure or move the routing?

Ex: for the Web Zone to get to the App Zone, traffic has to go through policy on FTD. FTD stitches VLAN 101 and VLAN 102. Now I can add additional L7 Inspection. The same could be done for the default GW or other zones.

Page 85: Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall

Firepower 4100/9300 Clustering

Diagram: an Inside Switch (In_P01 10.1.1.1/24) and an Outside Switch (Out_P02 200.1.1.1/24) connect to six FTD cluster members over Port-channel 5 and Port-channel 6 using a Spanned EtherChannel (recommended); both switches are VSS/VPC compliant to the IEEE standard (802.3ad).

Note: L3 PBR and ECMP models are supported

Benefits
• High Scale: NGFW
• Network Integration: Routing, switching, inter-site DC extensions
• High Density: 40G/100G
• Clustering: Intra-chassis, Inter-chassis, Inter-site
• Consistent Policy Management

Pay-As-You-Grow
- Traditional ASA 16 node cluster
- FTD 6 nodes today, will scale to 16 in the near future

Cisco Security Chalk Talk - NGFW Clustering Technology: https://www.youtube.com/watch?v=yt8Cc4tS0kE&t=38s&index=3&list=PLFT-9JpKjRTANXKBmLbQ611TPYLXbUL_0

Page 86: Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall

Firepower 4100/9300

Clustering

Page 87: Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall

Firepower 4100/9300

Clustering

Page 88: Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall

The Firepower 4100/9300 Transforms Security Service Integration

Without integration: Limited effectiveness, Increased latency, Slows network, Static & Manual

Unified Threat Platform w/Integrated Security: a data packet passes through SSL, FW, WAF, NGIPS, DDoS and AMP on one platform: Maximum protection, Highly efficient, Scalable processing, Dynamic

Key: Cisco Service / 3rd Party Service

• Radware vDP is our first 3rd Party component of the new Architecture
• We are adding DDoS Application Services to the ingress interfaces of the Firepower 4100/9300

Page 89: Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall

Security Services Architecture with DDoS running

Diagram of the chassis: a Supervisor with on-board 8x10GE interfaces (Ethernet 1/1-8, with Ethernet1/7 as Management), a 4x40GE NM in Slot 1 (Ethernet 2/1-4), a 4x40GE NM in Slot 2 (Ethernet 3/1-4) and Application Image Storage; Security Module 1, Security Module 2 and Security Module 3 each run a DDoS Decorator Application alongside an ASA Primary Application, the three ASAs forming an ASA Cluster (one Logical Device, with a Logical Device Unit per module).

Logical Packet Flow: PortChannel1 carries Data Outside and Data Inside; each packet passes through the DDoS Decorator Application (attached as a Link Decorator via the External Connector) and then through the Application Connector to the ASA Primary Application.

Page 90: Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall


Page 91: Cisco Connect Toronto 2017 - Putting Firepower into the Next Generation Firewall

Cisco Firepower – Radware DDoS Mitigation Module

Firepower DDoS Mitigation

Firepower DDoS Mitigation is provided by Radware Virtual DefensePro (vDP), available and supported directly from Cisco on the following Cisco Firepower 9300 and 4100 series appliances: