Cisco Firepower Next-Generation Firewall Solutions

Page 1: Cisco Firepower Next-Generation Firewall Solutions

Cisco Confidential 1C97-732214-00 © 2014 Cisco and/or its affiliates. All rights reserved.

Cisco Firepower NGFW Solutions

Jim Kotantoulas, Consulting SE – Cisco, 2016

Integrated Threat Defense Across the Attack Continuum

Attack Continuum
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

Firewall/VPN, NGIPS, Security Intelligence, Web Security, Advanced Malware Protection

Visibility and Automation

• Granular App Control
• Modern Threat Control
• Retrospective Security
• IoCs/Incident Response

NGFW Firepower Appliances

Introduction

Industry’s First Threat-Focused Next-Generation Firewall (NGFW)

#1 Cisco® security announcement of the year

• Integrate defense layers so that organizations get the best visibility
• Help enable dynamic controls to automatically adapt
• Protect against advanced threats across the entire attack continuum

Proven Cisco ASA firewalling

Industry-leading NGIPS and AMP

Cisco ASA with FirePOWER™ Services

Superior Integrated and Multilayered Protection

Cisco ASA

Cisco® Collective Security Intelligence Enabled

• Identity-Policy Control and VPN
• URL Filtering (Subscription)
• FireSIGHT™ Analytics and Automation
• Advanced Malware Protection (Subscription)
• Application Visibility and Control
• Network Firewall, Routing | Switching
• Clustering and High Availability
• Built-in Network Profiling
• Intrusion Prevention (Subscription)

• World’s most widely deployed, enterprise-class ASA stateful firewall
• Granular Cisco Application Visibility and Control (AVC)
• Industry-leading FirePOWER™ next-generation IPS (NGIPS)
• Reputation- and category-based URL filtering
• Advanced malware protection

Deployment options and New Appliances

Introducing the Firepower 9300

3RU

Supervisor
• Application deployment and orchestration
• Network attachment and traffic distribution
• Clustering base layer for ASA/FTD

Security Modules
• Embedded Smart NIC and crypto hardware
• Cisco (ASA, FTD) and third-party (Radware DDoS) applications
• Standalone or clustered within and across chassis

Network Modules
• 10GE, 40GE, and 100GE
• Hardware bypass for inline NGIPS

Firepower 9300 Security Modules

Same modules must be installed across entire chassis or cluster
• SM-36: 72 x86 CPU cores
• SM-24: 48 x86 CPU cores, NEBS Ready

x86 Turbo Mode for all security modules (FXOS 2.0.1)
• Triggered when 25% of ASA cores reach 80% load
• Disabled when all ASA cores drop below 60% load
• Increases performance by 10-20%

Introducing the Firepower 4100

1RU

Built-in Supervisor and Security Module
• Same hardware and software architecture as 9300
• Fixed configurations (4110, 4120, 4140, 4150)
• FXOS 1.1.4 for 4110-4140, 2.0.1 for 4150

Solid State Drives
• Independent operation (no RAID)
• Slot 1 today provides limited AMP storage
• Slot 2 will add 400GB of AMP storage in FXOS 2.0.1

Network Modules
• 10GE/40GE interchangeable with 9300
• Partially overlapping fail-to-wire controller options

Standard Network Modules

FXOS 1.1.4

• All external network modules require fiber or copper transceivers
• Support online insertion and removal

| Module | Platforms | Width | Notes |
|---|---|---|---|
| 8x10GE | Firepower 4100 and 9300 | Single width | 1GE/10GE SFP |
| 4x40GE | Firepower 4100 and 9300 | Single width | 4x10GE breakouts for each 40GE port |
| 2x100GE | Firepower 9300 only | Double width | QSFP28 connector |

Fail-to-Wire Network Modules

FXOS 2.0.1

• Fixed interfaces, no removable SFP support
• NGIPS inline interfaces for standalone FTD 6.1 only
• Sub-second reaction time to application, software, or hardware failure

| Module | Platforms | Width | Notes |
|---|---|---|---|
| 6x1GE | Firepower 4100 only | Single width | 1GE fiber SX |
| 6x10GE | Firepower 4100 and 9300 | Single width | 10GE SR or LR |
| 2x40GE | Firepower 4100 and 9300 | Single width | 40GE SR4; no 10GE breakout support |

Firepower 4100 and 9300 Series - ASA Performance

| | 4110 | 4120 | 4140 | SM-24 | SM-36 | SM-36x3 |
|---|---|---|---|---|---|---|
| Stateful inspection firewall throughput (maximum) | 20Gbps | 40Gbps | 60Gbps | 75Gbps | 80Gbps | 225Gbps |
| Stateful inspection firewall throughput (multiprotocol) | 10Gbps | 20Gbps | 30Gbps | 50Gbps | 60Gbps | 130Gbps |
| Concurrent firewall connections | 10M | 15M | 25M | 55M | 60M | 70M |
| New connections per second | 150K | 250K | 350K | 0.6M | 0.9M | 2M |
| Security contexts | 250 | 250 | 250 | 250 | 250 | 250 |
| Virtual Interfaces | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 |
| IPSec 3DES/AES VPN Throughput | 8Gbps | 10Gbps | 14Gbps | 15Gbps | 18Gbps | 54Gbps |

Firepower 4100 and 9300 Series – Firepower Threat Defense Performance

| | 4110 | 4120 | 4140 | SM-24 | SM-36 | SM-36x3 |
|---|---|---|---|---|---|---|
| Max Throughput: Application Control (AVC) | 12Gbps | 20Gbps | 25Gbps | 25Gbps | 35Gbps | 100Gbps |
| Max Throughput: Application Control (AVC) and IPS | 10Gbps | 15Gbps | 20Gbps | 20Gbps | 30Gbps | 90Gbps |
| Sizing Throughput: AVC (450B) | 4Gbps | 8Gbps | 10Gbps | 9Gbps | 12.5Gbps | 30Gbps |
| Sizing Throughput: AVC+IPS (450B) | 3Gbps | 5Gbps | 6Gbps | 6Gbps | 8Gbps | 20Gbps |
| Maximum concurrent sessions w/AVC | 4.5M | 11M | 14M | 28M | 29M | 57M |

Flow Offload Operation for the FP9300/FP4100

Trusted flow processing at ultra-high speed using SMART NIC
• Hardware-based offload with no x86 dependency
• 30-40Gbps per single TCP/UDP flow, <5us latency

Use Cases:
• High Frequency Trading
• High Performance Computing Research Sites
• Intra/Inter DC storage Backup or Database Sync
• GRE Tunneled Packets

[Diagram labels: Source, Destination, Supervisor Module, Security Engine, ASA, Hardware Accelerator, Policy, Policy matched flows, Flow processed by the Hardware NIC, 40Gbps single flow]

Firepower 5500-X – Firepower Threat Defense Performance

| | 5506 (all variants) | 5508 | 5516 | 5525 | 5545 | 5555 |
|---|---|---|---|---|---|---|
| Max Throughput: Application Control (AVC) | 250Mbps | 450Mbps | 850Mbps | 1.1Gbps | 1.5Gbps | 1.75Gbps |
| Max Throughput: Application Control (AVC) and IPS | 125Mbps | 250Mbps | 450Mbps | 650Mbps | 1Gbps | 1.25Gbps |
| Sizing Throughput: AVC or IPS (440B) | 90Mbps | 180Mbps | 300Mbps | 375Mbps | 575Mbps | 725Mbps |
| Sizing Throughput: AVC and IPS (440B) | 65Mbps | 115Mbps | 200Mbps | 255Mbps | 360Mbps | 450Mbps |

Note: Firepower Threat Defense performance numbers and sizing guidance for 5500-X are the same as for Firepower Services for ASA. Refer to the “Cisco ASA with FirePOWER Services Data Sheet” for performance numbers.

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

FirePOWER Services Support All Current ASA Deployment Models

Multi-context mode for policy flexibility

Each ASA Interface appears as a separate interface to FirePOWER Services module

Allows for granular policy enforcement on both ASA and FirePOWER services

*State sharing does not occur between FirePOWER Services Modules

Clustering for linear scalability

• Up to 16x ASA in cluster
• Eliminates asymmetrical traffic issues
• Each FirePOWER Services module inspects traffic independently

HA for increased redundancy

• Redundancy and state sharing (A/S & A/A pair)
• L2 and L3 designs

FirePOWER Services Features

Application Identification

Application Identification and Control

• Reduce attack surface and inspection requirements
• Reclaim bandwidth from streaming / sharing apps
• Limit social media to control malware and data leakage
• Restrict mobile apps in BYOD environments
• Deep visibility into app usage, regardless of port/protocol

OpenAppID

Open source application-focused detection language that enables users to create, share and implement custom application detection.

The power of Open Source comes to application-layer security

• Create, share and implement custom application detections

• Put control into the hands of customers and the larger security community

• Community development accelerates the creation of detectors and controls

Library of OpenAppID Detectors

• Extendable sample detectors

• > 3000 detectors contributed by Cisco

• Thousands of downloads of the detection pack since last September

URL Filtering

URL Filtering

• Block non-business-related sites by category

• Based on user and user group

URL Filtering

• Dozens of Content Categories

• URLs Categorized by Risk

Cisco Confidential 24© 2015 Cisco and/or its affiliates. All rights reserved.

Integrated SSL Decryption –

• > 30% of Internet traffic is SSL encrypted, hiding it from inspection
  • Google, Facebook, Office 365
• Expected to increase by 50% in 2017
  • Google to prioritize sites using SSL
• Increasing % of malware is hiding in SSL tunnels
  • Malware downloads
  • CnC connections
  • Data exfiltration

Integrated SSL Decryption

• Multiple deployment modes
  • Passive Inbound (known keys)
  • Inbound Inline (with or without keys)
  • Outbound Inline (without keys)
• Flexible SSL support for HTTPS & StartTLS based apps
  • E.g. SMTPS, POP3S, FTPS, IMAPS, TelnetS
• Decrypt by URL category and other attributes
• Centralized enforcement of SSL certificate policies
  • e.g. blocking: self-signed encrypted traffic, SSL version, specific cipher suites, unapproved mobile devices

URL and DNS Protection

Attackers are leveraging DNS!
• Blacklist domains and URLs associated with Bots, CnC, Malware Delivery
• Fast-flux: High Frequency DNS Record Changes
• Control C&C traffic
• Seize control of Botnets
• Restrict access to domains violating corporate policy

DNS Inspection

• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence
• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing
• New Dashboard widget for URL/DNS SI

DNS List Action

DNS Inspection: Domain Not Found

[Diagram labels: Local DNS Server, NGFW, tbhatc.mxp2398.com, NXDOMAIN]

NGFW Policy
• Can configure: Lists/Feeds/Global lists
• Action: DNS NXDOMAIN
• Generates SI events

DNS Inspection: DNS Sinkhole

[Diagram labels: Endpoint (10.15.0.21), Malware Download, C&C Over DNS, Local DNS Server, NGFW, Sinkhole, Sinkhole IP, Connection to Sinkhole IP]

NGFW Policy
• DNS SI: C&C servers
• Action: DNS Sinkhole
• Generates SI events & IOCs

ISE Integration

• Receive identity data from pxGrid / ISE
  • More than just AD
• Receive device-type/network Security Group Tags from pxGrid / ISE
• Ability to exert control based on the above in rules
  • i.e. block HR users from using personal iPads

ISE Integration for Rapid Threat Containment

RTC Use Case: Dynamic Segmentation using TrustSec

[Diagram labels: Ops, Backbone, Threat Detection, SIEM, Floor 1 SW, Floor 2 SW, Data Center, DC FW, Sinkhole, High Security, DB, ISE, TS Server, GFE Workstation, PxGrid/EPS]

Endpoint
• OS Type: Windows XP Embedded
• User: Mary
• AD Group: Employee
• Asset Registration: Yes
• MAC Address: aa:bb:cc:dd:ee:ff

Event
• Source: FirePower
• Event: TCP SYNC Scan
• Source IP: 1.2.3.4
• Response: Quarantine

Change SGT to: Non-Compliant

Security Group = Non-Compliant

Contain and/or use Non-Compliant tag for further forensics

Non-Compliant tag follows compromised endpoint

SGACL Policy

Anti-Malware-ACL
    deny icmp
    deny udp src dst eq domain
    deny tcp src dst eq 3389
    deny tcp src dst eq 1433
    deny tcp src dst eq 1521
    deny tcp src dst eq 445
    deny tcp src dst eq 137
    deny tcp src dst eq 138
    deny tcp src dst eq 139
    deny udp src dst eq snmp
    deny tcp src dst eq telnet
    deny tcp src dst eq www
    deny tcp src dst eq 443
    deny tcp src dst eq 22
    deny tcp src dst eq pop3
    deny tcp src dst eq 123

ThreatGRID Integration

Migration to ThreatGRID for Dynamic File Analysis/Sandboxing
• Cisco owned Sandboxing Technology
• Ability to use on-premise (private) sandbox appliances as well as public sandbox cloud
• Seamless migration requiring no customer intervention

• Public AMP / Public ThreatGRID
• Public AMP / Private ThreatGRID
• Use of Private AMP Cloud is currently not supported in Drambuie

How Cisco AMP Works: Network File Trajectory Use Case

An unknown file is present on IP: 10.4.10.183, having been downloaded from Firefox

At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP: 10.5.11.8

Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application

The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later

Cisco Talos Intelligence has learned that this file is malicious, and a retrospective event is raised for all four devices immediately.

At the same time, a device with the AMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware

8 hours after the first attack, the Malware tries to re-enter the system through the original point of entry but is recognized and blocked.

ThreatGRID Integration – Summary Threat Report

ThreatGRID Integration – Full Threat Report

AMP at the Endpoint

AMP for Endpoint – Public + Private Cloud Options

AMP for Endpoint – Indicators of Compromise

AMP for Endpoint - Stop malware and provide visibility

With AMP for NGFW + AMP for Endpoints…

NGFW AMP + Endpoint AMP = Better Context in FMC

Detecting malware is great, but it could have been blocked on the client by AV or AMP for Endpoint

Knowing the malware executed makes prioritizing response much easier

A device with the AMP for Endpoints connector reacts to a retrospective event and immediately stops and quarantines the newly detected malware

NGFW AMP + Endpoint AMP = Better Context in FMC

Firepower Management Center

FireSIGHT

Cisco FireSIGHT Provides Unmatched Visibility for Accurate Threat Detection and Adaptive Defense

• Threats
• Users
• Web Applications
• Application Protocols
• File Transfers
• Malware
• Command & Control
• Operating Systems
• Client Applications
• Network Servers
• Mobile Devices

Indications of Compromise (IoCs)

IPS Events

Malware Backdoors

SI Events

Connections to Known CnC IPs

Malware Events

Impact Assessment

Correlates all intrusion events to an impact of the attack against the target

| IMPACT FLAG | ADMINISTRATOR ACTION | WHY |
|---|---|---|
| 1 | Act Immediately, Vulnerable | Event corresponds to vulnerability mapped to host |
| 2 | Investigate, Potentially Vulnerable | Relevant port open or protocol in use, but no vuln mapped |
| 3 | Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use |
| 4 | Good to Know, Unknown Target | Monitored network, but unknown host |
| 0 | Good to Know, Unknown Network | Unmonitored network |
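
The impact flags on this slide amount to a decision procedure over what is known about the target. The sketch below is an added example, not Cisco code or part of the original deck; the `Host` and `Event` records, the vulnerability ids, and all sample addresses are constructed for illustration, and the flag numbers follow the order in which the slide lists them.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Flag -> (administrator action, why), in the order the slide lists them.
IMPACT = {
    1: ("Act Immediately, Vulnerable", "Event corresponds to vulnerability mapped to host"),
    2: ("Investigate, Potentially Vulnerable", "Relevant port open or protocol in use, but no vuln mapped"),
    3: ("Good to Know, Currently Not Vulnerable", "Relevant port not open or protocol not in use"),
    4: ("Good to Know, Unknown Target", "Monitored network, but unknown host"),
    0: ("Good to Know, Unknown Network", "Unmonitored network"),
}
PRIORITY = [1, 2, 3, 4, 0]  # most urgent first


@dataclass
class Host:  # hypothetical host-profile record
    services: set = field(default_factory=set)   # {(proto, port)} observed open
    protocols: set = field(default_factory=set)  # port-less protocols in use, e.g. "icmp"
    vulns: set = field(default_factory=set)      # vulnerability ids mapped to this host


@dataclass
class Event:  # hypothetical intrusion event
    dst_ip: str
    proto: str
    port: Optional[int]
    vuln_ids: set = field(default_factory=set)   # vulnerabilities the triggering rule covers


def impact_flag(event, monitored, hosts):
    """Return the impact flag (0-4) for one intrusion event."""
    dst = ip_address(event.dst_ip)
    if not any(dst in net for net in monitored):
        return 0                                  # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                                  # monitored network, unknown host
    if event.vuln_ids & host.vulns:
        return 1                                  # vulnerability mapped to host
    in_use = ((event.proto, event.port) in host.services
              or (event.port is None and event.proto in host.protocols))
    return 2 if in_use else 3


def triage(events, monitored, hosts):
    """Score every event and order the queue by urgency (flag 1 first, 0 last)."""
    scored = [(impact_flag(e, monitored, hosts), e) for e in events]
    return sorted(scored, key=lambda pair: PRIORITY.index(pair[0]))


# Constructed sample data: one monitored range, two profiled hosts, five events.
MONITORED = [ip_network("10.20.0.0/16")]
HOSTS = {
    "10.20.0.5": Host(services={("tcp", 445)}, vulns={"VULN-0001"}),
    "10.20.0.6": Host(services={("tcp", 80)}, protocols={"icmp"}),
}
EVENTS = [
    Event("198.51.100.7", "tcp", 445, {"VULN-0001"}),  # outside monitored range
    Event("10.20.0.6", "tcp", 445, {"VULN-0001"}),     # port not open on this host
    Event("10.20.0.5", "tcp", 445, {"VULN-0001"}),     # vulnerability mapped to host
    Event("10.20.0.99", "tcp", 445, {"VULN-0001"}),    # host not in the map
    Event("10.20.0.5", "tcp", 445, {"VULN-0002"}),     # port open, no mapped vuln
]

if __name__ == "__main__":
    for flag, ev in triage(EVENTS, MONITORED, HOSTS):
        print(flag, ev.dst_ip, IMPACT[flag][0])
```

The quality of the result depends on how current the host map is: a stale profile turns a flag 1 into a flag 3, so the ranking should be treated as a triage order, not a verdict.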

FireSIGHT Management Center

Single console for event, policy, and configuration management

Awareness Delivers Insight

OS & version Identified

Server applications and version

Client Applications

Who is at the host

Client Version

Application

What other systems / IPs did user have, when?

Multi-Tenancy through Domains and Multiple Network Maps

Use cases
• Large Enterprises
• MSSP

Benefits
• Segmentation
• Granular RBAC
• Overlapping IP Addresses
• Maintaining Privacy

Domain Overview

[Diagram labels: Global Policies, Global Objects, Global Analytics; West Region, East Region, UK, UK/London, UK/Oxford; Analytics, Objects, Policies (repeated three times); levels 1, 2, 3]

• Supports up to 50 domains and 3 levels
• Available for all platforms running 6.0

Thank You