Putting firepower into the next generation firewall

Cisco Public© 2016 Cisco and/or its affiliates. All rights reserved. 1

Putting Firepower into the Next Generation Firewall

Intégrer Firepower au pare-feu de prochaine génération

Jeff FanelliPrincipal Systems Engineer

[email protected]

Cisco Public 2© 2016 Cisco and/or its affiliates. All rights reserved.

About your speakerJeff Fanelli

Principal Systems Engineer

Cisco Global Security Sales Organization

I’m from the U.S. state with the largest FRESH water coastline in the world!


MICHIGAN (the “mitten” state..)

• Firepower Software Overview• ASA & Firepower NGFW

Platforms• Management Options• Integration• Internet Edge Use Case

Today’s Agenda


Firepower NGFW Software

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 6

Firepower Threat Defense

Malware Protection

Network Profiling

CISCO COLLECTIVE SECURITY INTELLIGENCE

URL Filtering

Integrated Software - Single Management

WWW

Identity-Policy Control

Identity Based Policy Control

Network Profiling

Analytics & AutomationApplication

Visibility &Control

Intrusion Prevention

High Availability

Network Firewall and

Routing



ASA (L2-L4)• L2-L4 Stateful Firewall• Scalable CGNAT, ACL, routing• Application inspection

Firepower (L7)• Threat-Centric NGIPS• AVC, URL Filtering for NGFW• Advanced Malware Protection

Full Feature Set

Continuous FeatureMigration


Single Converged OS

Firewall URL Visibility Threats

Firepower Management Center (FMC)

ASA with Firepower Services


ASA & Firepower Platforms


Cisco NGFW Platforms

NGFWcapabilitiesallmanagedbyFirepowerManagementCenter

250 Mb -> 1.75 Gb(NGFW + IPS Throughput)

Firepower Threat Defense for ASA 5500-X

2 Gb -> 8 GB(NGFW + IPS Throughput)

Firepower 2100 Series

41xx = 10 Gb -> 24 Gb93xx = 24 Gb -> 53Gb

Firepower 4100 Seriesand Firepower 9300

Up to 16x with clustering!


Software Support - Virtual Platforms

ASA FirepowerNGIPS


ASAv (vSphere, AWS, Azure, Hyper-V, KVM) ✓

Firepower NGIPSv (vSphere + ISR UCSE) ✓

Firepower NGFWv (vSphere, AWS, Azure, KVM) ✓


OpenAppID

Next-generation visibility with OpenAppIDApplication Visibility & Control

See and understand risks Enforce granular access control Prioritize traffic and limit rates Create detectors for custom apps

Cisco database• 4,000+ apps

• 180,000+ Micro-apps

Network & users

ü

û

û

ü

û

û

ü

1

2

Prioritize traffic


Web acceptable use controls and threat preventionURL Filtering – Security Intelligence Feeds – DNS Sinkhole capability

Classify 280M+ URLs Filter sites using 80+ categories Manage “allow/block” lists easily Block latest malicious URLs

Category-basedPolicy Creation

Allow Block

Admin

Cisco URL Database

DNS Sinkhole0100101010000100101101

Security feedsURL | IP | DNS

NGFWFiltering

BlockAllow

Safe Search

…………

ü û


Decrypt 3.5 Gbps traffic over five million simultaneous flows

Granular SSL Decryption CapabilitiesSSL TLS handshake certificate inspection and TLS decryption engine

Log

SSL decryption engine

Enforcement decisions

Encrypted Traffic

AVC

http://www.%$&^*#$@#$.com

http://www.%$&^*#$@#$.com

Inspect deciphered packets Track and log all SSL sessions

NGIPS

gambling

elicit

http://www.%$*#$@#$.com










û

ü

û

ü

ü

ü

û

ü

û

û


Application and Context aware Intrusion PreventionNext-Generation Intrusion Prevention System (NGIPS)

Communications

App & Device Data

01011101001010

010001101 010010 10 10Data packets

Prioritizeresponse

Blended threats

• Network profiling

• Phishing attacks

• Innocuous payloads

• Infrequent callouts

3

1

2

Accept

Block

Automate policies

ISE

Scan network traffic Correlate data Detect stealthy threats Respond based on priority


cFile Reputation

Malware and ransomware detection and blockingCisco AMP Threat Grid (Advanced Malware Protection and cloud sandboxing)

• Known Signatures• Fuzzy Fingerprinting• Indications of compromise

û

Block known malware Investigate files safely Detect new threats Respond to alerts

File & Device TrajectoryAMP for

Network Log

ü

Threat Grid Sandboxing• Advanced Analytics• Dynamic analysis• Threat intelligence

?

AMP for Endpoint Log

Threat Disposition

Enforcement across all endpoints

RiskySafeUncertain

Sandbox Analysis


Management Platform Options


Firepower Device Manager

Enables easy on-box management of

common security and policy tasks

Enables comprehensive security administration

and automation of multiple appliances

Firepower Management Center

On-box Centralized

Management Options

ASDM withFirePOWER Services

Enables easy on-box migration and

management of ASA with Firepower

On-box


• On-box manager for managing a single Firepower Threat Defense device

• Targeted for SMB market

• Designed for NetworkingSecurity Administrator

• Simple & Intuitive

• On-screen troubleshooting









On-box Centralized

Management Options




On-box












On-box Centralized On-box

Management Options








On-box Centralized

Management Options




On-box


Integration Capabilities


ISE remediation in using pxGrid


3rd Party Integration

SNMP, Syslog, NetFlow or eStreamer

LiveAction


Cisco Threat Intelligence Director


Cisco Threat Intelligence Director (CTID)

• Uses customer threat intelligence to identify threats

• Automatically blocks supported indicators on Cisco NGFW

• Provides a single integration point for all STIX and CSV intelligence sources


Hail a TAXII !!• Free source of TAXII feeds

• Website URL: http://hailataxii.com

• Multiple feeds

• To configure the TAXII intelligence sourceURL: http://hailataxii.com/taxii-discovery-serviceUSERNAME: guestPASSWORD: guest


Deployment Designs Use Case


Use Case Internet Edge Firewall

RequirementConnectivity and Availability Requirement:• High Availability ROUTED mode• Firewall should support Router or Transparent Mode

Routing Requirements:• Static and BGP Routing• Dynamic NAT/PAT and Static NAT

Security Requirements:• Application Control + URL Acceptable Use enforcement• IPS and Malware protection• SSL Decryption

Authentication Requirements:• User authentication and device identity

SolutionSecurity Application: Firepower Threat Defense application with FMC

ISP

FW in HA

Private Network

Service Provider

Campus/Private Network

DMZ Network

Port-Channel

Internet Edge


Connectivity and Availability


10.1.1.0/24

192.168.1.0/24

192.168.1.1

10.1.1.1

IP:192.168.1.100GW: 192.168.1.1

NATDRP

Firewall Design: Modes of Operation• Routed Mode is the traditional mode of the firewall. Two or more

interfaces that separate L3 domains – Firewall is the Router and Gateway for local hosts.

• Transparent Mode is where the firewall acts as a bridge functioning at L2.

Transparent mode firewall offers some unique benefits in the DC.

Transparent deployment is tightly integrated with our ‘best practice’ data center designs.


Link Redundancy

Resiliency with link failures

Link and Platform Redundancy CapabilitiesFirewall Link Aggregation – High Availability - Clustering

Inter-chassis Clustering

Combine up to

169300 blades or 4100 chasses

Active / Standby HA

LACP Link Redundancy

LACP Link Aggregation

Control Protocol


Routing Requirements


Dynamic NAT for Direct Internet AccessAutomatic and Manual (complex) NAT Support for FTD including IPv6


Routing Protocol support

• OSPF and OSPFv3 (IPv6)

• BGP (IPv4 & IPv6)

• Static RouteTunneled Route support for VPNsReverse Route Injection for VPNs

• Multicast RoutingIGMPPIM

• EIGRP via FlexConfig

IPv4 and IPv6 advanced routing


BRK

Rate limiting Cloud File Sharing TrafficQOS Policy is a new policy type with separate policy table

Upload and download rate limiting per application with identity!


Security Requirements


Access Control Policy blocking inappropriate content


Granular SSL DecryptCan specify by application, certificate fields / status, ciphers, etc.

Decrypt Cert required!


Custom IPS Policy


Malware and File AnalysisAttached to Access Policy


URL-Based Security Intelligence

• Extension of IP-based SI

• TALOS dynamic feed, 3rd party feeds and lists

• Multiple categories: Malware, Phishing, CnC,…

• Multiple Actions: Allow, Monitor, Block, Interactive Block,…

• Policy configured via Access Rules or black-list

• IoC tags for CnC and Malware URLs

• New Dashboard widget for UR SI

• Black/White-list URL with one click URL-SI Categories


DNS Inspection

• Security Intelligence support for domains

• Addresses challenges with fast-flux domains

• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing

• Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor

• Indications of Compromise extended with DNS Security Intelligence

DNS List Action


Identity Requirements

Authentication and Authorization


Access Control Policy Identity ControlCan Mix and Match AD & ISE Identity Groups (Guest, BYOD, etc.)


TrustSec Security Group Tag based identity from ISECan also reference Identity Services Engine identified Device Profiles


Branch Firewall Use CasesSite to Site and Remote Access VPN


Headquarters and Branch NGFW ExampleUse of Groups in FMC for organization

• ONE policy sets applied to all branch firewalls


Headquarters and Branch NGFW ExampleDynamic Endpoint option for sites with DHCP Outside Interface

• VPN can be backup to MPLS or dedicated WAN


Secure Remote Access for Roaming User

ISP

FP2100 in HA

Private NetworkCampus/Private Network

Internet Edge

• Secure SSL/IPsec AnyConnect access to corporate network

• AMP and File inspection Policy to monitor roaming user data.

• Easy RA VPN Wizard to configure AnyConnect Remote Access VPN

• Advanced Application level inspection can be enabled to enforce security on inbound Remote Access User data.

• Monitoring and Troubleshooting to monitor remote access activity and simplified tool for troubleshooting.

Secure access using Firepower


Remote Access VPN• AnyConnect client-

based VPN

• Use cases:Split or full tunnel

Multiple Connection profiles

Username /password and orcertificateauthenticationsupport


Firepower Threat Defense SummaryPower Internet Edge and Branch WAN Platform

• Powerful Threat Defense Capabilities

• Advanced Site to Site VPN and routing protocol support

• AnyConnect Remote Access

UnifiedManagement

RobustNGFWFeatureset

FlexibleDeployment

Thank you.

Travel

Putting firepower into the next generation firewall