Post on 21-Jan-2018
Cisco Public© 2016 Cisco and/or its affiliates. All rights reserved. 1
Putting Firepower into the Next Generation Firewall
Jeff Fanelli, Principal Systems Engineer
jefanell@cisco.com
About your speaker: Jeff Fanelli
Principal Systems Engineer
Cisco Global Security Sales Organization
I’m from the U.S. state with the largest FRESH water coastline in the world!
Michigan (the “mitten” state).
Today’s Agenda
• Firepower Software Overview
• ASA & Firepower NGFW Platforms
• Management Options
• Integration
• Internet Edge Use Case
Firepower NGFW Software
Firepower Threat Defense
Integrated software, single management. Capabilities shown: Network Firewall and Routing, Intrusion Prevention, Application Visibility & Control, URL Filtering, Malware Protection, Network Profiling, Identity-Based Policy Control, High Availability, Analytics & Automation, all backed by Cisco Collective Security Intelligence.
Firepower Threat Defense
ASA (L2-L4): L2-L4 stateful firewall; scalable CGNAT, ACL, routing; application inspection.
Firepower (L7): threat-centric NGIPS; AVC and URL filtering for NGFW; Advanced Malware Protection.
Full feature set, with continuous feature migration into Firepower Threat Defense, a single converged OS covering firewall, URL, visibility and threats, managed by Firepower Management Center (FMC). Also shown: ASA with Firepower Services.
ASA & Firepower Platforms
Cisco NGFW Platforms
All NGFW capabilities are managed by Firepower Management Center.
• Firepower Threat Defense for ASA 5500-X: 250 Mb -> 1.75 Gb (NGFW + IPS throughput)
• Firepower 2100 Series: 2 Gb -> 8 Gb (NGFW + IPS throughput)
• Firepower 4100 Series and Firepower 9300: 41xx = 10 Gb -> 24 Gb; 93xx = 24 Gb -> 53 Gb; up to 16x with clustering!
Software Support - Virtual Platforms
• ASA: ASAv (vSphere, AWS, Azure, Hyper-V, KVM)
• Firepower NGIPS: Firepower NGIPSv (vSphere + ISR UCSE)
• Firepower Threat Defense: Firepower NGFWv (vSphere, AWS, Azure, KVM)
OpenAppID
Next-generation visibility with OpenAppID: Application Visibility & Control
• See and understand risks
• Enforce granular access control
• Prioritize traffic and limit rates
• Create detectors for custom apps
Cisco database: 4,000+ apps, 180,000+ micro-apps.
(Diagram: network & users; per-application allow/block marks; prioritize traffic.)
Web acceptable use controls and threat prevention
URL Filtering – Security Intelligence Feeds – DNS Sinkhole capability
• Classify 280M+ URLs
• Filter sites using 80+ categories
• Manage “allow/block” lists easily
• Block latest malicious URLs
(Diagram: the admin creates category-based policy against the Cisco URL Database; security feeds (URL | IP | DNS) and the DNS sinkhole drive NGFW filtering with allow/block decisions; Safe Search.)
Granular SSL Decryption Capabilities
SSL/TLS handshake certificate inspection and TLS decryption engine
• Decrypt 3.5 Gbps of traffic over five million simultaneous flows
• Inspect deciphered packets
• Track and log all SSL sessions
(Diagram: encrypted traffic enters the SSL decryption engine; deciphered packets pass to AVC and NGIPS, which produce per-URL enforcement decisions (example categories: gambling, illicit) and a log of all sessions.)
Application and Context aware Intrusion Prevention
Next-Generation Intrusion Prevention System (NGIPS)
• Scan network traffic
• Correlate data
• Detect stealthy threats
• Respond based on priority
(Diagram: data packets, communications and app & device data are correlated to detect blended threats – network profiling, phishing attacks, innocuous payloads, infrequent callouts – and the response is prioritized: accept, block, or automate policies with ISE.)
Malware and ransomware detection and blocking
Cisco AMP Threat Grid (Advanced Malware Protection and cloud sandboxing)
• Block known malware
• Investigate files safely
• Detect new threats
• Respond to alerts
File Reputation: known signatures, fuzzy fingerprinting, indications of compromise.
Threat Grid Sandboxing: advanced analytics, dynamic analysis, threat intelligence.
(Diagram: AMP for Network and AMP for Endpoint log file & device trajectory; sandbox analysis returns a threat disposition of safe, risky or uncertain, enforced across all endpoints.)
Management Platform Options
Management Options
• Firepower Device Manager (on-box): enables easy on-box management of common security and policy tasks
• Firepower Management Center (centralized): enables comprehensive security administration and automation of multiple appliances
• ASDM with FirePOWER Services (on-box): enables easy on-box migration and management of ASA with Firepower
Firepower Device Manager
• On-box manager for managing a single Firepower Threat Defense device
• Targeted for the SMB market
• Designed for the Networking/Security Administrator
• Simple & intuitive
• On-screen troubleshooting
Firepower Management Center
Integration Capabilities
ISE remediation using pxGrid
3rd Party Integration
SNMP, Syslog, NetFlow or eStreamer (example shown: LiveAction)
Cisco Threat Intelligence Director
Cisco Threat Intelligence Director (CTID)
• Uses customer threat intelligence to identify threats
• Automatically blocks supported indicators on Cisco NGFW
• Provides a single integration point for all STIX and CSV intelligence sources
Hail a TAXII!
• Free source of TAXII feeds
• Website URL: http://hailataxii.com
• Multiple feeds
• To configure the TAXII intelligence source: URL: http://hailataxii.com/taxii-discovery-service, USERNAME: guest, PASSWORD: guest
Deployment Design Use Case
Use Case: Internet Edge Firewall
Requirements
Connectivity and Availability:
• High Availability, ROUTED mode
• Firewall should support Routed or Transparent Mode
Routing:
• Static and BGP Routing
• Dynamic NAT/PAT and Static NAT
Security:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption
Authentication:
• User authentication and device identity
Solution
Security Application: Firepower Threat Defense application with FMC
(Diagram: ISP / Service Provider – Internet Edge – FW in HA with Port-Channel – DMZ Network – Campus/Private Network.)
Connectivity and Availability
Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall: two or more interfaces that separate L3 domains; the firewall is the router and gateway for local hosts.
• Transparent Mode is where the firewall acts as a bridge functioning at L2. A transparent mode firewall offers some unique benefits in the DC; transparent deployment is tightly integrated with our ‘best practice’ data center designs.
(Diagram: routed-mode firewall with 192.168.1.1 on the 192.168.1.0/24 side and 10.1.1.1 on the 10.1.1.0/24 side; host IP: 192.168.1.100, GW: 192.168.1.1; labels NAT, DRP.)
Link and Platform Redundancy Capabilities
Firewall Link Aggregation – High Availability – Clustering
• LACP (Link Aggregation Control Protocol) link aggregation: link redundancy and resiliency with link failures
• Active / Standby HA
• Inter-chassis Clustering: combine up to 16 9300 blades or 4100 chassis
Routing Requirements
Dynamic NAT for Direct Internet Access
Automatic and manual (complex) NAT support for FTD, including IPv6
Routing Protocol Support
IPv4 and IPv6 advanced routing
• OSPF and OSPFv3 (IPv6)
• BGP (IPv4 & IPv6)
• Static Route; tunneled route support for VPNs; reverse route injection for VPNs
• Multicast Routing: IGMP, PIM
• EIGRP via FlexConfig
Rate limiting Cloud File Sharing Traffic
QoS Policy is a new policy type with a separate policy table.
Upload and download rate limiting per application, with identity!
Security Requirements
Access Control Policy blocking inappropriate content
Granular SSL Decrypt
Can specify by application, certificate fields / status, ciphers, etc.
Decrypt certificate required!
Custom IPS Policy
Malware and File Analysis
Attached to Access Policy
URL-Based Security Intelligence
• Extension of IP-based SI
• TALOS dynamic feed, 3rd party feeds and lists
• Multiple categories: Malware, Phishing, CnC, …
• Multiple Actions: Allow, Monitor, Block, Interactive Block, …
• Policy configured via Access Rules or black-list
• IoC tags for CnC and Malware URLs
• New Dashboard widget for URL SI
• Black/White-list URL with one click
(Screenshot: URL-SI Categories)
DNS Inspection
• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing
• Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence
(Screenshot: DNS List / Action configuration)
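As an added example (not from the deck or from Cisco), the Python below models how the four DNS list actions above (Block, Domain Not Found, Sinkhole, Monitor) change what a client receives, and how later connections to the sinkhole address expose infected hosts; the list contents, the action-per-list mapping, the sinkhole address and the IoC rule are constructed assumptions of the example, not a Firepower configuration.

```python
# Constructed DNS Security Intelligence lists (example data, not Cisco's feed format)
DNS_LISTS = {
    "CnC":      {"bad-c2.example", "beacon.example"},
    "Malware":  {"dropper.example"},
    "Phishing": {"login-secure.example"},
    "Spam":     {"bulkmail.example"},
}
# One of the slide's four actions per list; the mapping itself is an assumption
LIST_ACTION = {"CnC": "Sinkhole", "Malware": "Block",
               "Phishing": "Domain Not Found", "Spam": "Monitor"}
SINKHOLE_IP = "192.0.2.1"             # RFC 5737 documentation address, constructed
IOC_CATEGORIES = {"CnC", "Malware"}   # categories that raise an IoC in this example


def match_list(qname):
    """Longest-suffix match: the query name or any parent domain against every list.
    Matching on the domain (not the resolved IP) is what survives fast-flux rotation."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        candidate = ".".join(labels[i:])
        for category, domains in DNS_LISTS.items():
            if candidate in domains:
                return category, candidate
    return None, None


def evaluate(src, qname, upstream_answer):
    """Apply the DNS list action to one query and return the resulting event."""
    category, hit = match_list(qname)
    event = {"src": src, "qname": qname, "category": category, "list_entry": hit,
             "action": "Allow" if category is None else LIST_ACTION[category],
             "ioc": category in IOC_CATEGORIES}
    if event["action"] in ("Allow", "Monitor"):
        event["response"] = upstream_answer   # resolved normally; Monitor only logs
    elif event["action"] == "Domain Not Found":
        event["response"] = "NXDOMAIN"        # client is told the name does not exist
    elif event["action"] == "Sinkhole":
        event["response"] = SINKHOLE_IP       # client is steered to the sinkhole
    else:
        event["response"] = None              # Block: query dropped, no answer
    return event


def sinkhole_connections(flows):
    """Hosts whose later flows reach the sinkhole address: the infected clients to follow up."""
    return sorted({f["src"] for f in flows if f["dst"] == SINKHOLE_IP})
```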
Identity Requirements
Authentication and Authorization
Access Control Policy Identity Control
Can mix and match AD & ISE identity groups (Guest, BYOD, etc.)
TrustSec Security Group Tag based identity from ISE
Can also reference Identity Services Engine identified device profiles
Branch Firewall Use Cases
Site-to-Site and Remote Access VPN
Headquarters and Branch NGFW Example
Use of Groups in FMC for organization
• One policy set applied to all branch firewalls
Headquarters and Branch NGFW Example
Dynamic Endpoint option for sites with a DHCP outside interface
• VPN can be a backup to MPLS or a dedicated WAN
Secure Remote Access for Roaming Users
Secure access using Firepower
(Diagram: ISP – Internet Edge – FP2100 in HA – Campus/Private Network.)
• Secure SSL/IPsec AnyConnect access to the corporate network
• AMP and file inspection policy to monitor roaming user data
• Easy RA VPN wizard to configure AnyConnect Remote Access VPN
• Advanced application-level inspection can be enabled to enforce security on inbound remote access user data
• Monitoring and troubleshooting to monitor remote access activity, with a simplified tool for troubleshooting
Remote Access VPN
• AnyConnect client-based VPN
• Use cases: split or full tunnel; multiple connection profiles; username/password and/or certificate authentication support
Firepower Threat Defense Summary
Powerful Internet Edge and Branch WAN Platform
• Powerful Threat Defense Capabilities
• Advanced Site-to-Site VPN and routing protocol support
• AnyConnect Remote Access
Unified Management – Robust NGFW Feature Set – Flexible Deployment
Thank you.