Cisco Firepower Threat Defence - Cluj Connecting Day
Claudiu Boar
©2017 BRINEL. All rights reserved www.brinel.com
Security everywhere
• Find and contain problems fast
• Simplify network segmentation
• Control who gets onto your network
• Protect users wherever they work
• Stop threats at the edge
Portfolio (deployment segments, left to right: SMB/SOHO, Branch, Internet Edge, Data Center, Service Provider)
• SMB/SOHO, Branch and Internet Edge: ASA 5505, ASA 5506-X, ASA 5508-X, ASA 5516-X, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X
• Data Center: ASA 5585-X SSP10, SSP20, SSP40, SSP60
• Service Provider: FPR 9300 SM-24, SM-36, SM-44
• Firepower 4100: FPR 4110, FPR 4120, FPR 4140, FPR 4150
• FPR 2100 Series
Firepower 2100, 4100, 9300 Snapshot
Feature                                | FPR 2100               | FPR 4100           | FPR 9300
Throughput range, Firewall + AVC       | 2 to 8 Gbps            | 12 to 30 Gbps      | 30 to 54 Gbps
Throughput range, Firewall + AVC + IPS | 2 to 8 Gbps            | 10 to 24 Gbps      | 24 to 53 Gbps
Interface speed                        | 1/10 Gbps              | 1/10/40 Gbps       | 1/10/40/100 Gbps
Rack unit size                         | 1 RU                   | 1 RU               | 3 RU
Clustering                             | Roadmap                | Yes (6.2)          | Yes (6.2)
Other apps                             | No                     | Yes (Radware DDoS) | Yes (Radware DDoS)
Chassis Manager                        | Unified with FMC / FDM | Yes                | Yes
Firepower 2100 Series
High performance, purpose-built hardware for Cisco NGFW
• Available in 4 platforms
• Higher port density in 1 rack unit
• 10 Gbps support (2130 and 2140)
• FPR 2110: 16x 1G ports
• FPR 2120: 16x 1G ports
• FPR 2130: 12x 1G + 12x 10G ports
• FPR 2140: 12x 1G + 12x 10G ports
Firepower 2100 Series Performance
Metric                                        | FPR 2110 | FPR 2120 | FPR 2130  | FPR 2140
Throughput, FW + AVC                          | 1.9 Gbps | 3 Gbps   | 4.75 Gbps | 8.5 Gbps
Throughput, FW + AVC + NGIPS                  | 1.9 Gbps | 3 Gbps   | 4.75 Gbps | 8.5 Gbps
Maximum concurrent sessions, with AVC         | 1 M      | 1.2 M    | 2 M       | 3.5 M
Maximum new connections per second, with AVC  | 12000    | 16000    | 24000     | 40000
Hardware Architecture Overview
Dual-CPU design: an x86 CPU handles advanced inspection and an Octeon NPU handles the stateful firewall.
Chassis components: NM slot (4 port 10GE / 8 port), 12 port GE RJ45 (fixed), 4 port SFP+, dual SSD, fabric, USB, console, management GE RJ45.
• Stateful Inspection (Octeon NPU): Prefilter actions (Block, Fastpath, Analyze), NAT, VPN, Routing, QoS, Stateful Firewall, High Availability
• Advanced Inspection (x86 CPU): AVC with OpenAppID, NGIPS, Malware & File inspection (AMP), Security Intelligence, URL Filter, User Identity
FPR 2100 with Firepower Threat Defense
New in FTD 6.2.x:
• RA VPN
• S2S VPN
• Packet tracer and capture
Management Options
• On-box: Firepower Device Manager. Enables easy on-box management of common security and policy tasks.
• Centralized: Firepower Management Center. Enables comprehensive security administration and automation of multiple appliances.
• Cloud-based: Cisco Defense Orchestrator. Enables centralized cloud-based policy management of multiple deployments.
On-box vs Off-box
Feature areas compared for Firepower Management Center (off-box) and Firepower Device Manager (on-box):
• NAT & Routing
• Access Control
• Intrusion & Malware
• Device & Events Monitoring
• VPN - Site to Site & RA
• Security Intelligence
• Other Policies: SSL, Identity, Rate Limiting (QoS) etc.
• Active/Passive Authentication
• Firewall Mode: Routed / Transparent (FMC), Routed (FDM)
• Threat Intelligence & Analytics
• Correlation & Remediation
• Risk Reports
• Device Setup Wizard
• Interface Port-Channel
• High Availability
FTD Licensing Structure
• Base License enables NGFW
  • Networking, Firewall and Application Visibility & Control
  • Perpetual License - included with Appliance purchase
• Term-based licenses for advanced protection
  • Threat, Malware and URL Filtering
• VPN License
  • VPN only
  • AnyConnect Plus
  • AnyConnect Apex
License diagram: Base (NGFW); Threat (IPS / SI / DNS); Malware (AMP / TG); URL Filtering; VPN Only; AnyConnect Plus; AnyConnect Apex. Blue = Term-based, Green = Perpetual.
Migration Capabilities
Migration of ASA Configuration to FTD
• ACL: ability to migrate Access Control Rules
• NAT: ability to migrate NAT rules
• Objects: support for migrating objects corresponding to ACL and NAT rules, except Time Range and FQDN
• ASA Versions: support for ASA 8.4+ versions
Migration Process Overview
• ASA: export the configuration as a .cfg or .txt file
• Migration Tool: converts the ASA configuration into an FMC .sfo file and produces a Migration Report
• FMC (managing the FTD device): import the .sfo file as an Access Control Policy or Prefilter policy
• Firepower 2100: register the device with FMC and apply the migrated policy
Firepower 2100 Physical Characteristics
• FPR 2100 Series
  • 1RU x 16.89” x 19.8” chassis design
  • Front to back cooling
  • FIPS opacity kit optional
  • Dual SSD
  • Fixed ports: 12x RJ45, 4x SFP(+) and USB 2.0
  • Management Ethernet & Console port
  • Rack mount rails kit optional
• FPR 2130 / 2140
  • 1x Network Module
  • Dual PSU
  • DC PSU support
Firepower 4100 Hardware Overview
• 1RU x 16.89” x 29.9” - front to back cooling (6x dual fan); 1RU tall (1.73”)
• Built-in modules
  • Supervisor Module
  • Security Engine
  • 8x SFP+ (10G) fixed ports
• Modular system
  • 2x Network Module (NetMod) slots (common across the Firepower platform)
  • 2x 2.5” SSD slots
  • 2x Universal 950 DC PSU or 2x Universal 1100W AC PSU
  • Fan units
• Note: except for the power supply unit, all physical specifications are the same for FP4110, FP4120, FP4140 and FP4150
Firepower 4120, 4140 and 4150 - Hardware Components
• Supervisor Module
  • Console and management port
  • 8x 10G fixed Ethernet ports
  • 2x Network Modules
• Security Engine
  • Dual CPU, each connected with a Smart NIC and crypto accelerator card
  • Two SSDs - 1 default + 1 optional (for AMP service)
  • SSD size: 200GB for 4120, 400GB for 4140
• Backplane
  • 80G backplane support
Block diagram (labels only): Supervisor with console/management port, built-in 8x10GE interfaces, NM slot 1 and NM slot 2 (8x 10G or 4x 40G network module) and an internal 720G switch fabric; Security Engine with x86 CPUs, RAM, Smart NIC + crypto accelerator and two SSDs; internal links labelled 2x40Gbps, 5x40Gbps, 2x100Gbps, 80G and 200G.
FP 4100 Series Performance Specification
Category                                  | FP 4110  | FP 4120  | FP 4140
Large Packet Firewall (1500 byte UDP)     | 20 Gbps  | 40 Gbps  | 60 Gbps
Firewall Throughput                       | 10 Gbps  | 20 Gbps  | 30 Gbps
Firewall Packets Per Second (64 byte UDP) | 3 M      | 6 M      | 10 M
UDP Latency (1500 LDR)                    | 18 µs    | 31 µs    | 30 µs
Connections per Second                    | 150K     | 250K     | 350K
Concurrent Connections                    | 10M      | 15M      | 25M
NGFW - FW+AVC Perf. (440 byte)            | 3.5 Gbps | 7 Gbps   | 10 Gbps
NGFW - FW+AVC+IPS Perf. (440 byte)        | 2.5 Gbps | 4.5 Gbps | 6.5 Gbps
Firepower 4100 Software
• FP 4100 Series platforms are supported from FXOS 1.1.4
• FXOS provides the interface for device management and for provisioning the security application on the Security Engine
• All images are digitally signed and validated through Secure Boot
• Security application images are in Cisco Secure Package (CSP) format
• Multiple versions of the same application can be stored on the Supervisor and deployed to the Security Engine on demand
• Contains system images (i.e. ASA, FTD) and other images (i.e. ASDM, REST, and so on)
Software stack: the Supervisor runs the Firepower Extensible Operating System (FXOS); the Security Engine runs the primary application from Cisco (ASA or FTD, native) and optionally a decorator application from a third party (Radware DDoS, running under KVM).
DDoS Attacks breaking all layers of the DC
Attack path shown: Internet pipe, Firewall, IPS/IDS, Load Balancer/ADC, Server under attack, SQL Server.
DDoS protection on the firewall protects from 64% of DDoS attacks. Pipe saturation attacks require integrated cloud protection.
Firepower Threat Defense
Advanced Malware Risk Report
Network Risk Report
Attack Risk Report
Thank you!
Media partners