Cisco Threat-Focused Next Generation Firewall


Chad Mitchell – CCIE #44090 – Security Consulting Systems Engineer

[email protected]

November 2016

Cisco Threat-Focused Next Generation Firewall

Strategic Imperatives

Visibility-Driven: Network-Integrated, Broad Sensor Base, Context and Automation
Threat-Focused: Continuous Advanced Threat Protection, Security Intelligence
Platform-Based: Agile and Open Platforms, Built for Scale, Consistent Control, Management

Network, Endpoint, Mobile, Virtual, Cloud

Focus on the Apps… But Miss the Threat

The Problem with Legacy Next-Generation Firewalls

Legacy NGFWs can reduce the attack surface, but advanced malware often evades their security controls.

• They can’t help you once you’ve been breached
• They’re only app-focused
• They’re another silo to manage

[Figure: Attack Continuum (BEFORE / DURING / AFTER) with separate point products: NGFW, IPS, Acceptable use, DDoS, Sandbox]

Other “next-generation” firewalls fix some problems but create new ones

[Figure: Attack Continuum, BEFORE / DURING / AFTER. A typical NGFW enables applications and protects before an attack but is less effective during or after one, leaving a gap that is covered by separate silos: IPS, URL, DDoS, Sandbox, Incident Response]

Cisco Firepower™ NGFW: Stop more threats across the entire attack continuum

BEFORE: Discover threats and enforce security policies
DURING: Detect, block, and defend against attacks
AFTER: Remediate breaches and prevent future attacks

“You can’t protect what you can’t see”

Gain more insight with increased visibility

[Figure: visibility comparison of a typical IPS, a typical NGFW, and Cisco Firepower™ NGFW across: Threats, Users, Web applications, Application protocols, File transfers, Malware, Command and control servers, Client applications, Network servers, Operating systems, Routers and switches, Mobile devices, Printers, VoIP phones]

Cisco Firepower™ Management Center

Reduce complexity with simplified, consistent management

Unified
• Network-to-endpoint visibility
• Manages firewall, applications, threats, and files
• Track, contain, and recover with remediation tools

Scalable
• Central, role-based management
• Multitenancy
• Policy inheritance

Automated
• Impact assessment
• Rule recommendations
• Remediation APIs

Detect infections earlier and act faster

Median time to detection (TTD)*: Cisco 17.5 hours; industry 100 days

• Automated attack correlation
• Indications of compromise
• Local or cloud sandboxing
• Malware infection tracking
• Two-click containment
• Malware analysis

*Source: Cisco® 2016 Annual Security Report (median time to detection)

Add security services to help defend your network

[Figure: services wheel: Stateful Firewalling, VPN Capabilities, AVC, URL Filtering, NGIPS, AMP]

Foundational Functionality (included by default)
Built-in firewall services that provide base protection and connect with other security solutions:
• Stateful Firewalling
• VPN Capabilities
• Policy Enforcement Point for ISE

FirePOWER Services
Subscription services that run on the ASA and provide enhanced levels of threat protection and network visibility:
• Advanced Malware Protection (AMP)
• Next-Generation Intrusion Prevention System (NGIPS)
• URL Filtering
• Application Visibility and Control (AVC)

URL Filtering: Minimize your exposure to web-based threats

Restrict categories of URLs
Filter out over 280 million URLs based on any of the 80+ categories into which they are grouped; new URLs are added daily

Block specific URLs
Restrict access to specific sites and subsites

Example policy shown on the slide:
Allowed: Social Media, Health
Restricted: Gambling, Drug Use, Gaming

Change policies easily
Use the refined user interface to make additions or changes with just a few clicks
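The two rule types above (category rules and explicit site/subsite rules) interact, and the order in which they are evaluated matters. The following is an added example, not Cisco code: a small policy engine over a constructed category database, showing explicit URL rules taking precedence over category rules, and host matching on a label boundary so that a rule for a site also covers its subdomains without matching look-alike names. All domains, categories and the policy below are made up for illustration.

```python
"""Category- and URL-based web filtering with site/subsite scope.

Added example, not Cisco code. Constructed category database and policy;
the registrable-domain heuristic is a stated simplification (no public-suffix list).
"""
from urllib.parse import urlsplit

# Constructed category database keyed by registrable domain.
CATEGORY_DB = {
    "social.example": "Social Media",
    "clinic.example": "Health",
    "bets.example": "Gambling",
    "cannabis.example": "Drug Use",
    "arcade.example": "Gaming",
}

# Category policy mirroring the slide: Allowed vs. Restricted.
CATEGORY_POLICY = {
    "Social Media": "allow",
    "Health": "allow",
    "Gambling": "block",
    "Drug Use": "block",
    "Gaming": "block",
}

# Explicit URL rules are evaluated before category rules and win.
# (host, path_prefix, action): host covers the site and its subdomains;
# an empty path_prefix covers the whole site.
URL_RULES = [
    ("games.social.example", "", "block"),        # a subsite of an allowed site
    ("clinic.example", "/forum/", "block"),       # one path on an allowed site
]


def normalize(url):
    """Return (host, path): scheme, port and fragment stripped, host lower-cased."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    path = parts.path or "/"
    return host, path


def host_matches(host, rule_host):
    # Exact host or a subdomain of it: match on a label boundary, never as a bare suffix,
    # so a rule for bets.example does not also hit notbets.example.
    return host == rule_host or host.endswith("." + rule_host)


def registrable_domain(host):
    # Toy two-label heuristic; a real engine would consult a public-suffix list.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def categorize(host):
    return CATEGORY_DB.get(registrable_domain(host), "Uncategorized")


def decide(url, default="allow"):
    """Return (action, reason) for a URL: URL rules first, then category policy."""
    host, path = normalize(url)
    for rule_host, prefix, action in URL_RULES:
        if host_matches(host, rule_host) and path.startswith(prefix or "/"):
            return action, f"url rule {rule_host}{prefix or '/'}"
    category = categorize(host)
    return CATEGORY_POLICY.get(category, default), f"category {category}"


if __name__ == "__main__":
    for u in ["https://www.clinic.example/visits", "https://www.clinic.example/forum/thread/9",
              "http://games.social.example/play", "bets.example/slots", "http://notbets.example/"]:
        print(f"{u:45} -> {decide(u)}")
```

The `default` argument is the decision for uncategorized sites; the example allows them so that the category table alone drives the result, but a default of `"block"` is the stricter choice where the slide's "new URLs are added daily" lag is a concern.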


NGIPS: Protect the network more effectively

Gain unmatched visibility and threat detection
• NGIPS automatically correlates information from intrusion events with network assets to prioritize threat investigation (Priority 1, 2, 3)
• Blended threats and attacks coming through multiple vectors are quickly identified

Reduce IT management burden
• Policies can be updated automatically based on vulnerabilities and previous intrusion events
• Admins can adjust policies and system settings across locations from a single location, even offsite


AMP: Protect against the most advanced forms of malware and remediate after a breach

Point-in-time Protection
Identify malware that other solutions miss by analyzing files based on reputation or suspicious behavior. AMP is continuously updated so that it can stop the latest and most advanced forms of malware.

Continuous Protection
Defend against attacks even after a file passes the perimeter. AMP tracks files as they move around the network; if a file later turns out to be malicious, you can quickly determine the areas of impact and remediate.

[Figure: Trajectory, Behavioral Indications of Compromise, Breach Hunting, Retrospection, Attack Chain Weaving]

AMP detection engines shown on the slide: One-to-One Signature, Fuzzy Fingerprinting, Machine Learning, Dynamic Analysis, Indications of Compromise, Device Flow Correlation, Advanced Analytics

AVC: Reduce attack surfaces by controlling application access

• Control port- and protocol-hopping apps that evade traditional firewalls
• Limit the exposure created by social media applications
• Enforce acceptable use policies with granular control over applications and micro-applications
• Use custom application detectors / OpenAppID
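The point of "port- and protocol-hopping apps" is that a port-based rule identifies the application by the destination port, while an application detector identifies it from the first bytes of the connection. The following is an added example, not Cisco or OpenAppID code: hand-written byte-pattern detectors stand in for application detectors, a port table stands in for a legacy rule, and both are run over constructed flows so the disagreement between the two views is visible. The flows, addresses and block list are made up.

```python
"""Payload-based application identification versus port-based guessing.

Added example, not Cisco/OpenAppID code. Detectors are simplified byte-pattern
checks for four protocols; flows below are constructed, not captured traffic.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def is_tls_client_hello(p: bytes) -> bool:
    # TLS record header: type 0x16 (handshake), version 0x03 0x0X, length (2 bytes),
    # then handshake type 0x01 (ClientHello) as the first byte of the record body.
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


# Tried in order; first match wins.
DETECTORS: List[Tuple[str, Callable[[bytes], bool]]] = [
    ("ssh",        lambda p: p.startswith(b"SSH-")),
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("tls",        is_tls_client_hello),
    ("http",       lambda p: HTTP_REQUEST.match(p) is not None),
]

# What a port-only rule assumes about a destination port.
PORT_TABLE: Dict[int, str] = {22: "ssh", 80: "http", 443: "tls", 8080: "http"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes   # first client-to-server bytes of the connection


def identify_app(payload: bytes) -> str:
    """Application as seen by the payload detectors."""
    for name, test in DETECTORS:
        if test(payload):
            return name
    return "unknown"


def port_based_guess(dst_port: int) -> str:
    """Application as assumed by a legacy port-based rule."""
    return PORT_TABLE.get(dst_port, "unknown")


def evaluate(flow: Flow, blocked_apps: Set[str]) -> dict:
    """Classify a flow both ways and apply an application block list."""
    app = identify_app(flow.payload)
    guess = port_based_guess(flow.dst_port)
    return {
        "app": app,
        "port_guess": guess,
        "port_hopping": app != "unknown" and app != guess,   # detector disagrees with the port
        "action": "block" if app in blocked_apps else "allow",
    }


# --- constructed sample flows (not captured traffic) -------------------------
FLOWS = [
    Flow("10.0.1.5", "198.51.100.10", 443,  b"SSH-2.0-OpenSSH_7.4\r\n"),                      # SSH hiding on 443
    Flow("10.0.1.6", "198.51.100.11", 80,   b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40),
    Flow("10.0.1.7", "198.51.100.12", 443,  bytes.fromhex("16030100a5010000a10303") + b"\x00" * 160),
    Flow("10.0.1.8", "198.51.100.13", 8443, b"GET /login HTTP/1.1\r\nHost: intranet\r\n\r\n"),  # plain HTTP on 8443
]
BLOCKED = {"bittorrent", "ssh"}

if __name__ == "__main__":
    for f in FLOWS:
        v = evaluate(f, BLOCKED)
        print(f"{f.dst}:{f.dst_port:<5} port-guess={v['port_guess']:<8} app={v['app']:<10} "
              f"hopping={str(v['port_hopping']):<5} action={v['action']}")
```

A port-only rule would have passed the first two flows as TLS and HTTP; the detectors classify them as SSH and BitTorrent and the block list applies regardless of port. Real detectors also handle server-side responses, fragmentation across several packets and encrypted traffic, which these few-byte checks do not.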

Leverage the proven ASA Firewall capabilities

Standard Functions
• IP Fragmentation
• IP Option Inspection
• TCP Intercept
• TCP Normalization
• ACL
• NAT
• Routing

New ASA Features
• Clientless tagging, WebVPN support for OWA 2013 and XenDesktop 7.5
• TLS 1.2
• ECMP support, IPv6 BGP
• Standards-based IKEv2 support; Citrix HTML5 browser support
• VPN clients: Windows 7, 8.1, 8.1 phone client, iOS 8, Knox and strongSwan
• Full VXLAN support
• Policy-based Routing
• REST API and SNMP enhancements


VPN: Extend protection to off-site users

Threat Protection ✓   Data-loss Prevention ✓   Acceptable Use ✓   Access Control ✓

Diverse Endpoint Support
• Mobile and non-mobile devices
• Cisco and non-Cisco devices

Broad VPN Deployment
• AnyConnect 4.0 and 3rd-party VPNs
• Single- and multi-site deployments

Split Tunneling Capabilities
• Corporate and sensitive information
• Personal and generic information


Cisco FireSIGHT Provides Unmatched Visibility for Accurate Threat Detection and Adaptive Defense

[Figure: FireSIGHT visibility into Threats, Users, Web Applications, Application Protocols, File Transfers, Malware, Command & Control, Operating Systems, Client Applications, Network Servers, Mobile Devices]

Impact Assessment

Correlates every intrusion event with what is known about the target host to rate the impact of the attack

IMPACT FLAG | ADMINISTRATOR ACTION                   | WHY
1           | Act Immediately, Vulnerable            | Event corresponds to a vulnerability mapped to the host
2           | Investigate, Potentially Vulnerable    | Relevant port open or protocol in use, but no vulnerability mapped
3           | Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use
4           | Good to Know, Unknown Target           | Monitored network, but unknown host
0           | Good to Know, Unknown Network          | Unmonitored network
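The table is a decision procedure over three facts about the target (is the network monitored, is the host known, and what services and vulnerabilities are mapped to it). The following is an added example, not Firepower code: it reimplements the decision table over a constructed host inventory and sorts events into the triage order the flags imply. Hosts, networks, rule names and events are made up; the two CVE identifiers are real but are used only as sample vulnerability IDs.

```python
"""Event-to-asset correlation producing the impact flags described above.

Added example, not Firepower code. Host inventory, network ranges, rule names
and events are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# (protocol, port); port is None for protocols without ports, e.g. ICMP.
Service = Tuple[str, Optional[int]]


@dataclass(frozen=True)
class HostProfile:
    """What passive discovery has learned about one monitored host."""
    ip: str
    services: FrozenSet[Service]      # open ports / protocols seen in use
    vulns: FrozenSet[str]             # vulnerability IDs mapped to the host


@dataclass(frozen=True)
class IntrusionEvent:
    """One IPS alert, with the vulnerabilities the triggering rule references."""
    rule: str
    dst_ip: str
    proto: str
    dst_port: Optional[int]
    vuln_refs: FrozenSet[str]


IMPACT_LABELS = {
    1: "Act Immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to Know, Currently Not Vulnerable",
    4: "Good to Know, Unknown Target",
    0: "Good to Know, Unknown Network",
}

# Triage order: flag 1 first; flag 0 (unmonitored network) last.
PRIORITY_ORDER = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


def impact_flag(event: IntrusionEvent,
                hosts: Dict[str, HostProfile],
                monitored_nets: List[str]) -> int:
    """Apply the impact-flag decision table to one event."""
    target = ip_address(event.dst_ip)
    if not any(target in ip_network(net) for net in monitored_nets):
        return 0                                   # unmonitored network
    host = hosts.get(str(target))
    if host is None:
        return 4                                   # monitored network, unknown host
    if event.vuln_refs & host.vulns:
        return 1                                   # rule's vulnerability is mapped to the host
    if (event.proto, event.dst_port) in host.services:
        return 2                                   # port open / protocol in use, no vuln mapped
    return 3                                       # service not present on the host


def prioritize(events, hosts, monitored_nets):
    """Return (flag, label, event) tuples, most urgent first."""
    flagged = [(impact_flag(e, hosts, monitored_nets), e) for e in events]
    flagged.sort(key=lambda fe: PRIORITY_ORDER[fe[0]])
    return [(f, IMPACT_LABELS[f], e) for f, e in flagged]


# --- constructed sample data (not from any real deployment) -----------------
MONITORED = ["10.0.0.0/8"]
HOSTS = {
    "10.0.1.10": HostProfile("10.0.1.10", frozenset({("tcp", 80), ("tcp", 443)}),
                             frozenset({"CVE-2014-0160"})),
    "10.0.1.20": HostProfile("10.0.1.20", frozenset({("tcp", 445), ("icmp", None)}),
                             frozenset()),
}
EVENTS = [
    IntrusionEvent("SMB remote code exec", "10.0.1.20", "tcp", 445, frozenset({"CVE-2008-4250"})),
    IntrusionEvent("RDP scan", "10.0.1.10", "tcp", 3389, frozenset()),
    IntrusionEvent("Heartbleed probe", "10.0.1.10", "tcp", 443, frozenset({"CVE-2014-0160"})),
    IntrusionEvent("Shellcode in HTTP", "10.0.5.5", "tcp", 80, frozenset()),
    IntrusionEvent("SSH brute force", "192.0.2.7", "tcp", 22, frozenset()),
]

if __name__ == "__main__":
    for flag, label, ev in prioritize(EVENTS, HOSTS, MONITORED):
        print(f"impact {flag}  {label:40}  {ev.rule} -> {ev.dst_ip}")
```

The quality of the output depends entirely on the host profiles: a stale inventory turns a flag 1 into a flag 3 or 4, which is why the slide pairs impact assessment with continuous passive discovery rather than a one-time scan.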

Indications of Compromise (IoCs)

IPS Events
• Malware Backdoors
• CnC Connections
• Exploit Kits
• Admin Privilege Escalations
• Web App Attacks

SI Events
• Connections to Known CnC IPs

Malware Events
• Malware Detections
• Malware Executions
• Office/PDF/Java Compromises
• Dropper Infections

Firepower Management Center: Single console for event, policy, and configuration management

Awareness Delivers Insight
• OS and version identified
• Server applications and version
• Client applications and client version
• Who is at the host
• What other systems / IPs did the user have, and when?

Threat Intelligence & Deployment Options

Understand risks using reputation scoring; see more through industry-leading research

Stop known threats from getting in
• URL Based: Block risky sites using a classified database of 270 million+ known URLs
• DNS Based: Get real-time threat intelligence based on 80 billion+ daily DNS requests
• IP Based: Filter out bad IPs using a blacklist of 70,000+ known IPs

Get real-time protection against global threats

Identify advanced threats, get specific intelligence, catch stealthy threats, stay protected with updates

Threat Intelligence: Security Coverage, Research, Response
• 250+ researchers
• 24 x 7 x 365 operations
• 1.5 million daily malware samples
• 600 billion daily email messages
• 16 billion daily web requests
• Telemetry from endpoints, devices, networks, NGIPS, and the web

Pick from many deployment modes

Firewall deployment modes
• Virtual or physical
• Routed or transparent
• Inline, inline tap, or passive
• Fail-to-wire NetMods and additional options

Firewall Clustering: Deliver scalable performance across many sites

• Link scalability: increase throughput
• Distributed plan: handle more connections
• Inter-site clustering: combine up to 16 individual units (e.g., Location A: Austin and Location B: Boston)

Platforms: Performance and Scalability

Cisco NGFW Product Family: Four Categories (select models pictured)
• ASA low-end, including hardened FW for IoT/E
• SMB & Distributed Enterprise
• Commercial & Enterprise
• Data Center, High Performance Computing, Service Provider

Models pictured, low to high end: ASA 5506-X, ASA 5506W-X, ASA 5508-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X with SSP10, SSP20, SSP40, SSP60

New Appliances: Cisco Firepower™ 4100 Series and 9300
Virtual Appliances: ASAv, FTDv

Cisco Firepower 4100 Series: Introducing four new high-performance models

Performance and Density Optimization
• 10-Gbps and 40-Gbps interfaces
• Up to 80-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency

Unified Management
• Single management interface with Firepower Threat Defense
• Unified policy with inheritance
• Choice of management deployment options

Multiservice Security
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third-party services

Firepower 4100 Overview (1RU)

Built-in Supervisor and Security Module
• Same hardware and software architecture as 9300
• Fixed configurations (4110, 4120, 4140, 4150)

Network Modules
• 10GE/40GE interchangeable with 9300
• Partially overlapping fail-to-wire controller options

Cisco Firepower 9300 Platform: Modular, Carrier Class, Multiservice Security

Multiservice Security
Benefits
• Integration of best-in-class security
• Dynamic service stitching
Features*
• Cisco® ASA container
• Cisco Firepower™ Threat Defense containers: NGIPS, AMP, URL, AVC
• Third-party containers: Radware DDoS, other ecosystem partners

Modular
Benefits
• Standards and interoperability
• Flexible architecture
Features
• Template-driven security
• Secure containerization for customer apps
• RESTful/JSON API
• Third-party orchestration and management

Carrier Class
Benefits
• Industry-leading performance: 600% higher performance, 30% higher port density
Features
• Compact, 3RU form factor
• 10-Gbps/40-Gbps I/O; 100-Gbps ready
• Terabit backplane
• Low latency, intelligent fast path
• Network Equipment-Building System (NEBS) ready

* Contact Cisco for services availability

Firepower 9300 Overview (3RU): High-speed, scalable security

Supervisor
• Application deployment and orchestration
• Network attachment and traffic distribution
• Clustering base layer for ASA/FTD

Security Modules
• Embedded Smart NIC and crypto hardware
• Cisco (ASA, FTD) and third-party (Radware DDoS) applications
• Standalone or clustered within and across chassis

Network Modules
• 10GE, 40GE, and 100GE
• Hardware bypass for inline NGIPS

Firepower 9300 Security Modules
• Same modules must be installed across the entire chassis or cluster
• SM-44: 88 x86 CPU cores (10-15% higher performance than SM-36)
• SM-36: 72 x86 CPU cores
• SM-24: 48 x86 CPU cores
• FXOS release noted on the slide: 2.0.1

Network Modules
• All external network modules require fiber or copper transceivers
• Support online insertion and removal

Standard Network Modules (FXOS release noted on the slide: 1.1.4)
• 8x10GE: Firepower 4100 and 9300; single width; 1GE/10GE SFP
• 4x40GE: Firepower 4100 and 9300; single width; 4x10GE breakouts for each 40GE port
• 2x100GE: Firepower 9300 only; double width; QSFP28 connector; no breakout support

Fail-to-Wire Network Modules (FXOS release noted on the slide: 2.0.1)
• Fixed interfaces, no removable SFP support
• NGIPS inline interfaces for standalone FTD 6.1 only
• Sub-second reaction time to application, software, or hardware failure
• 6x1GE: Firepower 4100 only; single width; 1GE fiber SX
• 6x10GE: Firepower 4100 and 9300; single width; 10GE SR or LR
• 2x40GE: Firepower 4100 and 9300; single width; 40GE SR4; no 10GE breakout support

Simple Platform Management

[Screenshots: Home Screen, Interface Status, Interface Configuration, Logical Device Status]

FireSIGHT Demo