Cisco Threat-Focused Next Generation Firewall
Transcript of Cisco Threat-Focused Next Generation Firewall
Chad Mitchell – CCIE #44090 – Security Consulting Systems Engineer
November 2016
Strategic Imperatives
• Visibility-Driven: Network-Integrated, Broad Sensor Base, Context and Automation
• Threat-Focused: Continuous Advanced Threat Protection, Security Intelligence
• Platform-Based: Agile and Open Platforms, Built for Scale, Consistent Control, Management
Across Network, Endpoint, Mobile, Virtual and Cloud
Focus on the Apps… But Miss the Threat
The Problem with Legacy Next-Generation Firewalls
Legacy NGFWs can reduce attack surface area, but advanced malware often evades security controls.
• They can’t help you once you’ve been breached…
• They’re only app-focused…
• They’re another silo to manage…
[Figure: Attack Continuum (BEFORE, DURING, AFTER) with NGFW, IPS, Acceptable use, DDoS and Sandbox shown as separate products while the threat passes through]
Other “next-generation” firewalls fix some problems but create new ones
• They protect before an attack but are less effective during or after one (Attack Continuum: BEFORE, DURING, AFTER; the GAP lies in the during and after phases)
• Typical NGFW: enable applications
• Silos: DDoS, Sandbox, URL, IPS, Incident Response

Cisco Firepower™ NGFW: stop more threats across the entire attack continuum
• BEFORE: Discover threats and enforce security policies
• DURING: Detect, block, and defend against attacks
• AFTER: Remediate breaches and prevent future attacks
“You can’t protect what you can’t see”
Gain more insight with increased visibility
[Figure: visibility coverage compared for a Typical IPS, a Typical NGFW and the Cisco Firepower™ NGFW across Threats, Users, Web applications, Application protocols, File transfers, Malware, Command and control servers, Client applications, Operating systems, Routers and switches, Network servers, Printers, VoIP phones and Mobile devices]
Cisco Firepower™ Management Center
Reduce complexity with simplified, consistent management
Unified
• Network-to-endpoint visibility
• Manages firewall, applications, threats, and files
• Track, contain, and recover remediation tools
Scalable
• Central, role-based management
• Multitenancy
• Policy inheritance
Automated
• Impact assessment
• Rule recommendations
• Remediation APIs
Detect infections earlier and act faster
Cisco: 17.5 hours vs. industry TTD rate:* 100 days
• Automated attack correlation
• Indications of compromise
• Local or cloud sandboxing
• Malware infection tracking
• Two-click containment
• Malware analysis
Source: Cisco® 2016 Annual Security Report. *Median time to detection (TTD)
Services: AMP, Stateful Firewalling, AVC, URL Filtering, NGIPS, VPN Capabilities
Add security services to help defend your network
Foundational Functionality (included by default): built-in firewall services to provide base protection and connect with other security solutions
• Stateful Firewalling
• VPN Capabilities
• Policy Enforcement Point for ISE
FirePOWER Services: subscription services that run on the ASA and provide enhanced levels of threat protection and network visibility
• Advanced Malware Protection
• Next-Generation Intrusion Prevention System
• URL Filtering
• Application Visibility and Control
URL Filtering: minimize your exposure to web-based threats
• Restrict categories of URLs: filter out over 280 million URLs based on any of the 80+ categories into which they are grouped; new URLs are added daily
• Block specific URLs: restrict access to specific sites and subsites
• Example policy: Social Media (allowed), Health (allowed), Gambling (restricted), Drug Use (restricted), Gaming (restricted)
• Change policies easily: use the refined user interface to make additions or changes with just a few clicks
NGIPS: protect the network more effectively, reduce IT management burden, gain unmatched visibility and threat detection
• NGIPS automatically correlates information from intrusion events with network assets to prioritize threat investigation (Priority 1, Priority 2, Priority 3)
• Blended threats and attacks coming through multiple vectors are quickly identified
• Policies can be updated automatically based on vulnerabilities and previous intrusion events
• Admins can make adjustments to policies and system settings across locations from a single location, even offsite
Advanced Malware Protection: protect against the most advanced forms of malware and remediate after a breach
Point-in-time Protection: identify malware that other solutions miss by analyzing files based on reputation or suspicious behavior. AMP is continuously updated to ensure that it can stop the latest and most advanced forms of malware.
Continuous Protection: defend against attacks even after a file passes the perimeter. AMP tracks files as they move around the network; if they turn out to be malicious, you can quickly determine areas of impact and remediate quickly.
Continuous analysis capabilities: Trajectory, Behavioral Indications of Compromise, Breach Hunting, Retrospection, Attack Chain Weaving
Point-in-time detection techniques: One-to-One Signature, Fuzzy Fingerprinting, Machine Learning, Dynamic Analysis, Advanced Analytics, Device Flow Correlation, Indications of Compromise
Application Visibility and Control: reduce attack surfaces by controlling application access
• Control port- and protocol-hopping apps that evade traditional firewalls
• Limit the exposure created by social media applications
• Enforce acceptable use policies with granular control over applications and micro-applications
• Use custom application detectors / OpenAppID
Leverage the proven ASA Firewall capabilities
Standard Functions: IP Fragmentation, IP Option Inspection, TCP Intercept, TCP Normalization, ACL, NAT, Routing
New ASA Features
• Clientless tagging, WebVPN support for OWA 2013 and XenDesktop 7.5
• TLS 1.2
• ECMP support, IPv6 BGP
• Standards-based IKEv2 support; Citrix HTML5 browser support
• VPN clients: Win7, 8.1, 8.1 phone client, iOS 8, Knox and strongSwan
• Full VXLAN support
• Policy-based Routing
• REST API and SNMP enhancement
VPN Capabilities: extend protection to off-site users
Threat Protection ✓, Data-loss Prevention ✓, Acceptable Use ✓, Access Control ✓
• Diverse Endpoint Support: mobile and non-mobile devices; Cisco and non-Cisco devices
• Broad VPN Deployment: AnyConnect 4.0 and 3rd-party VPNs; single- and multi-site deployments
• Split Tunneling Capabilities: corporate and sensitive information vs. personal and generic information
Cisco FireSIGHT provides unmatched visibility for accurate threat detection and adaptive defense, covering: Threats, Users, Web Applications, Application Protocols, File Transfers, Malware, Command & Control, Operating Systems, Client Applications, Network Servers, Mobile Devices
Impact Assessment
Correlates all intrusion events to an impact of the attack against the target

IMPACT FLAG | ADMINISTRATOR ACTION                    | WHY
1           | Act Immediately, Vulnerable             | Event corresponds to vulnerability mapped to host
2           | Investigate, Potentially Vulnerable     | Relevant port open or protocol in use, but no vuln mapped
3           | Good to Know, Currently Not Vulnerable  | Relevant port not open or protocol not in use
4           | Good to Know, Unknown Target            | Monitored network, but unknown host
0           | Good to Know, Unknown Network           | Unmonitored network
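The impact-flag logic in the table above is simple enough to model directly, which is useful when reproducing the NGIPS "correlate events with assets to prioritize investigation" behaviour against an exported event feed. The following Python is an added illustration, not Cisco code: the host inventory, monitored network, event fields and vulnerability ids are all constructed placeholders.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Host:                 # host profile as network discovery would build it
    ip: str
    open_ports: set = field(default_factory=set)  # {(protocol, port)} seen in use
    vulns: set = field(default_factory=set)       # vulnerability ids mapped to the host

@dataclass(frozen=True)
class IntrusionEvent:       # one intrusion event; vulns = ids the rule is associated with
    dst_ip: str
    protocol: str
    dst_port: int
    vulns: frozenset

# Administrator action per impact flag, as in the table above; PRIORITY is the
# investigation order, most urgent first.
ACTION = {1: "Act Immediately, Vulnerable", 2: "Investigate, Potentially Vulnerable",
          3: "Good to Know, Currently Not Vulnerable", 4: "Good to Know, Unknown Target",
          0: "Good to Know, Unknown Network"}
PRIORITY = [1, 2, 3, 4, 0]

# Constructed inventory (one monitored network, two discovered hosts) and
# constructed events, one per table row; vulnerability ids are placeholders.
MONITORED = [ip_network("10.1.0.0/16")]
HOSTS = {"10.1.1.10": Host("10.1.1.10", {("tcp", 80)}, {"VULN-WEB-1"}),
         "10.1.1.20": Host("10.1.1.20", {("tcp", 445)}, set())}
EVENTS = [IntrusionEvent("10.1.1.10", "tcp", 80, frozenset({"VULN-WEB-1"})),
          IntrusionEvent("10.1.1.20", "tcp", 445, frozenset({"VULN-SMB-9"})),
          IntrusionEvent("10.1.1.10", "tcp", 22, frozenset({"VULN-SSH-3"})),
          IntrusionEvent("192.0.2.7", "tcp", 80, frozenset({"VULN-WEB-1"})),
          IntrusionEvent("10.1.1.99", "tcp", 445, frozenset({"VULN-SMB-9"}))]

def impact_flag(ev, hosts=HOSTS, monitored=MONITORED):
    # Apply the table rows in order of how much is known about the target.
    if not any(ip_address(ev.dst_ip) in net for net in monitored):
        return 0   # unmonitored network
    host = hosts.get(ev.dst_ip)
    if host is None:
        return 4   # monitored network, but unknown host
    if ev.vulns & host.vulns:
        return 1   # event corresponds to a vulnerability mapped to the host
    if (ev.protocol, ev.dst_port) in host.open_ports:
        return 2   # relevant port open or protocol in use, but no vuln mapped
    return 3       # relevant port not open or protocol not in use

def prioritize(events, **kw):
    # (flag, administrator action, event) triples, most urgent first.
    flagged = sorted(((impact_flag(e, **kw), e) for e in events),
                     key=lambda fe: PRIORITY.index(fe[0]))
    return [(f, ACTION[f], e) for f, e in flagged]
```

The quality of the result depends entirely on the host profiles: a host with stale open-port or vulnerability data will be flagged 2 or 3 instead of 1, so discovery data freshness is what makes the triage trustworthy.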
Indications of Compromise (IoCs)
• IPS Events: Malware Backdoors, CnC Connections, Exploit Kits, Admin Privilege Escalations, Web App Attacks
• SI Events: Connections to Known CnC IPs
• Malware Events: Malware Detections, Malware Executions, Office/PDF/Java Compromises, Dropper Infections
Awareness Delivers Insight
• OS & version identified
• Server applications and version
• Client applications and client version
• Who is at the host
• What other systems / IPs did the user have, and when?
Understand risks using reputation scoring; see more through industry-leading research
Stop known threats from getting in
• URL Based: block risky sites using a classified database of 270 million+ known URLs
• DNS Based: get real-time threat intelligence based on 80 billion+ daily DNS requests
• IP Based: filter out bad IPs using a blacklist of 70,000+ known IPs
Get real-time protection against global threats
Identify advanced threats | Get specific intelligence | Catch stealthy threats | Stay protected with updates
Threat Intelligence drawn from Endpoints, Devices, Networks, NGIPS and the Web: 250+ researchers, 24 x 7 x 365 operations (Security Coverage, Research, Response)
• 1.5 million daily malware samples
• 600 billion daily email messages
• 16 billion daily web requests
Pick from many deployment modes
• Firewall deployment modes: Routed, Transparent (virtual or physical)
• Inline or Passive: Inline, Inline Tap, Passive
• Fail-to-wire NetMods
• Additional options
Firewall Clustering: deliver scalable performance across many sites
• Link Scalability: increase throughput
• Distributed Plan: handle more connections
• Inter-site Clustering: combine up to 16 individual units (e.g. Location A: Austin, Location B: Boston)
Cisco NGFW Product Family: Four Categories (Select Models Pictured)
[Figure: models arranged along an axis of performance and scalability, from ASA low-end (including hardened FW for IoT/E) through SMB & Distributed Enterprise and Commercial & Enterprise to Data Center, High Performance Computing and Service Provider]
Models pictured: ASA 5506-X, ASA 5506W-X, ASA 5508-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-SSP10, ASA 5585-SSP20, ASA 5585-SSP40, ASA 5585-SSP60
New Appliances: Cisco Firepower™ 4100 Series and 9300
Virtual Appliances: ASAv, FTDv
Cisco Firepower 4100 Series: introducing four new high-performance models
Multiservice Security
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third party
Performance and Density Optimization
• 10-Gbps and 40-Gbps interfaces
• Up to 80-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency
Unified Management
• Single management interface with Firepower Threat Defense
• Unified policy with inheritance
• Choice of management deployment options

Firepower 4100 Overview (1RU)
Built-in Supervisor and Security Module
• Same hardware and software architecture as 9300
• Fixed configurations (4110, 4120, 4140, 4150)
Network Modules
• 10GE/40GE interchangeable with 9300
• Partially overlapping fail-to-wire controller options
Cisco Firepower 9300 Platform
Multiservice Security
• Benefits: integration of best-in-class security; dynamic service stitching
• Features*: Cisco® ASA container; Cisco Firepower™ Threat Defense containers (NGIPS, AMP, URL, AVC); third-party containers (Radware DDoS, other ecosystem partners)
Modular
• Benefits: standards and interoperability; flexible architecture
• Features: template-driven security; secure containerization for customer apps; RESTful/JSON API; third-party orchestration and management
Carrier Class
• Benefits: industry-leading performance (600% higher performance, 30% higher port density)
• Features: compact, 3RU form factor; 10-Gbps/40-Gbps I/O, 100-Gbps ready; terabit backplane; low latency, intelligent fast path; Network Equipment-Building System (NEBS) ready
* Contact Cisco for services availability
Firepower 9300 Overview (3RU): high-speed, scalable security
Security Modules
• Embedded Smart NIC and crypto hardware
• Cisco (ASA, FTD) and third-party (Radware DDoS) applications
• Standalone or clustered within and across chassis
Supervisor
• Application deployment and orchestration
• Network attachment and traffic distribution
• Clustering base layer for ASA/FTD
Network Modules
• 10GE, 40GE, and 100GE
• Hardware bypass for inline NGIPS

Firepower 9300 Security Modules
• Same modules must be installed across entire chassis or cluster
• SM-44: 88 x86 CPU cores (10-15% higher performance than SM-36)
• SM-36: 72 x86 CPU cores
• SM-24: 48 x86 CPU cores
FXOS 2.0.1
Standard Network Modules
• All external network modules require fiber or copper transceivers
• Support online insertion and removal
• 8x10GE: Firepower 4100 and 9300; single width; 1GE/10GE SFP
• 4x40GE: Firepower 4100 and 9300; single width; 4x10GE breakouts for each 40GE port
• 2x100GE: Firepower 9300 only; double width; QSFP28 connector; no breakout support

FXOS 1.1.4
Fail-to-Wire Network Modules
• Fixed interfaces, no removable SFP support
• NGIPS inline interfaces for standalone FTD 6.1 only
• Sub-second reaction time to application, software, or hardware failure
• 6x1GE: Firepower 4100 only; single width; 1GE fiber SX
• 6x10GE: Firepower 4100 and 9300; single width; 10GE SR or LR
• 2x40GE: Firepower 4100 and 9300; single width; 40GE SR4; no 10GE breakout support
FXOS 2.0.1