NGFW Policy Order Of Operations - Cisco
© 2018 Cisco Systems, Inc. All rights reserved.
NGFW Policies: Efficiently Building Zero-Trust
[Figure: policy pipeline, stages left to right: Layer 2-4 Fast Path; IP Security Blocking; Layer 3-7, Security Group Tag, and Identity Matching; Threat Inspection and Blocking; Leaf Domain; Final Action (Block, IPS, Network Discovery)]
• Like traditional firewall policies, rules run from top to bottom
• Some functions (fast path, IPSec, SSL, and traffic normalization) run before traffic is matched against an Access Control Rule
• Good to always be reducing the potential number of rules that any traffic pattern can hit
• Example: the SSH application matches more traffic than tcp/22 alone
• Caveat: a rule that matches on application without port information means some packets will potentially pass until the app is detected
• Each matched ACL rule has its own threat monitoring conditions (IPS, Malware, IPS Variables)
• The model can apply to policy “blocks” and/or leaf-domains
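The following is an added example, not code from the Cisco deck: a simplified first-match rule evaluator that models the caveat above. The rule names, ports, the "balanced" IPS policy label, and the assumption that the application is identified after three packets are all constructed; the model that an app-only condition simply cannot match before identification (so the packet falls through to the next rule) is a simplification of how a real NGFW defers application matching.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    seq: int
    proto: str
    dst_port: int
    app: Optional[str]  # None until the engine has identified the application


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "block"
    proto: Optional[str] = None       # L4 conditions are known from the first packet
    dst_port: Optional[int] = None
    app: Optional[str] = None         # L7 condition: needs the app to be identified first
    ips_policy: Optional[str] = None  # each rule carries its own inspection settings (constructed label)

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        if self.app is not None and self.app != p.app:
            # p.app is None while the app is unknown, so an app-only rule
            # cannot match the first packets of the flow (simplified model)
            return False
        return True


def first_match(rules: List[Rule], p: Packet,
                default: str = "block") -> Tuple[str, str, Optional[str]]:
    """Top-to-bottom, first-match evaluation; the default action applies when nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.name, r.action, r.ips_policy
    return "default", default, None


def simulate_flow(rules: List[Rule], dst_port: int, app: str,
                  packets_to_identify: int = 3) -> List[Tuple[int, str, str]]:
    """Decisions (seq, rule name, action) for one TCP flow whose application is
    only known after `packets_to_identify` packets (constructed timing)."""
    decisions = []
    for seq in range(1, packets_to_identify + 3):
        seen_app = app if seq > packets_to_identify else None
        pkt = Packet(seq, "tcp", dst_port, seen_app)
        name, action, _ = first_match(rules, pkt)
        decisions.append((seq, name, action))
    return decisions


def packets_passed_before_block(decisions: List[Tuple[int, str, str]]) -> int:
    """How many packets of the flow were allowed before a block decision was reached."""
    passed = 0
    for _, _, action in decisions:
        if action == "block":
            return passed
        passed += 1
    return passed


# Constructed rule sets: one relies on the SSH application alone, the other
# also carries an L4 rule for tcp/22 ahead of it.
APP_ONLY = [
    Rule("block-ssh-app", "block", app="SSH"),
    Rule("allow-outbound", "allow", ips_policy="balanced"),
]
APP_AND_PORT = [
    Rule("block-ssh-port", "block", proto="tcp", dst_port=22),
    Rule("block-ssh-app", "block", app="SSH"),
    Rule("allow-outbound", "allow", ips_policy="balanced"),
]

if __name__ == "__main__":
    for label, rules in (("app only", APP_ONLY), ("port + app", APP_AND_PORT)):
        for port in (22, 2222):
            d = simulate_flow(rules, port, "SSH")
            print(f"{label:10} tcp/{port}: {packets_passed_before_block(d)} packet(s) passed before block")
```

Running the simulation shows both halves of the slide's point: the L4 rule stops an SSH flow on tcp/22 at its first packet, but SSH on a non-standard port is only caught by the application rule, and with either rule set those first packets reach the later allow rule (and its attached IPS policy) until the app is identified.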
Packets and Policies: Know What’s Happening Where
[Figure: packet flow diagram. ASA/Lina side labels: RX Ingress Interface, Existing Conn (Y/N), VPN Decrypt, Fastpathed, Prefilter Policy / Pre-Filter, L3/L4 ACL, ALG Checks, NAT, L3/L2 Hops, QoS, VPN Encrypt, VPN Config, DAQ, TX Egress Interface. Firepower side labels: SI (IP), SSL, SI: DNS, URL Pre-proc, NAP, Identity (Pasv ID, Host, App, IPS ID), L7 ACL, Discovery, IPS, File/AMP]
Knowing your detection process impacts:
• How you analyze the data
• How you tune your security appliance
[Figure: “Element Enabled in AC Policy”, showing the ACP Rule Chain (L7 ACL, IPS, File/AMP) and the policies attached to the Access Control Policy: Intrusion Policy, Network Discovery Policy, Network Analysis Policy (NAP), Malware & File Policy, Identity Policy, DNS Policy, SSL Policy, and $VAR Objects]