Cisco Confidential© 2016 Cisco and/or its affiliates. All rights reserved. 1
Your Time Is Now
Putting Firepower into the Next Generation Firewall
Jason Maynard, Consulting Systems Engineer, Cybersecurity
CCIE, CC[N|I|D]P, SFCE, C|EH, RCSS, GICSP, GPEN
#FE80CC1E
http://cs.co/Jason_Maynard_YouTube_Channel
Firepower Threat Defense

ASA (L2-L4)
• L2-L4 Stateful Firewall
• Scalable CGNAT, ACL, routing
• Application inspection

Firepower (L7)
• Threat-Centric NGIPS
• AVC, URL Filtering for NGFW
• Advanced Malware Protection

Full feature set, with continuous feature migration from ASA with Firepower Services into Firepower Threat Defense: a single converged OS covering firewall, URL, visibility and threats, managed by Firepower Management Center (FMC)*.
What are the Firepower Deployment Options?

• Firepower Appliances (FirePOWER Services / NGIPS): Firepower 7000 / 7100 / 8000 / Virtual
• ASA with Firepower Services (ASA 9.5.x): ASA 5500-X (all models)
• Firepower Threat Defense: ASA 5500-X / Virtual, Firepower 2100 / 4100 / 9300

Note: the ASA 5585 cannot run the FTD image!
All managed by Firepower Management Center.
Feature Comparison: ASA with Firepower Services and Firepower Threat Defense

Similarities
Feature                    | Firepower Threat Defense                                        | Firepower Services for ASA
Routing + NAT              | ✔ (OSPF, BGP, Static, RIP, Multicast, EIGRP/PBR via FlexConfig) | ✔ (OSPF, BGP, EIGRP, static, RIP, Multicast)
OnBox Management           | ✔                                                               | ✔
HA (Active/Passive)        | ✔                                                               | ✔
Clustering (Active/Active) | ✔                                                               | ✔
Site to Site VPN           | ✔                                                               | ✔
Policy based on SGT tags   | ✔                                                               | ✔

Differences
Feature                                     | Firepower Threat Defense                                         | Firepower Services for ASA
Unified ASA and Firepower rules and objects | ✔                                                                | ✘
Hypervisor Support                          | ✔ (AWS, VMware, KVM, Azure 6.2)                                  | ✘
Smart Licensing Support                     | ✔                                                                | ✘
Multi-Context Support                       | ✘ (Coming Soon!)                                                 | ✔
Remote Access VPN                           | ✔ (6.2.1 – 2100; 6.2.2 – Virtual, 5500-X midrange, 4100, 9300)   | ✔

Note: Not an exhaustive feature list
OpenAppID

Next-generation visibility with OpenAppID: Application Visibility & Control
• See and understand risks
• Enforce granular access control
• Prioritize traffic and limit rates
• Create detectors for custom apps

Cisco database
• 4,000+ apps
• 180,000+ micro-apps
[Diagram: application database applied across network & users to prioritize traffic]
Web acceptable use controls and threat prevention
URL Filtering – Security Intelligence Feeds – DNS Sinkhole capability
• Classify 280M+ URLs
• Filter sites using 80+ categories
• Manage “allow/block” lists easily
• Block latest malicious URLs
[Diagram: admin creates category-based allow/block policy from the Cisco URL database; NGFW filtering draws on security feeds (URL | IP | DNS), DNS sinkhole and Safe Search]
Granular SSL Decryption Capabilities
SSL/TLS handshake certificate inspection and TLS decryption engine
• Decrypt 3.5 Gbps traffic over five million simultaneous flows
• Inspect deciphered packets
• Track and log all SSL sessions
[Diagram: encrypted traffic enters the SSL decryption engine; deciphered packets go to AVC and NGIPS for enforcement decisions (for example URL categories such as gambling or illicit content) and every SSL session is logged]
Upcoming Webinar! Firepower Threat Defense: SSL Decryption
Discover 3 Ways to Solve the Encrypted Traffic Dilemma

Encrypted traffic still giving you security headaches? Tired of policies that don’t address encrypted traffic?
If you're looking for an answer to these issues, Cisco Security has the solution for you.
Join Jason Maynard, Security Consulting Systems Engineer, in the upcoming webinar, Discover 3 Ways to Solve the Encrypted Traffic Dilemma, by using Cisco’s SSL Inspection feature built into Firepower Threat Defense.
• Block selected encrypted traffic without inspecting it
• Inspect selected encrypted traffic with access control
• Decrypt selected encrypted traffic with access control
See a hands-on demo deploying the solution from start to finish.
Register today!
Application and Context aware Intrusion Prevention
Next-Generation Intrusion Prevention System (NGIPS)
• Scan network traffic
• Correlate data (communications, app & device data, data packets)
• Detect stealthy threats: blended threats such as network profiling, phishing attacks, innocuous payloads and infrequent callouts
• Respond based on priority: prioritize response, accept or block, automate policies through ISE
Malware and ransomware detection and blocking
Cisco AMP Threat Grid (Advanced Malware Protection and cloud sandboxing)
• Block known malware
• Investigate files safely
• Detect new threats
• Respond to alerts

File Reputation
• Known Signatures
• Fuzzy Fingerprinting
• Indications of compromise

Threat Grid Sandboxing
• Advanced Analytics
• Dynamic analysis
• Threat intelligence

[Diagram: AMP for Network and AMP for Endpoint logs feed file & device trajectory; unknown files go to sandbox analysis, which returns a threat disposition of Safe, Uncertain or Risky that is then enforced across all endpoints]
FlexConfig
• Provides a way to configure ASA features not exposed directly by Firepower Management Center
• EIGRP Routing
• PBR
• ISIS Routing
• NetFlow (NSEL) export
• VXLAN
• ALG inspections
• IPv6 header inspection
• BFD
• Platform Sysopt commands
• WCCP
Cisco ASA 5500-X: SMB and Enterprise Branch NGFW

5506 / 5508 / 5516 Performance
• 1-Gbps interfaces
• Up to 450 Mbps throughput
• Wireless Option for 5506-X
• Software Switching capability
• Firepower Threat Defense or ASA Software Options

5525 / 5545 / 5555 Performance
• 1-Gbps interfaces
• Up to 1.2 Gbps throughput
• 5545 / 5555 Redundant Power Supply and SSD option
• Firepower Threat Defense or ASA Software Options

Unified Management
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On Box Manager)
• Cisco Defense Orchestrator (Cloud Management)
Cisco Firepower 2100 Series: Purpose Built NGFW
Introducing four high-performance models

Performance and Density Optimization
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• 1-Gbps and 10-Gbps interfaces
• Up to 8.5-Gbps throughput
• 1-rack-unit (RU) form factor
• Dual SSD slots
• 12x RJ45 ports, 4x SFP(+)
• 2130 / 2140 Models: 1x Network Module, Fail to Wire Option, DC & Dual PSU support

Unified Management
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On Box Manager)
• Cisco Defense Orchestrator (Cloud Management)
Firepower 2100 Series Performance

                                   | FPR 2110 | FPR 2120 | FPR 2130  | FPR 2140
Throughput NGFW                    | 1.9 Gbps | 3 Gbps   | 4.75 Gbps | 8.5 Gbps
Throughput NGFW + IPS              | 1.9 Gbps | 3 Gbps   | 4.75 Gbps | 8.5 Gbps
Maximum concurrent sessions        | 1 M      | 1.2 M    | 2 M       | 3.5 M
Maximum new connections per second | 12,000   | 16,000   | 24,000    | 40,000

Note: Early Performance Numbers
NO DROP IN PERFORMANCE!
Cisco Firepower 4100 Series: High performance campus and data center

Performance and Density Optimization
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• 10-Gb and 40-Gb interfaces
• Up to 24-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency

Multiservice Security
• Radware DefensePro DDoS
• ASA and other future third party

Unified Management
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On Box Manager)
• Cisco Defense Orchestrator (Cloud Management)
Cisco Firepower 9300 Platform: High performance data center
Modular – Carrier Class – Multiservice Security

Benefits
• Integration of best-in-class security
• Dynamic service stitching
Features*
• ASA container option
• Firepower™ Threat Defense: NGIPS, AMP, URL, AVC
• Third-party containers: Radware DDoS

Benefits
• Standards and interoperability
• Flexible architecture
Features
• Template-driven security
• Secure containerization for customer apps
• RESTful/JSON API
• Third-party orchestration and management

Features
• Compact, 3RU form factor
• 10-Gbps/40-Gbps I/O; 100-Gbps ready
• Terabit backplane
• Low latency, intelligent fast path
• Network Equipment-Building System (NEBS) ready

* Contact Cisco for services availability
Cisco NGFW Platforms
NGFW capabilities all managed by Firepower Management Center
• Firepower Threat Defense for ASA 5500-X: 250 Mb -> 1.75 Gb (NGFW + IPS throughput)
• Firepower 2100 Series: 2 Gb -> 8 Gb (NGFW + IPS throughput)
• Firepower 4100 Series and Firepower 9300: 41xx = 10 Gb -> 24 Gb, 93xx = 24 Gb -> 53 Gb; up to 6x with clustering!
Software Support – Physical Platforms

Platform                               | ASA    | Firepower NGIPS | ASA with FirePOWER Services | Firepower Threat Defense
ASA 5506-X -> 5555-X (all models)      | ✓      |                 | ✓                           | ✓
Firepower 2100 (all models)            | Future |                 |                             | ✓
Firepower 4100 (all models)            | ✓      |                 |                             | ✓
Firepower 9300 (all models)            | ✓      |                 |                             | ✓
ASA 5585 (with SSP blade)              | ✓      |                 | ✓                           |
Firepower 7000 / 8000 (IPS appliances) |        | ✓               |                             |
Software Support – Virtual Platforms

Platform                                   | ASA | Firepower NGIPS | Firepower Threat Defense
ASAv (vSphere, AWS, Azure, Hyper-V, KVM)   | ✓   |                 |
Firepower NGIPSv (vSphere + ISR UCS-E)     |     | ✓               |
Firepower NGFWv (vSphere, AWS, Azure, KVM) |     |                 | ✓
Management Options

• On-box – Firepower Device Manager: enables easy on-box management of common security and policy tasks
• Centralized – Firepower Management Center: enables comprehensive security administration and automation of multiple appliances
• Cloud-based – Cisco Defense Orchestrator: enables centralized cloud-based policy management of multiple deployments
Firepower Device Manager
• On-box manager for managing a single Firepower Threat Defense device
• Targeted for SMB market
• Designed for Networking/Security Administrator
• Simple & Intuitive
• Mutually Exclusive from FMC
• CLI for troubleshooting
Firepower Management Center
• Single manager for Firepower Threat Defense
• Can also manage Firepower appliance and “Services” deployments
• Broadest set of security capabilities for Firepower platforms!
On-box vs Off-box: Firepower Management Center (Off-box) and Firepower Device Manager (On-box)
Capabilities compared:
• NAT & Routing
• Access Control
• Intrusion & Malware
• Device & Events Monitoring
• VPN – Site to Site & RA
• Security Intelligence
• Other Policies: SSL, Identity, Rate Limiting (QoS) etc.
• Active/Passive Authentications
• Firewall Mode: Routed / Transparent (FMC) vs Routed (FDM)
• Threat Intelligence & Analytics
• Correlation & Remediation
• Risk Reports
• Device Setup Wizard
• Interface Port-Channel
• High Availability
Troubleshooting: Packet Tracer
• Displays logs for a single simulated (virtual) packet
• Tracing data will include information from Snort & preprocessors about verdicts and actions taken while processing a packet
Troubleshooting: Packet Capture with Trace
• Captures and displays packets from live traffic
• Allows PCAP file download of the capture buffer
Lookup features – Geolocation & WHOIS
Lookup Feature: URL
ISE remediation using pxGrid
Cisco Threat Intelligence Director (CTID)
• Uses customer threat intelligence to identify threats
• Automatically blocks supported indicators on Cisco NGFW
• Provides a single integration point for all STIX and CSV intelligence sources
Cisco Threat Intelligence Director Overview
Hail a TAXII!!
• Free source of TAXII feeds
• Website URL: http://hailataxii.com
• Multiple feeds
• To configure the TAXII intelligence source:
  • URL: http://hailataxii.com/taxii-discovery-service
  • USERNAME: guest
  • PASSWORD: guest
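The Threat Intelligence Director slides above describe one integration point for STIX and CSV intelligence sources (a TAXII feed such as Hail a TAXII among them) whose supported indicators are then blocked on the NGFW. The Python below is an added example, not code from this deck or from Cisco Threat Intelligence Director: it pulls the simple observables (IPv4 address, domain, URL) out of a constructed STIX 1.1 package and a constructed CSV flat file (the `type,value` column layout is this example's own assumption, not CTID's format), normalises them, and matches constructed connection events against the merged set, with parent-domain matching so a listed domain also catches its subdomains. It never contacts a TAXII server; the embedded package stands in for what a poll would return.

```python
"""Parse STIX 1.1 / CSV indicators and match constructed connection events.
Added example, not Cisco or CTID code; package, CSV layout and events are constructed."""
import csv
import io
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

CYBOX_PROPERTIES = "{http://cybox.mitre.org/cybox-2}Properties"
VALUE_TAGS = {  # CybOX value elements that carry an observable a firewall can act on
    "{http://cybox.mitre.org/objects#AddressObject-2}Address_Value": "ip",
    "{http://cybox.mitre.org/objects#DomainNameObject-1}Value": "domain",
    "{http://cybox.mitre.org/objects#URIObject-2}Value": "url",
}

def normalise(kind, value):
    """Canonical form so feed entries and observed values compare equal."""
    value = value.strip()
    if kind == "ip":
        return str(ipaddress.ip_address(value))  # rejects junk such as '1.2.3'
    if kind == "domain":
        return value.lower().rstrip(".")
    if kind == "url":
        parts = urlsplit(value)  # host is case-insensitive, the path is not
        return parts._replace(netloc=parts.netloc.lower()).geturl()
    raise ValueError(f"unknown indicator type {kind!r}")

def parse_stix(xml_text):
    """Collect simple observables from every cybox:Properties element."""
    found = {"ip": set(), "domain": set(), "url": set()}
    for props in ET.fromstring(xml_text).iter(CYBOX_PROPERTIES):
        for child in props:
            kind = VALUE_TAGS.get(child.tag)
            if kind and (child.text or "").strip():
                found[kind].add(normalise(kind, child.text))
    return found

def parse_csv(csv_text):
    """Flat-file source; the 'type,value' header is this example's assumption."""
    found = {"ip": set(), "domain": set(), "url": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        found[row["type"]].add(normalise(row["type"], row["value"]))
    return found

def covering_domain(indicators, host):
    """Listed domain equal to host or to one of its parents, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        if ".".join(labels[i:]) in indicators["domain"]:
            return ".".join(labels[i:])
    return None

def match_event(indicators, event):
    """Return the (kind, indicator) hits for one connection event."""
    hits = []
    if event.get("dst_ip") in indicators["ip"]:
        hits.append(("ip", event["dst_ip"]))
    parent = covering_domain(indicators, event["host"]) if event.get("host") else None
    if parent:
        hits.append(("domain", parent))
    url = normalise("url", event["url"]) if event.get("url") else None
    if url in indicators["url"]:
        hits.append(("url", url))
    return hits

# Constructed STIX 1.1 package, shaped like what a TAXII poll returns.
SAMPLE_STIX = """<stix:STIX_Package id="example:package-1" version="1.1.1"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2">
 <stix:Indicators>
  <stix:Indicator id="example:indicator-1"><indicator:Observable><cybox:Object>
   <cybox:Properties category="ipv4-addr"><AddressObj:Address_Value>198.51.100.23</AddressObj:Address_Value></cybox:Properties>
  </cybox:Object></indicator:Observable></stix:Indicator>
  <stix:Indicator id="example:indicator-2"><indicator:Observable><cybox:Object>
   <cybox:Properties><DomainNameObj:Value>Bad.Example.</DomainNameObj:Value></cybox:Properties>
  </cybox:Object></indicator:Observable></stix:Indicator>
  <stix:Indicator id="example:indicator-3"><indicator:Observable><cybox:Object>
   <cybox:Properties><URIObj:Value>http://bad.example/payload.bin</URIObj:Value></cybox:Properties>
  </cybox:Object></indicator:Observable></stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""
SAMPLE_CSV = "type,value\nip,203.0.113.9\ndomain,Phish.Example\n"  # constructed
SAMPLE_EVENTS = [  # constructed connection events, documentation address ranges only
    {"src_ip": "10.1.1.20", "dst_ip": "198.51.100.23"},
    {"src_ip": "10.1.1.21", "dst_ip": "192.0.2.5", "host": "cdn.bad.example"},
    {"src_ip": "10.1.1.22", "dst_ip": "192.0.2.1", "host": "good.example"},
    {"src_ip": "10.1.1.23", "dst_ip": "203.0.113.9", "host": "bad.example", "url": "http://BAD.example/payload.bin"},
]

def load_indicators():
    """One consolidated indicator set from both source formats."""
    merged = parse_stix(SAMPLE_STIX)
    for kind, values in parse_csv(SAMPLE_CSV).items():
        merged[kind] |= values
    return merged
```

Normalisation is where such a pipeline usually goes wrong: a feed entry of `Bad.Example.` and an observed host of `cdn.bad.example` only meet if both sides are lower-cased, stripped of the trailing dot and compared label by label, which is what `covering_domain` does. A real deployment would also carry the indicator's source and title through to the event so the analyst can see which feed fired.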
Use Case: Internet Edge Firewall Requirement

Connectivity and Availability Requirement:
• High Availability ROUTED mode
• Firewall should support Routed or Transparent Mode
Routing Requirements:
• Static and BGP Routing
• Dynamic NAT/PAT and Static NAT
Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption
Authentication Requirements:
• User authentication and device identity

Solution
Security Application: Firepower Threat Defense application with FMC
[Diagram: Internet edge with ISP / service provider, firewall pair in HA connected by port-channel, DMZ network and campus/private network]
Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains – the firewall is the router and gateway for local hosts.
• Transparent Mode is where the firewall acts as a bridge functioning at L2.
• Transparent mode firewall offers some unique benefits in the DC.
• Transparent deployment is tightly integrated with our ‘best practice’ data center designs.
[Diagram: routed-mode example – outside 10.1.1.0/24 with firewall address 10.1.1.1, inside 192.168.1.0/24 with firewall address 192.168.1.1; host IP 192.168.1.100, GW 192.168.1.1; NAT at the firewall]
Link and Platform Redundancy Capabilities
Firewall Link Aggregation – High Availability – Clustering
• LACP (Link Aggregation Control Protocol) link redundancy: resiliency with link failures
• Active / Standby HA
• Inter-chassis Clustering: combine up to 6 9300 blades or 4100 chassis
Dynamic NAT for Direct Internet Access
Automatic and Manual (complex) NAT Support for FTD including IPv6
Routing Protocol support
• OSPF and OSPFv3 (IPv6)
• BGP (IPv4 & IPv6)
• Static Route
• Tunneled Route support for VPNs
• Reverse Route Injection for VPNs
• Multicast Routing: IGMP, PIM
• EIGRP via FlexConfig
Rate limiting Cloud File Sharing Traffic
• QoS Policy is a new policy type with separate policy table
• Not associated with an Access Control Policy – directly associated with devices
FlexConfig for Internet Edge Use Case: Enable ICMP Inspection & Disable DNS Inspection
Prepend FlexConfig:
• Disables DNS Inspection to allow Umbrella DNSCrypt Traffic
Append FlexConfig:
• Enables ICMP and ICMP Error ASA Inspection Engines in Firepower
• Edit FlexConfig Text Object as below
FlexConfig for Internet Edge Use Case: IPv6 Prefix Delegation (IPv6-PD)
Prepend FlexConfig:
• Clears IPv6-PD on each deployment
Append FlexConfig:
• Enables outside interface (recipient of delegated prefix) for IPv6 prefix delegation
• Assigns one or more inside interfaces with a subnet and address from delegated prefix
• Trust IPv6 default route from IPv6 DHCP Server (Neighbor Advertisement)
Access Control Policy blocking inappropriate content

Granular SSL Decrypt: can specify by application, certificate fields / status, ciphers, etc.

Custom IPS Policy

Malware and File Analysis: attached to Access Policy
URL-Based Security Intelligence
• Extension of IP-based SI
• TALOS dynamic feed, 3rd party feeds and lists
• Multiple categories: Malware, Phishing, CnC, …
• Multiple Actions: Allow, Monitor, Block, Interactive Block, …
• Policy configured via Access Rules or black-list
• IoC tags for CnC and Malware URLs
• New Dashboard widget for URL SI
• Black/White-list URL with one click
[Screenshot: URL-SI Categories]
DNS Inspection
• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing
• Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence
[Screenshot: DNS List Action]
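To make the four DNS list actions concrete, here is an added Python example (not Cisco or Firepower code): it evaluates constructed DNS query log lines against constructed DNS lists, shows what the client actually receives for Monitor, Block, Domain Not Found and Sinkhole, matches parent domains so rotating fast-flux subdomains still hit the listed registered domain, and then correlates a later connection to the sinkhole address back to the real host, which the DNS event alone cannot identify when queries arrive through an internal resolver. The list names follow the slide; the evaluation order, the sinkhole address and the log format are this example's assumptions.

```python
"""Evaluate DNS Security Intelligence actions over constructed DNS and connection logs.
Added example, not Cisco code: lists, sinkhole address and log lines are constructed,
and first-match-in-list-order precedence is an assumption."""

SINKHOLE_IP = "192.0.2.254"  # constructed; in FTD this comes from a sinkhole object

# Constructed DNS lists in evaluation order: (list name, action, domains).
DNS_LISTS = [
    ("CnC", "Sinkhole", {"c2.bad.example"}),
    ("Malware", "Domain Not Found", {"dl.bad.example"}),
    ("Phishing", "Block", {"login-verify.example"}),
    ("Spam", "Monitor", {"promo.example"}),
]

def parse_kv(line):
    """Turn 'timestamp k=v k=v ...' into a dict (timestamp kept under 'ts')."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = ts
    return fields

def lookup(qname):
    """(list name, action) for the first list covering qname or one of its parents.

    Parent matching is what defeats fast-flux: the throwaway subdomains rotate,
    the registered domain in the list does not.
    """
    labels = qname.lower().rstrip(".").split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]  # never the bare TLD
    for name, action, domains in DNS_LISTS:
        if any(c in domains for c in candidates):
            return name, action
    return None

def dns_verdict(qname, resolved_ip):
    """Map the matching list action onto what the querying client receives."""
    match = lookup(qname)
    if match is None:
        return "allow", resolved_ip
    action = match[1]
    if action == "Monitor":           # logged, answered normally
        return "monitor", resolved_ip
    if action == "Block":             # query dropped, client sees a timeout
        return "block", None
    if action == "Domain Not Found":  # forged NXDOMAIN reply
        return "nxdomain", None
    if action == "Sinkhole":          # forged A record pointing at the sinkhole
        return "sinkhole", SINKHOLE_IP
    raise ValueError(f"unknown action {action!r}")

def process_dns(log_lines):
    """Return [(src, qname, verdict, answer)] for each DNS query line."""
    out = []
    for line in log_lines:
        f = parse_kv(line)
        verdict, answer = dns_verdict(f["q"], f["a"])
        out.append((f["src"], f["q"], verdict, answer))
    return out

def infected_hosts(conn_lines):
    """Hosts that connected to the sinkhole address: the IoC NXDOMAIN cannot give you."""
    return {parse_kv(l)["src"] for l in conn_lines if parse_kv(l)["dst"] == SINKHOLE_IP}

# Constructed logs. The DNS source is the internal resolver 10.1.1.53, so the DNS
# event alone does not say which host asked; the follow-up sinkhole connection does.
DNS_LOG = [
    "2017-06-01T10:00:01 src=10.1.1.53 q=www.c2.bad.example a=198.51.100.7",
    "2017-06-01T10:00:02 src=10.1.1.53 q=dl.bad.example a=198.51.100.8",
    "2017-06-01T10:00:03 src=10.1.1.53 q=login-verify.example a=203.0.113.5",
    "2017-06-01T10:00:04 src=10.1.1.53 q=promo.example a=203.0.113.6",
    "2017-06-01T10:00:05 src=10.1.1.53 q=www.example.org a=203.0.113.7",
]
CONN_LOG = [
    "2017-06-01T10:00:06 src=10.1.1.20 dst=192.0.2.254 dport=443",
    "2017-06-01T10:00:07 src=10.1.1.35 dst=203.0.113.7 dport=443",
]

if __name__ == "__main__":
    for row in process_dns(DNS_LOG):
        print(row)
    print("hosts that reached the sinkhole:", infected_hosts(CONN_LOG))
```

The design point is the difference between the last three actions: Block and Domain Not Found both stop the lookup, but only Sinkhole leaves a trail that names the infected host, because the host then tries to connect to an address you control. That is why the slide pairs DNS Security Intelligence with Indications of Compromise.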
Identity Policy based on Passive Authentication: attaches to Access Control Policy

Access Control Policy Identity Control: can mix and match AD & ISE Identity Groups (Guest, BYOD, etc.)
Active Directory “Realm” Configuration
• Multiple Entries
• LDAP / LDAPS
• Assigned to Identity Policy for Active or Passive Authentication
ISE Integration
• pxGrid feed to retrieve from ISE:
  • AD Username (Group lookup via AD Realm)
  • Device type profile & location
  • TrustSec Security Group Tag (SGT)
• Ability to exert control based on the above in rules, e.g. block HR users from using personal iPads
• Reduces ACL size and complexity
Identity Services Engine pxGrid Integration
• MUST install ROOT certificate (chain) on FMC that signed ISE pxGrid Cert
• MUST install ROOT certificate (chain) on ISE that signed FMC Cert
• Private keys not needed (of course!)
TrustSec Security Group Tag based identity from ISE: can also reference Identity Services Engine identified Device Profiles
External Authentication for Administration
• LDAP / AD or RADIUS
• Example allows “External Users” to be defined that exist in Active Directory for FMC or shell login
• Can stack multiple methods
Common and Recommended Practices
“DDoS Remains Biggest Threat of all Cyber-Attacks”
• DDoS is increasingly moving away from Denial and into Ransom as a motive or a smokescreen
• Cyber criminals now maintain and rent out botnets to mount DDoS attacks
• No one immune, few prepared
• DDoS continues to remain a top concern
[Chart: percentage of respondents, 0–60% scale; source: Radware ERT Report 2016]
DDoS Attack Surface – Hybrid mitigation strategy
Where DDoS strikes:
• 25% Internet Pipe
• 23% Firewall
• 7% IDS/IPS
• 6% Load Balancer
• 35% Server Under Attack
• 4% SQL Server
Cloud: for volumetric DDoS attack mitigation – protects against 25% of DDoS attacks
In-Line: protects against both network and application attacks – 75% of DDoS attacks
Firepower DDoS Solution Components (DDoS, FW and NGIPS on Firepower 4100/9300)
• Cisco Firepower is a scalable, carrier & enterprise-grade, multi-service security appliance featuring:
  • Radware DDoS Decorator App (OEM)
  • Cisco ASA firewall
  • Cisco NGIPS (Sourcefire – Threat Defense)
• What is required?
  • Firepower Chassis (FXOS 1.1.4+)
  • DDoS License (Virtual DefensePro)
  • Vision Management Software
  • Cloud DDoS *CSCO FY18 Q1 (Oct 15, 2017)
• Hybrid, Always on & On Demand
Firepower Management Center: Site-to-Site VPN

Firepower Management Center: Remote Access VPN

Firepower Management Center: Cisco Threat Intelligence Director

Thank you.
Abbreviation Key!
ASA = Adaptive Security Appliance
FTD = Firepower Threat Defense
FPS = Firepower Services
FMC = Firepower Management Center
FDM = Firepower Device Manager
NGFW = Next Generation Firewall
NGIPS = Next Generation Intrusion Prevention System
AMP = Advanced Malware Protection
API = Application Programming Interface
ISE = Identity Services Engine
IoC = Indicator of Compromise
PAN = Place to cook your eggs
Crypto-Card and Fail-to-Wire
• Crypto-Acceleration
• Fail-to-Wire
• Firepower 2100/4100/9300
*FTW – 2100 coming soon
Flow Offload
Cisco Security Chalk Talk – Flow Offload: https://www.youtube.com/watch?v=2qnqILWhUuU&list=PLFT-9JpKjRTANXKBmLbQ611TPYLXbUL_0&index=21
[Diagram: three stages of a flow between zones (BKUP, Finance, OtherService) across the Smart NIC and the x86 threat-centric inspection path (FW, APP, IPS, AMP)]
• Typical Flow: every packet takes the x86 threat-centric inspection path
• Initial Flow Offload: the Smart NIC has a classifier; if the flow has not been seen, it is sent for additional inspection
• Subsequent Flow Offload: still provides TCP sequence randomization, NAT/PAT and byte/packet counts (sent to x86 and can be sent to NSEL, e.g. Stealthwatch)
Firepower Threat Defense Interface Modes
• Routed / Transparent interfaces
• Inline Set (Inline Pair 1, Inline Pair 2)
• Inline Tap
• Passive interfaces
[Diagram: interfaces A–J mapped to the policy tables]
Segmentation: VLAN Stitching
[Diagram: FTD cluster with APP / IPS / AMP inspection between the Campus, Web, Application and Database zones]
How do I insert this into the Datacenter without having to change the physical infrastructure or move the routing?
Segmentation: VLAN Stitching – Before
[Diagram: L3 high-speed switch with VLAN100 = 192.168.100.0/24, SVI = 192.168.100.1, serving the Web, Application and Database zones; FTD cluster off to the side]
How do I insert this into the Datacenter without having to change the physical infrastructure or move the routing?
Traffic never hits the FW unless you change the routing or try to insert into the physical path.
Segmentation: VLAN Stitching – After
[Diagram: the same L3 high-speed switch, VLAN100 = 192.168.100.0/24, SVI = 192.168.100.1, with the hosts now split into VLAN101 = 192.168.100.10-50, VLAN102 = 192.168.100.51-100 and VLAN103 = 192.168.100.101-110, and the FTD cluster bridging the VLANs]
Ex: Web Zone to get to App Zone has to go through policy on FTD. FTD stitches VLAN 101 and VLAN 102. Now I can add additional L7 Inspection. That could be the same for the default GW or other zones.
Firepower 4100/9300 Clustering
[Diagram: inside switch and outside switch, each a VSS/vPC pair compliant to the IEEE 802.3ad standard, connected to six FTD cluster members over Port-channel 5 and Port-channel 6 – Spanned EtherChannel (recommended); cluster interfaces Out_P02 200.1.1.1/24 and In_P01 10.1.1.1/24]
Note: L3 PBR and ECMP models are supported
Benefits
• High Scale: NGFW
• Network Integration: Routing, switching, inter-site DC extensions
• High Density: 40G/100G
• Clustering: Intra-chassis, Inter-chassis, Inter-site
• Consistent Policy Management
Pay-As-You-Grow
• Traditional ASA 16 node cluster
• FTD 6 nodes today, will scale to 16 in the near future
Cisco Security Chalk Talk – NGFW Clustering Technology: https://www.youtube.com/watch?v=yt8Cc4tS0kE&t=38s&index=3&list=PLFT-9JpKjRTANXKBmLbQ611TPYLXbUL_0
The Firepower 4100/9300 Transforms Security Service Integration
[Contrast: limited effectiveness, increased latency, slows network, static & manual – versus – maximum protection, highly efficient, scalable processing, dynamic]
Unified Threat Platform with Integrated Security: a data packet passes through SSL, FW, WAF, NGIPS, DDoS and AMP services (key: Cisco service, 3rd-party service)
• Radware vDP is our first 3rd Party component of the new Architecture
• We are adding DDoS Application Services to the ingress interfaces of the Firepower 4100/9300
Security Services Architecture with DDoS running
[Diagram: Firepower 9300 chassis – Supervisor with on-board 8x10GE interfaces (Ethernet 1/1-8; Ethernet1/7 = Management), 4x40GE network modules in slot 1 (Ethernet 2/1-4) and slot 2 (Ethernet 3/1-4), and application image storage; Security Modules 1-3 each host an ASA cluster member as the primary application with a DDoS decorator application (link decorator) attached; PortChannel1 carries Data Inside and Data Outside for the logical device / logical device unit; labels: application connector, external connector, logical packet flow]
Cisco Firepower – Radware DDoS Mitigation Module
Firepower DDoS Mitigation is provided by Radware Virtual DefensePro (vDP), available and supported directly from Cisco on the following Cisco Firepower 9300 and 4100 series appliances: