NGFW
Jamie Sanbower, CCIE #13637 R&S/Security/Wireless
Technical Solutions Architect
February 2015
Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Agenda
§ Intro to NGFW
§ Software Architecture
§ Application Control
§ URL Filtering
§ AMP
§ Management
§ Deployment Options
§ 5506 / 5508
§ Q&A
Intro to NGFW
The Challenges Come from Every Direction
Defenders face:
• Sophisticated Attackers
• Complex Geopolitics
• Boardroom Engagement
• Misaligned Policies
• Dynamic Threats
• Complicit Users
The Problem with Legacy Next-Generation Firewalls
Focus on the apps… but miss the threat.
Legacy NGFWs can reduce attack surface area, but advanced malware often evades security controls.
Integrated Threat Defense Across the Attack Continuum
Attack Continuum:
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Products across the continuum: Firewall/VPN, NGIPS, Advanced Malware Protection
Visibility and Automation: Security Intelligence, Granular App Control, Retrospective Security, Web Security, Modern Threat Control, IoCs/Incident Response
Cisco ASA with FirePOWER Services Industry’s First Adaptive, Threat-Focused NGFW
Features
• Cisco® ASA firewalling combined with Sourcefire® next-generation IPS
• Integrated threat defense over the entire attack continuum
• Best-in-class security intelligence, application visibility and control (AVC), and URL filtering
Benefits
• Superior, multilayered threat protection
• Unprecedented network visibility
• Advanced malware protection
• Reduced cost and complexity
Superior Integrated & Multilayered Protection
Cisco ASA:
• World’s most widely deployed, enterprise-class ASA stateful firewall (Network Firewall, Routing | Switching, Clustering & High Availability)
• Identity-Policy Control & VPN
FirePOWER Services (Cisco Collective Security Intelligence enabled):
• Granular Cisco® Application Visibility and Control (AVC)
• Industry-leading FirePOWER next-generation IPS (NGIPS) (Subscription)
• Reputation- and category-based URL Filtering (Subscription)
• Advanced Malware Protection (Subscription)
• FireSIGHT Analytics & Automation with Built-in Network Profiling
NSS Labs – Next-Generation Firewall Security Value Map
Source: NSS Labs 2014
The NGFW Security Value Map shows the placement of Cisco ASA with FirePOWER Services and the FirePOWER 8350 as compared to other vendors. All three products achieved 99.2 percent in security effectiveness and now all can be confident that they will receive the best protections possible regardless of deployment.
Advanced VPN Capabilities: AnyConnect™ Secure Mobility
Checks applied before access is granted: Acceptable Use ✓, Access Control ✓, Data-Loss Prevention ✓, Threat Prevention ✓ → Corporate File Sharing: Access Granted
• Choice: diverse endpoint support for greater flexibility
• Security: rich, granular security integrated into the network
• User Experience: always-on for a seamless experience and performance
Cisco ASA with FirePOWER Services
• Base Hardware and Software: New ASA 5585-X Bundle SKUs with FirePOWER Services Module; New ASA 5500-X SKUs running FirePOWER Services Software; FirePOWER Services Spare Module/Blade for ASA 5585-X Series; FirePOWER Services Software. Hardware includes Application Visibility and Control (AVC).
• Security Subscription Services: IPS, URL, Advanced Malware Protection (AMP) Subscription Services; one- and three-year term options
• Management: FireSIGHT Management Center (HW appliance or virtual); Cisco Security Manager (CSM) or ASDM
• Support: SmartNET; Software Application Support plus Upgrades
What platforms support FirePOWER Services as a software module? (Maximum AVC and IPS throughput)
From Branch Locations to Small/Medium Internet Edge:
• ASA 5512-X: 300 Mbps NGFW, 100K connections, 10,000 CPS
• ASA 5515-X: 250 Mbps NGFW, 250K connections, 15,000 CPS
• ASA 5525-X: 650 Mbps NGFW, 500K connections, 20,000 CPS
• ASA 5545-X: 1 Gbps NGFW, 750K connections, 30,000 CPS
• ASA 5555-X: 1.25 Gbps NGFW, 1 MM connections, 50,000 CPS
What platforms support the FirePOWER Hardware Module?
§ ASA 5585-X + FirePOWER module in top slot (Hardware Module)
• FirePOWER SSP and ASA SSP, with 10GE and GE ports
• Two hard drives, RAID 1 (event data)
• Two GE management ports
• 8 GB eUSB (system)
What platforms support the FP Hardware Module? (Maximum AVC and IPS throughput)
From Campus / Data Center to Enterprise Internet Edge:
• ASA 5585-SSP10: 2 Gbps NGFW, 500K connections, 40,000 CPS
• ASA 5585-SSP20: 3.5 Gbps NGFW, 1 M connections, 75,000 CPS
• ASA 5585-SSP40: 6 Gbps NGFW, 1.8 M connections, 120,000 CPS
• ASA 5585-SSP60: 10 Gbps NGFW, 4 M connections, 160,000 CPS
Cisco FireSIGHT Management Center Appliance
Model: maximum devices managed* / event storage / maximum network map (hosts/users) / events per second (EPS)
• 750: 10 devices / 100 GB / 2,000 hosts, 2,000 users / 2,000 EPS
• 1500*: 35 devices / 125 GB / 50,000 hosts, 50,000 users / 6,000 EPS
• 2000: 70 devices / 1.8 TB / 150,000 hosts, 150,000 users / 12,000 EPS
• 3500: 150 devices / 400 GB / 300,000 hosts, 300,000 users / 10,000 EPS
• 4000: 300 devices / 4.8/6.3 TB / 600,000 hosts, 600,000 users / 20,000 EPS
• Virtual*: up to 25 managed devices; Virtual FirePOWER Services for ASA devices is limited to 2 or 10 ASAs (FS-VMW-2-SW-K9, FS-VMW-10-SW-K9)
Max number of devices is dependent upon sensor type and event rate.
* = Recommended!
Software Architecture
Detailed ASA SFR Packet Flow
1. Receive packet on the ingress interface
2. Existing connection? (YES: skip the ACL and xlate checks and go to step 5)
3. ACL permit? (NO: DROP)
4. Match xlate? (NO: DROP)
5. Inspections / security checks, including the FirePOWER module (NO: DROP)
6. NAT IP header
7. Egress interface
8. L3 route (NO: DROP)
9. L2 address (NO: DROP)
10. Transmit packet
FirePOWER does not drop flows; it marks them for drop by the ASA.
Snort Technology
• The Snort Engine’s Basic Architecture
o The sniffer
o Preprocessors
o The detection engine
o The output and alerting module
OpenAppID – First OSS Application and Control
• OpenAppID Language Documentation
o Accelerate the identification and protection for new cloud-delivered applications
• Special Snort engine with OpenAppID preprocessor
o Detect apps on network
o Report usage stats
o Block apps by policy
o Snort rule language extensions to enable app specification
o Append ‘App Name’ to IPS events
• Library of Open App ID Detectors
o Over 1000 new detectors to use with Snort preprocessor
o Extendable sample detectors
Available now at Snort.org
FirePOWER Services processing pipeline:
Traffic → Data Acquisition → Packet Decode → IP Defragmentation → Stream Re-assembly → Security Intelligence → Application Identification → NGFW Rules → Network Discovery, IPS, AMP, URL Reputation (with User / IP Mapping)
Access Control & Application Control
FirePOWER Services: Application Control
• Control access for applications, users and devices
• “Employees may view Facebook, but only Marketing may post to it”
• “No one may use peer-to-peer file sharing apps”
Over 2,200 apps, devices, and more!
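To make the two policy statements above concrete, here is an added Python model of ordered access-control rule evaluation (example code, not FireSIGHT's own implementation): rules match on the AppID application and the user's AD group, Block/Allow are first-match, and a Monitor rule is assumed to log and continue. The rule names, groups and sample connections are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Connection:
    user: str
    groups: frozenset          # AD groups resolved by the user-to-IP mapping
    app: str                   # application identified by AppID, e.g. "Facebook"
    sub_app: str = ""          # finer-grained behaviour, e.g. "Facebook Post"


@dataclass
class Rule:
    name: str
    action: str                # "Monitor", "Block", or "Allow"
    apps: set = field(default_factory=set)    # empty = any application
    groups: set = field(default_factory=set)  # empty = any user group
    inspect: bool = False      # Allow with IPS/file inspection

    def matches(self, conn):
        app_ok = not self.apps or conn.app in self.apps or conn.sub_app in self.apps
        grp_ok = not self.groups or bool(self.groups & conn.groups)
        return app_ok and grp_ok


def evaluate(policy, conn, default_action="Allow"):
    """First-match evaluation; Monitor rules record a hit and continue (assumed)."""
    monitored = []
    for rule in policy:
        if not rule.matches(conn):
            continue
        if rule.action == "Monitor":
            monitored.append(rule.name)
            continue
        return rule.action, rule.name, rule.inspect, monitored
    return default_action, "default", False, monitored


# Constructed policy: the group-specific Allow must sit above the generic Block,
# otherwise Marketing's posts would be blocked by "no-post" first.
POLICY = [
    Rule("log-social", "Monitor", apps={"Facebook"}),
    Rule("block-p2p", "Block", apps={"BitTorrent", "eDonkey"}),
    Rule("marketing-post", "Allow", apps={"Facebook Post"}, groups={"Marketing"}, inspect=True),
    Rule("no-post", "Block", apps={"Facebook Post"}),
    Rule("view-facebook", "Allow", apps={"Facebook"}, inspect=True),
]

SAMPLES = [                                   # constructed connections
    Connection("alice", frozenset({"Marketing"}), "Facebook", "Facebook Post"),
    Connection("bob", frozenset({"Engineering"}), "Facebook", "Facebook Post"),
    Connection("bob", frozenset({"Engineering"}), "Facebook"),
    Connection("carol", frozenset({"Sales"}), "BitTorrent"),
]


def decisions(policy=POLICY, samples=SAMPLES):
    """Map (user, app, sub_app) to the (action, rule name) the policy produces."""
    return {(c.user, c.app, c.sub_app): evaluate(policy, c)[:2] for c in samples}
```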
Application Control
• Social: Security and DLP
• Mobile: Enforce BYOD Policy
• Bandwidth: Recover Lost Bandwidth
• Security: Reduce Attack Surface
User Identification
User identification uses two distinct mechanisms
1. Network discovery
• Understands AIM, IMAP, LDAP, Oracle, POP3 and SIP
• Will only provide limited information when deployed at the Internet edge
2. Sourcefire User Agent (SFUA)
• Installed on a Windows Platform
• Windows server does not have to be a domain member
• Communicates with the AD using WMI – starts on port 136 then switches to random TCP ports
• Communicates with FMC through a persistent connection to TCP port 3306 on the FMC
• Endpoints must be domain members
• Well-suited for Internet edge firewalls
Note: This solution does not use the Cisco Context Directory Agent (CDA)
ASA Service Policy To/From SourceFire
Services
Application Vis/Control
IPS Policy’s Snort Rules
FireSight: Network, Host, User, OS & Application Discovery
Correlation, Alerting, Reporting
URL Filtering
AD Integration
Security Intelligence Blacklist
Block/Permit
Access Control Policy Rules – Monitor, Block or Allow with Inspection
File Policy’s File Analysis, Advanced Malware Detection
FW, Geo Blocking
AMP/Threat Grid Sandbox
Security Intelligence Black List & App Control Updates for ASA with Sourcefire & New xxx-FPK9 Smartnet
Effectively Replaces ASA Botnet Traffic Filter
Sampling of Available Applications & Categories
Class-Leading NGFW Context and Visibility Demo
URL Filtering
URL Filtering
• Block non-business-related sites by category or reputation
• Based on user and user group
URL Filtering
Dozens of Content Categories
URLs Categorized by Risk
AMP
AMP: File based malware prevention
• File reputation and file sandboxing
• Advanced Analytics and Correlation
• Continuous & Zero-Day Detection
Enforcement points: Dedicated FirePOWER Appliance; ASA with FirePOWER Services; Web & Email Security Appliances; Cloud Based Web Security & Hosted Email; Private Cloud; endpoints (PC / MAC, Virtual, Mobile)
Advanced Malware Protection: Reputation Filtering and File Sandboxing
All detection is less than 100%, so several techniques are layered:
• One-to-One Signature
• Fuzzy Finger-Printing
• Machine Learning
• Advanced Analytics
• Dynamic Analysis
AMP Provides Continuous Retrospective Security
• Continuous Feed, Continuous Analysis, Telemetry Stream
• Breadth of Control Points: Web (WWW), Endpoints, Network, Email, Devices, IPS
• Telemetry collected: File Fingerprint and Metadata; File and Network I/O; Process Information; Inspection verdicts
FirePOWER Services: Advanced Malware
1) File Capture (from network traffic)
2) File Storage
3) Send to Sandbox (Collective Security Intelligence Sandbox)
4) Execution Report Available In Defense Center → Malware Alert!
Licensing
Functional Distribution of Features
ASA: IP Fragmentation, IP Option Inspection, TCP Intercept, TCP Normalization, ACL, NAT, VPN Termination, Routing, Botnet Traffic Filter, Failover & Clustering
FirePOWER Services: Advanced Malware Protection, File Type filtering, Application Visibility and Control, NGIPS, URL Category/Reputation, File capture
Licensing
• Five (5) feature license packages are available
• AVC is part of the default offering
• One (1) and three (3) year terms are available
• SMARTnet is ordered separately with the appliance
Packages: URL (URL only); TA (IPS); TAC (IPS + URL); TAM (IPS + AMP); TAMC (IPS + AMP + URL)
How to add FirePOWER Services to an ASA-5500-X
• Purchase ASA5500X-SSD120=
o Adds Solid State Disc drive to ASA platform
o Two drives required for ASA-5545 / 5555 (mirror redundancy)
• Purchase $0 ASA55xx-CTRL-LIC=
o Adds perpetual “Protect and Control” license
• Purchase FS-VMW-x-SW-K9
o FireSIGHT Management Center Virtual Appliance
o 2 and 10 device SKUs can NOT be upgraded later
• Purchase additional licenses as needed (not required)
o URL / IPS / AMP offered as 1 or 3 year subscriptions
Management
What is FireSIGHT?
Network Discovery & Connection Awareness
Host discovery
• Identifies OS, protocols and services running on each host
• Reports on potential vulnerabilities present on each host based on the information it’s gathered
Application identification
• FireSIGHT can identify over 1900 unique applications using OpenAppID
• Includes applications that run over web services such as Facebook or LinkedIn
• Applications can be used as criteria for access control
User discovery
• Monitors for user IDs transmitted as services are used
• Integrates with MS AD servers to authoritatively ID users
• Authoritative users can be used as access control criteria
FireSIGHT Management Center Single console for event, policy, and configuration management
Awareness Delivers Insight
• OS & version identified
• Server applications and version
• Client applications and client version
• Who is at the host
• What other systems / IPs did the user have, and when?
FireSight Management – Custom Dashboards
FireSight Management – Custom Reporting
Indications of Compromise (IoCs)
IPS Events: Malware Backdoors, CnC Connections, Exploit Kits, Admin Privilege Escalations, Web App Attacks
SI Events: Connections to Known CnC IPs
Malware Events: Malware Detections, Malware Executions, Office/PDF/Java Compromises, Dropper Infections
Impact Assessment
Correlates all intrusion events to an impact of the attack against the target.
IMPACT FLAG | ADMINISTRATOR ACTION | WHY
1 | Act Immediately, Vulnerable | Event corresponds to vulnerability mapped to host
2 | Investigate, Potentially Vulnerable | Relevant port open or protocol in use, but no vuln mapped
3 | Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use
4 | Good to Know, Unknown Target | Monitored network, but unknown host
0 | Good to Know, Unknown Network | Unmonitored network
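The impact table, as an added Python example (not FireSIGHT code): a host profile holds the open ports, protocols and mapped vulnerabilities that network discovery would have gathered, and each intrusion event gets the flag the table defines, so an analyst can sort by urgency. The network ranges, hosts and vulnerability ids are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

# Impact flags exactly as the slide's table defines them.
IMPACT = {
    1: "Act Immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to Know, Currently Not Vulnerable",
    4: "Good to Know, Unknown Target",
    0: "Good to Know, Unknown Network",
}


@dataclass
class HostProfile:                                   # constructed data model
    ip: str
    open_ports: dict = field(default_factory=dict)   # {port: protocol in use}
    vulns: set = field(default_factory=set)          # vulnerability ids mapped to host


@dataclass
class IntrusionEvent:
    dst_ip: str
    dst_port: int
    protocol: str                                    # protocol the rule targets
    vulns: set = field(default_factory=set)          # vulnerability ids the rule references


def assess_impact(event, hosts, monitored_networks):
    """Return (flag, label) for one intrusion event, following the table above."""
    target = ipaddress.ip_address(event.dst_ip)
    if not any(target in ipaddress.ip_network(n) for n in monitored_networks):
        return 0, IMPACT[0]                          # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4, IMPACT[4]                          # monitored network, unknown host
    if event.vulns & host.vulns:
        return 1, IMPACT[1]                          # rule's vulnerability mapped to host
    if event.dst_port in host.open_ports or event.protocol in host.open_ports.values():
        return 2, IMPACT[2]                          # port open / protocol in use, no vuln mapped
    return 3, IMPACT[3]                              # port closed and protocol not in use


# Constructed network map and events; "VULN-A"/"VULN-B" are placeholder ids.
MONITORED = ["10.1.0.0/16"]
HOSTS = {
    "10.1.2.10": HostProfile("10.1.2.10", {80: "http", 22: "ssh"}, {"VULN-A"}),
    "10.1.2.20": HostProfile("10.1.2.20", {443: "https"}, set()),
}
EVENTS = [
    IntrusionEvent("10.1.2.10", 80, "http", {"VULN-A"}),   # vulnerable host -> 1
    IntrusionEvent("10.1.2.10", 22, "ssh", {"VULN-B"}),    # port open, no vuln -> 2
    IntrusionEvent("10.1.2.20", 80, "http", {"VULN-B"}),   # port closed -> 3
    IntrusionEvent("10.1.2.99", 80, "http", {"VULN-B"}),   # unknown host -> 4
    IntrusionEvent("192.0.2.5", 80, "http", {"VULN-B"}),   # unmonitored -> 0
]


def triage(events=EVENTS, hosts=HOSTS, networks=MONITORED):
    """Return (flag, dst_ip, dst_port) tuples ordered most urgent first (0 is last)."""
    urgency = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}
    scored = [(assess_impact(e, hosts, networks)[0], e.dst_ip, e.dst_port) for e in events]
    return sorted(scored, key=lambda item: urgency[item[0]])
```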
Context Explorer
• Data exploration tool
• Visualizations of IoC, Network, Intrusion, File, App, User, and Geo info
• Advanced filtering across data silos
• Drill downs into detailed event analysis
• Accessible from analysis tools to provide context
Correlation Engine
• Flexible Boolean rules engine functioning on the real-time event stream at the FireSIGHT Management Console
o Comprehensive access to events and all their columns
o Arbitrarily complex rule conditions
o Host profile qualification
o Dynamic connection tracking triggered by rule criteria
• Responses
o Email, Syslog, SNMP Traps
o Remediation: API driven subsystem to dynamically respond to triggering Correlation Rules
Correlation Engine – Anomaly Detection
• Compliance Whitelists: define a set of criteria against which to measure hosts of interest on your network
o Operating System
o Network Protocol, Application Protocol, Web Application, and Client Application
• Traffic Profiles: set a baseline for connections that meet all the complex criteria provided by the correlation engine, then alert on aberrant behavior
Deployment Guidelines
Deploying ASA w/ FirePOWER Services: High Availability with ASA Failover
• Available on all ASA platforms
• State-sharing between firewalls over the failover link for high availability
• L2 Transparent or L3 Routed deployment options
• ASA provides valid, normalized flows to FirePOWER module
• State sharing does not occur between FirePOWER Services Modules
Deploying ASA w/ FirePOWER Services: Scaling IPS with ASA5585-X Clustering
• Up to 8 ASA5585-X IPS
• Stateless load balancing by external switch
• L2 Transparent or L3 Routed deployment options
• Support for vPC, VSS and LACP
• Cluster Control Protocol/Link
• State-sharing between firewalls for symmetry and high availability
• Every session has a primary and secondary owner ASA
• ASA provides traffic symmetry to FirePOWER module
Multi-Context ASA Deployments
• ASA can be configured in multi context mode such that traffic going through the ASA can be assigned different policies
• These interfaces are reported to the FirePOWER blade and can be assigned to security zones that can be used in differentiated policies.
• In this example, you could create one policy for traffic going from Context A Outside to Context A Inside. And then a different policy for Context B Outside to Context B Inside.
• Note: There is no management segmentation inside the FirePOWER module similar to the context idea inside ASA configuration.
(Diagram: Context A and Context B, each with an Outside and an Inside interface)
Multi-Context ASA Deployments (screenshot: Admin Context and Context-1)
5506 / 5508
New ASA Models Desktop ASA-5506
Rack-mount ASA-5508
On Box Manager: ASDM 7.3.x
New! Combines control over access policies and advanced threat defense functions. The enhanced UI provides quick views on trends and the ability to drill down for details.
Centralized Management
Provides security teams with:
§ Management for multiple devices
§ Comprehensive visibility and control over network activity
§ Optimal remediation through infection scoping and root cause determination
Attack Continuum:
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Q&A
Thank you.