NGFW Jamie Sanbower, CCIE #13637 R&S/Security/Wireless Technical Solutions Architect February 2015

Upload: cisco-public-sector

Post on 15-Jul-2015


TRANSCRIPT

Page 1: NGFW

NGFW

Jamie Sanbower, CCIE #13637 R&S/Security/Wireless

Technical Solutions Architect

February 2015

Page 2: NGFW

Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Agenda

§  Intro to NGFW
§  Software Architecture
§  Application Control
§  URL Filtering
§  AMP
§  Management
§  Deployment Options
§  5506 / 5508
§  Q&A

Page 3: NGFW


Intro to NGFW

Page 4: NGFW

The Challenges Come from Every Direction

Figure: defenders surrounded by Sophisticated Attackers, Complex Geopolitics, Boardroom Engagement, Misaligned Policies, Dynamic Threats and Complicit Users.

Page 5: NGFW

The Problem with Legacy Next-Generation Firewalls

Focus on the Apps… but miss the threat

Legacy NGFWs can reduce attack surface area but advanced malware often evades security controls.

Page 6: NGFW

Integrated Threat Defense Across the Attack Continuum

Figure: Firewall/VPN, NGIPS and Advanced Malware Protection spanning the attack continuum.

BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Visibility and Automation: Security Intelligence, Granular App Control, Retrospective Security, Web Security, Modern Threat Control, IoCs/Incident Response

Page 7: NGFW


Cisco ASA with FirePOWER Services Industry’s First Adaptive, Threat-Focused NGFW

Features

•  Cisco® ASA firewalling combined with Sourcefire® next-generation IPS

•  Integrated threat defense over the entire attack continuum

•  Best-in-class security intelligence, application visibility and control (AVC), and URL filtering

Benefits

•  Superior, multilayered threat protection

•  Unprecedented network visibility

•  Advanced malware protection

•  Reduced cost and complexity

Page 8: NGFW

Superior Integrated & Multilayered Protection

Figure: building blocks of Cisco ASA with FirePOWER Services (Cisco Collective Security Intelligence enabled):

•  Cisco ASA: Network Firewall, Identity-Policy Control & VPN, Routing | Switching, Clustering & High Availability
•  Application Visibility & Control
•  FireSIGHT: Analytics & Automation, Built-in Network Profiling
•  Intrusion Prevention (Subscription)
•  URL Filtering (Subscription)
•  Advanced Malware Protection (Subscription)

•  World’s most widely deployed, enterprise-class ASA stateful firewall
•  Granular Cisco® Application Visibility and Control (AVC)
•  Industry-leading FirePOWER next-generation IPS (NGIPS)
•  Reputation- and category-based URL filtering
•  Advanced malware protection

Page 9: NGFW


NSS Labs – Next-Generation Firewall Security Value Map

Source: NSS Labs 2014

The NGFW Security Value Map shows the placement of Cisco ASA with FirePOWER Services and the FirePOWER 8350 compared with other vendors. All three products achieved 99.2 percent in security effectiveness, so customers can be confident that they will receive the best protection possible regardless of deployment.

Page 10: NGFW

Advanced VPN Capabilities: AnyConnect™ Secure Mobility

Figure: the remote-access session passes Acceptable Use, Access Control, Data-Loss Prevention and Threat Prevention checks before reaching Corporate File Sharing (Access Granted).

•  Choice: diverse endpoint support for greater flexibility
•  Security: rich, granular security integrated into the network
•  User Experience: always-on for seamless experience and performance

Page 11: NGFW

Cisco ASA with FirePOWER Services

Base Hardware and Software
•  New ASA 5585-X Bundle SKUs with FirePOWER Services Module
•  New ASA 5500-X SKUs running FirePOWER Services Software
•  FirePOWER Services Spare Module/Blade for ASA 5585-X Series
•  FirePOWER Services Software
•  Hardware includes Application Visibility and Control (AVC)

Security Subscription Services
•  IPS, URL, Advanced Malware Protection (AMP) Subscription Services
•  One- and Three-Year Term Options

Management
•  FireSIGHT Management Center (HW Appliance or Virtual)
•  Cisco Security Manager (CSM) or ASDM

Support
•  SmartNET
•  Software Application Support plus Upgrades

Page 12: NGFW

What platforms support FirePOWER Services as a software module? Maximum AVC and IPS throughput

Branch Locations
•  ASA 5512-X: 300 Mbps NGFW, 100K connections, 10,000 CPS
•  ASA 5515-X: 250 Mbps NGFW, 250K connections, 15,000 CPS

Small/Medium Internet Edge
•  ASA 5525-X: 650 Mbps NGFW, 500K connections, 20,000 CPS
•  ASA 5545-X: 1 Gbps NGFW, 750K connections, 30,000 CPS
•  ASA 5555-X: 1.25 Gbps NGFW, 1 MM connections, 50,000 CPS

Page 13: NGFW

What platforms support the FirePOWER Hardware Module?

§  5585-X + FirePOWER module in top slot – Hardware Module

Figure: ASA 5585-X chassis with the FirePOWER SSP above the ASA SSP (10GE and GE ports), two hard drives in RAID 1 (event data), two GE management ports and 8 GB eUSB (system).

Page 14: NGFW

What platforms support the FP Hardware Module? Maximum AVC and IPS throughput

Deployment tiers shown: Enterprise Internet Edge, Campus / Data Center

•  ASA 5585-SSP10: 2 Gbps NGFW, 500K connections, 40,000 CPS
•  ASA 5585-SSP20: 3.5 Gbps NGFW, 1 M connections, 75,000 CPS
•  ASA 5585-SSP40: 6 Gbps NGFW, 1.8 M connections, 120,000 CPS
•  ASA 5585-SSP60: 10 Gbps NGFW, 4 M connections, 160,000 CPS

Page 15: NGFW

Cisco FireSIGHT Management Center Appliance

                                    750          1500*           2000             3500             4000             Virtual*
Maximum devices managed*            10           35              70               150              300              up to 25
Event storage                       100 GB       125 GB          1.8 TB           400 GB           4.8/6.3 TB
Maximum network map (hosts/users)   2000/2000    50,000/50,000   150,000/150,000  300,000/300,000  600,000/600,000
Events per second (EPS)             2000         6000            12,000           10,000           20,000

* = Recommended!

Maximum number of devices is dependent upon sensor type and event rate.

Virtual FirePOWER Services for ASA devices is limited to 2 or 10 ASAs (FS-VMW-2-SW-K9, FS-VMW-10-SW-K9).

Page 16: NGFW


Software Architecture

Page 17: NGFW

Detailed ASA SFR Packet Flow

Figure: the ASA packet path with the FirePOWER (SFR) module attached. Stages as drawn, each failed check exiting to DROP; the FirePOWER module hangs off the inspection stage and hands the packet back before NAT:

1.  Receive PKT
2.  Ingress Interface
3.  Existing Conn? (YES: skip to 5)
4.  ACL Permit? (NO: DROP)
5.  Match Xlate? (NO: DROP)
6.  Inspections / sec checks (NO: DROP), FirePOWER
7.  NAT IP Header
8.  Egress Interface
9.  L3 Route (NO: DROP)
10. L2 Addr (NO: DROP)
11. XMIT PKT

FirePOWER does not drop flows; it marks them for drop by the ASA.

Page 18: NGFW

Snort Technology

•  The Snort Engine’s Basic Architecture
   •  The sniffer
   •  Preprocessors
   •  The detection engine
   •  The output and alerting module

Page 19: NGFW

OpenAppID – First OSS Application and Control

•  OpenAppID Language Documentation
   o  Accelerate the identification and protection for new cloud-delivered applications
•  Special Snort engine with OpenAppID preprocessor
   o  Detect apps on network
   o  Report usage stats
   o  Block apps by policy
   o  Snort rule language extensions to enable app specification
   o  Append ‘App Name’ to IPS events
•  Library of Open App ID Detectors
   o  Over 1000 new detectors to use with Snort preprocessor
   o  Extendable sample detectors

Available now at Snort.org

Page 20: NGFW

Figure: FirePOWER processing pipeline, from traffic in: Data Acquisition, Packet Decode, IP Defragmentation, Stream Re-assembly, Security Intelligence, Application Identification, NGFW Rules, then IPS, AMP and URL Reputation. Network Discovery and User / IP Mapping feed the pipeline from the side.

Page 21: NGFW


Access Control & Application Control

Page 22: NGFW

FirePOWER Services: Application Control

•  Control access for applications, users and devices
   •  “Employees may view Facebook, but only Marketing may post to it”
   •  “No one may use peer-to-peer file sharing apps”
•  Over 2,200 apps, devices, and more!

Page 23: NGFW

Application Control

•  Social: Security and DLP
•  Mobile: Enforce BYOD Policy
•  Bandwidth: Recover Lost Bandwidth
•  Security: Reduce Attack Surface

Page 24: NGFW


User Identification

User identification uses two distinct mechanisms

1.  Network discovery

•  Understands AIM, IMAP, LDAP, Oracle, POP3 and SIP

•  Will only provide limited information when deployed at the Internet edge

2.  Sourcefire User Agent (SFUA)

•  Installed on a Windows Platform

•  Windows server does not have to be a domain member

•  Communicates with the AD using WMI – starts on port 136 then switches to random TCP ports

•  Communicates with FMC through a persistent connection to TCP port 3306 on the FMC

•  Endpoints must be domain members

•  Well-suited for Internet edge firewalls

Note: This solution does not use the Cisco Context Directory Agent (CDA)

Page 25: NGFW

Figure: where each function sits in the ASA with FirePOWER Services flow.

•  ASA Service Policy To/From SourceFire Services
•  FW, Geo Blocking
•  Security Intelligence Blacklist: Block/Permit
•  Access Control Policy Rules – Monitor, Block or Allow with Inspection
•  Application Vis/Control
•  IPS Policy’s Snort Rules
•  URL Filtering
•  File Policy’s File Analysis: Advanced Malware Detection
•  AMP/Threat Grid Sandbox
•  FireSight: Network, Host, User, OS & Application Discovery
•  Correlation, Alerting, Reporting
•  AD Integration
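The two quoted rules from the Application Control slide, evaluated with the Monitor, Block or Allow with Inspection rule actions named on the slide above, as an added Python example (not Cisco's code). It assumes first-match, top-down evaluation in which a Monitor rule only logs and evaluation continues, that discovery has already tagged each connection with its application, the application's tags and the user's AD groups, and that every user, group, application and rule name is constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Connection:
    """A connection as discovery sees it: who, which app, and the app's tags."""
    user: str
    groups: FrozenSet[str]                  # AD groups from user discovery
    application: str                        # application detected by AppID, e.g. "Facebook Post"
    app_tags: FrozenSet[str] = frozenset()  # e.g. {"peer to peer", "file sharing"}

@dataclass(frozen=True)
class Rule:
    """An access control rule; a criterion left as None matches anything."""
    name: str
    action: str                              # "Monitor", "Block" or "Allow" (with inspection)
    applications: Optional[FrozenSet[str]] = None
    app_tags: Optional[FrozenSet[str]] = None
    groups: Optional[FrozenSet[str]] = None

def matches(rule: Rule, conn: Connection) -> bool:
    """Every criterion set on the rule must match the connection."""
    if rule.applications is not None and conn.application not in rule.applications:
        return False
    if rule.app_tags is not None and not (rule.app_tags & conn.app_tags):
        return False
    if rule.groups is not None and not (rule.groups & conn.groups):
        return False
    return True

def evaluate(policy: List[Rule], conn: Connection,
             default_action: str = "Allow") -> Tuple[str, str, List[str]]:
    """Top-down: Monitor rules log a hit and fall through; the first matching
    Block or Allow rule decides, otherwise the policy default action applies."""
    monitored = []
    for rule in policy:
        if not matches(rule, conn):
            continue
        if rule.action == "Monitor":
            monitored.append(rule.name)
            continue
        return rule.action, rule.name, monitored
    return default_action, "default action", monitored

# Constructed policy encoding the slide's two quoted rules, most specific first.
POLICY = [
    Rule("Log social media", "Monitor", applications=frozenset({"Facebook", "Facebook Post"})),
    Rule("No P2P file sharing", "Block", app_tags=frozenset({"peer to peer"})),
    Rule("Marketing may post", "Allow", applications=frozenset({"Facebook Post"}),
         groups=frozenset({"Marketing"})),
    Rule("Others may not post", "Block", applications=frozenset({"Facebook Post"})),
    Rule("Employees may view", "Allow", applications=frozenset({"Facebook"}),
         groups=frozenset({"Employees"})),
]

# Constructed sample connections (users, groups and applications are made up).
SAMPLE = {
    "marketing_post": Connection("alice", frozenset({"Employees", "Marketing"}), "Facebook Post"),
    "sales_post": Connection("bob", frozenset({"Employees", "Sales"}), "Facebook Post"),
    "sales_view": Connection("bob", frozenset({"Employees", "Sales"}), "Facebook"),
    "torrent": Connection("carol", frozenset({"Employees"}), "BitTorrent",
                          frozenset({"peer to peer", "file sharing"})),
    "mail": Connection("dave", frozenset({"Employees"}), "IMAP"),
}
```

Calling evaluate(POLICY, SAMPLE["sales_post"]) returns ("Block", "Others may not post", ["Log social media"]): the Monitor hit is recorded, then the ordered rules deny the post because bob is not in Marketing.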

Page 26: NGFW

Security Intelligence Black List & App Control Updates for ASA with Sourcefire & New xxx-FPK9 Smartnet

Effectively Replaces ASA Botnet Traffic Filter

Sampling of Available Applications & Categories

Page 27: NGFW

Class-Leading NGFW Context and Visibility Demo

Page 28: NGFW


URL Filtering

Page 29: NGFW


URL Filtering

•  Block non-business-related sites by category or reputation

•  Based on user and user group

Page 30: NGFW

URL Filtering

Dozens of Content Categories

URLs Categorized by Risk

Page 31: NGFW


AMP

Page 32: NGFW

AMP: File-based malware prevention

•  Advanced Analytics and Correlation
•  File reputation and file sandboxing
•  Continuous & Zero-Day Detection

Figure: AMP enforcement points: Dedicated FirePOWER Appliance, Web & Email Security Appliances, Private Cloud, Cloud-Based Web Security & Hosted Email, ASA with FirePOWER Services, and endpoints (PC / Mac, Virtual, Mobile).

Page 33: NGFW

Advanced Malware Protection: Reputation Filtering and File Sandboxing

All detection is less than 100%

Figure: layered detection techniques: One-to-One Signature, Fuzzy Finger-Printing, Machine Learning, Advanced Analytics, Dynamic Analysis.

Page 34: NGFW

AMP Provides Continuous Retrospective Security

Figure: a continuous feed from the breadth of control points (Endpoints, Network, Email, Web, Devices, IPS) carries a telemetry stream of file fingerprint and metadata, file and network I/O, and process information into continuous analysis, which returns inspection verdicts.

Page 35: NGFW

FirePOWER Services: Advanced Malware

Figure: 1) File Capture from network traffic; 2) File Storage; 3) Send to Sandbox (Collective Security Intelligence); 4) Execution Report Available In Defense Center; Malware Alert!

Page 36: NGFW


Licensing

Page 37: NGFW

Functional Distribution of Features

ASA
•  IP Fragmentation
•  IP Option Inspection
•  TCP Intercept
•  TCP Normalization
•  ACL
•  NAT
•  VPN Termination
•  Routing
•  Botnet Traffic Filter
•  Failover & Clustering

FirePOWER Services
•  Advanced Malware Protection
•  File Type filtering
•  Application Visibility and Control
•  NGIPS
•  URL Category/Reputation
•  File capture

Page 38: NGFW

Licensing

•  Five (5) feature license packages are available
•  AVC is part of the default offering
•  One (1) and three (3) year terms are available
•  SMARTnet is ordered separately with the appliance

Figure: the five packages as combinations of URL, IPS and AMP; package codes shown: TAC, TAMC, TA, TAM, URL.

Page 39: NGFW

How to add FirePOWER Services to an ASA-5500-X

•  Purchase ASA5500X-SSD120=
   •  Adds Solid State Disc drive to ASA platform
   •  Two drives required for ASA-5545 / 5555 (mirror redundancy)
•  Purchase $0 ASA55xx-CTRL-LIC=
   •  Adds perpetual “Protect and Control” license
•  Purchase FS-VMW-x-SW-K9
   •  FireSIGHT Management Center Virtual Appliance
   •  2 and 10 device SKUs can NOT be upgraded later
•  Purchase additional licenses as needed (not required)
   •  URL / IPS / AMP offered as 1 or 3 year subscriptions

Page 40: NGFW


Management

Page 41: NGFW

What is FireSIGHT?

Network Discovery & Connection Awareness

Host discovery
•  Identifies OS, protocols and services running on each host
•  Reports on potential vulnerabilities present on each host based on the information it’s gathered

Application identification
•  FireSIGHT can identify over 1900 unique applications using OpenAppID
•  Includes applications that run over web services such as Facebook or LinkedIn
•  Applications can be used as criteria for access control

User discovery
•  Monitors for user IDs transmitted as services are used
•  Integrates with MS AD servers to authoritatively ID users
•  Authoritative users can be used as access control criteria

Page 42: NGFW


FireSIGHT Management Center Single console for event, policy, and configuration management

Page 43: NGFW

Awareness Delivers Insight

Figure: host profile view showing the OS & version identified, server applications and version, client applications (application, client version), who is at the host, and what other systems / IPs the user had, and when.

Page 44: NGFW


FireSight Management – Custom Dashboards

Page 45: NGFW


FireSight Management – Custom Reporting

Page 46: NGFW

Indications of Compromise (IoCs)

IPS Events: Malware Backdoors, CnC Connections, Exploit Kits, Admin Privilege Escalations, Web App Attacks

SI Events: Connections to Known CnC IPs

Malware Events: Malware Detections, Malware Executions, Office/PDF/Java Compromises, Dropper Infections

Page 47: NGFW


Impact Assessment

Correlates all intrusion events to an impact of the attack against the target

IMPACT FLAG   ADMINISTRATOR ACTION                       WHY
1             Act Immediately, Vulnerable                Event corresponds to vulnerability mapped to host
2             Investigate, Potentially Vulnerable        Relevant port open or protocol in use, but no vuln mapped
3             Good to Know, Currently Not Vulnerable     Relevant port not open or protocol not in use
4             Good to Know, Unknown Target               Monitored network, but unknown host
0             Good to Know, Unknown Network              Unmonitored network
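The impact flag decision above, carried through in Python as an added example (not FireSIGHT's code). It assumes a simplified network map in which a discovered host is known by IP with its open ports per transport protocol, the other protocols seen in use, and the vulnerability IDs mapped to it; all addresses, hosts and VULN-* identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

IMPACT = {  # flag -> (administrator action, why), as on the slide
    1: ("Act Immediately, Vulnerable", "Event corresponds to vulnerability mapped to host"),
    2: ("Investigate, Potentially Vulnerable", "Relevant port open or protocol in use, but no vuln mapped"),
    3: ("Good to Know, Currently Not Vulnerable", "Relevant port not open or protocol not in use"),
    4: ("Good to Know, Unknown Target", "Monitored network, but unknown host"),
    0: ("Good to Know, Unknown Network", "Unmonitored network"),
}

@dataclass
class Host:
    """One entry in the network map built by discovery (constructed sample data)."""
    ip: str
    open_ports: set = field(default_factory=set)   # {("tcp", 80), ("udp", 53), ...}
    protocols: set = field(default_factory=set)    # protocols seen in use, e.g. {"tcp", "icmp"}
    vulns: set = field(default_factory=set)        # vulnerability IDs mapped to this host

@dataclass
class IntrusionEvent:
    """Minimal intrusion event: the target, the protocol and the vulns the rule targets."""
    dst_ip: str
    protocol: str               # "tcp", "udp", or a non-port protocol such as "icmp"
    dst_port: Optional[int]     # None for non-port protocols
    rule_vulns: set             # vulnerability IDs the triggering rule is mapped to

def impact_flag(event, network_map, monitored_networks):
    """Return the impact flag (1-4 or 0), checking the slide's rows in order."""
    target = ip_address(event.dst_ip)
    if not any(target in ip_network(net) for net in monitored_networks):
        return 0                                    # unmonitored network: no context at all
    host = network_map.get(event.dst_ip)
    if host is None:
        return 4                                    # monitored, but discovery never saw this host
    if host.vulns & event.rule_vulns:
        return 1                                    # the rule's vulnerability is mapped to the host
    if event.protocol in ("tcp", "udp"):
        relevant = (event.protocol, event.dst_port) in host.open_ports
    else:
        relevant = event.protocol in host.protocols
    return 2 if relevant else 3

def triage(events, network_map, monitored_networks):
    """Order events as the slide's table does: flag 1 first, then 2, 3, 4 and 0."""
    order = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}
    flagged = [(impact_flag(e, network_map, monitored_networks), e) for e in events]
    return sorted(flagged, key=lambda fe: order[fe[0]])

# Constructed sample network map and events; the host and VULN-* IDs are placeholders.
NETWORK_MAP = {
    "10.1.0.5": Host("10.1.0.5", open_ports={("tcp", 80), ("tcp", 22)},
                     protocols={"tcp", "icmp"}, vulns={"VULN-A", "VULN-B"}),
}
MONITORED = ["10.1.0.0/16"]
SAMPLE_EVENTS = [
    IntrusionEvent("10.1.0.5", "tcp", 80, {"VULN-A"}),     # flag 1: mapped vuln hit
    IntrusionEvent("10.1.0.5", "tcp", 80, {"VULN-X"}),     # flag 2: port open, vuln not mapped
    IntrusionEvent("10.1.0.5", "tcp", 3389, {"VULN-X"}),   # flag 3: port not open
    IntrusionEvent("10.1.0.5", "icmp", None, set()),       # flag 2: protocol in use
    IntrusionEvent("10.1.0.77", "tcp", 445, {"VULN-C"}),   # flag 4: monitored, unknown host
    IntrusionEvent("192.0.2.9", "tcp", 80, {"VULN-A"}),    # flag 0: unmonitored network
]
```

triage(SAMPLE_EVENTS, NETWORK_MAP, MONITORED) returns the events ordered by flag 1, 2, 2, 3, 4, 0, and IMPACT[flag] gives the action and reason text for each.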

Page 48: NGFW


Context Explorer

•  Data exploration tool

•  Visualizations of IoC, Network, Intrusion, File, App, User, and Geo info

•  Advanced filtering across data silos

•  Drill downs into detailed event analysis

•  Accessible from analysis tools to provide context


Page 49: NGFW

Correlation Engine

•  Flexible Boolean rules engine functioning on the real-time event stream at the FireSIGHT Management Console
   •  Comprehensive access to events and all their columns
   •  Arbitrarily complex rule conditions
   •  Host profile qualification
   •  Dynamic connection tracking triggered by rule criteria
•  Responses
   •  Email, Syslog, SNMP Traps
   •  Remediation
      •  API driven subsystem to dynamically respond to triggering Correlation Rules

Page 50: NGFW

Correlation Engine – Anomaly Detection

•  Compliance Whitelists
   •  Define a set of criteria against which to measure hosts of interest on your network
      •  Operating System
      •  Network Protocol, Application Protocol, Web Application, and Client Application
•  Traffic Profiles
   •  Set a baseline for connections that meet all the complex criteria provided by the correlation engine, then alert on aberrant behavior

Page 51: NGFW

Cisco Confidential 51 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Deployment Guidelines

Page 52: NGFW

Deploying ASA w/ FirePOWER Services: High Availability with ASA Failover

•  Available on all ASA platforms
•  State-sharing between Firewalls for high availability
•  L2 Transparent or L3 Routed deployment options
•  Failover Link
•  ASA provides valid, normalized flows to FirePOWER module
•  State sharing does not occur between FirePOWER Services Modules

Page 53: NGFW

Deploying ASA w/ FirePOWER Services: Scaling IPS with ASA5585-X Clustering

•  Up to 8 ASA5585-X IPS
•  Stateless load balancing by external switch
•  L2 Transparent or L3 Routed deployment options
•  Support for vPC, VSS and LACP
•  Cluster Control Protocol/Link
•  State-sharing between Firewalls for symmetry and high availability
•  Every session has a primary and secondary owner ASA
•  ASA provides traffic symmetry to FirePOWER module

Page 54: NGFW


Multi-Context ASA Deployments

•  ASA can be configured in multi context mode such that traffic going through the ASA can be assigned different policies

•  These interfaces are reported to the FirePOWER blade and can be assigned to security zones that can be used in differentiated policies.

•  In this example, you could create one policy for traffic going from Context A Outside to Context A Inside, and a different policy for Context B Outside to Context B Inside.

•  Note: the FirePOWER module has no management segmentation comparable to the context concept in the ASA configuration.

Figure: Context A and Context B, each with an Outside and an Inside interface.

Page 55: NGFW


Multi-Context ASA Deployments

Figure: Admin Context and Context-1.

Page 56: NGFW


5506 / 5508

Page 57: NGFW


New ASA Models Desktop ASA-5506

Rack-mount ASA-5508

Page 58: NGFW

On Box Manager: ASDM 7.3.x

New! Combines control over access policies and advanced threat defense functions. The enhanced UI provides quick views on trends and the ability to drill down for details.

Page 59: NGFW

Centralized Management

Provides security teams with:
§  Management for multiple devices
§  Comprehensive visibility and control over network activity
§  Optimal remediation through infection scoping and root cause determination

BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Page 60: NGFW


Q&A

Page 61: NGFW

Thank you.