Next Generation Firewall- CLLE

The Next Generation Firewall is important because it provides visibility of your network and application usage. The world of the internet is changing and the internet needs a makeover. Cisco Live Sled East, Cisco Live Local Edition (CLLE)

    Presentation Transcript

    • Local Edition
    • © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
    • Cisco ASA NGFW Technical Deep Dive
      Clark Gambrel, Consulting Systems Engineer – Security, cgambrel@cisco.com
    • The World Is Changing – The Era of an Internet Makeover
      The paradox for us as security professionals: Mobility, Threats / APT, Cloud, Virtualization, Devices, Collaboration, Apps, BYOD, HTTPS/SSL, IPv6 vs. SECURITY
    • Why Do I Need / Want Next Generation Firewalling?
      ‒ Pure visibility of network and application usage? Is TCP port 80 traffic really HTTP?
      ‒ Identity firewalling? How can I make access rules based on individual users and groups?
      ‒ What CAN I block? How can I allow social media for my business and still block the unproductive games?
      ‒ Acceptable use? How can I ensure my users are not breaking policy?
      ‒ Threat defense? How can I defend against day-zero attacks to my network?
    • The ASA Next Generation Solution
      ‒ ASA: industry's most widely deployed stateful inspection firewall & remote access solution
      ‒ CX capabilities: Apps, Users; URL Filtering; Web Reputation (SIO)
      ‒ Together: the ASA CX "solution"
    • Layer 3/4 Firewall Still Needed? Functions across ASA and ASA CX: IP fragmentation, IP option inspection, TCP Intercept, TCP normalization, ACL, NAT, VPN termination, routing, TCP proxy, TLS proxy, AVC, multiple policy decision points, HTTP inspection, URL category/reputation
    • Cisco ASA CX Main Features
      ‒ User ID / active & passive authentication
      ‒ Application visibility & control – broad and web
      ‒ SSL/TLS decryption
      ‒ HTTP inspection
      ‒ Web reputation
      ‒ URL filtering
      ‒ Reporting
      ‒ Eventing
      ‒ Layer 3/7 access rules
    • Apps, Users: Business Problems Solved (business problem – how ASA CX addresses it)
      ‒ Bandwidth misuse – view usage of peer-to-peer applications
      ‒ Sensitive company data uploaded to the cloud – control usage of file sharing applications
      ‒ Employee productivity – block non-productivity-related applications, while still allowing general access to social networking
      ‒ Malware writers taking control of machines through remote control apps – block remote control applications, while allowing WebEx
      ‒ Malware masquerading as a well-known app – identify and control applications that operate on well-known open ports
    • Apps, Micro-apps and App Behavior
      ‒ App Support: broad classification of all traffic, 1,000+ apps
      ‒ MicroApp Engine: deep classification of targeted traffic, 75k+ MicroApps
      ‒ App Behavior: control user interaction with the application
    • Granular App Control (Jul, Aug, Sep) – http://www.asacx-cisco.com/
    • Granular App Control, apps and micro-app actions added by month (http://www.asacx-cisco.com/)
      ‒ Nov: Ameba; Yahoo! Mobage; 2Channel; Pinterest: Block File Upload, Block Posting Text, Block Like; Yandex
      ‒ Dec: Winamp Remote; Gree; Google Drive: Upload, Download, Sharing, Editing; Scribd: Upload, Download, Post; SkyDrive: Upload, Download, Editing; SmugMug: Upload, Download, Like, Sharing; Microsoft Windows Azure; Salesforce CRM; Msft CRM Dynamic; iscsi-target; LogMeIn; Mikogo; Oracle e-Business Suite Unencrypted Traffic; Google Services
      ‒ Jan: eBay; FileDropper; Mixi; AOL Mail: Download attachment, Upload attachment, Send email; Photobucket: Upload file, Download file, Share; Dailymotion: Upload file, Post, Site Content Enforcement; Answers.com: Post; DocStoc: Upload file, Download file; Microsoft Lync; Gbridge
      ‒ Feb: Tor; ShowMyPC; Facetime; Yahoo-Accounts; Camo-proxy; Glide; Nico Nico Douga; Twiddla; Suresome; Techinline; Vimeo: Upload, Download, Post text
    • Application Development – www.asa-cx.com
    • URL Filtering: Business Problems Solved (business problem – how ASA CX addresses it)
      ‒ Enforcing HR acceptable use policy – block certain web site categories for everyone: Adult, Child Abuse Content, Gambling, Hate Speech, Illegal Activities, etc.
      ‒ Creating a safe learning environment – deny students but allow faculty access to the following web site categories: Entertainment, Arts, Dining and Drinking, Online Trading
      ‒ Maintaining employee productivity – deny employees access to the following web site categories: Sports and Recreation, Travel, Photo Search and Images
      ‒ Controlling bandwidth-hungry sites – deny users access to the following web site categories: File Transfer Services, Freeware and Shareware, Illegal Downloads, Internet Telephony
      ‒ Users circumventing policy – block proxies that allow you to surf the internet anonymously
    • URL: Industry-leading coverage and efficacy – content filtering for Marketing, Legal, Finance
    • Web Reputation: Business Problems Solved (business problem – how ASA CX addresses it)
      ‒ Zero-day malware getting through traditional defenses – malware gets constantly tweaked so that desktop/network AV does not detect it. New malware is released in the wild for <24 hours. Web Reputation is always able to block it even if the payload had changed.
      ‒ Social engineering attacks – you get a URL link in Facebook chat, saying "Check out this cool video!". You click the link. Web Reputation blocks that specific transaction, while allowing general access to Facebook.
      ‒ Infected machines sending data out – ASA's Botnet Traffic Filter detects and blocks all attempts to contact command-and-control centers / botnet masters
    • SenderBase
      ‒ Over 700K global sensors; over 100M endpoints; 5B web requests per day; visibility into 35% of global email; global correlation & so much more
      ‒ Dynamic updates: every 3-5 minutes, for every security product; over 3K IPS signatures; over 200 parameters tracked; over 8M rules per day
      ‒ Threat Operations Center: over $100M in dynamic R&D; over 500 engineers, technicians & researchers; over 40 languages; 24x7x365 operations; over 100 security patents
    • SIO In Action – Popular sport of the day: Phishing (example URL shown on the slide: http://www.carltoncupcakes.co.uk/web/nbtadf/caasav/5c3a91801f4553e7ba154429f3be5150/mfwidws.html)
    • SIO In Action – Today's Catch: Malware
    • SIO In Action – This One Didn't Get Away
    • Topics of Interest: Hardware Overview; Software Overview; Packet Flow; Management Architecture; Traffic Redirection; ASA vs CX vs WSA vs CWS
    • Hardware Overview
    • Supported Hardware Platforms
      ‒ ASA 5500-X supported
      ‒ ASA 5585-X SSP-10 & SSP-20 supported
      ‒ Performance and scalability (SOHO, Branch Office, Internet Edge, Campus, Data Center): ASA 5512-X (1 Gbps, 10K cps); ASA 5515-X (1.2 Gbps, 15K cps); ASA 5525-X (2 Gbps, 20K cps); ASA 5545-X (3 Gbps, 30K cps); ASA 5555-X (4 Gbps, 50K cps); ASA 5585-X SSP-10 (4 Gbps, 50K cps); ASA 5585-X SSP-20 (10 Gbps, 125K cps); ASA 5585-X SSP-40 (20 Gbps, 200K cps); ASA 5585-X SSP-60 (40 Gbps, 350K cps); roadmap
    • ASA CX
      ‒ Hardware blade on 5585-X
      ‒ Software install on 5500-X
      ‒ SSP-10 and SSP-20 today
      ‒ SSP-40/60 Q4CY13
    • ASA CX – Front View
      ‒ Two hard drives, RAID1 (event data)
      ‒ 10GE and GE ports
      ‒ Two GE management ports (new)
      ‒ 8 GB eUSB (system) (new)
    • CX on 5585-X vs 5500-X
      ‒ Storage: ASA 5500-X: SSD, 120GB capacity; "show inventory" on ASA will show SSD details; ASA will shut down the CX service when all storage devices have been removed. ASA 5585-X SSP: spinning hard drives, 600GB capacity
      ‒ RAID: ASA 5500-X: supported only on 5545 & 5555; RAID CLI is on ASA. ASA 5585-X SSP: supported on both SSP-10 and SSP-20; RAID CLI is on CX
      ‒ Console & management: ASA 5500-X: CX console is through the ASA CLI; shares the management port with ASA. ASA 5585-X SSP: dedicated console; dedicated management port
      ‒ CX / PRSM features: all features are supported on both
    • SSP-10 vs SSP-20
      ‒ Processors: multi-core 64-bit (both)
      ‒ Maximum memory: SSP-10 12 GB (6 GB per blade); SSP-20 24 GB (12 GB per blade)
      ‒ Maximum storage: 8 GB eUSB, 600 GB hard disk, RAID1 / hot-swappable (both)
      ‒ Ports: 2 x 10 Gb SFP+, 8 x 1 Gb Cu, 2 x 1 Gb Cu management (both)
      ‒ Crypto chipset: yes (both)
    • ASA 5500-X NGFW Performance (AVC + WSE, EMIX traffic profile): ASA 5512-X 200 Mbps; ASA 5515-X 350 Mbps; ASA 5525-X 650 Mbps; ASA 5545-X 1 Gbps; ASA 5555-X 1.4 Gbps
    • ASA 5585-X NGFW Performance (ASA CX SSP-10 vs ASA CX SSP-20)
      ‒ Throughput, multi-protocol: 2 Gbps vs 5 Gbps
      ‒ Concurrent connections: 500,000 vs 1,000,000
      ‒ New connections per second: 40,000 vs 75,000
    • Module Map: Hardware Overview; Software Overview; Packet Flow; Management Architecture; Traffic Redirection; ASA vs CX vs WSA vs CWS
    • Software Architecture
      ‒ Control plane; management plane; data plane – L3-L4, identity, broad AVC
      ‒ HTTP engine; AVC, URL, WBRS inspection engines; TLS proxy
      ‒ Eventing; reporting; authentication
      ‒ Identity: AD, CDA (Cisco Context Directory Agent), OpenLDAP
      ‒ Packet data and RPC data paths
    • Functional Overview
    • Compatibility* with existing ASA features (* in Version 1.0)
    • Module Map
    • Packet Flows
    • Packet flow diagram – ASA and ASA CX SSP
      ‒ ASA SSP configures and controls CX SSP customer ports
      ‒ ASA SSP processes all ingress/egress packets; no packets are directly processed by CX SSP except for management ports
      ‒ Flow: ASA ingress → CX ingress → egress after CX processing. The ASA SSP (CPU complex, fabric switch, crypto engine, 10GE NICs, ports) and the CX SSP (CPU complex, fabric switch, crypto or regex engine, 10GE NICs) are connected over the ASA 5585-X chassis backplane
    • Packet flow diagram – ASA decision process (ASA / ASA CX)
    • Day-in-the-life of a packet – example non-HTTP traffic (note: details of the flow differ for different traffic characteristics)
      ‒ L3/L4 Check: determine L3 and L4 information
      ‒ Broad AVC: determine protocol and application
      ‒ Access Policy: allow or deny verdict based on access policy
      ‒ Packet Egress: return packet back to the ASA SSP with an allow verdict
    • Day-in-the-life of a packet – example HTTP traffic (note: details of the flow differ for different traffic characteristics)
      ‒ L3/L4 Check: determine L3 and L4 information
      ‒ Broad AVC: determine protocol and application
      ‒ TCP Proxy: handle the TCP 3-way handshake
      ‒ HTTP Inspector: determine application, URL category, reputation, user agent
      ‒ Access Policy: allow or deny verdict based on access policy
      ‒ Packet Egress: return packet back to the ASA SSP with an allow verdict
    • Module Map
    • ASA CX Management Architecture
    • Cisco Prime Security Manager (PRSM)
      ‒ Built-in / on-box: configuration, eventing, reporting
      ‒ Off-box: configuration, eventing, reporting; multi-device manager for ASA CX; role based access control; virtual machine or UCS appliance (C Series M3); the PRSM virtual machine supports VMware ESX 4.1+
    • What's Available via CLI
      ‒ delete – delete files (cores and packet captures)
      ‒ setup – configure the IP addresses, hostname, domain, DNS, NTP
      ‒ system (reload | shutdown) – reboot or stop the blade
      ‒ system (upgrade | revert) – upgrade or downgrade the OS
      ‒ services (start | stop) – turn on and off the services, including packet inspectors
      ‒ ping, nslookup, traceroute – management interface connectivity troubleshooting
      ‒ show interface – statistics for the management interface
      ‒ show opdata – show operational data from the data plane
      ‒ show tech-support – outputs for Cisco support troubleshooting
      ‒ support tail log – watch the logs on the CLI
      ‒ support diagnostics – package and upload a collection of logs and debug info (including packet captures)
      ‒ config (backup | restore) – back up or restore the configuration. Backup requires FTP. Restore requires FTP or HTTP
    • Logs on ASA CX and PRSM
    • Module Map
    • Sending Traffic to CX SSP
      ‒ Use the ASA Modular Policy Framework (MPF) to direct traffic to the CX blade.
      ‒ Note: You do not have to modify the ASA configuration – PRSM will do that for you.
      ‒ PRSM Multi-device applies this when connecting to CX:
          policy-map global_policy
           class class-default
            cxsc fail-open auth-proxy
          service-policy global_policy global
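    The deck's default redirects every flow (class-default) with fail-open, so traffic bypasses CX inspection whenever the module is down. As an added example (not from the slides or from PRSM), the same MPF redirection narrowed to one access list and set to fail-close; the ACL name CX_REDIRECT, the class-map name and the 10.1.0.0/16 subnet are assumed placeholders.

```text
! Added example, not from the deck: redirect only the selected traffic to CX,
! and drop it rather than bypass CX if the module is unavailable (fail-close).
! CX_REDIRECT, CX_TRAFFIC and 10.1.0.0/16 are assumed placeholders.
access-list CX_REDIRECT extended permit ip 10.1.0.0 255.255.0.0 any
class-map CX_TRAFFIC
 match access-list CX_REDIRECT
policy-map global_policy
 class CX_TRAFFIC
  cxsc fail-close auth-proxy
service-policy global_policy global
```

    Fail-close trades availability for assurance: flows matching the class are dropped while CX is down instead of being forwarded uninspected, so pair it with monitoring of the module state.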
    • Module Map
    • ASA CX & WSA/CWS: Feature Overlap & Differences
      ‒ Common to both: URL filtering; web reputation; web applications (like Facebook, LinkedIn, Twitter); user identification; SSL decryption; policy actions: allow/block; end user notification; Top N reports
      ‒ WSA / CWS: caching (WSA); AV scanning; data loss prevention; explicit proxy (WSA); SOCKS proxy* (WSA); no backhauling (SS); additional policy actions: time-based controls, warn
      ‒ ASA CX: inline firewall; non-web applications (like Skype, Oracle, SAP); network protocols (like SMTP, DNS, ICMP); Layer 3-7 access rules; networking capabilities like NAT, routing, VPN; inbound threat prevention*
      ‒ * Roadmapped
    • ASA vs ASA CX
      ‒ ASA: core or datacenter; multi-tenant; Active/Active failover
      ‒ ASA CX: campus or edge; application control; next-gen firewall
    • WSA vs ASA CX
      ‒ WSA: secure web proxy; anti-malware scan; DLP; caching; comprehensive web security
      ‒ ASA CX: next-gen firewall; inline; all ports/protocols; essentials web security
    • Cloud Web Security vs ASA CX
      ‒ Cloud Web Security: reduced equipment cost; secure mobile/roaming users; distributed enterprise
      ‒ ASA CX: on-prem security; inline; all ports/protocols
    • PRSM: Centralized Management & Reporting
      ‒ Layers: Application Visibility & Control; Web Security Essentials (URL Filtering + Reputation); CX hardware (identity, on-box management & reporting); ASA hardware
      ‒ 1Y, 3Y, 5Y subscriptions
    • Register for Cisco Live – Orlando, June 23 – 27, 2013, www.ciscolive.com/us