ASA Firepower NGFW Update and Deployment Scenarios

This session focuses on typical deployment scenarios for the Adaptive Security Appliance (ASA) family running FirePOWER Services. It also includes a feature overview and comparison of the ASA with FirePOWER Services and the new Firepower Threat Defense (FTD) image, with updates on the new Firepower hardware platforms. Deployment use cases include Internet edge, various segmentation scenarios, and VPN. A configuration walk-through and accepted best practices are covered. The session is designed for existing ASA customers and targets security and network engineers, who will learn the benefits of a Firepower NGFW in network edge and Internet use cases.



  1. NGFW Update and Deployment Scenarios
     Michael Mercier, Consulting Systems Engineer, Security Solutions
     May 19, 2016
     © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
  2. Housekeeping notes
     Thank you for attending Cisco Connect Toronto 2016. Here are a few housekeeping notes to ensure we all enjoy the session today.
     • Please ensure your cellphones / laptops are set on silent so that no one is disturbed during the session.
  3. Agenda
     • Firepower NGFW
     • Firepower Threat Defense Software Overview
     • Firepower 4100 Next-Generation Security Architecture
     • Firepower 9300 Next-Generation Security Architecture
     • FTDv
     • Licensing
     • Performance
     • Deployment Modes / Use Cases
     • Deployment Considerations
  4. Relevant Terminology
     • Firepower Threat Defense (FTD): unified codebase software image.
     • Firepower 4100 Series and 9300 Appliances: brand for the new hardware product offerings, which run FTD or ASA.
     • "Firepower Next-Generation Firewall (NGFW)": FTD + hardware appliance.
     • Firepower Management Center (FMC): formerly FireSIGHT. Unified manager for NGFW, NGIPS, AMP, and FirePOWER on ISR.
     • ASA with FirePOWER Services: two managers, full firewall feature set.
  5. Cisco Firepower NGFW: Threat Focused, Fully Integrated
     Enable your business with a fully integrated, threat-focused solution:
     • Stop more threats
     • Gain more insight
     • Detect earlier, act faster
     • Reduce complexity
     • Get more from your network
  6. Stop more threats across the entire attack continuum (Cisco Firepower NGFW)
     • BEFORE: Discover threats and enforce security policies
     • DURING: Detect, block, and defend against attacks
     • AFTER: Remediate breaches and prevent future attacks
  7. "You can't protect what you can't see": Gain more insight with increased visibility
     Visibility comparison chart (typical IPS vs. typical NGFW vs. Cisco Firepower NGFW) across: Threats, Users, Web applications, Application protocols, File transfers, Malware, Command and control servers, Client applications, Operating systems, Mobile devices, VoIP phones, Routers and switches, Printers, Network servers.
  8. Detect infections earlier and act faster
     Industry median time to detection (TTD)*: 100 days. Cisco: 17.5 hours. (Source: Cisco 2016 Annual Security Report; *median time to detection)
     • Automated attack correlation
     • Indications of compromise
     • Local or cloud sandboxing
     • Malware infection tracking
     • Two-click containment
     • Malware analysis
  9. Firepower Management Center
  10. Cisco Firepower Management Center: Reduce complexity with simplified, consistent management
     Unified:
     • Network-to-endpoint visibility
     • Manages firewall, applications, threats, and files
     • Track, contain, and recover remediation tools
     Scalable:
     • Central, role-based management
     • Multitenancy
     • Policy inheritance
     Automated:
     • Impact assessment
     • Rule recommendations
     • Remediation APIs
  11. Cisco Firepower Management Center: Get more from your network through integrated defenses
     Shared intelligence, shared contextual awareness, consistent policy enforcement.
     Integrated components shown: Talos, Firepower 4100 Series, Firepower 9300 Platform, Visibility, Radware DDoS, Network analysis, Email, Threats, Identity and NAC, DNS, Firewall, URL.
  12. Firepower Management Center Appliances
     Model                              FS750       FS2000            FS4000            Virtual
     Maximum devices managed*           10          70                300               up to 25 (ASA or FirePOWER appliances)
     Event storage                      100 GB      1.8 TB            3.2 TB
     Maximum network map (hosts/users)  2000/2000   150,000/150,000   600,000/600,000
     Events per second (EPS)            2000        12,000            20,000
     * Maximum number of devices is dependent upon sensor type and event rate.
     Virtual FireSIGHT Management Center for 2 or 10 ASA devices only (FS-VMW-2-SW-K9, FS-VMW-10-SW-K9); not upgradeable.
  13. Cisco NGFW Platforms
     All* managed by Cisco Firepower Management Center:
     • Cisco Firepower 4100 Series and 9300 (new appliances)
     • Cisco FirePOWER Services on ASA 5585-X
     • Cisco Firepower Threat Defense on ASA 5500-X
     *5585-X management available 2HCY16.
  14. Firepower Threat Defense
  15. Converged Software: Firepower Threat Defense
     • New converged software image: Firepower Threat Defense contains all FirePOWER Services plus select ASA capabilities.
     • Single manager: Firepower Management Center* (*also manages Firepower Appliances and FirePOWER Services, not ASA software).
     • Same subscriptions as FirePOWER Services, enabled by Smart Licensing: Threat (IPS + SI + DNS), Malware (AMP + ThreatGrid), URL Filtering.
  16. What features are available?
     • Everything from Firepower 6.0.1
     • Phased introduction of features from ASA
     • FTD 6.0.1: IPv4 and IPv6; connection state tracking and TCP normalization; Access Control; NAT (full support); unicast routing (except EIGRP); ALGs (only default configuration); intra-chassis clustering on Firepower 9300; stateful failover (HA)
  17. High-Level Feature Comparison: ASA with FirePOWER Services, Firepower Threat Defense
     Feature                                   FirePOWER Services for ASA   Firepower Threat Defense   Notes for Firepower Threat Defense
     HA, NAT                                   ✔                            ✔
     Routing                                   ✔                            ✔                          Multicast in 6.1, no EIGRP
     Unified ASA and Firepower rules/objects   ✘                            ✔
     Local Management                          ✔                            ✔                          In 6.1, features differ
     Multi-Context                             ✔                            ✘
     Inter-chassis Clustering                  ✔                            ✘
     VPN                                       ✔                            ✔                          Site-to-Site VPN in 6.1
     Hypervisor Support                        ✘                            ✔                          AWS, VMware; KVM in 6.1
     Smart Licensing support                   ✘                            ✔
     Note: Not an exhaustive list of differences between these offerings.
  18. Firepower Threat Defense: Phased Delivery (High-Priority NGFW Feature Parity)
     General Availability v6.0.1 (Mar. 2016):
     • FP 9300/4100 platforms • ASA low/mid platforms • All of FP Services 6.0 • ASA+FP rules/objects • Transparent/routed deployment • Active/passive HA • NAT (dynamic/static) • OSPF, BGP, RIP, static • ALGs (fixed config) • SYN cookie/anti-spoof
     v6.1 (Q4FY16):
     • Site-to-Site VPN • Rate-limiting • Multicast and EIGRP • VDI user identity • AMP Private Cloud • ISE remediation • X-Forwarded-For • Web safe search • Built-in risk reports • KVM virtual platform • On-box web UI • FMC HA, scale and API
     1HFY17:
     • Remote Access VPN • Device clustering • SSL acceleration • Traffic QoS • Time-based policies • Hyper-V / Azure • MS Exchange identity • Packet trace/capture • Configuration CLI
  19. What Platforms run Firepower Threat Defense?
     All* managed by Cisco Firepower Management Center:
     • Cisco Firepower Threat Defense on Firepower 4100 Series and 9300 (new appliances)
     • Cisco FirePOWER Services on ASA 5585-X
     • Cisco FirePOWER on 7000/8000 Series Appliances
     • Cisco Firepower Threat Defense on ASA 5500-X
     *5585-X ASA module management being investigated for 2HCY16.
  20. Firepower Threat Defense Software Overview
  21. Advantages of Firepower Threat Defense
     • New Next-Generation Firewall offering
     • Brings together the best features from ASA and Firepower, all under one OS
     • Zero-copy packet inspection
     • Single management application
     • Duplicate functionality removed
     Diagram: previously ASA (managed by CSM/ASDM) plus FirePOWER Services (managed by FireSIGHT); now Firepower Threat Defense combines L2-L4 inspections (ASA technology) and advanced inspections (FirePOWER technology) under Firepower Management Center.
  22. ASA with FirePOWER Services Packet Flow
     Ingress NIC → L2/L3 decode → L4 decode → flow lookup → route lookup → NAT lookup → inspection checks → (kernel virtual TAP into the FirePOWER Services virtual container: AVC, IPS, File/AMP, event database) → routing → NAT → flow update → egress NIC.
     Two OSes (ASA and FirePOWER) running side by side.
  23. Firepower Threat Defense Packet Flow
     Ingress NIC → L2/L3 decode → L4 decode → flow lookup → route lookup → NAT lookup → inspection checks → (FirePOWER Services via the packet library (PDTS): AVC, IPS, File/AMP, event database) → routing → NAT → flow update → egress NIC.
     Zero copy, single OS.
  24. Unified Access Control policies
     Access policies are broken down into two sets of rules:
     • Advanced ACLs: evaluate L2-L4 attributes and give a verdict of Permit, Deny, or Trust.
     • NGFW ACLs: evaluate L7 attributes and give a verdict of Allow, Block, or Trust.
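     The two-tier split on slide 24 is easiest to reason about as an evaluation order. The following is an added illustration, not Cisco code and not how FTD is implemented internally; it models the rule sets as two first-match lists and assumes (as labelled in the comments) that a Deny or Trust verdict at the L2-L4 tier ends evaluation, that Permit hands the flow to the NGFW tier, and that only an L7 Allow keeps deep (IPS/AMP-style) inspection in the path. The sample rules, addresses and application names are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Flow:
    src: str
    dst: str
    proto: str                        # "tcp" or "udp"
    dport: int
    app: Optional[str] = None         # L7 attributes, only known after inspection
    url_category: Optional[str] = None


@dataclass
class L4Rule:
    """Advanced (L2-L4) rule: verdict is Permit, Deny or Trust."""
    name: str
    verdict: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


@dataclass
class L7Rule:
    """NGFW (L7) rule: verdict is Allow, Block or Trust."""
    name: str
    verdict: str
    app: Optional[str] = None
    url_category: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return ((self.app is None or self.app == f.app)
                and (self.url_category is None
                     or self.url_category == f.url_category))


@dataclass
class Decision:
    action: str                 # "forward" or "drop"
    decided_at: str             # "L4" or "L7": which rule set produced the verdict
    deep_inspection: bool       # assumption: only an L7 Allow keeps IPS/AMP in the path
    trail: List[str] = field(default_factory=list)


def evaluate(flow: Flow, l4_rules: List[L4Rule], l7_rules: List[L7Rule],
             default_l7: str = "Block") -> Decision:
    """First match wins in each tier; Permit at L4 hands the flow to the L7 tier."""
    trail: List[str] = []
    for r in l4_rules:
        if r.matches(flow):
            trail.append(f"L4:{r.name}={r.verdict}")
            if r.verdict == "Deny":
                return Decision("drop", "L4", False, trail)
            if r.verdict == "Trust":          # Trust: forwarded, never deep-inspected
                return Decision("forward", "L4", False, trail)
            break                             # Permit: continue to NGFW rules
    else:
        trail.append("L4:no-match=Permit")    # assumption: unmatched L4 traffic still goes to L7
    for r in l7_rules:
        if r.matches(flow):
            trail.append(f"L7:{r.name}={r.verdict}")
            if r.verdict == "Block":
                return Decision("drop", "L7", False, trail)
            return Decision("forward", "L7", r.verdict == "Allow", trail)
    trail.append(f"L7:default={default_l7}")
    if default_l7 == "Block":
        return Decision("drop", "L7", False, trail)
    return Decision("forward", "L7", True, trail)


# Constructed sample policy (not from the deck).
L4_RULES = [
    L4Rule("trust-backup", "Trust", src="10.1.0.0/16", dst="10.2.0.5/32",
           proto="tcp", dport=22),
    L4Rule("deny-telnet", "Deny", proto="tcp", dport=23),
    L4Rule("permit-rest", "Permit"),
]
L7_RULES = [
    L7Rule("block-p2p", "Block", app="bittorrent"),
    L7Rule("allow-web", "Allow", app="http"),
]


if __name__ == "__main__":
    for f in (Flow("10.1.5.5", "10.2.0.5", "tcp", 22),
              Flow("10.1.2.3", "192.0.2.10", "tcp", 23),
              Flow("10.1.2.3", "192.0.2.10", "tcp", 80, app="http"),
              Flow("10.1.2.3", "192.0.2.10", "tcp", 6881, app="bittorrent"),
              Flow("10.1.2.3", "192.0.2.10", "udp", 53, app="dns")):
        print(evaluate(f, L4_RULES, L7_RULES))
```

     The `trail` field records which tier and rule decided each flow; the practical point for policy reviewers is that an L4 Trust match means the flow never reaches the NGFW tier, so a broad Trust rule placed early silently exempts traffic from application control, IPS and file inspection.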
  25. Unified Objects Configuration
     Screenshots: objects in 5.4 vs. objects in 6.0.
  26. Firepower 4100 Next Generation Firewall
  27. Cisco Firepower 4100 Series: Introducing four new high-performance models
     Multiservice Security:
     • Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
     • Radware DefensePro DDoS
     • ASA and other future third party
     Performance and Density Optimization:
     • 10-Gbps and 40-Gbps interfaces
     • Up to 80-Gbps throughput
     • 1-rack-unit (RU) form factor
     • Low latency
     Unified Management:
     • Single management interface with Firepower Threat Defense
     • Unified policy with inheritance
     • Choice of management deployment options
  28. Hardware Overview
  29. Firepower 4100 Series Front and Rear View
     Front: SSD1, SSD2; fixed ports 1-8; NetMod 1 (slot); NetMod 2 (slot); console; management port; status LEDs (Power, SYS, ACT, SSD status). Rear: PS1, PS2; FAN1-FAN6.
  30. Firepower 4110/20/40/50: Hardware Components
     Supervisor module:
     • Console and management port
     • 8 x 10G fixed Ethernet ports (built-in 8x10GE interfaces)
     • 2 x network module slots (NM slot 1, NM slot 2): 8 x 10G (or) 4 x 40G network module
     • Internal 720G switch fabric; 80G backplane support
     Security engine:
     • Dual x86 CPU, each connected with a Smart NIC and crypto accelerator card (2x40Gbps / 2x100Gbps links)
     • Two SSDs: 1 default + 1 optional (for AMP service); SSD size 200GB for 4120, 400GB for 4140
  31. Software Overview
  32. Firepower 4100 Software
     • FP 4100 Series platform supported from FXOS 1.1.4
     • FXOS provides the interface for device management and provisioning of the security application on the security engine
     • All images are digitally signed and validated through Secure Boot
     • Security application images are in Cisco Secure Package (CSP) format
     • Multiple versions of the same application can be stored in the Supervisor and deployed to the Security Engine on demand
     • Contains system (i.e. ASA, FTD) and other images (i.e. ASDM, REST, and so on)
     Diagram: Supervisor runs the Firepower Extensible Operating System (FXOS); the Security Engine runs the primary application from Cisco (native: ASA or FTD) and a decorator application from a third party (KVM: DDoS).
  33. Security Service Architecture for Firepower 4100 Series Platform
     Diagram: Supervisor with on-board 8x10GE interfaces (Ethernet 1/1-8), NM slot 1 8x10GE (Ethernet 2/1-8), NM slot 2 4x40GE (Ethernet 3/1-4), Ethernet1/7 (management), PortChannel1 (data), and application image storage. Security Module 1 (standalone/cluster) hosts a logical device: the primary application (ASA/FTD packet flow) with a decorator application (Radware vDP) attached via the decorator link and external connector on the Security Engine.
  34. Firepower 9300 Next Generation Firewall
  35. Cisco Firepower 9300 Platform
     Multiservice Security
     Benefits: • Integration of best-in-class security • Dynamic service stitching
     Features*: • Cisco ASA container • Cisco Firepower Threat Defense containers: NGIPS, AMP, URL, AVC • Third-party containers: Radware DDoS, other ecosystem partners
     Modular Carrier Class
     Benefits: • Standards and interoperability • Flexible architecture
     Features: • Template-driven security • Secure containerization for customer apps • RESTful/JSON API • Third-party orchestration and management
     High-speed, scalable security
     Benefits: • Industry-leading performance: 600% higher performance, 30% higher port density
     Features: • Compact, 3RU form factor • 10-Gbps/40-Gbps I/O; 100-Gbps ready • Terabit backplane • Low latency, intelligent fast path • Network Equipment-Building System (NEBS) ready
     * Contact Cisco for services availability.
  36. Cisco Firepower 9300 Overview
     Supervisor:
     • Application deployment and orchestration
     • Network attachment (10/40/100GE) and traffic distribution
     • Clustering base layer for Cisco ASA, NGFW, and NGIPS
     Security Modules (1, 2, 3):
     • Embedded packet and flow classifier and crypto hardware
     • Cisco (ASA, NGFW, and NGIPS) and third-party (DDoS, load-balancer) applications
     • Standalone or clustered within (up to 240 Gbps) and across (1 Tbps+) chassis
  37. Cisco Firepower 9300 Chassis Hardware
     • 19-inch 3RU rack (32 in. deep, 17.5 in. wide, and 135 lb fully loaded)
     • Four FRU fan modules with OIR; N+1 redundancy; front-to-back airflow
     • Dual redundant power supplies with load sharing and OIR
     • 2500 and 1300W AC power supplies initially; 2500W DC to follow
     • Single supply at 110V is not enough for a full chassis; 220V is required
     • Scalable backplane support up to 200 Gbps per security module
  38. Supervisor Module
     Overall chassis management and network interaction:
     • Network interface allocation and security module connectivity (960-Gbps internal fabric)
     • Application image storage, deployment, provisioning, and service chaining
     • Clustering infrastructure for supported applications
     • Cisco Smart Licensing and NTP for the entire chassis
     Front panel: RJ-45 console, 1 GE management (SFP), built-in 10 GE data (SFP+), optional network modules (NMs) 1 and 2.
  39. Supervisor Simplified Hardware Diagram
     x86 CPU and RAM on the system bus; internal switch fabric (up to 24x40GE) connecting the on-board 8 x 10 GE interfaces, Network Module 1 and Network Module 2 (2 x 40 Gbps links), and Security Modules 1-3 (2 x 40 Gbps and 5 x 40 Gbps links).
  40. Network Modules
     • Supervisor configures interfaces and directs traffic to security modules
     • All interfaces are called "Ethernet" and are 1-referenced (for example, Ethernet1/1)
     • Hardware OIR support; software support to follow
     • Mix and match up to two 10 and 40 GE half-width modules
     • 8 x 10 GE SFP or SFP+ per module
     • 4 x 40 GE QSFP per module; each port can be split to 4 x 10 GE
     • 100 GE modules
  41. Security Modules
     • Three security module configurations:
       SM36: 72 x86 CPU cores for up to 80 Gbps of firewalled throughput
       SM24: 48 x86 CPU cores for up to 60 Gbps of firewalled throughput
       (Future) NEBS: SM24 NEBS certification
     • Dual 800GB SSD in RAID1 by default
     • Built-in hardware packet and flow classifier and crypto accelerator
     • Hardware VPN acceleration is targeted for a subsequent software release
  42. Security Module Simplified Diagram
     x86 CPU 1 (24 or 36 cores) and x86 CPU 2 (24 or 36 cores) with RAM on the system bus; packet and flow classifier and crypto accelerator connected to each CPU (2 x 100 Gbps); backplane supervisor connection.
  43. Cisco Firepower 9300 Software
     • Supervisor and security modules use multiple independent images: infrastructure software bundle for supervisor; security module firmware bundle; security application image bundles for modules
     • All images are digitally signed and validated through Secure Boot
     • Service application images are in Cisco Secure Package (CSP) format: stored on the supervisor and deployed to a security module on demand; multiple versions of the same application may be stored; contains system (for example, Cisco ASA) and other images (Cisco ASDM, REST, etc.)
  44. Security Services Architecture on Firepower 9300
     Diagram: Supervisor with on-board 8 x 10 GE interfaces (Ethernet 1/1-8), NM slot 1 8 x 10 GE (Ethernet 2/1-8), NM slot 2 4 x 40 GE (Ethernet 3/1-4), Ethernet 1/7 (management), PortChannel1 (data), and application image storage. Security Modules 1-3 each host a logical device unit of a Cisco ASA cluster (primary application) with a DDoS decorator application attached via the decorator application connector and external connector.
  45. Management Overview
     • Chassis management is independent from applications
     • On-box chassis manager UI and CLI
     • Cisco ASDM is the only management GUI for Cisco ASA initially
     • Future off-box Cisco Firepower Device Manager for both chassis and Cisco applications
     • SNMP and syslog support for chassis-level counters and events on supervisor
     • REST API on supervisor for third-party service management
     • SDN orchestration enablement for security services on demand
  46. FTDv
  47. Cisco FTDv for VMware: Routed, Transparent, Inline Mode (diagram: FTDv managed by FMC)
  48. FTDv for VMware: Passive mode (diagram)
  49. FTDv Service Graph in the ACI Fabric
     • Routed Mode (Go-To)
     • Transparent Mode (Go-Through)
     Diagram: Tenant A, Graph A: EPG Web ↔ FTDv ↔ EPG App, external 10.0.0.0/24 (10.0.0.1) and internal 20.0.0.0/24 (20.0.0.1). Tenant B, Graph B: EPG App ↔ FTDv ↔ EPG DB, BD1/BD2 with BVI 10.0.0.10 in 10.0.0.0/24.
     • Bridge domains need flooding turned on to allow the ASA to see and bridge packets between the two EPGs.
     • Use port-channels on ESXi hosts instead of NIC teaming; NIC teaming can break Go-Through mode.
  50. Cisco FMCv/FTDv in AWS
     • FTDv can connect to an Amazon Virtual Private Cloud (VPC) network, which closely resembles a traditional network topology.
     • The FTDv and FMCv run as guests in the AWS private Xen Hypervisor* environment.
     • Protect your AWS environment by controlling and monitoring traffic. All features, stateful L3 mode, and ERSPAN passive mode are supported.
     • FTDv Transparent Mode and Active/Standby HA are NOT supported (roadmap).
     *Note: The FTDv and FMCv do not support the Xen Hypervisor outside of the AWS environment.
  51. Cisco FMCv/FTDv in AWS
     AWS FMCv is optional, as many organizations like to use their on-premises FMC.
     • Cisco Smart Licensing; AWS hourly coming soon
     • AWS Security Group access control must permit SSH/HTTPS access to your instances
     • Create and attach network interfaces and add a route table entry for Internet access
     • An Elastic IP (static persistent public IP) is required for either FTDv or FMCv remote admin access
     • * 2 management interfaces required for AWS FTDv
                    Instance Type   Interf./Subnets   vCPUs   RAM (GB)
     FMCv           m3.large        3                 2       7.5
     FMCv           m3.xlarge       3                 4       15
     FMCv & FTDv*   c3.xlarge       2                 4       7.5
     FMCv           c3.2xlarge      8                 4       15
  52. Licensing
  53. Firepower Threat Defense Smart Licensing Structure
     • Base License enables NGFW: networking, firewall, and Application Visibility & Control; perpetual license, included with appliance purchase
     • Term-based licenses for advanced protection: Threat, Malware, and URL Filtering
     • Smart License enabled only
     Diagram: Base (NGFW), perpetual (green); Threat (IPS/SI/DNS), Malware (AMP/TG), URL Filtering, term-based (blue).
  54. Mapping Classic Licenses to new Smart Licenses
     Functionality                  Traditional Licensing   Smart Licensing
     Base License (includes AVC)    Protect + Control       Base
     IPS (SI, DNS)                  (EULA enforced)         Threat
     AMP/Threat GRID                Malware                 Malware
     URL Filtering                  URL Filtering           URL Filtering
     Management                     FireSIGHT               Built into Firepower Management Center
  55. Performance: Firepower 4100 and 9300
  56. Performance Highlights
     Highlights   4110   4120   4140   SM-24   SM-36   SM-36x3
     Max FW       20G    40G    60G    75G     80G     225G
     AVC          12G    20G    25G    25G     35G     100G
     AVC+IPS      10G    15G    20G    20G     30G     90G
  57. FTD Performance
                                                              4110   4120   4140   SM-24   SM-36   SM-36x3
     Max Throughput: Application Control (AVC)                12G    20G    25G    25G     35G     100G
     Max Throughput: Application Control (AVC) and IPS        10G    15G    20G    20G     30G     90G
     Sizing Throughput: AVC (450B)                            4G     8G     10G    9G      12.5G   30G
     Sizing Throughput: AVC+IPS (450B)                        3G     5G     6G     6G      8G      20G
     Maximum concurrent sessions w/AVC                        4.5M   11M    14M    28M     29M     57M
  58. ASA Performance
                                                              4110   4120   4140   SM-24   SM-36   SM-36x3
     Stateful inspection firewall throughput (maximum)        20G    40G    60G    75G     80G     225G
     Stateful inspection firewall throughput (multiprotocol)  10G    20G    30G    50G     60G     100G
     Concurrent firewall connections                          10M    15M    25M    55M     60M     70M
     New connections per second                               150K   250K   350K   0.6M    0.9M    2M
     Security contexts                                        250    250    250    250     250     250
     Virtual interfaces                                       1024   1024   1024   1024    1024    1024
     IPsec 3DES/AES VPN throughput                            8G     10G    14G    15G     18G     18G
  59. Deployment Modes and Use Cases
  60. Branding Terms: Review
     Recently announced:
     • Firepower NGFW: new NGFW brand (unified ASA+Firepower)
     • Firepower Threat Defense: new unified appliance software
     • Firepower Management Center: new unified manager
     • Firepower Appliances: new Firepower 4100 Series and Firepower 9300 appliances
     Today:
     • ASA with FirePOWER Services: ASA appliances with ASA and Firepower software, application firewalling and threat defense. The ASA and FirePOWER functions have separate managers.
  61. Deployment Modes
     • Basic deployment modes, firewall modes (choose one): Routed; Transparent
     • Other interface modes, IPS/IDS modes: Inline; Inline Tap; Passive
  62. Firepower Threat Defense interface modes
     Diagram: routed/transparent interfaces (A-D) feeding the policy tables; an inline set made up of Inline Pair 1 and Inline Pair 2; an inline tap; and passive interfaces (interfaces E-J).
  63. Firepower Threat Defense: Integrated Software, Single Management
     Capabilities: Network firewall and routing; High availability; Intrusion prevention; Application visibility & control; Analytics & automation; Network profiling; Identity-based policy control; URL filtering; Malware protection; Cisco Collective Security Intelligence.
  64. Internet Edge Use Case: Firepower NGFW
     Requirements
     Connectivity and availability requirements:
     • Firewall for high availability (redundancy)
     • Firewall should support routed mode
     • Port-channel for interface redundancy and link speed aggregation
     • Dynamic routing support (OSPF / BGP)
     Security requirements:
     • Single context mode
     • Dynamic NAT/PAT and static NAT
     • Identity-based AVC, URL filtering, IPS and malware protection
     • SSL decryption
     Solution
     • Security application: Firepower NGFW appliances with Firepower Management Center
     Caveats
     • VPN connections via a separate appliance until 6.1+
     Diagram: service provider (ISP, HSRP) → Internet edge firewalls in HA → port-channel → campus/private network and DMZ network.
  65. Cloud Data Center Edge: Firepower NGFWv
     Requirements
     Connectivity and availability requirements:
     • Virtual appliance form factor (AWS / vSphere)
     • Firewall for high availability (redundancy)
     • Firewall in routed or transparent mode
     • Support for both North/South and East/West deployments
     Security requirements:
     • Single context mode
     • Identity-based AVC, IPS and malware & CnC protection
     • SSL decryption
     • TrustSec Security Group Tag support
     Solution
     • Security application: Firepower NGFWv virtual appliance with Firepower Management Center
     Caveats
     • KVM support in 6.1 and Microsoft Azure in 6.2
     • Not suitable for micro-segmentation / per-server firewalling
     Diagram: service provider (ISP) → data center edge firewalls in HA → vPC / port-channel → data center network (traffic zone: storage, app servers, WWW server).
  66. Local Data Center Edge: Appliance & Virtual Firepower NGFW
     Requirements
     Connectivity and availability requirements:
     • Firewall for high availability (redundancy)
     • Firewall in routed or transparent mode
     • High bandwidth interfaces (10/40Gb/100Gb) and throughput
     • High bandwidth flow offload support (fast path)
     • Support for both North/South and East/West deployments
     Security requirements:
     • Single context mode
     • Identity-based AVC, IPS and malware & CnC protection
     • SSL decryption
     • TrustSec Security Group Tag support
     Solution
     • Security application: Firepower Threat Defense physical or virtual appliance for Amazon Web Services (AWS) with FMC management
     Caveats
     • Active/Standby failover only; no clustering until a future release
     • No VXLAN support
     Diagram: service provider (ISP) → data center edge firewalls in HA → vPC / port-channel → data center network (traffic zone: storage, app servers, WWW server).
  67. Campus NGFW: Firepower NGFW
     Requirements
     Connectivity and availability requirements:
     • Firewall for high availability (redundancy)
     • Firewall in routed or transparent mode
     • Dynamic routing support (OSPF / BGP)
     • High bandwidth interfaces (10/40Gb) and throughput
     • Port-channel for interface redundancy and firewall-on-a-stick
     Security requirements:
     • Firewall support between security domains within the campus
     • Campus edge firewall
     • Single context mode
     • Identity-based AVC, IPS and malware & CnC protection
     • TrustSec Security Group Tag support
     Solution
     • Security application: Firepower NGFW appliances with Firepower Management Center
     Caveats
     • Active/Standby failover only; no clustering until a future release
     • HA for FMC in 6.1+
     • No EIGRP support
     Diagram: DC / Internet firewalls in HA → campus core → campus distribution (NGFW in A/S HA, port-channel) → access layer; data center edge (vPC / port-channel) with database, app servers and WWW.
  68. ASA
     • ASDM/CSM/RESTful API for management
     • HA and clustering
     • Network firewall (routing | switching)
     • Data center security
     • Service provider security
     • Protocol inspection
     • Identity-based policy control
     • VPN mix
     • Multi-context mode
  69. Use Case: Internet Edge Firewall with VPN Support
     Requirement
     Connectivity and availability requirement:
     • Firewall for high availability (redundancy)
     • Firewall in routed mode
     • vPC/port-channel for interface redundancy and link speed aggregation
     Security requirement:
     • Dynamic NAT/PAT and static NAT
     • Application inspection
     • ACL to control the traffic flows
     • VPN support (S2S, SSL and AnyConnect)
     Solution
     • Security application: ASA Firewall
     Diagram: service provider (ISP, HSRP) → Internet edge firewalls in HA → vPC / port-channel → campus/private network and DMZ network; remote VPN users and branch office connect over VPN.
  70. Map Product to Use Case
     • 5585-X, ASA with Firepower Services: NGFW for data center and enterprise core; anywhere clustering, VPN, and on-box management are required.
     • Firepower 4100 & 9300, ASA Software: dedicated ASA for service provider and data center (firewall only).
     • Firepower 4100 & 9300, Firepower Threat Defense Software: Firepower NGFW for high-speed Internet edge (where clustering, VPN, multi-context, and on-box management are not required).
     Cisco is driving rapid feature parity between ASA with FirePOWER Services and Firepower NGFW, with two additional major releases planned for this year.
  71. ASA 5585-X: 2016 and Beyond (Proven, Reliable, Supported)
     • There are no EOS/EOL plans: won't be considered until CY2017
     • Superior reputation: 5585-X cited in the Nov. 2015 Gartner Research Highlight for Carrier Class Firewalls; our market share is near 50%
     • As customers migrate to newer platforms over the next 5 years, long-term evolution and protection is assured
     • Investment protection built into the engineering plan: threat defense innovation will continue to come regularly to both ASA with FirePOWER Services and Firepower NGFWs
     • Firepower Management Center expected to support management of key ASA features on 5585-X in Q4CY2016* (*pre-commit date)
  72. Deployment Considerations
  73. Software Support by Platform
     Platform                                           Firepower NGFW (FTD)   Firepower NGIPS/AMP Appliance   ASA with FirePOWER Services   ASA   Radware vDP DDoS
     FirePOWER 7000/8000 Series                                                ✓
     ASA Low/Mid Range (5506/08/16/25/45/55)            ✓                                                      ✓                             ✓
     ASA High-end (5585 SSP-10/20/40/60)                                                                       ✓                             ✓
     Firepower 4100/9300 (4110/20/40 / FPR9K, SM-24/36) ✓                                                                                    ✓     ✓
     *Subject to compliance hold.
  74. Deployment Considerations: Migration
     • New deployments: all hardware and software options depending on the requirements; Firepower appliances for 40/100 Gb interfaces
     • ASA refresh: all hardware options, ASA and Firepower appliances
     • Software migration: ASA to ASA software; limited migration from ASA to FTD in the July timeframe; native migration from ASA to FTD in the November timeframe
  75. Security Architecture
  76. More than just an NGFW
     When considering the move to an NGFW:
     • Think about more than just the firewall features
     • Consider the various use cases and integration opportunities
     • Use an architectural approach to ensure the NGFW meets the capabilities required
  77. Thank you.
