Deploying Next Generation Firewalling with ASA - CX

This presentation explains the technology and capabilities behind Cisco's context-aware firewall, Cisco ASA-CX. It introduces a new approach to firewall policy creation based on contextual attributes such as user identity, device type and application usage.


  1. Cisco Next Generation Firewall Services
     Eric Kostlan, Cisco Technical Marketing
     Cisco Connect, Toronto, CA, May 30th, 2013
     © 2012 Cisco and/or its affiliates. All rights reserved.
  2. Objectives
     At the conclusion of this presentation and demonstration, you will be able to:
     • Describe the ASA NGFW and PRSM architecture
     • Describe the features of the ASA NGFW
       o Application Visibility and Control (AVC)
       o Web Security Essentials
     • Utilize the policy framework
       o Policy objects, policies, policy sets
       o Device and object discovery
  3. Module Map
     • Architecture
     • Policy framework
     • Device import
     • Eventing and reporting
     • Demonstration
  4. ASA 5585-X with CX hardware module (diagram)
     • Two hard drives, RAID 1 (event data)
     • 10GE and GE ports
     • Two GE management ports
     • 8 GB eUSB (system)
  5. The ASA 5500-X series firewalls
     • Models are 5512-X, 5515-X, 5525-X, 5545-X and 5555-X
     • 1-4 Gbps throughput
     • Integrated services implemented as a software module
       o Intrusion prevention system (IPS)
       o Context aware next generation firewall (CX)
     • Feature parity with the ASA CX on the 5585-X
     • Must add an SSD to the ASA 5500-X to install the CX module
  6. Cisco Prime Security Manager (PRSM)
     • Built-in (on-box): configuration, eventing, reporting
     • Off-box: configuration, eventing, reporting
       o Multi-device manager for ASA CX
       o Role Based Access Control
       o Virtual machine or UCS appliance
       o The PRSM virtual machine supports VMware ESXi
  7. PRSM <-> ASA CX communication (diagram)
     • PRSM <-> ASA CX: RESTful XML over HTTPS (REST = Representational State Transfer)
     • ASA CX -> PRSM: reliable binary logging
     • Cisco SIO -> ASA CX and PRSM: application identification updates over HTTPS
  8. Packet flow diagram – ASA and CX
     • ASA processes all ingress/egress packets
       o No packets are directly processed by CX except for management
     • CX provides Next Generation Firewall Services
     • Diagram: ASA ingress -> CX ingress -> egress after CX processing
       o ASA module: ports, 10GE NICs, fabric switch, CPU complex, crypto engine
       o CX module: 10GE NICs, fabric switch, CPU complex, crypto or regex engine
       o The ASA and CX modules are connected over the backplane
  9. Functional distribution (diagram)
     • ASA: IP fragmentation, IP option inspection, TCP intercept, TCP normalization, ACL, NAT, VPN termination, routing, botnet filtering
     • CX: TCP proxy, TLS proxy, AVC, multiple policy decision points, HTTP inspection, URL category/reputation
  10. TLS Proxy
     (functional distribution diagram repeated, highlighting the TLS proxy on the CX)
  11. TLS proxy acts as man-in-the-middle
     • Two separate sessions, separate certificates and keys
     • ASA CX acts as a CA, and issues a certificate for the web server
     • Diagram: client on the corporate network <-> ASA CX <-> web server
       1. Negotiate algorithms (client <-> ASA CX); 1. Negotiate algorithms (ASA CX <-> web server)
       2. ASA CX authenticates the server certificate
       3. ASA CX generates the proxied server certificate
       4. Client authenticates the "server" certificate
       5. Generate encryption keys (both sessions)
       6. Encrypted data channel established (both sessions)
       o The certificate is generated dynamically with the destination name but signed by ASA CX
  12. TLS Proxy – Extending NGFW services to TLS traffic
     • Decrypts SSL and TLS traffic across any port
     • Self-signed (default) certificate or customer certificate and key
       o The self-signed certificate can be downloaded and added to the trusted root certificate store on the client
     • Decryption policies determine which traffic to decrypt
       o CX cannot determine the hostname in the client request to choose a decryption policy, because the traffic is encrypted
       o FQDN and URL category are determined using the server certificate
     • If the decision is made to decrypt, CX acts like a man-in-the-middle
       o A new certificate is created, signed by CX or by the customer CA
       o Information such as FQDN and validity dates is copied from the original certificate
       o Name mismatches and expired-certificate errors are ignored by CX and must be handled by the client
  13. Licensed feature – Application Visibility and Control
     (functional distribution diagram repeated, highlighting AVC on the CX)
  14. Application Visibility and Control
     • Supported applications: 1000+
     • Supported micro-applications: 150,000+
     • Powered by the Cisco Security Intelligence Operation (SIO)
       o Utilizes application signatures
       o By default, PRSM and CX check for updates every 5 minutes
  15. Broad AVC vs. Web AVC
     • Broad AVC
       o Broad protocol support
       o Resides in the data plane
       o Less granular control
       o Supports:
         - Application types – for example, email
         - Applications – for example, Simple Mail Transfer Protocol
     • Web AVC
       o HTTP and decrypted HTTPS only
       o More granular control
       o Supports:
         - Application types – for example, Instant Messaging
         - Applications – for example, Yahoo Messenger
         - Application behavior – for example, File Transfer
  16. Non-HTTP/HTTPS packet flow (diagram)
  17. HTTP packet flow (diagram)
  18. HTTPS packet flow (diagram)
  19. Licensed feature – Web Security Essentials
     (functional distribution diagram repeated, highlighting Web Security Essentials on the CX)
  20. Web Security Essentials – Reputation
     Default web reputation profile: scores range from -10 to +10
     • Suspicious: -10 through -6
     • Not suspicious: -5.9 through +10
     Site descriptions along the scale, from most malicious to most trusted:
     • Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious.
     • Phishing sites, bots, drive-by installers. Extremely likely to be malicious.
     • Aggressive ad syndication and user tracking networks. Sites suspected to be malicious, but not confirmed.
     • Sites with some history of responsible behavior or 3rd party validation.
     • Well managed, responsible content syndication networks and user generated content.
     • Sites with a long history of responsible behavior. Have significant volume and are widely accessed.
  21. Web Security Essentials – URL filtering
     • Used to enforce acceptable use
     • Predefined and custom URL categories
     • 78 predefined URL categories
     • 20,000,000+ URLs categorized
     • 60+ languages
     • Powered by the Cisco Security Intelligence Operation (SIO)
       o Utilizes application signatures
       o By default, PRSM and CX check for updates every 5 minutes
  22. Active authentication
     • Requires an HTTP request to initiate authentication
       1. ASA CX sees an HTTP request from a client to a remote website
       2. ASA CX redirects the client to the ASA inside interface (port 885 by default)
          o The redirect is accomplished by sending a proxy redirect to the client (HTTP return code 307), spoofing the remote website
       3. ASA CX sends the client an authentication request (HTTP return code 401)
       4. After authentication, ASA CX redirects the client back to the remote website (HTTP return code 307)
     • After authentication, ASA CX uses the IP address to track the user
       o Both HTTP and non-HTTP traffic will now be associated with the user
     • Integrates with enterprise infrastructure
     • Supported directories include
       o Microsoft Active Directory
       o OpenLDAP
       o IBM Tivoli Directory Server
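The four-step exchange on the active authentication slide, modelled as an added example (this is teaching code, not Cisco's implementation). The status codes (307 proxy redirect, 401 challenge), the default port 885 on the ASA inside interface and the IP-address-based tracking after authentication follow the slide; the ASA host name, the /auth path, the "next" query parameter and the credential store are assumptions made for the demo.

```python
"""Model of the ASA CX active-authentication exchange (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_PORT = 885                        # default redirect port on the ASA inside interface
AUTH_HOST = "asa-inside.example.test"  # assumed address of the ASA inside interface
VALID_USERS = {"fred": "s3cret"}       # constructed credential store for the demo


@dataclass
class Request:
    client_ip: str
    host: str                                   # remote web site, or the ASA itself
    path: str = "/"
    protocol: str = "http"                      # "http" or something else, e.g. "smtp"
    credentials: Optional[Tuple[str, str]] = None


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    user: Optional[str] = None                  # identity attached to the flow, if any


@dataclass
class ActiveAuth:
    ip_to_user: Dict[str, str] = field(default_factory=dict)   # IP -> user, filled after login

    def handle(self, req: Request) -> Response:
        user = self.ip_to_user.get(req.client_ip)
        if user is not None:
            # After authentication the source IP is mapped to the user, so HTTP
            # and non-HTTP traffic alike is attributed without another challenge.
            return Response(200, user=user)
        if req.protocol != "http":
            # Only an HTTP request can start active authentication; other
            # traffic from an unknown IP passes through unattributed.
            return Response(200)
        if req.host == AUTH_HOST:
            return self._challenge_or_login(req)
        # Step 2: answer on behalf of the remote site with a 307 that sends the
        # client to the ASA inside interface, carrying the original URL along.
        original = f"http://{req.host}{req.path}"
        location = f"https://{AUTH_HOST}:{AUTH_PORT}/auth?" + urlencode({"next": original})
        return Response(307, {"Location": location})

    def _challenge_or_login(self, req: Request) -> Response:
        next_url = parse_qs(urlsplit(req.path).query).get("next", ["/"])[0]
        if req.credentials is None:
            # Step 3: ask the client to authenticate.
            return Response(401, {"WWW-Authenticate": 'Basic realm="ASA CX"'})
        user, password = req.credentials
        if VALID_USERS.get(user) != password:
            return Response(401, {"WWW-Authenticate": 'Basic realm="ASA CX"'})
        # Step 4: record the IP-to-user mapping and send the client back.
        self.ip_to_user[req.client_ip] = user
        return Response(307, {"Location": next_url}, user=user)


def walk_through(client_ip: str = "10.1.1.50") -> List[Tuple[int, Optional[str], Optional[str]]]:
    """Replay the exchange plus one non-HTTP flow; returns (status, user, Location) per step."""
    cx = ActiveAuth()
    first = cx.handle(Request(client_ip, "www.example.test", "/news"))            # step 1 -> 307
    loc = urlsplit(first.headers["Location"])
    auth_path = f"{loc.path}?{loc.query}"
    challenge = cx.handle(Request(client_ip, loc.hostname, auth_path))             # step 3 -> 401
    login = cx.handle(Request(client_ip, loc.hostname, auth_path,
                              credentials=("fred", "s3cret")))                     # step 4 -> 307 back
    back = cx.handle(Request(client_ip, "www.example.test", "/news"))              # attributed now
    smtp = cx.handle(Request(client_ip, "mail.example.test", protocol="smtp"))     # non-HTTP, same IP
    return [(r.status, r.user, r.headers.get("Location")) for r in (first, challenge, login, back, smtp)]


if __name__ == "__main__":
    for status, user, location in walk_through():
        print(status, user, location)
```

The last step is the point the slide makes about tracking: once the 401 exchange succeeds, the SMTP flow from the same address is attributed to the user even though nothing in SMTP carried an identity. It is also the caveat: attribution is only as good as the IP-to-user binding, so shared or NATed addresses and stale mappings attribute traffic to the wrong user.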
  23. Passive authentication
     • Endpoint must be a domain member
     • Supported for all traffic and all clients
     • Utilizes an agent
       o The agent gathers information from the Active Directory server
       o The agent caches the information
       o ASA CX/PRSM queries the agent for user information
       o ASA CX/PRSM queries the Active Directory server for group membership information
     • Two agents available
       o Cisco Active Directory Agent (AD agent) – older agent
         - Windows application
       o Context Directory Agent (CDA) – newer agent
         - Stand-alone, Linux-based server – can be run as a VM
         - Intuitive web-based GUI, and Cisco IOS style CLI
  24. Passive authentication protocols (diagram)
     • Clients log on to Active Directory
     • The AD Agent or CDA (RADIUS server) collects logon information from Active Directory over WMI
     • ASA CX queries the AD Agent or CDA over RADIUS
     • ASA CX queries Active Directory over LDAP
  25. Module Map
     • Architecture
     • Policy framework
     • Device import
     • Eventing and reporting
     • Demonstration
  26. Policy objects, policies and policy sets
  27. Policies and policy sets
     • Policies apply actions to subsets of network traffic
     • Two main components
       o Policy match – a set of criteria used to match traffic to the policy
       o Action – the action to be taken if the policy is matched
     • Three types of policies
       o Access
       o Identity
       o Decryption
     • A policy set is an ordered collection of policies of a particular type
       o For any ASA CX, at most one policy set of each type is in use
       o Policies are assigned using top-down policy matching – order matters!
       o At most one policy is matched for each policy set
       o If no defined policy match is achieved, the implicit policy is enforced
     • The implicit policies of the policy sets are as follows
       o Access policy sets end with an implicit allow all
       o Decryption policy sets end with an implicit do not decrypt
       o Identity policy sets end with an implicit do not require authentication
  28. Policy sets
     • Identity – how will users be identified?
     • Decryption – what TLS/SSL traffic should be decrypted?
     • Access – what traffic will be allowed or denied?
  29. Policy objects
     • Used to create policies
       o Policy objects classify traffic
       o They are used to decide which policy to match
     • Predefined and user defined
     • May be nested
     • Many types
  30. URL objects
     • Used to identify traffic based on URL or URL category
     • Can only be used as a destination in a policy
     • HTTP or HTTPS only
       o For HTTPS, the URL object uses information in the subject of the certificate
       o Do not specify the protocol: URL objects match both HTTP and HTTPS
     • Contains
       o URLs
         - Enter a domain to match any URL in the domain
         - Supports limited string matching
       o URL categories
       o Other URL objects
     • Contains include and exclude lists
  31. Application objects
     • Used to identify what application the client is attempting to use
     • Utilizes the Application Visibility and Control (AVC) functionality of the ASA CX
     • Contains
       o Applications (recognized by the ASA CX) – examples: Facebook photos, webmail, Yahoo IM
       o Application types – examples: Facebook, e-mail, IM
       o Other Application objects
  32. UserAgent objects
     • User-agent string
       o Part of the HTTP request header
       o Identifies the client OS and agent
       o Examples: Safari running on an iPad; Windows update agent
     • User agent object
       o Can only be used for HTTP traffic
       o Can only be used as a source in a policy
       o Predefined user agent objects are sufficient for most uses
       o Contains
         - User agent string – an asterisk (*) can be used to match zero or more characters
         - Other user agent objects
  33. Example of user-agent string (image only)
  34. Secure Mobility objects
     • Used to create policies specific to AnyConnect VPN traffic
     • Can only be used as a source in a policy
     • One exists by default: All remote users
     • Others can be created to match specific device types
     • Can contain
       o Device types
       o Other Secure Mobility objects
  35. Complex objects
     • Allow for more complicated traffic matching
     • Contain collections of entries, or rows
       o Elements of each entry are ANDed together
       o Entries are then ORed together
     • Application-Service objects
       o Match combinations of applications and services
     • Destination object groups
       o Match combinations of URL objects and Network objects
     • Source object groups
       o Match combinations of: Network objects, Identity objects, User Agent objects, Secure Mobility objects
  36. Profiles
     • File filtering profile
       o HTTP and decrypted HTTPS traffic only
       o Blocks the download of specific MIME types
       o Blocks the upload of specific MIME types
     • Web reputation profile
       o HTTP and decrypted HTTPS traffic only
       o Web reputation scores are provided for websites by the Cisco Security Intelligence Operations
       o Web reputation scores vary from -10 to 10
       o The default profile considers websites with reputation scores from -10 through -6 suspicious (the default profile cannot be edited or deleted)
       o Websites without reputation scores are not considered suspicious
       o The action that is taken for a suspicious website depends on the policy type; for example, access policies can block websites of low reputation
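The policy framework of slides 27 through 36 (ordered policy sets with top-down first match and an implicit policy per type, URL objects with include/exclude lists that match a domain regardless of scheme, complex objects whose rows are ANDed inside and ORed across, and the default web reputation profile that treats -10 through -6 as suspicious and unscored sites as not suspicious), as an added example. This is not Cisco code and not PRSM's data model; the Flow fields, the policy names, the 10.10.0.0/16 "guest" network and the sample flows are constructed for the demo.

```python
"""Policy objects, policies and policy sets with CX-style matching (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Implicit policy at the end of every policy set, per type.
IMPLICIT = {"access": "allow", "decryption": "do not decrypt",
            "identity": "do not require authentication"}

@dataclass
class Flow:                              # constructed traffic record; field names are assumptions
    src_ip: str
    application: str
    user: Optional[str] = None           # None when identity is unknown
    url: Optional[str] = None            # None for non-HTTP(S) traffic
    reputation: Optional[float] = None   # None when SIO has no score for the site

Predicate = Callable[[Flow], bool]

def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

@dataclass
class URLObject:
    """Destination-only object: any URL in an included domain, minus exclusions.
    The scheme is ignored, so one object covers HTTP and HTTPS alike."""
    include: List[str]
    exclude: List[str] = field(default_factory=list)

    def __call__(self, flow: Flow) -> bool:
        if flow.url is None:
            return False
        host = urlsplit(flow.url).hostname or ""
        if any(in_domain(host, d) for d in self.exclude):
            return False
        return any(in_domain(host, d) for d in self.include)

@dataclass
class ComplexObject:
    """Rows of predicates: elements of a row are ANDed, rows are ORed."""
    rows: List[List[Predicate]]

    def __call__(self, flow: Flow) -> bool:
        return any(all(p(flow) for p in row) for row in self.rows)

@dataclass
class WebReputationProfile:
    """Default profile: scores from -10 through -6 are suspicious; no score is not suspicious."""
    low: float = -10.0
    high: float = -6.0

    def __call__(self, flow: Flow) -> bool:
        if flow.reputation is None:
            return False
        return self.low <= flow.reputation <= self.high

@dataclass
class Policy:
    name: str
    action: str
    criteria: List[Predicate]            # all criteria must hold for the policy to match

    def matches(self, flow: Flow) -> bool:
        return all(c(flow) for c in self.criteria)

@dataclass
class PolicySet:
    kind: str                            # "access", "decryption" or "identity"
    policies: List[Policy]               # ordered: top-down, first match wins

    def evaluate(self, flow: Flow) -> Tuple[str, str]:
        for policy in self.policies:
            if policy.matches(flow):
                return policy.name, policy.action
        return "implicit", IMPLICIT[self.kind]   # nothing matched: implicit policy

def sample_access_set(low_reputation_first: bool = True) -> PolicySet:
    """Constructed access policy set; the flag swaps the order of the first two policies."""
    guest_net = lambda f: ip_address(f.src_ip) in ip_network("10.10.0.0/16")
    is_im = lambda f: f.application == "IM"
    no_user = lambda f: f.user is None
    block_low_rep = Policy("block-low-reputation", "deny", [WebReputationProfile()])
    allow_corp = Policy("allow-corp-web", "allow",
                        [URLObject(include=["example.test"], exclude=["blog.example.test"])])
    deny_im = Policy("deny-guest-im", "deny",
                     [ComplexObject([[guest_net, is_im], [no_user, is_im]])])
    first_two = [block_low_rep, allow_corp] if low_reputation_first else [allow_corp, block_low_rep]
    return PolicySet("access", first_two + [deny_im])

def demo() -> dict:
    """Evaluate constructed flows; the low-reputation flow is run under both orderings."""
    corp = lambda url, rep=None: Flow("10.1.0.5", "HTTP", user="fred", url=url, reputation=rep)
    low_rep = corp("https://www.example.test/x", -7.5)
    return {
        "corp_ok": sample_access_set().evaluate(corp("http://www.example.test/", 4.0)),
        "blog_excluded": sample_access_set().evaluate(corp("http://blog.example.test/", 4.0)),
        "guest_im": sample_access_set().evaluate(Flow("10.10.3.3", "IM", user="guest")),
        "unscored": sample_access_set().evaluate(corp("http://other.test/")),
        "low_rep_first": sample_access_set(True).evaluate(low_rep),
        "low_rep_second": sample_access_set(False).evaluate(low_rep),
        "implicit_decrypt": PolicySet("decryption", []).evaluate(low_rep),
    }
```

Run `demo()` and compare `low_rep_first` with `low_rep_second`: the same flow to a corporate site with a -7.5 score is denied when the reputation policy sits above the allow policy and allowed when the two are swapped, which is the "order matters" point of slide 27. The `unscored` case shows the profile's other edge: a site SIO has never scored is not suspicious, so it falls through to the implicit allow.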
  37. Module Map
     • Architecture
     • Policy framework
     • Device import
     • Eventing and reporting
     • Demonstration
  38. Device discovery and import (multi-device mode only)
     • First you must enter the IP address (or hostname) of the ASA, along with privileged credentials
     • The CX module will be discovered through the ASA. You must enter the admin password to complete the import.
     • When a device is imported, it is placed into a device group
     • Device groups are assigned policy sets. Therefore, policies are consistent within a device group
     • When the device is imported, you must resolve any policy set naming conflict
  39. Valid Policy Set Assignment (diagram)
  40. Invalid Policy Set Assignment (diagram)
  41. ASA object discovery (multi-device mode only)
     • Network and service objects and groups are imported from the ASA during device import
     • They are added to the PRSM policy database and are available for policy configuration
       o Modifications made to objects on PRSM are not pushed to the ASA
       o Modifications made to objects on the ASA are not pushed to PRSM
     • They are automatically renamed if there are naming conflicts
       o _<PRSM name for the ASA> is appended to the name of the imported object
  42. Module Map
     • Architecture
     • Policy framework
     • Device import
     • Eventing and reporting
     • Demonstration
  43. The Event viewer
     • Gives visibility to events generated by the CX module
     • Tabs
       o System events
       o All events
       o Authentication
       o ASA (only used if PRSM is a syslog server for ASAs)
       o Encrypted Traffic View
       o Context Aware Security – shows next generation functionality
  44. Context Aware Events (image only)
  45. Custom tabs (image only)
  46. Two Modes
     • Real time eventing – user defined refresh interval
     • Historic eventing – user defined time range
  47. Event viewer filters
     • Used to reduce the number of events that are displayed
     • Filters are a list of attribute-value pairs
       o Attribute-value pairs with the same attribute are ORed together
       o The expressions for each attribute are then ANDed together
       o Example: Username=Fred Username=Gail Application=Twitter
         means (Username=Fred OR Username=Gail) AND Application=Twitter
       o Most attributes support the operations = and !=; some also support > and <
     • Two ways to add to a filter
       o Clicking on a cell in the event viewer adds that attribute-value pair to the filter
       o Select an attribute (with operation <, =, >) from the Filter drop-down list and then select the value
         - If you want the operator to be inequality, you must manually change = to !=
     • Filters may be saved and recalled
       o Saved filters are added to the right-hand side of the Filter drop-down list
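The filter semantics of the slide above (same attribute ORed, different attributes ANDed, operators =, != and, for numeric attributes, > and <), as an added example run over a few constructed events. This is not PRSM code: the text form of the filter, the attribute names and the event records are assumptions; PRSM builds filters from the UI rather than from a string.

```python
"""Event-viewer filter semantics over constructed events (added example, not PRSM code)."""
import operator
import re
from collections import defaultdict
from typing import Dict, List, Tuple

OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt}
# One term: attribute, operator, value (values with spaces are not supported here).
TERM = re.compile(r"(\w+)(!=|=|>|<)(\S+)")

# Constructed sample events; attribute names are assumptions.
EVENTS = [
    {"Username": "Fred", "Application": "Twitter", "DestinationPort": 443, "Action": "Allow"},
    {"Username": "Gail", "Application": "Twitter", "DestinationPort": 443, "Action": "Deny"},
    {"Username": "Gail", "Application": "Facebook", "DestinationPort": 443, "Action": "Allow"},
    {"Username": "Hank", "Application": "Twitter", "DestinationPort": 80, "Action": "Allow"},
]


def parse_filter(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group the terms by attribute: 'Username=Fred Username=Gail Application=Twitter'
    -> {'Username': [('=', 'Fred'), ('=', 'Gail')], 'Application': [('=', 'Twitter')]}"""
    groups = defaultdict(list)
    for attr, op, value in TERM.findall(text):
        groups[attr].append((op, value))
    return groups


def _coerce(value):
    """Compare numerically when both sides are numbers, otherwise as strings."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return value


def term_matches(event: dict, attr: str, op: str, value: str) -> bool:
    if attr not in event:
        return False                      # an event without the attribute never matches
    left, right = _coerce(event[attr]), _coerce(value)
    if op in ("<", ">") and not (isinstance(left, float) and isinstance(right, float)):
        return False                      # ordering is only defined for numeric attributes
    return OPS[op](left, right)


def event_matches(event: dict, groups: Dict[str, List[Tuple[str, str]]]) -> bool:
    # AND across attributes; OR among the terms that share an attribute.
    return all(any(term_matches(event, attr, op, v) for op, v in terms)
               for attr, terms in groups.items())


def apply_filter(events: List[dict], text: str) -> List[dict]:
    groups = parse_filter(text)
    return [e for e in events if event_matches(e, groups)]


if __name__ == "__main__":
    for e in apply_filter(EVENTS, "Username=Fred Username=Gail Application=Twitter"):
        print(e)
```

The slide's own example, `Username=Fred Username=Gail Application=Twitter`, returns Fred's and Gail's Twitter events but not Gail's Facebook event, which is the (A OR B) AND C grouping. Note that `!=` terms on the same attribute are also ORed, so `Username!=Fred Username!=Gail` matches every event rather than excluding both users; the per-attribute OR is what makes `=` and `!=` behave differently when stacked.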
  48. Event viewer filters (image only)
  49. Event Details (image only)
  50. Event Details (image only)
  51. Policy correlation (image only)
  52. Network Overview (top) (image only)
  53. Network Overview (middle) (image only)
  54. Network Overview (bottom) (image only)
  55. Other tabs (image only)
  56. Malicious Traffic (image only)
  57. Drill Down (slide 1 of sequence) (image only)
  58. Drill Down (slide 2 of sequence) (image only)
  59. Drill Down to view more details (image only)
  60. Drill down to launch event viewer (image only)
  61. Drill down to launch event viewer (image only)
  62. Sample exported PDF report (image only)
  63. Module Map
     • Architecture
     • Policy framework
     • Device import
     • Eventing and reporting
     • Demonstration
  64. Complete Your Paper "Session Evaluation"
     Give us your feedback and you could win 1 of 2 fabulous prizes in a random draw.
     Complete and return your paper evaluation form to the room attendant as you leave this session.
     Winners will be announced today. You must be present to win!
     ...visit them at BOOTH# 100
  65. Thank you.
