Cisco Firepower Next-Generation Firewall Solutions

Presentation on Cisco's NGFW solutions, including Cisco's Adaptive Security Appliance (ASA) with FirePower services.

  1. Cisco Firepower NGFW Solutions. Jim Kotantoulas, Consulting SE – Cisco Federal, jimk@cisco.com, May 2016. Cisco Confidential. C97-732214-00 © 2014 Cisco and/or its affiliates. All rights reserved.
  2. Integrated Threat Defense Across the Attack Continuum
     • Attack continuum: BEFORE (Control, Enforce, Harden), DURING (Detect, Block, Defend), AFTER (Scope, Contain, Remediate)
     • Technologies across the continuum: Firewall/VPN, NGIPS, Security Intelligence, Web Security, Advanced Malware Protection
     • Visibility and Automation: Granular App Control, Modern Threat Control, Retrospective Security, IoCs/Incident Response
  3. NGFW Firepower Appliances
  4. Introduction: Industry's First Threat-Focused Next-Generation Firewall (NGFW), the #1 Cisco® security announcement of the year
     • Integrate defense layers so that organizations get the best visibility
     • Help enable dynamic controls to automatically adapt
     • Protect against advanced threats across the entire attack continuum
     • Proven Cisco ASA firewalling + industry-leading NGIPS and AMP = Cisco ASA with FirePOWER™ Services
  5. Superior Integrated and Multilayered Protection
     • Cisco ASA building blocks: Identity-Policy Control and VPN; URL Filtering (Subscription); FireSIGHT™ Analytics and Automation; Advanced Malware Protection (Subscription); Application Visibility and Control; Network Firewall; Routing | Switching; Clustering and High Availability; Cisco® Collective Security Intelligence Enabled; Built-in Network Profiling; Intrusion Prevention (Subscription)
     • World's most widely deployed, enterprise-class, ASA stateful firewall
     • Granular Cisco Application Visibility and Control (AVC)
     • Industry-leading FirePOWER™ next-generation IPS (NGIPS)
     • Reputation- and category-based URL filtering
     • Advanced malware protection
  6. Deployment Options and New Appliances
  7. Introducing the Firepower 9300 (3RU)
     • Security Modules: embedded Smart NIC and crypto hardware; Cisco (ASA, FTD) and third-party (Radware DDoS) applications; standalone or clustered within and across chassis
     • Supervisor: application deployment and orchestration; network attachment and traffic distribution; clustering base layer for ASA/FTD
     • Network Modules: 10GE, 40GE, and 100GE; hardware bypass for inline NGIPS
  8. Firepower 9300 Security Modules
     • Same modules must be installed across the entire chassis or cluster
     • SM-36: 72 x86 CPU cores
     • SM-24: 48 x86 CPU cores, NEBS Ready
     • x86 Turbo Mode for all security modules (FXOS 2.0.1): triggered when 25% of ASA cores reach 80% load; disabled when all ASA cores drop below 60% load; increases performance by 10-20%
  9. Introducing the Firepower 4100 (1RU)
     • Built-in Supervisor and Security Module: same hardware and software architecture as the 9300; fixed configurations (4110, 4120, 4140, 4150); FXOS 1.1.4 for 4110-4140, 2.0.1 for 4150
     • Solid State Drives: independent operation (no RAID); slot 1 today provides limited AMP storage; slot 2 will add 400GB of AMP storage in FXOS 2.0.1
     • Network Modules: 10GE/40GE interchangeable with 9300; partially overlapping fail-to-wire controller options
  10. Standard Network Modules (FXOS 1.1.4)
     • All external network modules require fiber or copper transceivers
     • Support online insertion and removal

     | Module  | Platforms               | Width        | Notes                               |
     |---------|-------------------------|--------------|-------------------------------------|
     | 8x10GE  | Firepower 4100 and 9300 | Single width | 1GE/10GE SFP                        |
     | 4x40GE  | Firepower 4100 and 9300 | Single width | 4x10GE breakouts for each 40GE port |
     | 2x100GE | Firepower 9300 only     | Double width | QSFP28 connector                    |

  11. Fail-to-Wire Network Modules (FXOS 2.0.1)
     • Fixed interfaces, no removable SFP support
     • NGIPS inline interfaces for standalone FTD 6.1 only
     • Sub-second reaction time to application, software, or hardware failure

     | Module | Platforms               | Width        | Optics                             |
     |--------|-------------------------|--------------|------------------------------------|
     | 6x1GE  | Firepower 4100 only     | Single width | 1GE fiber SX                       |
     | 6x10GE | Firepower 4100 and 9300 | Single width | 10GE SR or LR                      |
     | 2x40GE | Firepower 4100 and 9300 | Single width | 40GE SR4; no 10GE breakout support |

  12. Firepower 4100 and 9300 Series – ASA Performance

     |                                                        | 4110   | 4120   | 4140   | SM-24  | SM-36  | SM-36x3 |
     |--------------------------------------------------------|--------|--------|--------|--------|--------|---------|
     | Stateful inspection firewall throughput (maximum)      | 20Gbps | 40Gbps | 60Gbps | 75Gbps | 80Gbps | 225Gbps |
     | Stateful inspection firewall throughput (multiprotocol)| 10Gbps | 20Gbps | 30Gbps | 50Gbps | 60Gbps | 130Gbps |
     | Concurrent firewall connections                        | 10M    | 15M    | 25M    | 55M    | 60M    | 70M     |
     | New connections per second                             | 150K   | 250K   | 350K   | 0.6M   | 0.9M   | 2M      |
     | Security contexts                                      | 250    | 250    | 250    | 250    | 250    | 250     |
     | Virtual interfaces                                     | 1024   | 1024   | 1024   | 1024   | 1024   | 1024    |
     | IPSec 3DES/AES VPN throughput                          | 8Gbps  | 10Gbps | 14Gbps | 15Gbps | 18Gbps | 54Gbps  |

  13. Firepower 4100 and 9300 Series – Firepower Threat Defense Performance

     |                                                    | 4110   | 4120   | 4140   | SM-24  | SM-36    | SM-36x3 |
     |----------------------------------------------------|--------|--------|--------|--------|----------|---------|
     | Max Throughput: Application Control (AVC)          | 12Gbps | 20Gbps | 25Gbps | 25Gbps | 35Gbps   | 100Gbps |
     | Max Throughput: Application Control (AVC) and IPS  | 10Gbps | 15Gbps | 20Gbps | 20Gbps | 30Gbps   | 90Gbps  |
     | Sizing Throughput: AVC (450B)                      | 4Gbps  | 8Gbps  | 10Gbps | 9Gbps  | 12.5Gbps | 30Gbps  |
     | Sizing Throughput: AVC+IPS (450B)                  | 3Gbps  | 5Gbps  | 6Gbps  | 6Gbps  | 8Gbps    | 20Gbps  |
     | Maximum concurrent sessions w/AVC                  | 4.5M   | 11M    | 14M    | 28M    | 29M      | 57M     |

  14. Trusted Flow Processing at Ultra-High Speed Using the SMART NIC (Flow Offload Operation for the FP9300/FP4100)
     • Hardware-based offload with no x86 dependency
     • 30-40Gbps per single TCP/UDP flow, <5us latency
     • Use cases: High Frequency Trading; High Performance Computing research sites; intra/inter DC storage backup or database sync; GRE tunneled packets
     • Diagram: Security Engine (ASA), Supervisor Module, Hardware Accelerator. (1) The ASA policy identifies the flows to offload; (2) the matched flow is processed by the hardware NIC from source to destination, at 40Gbps for a single flow
  15. Firepower 5500-X – Firepower Threat Defense Performance

     |                                                    | 5506 (all variants) | 5508    | 5516    | 5525    | 5545    | 5555     |
     |----------------------------------------------------|---------------------|---------|---------|---------|---------|----------|
     | Max Throughput: Application Control (AVC)          | 250Mbps             | 450Mbps | 850Mbps | 1.1Gbps | 1.5Gbps | 1.75Gbps |
     | Max Throughput: Application Control (AVC) and IPS  | 125Mbps             | 250Mbps | 450Mbps | 650Mbps | 1Gbps   | 1.25Gbps |
     | Sizing Throughput: AVC or IPS (440B)               | 90Mbps              | 180Mbps | 300Mbps | 375Mbps | 575Mbps | 725Mbps  |
     | Sizing Throughput: AVC and IPS (440B)              | 65Mbps              | 115Mbps | 200Mbps | 255Mbps | 360Mbps | 450Mbps  |

     Note: Firepower Threat Defense performance numbers and sizing guidance for 5500-X are the same as for FirePOWER Services for ASA. Refer to the "Cisco ASA with FirePOWER Services Data Sheet" for performance numbers: http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html
  16. FirePOWER Services Support All Current ASA Deployment Models
     • Multi-context mode for policy flexibility: each ASA interface appears as a separate interface to the FirePOWER Services module; allows granular policy enforcement on both ASA and FirePOWER Services (*state sharing does not occur between FirePOWER Services modules)
     • Clustering for linear scalability: up to 16x ASA in a cluster; eliminates asymmetrical traffic issues; each FirePOWER Services module inspects traffic independently
     • HA for increased redundancy: redundancy and state sharing (A/S & A/A pair); L2 and L3 designs
  17. FirePOWER Services Features
  19. Application Identification and Control
     • Reduce attack surface and inspection requirements
     • Reclaim bandwidth from streaming / sharing apps
     • Limit social media to control malware and data leakage
     • Restrict mobile apps in BYOD environments
     • Deep visibility into app usage, regardless of port/protocol
  20. OpenAppID: the power of Open Source comes to application-layer security. OpenAppID is an open source, application-focused detection language that enables users to create, share and implement custom application detection.
     • Create, share and implement custom application detections
     • Put control into the hands of customers and the larger security community
     • Community development accelerates the creation of detectors and controls
     • Library of OpenAppID Detectors: extendable sample detectors; > 3000 detectors contributed by Cisco; thousands of downloads of the detection pack since last September
  22. URL Filtering
     • Block non-business-related sites by category
     • Based on user and user group
  23. URL Filtering
     • Dozens of content categories
     • URLs categorized by risk
  24. Integrated SSL Decryption
     • > 30% of Internet traffic is SSL encrypted, hiding it from inspection (Google, Facebook, Office 365); expected to increase by 50% in 2017; Google to prioritize sites using SSL
     • Increasing % of malware is hiding in SSL tunnels: malware downloads, CnC connections, data exfiltration
  25. Integrated SSL Decryption
     • Multiple deployment modes: Passive Inbound (known keys); Inbound Inline (with or without keys); Outbound Inline (without keys)
     • Flexible SSL support for HTTPS & StartTLS based apps, e.g. SMTPS, POP3S, FTPS, IMAPS, TelnetS
     • Decrypt by URL category and other attributes
     • Centralized enforcement of SSL certificate policies, e.g. blocking self-signed encrypted traffic, SSL version, specific cipher suites, unapproved mobile devices
  26. URL and DNS Protection
     • Attackers are leveraging DNS!
     • Blacklist domains and URLs associated with bots, CnC, malware delivery
     • Fast-flux: high-frequency DNS record changes
     • Control C&C traffic
     • Seize control of botnets
     • Restrict access to domains violating corporate policy
  27. DNS Inspection (DNS list → action)
     • Security Intelligence support for domains; addresses challenges with fast-flux domains
     • Multiple actions: Block, Domain Not Found, Sinkhole, Monitor
     • Indications of Compromise extended with DNS Security Intelligence
     • Cisco-provided and user-defined DNS lists: CnC, Spam, Malware, Phishing
     • New dashboard widget for URL/DNS SI
  28. DNS Inspection: Domain Not Found. Diagram: endpoint, local DNS server, NGFW. The policy can be configured with lists/feeds/global lists; action: DNS NXDOMAIN; generates SI events.
  29. DNS Inspection: DNS Sinkhole. Diagram: endpoint (10.15.0.21), local DNS server, NGFW. DNS SI list: C&C servers; action: DNS Sinkhole; the endpoint's subsequent connection to the sinkhole IP generates SI events & IoCs.
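
The three DNS Security Intelligence slides above describe a simple policy loop: match the queried name against Cisco-provided or user-defined lists, rewrite the answer according to the configured action, and turn a later connection to the sinkhole address into an Indication of Compromise for the endpoint. The following Python model is an added example written for this page, not Cisco code: the list contents, the sinkhole address (192.0.2.100, RFC 5737 documentation space), the endpoint and upstream addresses are constructed, and treating the "Block" action as a silently dropped query is an assumption about how that action behaves.

```python
"""Model of the DNS Security Intelligence actions shown on slides 27-29.

Added example, not Cisco code. Lists, sinkhole address and all IP addresses
are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SINKHOLE_IP = "192.0.2.100"   # constructed; RFC 5737 documentation range

# Constructed DNS SI lists: list name -> (configured action, member domains).
# A real deployment populates these from Cisco feeds and user-defined lists.
DNS_LISTS: Dict[str, Tuple[str, Set[str]]] = {
    "Cisco-DNS-CnC":     ("sinkhole",         {"cnc.example.net"}),
    "Cisco-DNS-Malware": ("domain-not-found", {"dropper.example.org"}),
    "Custom-Policy":     ("monitor",          {"streaming.example.com"}),
    "Custom-Phishing":   ("block",            {"phish.example"}),
}


@dataclass
class SIEvent:
    client_ip: str
    domain: str
    list_name: str
    action: str


@dataclass
class DnsSecurityIntelligence:
    lists: Dict[str, Tuple[str, Set[str]]]
    sinkhole_ip: str = SINKHOLE_IP
    si_events: List[SIEvent] = field(default_factory=list)
    iocs: List[str] = field(default_factory=list)   # endpoints that reached the sinkhole

    def _lookup(self, qname: str) -> Optional[Tuple[str, str]]:
        """Match the query name and every parent domain, so hosts under a listed
        (fast-flux) domain are caught whichever A record they currently map to."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            for list_name, (action, domains) in self.lists.items():
                if candidate in domains:
                    return list_name, action
        return None

    def resolve(self, client_ip: str, qname: str,
                upstream_answer: str) -> Tuple[str, Optional[str]]:
        """Return the (rcode, answer IP) the client receives after SI policy is applied."""
        hit = self._lookup(qname)
        if hit is None:
            return "NOERROR", upstream_answer
        list_name, action = hit
        self.si_events.append(SIEvent(client_ip, qname, list_name, action))
        if action == "domain-not-found":
            return "NXDOMAIN", None             # client sees a non-existent domain
        if action == "sinkhole":
            return "NOERROR", self.sinkhole_ip  # client is steered to the sinkhole
        if action == "block":
            return "DROPPED", None              # assumption: modelled as a dropped query
        return "NOERROR", upstream_answer       # monitor: log only, answer unchanged

    def observe_connection(self, src_ip: str, dst_ip: str) -> bool:
        """A follow-on connection to the sinkhole proves the endpoint acted on the
        answer; that is what turns the SI event into an Indication of Compromise."""
        if dst_ip == self.sinkhole_ip and src_ip not in self.iocs:
            self.iocs.append(src_ip)
            return True
        return False


def demo() -> DnsSecurityIntelligence:
    """Replay the slide-29 scenario: endpoint 10.15.0.21 asks for a listed C&C name."""
    engine = DnsSecurityIntelligence(DNS_LISTS)
    rcode, answer = engine.resolve("10.15.0.21", "www.cnc.example.net", "198.51.100.7")
    if rcode == "NOERROR" and answer == engine.sinkhole_ip:
        engine.observe_connection("10.15.0.21", answer)   # endpoint follows the answer
    return engine


if __name__ == "__main__":
    e = demo()
    print(e.si_events)
    print("IoC endpoints:", e.iocs)
```

The parent-domain walk in `_lookup` is the part that matters for fast-flux: the list holds the domain, not the short-lived A records, so the match survives however often the resolver's answer changes.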
  31. ISE Integration
     • Receive identity data from pxGrid / ISE (more than just AD)
     • Receive device-type/network Security Group Tags from pxGrid / ISE
     • Ability to exert control based on the above in rules, i.e. block HR users from using personal iPads
  32. ISE Integration for Rapid Threat Containment
  33. RTC Use Case: Dynamic Segmentation using TrustSec. Diagram: Floor 1 SW, Floor 2 SW, Ops Backbone, Data Center (DC FW, Sinkhole, High Security DB, TS Server), GFE Workstation, Threat Detection SIEM, ISE.
     • ISE context for the endpoint: OS Type: Windows XP Embedded; User: Mary; AD Group: Employee; Asset Registration: Yes; MAC Address: aa:bb:cc:dd:ee:ff
     • FirePower event delivered over pxGrid/EPS: Event: TCP SYN Scan; Source IP: 1.2.3.4; Response: Quarantine; Security Group = Non-Compliant (change SGT to Non-Compliant)
     • Contain and/or use the Non-Compliant tag for further forensics; the Non-Compliant tag follows the compromised endpoint
     • SGACL Policy, Anti-Malware-ACL: deny icmp; deny udp src dst eq domain; deny tcp src dst eq 3389; deny tcp src dst eq 1433; deny tcp src dst eq 1521; deny tcp src dst eq 445; deny tcp src dst eq 137; deny tcp src dst eq 138; deny tcp src dst eq 139; deny udp src dst eq snmp; deny tcp src dst eq telnet; deny tcp src dst eq www; deny tcp src dst eq 443; deny tcp src dst eq 22; deny tcp src dst eq pop3; deny tcp src dst eq 123
  34. ThreatGRID Integration
     • Migration to ThreatGRID for dynamic file analysis/sandboxing (Cisco-owned sandboxing technology)
     • Ability to use on-premise (private) sandbox appliances as well as the public sandbox cloud
     • Seamless migration requiring no customer intervention: Public AMP / Public ThreatGRID; Public AMP / Private ThreatGRID
     • Use of Private AMP Cloud is currently not supported in Drambuie
  35. How Cisco AMP Works: Network File Trajectory Use Case
  37. An unknown file is present on IP 10.4.10.183, having been downloaded with Firefox.
  38. At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
  39. Seven hours later the file is transferred to a third device (10.3.4.51) using an SMB application.
  40. The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
  41. Cisco Talos intelligence has learned this file is malicious and a retrospective event is raised for all four devices immediately.
  42. At the same time, a device with the AMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
  43. 8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
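
Slides 37 through 43 walk through the file trajectory use case in prose; the mechanism underneath is a per-hash record of every transfer the NGFW has seen, so that a later disposition change from the cloud can be applied retroactively to every host the file touched, and so that the same hash is blocked inline from then on. The Python below is an added example written for this page, not Cisco's AMP implementation: the file hash, the timestamps, the external source address (203.0.113.10), the application on the second hop and the source host of the third hop are constructed, while the internal addresses are the ones on the slides.

```python
"""Network file trajectory with retrospective disposition changes (slides 37-43).

Added example, not Cisco code. Hash, timestamps and the 203.0.113.10 source
are constructed; the monitored network map is simply 10.0.0.0/8.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

MONITORED = ipaddress.ip_network("10.0.0.0/8")   # constructed network map


@dataclass
class Hop:
    seen_at: datetime
    src: str
    dst: str
    app: str


@dataclass
class FileTrajectory:
    dispositions: Dict[str, str] = field(default_factory=dict)   # sha256 -> unknown|clean|malicious
    hops: Dict[str, List[Hop]] = field(default_factory=dict)
    retrospective_events: List[Tuple[str, str]] = field(default_factory=list)  # (sha256, host)

    def observe_transfer(self, sha256: str, seen_at: datetime,
                         src: str, dst: str, app: str) -> str:
        """Record a file transfer seen by the NGFW and return the inline verdict."""
        disposition = self.dispositions.setdefault(sha256, "unknown")
        if disposition == "malicious":
            return "block"            # a known-bad hash is stopped at the point of entry
        self.hops.setdefault(sha256, []).append(Hop(seen_at, src, dst, app))
        return "allow"                # unknown or clean files pass, but the hop is recorded

    def hosts_touched(self, sha256: str) -> List[str]:
        """Every monitored host that sent or received the file, in first-seen order."""
        hosts: List[str] = []
        for hop in self.hops.get(sha256, []):
            for ip in (hop.src, hop.dst):
                if ipaddress.ip_address(ip) in MONITORED and ip not in hosts:
                    hosts.append(ip)
        return hosts

    def update_disposition(self, sha256: str, new_disposition: str) -> List[str]:
        """Apply a cloud disposition change. A flip to malicious raises one
        retrospective event per host in the trajectory, however old the transfer."""
        previous = self.dispositions.get(sha256, "unknown")
        self.dispositions[sha256] = new_disposition
        if new_disposition != "malicious" or previous == "malicious":
            return []
        affected = self.hosts_touched(sha256)
        self.retrospective_events.extend((sha256, host) for host in affected)
        return affected


def demo() -> Tuple[List[str], str]:
    """Replay slides 37-43; return (hosts in the retrospective event, re-entry verdict)."""
    traj = FileTrajectory()
    sha = "constructed-sha256-0001"                     # constructed hash
    t0 = datetime(2016, 5, 1, 10, 30)                   # constructed first-seen time
    traj.observe_transfer(sha, t0, "203.0.113.10", "10.4.10.183", "Firefox")            # slide 37
    traj.observe_transfer(sha, t0.replace(minute=57), "10.4.10.183", "10.5.11.8", "SMB")  # slide 38
    traj.observe_transfer(sha, t0 + timedelta(hours=7, minutes=27),
                          "10.5.11.8", "10.3.4.51", "SMB")                               # slide 39
    traj.observe_transfer(sha, t0 + timedelta(hours=7, minutes=57),
                          "10.3.4.51", "10.5.60.66", "SMB")                              # slide 40
    affected = traj.update_disposition(sha, "malicious")                                 # slide 41
    verdict = traj.observe_transfer(sha, t0 + timedelta(hours=8),
                                    "203.0.113.10", "10.4.10.183", "Firefox")            # slide 43
    return affected, verdict


if __name__ == "__main__":
    hosts, verdict = demo()
    print("retrospective event raised for:", hosts)
    print("re-entry attempt verdict:", verdict)
```

Note that `hosts_touched` drops the external source deliberately: the retrospective event is meant to drive containment on hosts the organisation controls, which is also why the endpoint connector on slide 42 is the component that actually quarantines the file.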
  44. ThreatGRID Integration – Summary Threat Report
  45. ThreatGRID Integration – Full Threat Report
  50. AMP at the Endpoint
  51. AMP for Endpoint – Public + Private Cloud Options
  52. AMP for Endpoint – Indicators of Compromise
  53. AMP for Endpoint – Stop Malware and Provide Visibility
  54. With AMP for NGFW + AMP for Endpoints: NGFW AMP + Endpoint AMP = Better Context in FMC
     • Detecting malware is great, but it could have been blocked on the client by AV or AMP for Endpoint
     • Knowing the malware executed makes prioritizing response much easier
  55. NGFW AMP + Endpoint AMP = Better Context in FMC: a device with the AMP for Endpoints connector reacts to a retrospective event and immediately stops and quarantines the newly detected malware.
  58. Cisco FireSIGHT Provides Unmatched Visibility for Accurate Threat Detection and Adaptive Defense. Visibility into: Threats, Users, Web Applications, Application Protocols, File Transfers, Malware, Command & Control, Operating Systems, Client Applications, Network Servers, Mobile Devices.
  59. Indications of Compromise (IoCs)
     • IPS Events: Malware Backdoors, CnC Connections, Exploit Kits, Admin Privilege Escalations, Web App Attacks
     • SI Events: Connections to Known CnC IPs
     • Malware Events: Malware Detections, Malware Executions, Office/PDF/Java Compromises, Dropper Infections
  60. Impact Assessment: correlates all intrusion events to an impact of the attack against the target.

     | Impact Flag | Administrator Action                   | Why                                                       |
     |-------------|----------------------------------------|-----------------------------------------------------------|
     | 1           | Act Immediately, Vulnerable            | Event corresponds to vulnerability mapped to host         |
     | 2           | Investigate, Potentially Vulnerable    | Relevant port open or protocol in use, but no vuln mapped |
     | 3           | Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use             |
     | 4           | Good to Know, Unknown Target           | Monitored network, but unknown host                       |
     | 0           | Good to Know, Unknown Network          | Unmonitored network                                       |
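
The impact table above is a decision procedure over two inputs: the intrusion event (target address, transport/protocol, destination port and the vulnerabilities the rule references) and the passively built network map (monitored ranges plus a per-host profile of open ports, protocols and mapped vulnerabilities). The Python below is an added example written for this page, not Cisco's FireSIGHT correlation engine; the network map, the host profile and the vulnerability identifiers `VULN-A`, `VULN-B`, `VULN-Z` are constructed placeholders, and the triage ordering 1, 2, 3, 4, 0 is an analyst's reading of the table rather than something the slide states.

```python
"""Impact-flag assignment for intrusion events, following the slide-60 table.

Added example, not Cisco code. Network map, host profile and vulnerability
ids are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IMPACT_LABELS = {
    1: "Act Immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to Know, Currently Not Vulnerable",
    4: "Good to Know, Unknown Target",
    0: "Good to Know, Unknown Network",
}
TRIAGE_ORDER = [1, 2, 3, 4, 0]   # assumed working order for an analyst's queue


@dataclass
class HostProfile:
    open_ports: Set[Tuple[str, int]]   # (transport, port) learned passively from traffic
    protocols: Set[str]                # non-port protocols seen in use, e.g. "icmp"
    vulns: Set[str]                    # vulnerability ids mapped from OS/app versions


@dataclass
class NetworkMap:
    monitored: List[ipaddress.IPv4Network]
    hosts: Dict[str, HostProfile] = field(default_factory=dict)


@dataclass
class IntrusionEvent:
    dst_ip: str
    proto: str
    dst_port: Optional[int]    # None for protocols without ports
    rule_vulns: Set[str]       # vulnerability ids the triggering rule references


def impact_flag(ev: IntrusionEvent, nmap: NetworkMap) -> int:
    """Return the impact flag (0-4) for one intrusion event against the network map."""
    ip = ipaddress.ip_address(ev.dst_ip)
    if not any(ip in net for net in nmap.monitored):
        return 0            # unmonitored network: nothing is known about the target
    host = nmap.hosts.get(ev.dst_ip)
    if host is None:
        return 4            # monitored network, but no profile exists for this host
    if ev.rule_vulns & host.vulns:
        return 1            # the rule's vulnerability is mapped to this host
    if ev.dst_port is not None:
        in_use = (ev.proto, ev.dst_port) in host.open_ports
    else:
        in_use = ev.proto in host.protocols
    return 2 if in_use else 3   # service reachable but no vuln mapped, or not reachable


def triage(events: List[IntrusionEvent], nmap: NetworkMap) -> List[Tuple[int, str, str]]:
    """Return (flag, label, dst_ip) tuples ordered so impact-1 events come first."""
    scored = [(impact_flag(ev, nmap), ev.dst_ip) for ev in events]
    scored.sort(key=lambda item: TRIAGE_ORDER.index(item[0]))   # stable: ties keep input order
    return [(flag, IMPACT_LABELS[flag], ip) for flag, ip in scored]


def demo_network_map() -> NetworkMap:
    """Constructed network map: one profiled host on the monitored 10.0.0.0/8."""
    return NetworkMap(
        monitored=[ipaddress.ip_network("10.0.0.0/8")],
        hosts={"10.4.10.183": HostProfile(
            open_ports={("tcp", 445), ("tcp", 80)},
            protocols={"icmp"},
            vulns={"VULN-A", "VULN-B"})},
    )


if __name__ == "__main__":
    nm = demo_network_map()
    sample = [
        IntrusionEvent("203.0.113.5", "tcp", 80, set()),
        IntrusionEvent("10.4.10.183", "tcp", 3389, {"VULN-Z"}),
        IntrusionEvent("10.4.10.183", "tcp", 445, {"VULN-B"}),
    ]
    for row in triage(sample, nm):
        print(row)
```

The value of the map is visible in the flag-3 case: the same signature firing against a port the host does not expose is demoted without any analyst effort, which is what lets the flag-1 events surface at the top of the queue.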
  61. FireSIGHT Management Center: single console for event, policy, and configuration management
  62. Awareness Delivers Insight: OS & version identified; server applications and version; client applications (client version, application); who is at the host; what other systems / IPs did the user have, and when?
  63. Multi-Tenancy through Domains and Multiple Network Maps
     • Use cases: Large Enterprises, MSSP
     • Benefits: Segmentation, Granular RBAC, Overlapping IP Addresses, Maintaining Privacy
  64. Domain Overview: supports up to 50 domains and 3 levels; available for all platforms running 6.0. Example hierarchy: UK at level 1; UK/London and UK/Oxford at level 2; West Region and East Region at level 3.
  65. Thank You
