Cisco Public© 2016 Cisco and/or its affiliates. All rights reserved. 1
Putting Firepower into the Next Generation Firewall
Integrating Firepower into the next-generation firewall
Jeff Fanelli
Principal Systems Engineer
jefanell@cisco.com
About your speaker
Jeff Fanelli, Principal Systems Engineer, Cisco Global Security Sales Organization
I’m from the U.S. state with the largest FRESH water coastline in the world!
MICHIGAN (the “mitten” state..)
Today’s Agenda
• Firepower Software Overview
• ASA & Firepower NGFW Platforms
• Management Options
• Integration
• Internet Edge Use Case
Firepower NGFW Software
Firepower Threat Defense
Integrated Software - Single Management, backed by Cisco Collective Security Intelligence
(Diagram: capability wheel around Firepower Threat Defense)
• Network Firewall and Routing
• Intrusion Prevention
• Application Visibility & Control
• URL Filtering
• Malware Protection
• Network Profiling
• Identity-Based Policy Control
• Analytics & Automation
• High Availability
Firepower Threat Defense
Single Converged OS: Firewall, URL, Visibility, Threats
ASA (L2-L4)
• L2-L4 Stateful Firewall
• Scalable CGNAT, ACL, routing
• Application inspection
Firepower (L7)
• Threat-Centric NGIPS
• AVC, URL Filtering for NGFW
• Advanced Malware Protection
Full feature set with continuous feature migration from ASA with Firepower Services into Firepower Threat Defense, managed by Firepower Management Center (FMC)
ASA & Firepower Platforms
Cisco NGFW Platforms
NGFW capabilities all managed by Firepower Management Center
• Firepower Threat Defense for ASA 5500-X: 250 Mb -> 1.75 Gb (NGFW + IPS throughput)
• Firepower 2100 Series: 2 Gb -> 8 Gb (NGFW + IPS throughput)
• Firepower 4100 Series and Firepower 9300: 41xx = 10 Gb -> 24 Gb; 93xx = 24 Gb -> 53 Gb; up to 16x with clustering!
Software Support - Virtual Platforms
• ASA: ASAv (vSphere, AWS, Azure, Hyper-V, KVM) ✓
• Firepower NGIPS: Firepower NGIPSv (vSphere + ISR UCSE) ✓
• Firepower Threat Defense: Firepower NGFWv (vSphere, AWS, Azure, KVM) ✓
OpenAppID
Next-generation visibility with OpenAppID: Application Visibility & Control
• See and understand risks
• Enforce granular access control
• Prioritize traffic and limit rates
• Create detectors for custom apps
Cisco database: 4,000+ apps, 180,000+ micro-apps
(Diagram: network & users classified against the Cisco application database; applications are allowed or blocked and traffic is prioritized.)
Web acceptable use controls and threat prevention
URL Filtering – Security Intelligence Feeds – DNS Sinkhole capability
• Classify 280M+ URLs
• Filter sites using 80+ categories
• Manage “allow/block” lists easily
• Block latest malicious URLs
(Diagram: admin creates category-based policy (allow/block) from the Cisco URL database; NGFW filtering consumes security feeds for URL, IP and DNS, applies DNS sinkhole and Safe Search.)
Granular SSL Decryption Capabilities
SSL/TLS handshake certificate inspection and TLS decryption engine
Decrypt 3.5 Gbps of traffic over five million simultaneous flows
• Inspect deciphered packets
• Track and log all SSL sessions
(Diagram: encrypted traffic enters the SSL decryption engine, which logs every session and passes deciphered packets to AVC and NGIPS for enforcement decisions, e.g. blocking gambling or illicit URLs while allowing the rest.)
Application and Context aware Intrusion Prevention
Next-Generation Intrusion Prevention System (NGIPS)
• Scan network traffic
• Correlate data
• Detect stealthy threats
• Respond based on priority
Blended threats surfaced by correlation: network profiling, phishing attacks, innocuous payloads, infrequent callouts.
(Diagram: data packets, communications and app & device data are correlated; the response is prioritized (accept/block) and policies are automated through ISE.)
File Reputation
Malware and ransomware detection and blocking
Cisco AMP Threat Grid (Advanced Malware Protection and cloud sandboxing)
• Block known malware
• Investigate files safely
• Detect new threats
• Respond to alerts
File reputation relies on known signatures, fuzzy fingerprinting and indications of compromise.
Threat Grid sandboxing adds advanced analytics, dynamic analysis and threat intelligence.
(Diagram: AMP for Network and AMP for Endpoint logs feed File & Device Trajectory; sandbox analysis returns a threat disposition of Safe, Uncertain or Risky that is enforced across all endpoints.)
Management Platform Options
Management Options
• Firepower Device Manager (on-box): enables easy on-box management of common security and policy tasks
• Firepower Management Center (centralized): enables comprehensive security administration and automation of multiple appliances
• ASDM with FirePOWER Services (on-box): enables easy on-box migration and management of ASA with Firepower
Firepower Device Manager
• On-box manager for managing a single Firepower Threat Defense device
• Targeted for the SMB market
• Designed for the networking security administrator
• Simple & intuitive
• On-screen troubleshooting
Firepower Management Center
Integration Capabilities
ISE remediation using pxGrid
3rd Party Integration
SNMP, Syslog, NetFlow or eStreamer (e.g. LiveAction)
Cisco Threat Intelligence Director
Cisco Threat Intelligence Director (CTID)
• Uses customer threat intelligence to identify threats
• Automatically blocks supported indicators on Cisco NGFW
• Provides a single integration point for all STIX and CSV intelligence sources
Hail a TAXII !!
• Free source of TAXII feeds
• Website URL: http://hailataxii.com
• Multiple feeds
• To configure the TAXII intelligence source:
  URL: http://hailataxii.com/taxii-discovery-service
  USERNAME: guest
  PASSWORD: guest
Deployment Designs: Use Case
Use Case: Internet Edge Firewall
Requirement
Connectivity and Availability Requirements:
• High Availability, ROUTED mode
• Firewall should support Routed or Transparent mode
Routing Requirements:
• Static and BGP routing
• Dynamic NAT/PAT and static NAT
Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and malware protection
• SSL decryption
Authentication Requirements:
• User authentication and device identity
Solution
Security Application: Firepower Threat Defense application with FMC
(Diagram: ISP / service provider – Internet edge firewalls in HA – port-channel – DMZ network and campus/private network.)
Connectivity and Availability
Firewall Design: Modes of Operation
(Diagram: routed-mode firewall with interfaces 10.1.1.1 on 10.1.1.0/24 and 192.168.1.1 on 192.168.1.0/24; a host with IP 192.168.1.100 uses GW 192.168.1.1; the firewall performs NAT and runs DRP.)
• Routed Mode is the traditional mode of the firewall. Two or more interfaces separate L3 domains – the firewall is the router and gateway for local hosts.
• Transparent Mode is where the firewall acts as a bridge functioning at L2. A transparent-mode firewall offers some unique benefits in the DC. Transparent deployment is tightly integrated with our ‘best practice’ data center designs.
Link and Platform Redundancy Capabilities
Firewall Link Aggregation – High Availability – Clustering
• LACP (Link Aggregation Control Protocol) link redundancy: resiliency with link failures
• Active / Standby HA
• Inter-chassis clustering: combine up to 16 Firepower 9300 blades or 4100 chassis
Routing Requirements
Dynamic NAT for Direct Internet Access
Automatic and Manual (complex) NAT Support for FTD including IPv6
Routing Protocol support
IPv4 and IPv6 advanced routing
• OSPF and OSPFv3 (IPv6)
• BGP (IPv4 & IPv6)
• Static routes, including tunneled route support for VPNs and reverse route injection for VPNs
• Multicast routing: IGMP, PIM
• EIGRP via FlexConfig
Rate limiting Cloud File Sharing Traffic
QoS Policy is a new policy type with a separate policy table
Upload and download rate limiting per application with identity!
Security Requirements
Access Control Policy blocking inappropriate content
Granular SSL Decrypt
Can specify by application, certificate fields / status, ciphers, etc.
Decrypt Cert required!
Custom IPS Policy
Malware and File Analysis
Attached to Access Policy
URL-Based Security Intelligence
• Extension of IP-based SI
• TALOS dynamic feed, 3rd party feeds and lists
• Multiple categories: Malware, Phishing, CnC, …
• Multiple actions: Allow, Monitor, Block, Interactive Block, …
• Policy configured via Access Rules or blacklist
• IoC tags for CnC and Malware URLs
• New dashboard widget for URL SI
• Black/white-list a URL with one click
(Screenshot: URL-SI categories)
DNS Inspection
• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Cisco-provided and user-defined DNS lists: CnC, Spam, Malware, Phishing
• Multiple actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence
(Screenshot: DNS policy rule with DNS List and Action columns)
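As an added illustration (not Cisco Firepower code), the following Python models the list-and-action logic described on the URL-Based Security Intelligence and DNS Inspection slides: a query name or URL is matched against category lists, the per-category action is applied, CnC and Malware hits raise an IoC tag, and a Sinkhole verdict carries the answer address. The feeds, action mapping, sinkhole address and log lines are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Added illustration (not Cisco Firepower code). Constructed category lists in
# the shape of a Talos/third-party feed or user-defined list; not real indicators.
# URL entries are "host/path-prefix"; DNS entries are domains.
URL_FEED: Dict[str, Set[str]] = {
    "Malware":  {"bad-downloads.example/payload.bin"},
    "Phishing": {"login-bank.example/"},
    "CnC":      {"beacon.example/"},
}
DNS_FEED: Dict[str, Set[str]] = {
    "CnC":      {"beacon.example"},
    "Malware":  {"bad-downloads.example"},
    "Spam":     {"promo.example"},
    "Phishing": {"login-bank.example"},
}
# Per-category actions as an administrator might assign them in the policy.
URL_ACTIONS = {"Malware": "Block", "Phishing": "Interactive Block", "CnC": "Block"}
DNS_ACTIONS = {"CnC": "Sinkhole", "Malware": "Domain Not Found",
               "Spam": "Monitor", "Phishing": "Block"}
SINKHOLE_IP = "10.99.99.99"            # constructed sinkhole address
IOC_CATEGORIES = {"CnC", "Malware"}    # hits in these categories raise an IoC tag


@dataclass
class Verdict:
    action: str
    category: Optional[str]
    ioc: bool                          # Indication of Compromise tagged on the host
    sinkhole_ip: Optional[str] = None  # answer handed back when action is Sinkhole


def match_domain(qname: str, feed: Dict[str, Set[str]]) -> Optional[str]:
    """Category listing qname or a parent domain; most specific match wins.
    Parent-domain matching keeps lookups effective against fast-flux subdomains."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for category, domains in feed.items():
            if candidate in domains:
                return category
    return None


def evaluate_dns(qname: str) -> Verdict:
    """Apply the DNS SI policy to one query name."""
    category = match_domain(qname, DNS_FEED)
    if category is None:
        return Verdict("Allow", None, False)
    action = DNS_ACTIONS[category]
    return Verdict(action, category, category in IOC_CATEGORIES,
                   SINKHOLE_IP if action == "Sinkhole" else None)


def match_url(url: str, feed: Dict[str, Set[str]]) -> Optional[str]:
    """Category whose host and path prefix cover the URL (exact host match)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, path = (parts.hostname or ""), (parts.path or "/")
    for category, entries in feed.items():
        for entry in entries:
            entry_host, _, entry_path = entry.partition("/")
            if host == entry_host.lower() and path.startswith("/" + entry_path):
                return category
    return None


def evaluate_url(url: str) -> Verdict:
    """Apply the URL SI policy to one URL."""
    category = match_url(url, URL_FEED)
    if category is None:
        return Verdict("Allow", None, False)
    return Verdict(URL_ACTIONS[category], category, category in IOC_CATEGORIES)


# Constructed DNS query log, key=value per line (not a Firepower log format).
SAMPLE_DNS_LOG = """\
client=10.1.1.50 qname=www.beacon.example qtype=A
client=10.1.1.51 qname=cdn.promo.example qtype=A
client=10.1.1.52 qname=intranet.corp.example qtype=AAAA
client=10.1.1.53 qname=bad-downloads.example. qtype=A
"""


def process_dns_log(text: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """Parse the log and return (client, qname, action, category) per query."""
    rows = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        v = evaluate_dns(fields["qname"])
        rows.append((fields["client"], fields["qname"], v.action, v.category))
    return rows
```

Running `process_dns_log(SAMPLE_DNS_LOG)` sinkholes the CnC lookup from 10.1.1.50, monitors the spam domain, allows the internal name and answers Domain Not Found for the malware host; the trailing dot and mixed case are normalised before matching.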
Identity Requirements
Authentication and Authorization
Access Control Policy Identity Control
Can Mix and Match AD & ISE Identity Groups (Guest, BYOD, etc.)
TrustSec Security Group Tag based identity from ISE
Can also reference Identity Services Engine identified Device Profiles
Branch Firewall Use Cases
Site to Site and Remote Access VPN
Headquarters and Branch NGFW Example
Use of Groups in FMC for organization
• One policy set applied to all branch firewalls
Headquarters and Branch NGFW Example
Dynamic Endpoint option for sites with DHCP Outside Interface
• VPN can be backup to MPLS or dedicated WAN
Secure Remote Access for Roaming User
Secure access using Firepower
(Diagram: roaming user connects over the ISP to FP2100 in HA at the Internet edge and reaches the campus/private network.)
• Secure SSL/IPsec AnyConnect access to the corporate network
• AMP and file inspection policy to monitor roaming user data
• Easy RA VPN wizard to configure AnyConnect Remote Access VPN
• Advanced application-level inspection can be enabled to enforce security on inbound remote access user data
• Monitoring and troubleshooting of remote access activity, with a simplified tool for troubleshooting
Remote Access VPN
• AnyConnect client-based VPN
• Use cases: split or full tunnel; multiple connection profiles; username/password and/or certificate authentication support
Firepower Threat Defense Summary
Power Internet Edge and Branch WAN Platform
• Powerful threat defense capabilities
• Advanced site-to-site VPN and routing protocol support
• AnyConnect Remote Access
• Unified management
• Robust NGFW feature set
• Flexible deployment
Thank you.