ASA Firepower NGFW Typical Deployment Scenarios
Jeff Fanelli - Principal Systems Engineer - [email protected]
BRKSEC-2050
#jefanell
About your speaker
Jeff Fanelli
Principal Systems Engineer
Cisco Global Security Sales Organization
I’m from the U.S. state with the longest suspension bridge in the western hemisphere!
MICHIGAN (the “mitten” state..)
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Firepower Sessions: Building Blocks
• BRKSEC-2058: A Deep Dive into using the Firepower Manager (Tuesday 16:45)
• BRKSEC-2056: Threat Centric Network Security (Tuesday 11:15)
• BRKSEC-3032: NGFW Clustering Deep Dive (Wednesday 9:00)
• BRKSEC-3035: Firepower Platform Deep Dive (Thursday 9:00)
• BRKSEC-2050: ASA Firepower NGFW typical deployment scenarios (Tuesday 14:15)
• BRKSEC-3455: Dissecting Firepower NGFW (FTD+FPS) (Friday 9:00)
Today's Agenda
• Firepower System Architecture Overview
• Platforms & Capabilities
• Firepower Software Deep Dive
• Firepower 6.1 / 6.2 New Capabilities
• Management Options
• Deployment Modes
• Deployment Use Cases
Abbreviation Key!
ASA = Adaptive Security Appliance
FTD = Firepower Threat Defense
FPS = Firepower Services
FMC = Firepower Management Center
FDM = Firepower Device Manager
NGFW = Next Generation Firewall
NGIPS = Next Generation Intrusion Prevention System
AMP = Advanced Malware Protection
API = Application Programming Interface
ISE = Identity Services Engine
IoC = Indicator of Compromise
PAN = Place to cook your eggs
Systems Architecture Overview
How did we get here from there?
• Adaptive Security Appliance (ASA)
• FirePOWER NGIPS
• ASA with FirePOWER Services?
• Firepower NGFW?
ASA “Adaptive Security Appliance”
• ASDM (on-box) / command line
• Cisco Security Manager / RESTful API for management
• HA and clustering
• Network firewall (routing | switching)
• Data center security
• Service provider security
• Protocol inspection
• Identity-based policy control
• VPN
• Mixed multi-context mode
ASA with FirePOWER Services
► Cisco ASA is the world's most widely deployed, enterprise-class stateful firewall
► Granular Cisco® Application Visibility and Control (AVC)
► Industry-leading FirePOWER next-generation IPS (NGIPS)
► Reputation- and category-based URL filtering
► Advanced malware protection
(Diagram: Cisco ASA providing Network Firewall [Routing | Switching], Clustering & High Availability and Identity-Policy Control & VPN; FirePOWER Services providing FireSIGHT Analytics & Automation, Application Visibility & Control, Built-in Network Profiling, Intrusion Prevention (subscription), URL Filtering (subscription) and Advanced Malware Protection (subscription); Cisco Collective Security Intelligence enabled)
Firepower Threat Defense: Integrated Software, Single Management
(Diagram: Network Firewall and Routing, High Availability, Intrusion Prevention, Application Visibility & Control, Analytics & Automation, Network Profiling, Identity-Based Policy Control, URL Filtering and Malware Protection, all fed by Cisco Collective Security Intelligence)
Firepower Threat Defense (FTD) Software
ASA (L2-L4):
• L2-L4 stateful firewall
• Scalable CGNAT, ACL, routing
• Application inspection
Firepower (L7):
• Threat-centric NGIPS
• AVC, URL filtering for NGFW
• Advanced Malware Protection
ASA with Firepower Services -> Firepower Threat Defense: a single converged OS (Firewall, URL, Visibility, Threats); the full feature set arrives through continuous feature migration.
Managed by Firepower Management Center (FMC)*
* Also manages Firepower Appliances and FirePOWER Services (not ASA Software)
Feature Comparison: ASA with Firepower Services and Firepower Threat Defense

Similarities
Feature | Firepower Threat Defense | Firepower Services for ASA
Routing + NAT | ✔ (OSPF, BGP, Static, RIP, Multicast; EIGRP/PBR via FlexConfig) | ✔ (OSPF, BGP, EIGRP, Static, RIP, Multicast)
OnBox Management | ✔ | ✔
HA (Active/Passive) | ✔ | ✔
Clustering (Active/Active) | ✔ | ✔
Site to Site VPN | ✔ | ✔
Policy based on SGT tags | ✔ | ✔

Differences
Feature | Firepower Threat Defense | Firepower Services for ASA
Unified ASA and Firepower rules and objects | ✔ | ✘
Hypervisor Support | ✔ (AWS, VMware, KVM; Azure in 6.2) | ✘
Smart Licensing Support | ✔ | ✘
Multi-Context Support | ✘ (Coming Soon!) | ✔
Remote Access VPN | ✔ (6.2.1) | ✔

Note: Not an exhaustive feature list
What are the Firepower Deployment Options?
• Firepower Appliances: 7000 / 7100 / 8000 / Virtual
• ASA with Firepower Services: FirePOWER Services on ASA 9.5.x, ASA 5500-X (all models)
• Firepower Threat Defense (Unified Software Image): ASA 5500-X / Virtual, Firepower 2100 / 4100 / 9300 (the 5585 cannot run the FTD image!)
All managed by Firepower Management Center
Platforms & Capabilities
Cisco ASA 5500-X: SMB and Enterprise Branch NGFW
5506 / 5508 / 5516 (Performance):
• 1-Gb interfaces
• Up to 450 Mbps throughput
• Wireless option for 5506-X
• Software switching capability
• Firepower Threat Defense or ASA Software options
5525 / 5545 / 5555 (Performance):
• 1-Gb interfaces
• Up to 1.2 Gbps throughput
• 5545 / 5555: redundant power supply and SSD option
• Firepower Threat Defense or ASA Software options
Unified Management:
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On-Box Manager)
• Cisco Defense Orchestrator (Cloud Management)
Cisco Firepower 2100 Series: Purpose-Built NGFW
Introducing four high-performance models
Performance and Density Optimization:
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• 1-Gb and 10-Gb interfaces
• Up to 8.5-Gbps throughput
• 1-rack-unit (RU) form factor
• Dual SSD slots
• 12x RJ45 ports, 4x SFP(+)
• 2130 / 2140 models: 1x network module, fail-to-wire option, DC & dual PSU support
Unified Management:
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On-Box Manager)
• Cisco Defense Orchestrator (Cloud Management)
Firepower 2100 Series Performance (note: early performance numbers)
Metric | FPR 2110 | FPR 2120 | FPR 2130 | FPR 2140
NGFW throughput | 1.9 Gbps | 3 Gbps | 4.75 Gbps | 8.5 Gbps
NGFW + IPS throughput | 1.9 Gbps | 3 Gbps | 4.75 Gbps | 8.5 Gbps
Maximum concurrent sessions | 1 M | 1.2 M | 2 M | 3.5 M
Maximum new connections per second | 12,000 | 16,000 | 24,000 | 40,000
NO DROP IN PERFORMANCE! (the NGFW + IPS figures match the NGFW figures)
Cisco Firepower 4100 Series: High performance campus and data center
Multiservice Security:
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third party
Performance and Density Optimization:
• 10-Gb and 40-Gb interfaces
• Up to 24-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency
Unified Management:
• Firepower Management Center (Enterprise Management)
• Firepower Device Manager (On-Box Manager)
• Cisco Defense Orchestrator (Cloud Management)
Cisco Firepower 9300 Platform: High performance data center
Multiservice Security
• Benefits: integration of best-in-class security; dynamic service stitching
• Features*: ASA container option; Firepower™ Threat Defense (NGIPS, AMP, URL, AVC); third-party containers (Radware DDoS)
Modular
• Benefits: standards and interoperability; flexible architecture
• Features: template-driven security; secure containerization for customer apps; RESTful/JSON API; third-party orchestration and management
Carrier Class
• Features: compact, 3RU form factor; 10-Gbps/40-Gbps I/O, 100-Gbps ready; terabit backplane; low latency, intelligent fast path; Network Equipment-Building System (NEBS) ready
* Contact Cisco for services availability
Cisco NGFW Platforms: NGFW capabilities all managed by Firepower Management Center
• Firepower Threat Defense for ASA 5500-X: 250 Mb -> 1.75 Gb (NGFW + IPS throughput)
• Firepower 2100 Series: 2 Gb -> 8 Gb (NGFW + IPS throughput)
• Firepower 4100 Series and Firepower 9300: 41xx = 10 Gb -> 24 Gb; 93xx = 24 Gb -> 53 Gb; up to 6x with clustering!
Software Support: Physical Platforms
Platform | ASA | Firepower NGIPS | ASA with FirePOWER Services | Firepower Threat Defense
ASA 5506X -> 5555X (all models) | ✓ | | ✓ | ✓
Firepower 2100 (all models) | NO! | | | ✓
Firepower 4100 (all models) | ✓ | | | ✓
Firepower 9300 (all models) | ✓ | | | ✓
ASA 5585 (with SSP blade) | ✓ | | ✓ |
Firepower 7000 / 8000 (IPS appliances) | | ✓ | |
Software Support: Virtual Platforms
Platform | ASA | Firepower NGIPS | Firepower Threat Defense
ASAv (vSphere, AWS, Azure, Hyper-V, KVM) | ✓ | |
Firepower NGIPSv (vSphere + ISR UCSE) | | ✓ |
Firepower NGFWv (vSphere, AWS, Azure, KVM) | | | ✓
Firepower NGFW Software
OpenAppID: Application Visibility & Control
Provide next-generation visibility into app usage: see and understand risks, enforce granular access control, prioritize traffic and limit rates, create detectors for custom apps.
Cisco database: 4,000+ apps, 180,000+ micro-apps
(Diagram: network & users -> Cisco database -> prioritize traffic)
OpenAppID Integration
Open source application-focused detection language that enables users to create, share and implement custom application detection.
• What is OpenAppID?
  • Open source app-focused detection language
  • > 2500 detectors contributed by Cisco
  • > 20,000 downloads of the detection pack since last September
  • Snort-community supported
• Simple language
  • Reduced dependency on vendor release cycles
  • Written using the Lua scripting language
URL Filtering, Security Intelligence Feeds, DNS Sinkhole capability
Web acceptable use controls and threat prevention: classify 280M+ URLs, filter sites using 80+ categories, manage “allow/block” lists easily, block latest malicious URLs.
(Diagram: admin builds category-based policy (allow / block) against the Cisco URL Database; NGFW filtering also uses security feeds (URL | IP | DNS), DNS sinkhole and Safe Search)
URL-Based Security Intelligence
• Extension of IP-based SI
• TALOS dynamic feed, 3rd party feeds and lists
• Multiple categories: Malware, Phishing, CnC, ...
• Multiple actions: Allow, Monitor, Block, Interactive Block, ...
• Policy configured via Access Rules or black-list
• IoC tags for CnC and Malware URLs
• New dashboard widget for URL SI
• Black/white-list a URL with one click
(Screenshot: URL-SI categories)
DNS Inspection
• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing
• Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence
• New Dashboard widget for DNS SI
(Screenshot: DNS list action)
DNS Inspection: DNS Sinkhole
(Diagram: Endpoint (10.15.0.21) -> Local DNS Server -> NGFW. NGFW policy: DNS SI list “C&C servers”, action: DNS Sinkhole. The endpoint's follow-on connection to the sinkhole IP (marked X in the diagram) generates SI events and IoCs.)
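The sinkhole flow on the two DNS slides as a runnable simulation, added here for this page (not Firepower code): a DNS list with one action per entry, the forged answer that sends the client to the sinkhole, and the follow-on connection that tags the real endpoint with an IoC. The list, the addresses and the event sequence are constructed; endpoint 10.15.0.21 is the one shown on the slide.

```python
"""Simulation of the DNS Security Intelligence (SI) flow on the DNS Inspection and DNS
Sinkhole slides. Added illustration for this page, not Firepower code; the list, the
addresses and the event sequence are constructed (endpoint 10.15.0.21 is from the slide).
"""

SINKHOLE_IP = "198.51.100.250"   # constructed; stands in for the configured sinkhole object

# Constructed DNS SI list: domain -> action, using the four actions the slide names.
DNS_SI_LIST = {
    "cnc.example": "sinkhole",           # CnC list -> Sinkhole
    "spam.example": "domain_not_found",  # Spam list -> forged NXDOMAIN
    "phish.example": "block",            # Phishing list -> query dropped
    "watch.example": "monitor",          # Monitor -> log only, resolution proceeds
}


def match_dns_list(qname, si_list=DNS_SI_LIST):
    """Longest-suffix match: any host under a listed domain hits the entry, which is what
    makes a domain list hold up against fast-flux hostnames."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in si_list:
            return candidate, si_list[candidate]
    return None, None


class DnsSiSimulator:
    def __init__(self, sinkhole_ip=SINKHOLE_IP):
        self.sinkhole_ip = sinkhole_ip
        self.events = []

    def dns_query(self, src_ip, qname, upstream_answer):
        """Return what the querier receives. In the slide topology the querier the NGFW
        sees is the local DNS server, so src_ip alone does not identify the endpoint."""
        entry, action = match_dns_list(qname)
        if action is None:
            return upstream_answer
        self.events.append({"kind": "dns_si", "src": src_ip, "domain": qname,
                            "entry": entry, "action": action})
        if action == "monitor":
            return upstream_answer
        if action == "block":
            return None                 # query dropped; the resolver times out
        if action == "domain_not_found":
            return "NXDOMAIN"           # forged negative answer
        if action == "sinkhole":
            return [self.sinkhole_ip]   # forged A record pointing at the sinkhole
        raise ValueError(f"unknown DNS SI action {action!r}")

    def connection(self, src_ip, dst_ip):
        """A flow to the sinkhole IP proves src_ip acted on a forged answer; that is the
        step which turns a resolver-sourced DNS hit into an IoC on the real endpoint."""
        if dst_ip != self.sinkhole_ip:
            return False
        self.events.append({"kind": "ioc", "host": src_ip,
                            "reason": "connection to DNS sinkhole"})
        return True

    def hosts_with_ioc(self):
        return sorted({e["host"] for e in self.events if e["kind"] == "ioc"})


def run_scenario():
    """Constructed sequence: endpoint 10.15.0.21 resolves a CnC host through the local
    DNS server 10.15.0.53 and then connects to whatever address it was handed."""
    sim = DnsSiSimulator()
    local_dns, endpoint = "10.15.0.53", "10.15.0.21"
    answer = sim.dns_query(local_dns, "beacon.cnc.example", ["203.0.113.7"])
    sim.connection(endpoint, answer[0])                # endpoint follows the forged answer
    sim.dns_query(local_dns, "news.watch.example", ["203.0.113.8"])  # monitored, logged only
    sim.connection("10.15.0.22", "203.0.113.8")        # ordinary flow, no IoC
    return sim


if __name__ == "__main__":
    for event in run_scenario().events:
        print(event)
```

With a plain Block action only the DNS event from 10.15.0.53 would exist, which is why Sinkhole is the action that names the infected host.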
SSL/TLS handshake, certificate inspection and TLS decryption engine: visibility for encrypted traffic
• Decrypt 3.5 Gbps traffic over five million simultaneous flows
• Inspect deciphered packets
• Track and log all SSL sessions
(Diagram: encrypted traffic -> SSL decryption engine -> AVC and NGIPS -> enforcement decisions, with all sessions logged; example URL categories shown: gambling, illicit)
Integrated SSL Decryption
• Multiple deployment modes:
  • Passive inbound (known keys)
  • Inbound inline (with or without keys)
  • Outbound inline (without keys)
• Flexible SSL support for HTTPS & StartTLS-based apps, e.g. SMTPS, POP3S, FTPS, IMAPS, TelnetS
• Decrypt by URL category and other attributes
• Centralized enforcement of SSL certificate policies, e.g. blocking self-signed encrypted traffic, SSL versions, specific cipher suites, unapproved mobile devices
Next-Generation Intrusion Prevention System (NGIPS)
Application and context aware intrusion prevention
• Scan network traffic: data packets, communications, app & device data
• Correlate data
• Detect stealthy threats (blended threats): network profiling, phishing attacks, innocuous payloads, infrequent callouts
• Respond based on priority: accept, block, automate policies (ISE); prioritize response
Cisco AMP Threat Grid (Advanced Malware Protection and cloud sandboxing)
Malware and ransomware detection and blocking: block known malware, investigate files safely, detect new threats, respond to alerts.
File Reputation:
• Known signatures
• Fuzzy fingerprinting
• Indications of compromise
Threat Grid Sandboxing:
• Advanced analytics
• Dynamic analysis
• Threat intelligence
(Diagram: AMP for Network and AMP for Endpoint logs -> sandbox analysis -> threat disposition (Safe / Uncertain / Risky) -> enforcement across all endpoints, with file & device trajectory)
Additional Firewall Features: improve traffic control with new features
• Identity Integration (target threats accurately): ISE, pxGrid, VDI
• Captive Portal (enforce authentication): Active/Passive, NTLM, Kerberos
• Rate limiting (control application usage): rule-based limits, reports, QoS rules
• FlexConfig (granular config controls): CLI policies, legacy ASA feature control
• Tunnel Policy (block unwanted traffic early): pre-filtering, priority policy, policy migration
ISE Integration
• pxGrid feed to retrieve from ISE:
  • AD username (group lookup via AD Realm)
  • Device type profile & location
  • TrustSec Security Group Tag (SGT)
• Ability to exert control based on the above in rules, e.g. block HR users from using personal iPads
• Reduces ACL size and complexity
ISE Integration Screen Shot
Captive Portal / Active Authentication
• Enforces authentication through the appliance
• Multiple authentication modes (Passive, Active, Passive with Active Fallback)
• Various supported authentication types (e.g. Basic, NTLM, Advanced, Form)
• Guest / non-Windows device authentication support
• Multi-realm support
Method | Source | LDAP/AD | Authoritative?
Active | Forced authentication through device | LDAP and AD | yes
Passive | Identity and IP mapping from AD Agent | AD | yes
User Discovery | Username scraped from traffic | LDAP and AD, passive from the wire | no
Captive Portal - Configuration (screenshot: Authentication Type, Action, Exclude User Agent)
Rate limiting configuration
• QOS Policy is a new policy type with separate policy table
• Not associated with an Access Control Policy – directly associated with devices
FlexConfig
• Provides a way to configure ASA features not exposed directly by Firepower Management Center:
  • EIGRP routing
  • PBR
  • ISIS routing
  • NetFlow (NSEL) export
  • VXLAN
  • ALG inspections
  • IPv6 header inspection
  • BFD
  • Platform sysopt commands
  • WCCP
FlexConfig Example: DHCPv6_Prefix_Delegation_Configure
• Description: Configure IPv6 Prefix Delegation on FTD
• Configure:
  • One outside (Prefix Delegation client) interface
  • One inside interface (recipient of delegated prefix) for IPv6 prefix delegation
• This template should be copied and the variables modified as appropriate.
## Outside interface (PD client): logical name, prefix pool name, prefix hint
#set ( $pdoutside = ["outside", "Outside-Prefix", "::/56"] )
#foreach($j in $SYS_FTD_ROUTED_INTF_MAP_LIST)
#if($j.intf_logical_name == $pdoutside.get(0))
interface $j.intf_hardwarare_id
ipv6 dhcp client pd $pdoutside.get(1)
ipv6 dhcp client pd hint $pdoutside.get(2)
#end
#end

## Inside interface (recipient of delegated prefix): logical name, prefix pool name, suffix
#set ( $pdinside = ["inside", "Outside-Prefix", "::1:0:0:0:4/64"] )
#foreach($j in $SYS_FTD_ROUTED_INTF_MAP_LIST)
#if($j.intf_logical_name == $pdinside.get(0))
interface $j.intf_hardwarare_id
ipv6 address $pdinside.get(1) $pdinside.get(2)
#end
#end
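To preview what the template above deploys, here is an added example for this page (not FMC's Velocity engine and not Cisco code) that mimics the template's #set / #foreach / #if logic in Python against a constructed interface map, and adds the check the template itself lacks: a logical name that matches no routed interface silently produces no CLI. The interface map, the interface names and the helper names are constructed; the field name intf_hardwarare_id is kept exactly as the slide's template spells it.

```python
"""Renders the DHCPv6 prefix-delegation FlexConfig template from the slide against a
sample routed-interface map. Added example for this page; it imitates the template's
#foreach/#if logic in Python and is not FMC's Velocity engine.
"""

# The two #set lists from the template: logical name, prefix pool name, hint / suffix.
PD_OUTSIDE = ["outside", "Outside-Prefix", "::/56"]
PD_INSIDE = ["inside", "Outside-Prefix", "::1:0:0:0:4/64"]

# Constructed stand-in for $SYS_FTD_ROUTED_INTF_MAP_LIST; the field is spelled
# intf_hardwarare_id exactly as in the template on the slide.
SYS_FTD_ROUTED_INTF_MAP_LIST = [
    {"intf_logical_name": "outside", "intf_hardwarare_id": "GigabitEthernet0/0"},
    {"intf_logical_name": "inside", "intf_hardwarare_id": "GigabitEthernet0/1"},
    {"intf_logical_name": "dmz", "intf_hardwarare_id": "GigabitEthernet0/2"},
]


def render_pd_outside(intf_map, pd=PD_OUTSIDE):
    """Lines produced by the first #foreach block (PD client on the outside interface)."""
    lines = []
    for j in intf_map:
        if j["intf_logical_name"] == pd[0]:
            lines += [f"interface {j['intf_hardwarare_id']}",
                      f"ipv6 dhcp client pd {pd[1]}",
                      f"ipv6 dhcp client pd hint {pd[2]}"]
    return lines


def render_pd_inside(intf_map, pd=PD_INSIDE):
    """Lines produced by the second #foreach block (delegated prefix applied inside)."""
    lines = []
    for j in intf_map:
        if j["intf_logical_name"] == pd[0]:
            lines += [f"interface {j['intf_hardwarare_id']}",
                      f"ipv6 address {pd[1]} {pd[2]}"]
    return lines


def template_problems(intf_map, outside=PD_OUTSIDE, inside=PD_INSIDE):
    """Checks the template itself does not make: a logical name that matches no routed
    interface silently yields no CLI, and the inside address only makes sense when it
    is built from the same prefix pool the outside interface requests."""
    problems = []
    for pd, rendered in ((outside, render_pd_outside(intf_map, outside)),
                         (inside, render_pd_inside(intf_map, inside))):
        if not rendered:
            problems.append(f"no routed interface named '{pd[0]}'")
    if outside[1] != inside[1]:
        problems.append("prefix pool names differ between outside and inside")
    return problems


def render_template(intf_map, outside=PD_OUTSIDE, inside=PD_INSIDE):
    """Full rendering; refuses to emit a partial configuration."""
    problems = template_problems(intf_map, outside, inside)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(render_pd_outside(intf_map, outside) + render_pd_inside(intf_map, inside))


if __name__ == "__main__":
    print(render_template(SYS_FTD_ROUTED_INTF_MAP_LIST))
```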
Firepower Management Center: New Capabilities
Troubleshooting: Packet Tracer
• Displays logs for a single simulated (virtual) packet
• Tracing data will include information from Snort & preprocessors about verdicts and actions taken while processing a packet
Troubleshooting: Packet Capture with Trace
• Captures and displays packets from live traffic
• Allows PCAP file download of the capture buffer
Lookup features – Geolocation & WHOIS
Lookup Feature: URL
ISE remediation using pxGrid
Cisco Threat Intelligence Director
Cisco Threat Intelligence Director (CTID)
• Uses customer threat intelligence to identify threats
• Automatically blocks supported indicators on Cisco NGFW
• Provides a single integration point for all STIX and CSV intelligence sources
Cisco Threat Intelligence Director Overview (diagram)
Hail a TAXII!!
• Free source of TAXII feeds
• Website URL: http://hailataxii.com
• Multiple feeds
• To configure the TAXII intelligence source:
  • URL: http://hailataxii.com/taxii-discovery-service
  • USERNAME: guest
  • PASSWORD: guest
Management Platform Options
Management Options
• Firepower Device Manager (on-box): enables easy on-box management of common security and policy tasks
• Firepower Management Center (centralized): enables comprehensive security administration and automation of multiple appliances
• Cisco Defense Orchestrator (cloud-based): enables centralized cloud-based policy management of multiple deployments
Firepower Device Manager
• Free local manager for managing a single Firepower Threat Defense device
• Targeted for SMB market
• Designed for Networking/Security Administrator
• Simple & intuitive
Firepower Device Manager Demo
Firepower Management Center: Overview
• Single manager for Firepower Threat Defense
• Can also manage Firepower appliance and “Services” deployments
• Unified policy management for Firepower appliances and Firepower Threat Defense (one rule table)
• Broadest set of security capabilities for Firepower platforms!
Firepower Management Center Demo
On-box vs Off-box: Firepower Management Center (Off-box) vs Firepower Device Manager (On-box)
Compared features: NAT & Routing; Access Control; Intrusion & Malware; Device & Events Monitoring; VPN (Site to Site & RA); Security Intelligence; Other Policies (SSL, Identity, Rate Limiting (QoS) etc.); Active/Passive Authentications; Firewall Mode; Threat Intelligence & Analytics; Correlation & Remediation; Risk Reports; Device Setup Wizard; Interface Port-Channel; High Availability
Firewall Mode: Routed / Transparent with Firepower Management Center; Routed with Firepower Device Manager
Deployment Designs: Use Case
Firepower Threat Defense: Internet / WAN Edge
Use Case: Internet Edge Firewall
Requirement
Connectivity and availability requirements:
• High Availability, ROUTED mode
• Firewall should support Routed or Transparent mode
Routing requirements:
• Static and BGP routing
• Dynamic NAT/PAT and static NAT
Security requirements:
• Application control + URL acceptable use enforcement
• IPS and malware protection
• SSL decryption
Authentication requirements:
• User authentication and device identity
Solution
Security application: Firepower Threat Defense application with FMC
(Diagram: ISP / service provider -> Internet edge firewall pair in HA (vPC / port-channel, HSRP) -> campus/private network and DMZ network)
Connectivity and Availability
Firewall Link Aggregation, High Availability, Clustering: deliver scalable performance across many sites
• Link redundancy: resiliency with link failures (LACP, Link Aggregation Control Protocol)
• Active / Standby HA
• Inter-chassis clustering: combine up to 6 Firepower 9300 blades or 4100 chassis
See BRKSEC-3032: NGFW Clustering Deep Dive
Firewall Design: Modes of Operation
• Routed mode is the traditional mode of the firewall. Two or more interfaces separate L3 domains; the firewall is the router and gateway for local hosts.
(Diagram: inside 192.168.1.0/24 with firewall interface 192.168.1.1; outside 10.1.1.0/24 with firewall interface 10.1.1.1; host IP 192.168.1.100, GW 192.168.1.1; NAT and dynamic routing (DRP) on the firewall)
Firewall Design: Modes of Operation (continued)
(Diagram: transparent firewall bridging VLAN 192 and VLAN 1920 within 192.168.1.0/24; gateway 192.168.1.1; host IP 192.168.1.100, GW 192.168.1.1)
• Transparent mode is where the firewall acts as a bridge functioning at L2.
• A transparent mode firewall offers some unique benefits in the DC.
• Transparent deployment is tightly integrated with our ‘best practice’ data center designs.
• Note:
  • No multiple context mode available on FTD today.
  • Routed or transparent mode is configured with the setup dialog. Changing between these modes requires re-registering with FMC.
  • Policies will be re-deployed.
Routing Requirements
(Screenshots: wired and wireless in same zone; IPv4 + IPv6 support)
Dynamic NAT for Direct Internet Access: automatic and manual (complex) NAT support for FTD, including IPv6
Security Requirements
Access Control Policy blocking inappropriate content
SSL Decrypt is fully configurable: can specify by application, certificate fields / status, ciphers, etc.
DNS Sink-holing / Traffic Drop Rule Set: based on DNS query results of the client
Security Intelligence DNS Global Settings: whitelist / blacklist capabilities
Custom IPS Policy
Malware and File Analysis: attached to Access Policy
Identity Requirements
Authentication and Authorization
Identity Policy based on Passive Authentication
Attaches to Access Control Policy
Access Control Policy Identity Control: can mix and match AD & ISE identity groups (Guest, BYOD, etc.)
Active Directory “Realm” Configuration
• Multiple Entries
• LDAP / LDAPS
• Assigned to Identity Policy for Active or Passive Authentication
Identity Services Engine pxGrid Integration
• MUST install ROOT certificate (chain) on FMC that signed ISE pxGridCert
• MUST install ROOT certificate (chain) on ISE that signed FMC Cert
• Private keys not needed (of course!)
TrustSec Security Group Tag based identity from ISE: can also reference Identity Services Engine identified device profiles
External Authentication for Administration
• LDAP / AD or RADIUS
• Example allows “External Users” to be defined that exist in Active Directory for FMC or shell login
• Can stack multiple methods
Secure Connection with Branch Office
• Simplified IPsec wizard for site-to-site VPN configuration
• Advanced application-level inspection can be enabled on VPN traffic from partner and vendor networks.
• Prefilter policy to bypass advanced inspection and improve performance.
• Authentication supports both pre-shared key and PKI.
• Branch office deployment to secure the connection with the head office.
• Monitoring and troubleshooting to monitor remote access activity and a simplified tool for troubleshooting.
(Diagram: branch edge router -> ISP -> IPsec VPN -> FPR2100 pair in failover)
Site-to-Site VPN
• Firepower Management Center will provide monitoring of VPN tunnels
• Pre-shared key support
• PKI certificate authentication support
Secure Remote Access for Roaming User: secure access using Firepower
(Diagram: roaming user -> ISP -> Internet edge FP2100 in HA -> campus/private network)
• Secure SSL/IPsec AnyConnect access to corporate network
• AMP and file inspection policy to monitor roaming user data.
• Easy RA VPN wizard to configure AnyConnect Remote Access VPN
• Advanced application-level inspection can be enabled to enforce security on inbound remote access user data.
• Monitoring and troubleshooting to monitor remote access activity and a simplified tool for troubleshooting.
Remote Access VPN
• AnyConnect client-based VPN
• Limitations:
  • No clientless VPN support (client download only)
  • No legacy Cisco IPsec IKEv1 client support
  • No Dynamic Access Policies
Deployment Designs Use Cases
Other Modes
Firepower Threat Defense Deployment Modes: can mix and match on the same hardware to maximize value and visibility
• Virtual or physical: Routed, Transparent
• Inline or passive (fail-to-wire NetMods): Inline, Inline Tap, Passive
• Additional options: NetMod
Firepower Threat Defense Inline Pairs
• Allows IPS (or IDS) inspection of traffic bridged between physical interfaces.
• Can be configured in addition to routed / transparent NGFW interfaces on the FTD device.
• Be careful not to exceed platform performance limitations!
Promiscuous Interface
(Diagram: Ethernet switch SPAN destination port or VACL capture -> promiscuous interface on the sensor)
• Only copies of the packets are sent to the sensor
• Mostly detection, limited protection
• Optional prevention through external blocking
• Separate device must send copies of the packets:
  • SPAN (or monitor) from a switch
  • VACL capture from a switch
  • Network taps
Virtual Deployment Modes
Virtual FTD prerequisites
• Multi-hypervisor support: KVM, VMware vSphere 5.5+, Cisco Cloud Services Platform
• Provide necessary virtual resources: 4 x vCPUs, 4-8 GB of RAM, 48 GB of disk space
Firepower Threat Defense for AWS & Azure
• Global AWS data center support
• Smart license capable (“BYOL”)
• Manage with FMC
Integrated Routing and Bridging
Integrated Routing and Bridging
• “Software Switch” capability
• Allows configuration of bridges in routed firewall mode
• Regular routed interfaces can now co-exist with BVI interfaces and interfaces that are members of bridge groups.
(Diagram: FTD or ASA (single context) with BVI 1, BVI 2, Outside and Dept. X)
Integrated Routing and Bridging = Software Switch
SAME VLAN
• A BVI interface can now have a name assigned to it; this enables it to participate in routing
• Only static routing is enabled on BVI interfaces in
Integrated Routing and Bridging
ASA - FTD Migration Tool
ASA - FTD Migration: Firepower 6.1+ introduces migration support for key ASA configurations
• Access rules, NAT and referenced objects
• For partners and customers
• Support for ASA 9.1.x onwards
• Roadmap: better scale, expanded config support
Migration Tool Features
• ASA to FTD configuration migration:
  • Migrated policies downloadable as an .sfo file importable in FMC
  • Migration report
• Migration tool supports ASA access rules, NAT policies and their referenced objects
• Qualified with 10,000 ACEs and objects, with no more than 50,000 flattened rule entries.
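Those two limits are the numbers to check before a migration. As an added example for this page (not the migration tool's own code), the block below counts the ACEs in a constructed ASA access-list and estimates its flattened rule entries by expanding object-group references, including nested group-object members; the ASA snippet, the helper names and the counting method are constructed for illustration.

```python
"""Estimate of the two figures the Migration Tool slide qualifies, ACE count and
flattened rule entries, for an ASA access-list that references object-groups. Added
example for this page, not the migration tool's own code; the ASA snippet and the
counting method (each object-group reference multiplies the ACE by its member count)
are constructed for illustration.
"""
import re
from math import prod

MAX_ACES = 10_000         # limits quoted on the slide
MAX_FLATTENED = 50_000

# Constructed ASA configuration fragment.
SAMPLE_CONFIG = """\
object network web-srv
 host 192.0.2.10
object-group network dmz-servers
 description constructed sample group
 network-object host 192.0.2.10
 network-object host 192.0.2.11
 network-object 192.0.2.32 255.255.255.240
object-group network inside-nets
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
object-group network all-private
 group-object inside-nets
 network-object 10.2.0.0 255.255.0.0
object-group service web-ports tcp
 port-object eq 80
 port-object eq 443
 port-object range 8080 8090
access-list outside_in extended permit tcp object-group all-private object-group dmz-servers object-group web-ports
access-list outside_in extended permit udp any host 192.0.2.53 eq 53
access-list outside_in extended deny ip any any
"""

GROUP_RE = re.compile(r"object-group (?:network|service|protocol|icmp-type) (\S+)")
MEMBER_KEYWORDS = ("network-object", "port-object", "service-object",
                   "protocol-object", "icmp-object")


def parse_object_groups(config):
    """Return {group_name: [member lines]}; any non-indented line ends the current group."""
    groups, current = {}, None
    for raw in config.splitlines():
        m = GROUP_RE.match(raw)
        if m:
            current = m.group(1)
            groups[current] = []
        elif raw.startswith(" ") and current is not None:
            groups[current].append(raw.strip())
        else:
            current = None
    return groups


def group_size(name, groups, seen=()):
    """Flattened member count; nested group-object references are expanded recursively."""
    if name in seen:
        raise ValueError(f"object-group reference loop at {name}")
    total = 0
    for member in groups[name]:
        parts = member.split()
        if parts[0] == "group-object":
            total += group_size(parts[1], groups, seen + (name,))
        elif parts[0] in MEMBER_KEYWORDS:
            total += 1           # a range or subnet counts as one entry, like its group line
    return total


def ace_flattened_entries(ace, groups):
    """An ACE with no group references is one entry; each object-group reference
    multiplies it by that group's member count."""
    tokens = ace.split()
    factors = [group_size(tokens[i + 1], groups)
               for i, tok in enumerate(tokens) if tok == "object-group"]
    return prod(factors) if factors else 1


def migration_stats(config):
    groups = parse_object_groups(config)
    aces = [line for line in config.splitlines()
            if line.startswith("access-list ") and " remark " not in line]
    per_ace = {ace: ace_flattened_entries(ace, groups) for ace in aces}
    return {"aces": len(aces), "flattened": sum(per_ace.values()), "per_ace": per_ace}


def within_qualified_limits(stats):
    return stats["aces"] <= MAX_ACES and stats["flattened"] <= MAX_FLATTENED


if __name__ == "__main__":
    stats = migration_stats(SAMPLE_CONFIG)
    print(stats["aces"], "ACEs,", stats["flattened"], "flattened entries,",
          "within limits" if within_qualified_limits(stats) else "OVER LIMITS")
```

The three-group ACE alone expands to 27 entries, which is why a few thousand group-heavy ACEs can cross the 50,000 flattened-entry qualification long before the 10,000 ACE count.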
Migration Process Overview
1. Input: ASA .cfg or .txt file
2. FMCv deployed as the migration tool produces an FMC .sfo file and a migration report
3. FMC (managing the FTD device) imports the .sfo as an Access Control Policy or Prefilter policy
4. Register the ASA / FirePOWER device and apply the migrated policy
Migration Capabilities: Today & Roadmap
Firepower 6.1/6.2:
• ACLs: ability to migrate access control rules
• NAT: ability to migrate NAT rules
• Objects: support for migrating objects corresponding to ACL and NAT rules (except Users, Time Range, FQDN, SGT)
• ASA versions: support for ASA 9.1+ versions
Firepower 6.x roadmap:
• Additional object support: ability to migrate additional types of objects for access rules (Users, Time Range, FQDN, SGT)
• User experience: improved usability; tool and report improvements
• Device configurations: routing, VPN, platform settings etc.
• ASA versions: support for ASA 8.4+ versions
Firepower Threat Defense Summary
• Robust NGFW feature set: extending our threat leadership
• Flexible deployment: enabling more NGFW use cases
• Unified management: delivering on our convergence story
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Thank You