Global vision. Local knowledge. - Cisco… · William Young Security Solutions Architect, Global...


Cisco Forum Kyiv

Global vision. Local knowledge.

William Young
Security Solutions Architect, Global Security Architecture Team
December 2018

Firepower Next Generation Firewall


© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

The move to digital business has increased exposure to attacks

21B IoT devices

90%

2/3 all IP traffic

80% of organizations not “fully aware” of the devices accessing their network

of all traffic will be encrypted

2020


Threats are constantly evolving and getting smarter

191 days time to detection

Motivated and targeted adversaries

Insider threats

Increased attack sophistication

data breach averages

66 days time to contain


3 Security Concerns of IT Leaders

They aren’t confident in their ability to prevent the next big breach.

Prevention

They lack visibility needed to be able to see and stop threats quickly.

Visibility

They have limited budgets, staff and time.

Resources


Ask more from your firewall. Ask if it can…

Deep network and security visibility to detect and stop threats fast

Automate operations to save time, reduce complexity, and work smart

Prevent breaches automatically to keep the business moving


Prevent breaches automatically to keep the business moving


PRODUCTS & INTELLIGENCE

Talos is the intelligence backbone for all Cisco Security Products and Services.

Email
Products: ESA | ClamAV, SpamCop, SenderBase
Detection services: Email Reputation, Malware Protection, URL/Domain/IP Reputation, Phishing Protection, Spam Detection

Open Source
Products: Snort Rules, ClamAV Sigs, ClamAV
Detection services: Vulnerability Protection, Malware Protection, Policy & Control

End Point
Products: AMP, ClamAV
Detection services: Cloud & End Point IOCs, Malware Protection, IP Reputation

Cloud
Products: OpenDNS, CES
Detection services: URL/Domain/IP Reputation, Malware Protection, AVC

Web
Products: WSA
Detection services: URL/Domain/IP Reputation, Malware Protection, AVC

Network
Products: FirePower/ASA, ISR, Meraki
Detection services: Policy & Control, Malware Protection, URL/Domain/IP Reputation, Vulnerability Protection

Services
Products: ATA, IR
Detection services: Cloud & End Point IOCs, Malware Protection, URL/Domain/IP Reputation, Vulnerability Protection, Custom Protection

Intelligence
Products: ThreatGrid
Detection services: Cloud & End Point IOCs, Malware Protection, URL/Domain/IP Reputation, Network Protection


Cisco Firewalls have you covered

Product protection for:
NotPetya, June 2017
WannaCry, May 2017
VPNFilter, May 2018

Products:
AMP
CWS N/A
Firewall
Threat Grid
Umbrella N/A
WSA N/A


Security Intelligence, URL Filtering, DNS Sinkhole

Block or allow access to URLs and domains

Classify 280M+ URLs
Filter sites using 80+ categories
Manage Acceptable Use Policy
Block latest malicious URLs

[Diagram labels: Category-based Policy Creation; Admin; DNS Sinkhole; Security feeds (URL | IP | DNS); NGFW Filtering; Allow / Block; Safe Search; gambling]


Next-Generation Intrusion Prevention System (NGIPS)

Understand threat details and quickly respond

Scan network traffic
Correlate data
Detect stealthy threats
Respond based on priority

Blended threats

• Network profiling

• Phishing attacks

• Innocuous payloads

• Infrequent callouts

[Diagram labels: Communications; App & Device Data; Data packets; Prioritize response; Accept / Block; Automate policies; ISE]


Automated Impact Assessment

Correlates all intrusion events to an impact of the attack against the target

Impact Flag | Administrator Action | Why
1 | Act immediately; vulnerable | Event corresponds to vulnerability mapped to host
2 | Investigate; potentially vulnerable | Relevant port open or protocol in use, but no vulnerability mapped
3 | Good to know; currently not vulnerable | Relevant port not open or protocol not in use
4 | Good to know; unknown target | Monitored network, but unknown host
0 | Good to know; unknown network | Unmonitored network


Indications of Compromise (IoCs) Detection & Threat Correlation

IPS Events
• Malware Backdoors
• CnC Connections
• Exploit Kits
• Admin Privilege Escalations
• Web App Attacks

Security Intelligence Events
• Connections to Known CnC IPs; DNS Servers, Suspect URLs

Malware Events
• Malware Detections
• Malware Executions
• Office/PDF/Java Compromises
• Dropper Infections


Firepower Recommendations Knows what I Do Not


Advanced Malware Protection (AMP)

Uncover hidden threats in the environment

[Diagram labels: Breadth and Control points (Web, Endpoints, Network, Email, Devices, IPS); Telemetry Stream; File Fingerprint and Metadata; Process Information; File and Network I/O; Continuous feed; Continuous analysis; Talos + Threat Grid Intelligence; Trajectory; Behavioral Indications of Compromise; Threat Hunting; Retrospective Detection]


AMP in Action

Who: Focus on these users first

What: These applications are affected

Where: The breach impacted these areas

When: This is the scope of exposure over time

How: Here is the origin and progression of the threat

Network and Endpoint Correlation
IN FIREPOWER MANAGEMENT CENTER


4.6 Hours
Median time to detection with Cisco security*

Weeks
Industry average time to detection

The results speak for themselves

* Source: Cisco 2018 Annual CyberSecurity Report


Deep network and security visibility to detect and stop threats fast


“You can’t protect against what you can’t see”

Gain more insight with increased visibility

Malware

Client applications

Operating systems

Mobile devices

VoIP phones

Routers and switches

Printers

Command and control servers

Network servers

Users

File transfers

Web applications

Application protocols

Threats

Typical IPS

Typical NGFW

Cisco Firepower™ NGFW


Application Visibility & Control
Provide next-generation visibility into app usage

See and understand risks
Enforce granular access control
Prioritize traffic and limit rates
Create detectors for custom apps

[Diagram labels: OpenAppID; Cisco database (4,000+ pre-defined apps); Network & users; Prioritize traffic]


OpenAppID - Crowdsourcing Application Detection
Extend AVC to proprietary and custom apps

Easily customize application detectors
Detect custom and proprietary applications
Share detectors with other users

Open-Source
Self-Service


TLS/SSL decryption engine
Uncover hidden threats at the edge

Decrypt traffic in hardware and software
Inspect deciphered packets
Track and log all TLS sessions

[Diagram labels: Encrypted Traffic; TLS decryption engine; AVC; NGIPS; Enforcement decisions; Log; gambling; elicit]


Visibility Provides Context


Automate operations to save time, reduce complexity, and work smarter


Save time and work smarter with NGFW automation

• Automated policy application and enforcement frees up time so you can focus on high priority items

• Automatic IPS tuning blocks more threats and reduces the volume of alerts

• Prioritized threat alerts show you where to focus on what matters

Automate operations to save time, reduce complexity, and work smarter


Effective security requires an integrated approach with a Cisco firewall at its foundation

Firewall: Firepower NGFW / Meraki MX

Tetration

Web Security

Email Security

Secure SD-WAN / Router: ISR • CSR • ASR • vEDGE • Meraki MX

Identity Services Engine (ISE) + pxGRID

Umbrella + INVESTIGATE

Digital Network Architecture: CATALYST • NEXUS • MERAKI MS; AIRONET/WLC • MERAKI MR

Cloudlock

AMP for Endpoints & Threat Grid


Identity Services Engine (ISE)
Ensure compliance before granting access

Set access control policies
Propagate rules and context
Remediate breaches automatically

Propagate
• User Context
• Device Profile
• Access Policies

Tags: Employee Tag, Supplier Tag, Server Tag, Guest Tag, Quarantine Tag, Suspicious Tag

[Diagram labels: TrustSec; pxGrid; ISE; Policy automation; Establish a secure network; Management Console; BYOD; Guest Access; Segmentation]


Cisco Threat Intelligence Director
Integrate third-party security intelligence

Ingest Security Intelligence
Generate Rich Incident Reports
Correlate Observations
Refine Security Posture

Cisco Security Sensors
• Firepower NGFW
• FirePOWER NGIPS
• AMP

[Diagram labels: Firepower Management Center; Threat Intelligence Director; Ingest Observables; CSV; Events]


Device APIs and Events - Scale and Efficiency

[Diagram labels: CDO; API; FTD; Automation scripts; SIEM; Homegrown or 3rd party tools; Event connector; FDM; Connection, Security, AAA; Management; Eventing; CLI; FMC; Syslog servers; New]


Secure workloads consistently across the data center and public cloud

[Diagram labels: Private; Public; Internet; Internet users; Internet users accessing IaaS resources using translated IPs; Corporate users; Security Operations Center (SOC); 3rd party management tools (via REST-API); Corporate data center; Firepower Management Center; IaaS; IaaS vendor management console; VPC; NGFWv; NGIPS, AVC, AMP; VPN; Access Control; Subnet 1; Subnet 2; Web Applications]


Remote and site-to-site VPN
Extend security to remote users and branches

Extend access remotely
Protect important data
Maintain application performance
Support multiple sites

AnyConnect

IKEv2 support

Third-party VPN


Firepower DDoS Mitigation
Available on the Firepower 9300 and 4100 series appliances.

Prevent network and application downtime

Stop attacks within seconds of detection
Block or allow traffic automatically
Maintain up to 42 Gbps total mitigation capacity
Handle 627,000 connections per second
Block 5,400,000 packets of flood traffic per second

[Diagram labels: SYN flood attacks; DDoS attacks; Nonstandard packet attacks; Flood traffic; Legitimate traffic; Cloud scrubber; Network and applications]


Cisco Firepower NGFW Deployment & Management Options


Cisco has an NGFW solution for every business…

Small and Midsized Business Midrange Enterprise

ASA 5525-X / ASA 5545-X / ASA 5555-X

Firepower 2130/2140

Firepower 2110/2120

ASA 5506-X / 5506W-X / 5506H-X / 5508-X / 5516-X

Firepower 4110/4120/4140/4150

Firepower 9300

NGFWs for SMBs and distributed enterprises with integrated threat defense, a low TCO, and simplified security management.

Enterprise-class security for the internet edge, with superior threat defense, sustained performance, and simple management.

From the internet edge to carrier grade security for data centers and other high-performance settings, with multiservice security, flexible architecture, and unified management.


Virtual and Cloud Solutions

Firewall

AVC

NGIPS

AMP

URL

VPN (IPSEC and SSL)

Managed by FMC and FDM


Firewall deployment modes
Pick from many deployment modes

Inline or Passive
Fail-to-wire NetMods
Additional options

[Diagram labels: NetMod; Virtual or Physical; Routed; Transparent; Inline; Inline Tap; Passive]

Available on 2100, 4100 and 9300


Firewall Clustering
Deliver scalable performance across many sites

Link Scalability Distributed Plan Inter-site Clustering

Increase throughput
Handle more connections
Combine multiple individual firewalls and manage as one

Location A
Location B


Multi-Instance for true Multi-Tenancy

• Firepower 4100 and 9300 only

• Instantiate multiple logical devices on a single module or appliance

• Complete traffic processing and management separation

• CPU/memory/disk resources are dedicated to an instance at provisioning

• Physical and logical interface and VLAN separation at Supervisor

Firepower 4100 or Firepower 9300 module

FTD Instance A: 4 CPU
FTD Instance B: 2 CPU
FTD Instance C: 12 CPU
FTD Instance D: 4 CPU
ASA Instance A (Future): 12 CPU

Interfaces: Ethernet1/1-3, Ethernet1/4-5, Port-Channel1.100-101, Port-Channel1.101-102, Port-Channel2

New


Flow Offload


New


Management Options

Cisco Defense Orchestrator (CDO): Cloud-based
Enables cloud-based policy management of multiple deployments

Firepower Management Center (FMC): Centralized
Enables comprehensive security administration and automation of multiple appliances

Firepower Device Manager (FDM): On-box
Enables easy on-box management of common security and policy tasks

New


Firepower Management Center (FMC)
Centralized management for multi-site deployments

Manage across many sites
Control access and set policies
Investigate incidents
Prioritize response

Multi-domain management

Role-based access control

High availability

APIs and pxGrid integration

NGIPS

Firewall & AVC

AMP

Security Intelligence

…Available in physical and virtual options


Firepower Device Manager (FDM) New
Integrated on-box option for single instance deployment

Set up easily
Control access and set policies
Automate Configuration
Enhanced Control

Physical and virtual options
Easy set-up
NAT and Routing
Role-based access control
Intrusion and Malware prevention
High availability
Device monitoring
VPN support


Cisco Defense Orchestrator (CDO) New
Simplify security policy management in the cloud with Cisco Defense Orchestrator

Plan and model security policy changes before deploying them across the cloud

Deploy changes across virtual environments in real time or offline

Receive notifications about any unplanned changes to security policies and objects

• Import From Offline

• Discover Direct From Device

[Diagram labels: Device Onboarding; Object & Policy Analysis; Application, URL, Malware & Threat Policy Management; Change Impact Modeling; Security Templates; Security; Reports; Notifications; Simple Search-Based Management; Security Policy Management]


Address modern security needs and challenges


With eight business-critical use cases

• Campus NGFW
• Internet Edge
• Cloud Data Center Edge
• Local Data Center Edge
• Acceptable Use
• ACI Integration
• Complex remote access
• Rapid Threat Containment


Extend secure access to other locations

I want to…
Stop threats from getting in by extending secure access to all users.

Firewall Highlights
• High bandwidth
• High availability
• Hardware and virtual options

[Diagram labels: Branch WAN and Remote Users; Internet; Headquarters; Distributed Enterprise; Branch; Remote user; Firewall; VPN; AVC; NGIPS; SSL Decryption Engine; Security feeds (URL | IP | DNS); Allow / Block]


Defend the network with Rapid Threat Containment

I want to…
Isolate compromised resources quickly before the problem grows.

Receive alert of intrusion event
Issue quarantine command

[Diagram labels: Firepower Management Center; ISE; pxGrid; Alerts; Automatic Isolation; TrustSec; Employee Tag; Supplier Tag; Guest Tag; Quarantine Tag]


Migration


Migration Options

FMC Based Migration

API Based Firepower Migration Tool

New


API Based ASA To FTD Migration

Independent from FMC
• Takes away the pain of installing another FMC for migration
• Independent Windows executable
• Independent releases with enhancements and bug fixes

REST API based
• Supports migration of features supported in FMC REST API
• Will support migration to FDM in the future
• Scalable

Improved Workflow and reporting
• Ability to edit the configuration being migrated
• Pre and post migration reports
• Live running logs, graceful error handling and resume from failure
• Object conflict detection and resolution


API Based Firepower Migration Tool
Easy Deployment

• 55xx, 2100, 4100, 9300, and Virtual
• FMC 6.2.3+ and beyond

[Diagram labels: Windows Executable; Chrome Browser; 5585-X; FP4100; Import; Reimage to FTD; .cfg/.txt; API]


Deploy security in multiple environments flexibly with NGFW

Flexible licensing model

Open architecture

Consolidated security posturing

Consistent security efficacy

APIs and automation


Key Features of the 6.3 Release

• Extending deployment opportunities
• Multi-Instance
• Air-gapped licensing
• Unified Eventing and Contextual Cross-launch
• New Network Modules
• ISA 3000 FTD enhancements
• On-box Firepower Device Manager (FDM) HA
• Additional FDM enhancements
• TLS in Hardware for the 2100
• CoA for RA VPN
• FQDN based network objects
• New migration tool
• Other Enhancements
• Dynamic Flow Offload
• Clustering enhancements
• Backup and restore for RMA
• Snort restart improvements
• FMC REST API enhancements


Next steps

1. Learn more about what Firepower NGFW can do for you at https://cisco.com/go/ngfw

2. Schedule a demo today for a hands-on experience at https://dcloud.cisco.com

3. Set up a POV to see how it can improve your network. Contact your local Cisco security representative


Thank You!
