Luc Billot
Cyber Security Technical Architect - Cisco
April 2019
Anticipate, block, and respond to threats
Next Generation Firewall
© 2019 Cisco and/or its affiliates. All rights reserved.
Why Cisco Bought Sourcefire?
It is a $2.7 billion question…
• SNORT
• VRT
• Immunet
• ClamAV
• FirePower
• FireSight
Security is an Integration Game
Components in the integration diagram:
• NGIPS
• NGFW
• Firepower Management Center
• ISE
• AMP for Endpoints
• AMP
• Threat Grid data
• Stealthwatch
• Web Security
• Umbrella
• Email Security
• DNS
• Logging / SIEM
• Orchestration
• Investigate
• Tetration
• AD
• 3rd Party Vulnerability Data
• 3rd Party Threat Intelligence
Integration paths shown: API transaction, identity from ISE, sending data to the SIEM
Products & Intelligence
Talos is the intelligence backbone for all Cisco Security Products and Services.
Products and the detection services Talos feeds them:
• Email: ESA | ClamAV, SpamCop, SenderBase
  Detection services: email reputation; malware protection; URL, domain and IP reputation; phishing protection; spam detection
• Open Source: Snort rules, ClamAV signatures, ClamAV
  Detection services: vulnerability protection; malware protection; policy & control
• End Point: AMP, ClamAV
  Detection services: cloud and end point IOCs; malware protection; IP reputation
• Cloud: OpenDNS, CES
  Detection services: URL, domain and IP reputation; malware protection; AVC
• Web: WSA
  Detection services: URL, domain and IP reputation; malware protection; AVC
• Network: FirePower/ASA, ISR, Meraki
  Detection services: policy & control; malware protection; URL, domain and IP reputation; vulnerability protection
• Services: ATA, IR
  Detection services: cloud and end point IOCs; malware protection; URL, domain and IP reputation; vulnerability protection; custom protection
• Intelligence: ThreatGrid
  Detection services: cloud and end point IOCs; malware protection; URL, domain and IP reputation; network protection
Protection against NotPetya (June 2017), WannaCry (May 2017) and VPNFilter (May 2018), by product:
• AMP
• CWS (N/A)
• Firewall
• Threat Grid
• Umbrella (N/A)
• WSA (N/A)
Cisco Firewalls have you covered
Automatic Threat Prevention
Security Intelligence, URL Filtering, DNS Sinkhole
Block or allow access to URLs and domains
• Classify 280M+ URLs
• Filter sites using 80+ categories
• Manage Acceptable Use Policy
• Block latest malicious URLs
Diagram: the admin creates category-based policy (allow / block); security feeds (URL | IP | DNS) drive NGFW filtering (block / allow) and the DNS sinkhole; Safe Search; example blocked category: gambling
Next-Generation Intrusion Prevention System (NGIPS)
Understand threat details and quickly respond
Diagram: data packets, communications, and app & device data are scanned; blended threats include:
• Network profiling
• Phishing attacks
• Innocuous payloads
• Infrequent callouts
Steps: scan network traffic, correlate data, detect stealthy threats, respond based on priority (accept / block, prioritize response, automate policies with ISE)
Automated Impact Assessment
Correlates all intrusion events to an impact of the attack against the target

Impact Flag | Administrator Action | Why
1 | Act immediately; vulnerable | Event corresponds to vulnerability mapped to host
2 | Investigate; potentially vulnerable | Relevant port open or protocol in use, but no vulnerability mapped
3 | Good to know; currently not vulnerable | Relevant port not open or protocol not in use
4 | Good to know; unknown target | Monitored network, but unknown host
0 | Good to know; unknown network | Unmonitored network
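The impact-flag logic from the table above, as an added Python example (this is not Cisco code and not how the Firepower Management Center implements it). It assumes a constructed host profile per monitored host (open ports, protocols in use, vulnerability ids mapped to the host), a list of monitored networks, and intrusion events that carry the vulnerability ids their rule covers; the event and host data below are constructed sample values. It assigns each event a flag from 0 to 4, handles port-less protocols such as ICMP via the "protocol in use" branch, and triages the events with flag 1 first.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Administrator guidance per impact flag, as listed in the table above.
ACTIONS = {
    1: "Act immediately; vulnerable",
    2: "Investigate; potentially vulnerable",
    3: "Good to know; currently not vulnerable",
    4: "Good to know; unknown target",
    0: "Good to know; unknown network",
}

# Triage order: flag 1 is handled first, flag 0 last.
PRIORITY = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


@dataclass
class HostProfile:
    """What passive discovery knows about one monitored host (constructed data)."""
    ip: str
    open_ports: set = field(default_factory=set)   # {("tcp", 445), ...}
    protocols: set = field(default_factory=set)    # {"icmp", ...} for port-less protocols
    vulns: set = field(default_factory=set)        # vulnerability ids mapped to the host


@dataclass
class IntrusionEvent:
    """One IPS event: target, transport, and the vulnerabilities the rule covers."""
    sid: int
    dst_ip: str
    proto: str
    dst_port: Optional[int]           # None for port-less protocols such as ICMP
    vuln_ids: frozenset = frozenset()


def impact_flag(event, monitored, hosts):
    """Assign the impact flag (0-4) for one event against the host database."""
    target = ipaddress.ip_address(event.dst_ip)
    if not any(target in net for net in monitored):
        return 0                       # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                       # monitored network, but host never seen
    if host.vulns & event.vuln_ids:
        return 1                       # a vulnerability the rule covers is mapped to the host
    if event.dst_port is None:
        in_use = event.proto in host.protocols           # protocol in use?
    else:
        in_use = (event.proto, event.dst_port) in host.open_ports  # port open?
    return 2 if in_use else 3


def triage(events, monitored, hosts):
    """Return (flag, action, event) tuples, highest priority first."""
    rows = [(impact_flag(e, monitored, hosts), e) for e in events]
    rows.sort(key=lambda r: (PRIORITY[r[0]], r[1].sid))
    return [(flag, ACTIONS[flag], e) for flag, e in rows]


# Constructed sample data: one monitored range, two profiled hosts, six events.
MONITORED = [ipaddress.ip_network("10.0.0.0/8")]
HOSTS = {
    "10.0.1.10": HostProfile("10.0.1.10", {("tcp", 445), ("tcp", 80)}, {"icmp"}, {"VULN-A"}),
    "10.0.1.20": HostProfile("10.0.1.20", {("tcp", 22)}, set(), set()),
}
EVENTS = [
    IntrusionEvent(1, "10.0.1.10", "tcp", 445, frozenset({"VULN-A"})),  # vuln mapped -> 1
    IntrusionEvent(2, "10.0.1.20", "tcp", 445, frozenset({"VULN-A"})),  # port closed -> 3
    IntrusionEvent(3, "10.0.1.20", "tcp", 22, frozenset({"VULN-B"})),   # port open, no vuln -> 2
    IntrusionEvent(4, "10.0.1.99", "tcp", 80, frozenset()),             # unknown host -> 4
    IntrusionEvent(5, "192.168.5.5", "tcp", 80, frozenset()),           # unmonitored -> 0
    IntrusionEvent(6, "10.0.1.10", "icmp", None, frozenset({"VULN-C"})),  # protocol in use -> 2
]

if __name__ == "__main__":
    for flag, action, ev in triage(EVENTS, MONITORED, HOSTS):
        print(f"impact {flag}: sid {ev.sid} -> {ev.dst_ip}: {action}")
```

The order of the checks matters: a host with a mapped vulnerability gets flag 1 even if the targeted port happens to be closed today, which matches the table (the vulnerability mapping, not the port state, drives the "act immediately" call), while a host that was never profiled cannot be rated below 4 no matter what the event says.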
Indications of Compromise (IoCs): Detection & Threat Correlation
• IPS events: malware backdoors, CnC connections, exploit kits, admin privilege escalations, web app attacks
• Security Intelligence events: connections to known CnC IPs, DNS servers, suspect URLs
• Malware events: malware detections, malware executions, Office/PDF/Java compromises, dropper infections
Firepower Recommendations: Knows what I do not

Advanced Malware Protection (AMP)
Uncover hidden threats in the environment
• Breadth and control points: Web (WWW), Endpoints, Network, Email, Devices, IPS
• Telemetry stream: file fingerprint and metadata, process information, file and network I/O
• Continuous feed and continuous analysis, backed by Talos + Threat Grid intelligence
• Outputs: trajectory, behavioral indications of compromise, threat hunting, retrospective detection
AMP in Action
• Who: focus on these users first
• What: these applications are affected
• Where: the breach impacted these areas
• When: this is the scope of exposure over time
• How: here is the origin and progression of the threat
Network and Endpoint Correlation in Firepower Management Center
The results speak for themselves
• 4.6 hours: median time to detection with Cisco security*
• Weeks: industry average time to detection
* Source: Cisco 2018 Annual Cybersecurity Report
Network and Security Visibility and Analysis
See more and detect threats faster
• Visibility into threat activity across users, hosts, networks, and infrastructure
• Network file trajectory maps how hosts transfer files, including malware files, across your network to scope an attack, set outbreak controls, and identify the source of the threat
• Centralized management provides contextual threat analysis and reporting, with consolidated visibility into security and network operations
More visibility equals faster time to detection
“You can’t protect against what you can’t see”
Gain more insight with increased visibility
Visibility comparison of a typical IPS, a typical NGFW and the Cisco Firepower™ NGFW across: threats, users, web applications, application protocols, file transfers, malware, command and control servers, client applications, operating systems, routers and switches, network servers, mobile devices, printers, VoIP phones
OpenAppID
Application Visibility & Control
Provide next-generation visibility into app usage
• See and understand risks
• Enforce granular access control
• Prioritize traffic and limit rates
• Create detectors for custom apps
Diagram: Cisco database of 4,000+ pre-defined apps applied to network & users, then traffic prioritized

OpenAppID - Crowdsourcing Application Detection
Extend AVC to proprietary and custom apps
• Easily customize application detectors
• Detect custom and proprietary applications
• Share detectors with other users
Open-source, self-service
TLS/SSL decryption engine
Decrypt traffic in hardware and software
Uncover hidden threats at the edge
• Inspect deciphered packets
• Track and log all TLS sessions
Diagram: encrypted traffic enters the TLS decryption engine; deciphered packets pass through AVC and NGIPS; enforcement decisions (for example blocking the gambling and illicit categories) are logged
Visibility Provides Context
Detailed Threat Analytics
Customizable Monitoring and Reporting
Closing
Products: https://www.cisco.com/c/en/us/products/security/firewalls/index.html#~products

Cisco Firepower® 2100 Series
• Internet edge to small data center environments. Better security, more visibility
• Firewall throughput and sustained performance with threat inspection from 2.0 to 8.5 gigabytes
• Stateful firewall, AVC, NGIPS, AMP, URL filtering

Cisco Firepower 4100 Series
• Internet edge, high-performance enterprise environments
• Firewall throughput and threat inspection from 20 to 60 gigabytes
• Stateful firewall, AVC, NGIPS, AMP, URL filtering, DDoS (Radware vDP)

Cisco Firepower 9300 Security Appliance
• Service provider, data center
• Firewall throughput up to 225 gigabytes and threat inspection up to 90 gigabytes
• Firewall, AVC, NGIPS, AMP, URL filtering, DDoS (Radware vDP)

To learn more, visit Cisco Next-Generation Firewalls
Virtual and Cloud Solutions
• Firewall
• AVC
• NGIPS
• AMP
• URL
• VPN (IPsec and SSL)
Managed by FMC and FDM