next generation security

The Internet of Everything is changing Everything

Upload: cisco-greece

Post on 06-Aug-2015


Category:

Technology



TRANSCRIPT

Page 1: Next Generation Security

The Internet of Everything is changing Everything

Page 2: Next Generation Security

Next Generation Security

John Tzortzakakis

Security Solutions Architect, Security Business Group

November 2014

Page 3: Next Generation Security

Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

Threat Landscape evolution

• 100% of companies connect to domains that host malicious files or services
• 54% of breaches remain undiscovered for months
• 60% of data is stolen in hours
• It is a Community that hides in plain sight, avoids detection and attacks swiftly

Page 4: Next Generation Security

‘Defense-in-Depth’ Security Alone is Not Enough

• Poor Visibility: Undetected multivector and advanced threats
• Siloed Approach: Increased complexity and reduced effectiveness
• Manual and Static: Slow, manual, inefficient response

Page 5: Next Generation Security

Building a Threat-Centric Cisco Security Architecture

Attack Continuum

• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

Page 6: Next Generation Security

Building a Threat-Centric Cisco Security Architecture

Attack Continuum

• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

Solutions: NGFW, Secure Access + Identity Services, VPN, UTM, NGIPS, Web Security, Email Security, Advanced Malware Protection, Network Behavior Analysis, Sandboxing, TrustSec

Security Intelligence and Services

Visibility - Automation - Management

Page 7: Next Generation Security

Security is more than Application Control

Application Detection is NOT Security

Focus on the Apps… But miss the threat…

Legacy NGFWs can reduce attack surface area but advanced malware often evades security controls.

Page 8: Next Generation Security

Cisco’s Next Generation Security Offerings

FirePOWER NGIPS

• Best-of-Breed NGIPS for Advanced Threat Protection
• Scalability up to 60Gbps+
• Application and Identity Aware
• Lower TCO Through Automation

Cisco NGFW: ASA w/ FirePOWER Services

• Only threat-focused NGFW to cover full attack continuum
• Available on existing ASA-x platforms
• Integrated NGIPS + AMP
• Ultra-Granular Policies: App, Identity, Risk, Business Relevance

Embedded Advanced Malware Prevention (AMP)

• Class-leading advanced malware solution
• File reputation and sandboxing
• Malware Forensics reports
• Malware and file Retrospection
• Cisco AMP Everywhere ensures pervasive coverage

Flexible Deployment: Appliance, Virtual, Cloud

Common Technology across all offerings

Page 9: Next Generation Security

Introducing Industry’s First Adaptive Threat-Focused NGFW

#1 Cisco Security announcement of the year!

Cisco ASA with FirePOWER Services

Proven Cisco ASA firewalling + Industry leading NGIPS and AMP

Page 10: Next Generation Security


Cisco Adaptive Security Appliance (ASA)

► Built upon 15 years of security innovation

► Widely deployed stateful firewall in Enterprise networks

► Class-leading AnyConnect® VPN

► Network-wide identity and device access policy

► Multiple form factors (Physical & Virtual)

► Ready for Next Generation Networks like Software Defined Networks (SDN), Application Centric Infrastructure (ACI), NFV architectures and Open APIs.

ASA Platform

World’s most proven Stateful inspection firewall

Page 11: Next Generation Security

Cisco ASA with FirePOWER Services: Industry’s First Adaptive, Threat-Focused NGFW

Features

► Cisco® ASA firewalling combined with Sourcefire® next-generation IPS

► Integrated threat defense over the entire attack continuum

► Best-in-class security intelligence, application visibility and control (AVC), and URL filtering

Benefits

► Superior, multilayered threat protection

► Unprecedented network visibility

► Advanced malware protection

► Reduced cost and complexity

Page 12: Next Generation Security

Superior Integrated & Multilayered Protection

► Cisco ASA enterprise-class stateful firewall

► Granular Cisco® Application Visibility and Control (AVC)

► Industry-leading FirePOWER next-generation IPS (NGIPS)

► Reputation- and category-based URL filtering

► Advanced malware protection

Cisco ASA (diagram labels):

• Identity-Policy Control & VPN
• URL Filtering (Subscription)
• FireSIGHT Analytics & Automation
• Advanced Malware Protection (Subscription)
• Application Visibility & Control
• Network Firewall, Routing | Switching
• Clustering & High Availability
• Built-in Network Profiling
• Intrusion Prevention (Subscription)

Cisco Collective Security Intelligence Enabled

Page 13: Next Generation Security

Cisco ASA with FirePOWER Services: A New, Adaptive, Threat-Focused NGFW

• Superior Visibility: Full contextual awareness to eliminate gaps
• Integrated Threat Defense: Best-in-class, multilayered protection in a single device
• Automation: Simplified operations and dynamic response and remediation

Page 14: Next Generation Security

Unprecedented Network Visibility

Table: visibility categories compared across FirePOWER Services, Typical IPS and Typical NGFW (cell values not preserved in the transcript). Categories:

• Threats
• Users
• Web Applications
• Application Protocols
• File Transfers
• Malware
• Command & Control Servers
• Client Applications
• Network Servers
• Operating Systems
• Routers & Switches
• Mobile Devices
• Printers
• VoIP Phones
• Virtual Machines

Page 15: Next Generation Security

Cisco’s Information Superiority

Security Intelligence and Research Group

• 100TB Security Intelligence
• 100M Endpoints
• 93B Daily Email Messages
• 16B Daily Web Requests
• 180K Daily Malwares

Pervasive Enforcement

• ANY EDGE: Network, Internet, Email
• ANY WHERE: Private DC, Public DC, Cisco Cloud

Page 16: Next Generation Security

Indications of Compromise (IoCs)

• IPS Events: Malware Backdoors, CnC Connections, Exploit Kits, Admin Privilege Escalations, Web App Attacks
• SI Events: Connections to Known CnC IPs
• Malware Events: Malware Detections, Malware Executions, Office/PDF/Java Compromises, Dropper Infections

Page 17: Next Generation Security

Impact Assessment

Correlates all intrusion events to an impact of the attack against the target

| IMPACT FLAG | ADMINISTRATOR ACTION | WHY |
|---|---|---|
| 1 | Act Immediately, Vulnerable | Event corresponds to vulnerability mapped to host |
| 2 | Investigate, Potentially Vulnerable | Relevant port open or protocol in use, but no vuln mapped |
| 3 | Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use |
| 4 | Good to Know, Unknown Target | Monitored network, but unknown host |
| 0 | Good to Know, Unknown Network | Unmonitored network |
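
The decision order behind the impact flags on this slide can be written as a small triage routine. This is an added example, not code from the presentation or from Cisco; the `HostProfile` and `IntrusionEvent` records, the function names, the vulnerability label and the documentation-range IP addresses are all constructed assumptions.

```python
"""Impact-flag triage sketch following the slide's table (hypothetical names)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Flag -> administrator action, as listed on the slide.
ACTIONS = {
    1: "Act Immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to Know, Currently Not Vulnerable",
    4: "Good to Know, Unknown Target",
    0: "Good to Know, Unknown Network",
}
TRIAGE_ORDER = [1, 2, 3, 4, 0]  # order in which an analyst works the queue


@dataclass
class HostProfile:
    """Hypothetical network-map entry built from passive discovery."""
    services: set = field(default_factory=set)  # {(proto, port), ...}
    vulns: set = field(default_factory=set)     # vulnerability ids mapped to host


@dataclass
class IntrusionEvent:
    """Hypothetical intrusion event record."""
    rule: str
    dst_ip: str
    proto: str
    dst_port: int
    rule_vulns: frozenset = frozenset()  # vulnerabilities the rule relates to


def impact_flag(event, monitored_nets, network_map):
    """Return the impact flag (0-4) for one event against what is known of its target."""
    dst = ip_address(event.dst_ip)
    if not any(dst in ip_network(net) for net in monitored_nets):
        return 0  # unmonitored network
    host = network_map.get(event.dst_ip)
    if host is None:
        return 4  # monitored network, but unknown host
    if event.rule_vulns & host.vulns:
        return 1  # event corresponds to a vulnerability mapped to the host
    if (event.proto, event.dst_port) in host.services:
        return 2  # relevant port open / protocol in use, no vuln mapped
    return 3      # relevant port not open or protocol not in use


def triage(events, monitored_nets, network_map):
    """Flag every event and return rows sorted so flag 1 comes first, flag 0 last."""
    flagged = [(impact_flag(e, monitored_nets, network_map), e) for e in events]
    flagged.sort(key=lambda pair: TRIAGE_ORDER.index(pair[0]))
    return [(flag, ACTIONS[flag], e.rule, e.dst_ip) for flag, e in flagged]


# Constructed sample data (documentation address ranges, made-up vulnerability label).
MONITORED = ["192.0.2.0/24"]
NETWORK_MAP = {
    "192.0.2.10": HostProfile(services={("tcp", 80)}, vulns={"VULN-A"}),
    "192.0.2.20": HostProfile(services={("tcp", 80)}),
    "192.0.2.30": HostProfile(services={("tcp", 22)}),
}
_V = frozenset({"VULN-A"})
EVENTS = [
    IntrusionEvent("web-exploit", "192.0.2.30", "tcp", 80, _V),
    IntrusionEvent("web-exploit", "198.51.100.5", "tcp", 80, _V),
    IntrusionEvent("web-exploit", "192.0.2.99", "tcp", 80, _V),
    IntrusionEvent("web-exploit", "192.0.2.20", "tcp", 80, _V),
    IntrusionEvent("web-exploit", "192.0.2.10", "tcp", 80, _V),
]

if __name__ == "__main__":
    for row in triage(EVENTS, MONITORED, NETWORK_MAP):
        print(row)
```

The same rule firing against five targets yields five different flags, which is why the flag depends on the quality of the host inventory as much as on the signature.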

Page 18: Next Generation Security

AMP Provides Continuous Retrospective Security

• Breadth of Control Points: Web, Endpoints, Network, Email, Devices, IPS
• Telemetry Stream: File Fingerprint and Metadata; File and Network I/O; Process Information
• Continuous Feed
• Continuous Analysis

Page 19: Next Generation Security

Cisco FireSIGHT Management Center Demo


Page 20: Next Generation Security

Cisco FireSIGHT Management Center Demo: The Power of FireSIGHT

Page 21: Next Generation Security

Market Recognition

“So do any network security vendors understand data center and what’s needed to accommodate network security? Cisco certainly does.”

“Cisco is disrupting the advanced threat defense industry.”

“… AMP will be one of the most beneficial aspects of the [Sourcefire] acquisition.”

“Based on our (Breach Detection Systems) reports, Advanced Malware Protection from Cisco should be on everyone’s short list.”

2014 Vendor Rating for Security: Positive

The AMP products will provide deeper capability to Cisco's role in providing secure services for the Internet of Everything (IoE).

Page 22: Next Generation Security

Reduced Cost and Complexity

Chart: Annual Costs of IPS Maintenance, comparing Typical IPS with Next-Generation IPS for Impact Assessment of IPS Events, IPS Tuning, and Linking IPS Events to Users. Values shown: $144.000, $72.000, $59.400, $24.300, $18.000, $3.000.

Cisco’s FirePOWER Next-Generation IPS collectively saves this customer $230,100 per year.

Source: SANS

• Multilayered protection in a single device
• Highly scalable
• Automates security tasks: Impact assessment, Policy tuning, User identification
• Integrates with third-party security solutions

Page 23: Next Generation Security

Annual Benefits of Limiting the Impact of Malware Infections

Reduced time for:

• Security management: – 26.4%
• Address and remediate security breaches: – 78.2%
• Security audits: – 49.3%

IDC STAP Analysis (Specialized Threat Analysis and Protection products)

http://idcdocserv.com/251134

Page 24: Next Generation Security

Start with Best-of-breed Products

NSS Labs Testing – Sept, 2014

NEXT GENERATION FIREWALL COMPARATIVE ANALYSIS

Page 25: Next Generation Security

NSS Labs – Breach Detection Systems Security Value Map

Cisco Advanced Malware Protection (AMP) has the lowest TCO of any product tested. It is also a leader in security effectiveness, achieving detection of 99 percent of all tested attacks.

AMP excelled in time-to-detection, catching threats faster than competing Breach Detection Systems.

Source: NSS Labs 2014

Page 26: Next Generation Security

NSS Labs – Intrusion Prevention Systems Security Value Map

Products shown: Sourcefire Virtual IPS, Sourcefire 3D8120, Sourcefire 3D8250, Sourcefire 3D8260

Based on individual and comparative testing of vendors in the IPS market, Cisco* FirePOWER NGIPS leads the Security Value Map and provides the best protection possible while also leading the class in total cost of ownership.

* Formerly Sourcefire FirePOWER

Source: NSS Labs 2012

Page 27: Next Generation Security

2014 NSS Labs NGFW Security Value Map™

http://www.cisco.com/go/nssngfw2014

• Consistent, industry-leading security effectiveness
• Strong resistance to evasion
• High performance – above published throughput
• Competitive total cost of ownership

Page 28: Next Generation Security


Cisco ASA with FirePOWER Services

Base Hardware and Software

New ASA 5585-X Bundle SKUs with FirePOWER Services Module

New ASA 5500-X SKUs running FirePOWER Services Software

FirePOWER Services Spare Module/Blade for ASA 5585-X Series

Spare SSD SKU for upgrading existing ASA 5500-X

FirePOWER Services Software

Hardware includes Application Visibility and Control (AVC)

Management

FireSIGHT Management Center (HW Appliance or Virtual)

Cisco Security Manager (CSM) or ASDM

Support

SmartNET

Software Application Support plus Upgrades

Page 29: Next Generation Security

Five Subscription Packages to Choose From for Each Appliance

Diagram: “NGFW” Packages and “NGIPS” Packages, built from combinations of the URL, IPS and AMP subscriptions on top of Cisco ASA - Stateful Firewall Licenses.

• AVC is part of the default offering
• 1 & 3 year terms
• SMARTnet is ordered separately with the appliance

Page 30: Next Generation Security

Performance and Deployment Options

Page 31: Next Generation Security

Cisco ASA Multi-scale Performance

Security for the Internet Edge (Branch Locations; Small / Medium Internet Edge)

| Model | Max Throughput | Connections | CPS |
|---|---|---|---|
| ASA 5512-X | 1 Gbps | 100K | 10,000 |
| ASA 5515-X | 1.2 Gbps | 250K | 15,000 |
| ASA 5525-X | 2 Gbps | 500K | 20,000 |
| ASA 5545-X | 3 Gbps | 750K | 30,000 |
| ASA 5555-X | 4 Gbps | 1M | 50,000 |

Page 32: Next Generation Security

Cisco ASA Multi-scale Performance

Security for the Enterprise and Data Center (Enterprise Internet Edge and Data Center)

| Model | Max Throughput | Connections | CPS |
|---|---|---|---|
| ASA 5585-SSP10 | 4 Gbps | 1 Million | 50,000 |
| ASA 5585-SSP20 | 10 Gbps | 2 Million | 125,000 |
| ASA 5585-SSP40 | 20 Gbps | 4 Million | 200,000 |
| ASA 5585-SSP60 | 40 Gbps | 10 Million | 360,000 |

Page 33: Next Generation Security

Performance Impacts by Location

• Firewall maximum throughput numbers tend to be based on packet sizes that are not helpful for sizing (a UDP 1518 byte packet size is fairly common)
• IPS performance varies much more than firewall performance, partly because of the industry's choice of test traffic (TCP 440 byte HTTP is fairly common)

NGFW Performance Impact Factors

Direct

• Different traffic types
• Different average packet sizes

Indirect

• Physical placement
• Amount of traffic to be inspected
• Level of malicious traffic
• Level of analysis and logging

Multi-feature devices must somehow provide useful, accurate performance numbers

Page 34: Next Generation Security


Location Specific Traffic Profiles

– When deploying FirePOWER Services for ASA, the traffic profiles at the location can impact the performance of the device differently than standard test methods.

– Educational, ISP, and SMB protocol mixes have a slight impact

– Enterprise applications and Enterprise Datacenter have a greater impact

Page 35: Next Generation Security

FirePOWER Services for ASA Data Sheet

FirePOWER Services for ASA will include both a maximum throughput number as well as a TCP 440 Byte HTTP number more relevant for sizing.

| Model | 5512-X | 5515-X | 5525-X | 5545-X | 5555-X | 5585-10 | 5585-20 | 5585-40 | 5585-60 |
|---|---|---|---|---|---|---|---|---|---|
| Maximum Application Control Throughput in Mbps | 300 | 500 | 1100 | 1500 | 1750 | 4500 | 7000 | 10000 | 15000 |
| Maximum Application Control and IPS Throughput in Mbps | 150 | 250 | 650 | 1000 | 1250 | 2000 | 3500 | 6000 | 10000 |
| Application Control or IPS Sizing Throughput in Mbps (440 Byte HTTP) | 100 | 150 | 375 | 575 | 725 | 1200 | 2000 | 3500 | 6000 |

Page 36: Next Generation Security

FirePOWER Services vs. ASA Classic IPS

– IPS-only test comparing throughput of FirePOWER Services for ASA to the classic IPS only module.

– Tested using the same 440 byte HTTP Transactional test that was the benchmark for classic IPS.

| Model | 5512 | 5515 | 5525 | 5545 | 5555 | 5585-10 | 5585-20 | 5585-40 | 5585-60 |
|---|---|---|---|---|---|---|---|---|---|
| FirePOWER Services on ASA | 100 | 150 | 375 | 575 | 725 | 1200 | 2000 | 3500 | 6000 |
| Classic IPS on ASA | 150 | 250 | 400 | 600 | 850 | 1150 | 1500 | 3000 | 5000 |

Page 37: Next Generation Security

Upgrading from ASA Classic IPS to FirePOWER Services for ASA

When upgrading from classic IPS to FirePOWER services, adding new features can require a platform change. Generally each new major feature is a step up, assuming the box is near capacity.

| Model | 5512-X | 5515-X | 5525-X | 5545-X | 5555-X | 5585-10 | 5585-20 | 5585-40 | 5585-60 |
|---|---|---|---|---|---|---|---|---|---|
| Original IPS Module | 150 | 250 | 400 | 600 | 850 | 1150 | 1500 | 3000 | 5000 |
| FirePOWER IPS + AVC | 75 | 100 | 255 | 360 | 450 | 800 | 1200 | 2100 | 3500 |
| FirePOWER IPS + AVC + AMP | 60 | 85 | 205 | 310 | 340 | 550 | 850 | 1500 | 2300 |

Page 38: Next Generation Security


Investment Protection: Pay as you Grow Horizontal Scaling

FW MAX Throughput: 640 Gbps

FW+FirePOWER IPS Maximum Throughput: 160+ Gbps

FirePOWER IPS 440 Byte Throughput: 96 Gbps

Up to 16 ASA 5585-X Devices

Page 39: Next Generation Security

FirePOWER Services Support All Current ASA Deployment Models*

Multi-context mode for policy flexibility

• Each ASA interface appears as a separate interface to FirePOWER Services module
• Allows for granular policy enforcement on both ASA and FirePOWER services

Clustering for linear scalability

• Up to 16x ASA in cluster
• Eliminates asymmetrical traffic issues
• Each FirePOWER Services module inspects traffic independently

HA for increased redundancy

• Redundancy and state sharing (A/S & A/A pair)
• L2 and L3 designs

*State sharing does not occur between FirePOWER Services Modules

Page 40: Next Generation Security

Features - Packet Flow

Page 41: Next Generation Security

Functional Distribution of Features

ASA

• IP Fragmentation
• IP Option Inspection
• TCP Intercept
• TCP Normalization
• ACL
• NAT
• VPN Termination
• Routing
• *Botnet Traffic Filter

FirePOWER Services

• Advanced Malware Protection
• File Type filtering
• Application Visibility and Control
• NGIPS
• URL Category/Reputation
• File capture

Page 42: Next Generation Security

Packet Processing Order of Operations

– ASA Module processes all ingress packets against ACL, Connection tables, Normalization and CBAC before traffic is forwarded to the FirePOWER Services module

– ASA provides flow normalization and context-aware selection/filtering to the FirePOWER Services

– Clustered ASA provides flow symmetry and HA to the FirePOWER Services

– Packets and flows are not dropped by FirePOWER Services – Packets are marked for Drop or Drop with Reset and sent back to ASA

– This allows the ASA to clear the connection from the state tables and send resets if needed

[Diagram: ASA packet flow. Stage labels: RX Pkt, Ingress Interface, Existing Conn, NAT Rule, ACL Permit, MPF Inspection, Sec Checks, FirePOWER Services Module (Original IP, Session metadata), NAT IP Header, Egress Interface, L3 Route, L2 Addr, TX Pkt, with Yes/No decision branches and DROP outcomes.]

Page 43: Next Generation Security

ASA 5585-X Data Port Utilization

ASA SSP processes all ingress and egress packets

– No packets are directly processed by FirePOWER SSP ports except for the FirePOWER SSP management port.

– ASA configures and controls the FirePOWER SSP data ports

[Diagram: ASA5585-X chassis with an SFR-SSP Module (CPU Complex, Fabric Switch, Signature Engine, Ports) and an ASA-SSP Module (CPU Complex, Fabric Switch, Mezzanine Slot, Ports).]

Page 44: Next Generation Security

ASA 5500-X Data Port Utilization

ASA OS processes all ingress and egress packets

– No packets are directly processed by FirePOWER Services

– Backplane communication between ASA and FirePOWER Services

– Traffic is dropped at ASA OS Level

[Diagram: ASA5500-X Mid-Range with SFR S/W Module, ASA KVM, Firewall Services, ASA OS, Memory Based Packet Rings, Ports.]

Page 45: Next Generation Security

Management

Page 46: Next Generation Security

Managing Cisco ASA FirePOWER Services

Two Managers with Cross-launch

• Cisco FireSIGHT Management Center. Models: 750, 1500, 3500, Virtual Appliance (Promo PID available)
• Cisco Security Manager (CSM) or ASDM. CSM version 4.7

Page 47: Next Generation Security

ASA Single Device Manager

• Device Dashboard
• Firewall Dashboard
• FireSIGHT*
• Traffic Reports

*Roadmap

Page 48: Next Generation Security

FirePOWER & FireSIGHT benefits

Enhanced Visibility

• 1,800+ Applications + stats
• File types, transfer direction/protocol
• Mobile Device type, OS, version
• Geolocation (country, postcode, time zone, lat/long., ISP, etc.)
• IPv6 address support throughout

Improved UI/Admin

• Visual Device Management
• Security and Network Admin Roles
• Admin Role Editor

Dashboards/Reporting

• Customizable Widgets
• Graphical Reports – Report Creator

Page 49: Next Generation Security


FirePOWER & FireSIGHT benefits

• Expanded Controls

Application Control on NGIPS

URL Filtering

File Blocking

Security Intelligence / IP Blacklisting

Geolocation Blocking (in v5.3)

• Security Automation

Impact Assessment

Recommended Rules

• Advanced Malware Protection

Network File Trajectory

Network Malware Blocking

Page 50: Next Generation Security

FireSIGHT Management Center Models

| | 750 | 1500 | 2000 | 3500 | 4000 | Virtual |
|---|---|---|---|---|---|---|
| Max. Devices Managed* | 10 | 35 | 70 | 150 | 300 | Virtual FireSIGHT Management Center: Up to 25 Managed Devices |
| Event Storage | 100 GB | 125 GB | 1.8 TB | 400 GB | 4.8/6.3 TB | |
| Max. Network Map (hosts / users) | 2K/2K | 50K/50K | 150K/150K | 300K/300K | 600K/600K | |
| Events per Sec (EPS) | 2000 | 6000 | 12000 | 10000 | 20000 | |

Virtual FireSIGHT Management Center offerings limited to 2 or 10 Managed Devices: FS-VMW-2-SW-K9, FS-VMW-10-SW-K9

* Max number of devices is dependent upon sensor type and event rate

Page 51: Next Generation Security

Cisco Security Manager: Multi-Device Management

Centralized, Unified and comprehensive Firewall, VPN and IPS management

• Device View
• Policy View
• Map View
• Event View
• Report View

Page 52: Next Generation Security

Cisco Security Manager At-a-Glance

• Policy: Comprehensive Policy Management for FW, VPN & IPS on heterogeneous devices (ASA, Cisco classic IPS, FWSM, PIX, ISR/ASR)
• Log: Log Management – Firewall (Syslogs) and Cisco classic IPS (SDEE) events
• Network Health: Health & Performance Monitoring for ASA and Cisco classic IPS
• Reports: Reports for Firewall and Cisco classic IPS Devices
• Image: Image Management for ASA and Cisco classic IPS
• API: API for Policy Access

Supports hundreds of devices in a single deployment

Windows Based: Appliance Form factor and also available as a Software Installable

Page 53: Next Generation Security

FireSIGHT Management Center Cross-launch Menu

CSM Client to FMC WEB UI

Crosslaunches directly to FMC without prompting for login and navigates to dashboard of device in context

Page 54: Next Generation Security

Enhance with Cisco Security Services

• Advisory: Custom Threat Intelligence, Technical Security Assessments
• Integration: Integration Services, Security Optimization Services
• Managed: Managed Threat Defense, Remote Managed Services

Page 55: Next Generation Security

Cisco Services Portfolio

• Managed Security
• Hosted Security
• Product Support
• Deployment
• Migration
• Optimization
• Program Strategy
• Architecture and Design
• Assessments

Page 56: Next Generation Security

FirePOWER Services New Capabilities

• 3rd Party Response
• Forensics
• Threat Summary
• Execution Reports
• Save File Content
• Policy Control
• Safe Retrieval
• File Detection
• Custom Apps
• SHA256
• Dynamic Analysis
• File Threat Scores
• Block by Threat Score
• Block Source
• Block Destination
• Country
• Continent
• Prioritize Response
• Discover infected hosts
• Correlates data from all engines
• Endpoint and Network working together

Page 57: Next Generation Security

Thank you