Best Security and deployment strategies SMB NGFW deployment

Size: px

Start display at page:

Download "Best Security and deployment strategies SMB NGFW deployment"

Theodore Robinson
6 years ago
Views:

2 Best Security and deployment strategies SMB NGFW deployment Anant Mathur, Manager Technical Marketing

Install Spark or go directly to the space 4.

3 Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space Cisco Spark spaces will be available until July 3, cs.co/ciscolivebot# 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

4 SESSION ID SESSION DESCRIPTION SPEAKER BRKSEC-1020 Cisco Firewall Basics Mark Cairns BRKSEC-2020 Firepower NGFW Deployment in Data Center and Enterprise Steve Chimes Best Security and deployment strategies SMB NGFW Deployment Anant Mathur BRKSEC-2050 Firepower NGFW Internet Edge Deployment Scenarios Jeff Fanelli BRKSEC-2058 A Deep Dive into using Firepower Manager Will Young BRKSEC-2064 NGFWv and ASAv in Public Cloud (AWS and Azure) Anubhav Swami BRKSEC-2501 Deploying AnyConnect SSL VPN with ASA and FTD Hakan Nohre BRKSEC-3020 NGFW Clustering Deep Dive Kevin Klous BRKSEC-3035 Firepower Platforms Deep Dive Andrew Ossipov BRKSEC-3300 Advanced IPS Deployment Gary Halleen BRKSEC-3455 Dissecting Firepower NGFW Installation & Troubleshooting Veronika Klauzova 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 4

5 Agenda Types of security threats and attacks in SMB Technologies used to mitigate and stop attacks Best practices to a use security technologies with Cisco NGFW for SMB And how to choose right NGFW for your requirement.

6 How we define SMB?

7 What is SMB SMB often refers to companies with less than 100 employees, while mediumsized business often refers to those with less than 500 employees. Cisco defines SMB pretty much along the lines of the EU definition Gartner definition Small Organizations have less than 100 employees and Medium Organizations have employees between 100 and 1000 Small Organizations have revenue less than $50 m and Medium Organizations have revenue less than $ 1billion 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

8 News SMBs have not historically been the target of cybercrime but in 2015 something drastically changed The latest Government Security Breaches Survey found that nearly 74% of small organization reported security breach in About half of all cyberattacks target small businesses Cyber Attacks on Small Businesses on the Rise Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 Why SMBs 90% Admins in SMB are not security experts Lack in Security Infrastructure Lack of Security knowledge Constraint by budget and resources Compromise on security for network performance 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 9

11 Common Attacks in SMB

12 Client Side Attacks Bob receives an from what appears to be a legitimate user in your network. The explains it is important for you to visit the new customer service link for your organization. You click on the link and are presented with a web site appearing to be legitimate (malicious web sites are pretty easy to make look legitimate). At this point your system may have already been exploited and the attacker has access to your operating system. How you ask? 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 Client Side attacks Client machines running software like PDF, MS Office etc.. might be vulnerable to exploits Use bait the user techniques. Piggy back on Social Media requests Tools and techniques to execute these are getting better day by day Vulnerable software (due to lack of upgrades and patches) Buffer Overflow Session Hijacking SQL Injections Cross Site Scripting 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

Fake Apps try to connect to CNC server, Open remote shell to the server.

14 Fake App Attacks Attackers are using fake applications to bait the user. There can be fake AV applications, ex Fake AV Website 32. Fake Apps try to connect to CNC server, Open remote shell to the server. Mobile platforms are susceptible to such kind of attacks 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 14

Virus A computer virus is a program or piece of code that is loaded onto your computer without your knowledge or permission Viruses are usually hidden in a commonly used program, such as a game or

15 Virus A computer virus is a program or piece of code that is loaded onto your computer without your knowledge or permission Viruses are usually hidden in a commonly used program, such as a game or PDF viewer, or you may receive an infected file attached to an or from another file you downloaded from the Internet ILoveYou, Code Red etc.. are known viruses Virus is a legacy code, not used by hackers/attackers a lot Cisco and/or its affiliates. All rights reserved. Cisco Public 15

Malware Malware is a malicious software that is specifically designed to gain or damage computer and information asset without knowledge of the owner Malware are highly sophisticated behavior based

16 Malware Malware is a malicious software that is specifically designed to gain or damage computer and information asset without knowledge of the owner Malware are highly sophisticated behavior based attacks. Files, Software downloaded from the internet usually carries malware Malwares are binary code that cannot be inspected static tools Malware examples Virus Adware Spyware Botnets 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 16

18 Security Technologies

19 Intrusion Prevention System (IPS) Stops attacks like DOS Exploits (buffer Overflow, session high jacking, Cross site scripting, etc...) Worms Virus Signature based engine that sniff packets to find abnormalities Signatures are regular expression that matches the pattern in the traffic. Classic IPS generates alerts based on signature match, result is enormous events. NGIPS is a game changer Cisco and/or its affiliates. All rights reserved. Cisco Public 19

Gateway Anti Virus Anti Virus are traditional way to fight against computer malware Anti virus are signature based, and sometimes combined with heuristic engine.

20 Gateway Anti Virus Anti Virus are traditional way to fight against computer malware Anti virus are signature based, and sometimes combined with heuristic engine. Use deep packet inspection to find tools used to exploit hosts. Cannot detect sophisticated Malwares 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 20

Protection against Malware Cannot be stopped by legacy Anti Virus, or IPS technologies There are many technologies that used to identify Malware.

21 Protection against Malware Cannot be stopped by legacy Anti Virus, or IPS technologies There are many technologies that used to identify Malware. Sandboxing, Reputation of network connection, IOC There is no silver bullet to kill the Malware SMBs/Branches are very much prone to Malware attack Cisco and/or its affiliates. All rights reserved. Cisco Public 21

Sandboxing Method to run executable code in isolated environment to analyze the behavior Sandbox runs the Malware in the isolated machines, and reads the behavior of the file installed.

22 Sandboxing Method to run executable code in isolated environment to analyze the behavior Sandbox runs the Malware in the isolated machines, and reads the behavior of the file installed. Based on the execution patterns it verdicts. These days Malwares are also very much aware of Sandbox Environment 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 Security Intelligence Assigns reputation to the IP and Domains. There are different levels of reputation. Saves lots of computational power on the box. Blocks bad domains, CnC servers Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 Access Control: Application Visibility and Control (AVC) Capabilities to control Applications and Microapplications. Reduces attack surface Improves business productivity Application visibility is like IPS, a deep packet inspection that looks for application patterns in the traffic 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 URL Filtering and Protection Method to block the web page based on reputation. Block URL and Categories to control business requirements Ex Adult Content, Gambling, Job portals etc.. Also reduce attack surface 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 25

26 Key Products covering Security Technology

Unified Threat Management Unified threat management (UTM) is a converged platform of point security products Typical set of AV, Web gateway security, Anti Spam, URL filtering, IPS, Firewall.

27 Unified Threat Management Unified threat management (UTM) is a converged platform of point security products Typical set of AV, Web gateway security, Anti Spam, URL filtering, IPS, Firewall. Though not very optimized to run all features. UTM is known for all feature convergence not for Security effectiveness. UTM solely compete on price 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 27

28 Next Generation Firewall Provide superior security with high detection rate Extends beyond policy enforcements Provides greater contextual data for use in policy decision NGIPS, Malware, Analytics, etc Cisco and/or its affiliates. All rights reserved. Cisco Public 28

30 Cisco Next Generation Firewall for SMB/Branch Office

VPN capabilities Desktop 5506-X Wireless AP 5506W-X Ruggedized 5506H-X Rackmount

31 Extend the value of your NGFW Start with the hardware option that fits best All with built-in Application Visibility and Control (AVC), network firewalling, and VPN capabilities Desktop 5506-X Wireless AP 5506W-X Ruggedized 5506H-X Rackmount 5508-X/5516-X 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 Offering extensive contextual visibility The more you see, the better you can protect Client applications Operating systems Threats Typical IPS User s Applicatio n protocols File transfers Web applications C & C Servers Malware Router and switches Mobile Devices Printers Typical NGFW Network Servers Cisco Firepower NGFW VOIP phones 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 32

33 Block or allow access to URLs and domains Web controls Filtering NGFW Security feeds URL IP DNS Safe Search Cisco URL Database gambling Allow Block Allow Block DNS Sinkhole Category-based Policy Creation Admin Classify 280M+ URLs Filter sites using 80+ categories Manage allow/block lists easily Block latest malicious URLs 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 33

34 Provide next-generation visibility into app usage Application Visibility & Control Cisco database 4,000+ apps 180,000+ Micro-apps 1 Network & users Unmapped 2 Prioritize traffic See and understand risks Enforce granular access control Prioritize traffic and limit rates Create detectors for custom apps 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 34

35 Understand threat details and quickly respond Next-Generation Intrusion Prevention System (NGIPS) App & Device Data ISE Blended threats 1 2 Prioritize response Automate policies Block Data packets Communications Network profiling Phishing attacks Innocuous payloads Infrequent callouts 3 Accept Scan network traffic Correlate data Detect stealthy threats Respond based on priority 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 35

36 Uncover hidden threats in the environment Advanced Malware Protection (AMP) File Engines c File & Device Trajectory AMP for Endpoint Log AMP for Network Log? Known Signatures Fuzzy Fingerprinting Indications of compromise Threat Grid Sandboxing Advanced Analytics Dynamic analysis Threat intelligence Threat Disposition Uncertain Safe Risky Sandbox Analysis Enforcement across all endpoints Block known malware Investigate files safely Detect new threats Respond to alerts 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 36

37 Get real-time protection against global threats Tales Threat Intelligence Security Coverage Research Response 1.5 million daily malware samples WWW Endpoints Web 250+ Researchers 600 billion daily messages Networks NGIPS Jan 24 x 7 x 365 Operations 16 billion daily web requests Devices Identify advanced threats Get specific intelligence Catch stealthy threats Stay protected with updates 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 37

38 Choosing the Right Manager

39 Firepower Device Manager & Firepower Management Center Designed for SMB customers Easy Deployment Single Device Manager Intuitive GUI Simplified User policies Contextual Visibility Extensive Eventing and Reporting Deeper configuration tunings Multi Device Manager Automation IOC, Impact Analysis 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 39

Quick Recommendation to choose right manager Centralized- FMC Local - FDM Multiple Device Deployment Tuning Security Policies like IPS rule tuning, Custom Signatures File

required Extensive Eventing and Reporting capabilities.

40 Quick Recommendation to choose right manager Centralized- FMC Local - FDM Multiple Device Deployment Tuning Security Policies like IPS rule tuning, Custom Signatures File Policy tuning to detect and block files, white listing, leverage engines like machine learning, Dynamic analysis, and visibility into patient zero Visibility into network is required Extensive Eventing and Reporting capabilities. Network Operation managing Security Rely on pre-canned profiles for IPS and File policies Wanted to block malware, not interested in advance inspection Rely on intuitive GUI and wizard to create policies Requirement is simplicity Cisco and/or its affiliates. All rights reserved. Cisco Public 40

41 Cisco Defense Orchestrator Defense Orchestrator Helps You Manage All of Your Security Policy Change management: Get visibility into the impact of change on affected security services and devices Change Impact Modeling Object and Policy Analysis Cisco Defense Orchestrator Auditing: Gain policy awareness and identify issues Security Policy Management Reports Device Onboarding Import from offline Discover directly from device Optimization: Adjust security policy rule sets to optimize performance OOB Notifications Monitoring: Track policy implementation and activity across all affected security services and devices 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 41

42 NGFW deployments using FDM

43 Basic NGFW deployment Internet/ Cloud Services Internet/ Cloud Services Inline or Passive Inline Inline Tap VPN, NAT, Routing, IPS, AMP, URL, AVC, Access Control etc IPS, AMP, Routing, URL, AVC, Access Control etc.. Passive Routed Mode Transparent Mode 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 43

Management Access list /var/log/firstboot.ngfw-onbox.

Integrated Routing and Bridging- Soft Switch 2017 Cisco

47 Bob, an IT admin of a small firms just bought 5506-X

48 Deploy the Box

Default device Setup 1. Connect Management port and data port G1/2 to the L2 Switch, in same VLAN. 2. Connect G 1/1 to the ISP. 3. Switch is required to send management traffic to internet 4.

49 Default device Setup 1. Connect Management port and data port G1/2 to the L2 Switch, in same VLAN. 2. Connect G 1/1 to the ISP. 3. Switch is required to send management traffic to internet 4. Management port is not routable, because of security. Post 6.2 you can choose data port for management connectivity and get rid of switch 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 49

Easy Configuration: Step2 Rules to allow traffic, and default is to block all the traffic

Easy Configuration: Step 3 2017 Cisco and/or its

Easy Configuration: Step 4 2017 Cisco and/or its

54 Will my Box stop attack with default configuration By default the box drops everything IPS profile, Security Intelligence, Access Control must be configured By default the box drops everything Default Access Policies, Default IPS policies. No Rules 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 54

55 Bob wants to Allow Dropbox Download :- Controlling the access

56 Access Control using Firepower Device Manager Rules under Access polies Mother policy to control and block traffic Default Action 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 56

Authenticating Users Fallback as guest 1. Create Realm 2.

Access Rule on FMC More attributes to create access rule Stitch inspection

62 Bob wants to inspect files getting downloaded from Dropbox :- Inspecting allowed Traffic

Inspecting Dropbox traffic 2017 Cisco and/or its

64 IPS Policies on FDM Security over Connectivity Maximum Detection Pre-canned Profiles Connectivity Over Security Balanced Security and connectivity Security Over Connectivity Maximum detection Intrusion Policy part of Access Rule IPS has performance overhead Connectivity over security Balanced Security and connectivity 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 64

65 Understand IPS profiles Security over Connectivity Maximum Detection Balanced Security and Connectivity has mix of rule set that address need for SMB organizations. Rules are set to drop and generate events It has ~7000 rules, that stop attacks like exploits, Virus, Worms, Trojans etc. Connectivity over security Balanced Security and connectivity 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 65

IPS tuning : FMC Auto Tuning of IPS rules Four Precanned profiles Rule

Controlling the default behavior Enable IPS policies Change the default policy to

68 Bob wants to restrict access to online Games: Control the web access

URL Filtering on Firepower Device Manager URLs URL categories

URL Filtering on Firepower Device Manager:

lookup for unknown URLs 2017 Cisco and/or its

URL Filtering on FMC Various Actions Also Assign reputation to the URL categories Around 81

72 Bob realized wants to save the network from Advance attacks like malwares

73 Controlling and Blocking Malware: FDM Pre-canned Profiles Connects to the cloud to detect malware. Cloud runs powerful engine for malware detection 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 73

74 Controlling and Blocking Malware: FMC Allows to perform Dynamic Analysis, Machine learning. Allow to capture files Allow to choose file types and Categories Custom black list. Watch Threat Score Patient Zero 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 74

75 Bob is at the branch and he want to connect to the head office

Site to Site VPN Site to Site VPN 2017 Cisco and/or

Steps for configuration 2017 Cisco and/or its

Choose Protocol Privacy Configuration IKE Policy & Proposal Custom IKE Policies

Site to Site VPN on FMC Multiple deployments Certificates Advance tuning IPsec,

82 Bob wants to secure his remote users

83 RAVPN support on FTD Secured Access AnyConnect Client SSL, IPsec AAA LDAP/AD/Radius, certificates Radius Authorization Attribute- DACL, Group Policy Address Assignment Radius Accounting Connectivity Experience Split Tunneling, DNS, Address Assignment, Access Hours, ACLs, Time outs Troubleshooting & Reporting User, User Activity, Usage etc. Availability FTD-HA, Dual ISP, multiple AAA servers Smart Licensing Apex, Plus, VPN only Management Intuitive GUI 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 83

84 Remote Access VPN AnyConnect Client Configuration Device Identity and Client Addressing Connection Settings Summary & Instructions User can t use RA VPN if his FTD is in Evaluation mode of Smart Licensing. A user needs to have a Smart Licensing account and he should have a valid licensing token for the RA-VPN feature to work with FDM 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 84

87 Step3: Connection Settings Timeouts Dealing with Browser Proxy During VPN Session Address Pool Split Tunneling NAT exemption Inside Network AnyConnect Client Profile(Optional) 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 87

89 Useful CLI commands.. vpn-sessiondb anyconnect vpn-sessiondb detail anyconnect vpn-sessiondb licensesummary ssl errors ssl ciphers aaa-server asp table socket crypto ca certificates crypto ca crls crypto ca trustpoints webvpn anyconnect webvpn group-alias webvpn group-url webvpn hostscan webvpn statistics webvpn saml idp uauth ip local pool <name of ipv4 pool> 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 89

How to protect endpoint not on corporate network 2017 Cisco

91 Bob must backup configuration- Backup Restore

Backup and Recovery 2017 Cisco and/or its

93 Monitoring & Troubleshooting

System Information Aggregated Throughput Resource Usage Real Time

95 Understanding Performance

96 Performance X 5508-X 5516-X 5525-X 5545-X 5555-X Datasheet numbers are for RFPs, References Real world numbers must be considered for sizing Each service degrades performance by some percentage. Performance Degrades with smaller packet size. Real World IPS DataSheet IPS 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 96

98 Evaluating NGFW for SMB

99 Evaluating Features Evaluating Features Application Control Web Filtering IPS Malware Easy Deployment VPN Manageability You Need UTM if All Above mediocre and Anti Virus 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 99

100 Performance Evaluate Device Performance with Sizing data. Always plan for all feature enabled (Suggested) Consider the degrades by enabling the services 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 100

Plan for future Security requirements are changing: today, still virus can be buying criteria, but in year or two it will not be. Have a contingency for performance.

101 Plan for future Security requirements are changing: today, still virus can be buying criteria, but in year or two it will not be. Have a contingency for performance. Check if hardware can adopt to future requirements: upgrades etc.. How frequent is the updates Cisco and/or its affiliates. All rights reserved. Cisco Public 101

102 What we have learned

103 Things you have learned Security Attacks Technologies Protect your network How to use them for your network How to evaluate NGFW 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 103

Security Beta Programs Security Beta Products Customer Benefits ASA AMP for Endpoints ISE Firepower NGFW/NGIPS ISR OpenDNS Firepower

Demos and feedback sessions on product usability, design, and roadmaps Risk-free testing in the customer environment prior to FCS To

com Beta customer S1-3 issues fixed in GA release I've been involved in many beta programs I must say that this one has been the best

104 Security Beta Programs Security Beta Products Customer Benefits ASA AMP for Endpoints ISE Firepower NGFW/NGIPS ISR OpenDNS Firepower Platforms ESA Stealthwatch Learning Networks Free test hardware Early experience with and training on new features and functionality Demos and feedback sessions on product usability, design, and roadmaps Risk-free testing in the customer environment prior to FCS To participate in Beta: or Beta customer S1-3 issues fixed in GA release I've been involved in many beta programs I must say that this one has been the best organized. This beta has taken a very active, hands-on approach. - Liberal Arts College Customer Presentation ID 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 104

Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.

105 Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card. Complete your session surveys through the Cisco Live mobile app or on Don t forget: Cisco Live sessions will be available for viewing on demand after the event at Cisco and/or its affiliates. All rights reserved. Cisco Public

107 Thank you

108

109 Appendix

110 Bob must also know best practice to secure Wireless

111 Brief on Setup Integrated Cisco 702i AP, as hardware module AP is by default Off. Use CLI to AP console to enable Dot11radio Use IP to connect to AP to create SSIDs etc Cisco and/or its affiliates. All rights reserved. Cisco Public 111

112 Securing SSID Human Error Rogue Access Points WEP/WPA cracking Pre-Shared Key guess WPA2-AES the "gold standard" for data encryption 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 112

113 Other Cisco Security Products

Umbrella Protection when off the VPN no additional agents required Visibility and enforcement at the DNS-layer Block requests to malicious domains and IPs Predictive

114 Umbrella Protection when off the VPN no additional agents required Visibility and enforcement at the DNS-layer Block requests to malicious domains and IPs Predictive intelligence uncover current and emergent threats Subscription based Model Integrated with AnyConnect 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 114

115 Meraki Security NG Firewall, Client VPN, Site to Site VPN, IDS/IPS, Anti-Malware, Geo-Firewall Networking NAT/DHCP, 3G/4G Cellular, Intelligent WAN (IWAN) Application Control Web Caching, Traffic Shaping, Content Filtering 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 115

Cisco Integrated Services Router (ISR) For the ISR 4k, services are deployed on a UCS-E blade Blade contains Six hypervisor Architecture similar to ASA with Firepower Services Also called Cisco

116 Cisco Integrated Services Router (ISR) For the ISR 4k, services are deployed on a UCS-E blade Blade contains Six hypervisor Architecture similar to ASA with Firepower Services Also called Cisco Firepower Threat Defense for ISR Snort integration is road-mapped for lower-end ISR routers Similar to Meraki Snort deployment Snort without the full Sourcefire sensor 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 116

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Cisco Firepower NGFW. Anticipate, block, and respond to threats Cisco Firepower NGFW Anticipate, block, and respond to threats You have a mandate to build and secure a network that supports ongoing innovation Mobile access Social collaboration Public / private hybrid