Firepower 9300 Deep Dive

Transcription

1

2 Firepower 9300 Deep Dive Andrew Ossipov, Principal Engineer BRKSEC-3035

3 Your Speaker Andrew Ossipov Principal Engineer 8 years in Cisco TAC 19+ years in Networking BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 3

4 Agenda Next Generation Security Architecture Hardware and Software Security Applications On-Box Manager Demo Availability and Scalability Application Use Cases Closing and Q&A

5 Next Generation Security Architecture

6 Platform-Based Security Architecture Management Common Security Policy and Management Security Services and Applications Security Services Platform Infrastructure Element Layer Cisco Security Applications Access Context Control Awareness Security Management APIs Common Security Policy & Management Cisco ONE APIs Third-Party Security Applications Content Application Threat Inspection Visibility Prevention Orchestration Platform APIs Physical Appliance Virtual Cloud APIs Device API: OnePK, OpenFlow, CLI Cloud Intelligence APIs Cisco Networking Operating Systems (Enterprise, Data Center, Service Provider) ASIC Data Plane Route Switch Compute APIs Software Data Plane BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 Next Generation Platform Requirements Modular Compute System hardware components can be upgraded independently Dynamic service insertion based on policy and context Dynamic Service Insertion Architectural Scale Leverage the best of security processing components (x86, NPU, Crypto) and scale with Clustering Services be added, removed, upgraded, and modified without disrupting existing flows Rapid Inline Changes No Single Failure Point All hardware and software components are redundant and as independent as possible Architecture built to quickly add new services as market evolves 3 rd Party Integration Deployment Agnostic Provide the same benefits in physical, virtual, and hybrid SDN environments Offer a unified SDK/API for all services, including unified licensing and logging. Unified API BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 Security Application Convergence ASA L2-L4 Stateful Firewall Scalable CGNAT, ACL, routing Application inspection FirePOWER Threat-centric NGIPS AVC, URL Filtering for NGFW Advanced Malware Protection Firepower Threat Defense (FTD) New converged NGFW/NGIPS image Single point of management with Firepower Management Center Full FirePOWER functionality for NGFW/NGIPS deployments ASA Data Plane with TCP Normalizer, NAT, ACL, dynamic routing, failover functions BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 Hardware and Software

10 Firepower 9300 Overview Supervisor Application deployment and orchestration Network attachment and traffic distribution Clustering base layer for ASA or FTD Network Modules 10GE, 40GE, 100GE Hardware bypass for inline NGIPS 3RU Security Modules Embedded Smart NIC and crypto hardware Cisco (ASA, FTD) and third-party (Radware DDoS) applications Standalone or clustered within and across chassis BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 Supervisor Module RJ-45 Console 1GE Management (SFP) Built-in 10GE Data (SFP+) Optional Network Modules (NM) 1 2 Overall chassis management and network interaction Network interface allocation and module connectivity (960Gbps internal fabric) Application image storage, deployment, provisioning, and service chaining Clustering infrastructure for supported applications Smart Licensing and NTP for entire chassis BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 Supervisor Simplified Hardware Diagram Security Module 1 Security Module 2 2x40Gbps 2x40Gbps 2x40Gbps Security Module 3 RAM System Bus Ethernet Internal Switch Fabric (up to 24x40GE) x86 CPU 2x40Gbps 5x40Gbps 5x40Gbps On-board 8x10GE interfaces NM Slot 1 NM Slot 2 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 Standard Network Interfaces Supervisor attaches security modules to network All interfaces are called Ethernet and 1-referenced (i.e. Ethernet1/1) All external network ports require fiber or copper transceivers Network modules support online insertion and removal Maximum IP MTU is 8970 bytes now, 9184 bytes soon 8x10GE 4x40GE 2x100GE Firepower 4100 and 9300 Single width 1GE/10GE SFP Firepower 4100 and 9300 Single width 4x10GE breakouts for each 40GE port Firepower 9300 only Double width QSFP28 connector No breakout support BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 13

14 Fail-to-Wire Network Modules Fixed interfaces, no removable SFP support NGIPS inline interfaces in FXOS for standalone FTD 6.1 only Sub-second reaction time to application, software, or hardware failure 6x1GE 6x10GE 2x40GE Firepower 4100 only Single width 1GE fiber SX Firepower 4100 and 9300 Single width 10GE SR or LR Firepower 4100 and 9300 Single width 40GE SR4 No 10GE breakout support BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 14

15 Security Modules Three configurations SM-44 : 88 x86 CPU cores (70Gbps real-world ASA) in FXOS SM-36 : 72 x86 CPU cores (60Gbps real-world ASA) SM-24 : 48 x86 CPU cores (50Gbps real-world ASA), NEBS Ready Dual 800GB SSD in RAID1 by default Built-in hardware Smart NIC and Crypto Accelerator Flow Offload VPN connection acceleration Future transit TLS inspection with FTD BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 Security Module Simplified Diagram RAM 256GB x86 CPU 1 24 or 36 or 44 cores x86 CPU 2 24 or 36 or 44 cores System Bus Ethernet 2x100Gbps Smart NIC and Crypto Accelerator 2x40Gbps Backplane Supervisor Connection BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 Firepower 4100 Overview Built-in Supervisor and Security Module Same hardware and software architecture as 9300 Fixed configurations (4110, 4120, 4140, 4150) FXOS for , for 4150 Solid State Drives Independent operation (no RAID) Slot 1 today provides limited AMP storage Slot 2 adds 400GB of AMP storage in FXOS RU Network Modules 10GE and 40GE interchangeable with 9300 Partially overlapping fail-to-wire controller options BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 17

18 Firepower 4100 Logical Diagram RAM 4110: 64Gb 4120: 128Gb 4140: 256Gb 4150: 256Gb x86 CPU : 12 cores 4120: 12 cores 4140: 36 cores 4150: 44 cores Smart NIC and Crypto Accelerator x86 CPU : N/A 4120: 12 cores 4140: 36 cores 4150: 44 cores 4110: 1x100Gbps : 2x100Gbps 4110: 1x40Gbps : 2x40Gbps RAM System Bus Ethernet Internal Switch Fabric (up to 18x40GE) x86 CPU 2x40Gbps 5x40Gbps 5x40Gbps On-board 8x10GE interfaces NM Slot 1 NM Slot 2 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 Firepower 9300 Software Supervisor and security modules use multiple independent images All images are digitally signed and validated through Secure Boot Security application images are in Cisco Secure Package (CSP) format Decorator application from third-party (KVM) Primary application from Cisco (Native) FXOS upgrades are applied to Supervisor and resident provisioning agent on modules Supervisor stores CSP application images Security Module 1 Security Module 2 Security Module 3 DDoS ASA ASA ASA FXOS FXOS FXOS Firepower Extensible Operating System (FXOS) Supervisor BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 19

20 Firepower 9300 Platform Bundle Platform Bundle contains all Supervisor and module firmware images fxos-9000-k gspa platform encryption version [g]db [S]igned [S]pecial key revision or [P]roduction FXOS creates an environment for security applications Supervisor automatically selects components to upgrade Relevant components are reloaded automatically during the upgrade BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 20

21 Supervisor CLI Interface FXOS uses object-based CLI representation similar to UCS Manager scope, enter, or exit select a command mode within the hierarchy create instantiates a new configuration object within the hierarchy set assigns a value to a configuration variable or object show displays object content commit-buffer applies changes to the running configuration FP9300# scope eth-uplink FP9300 /eth-uplink # scope fabric a FP9300 /eth-uplink/fabric # create port-channel 2 FP9300 /eth-uplink/fabric/port-channel* # create member-port 1 11 FP9300 /eth-uplink/fabric/port-channel* # create member-port 1 12 FP9300 /eth-uplink/fabric/port-channel* # set speed 10gbps FP9300 /eth-uplink/fabric/port-channel* # commit-buffer FP9300 /eth-uplink/fabric/port-channel # exit BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 Security Applications

23 Security Applications Overview Applications are security services that run on Firepower 9300 modules Primary application consumes full resources of an entire module ASA or FTD; no plans for standalone NGIPS image All modules in a chassis run same primary application A decorator application shares a security module with a primary Traffic flows from network interface through decorator to primary application Service chaining with Radware vdefensepro decorator and ASA BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 Security Services Architecture Logical Device Logical Device Unit Link Decorator Security Module 1 ASA Cluster Security Module 2 Security Module 3 ASA ASA ASA DDoS DDoS DDoS Primary Application Decorator Application Supervisor Ethernet1/7 (Management) Data Outside PortChannel2 Data Inside PortChannel1 Logical Packet Flow On-board 8x10GE interfaces 4x40GE NM Slot 1 4x40GE NM Slot 2 Application Image Storage Ethernet 1/1-8 Ethernet 2/1-4 Ethernet 3/1-4 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 Radware vdefensepro Summary Available Services Application Behavioral HTTP Flood Protection Server Cracking Signature protection Protection Server DNS Protection Anti-Scan Connection Limit Connection PPS Per-flow PPS Limit Limit Network Behavioral DoS SYN Protection Out-Of-State Blacklist/Whitelist BL/WL Up to 10Gbps per module on 6 allocated x86 CPU cores vdp intra-chassis clustering allows up to 30Gbps with 3 modules Future inter-chassis clustering support Impact to ASA throughput from core allocation is 10-15% BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 25

26 Detailed Inbound Flow with Radware vdp 1. TCP request from /1024 to /80 Outside [Decorated] 8. Two-tuple symmetric hash on {SRC_IP= , DST_IP= } vdp Cluster Radware vdp Module 1 6. Five-tuple symmetric hash on {Proto=TCP, SRC_IP= , SRC_PORT=80, DST_IP= , DST_PORT=1024} 7. ASA cluster statefully redirects to owner, owner reverses NAT ASA Cluster ASA Module 1 5. TCP response from /80 to /1024 Inside [Undecorated] Supervisor Radware vdp Module 2 Supervisor ASA Module 2 Supervisor 2. Two-tuple symmetric hash on {SRC_IP= , DST_IP= } Radware vdp Module 3 ASA Module 3 3. Five-tuple symmetric hash on {Proto=TCP, SRC_IP= , SRC_PORT=1024, DST_IP= , DST_PORT=80} 4. Static NAT / /80 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 26

27 Future Vision: Security Service Chaining Contextual policy- and outcome based service insertion Meta data exchange with Network Services Header (NSH) Service Function (SF) processes packet, attaches meta data, and returns to SFF Service Classifier (SC) and Service Function Forwarder (SFF) direct incoming traffic through necessary services Security Module DDoS FTD? Stateful Data Path SF, SC, and SFF may influence service path based on policy, context, and meta data Input packets Output packets BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 27

28 Smart Licensing Cisco applications request feature license entitlements from Supervisor Third-party applications may use out-of-band licensing ASA FTD DDoS 1 Supervisor 2 3 HTTP/HTTPS Proxy Cisco Smart Licensing Supervisor fulfills aggregated entitlement requests with Smart backend through a direct Internet connection, HTTP/HTTPS Proxy, or an on-premise Satellite connector Satellite Connector ASA entitlements: Strong Encryption, Security Contexts, Carrier Inspections FTD entitlements: Threat, Malware, and URL Services BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 28

29 Management Overview Chassis management is independent from applications On-box chassis manager UI, CLI, and REST SNMP and syslog support for chassis level counters/events on Supervisor Applications are managed through their respective interfaces CLI, REST API, ASDM, and off-box Cisco Security Manager (CSM) 4.9 SP1 for ASA Off-box Firepower Management Center (FMC) for FTD Off-box APsolute Vision for Radware vdp Future off-box FMC support for both chassis and FTD management BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 29

30 On-Box Manager Demo

31 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 Availability and Scalability

33 High Availability and Scalability Options High Availability High Scalability High Availability and Scalability ASA Active/Standby Failover (2 modules) Active/Active Failover (2 modules) Intra-chassis Clustering ( 3 modules, 240Gbps) Inter-chassis Clustering ( 16 modules, 1.2Tbps) Inter-chassis clustering ( 16 modules, 1.2Tbps) FTD Radware vdp Active/Standby HA (2 modules) Intra-chassis Clustering ( 3 modules, 100Gbps) - Intra-chassis Clustering ( 3 modules, 30Gbps) - - BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 33

34 ASA Failover for High Availability Active/Standby or Active/Active failover at module level Full stateful connection synchronization as with ASA appliances Failover control and state links are configured at application level Recommend VLAN multiplexing of failover links with a management interface type Per-pair Physical Data Interfaces (ASA and FTD) Shared Management VLAN Trunk (ASA only) Eth1/1 Eth1/2 Eth1/3 Eth1/1 Eth1/2 Eth1/3 Port-Channel1 Eth1/1-2 Eth1/1-2 Port-Channel1 Supervisor Supervisor Eth1/1 Eth1/2 Eth1/3 Eth1/1 Eth1/2 Eth1/3 Pri ASA 1 Sec ASA 3 Pri ASA 3 Sec ASA 1 VLAN 10 VLAN 20 Pri ASA 1 Supervisor VLAN 30 VLAN 10 VLAN 20 Sec ASA 3 Pri ASA 3 Supervisor VLAN 30 Sec ASA 1 Pri ASA 2 Chassis 1 Sec ASA 2 Chassis 2 Pri ASA 2 Chassis 1 Sec ASA 2 Inter-Chassis Failover Control and State Link Connection Chassis 2 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 34

35 ASA Clustering Overview Inter-Chassis Cluster Control Link Cluster of up to 16 modules across 5+ chassis Off-chassis flow backup for complete redundancy Switch 1 Nexus vpc Switch 2 Chassis 1 Chassis 2 Supervisor Supervisor ASA ASA ASA Cluster Cluster ASA ASA ASA Intra-Chassis Cluster Control Link Same-application modules can be clustered within chassis Bootstrap configuration is applied by Supervisor BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 35

36 Platform Specifics for ASA Clustering Only Spanned Etherchannel interface mode is supported Additional off-chassis flow backup for N+1 chassis-level fault tolerance Firewall context mode, 3DES/AES license, SSL ciphers are replicated HTTP flows are not replicated by default until 5 seconds of uptime cluster replication delay 5 match tcp any any eq www Chassis- and cluster-level overflow protection syslogs %ASA : CPU load 80% of module 1 in chassis 1 (unit-1-1) exceeds overflow protection threshold CPU 75%. System may be oversubscribed on member failure. %ASA : Memory load 80% of chassis 1 exceeds overflow protection threshold memory 78%. System may be oversubscribed on chassis failure. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 36

37 New TCP Flow with ASA Inter-Chassis Clustering 1. Attempt new flow with TCP SYN Client 5. C1M1: Send to Client 6. C1M1: Calculate Director C1M3, send flow update ASA Module 1 ASA Module 2 ASA Module 3 Chassis 1 O D ASA Cluster 7. C1M1: Calculate off-chassis Backup C2M1, send update 4. C2M3: Redirect to Owner C1M1 from SYN Cookie, become Forwarder ASA Module 1 ASA Module 2 ASA Module 3 Chassis 2 B M F 2. C1M1: Become Owner, add SYN Cookie, send to Server Server 3. Server responds with TCP SYN ACK through another unit M Master O Owner D Director F Forwarder B Off-Chassis Backup Global Role Per-Connection Roles BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 37

38 Inter-Site Clustering with ASA North-South insertion with LISP inspection and owner reassignment Site A Site B Inter-Chassis Cluster OTV East-West insertion for first hop redundancy with VM mobility Site A Site B Inter-Chassis Cluster OTV BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 38

39 FTD Failover and Clustering FTD uses ASA Data Plane and similar failover/clustering infrastructure Enhanced to replicate full NGFW/NGIPS configuration and opaque flow state Current intra-chassis clustering support on Firepower 9300 platform only Module-level Active/Standby failover for inter-chassis high availability Ensures full stateful flow symmetry in both NGIPS and NGFW modes vpc vpc Failover: Both directions of a flow traverse a single active unit A FTD Failover S FTD FTD Cluster FTD Clustering: All packets for a flow are redirected to connection Owner vpc vpc BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 39

40 Radware vdp Clustering Requires intra-chassis ASA clustering for operation CCL is shared with ASA and automatically configured Health checking ties ASA and vdp instances on a module together Cookie 3. Asymmetrical L4/L7 session authentication with cookies uses same secret value across cluster. Cookie? OK! vdp Module 1 vdp Module 2 M S vdp Cluster 2. Time-based secret value is replicated from Master to Slaves. S vdp Module 3 1. vdp Master/Slave instances and configured and managed independently. APSolute Vision BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 40

41 Turbo Performance Mode Automatically enabled on all Firepower 9300 modules in FXOS Accelerates FTD and ASA performance on demand All x86 CPU cores on a module temporarily increase clock frequency Triggered when 25% of ASA or FTD Data Plane cores reach 80% load Disabled when all cores drop below 60% load Boosts performance by 10-20% BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 41

42 Flow Offload Trusted flow processing with limited security visibility in Smart NIC Up to 39Gbps of single-flow UDP throughput with 1500-byte packets 2.9us latency with 64-byte UDP packets Supports up to 128K offloaded stateful connections Untagged IPv4 TCP/UDP (32K) and GRE (32K), 32K each with VLAN tags Static offload for unicast flows on ASA with IP/SGACL in MPF policy-map OFFLOAD_POLICY class TRUSTED_FLOWS set connection advanced-options flow-offload Offload multicast in transparent mode with 2 bridge group ports in 9.6(2) Pre-filter offload policy for IP/TCP/UDP Trust rules in FTD 6.1 Dynamic offload for fast-forwarded connections in the future BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 42

43 Flow Offload Operation Full Inspection Dynamically program Offload engine after flow establishment Ability to switch between Offload and full inspection on the fly Extended Offload Path (Future) Dedicated x86 cores for advanced processing Packet capture and extended statistics x86 CPU Complex Security Module Full ASA or FTD Engine Lightweight Data Path New and fully inspected flows Offload instructions Flow updates Advanced Processing Incoming traffic Smart NIC Flow Classifier Established trusted flows Rewrite Engine Flow Offload Limited state tracking, NAT/PAT, TCP Seq Randomization 30-40Gbps per single TCP/UDP flow, 2.9us UDP latency, 128K tracked flows BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 43

44 Teardown Exchange Establishment TCP Flow Handling with Flow Offload Flow Classifier Rewrite Engine ASA or FTD TCP SYN TCP SYN ACK TCP ACK TCP Data No flow match No flow match No flow match No flow match TCP conn open Install Offload entry Flow offload request TCP Data TCP FIN Match flow entry Conn termination Flow data sync Packet processed in Offload Path Byte count monitoring TCP FIN ACK No match End flow offload BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 44

45 Application Use Cases

46 Application Positioning Summary ASA is a powerful and scalable solution for basic stateful segmentation Ease of integration and scaling in large and distributed data centers Real-time trading and high performance application protection with Flow Offload Infrastructure and Internet edge protection for service providers FTD is a comprehensive threat-centric security solution NGIPS for data center and service provider environments NGFW for edge protection and smaller data centers Radware vdp is a behavioral DDoS mitigation solution Internet edge protection for web commerce and service provider environments NGFW Firewall NGIPS DDoS BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 46

47 ASA in Data Center Routed or transparent insertion into common data center topologies vpc, VxLAN, PBR, OSPFv2/v3, BGP-4, ECMP, NSF/GR, PIM-SM, BSR Scalable IP and Trustsec policies in single or multiple contexts Same- and inter-site clustering with LISP integration Layer 2 Data Center Layer 3 Data Center Core/Edge Services Distribution/ Aggregation Access Spine Nodes Leaf Nodes Endpoints 1000v BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 47

48 Private VLAN Remapping with ASA ASA 9.5(2) can re-map a set of secondary VLANs to a primary VLAN interface Ethernet1/3 vlan 100 secondary 110, 120, 130 Reference ASA maps frames received from secondary VLANs to primary VLAN subinterface and then processes them normally Switch assigns ports to secondary VLANs and enforces connectivity between different port types within the primary VLAN Community ports can only talk to each other and promiscuous ports Primary VLAN 100 VLAN 100 VLAN 110 VLAN 120 VLAN 130 Community Promiscuous Isolated Private VLAN trunk transmits upstream traffic for all secondary and primary VLANs Promiscuous ports can talk to any other port Isolated ports can only talk to promiscuous ports BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 48

49 ASA for Scalable VPN Termination Use standalone modules or failover for scaling S2S and RA VPN Reverse Route Injection (RRI) with dynamic crypto maps and OSPF/BGP RAVPN with ASA Load-Balancing RRI RRI Chassis 1 Chassis 2 Mas ter S2S VPN with Nexus ITD RRI RRI Chassis 1 Chassis / / /24 Intelligent /24 Traffic Director VIP / /24 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 49

50 ASA for Service Providers Evolved Packet Core Hosted Services MME S-GW PCRF HSS P-GW Protect mobile backhaul connection with S2S VPN Stateful Internet edge protection and CGNAT for mobile clients Stateful Internet edge protection with multiple-context mode for hosted services Protect roaming agreements and billing systems with GTP/Diameter inspection and advanced filtering policies Roaming Partner MME S-GW Internet Stateful perimeter protection for external (Type III) SP PCRF External Service Provider BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 50

51 ASA Application Inspection Protocol conformance, NAT/PAT rewrites, dynamic ACL pinholes SIP inspection for scalable VoIP environments (>10K calls per second) SCTP, Diameter, and GTPv2 inspection for Carriers in ASA 9.5(2) TLS Proxy with SIP; multi-core Diameter inspection in ASA 9.6(1) Endpoints establish an inspected control channel TLS connection over TCP ASA uses pre-configured trustpoints to cut into TLS connection, inspect traffic, and open secondary connections as necessary BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 51

52 Carrier Grade NAT with ASA Fully conforms to RFC6888 except Port Control Protocol (PCP) support High single-module capacity and further scalability with clustering 60M+ concurrent NAT translation per module 500K+ new translation creations per second per module Port Block Allocation for PAT reduces logging volume in ASA 9.5(2) Each PAT client is assigned blocks of ports (512 each by default) for translation A single syslog is recorded for each block allocation event %ASA : Allocated TCP block of ports for translation from inside: to outside: / %ASA : Released TCP block of ports for translation from inside: to outside: / BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 52

53 FTD Deployment Modes FTD can act as both NGFW and NGIPS on different network interfaces NGFW inherits operational modes from ASA and adds FirePOWER features NGIPS operates as standalone FirePOWER with limited ASA data plane functionality NGFW NGIPS Routed Transparent / /24 FTD inside outside DMZ /24 FTD inside outside DMZ /24 Inline Inline Tap Passive Eth1/1 Eth1/1 Eth1/1 FTD FTD FTD Eth1/2 Eth1/2 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 53

54 FTD as NGFW at the Edge AVC, Reputation, TLS decryption, URL Filtering, File Analysis, Advanced Malware Protection for outbound connections DNS Sinkholing redirects potentially malicious connections to a local honeypot Honeypot Continuous updates from Talos ensure relevant protection Campus Data Center ACL and NGIPS policies, optional TLS decryption for inbound connections OSPF, BGP, NSF/GR, and similar features for easy network integration NGFW File hashes are checked against AMP cloud, unknown samples are submitted to ThreatGRID; ThreatGRID feeds the data back into AMP/Talos AMP ThreatGRID BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 54

55 FTD Identity Management with pxgrid Extended identity attributes with Platform exchange Grid (pxgrid) User identity, Geolocation, Source Security Group and Tag, Device Type Replaces Firepower User Agent with ISE 4. ISE publishes IP Attribute mappings through FMC to FTD ISE NGFW 1. Wireless, wired, and VPN clients authorize network access through ISE 2. ISE authorizes users against AD Active Directory 3. FMC resolves AD group membership; FTD actively authenticates users through LDAP BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 55

56 Behavioral DDoS with Radware vdp Behavioral detection for maximum efficacy and low false positives Rate-Based Detection Behavioral Detection Effectively protects web, , VoIP, and other services Adaptive behavioral DoS against IPv4/IPv6 TCP/UDP/ICMP/IGMP floods SYN flood protection with active Layer 4 challenges DNS flood protection with request/response record tracking Application signature protection for HTTP/SMTP/FTP/POP3/SIP/SMB/SQL Anomaly protection against basic malformed packets BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 56

57 ASA and DDoS in Enterprise Cloud Scrubbing Service Radware Defense Messaging used to initiate cloud-based mitigation for volumetric attacks beyond onpremise processing capabilities Dirty traffic pulled into Radware DefensePipe, sanitized, and then redirected to edge router over GRE Inbound Internet traffic traverses DDoS and ASA for behavioral and stateful protection at up to 10Gbps per module Radware vdp Cisco ASA Firepower 9300 Data Center Internal traffic traverses ASA only for stateful segmentation Campus BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 57

58 Closing Remarks

59 Firepower 9300 Summary Next-generation security platform architecture Security service chaining with Cisco and third-party applications Classic stateful firewall, VPN, NGFW, NGIPS, and DDoS protection Intra- and inter-chassis clustering for high scalability Flow Offload for real time applications BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 59

60 Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us. Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 60

61 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Lunch & Learn Meet the Engineer 1:1 meetings Related sessions BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 61

62 Security Joins the Customer Connection Program Customer User Group Program 19,000+ Who can join: Cisco customers, service providers, solution partners and training partners Private online community to connect with peers & Cisco s Security product teams Monthly technical & roadmap briefings via WebEx Opportunities to influence product direction Members Strong Join in World of Solutions Security zone Customer Connection stand Learn about CCP and Join New member thank-you gift* Customer Connection Member badge ribbon Local in-person meet ups starting Fall 2016 New member thank you gift * & badge ribbon when you join in the Cisco Security booth Other CCP tracks: Collaboration & Enterprise Networks Join Online Come to Security zone to get your new member gift* and ribbon BRKSEC-3035 * While supplies last 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 62

63 Please join us for the Service Provider Innovation Talk featuring: Yvette Kanouff Senior Vice President and General Manager, SP Business Joe Cozzolino Senior Vice President, Cisco Services Thursday, July 14 th, :30 am - 12:30pm, In the Oceanside A room What to expect from this innovation talk Insights on market trends and forecasts Preview of key technologies and capabilities Innovative demonstrations of the latest and greatest products Better understanding of how Cisco can help you succeed Register to attend the session live now or watch the broadcast on cisco.com

64 Thank you

65