Firepower 9300 Deep Dive
2 Firepower 9300 Deep Dive
Andrew Ossipov, Principal Engineer
BRKSEC-3035
3 Your Speaker
Andrew Ossipov, Principal Engineer
- 8 years in Cisco TAC
- 19+ years in Networking
BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 3
4 Agenda
- Next Generation Security Architecture
- Hardware and Software
- Security Applications
- On-Box Manager Demo
- Availability and Scalability
- Application Use Cases
- Closing and Q&A
5 Next Generation Security Architecture
6 Platform-Based Security Architecture
Figure (layered architecture diagram), top to bottom:
- Management: Common Security Policy and Management; Security Management APIs
- Security Services and Applications: Cisco Security Applications (Access Control, Context Awareness, Content Inspection, Application Visibility, Threat Prevention, Orchestration) and Third-Party Security Applications; Cisco ONE APIs
- Security Services Platform Infrastructure: Physical Appliance, Virtual, Cloud; Platform APIs; Cloud Intelligence APIs
- Element Layer: Cisco Networking Operating Systems (Enterprise, Data Center, Service Provider) over ASIC Data Plane and Software Data Plane (Route, Switch, Compute); Device API: OnePK, OpenFlow, CLI
7 Next Generation Platform Requirements
- Modular Compute: System hardware components can be upgraded independently
- Dynamic Service Insertion: Dynamic service insertion based on policy and context
- Architectural Scale: Leverage the best of security processing components (x86, NPU, Crypto) and scale with Clustering
- Rapid Inline Changes: Services can be added, removed, upgraded, and modified without disrupting existing flows
- No Single Failure Point: All hardware and software components are redundant and as independent as possible
- 3rd Party Integration: Architecture built to quickly add new services as the market evolves
- Deployment Agnostic: Provide the same benefits in physical, virtual, and hybrid SDN environments
- Unified API: Offer a unified SDK/API for all services, including unified licensing and logging
8 Security Application Convergence
- ASA: L2-L4 Stateful Firewall; Scalable CGNAT, ACL, routing; Application inspection
- FirePOWER: Threat-centric NGIPS; AVC, URL Filtering for NGFW; Advanced Malware Protection
- Firepower Threat Defense (FTD): New converged NGFW/NGIPS image; Single point of management with Firepower Management Center; Full FirePOWER functionality for NGFW/NGIPS deployments; ASA Data Plane with TCP Normalizer, NAT, ACL, dynamic routing, failover functions
9 Hardware and Software
10 Firepower 9300 Overview
- Supervisor: Application deployment and orchestration; Network attachment and traffic distribution; Clustering base layer for ASA or FTD
- Network Modules: 10GE, 40GE, 100GE; Hardware bypass for inline NGIPS
- 3RU chassis
- Security Modules: Embedded Smart NIC and crypto hardware; Cisco (ASA, FTD) and third-party (Radware DDoS) applications; Standalone or clustered within and across chassis
11 Supervisor Module
Front panel (figure): RJ-45 Console, 1GE Management (SFP), Built-in 10GE Data (SFP+), Optional Network Modules (NM) 1 and 2
- Overall chassis management and network interaction
- Network interface allocation and module connectivity (960Gbps internal fabric)
- Application image storage, deployment, provisioning, and service chaining
- Clustering infrastructure for supported applications
- Smart Licensing and NTP for entire chassis
12 Supervisor Simplified Hardware Diagram
Figure: x86 CPU and RAM on a System Bus; Ethernet Internal Switch Fabric (up to 24x40GE) with 2x40Gbps links to the x86 CPU and to each of Security Module 1, 2 and 3; On-board 8x10GE interfaces; 5x40Gbps to NM Slot 1 and 5x40Gbps to NM Slot 2
13 Standard Network Interfaces
- Supervisor attaches security modules to network
- All interfaces are called Ethernet and 1-referenced (i.e. Ethernet1/1)
- All external network ports require fiber or copper transceivers
- Network modules support online insertion and removal
- Maximum IP MTU is 8970 bytes now, 9184 bytes soon
Network module options:
- 8x10GE: Firepower 4100 and 9300; Single width; 1GE/10GE SFP
- 4x40GE: Firepower 4100 and 9300; Single width; 4x10GE breakouts for each 40GE port
- 2x100GE: Firepower 9300 only; Double width; QSFP28 connector; No breakout support
14 Fail-to-Wire Network Modules
- Fixed interfaces, no removable SFP support
- NGIPS inline interfaces in FXOS for standalone FTD 6.1 only
- Sub-second reaction time to application, software, or hardware failure
Module options:
- 6x1GE: Firepower 4100 only; Single width; 1GE fiber SX
- 6x10GE: Firepower 4100 and 9300; Single width; 10GE SR or LR
- 2x40GE: Firepower 4100 and 9300; Single width; 40GE SR4; No 10GE breakout support
15 Security Modules
- Three configurations:
  - SM-44: 88 x86 CPU cores (70Gbps real-world ASA) in FXOS
  - SM-36: 72 x86 CPU cores (60Gbps real-world ASA)
  - SM-24: 48 x86 CPU cores (50Gbps real-world ASA), NEBS Ready
- Dual 800GB SSD in RAID1 by default
- Built-in hardware Smart NIC and Crypto Accelerator: Flow Offload; VPN connection acceleration; Future transit TLS inspection with FTD
16 Security Module Simplified Diagram
Figure: RAM 256GB; x86 CPU 1 (24, 36, or 44 cores) and x86 CPU 2 (24, 36, or 44 cores) on a System Bus; 2x100Gbps Ethernet to the Smart NIC and Crypto Accelerator; 2x40Gbps Backplane Supervisor Connection
17 Firepower 4100 Overview
- Built-in Supervisor and Security Module
- Same hardware and software architecture as 9300
- Fixed configurations (4110, 4120, 4140, 4150); FXOS for , for 4150
- Solid State Drives: Independent operation (no RAID); Slot 1 today provides limited AMP storage; Slot 2 adds 400GB of AMP storage in FXOS
- RU
- Network Modules: 10GE and 40GE interchangeable with 9300; Partially overlapping fail-to-wire controller options
18 Firepower 4100 Logical Diagram
Figure (security module side):
- RAM: 4110: 64Gb; 4120: 128Gb; 4140: 256Gb; 4150: 256Gb
- x86 CPU: 12 cores; 4120: 12 cores; 4140: 36 cores; 4150: 44 cores
- x86 CPU: N/A; 4120: 12 cores; 4140: 36 cores; 4150: 44 cores
- Smart NIC and Crypto Accelerator link: 4110: 1x100Gbps; 2x100Gbps
- Backplane link: 4110: 1x40Gbps; 2x40Gbps
Figure (supervisor side): x86 CPU and RAM on a System Bus; Ethernet Internal Switch Fabric (up to 18x40GE) with a 2x40Gbps link to the x86 CPU; On-board 8x10GE interfaces; 5x40Gbps to NM Slot 1 and 5x40Gbps to NM Slot 2
19 Firepower 9300 Software
- Supervisor and security modules use multiple independent images
- All images are digitally signed and validated through Secure Boot
- Security application images are in Cisco Secure Package (CSP) format
- FXOS upgrades are applied to Supervisor and resident provisioning agent on modules
- Supervisor stores CSP application images
Figure: Supervisor runs the Firepower Extensible Operating System (FXOS); Security Module 1, 2 and 3 each run FXOS and the primary ASA application, and a DDoS decorator is shown alongside ASA on one module. Legend: Decorator application from third-party (KVM); Primary application from Cisco (Native)
20 Firepower 9300 Platform Bundle
- Platform Bundle contains all Supervisor and module firmware images
- Image name fxos-9000-k gspa, annotated on the slide field by field: platform, encryption, version, [g]db, [S]igned, [S]pecial key revision or [P]roduction
- FXOS creates an environment for security applications
- Supervisor automatically selects components to upgrade
- Relevant components are reloaded automatically during the upgrade
21 Supervisor CLI Interface
- FXOS uses object-based CLI representation similar to UCS Manager
  - scope, enter, or exit: select a command mode within the hierarchy
  - create: instantiates a new configuration object within the hierarchy
  - set: assigns a value to a configuration variable or object
  - show: displays object content
  - commit-buffer: applies changes to the running configuration
Example session:
    FP9300# scope eth-uplink
    FP9300 /eth-uplink # scope fabric a
    FP9300 /eth-uplink/fabric # create port-channel 2
    FP9300 /eth-uplink/fabric/port-channel* # create member-port 1 11
    FP9300 /eth-uplink/fabric/port-channel* # create member-port 1 12
    FP9300 /eth-uplink/fabric/port-channel* # set speed 10gbps
    FP9300 /eth-uplink/fabric/port-channel* # commit-buffer
    FP9300 /eth-uplink/fabric/port-channel # exit
22 Security Applications
23 Security Applications Overview
- Applications are security services that run on Firepower 9300 modules
- Primary application consumes full resources of an entire module
  - ASA or FTD; no plans for standalone NGIPS image
  - All modules in a chassis run same primary application
- A decorator application shares a security module with a primary
  - Traffic flows from network interface through decorator to primary application
  - Service chaining with Radware vDefensePro decorator and ASA
24 Security Services Architecture
Figure: Supervisor with Application Image Storage, On-board 8x10GE interfaces (Ethernet1/1-8), 4x40GE NM Slot 1 (Ethernet2/1-4) and 4x40GE NM Slot 2 (Ethernet3/1-4); Data Outside on PortChannel2, Data Inside on PortChannel1, Ethernet1/7 as Management; Security Modules 1, 2 and 3 each run an ASA (Primary Application, forming an ASA Cluster) and a DDoS Decorator Application; a Logical Device Unit Link joins the decorator and the primary within each Logical Device; the Logical Packet Flow runs from the network interface through the decorator to the primary
25 Radware vDefensePro Summary
Available Services:
- Application: Behavioral HTTP Flood Protection; Server Cracking Protection; Signature Protection; Server DNS Protection; Anti-Scan
- Connection Limit; Connection PPS Limit; Per-flow PPS Limit
- Network: Behavioral DoS; SYN Protection; Out-Of-State; Blacklist/Whitelist (BL/WL)
- Up to 10Gbps per module on 6 allocated x86 CPU cores
- vdp intra-chassis clustering allows up to 30Gbps with 3 modules
- Future inter-chassis clustering support
- Impact to ASA throughput from core allocation is 10-15%
26 Detailed Inbound Flow with Radware vdp
Figure: a vdp Cluster (Radware vdp Module 1, 2, 3) and an ASA Cluster (ASA Module 1, 2, 3) behind the Supervisor; Outside is the decorated side and Inside the undecorated side.
1. TCP request from /1024 to /80 (Outside [Decorated])
2. Two-tuple symmetric hash on {SRC_IP= , DST_IP= }
3. Five-tuple symmetric hash on {Proto=TCP, SRC_IP= , SRC_PORT=1024, DST_IP= , DST_PORT=80}
4. Static NAT / /80
5. TCP response from /80 to /1024 (Inside [Undecorated])
6. Five-tuple symmetric hash on {Proto=TCP, SRC_IP= , SRC_PORT=80, DST_IP= , DST_PORT=1024}
7. ASA cluster statefully redirects to owner, owner reverses NAT
8. Two-tuple symmetric hash on {SRC_IP= , DST_IP= }
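The eight-step inbound flow above, as an added Python example (not Cisco code): symmetric 2-tuple and 5-tuple hashing over constructed addresses that stand in for the blanks on the slide, with SHA-256 and a three-module count assumed. It shows why the decorator sees both directions on one module while the ASA cluster still needs the stateful redirect of step 7.

```python
import hashlib
from typing import Dict

# Added example (not Cisco code). Addresses are constructed; the hash function
# and the module count are assumptions.
N_MODULES = 3               # one vdp and one ASA instance per security module
CLIENT = "198.51.100.10"    # outside client, source port 1024
VIP = "203.0.113.80"        # static NAT mapped address of the web server
REAL = "10.1.1.80"          # real (inside) address behind the static NAT

def _bucket(key: str) -> int:
    """Map a canonical key string to a module number 1..N_MODULES."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % N_MODULES + 1

def two_tuple_module(src_ip: str, dst_ip: str) -> int:
    """Symmetric 2-tuple hash (decorator selection): {A,B} and {B,A} collide."""
    lo, hi = sorted((src_ip, dst_ip))
    return _bucket(f"{lo}|{hi}")

def five_tuple_module(proto: str, src_ip: str, src_port: int,
                      dst_ip: str, dst_port: int) -> int:
    """Symmetric 5-tuple hash (primary selection): endpoints are ordered first."""
    ep1, ep2 = sorted(((src_ip, src_port), (dst_ip, dst_port)))
    return _bucket(f"{proto}|{ep1[0]}:{ep1[1]}|{ep2[0]}:{ep2[1]}")

def trace_inbound_flow() -> Dict[str, object]:
    """Walk the eight numbered steps and report which module sees each leg."""
    # Steps 1-3: request on the decorated outside interface, VIP is the destination.
    vdp_in = two_tuple_module(CLIENT, VIP)
    asa_owner = five_tuple_module("TCP", CLIENT, 1024, VIP, 80)
    # Step 4: static NAT rewrites VIP -> REAL before the packet reaches the server.
    # Steps 5-6: the reply comes back from REAL, so the 5-tuple hashed now is not
    # the one that picked the owner; it may land on a different ASA module.
    asa_reply = five_tuple_module("TCP", REAL, 80, CLIENT, 1024)
    needs_redirect = asa_reply != asa_owner
    # Step 7: the receiving unit forwards to the owner, which reverses the NAT.
    # Step 8: after un-NAT the 2-tuple is {CLIENT, VIP} again, so the vdp module
    # that saw the request also sees the response.
    vdp_out = two_tuple_module(VIP, CLIENT)
    return {"vdp_in": vdp_in, "vdp_out": vdp_out, "asa_owner": asa_owner,
            "asa_reply": asa_reply, "needs_redirect": needs_redirect}

if __name__ == "__main__":
    for name, value in trace_inbound_flow().items():
        print(f"{name:15} {value}")
```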
27 Future Vision: Security Service Chaining
- Contextual policy- and outcome-based service insertion
- Metadata exchange with Network Services Header (NSH)
- Service Classifier (SC) and Service Function Forwarder (SFF) direct incoming traffic through necessary services
- Service Function (SF) processes packet, attaches metadata, and returns to SFF
- SF, SC, and SFF may influence service path based on policy, context, and metadata
Figure: Input packets enter a Security Module running DDoS, a possible FTD service, and the Stateful Data Path; Output packets leave after the chain
28 Smart Licensing
- Cisco applications request feature license entitlements from Supervisor
- Third-party applications may use out-of-band licensing
- Supervisor fulfills aggregated entitlement requests with Smart backend through a direct Internet connection, HTTP/HTTPS Proxy, or an on-premise Satellite connector
- ASA entitlements: Strong Encryption, Security Contexts, Carrier Inspections
- FTD entitlements: Threat, Malware, and URL Services
Figure: (1) ASA, FTD and DDoS applications, (2) Supervisor, (3) HTTP/HTTPS Proxy or Satellite Connector, then Cisco Smart Licensing
29 Management Overview
- Chassis management is independent from applications
  - On-box chassis manager UI, CLI, and REST
  - SNMP and syslog support for chassis-level counters/events on Supervisor
- Applications are managed through their respective interfaces
  - CLI, REST API, ASDM, and off-box Cisco Security Manager (CSM) 4.9 SP1 for ASA
  - Off-box Firepower Management Center (FMC) for FTD
  - Off-box APSolute Vision for Radware vdp
- Future off-box FMC support for both chassis and FTD management
30 On-Box Manager Demo
32 Availability and Scalability
33 High Availability and Scalability Options
Application | High Availability | High Scalability | High Availability and Scalability
ASA | Active/Standby Failover (2 modules); Active/Active Failover (2 modules) | Intra-chassis Clustering (up to 3 modules, 240Gbps); Inter-chassis Clustering (up to 16 modules, 1.2Tbps) | Inter-chassis Clustering (up to 16 modules, 1.2Tbps)
FTD | Active/Standby HA (2 modules) | Intra-chassis Clustering (up to 3 modules, 100Gbps) | -
Radware vdp | - | Intra-chassis Clustering (up to 3 modules, 30Gbps) | -
34 ASA Failover for High Availability
- Active/Standby or Active/Active failover at module level
- Full stateful connection synchronization as with ASA appliances
- Failover control and state links are configured at application level
- Recommend VLAN multiplexing of failover links with a management interface type
Figure (two designs, each with Chassis 1 and Chassis 2 and an Inter-Chassis Failover Control and State Link Connection between the Supervisors; three failover pairs ASA 1, 2 and 3 with primary and secondary units split across the chassis):
- Per-pair Physical Data Interfaces (ASA and FTD): Eth1/1, Eth1/2 and Eth1/3 on each chassis, one per pair
- Shared Management VLAN Trunk (ASA only): Port-Channel1 (Eth1/1-2) on each chassis trunks VLAN 10, VLAN 20 and VLAN 30, one per pair
35 ASA Clustering Overview
- Cluster of up to 16 modules across 5+ chassis
- Off-chassis flow backup for complete redundancy
- Same-application modules can be clustered within chassis
- Bootstrap configuration is applied by Supervisor
Figure: Switch 1 and Switch 2 (Nexus vPC) connect to Chassis 1 and Chassis 2; each chassis has a Supervisor and three ASA modules forming the ASA Cluster, with an Intra-Chassis Cluster Control Link inside each chassis and an Inter-Chassis Cluster Control Link between them
36 Platform Specifics for ASA Clustering
- Only Spanned Etherchannel interface mode is supported
- Additional off-chassis flow backup for N+1 chassis-level fault tolerance
- Firewall context mode, 3DES/AES license, SSL ciphers are replicated
- HTTP flows are not replicated by default until 5 seconds of uptime:
    cluster replication delay 5 match tcp any any eq www
- Chassis- and cluster-level overflow protection syslogs:
    %ASA : CPU load 80% of module 1 in chassis 1 (unit-1-1) exceeds overflow protection threshold CPU 75%. System may be oversubscribed on member failure.
    %ASA : Memory load 80% of chassis 1 exceeds overflow protection threshold memory 78%. System may be oversubscribed on chassis failure.
37 New TCP Flow with ASA Inter-Chassis Clustering
Figure: Client and Server connected through an ASA Cluster of Chassis 1 (ASA Module 1, 2, 3) and Chassis 2 (ASA Module 1, 2, 3). Global Role: M = Master. Per-Connection Roles: O = Owner, D = Director, F = Forwarder, B = Off-Chassis Backup.
1. Client attempts new flow with TCP SYN
2. C1M1: Become Owner, add SYN Cookie, send to Server
3. Server responds with TCP SYN ACK through another unit
4. C2M3: Redirect to Owner C1M1 from SYN Cookie, become Forwarder
5. C1M1: Send to Client
6. C1M1: Calculate Director C1M3, send flow update
7. C1M1: Calculate off-chassis Backup C2M1, send update
38 Inter-Site Clustering with ASA
- North-South insertion with LISP inspection and owner reassignment (Figure: Site A and Site B joined by an Inter-Chassis Cluster over OTV)
- East-West insertion for first hop redundancy with VM mobility (Figure: Site A and Site B joined by an Inter-Chassis Cluster over OTV)
39 FTD Failover and Clustering
- FTD uses ASA Data Plane and similar failover/clustering infrastructure
- Enhanced to replicate full NGFW/NGIPS configuration and opaque flow state
- Current intra-chassis clustering support on Firepower 9300 platform only
- Module-level Active/Standby failover for inter-chassis high availability
- Ensures full stateful flow symmetry in both NGIPS and NGFW modes
  - Failover: Both directions of a flow traverse a single active unit (Figure: vPC pairs on either side of an FTD Failover pair, A = active, S = standby)
  - Clustering: All packets for a flow are redirected to connection Owner (Figure: vPC pairs on either side of an FTD Cluster)
40 Radware vdp Clustering
- Requires intra-chassis ASA clustering for operation
- CCL is shared with ASA and automatically configured
- Health checking ties ASA and vdp instances on a module together
Figure (vdp Cluster of vdp Module 1 (M = Master), vdp Module 2 (S = Slave) and vdp Module 3 (S), managed by APSolute Vision):
1. vdp Master/Slave instances are configured and managed independently.
2. Time-based secret value is replicated from Master to Slaves.
3. Asymmetrical L4/L7 session authentication with cookies uses same secret value across cluster. (Cookie? OK!)
41 Turbo Performance Mode
- Automatically enabled on all Firepower 9300 modules in FXOS
- Accelerates FTD and ASA performance on demand
- All x86 CPU cores on a module temporarily increase clock frequency
- Triggered when 25% of ASA or FTD Data Plane cores reach 80% load
- Disabled when all cores drop below 60% load
- Boosts performance by 10-20%
42 Flow Offload
- Trusted flow processing with limited security visibility in Smart NIC
- Up to 39Gbps of single-flow UDP throughput with 1500-byte packets
- 2.9us latency with 64-byte UDP packets
- Supports up to 128K offloaded stateful connections
  - Untagged IPv4 TCP/UDP (32K) and GRE (32K), 32K each with VLAN tags
- Static offload for unicast flows on ASA with IP/SGACL in MPF:
    policy-map OFFLOAD_POLICY
     class TRUSTED_FLOWS
      set connection advanced-options flow-offload
- Offload multicast in transparent mode with 2 bridge group ports in 9.6(2)
- Pre-filter offload policy for IP/TCP/UDP Trust rules in FTD 6.1
- Dynamic offload for fast-forwarded connections in the future
43 Flow Offload Operation
- Full Inspection: Dynamically program Offload engine after flow establishment; Ability to switch between Offload and full inspection on the fly
- Extended Offload Path (Future): Dedicated x86 cores for advanced processing; Packet capture and extended statistics
- Flow Offload: Limited state tracking, NAT/PAT, TCP Seq Randomization; 30-40Gbps per single TCP/UDP flow, 2.9us UDP latency, 128K tracked flows
Figure (Security Module): Incoming traffic enters the Smart NIC Flow Classifier; new and fully inspected flows go to the Full ASA or FTD Engine in the x86 CPU Complex, which returns offload instructions; established trusted flows take the Lightweight Data Path through the Rewrite Engine, which sends flow updates back to the engine; Advanced Processing is the future extended path
44 TCP Flow Handling with Flow Offload
Figure (sequence between Flow Classifier, Rewrite Engine and ASA or FTD):
- Establishment: TCP SYN, TCP SYN ACK, TCP ACK and the first TCP Data each produce no flow match in the Flow Classifier and go to ASA or FTD; on TCP conn open, ASA or FTD issues a flow offload request and the Rewrite Engine installs the Offload entry
- Exchange: subsequent TCP Data matches the flow entry and is processed in the Offload Path with byte count monitoring; flow data is synced back to ASA or FTD
- Teardown: TCP FIN matches the flow entry and is handed to ASA or FTD for conn termination, which ends the flow offload; TCP FIN ACK then has no match
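The offload sequence above, as an added Python model (not Cisco code): a classifier table with the capacities the slides give, a full engine that installs an entry on TCP conn open and ends the offload on FIN, and byte counts synced back at teardown. The ordered flow key, the per-class split of the table and installing the entry as soon as the handshake completes are assumptions; the packets are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Added example (not Cisco code): a model of the Smart NIC offload path on the
# slides. The ordered flow key, the per-class table split and installing the
# entry when the handshake completes are assumptions.
FlowKey = Tuple[str, str, int, str, int]          # (proto, ip_a, port_a, ip_b, port_b)
# 128K offloaded connections: 32K untagged IPv4 TCP/UDP, 32K GRE, 32K each with VLAN tags
CAPACITY = {c: 32 * 1024 for c in ("ipv4", "gre", "ipv4-vlan", "gre-vlan")}

def flow_key(proto: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> FlowKey:
    """Order the endpoints so both directions of a flow share one table entry."""
    (ip_a, p_a), (ip_b, p_b) = sorted(((src_ip, src_port), (dst_ip, dst_port)))
    return (proto, ip_a, p_a, ip_b, p_b)

def offload_class(key: FlowKey, vlan: bool) -> str:
    return ("gre" if key[0] == "GRE" else "ipv4") + ("-vlan" if vlan else "")

@dataclass
class Packet:
    key: FlowKey
    length: int = 1500
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"FIN", "ACK"}
    vlan: bool = False

@dataclass
class OffloadEntry:
    bytes_seen: int = 0              # byte count monitoring in the offload path
    packets: int = 0

class FlowClassifier:
    """Smart NIC exact-match table, programmed by the full engine."""
    def __init__(self) -> None:
        self.table: Dict[FlowKey, OffloadEntry] = {}
        self.used: Dict[str, int] = {c: 0 for c in CAPACITY}

    def install(self, key: FlowKey, vlan: bool) -> bool:
        cls = offload_class(key, vlan)
        if key in self.table or self.used[cls] >= CAPACITY[cls]:
            return False             # class full: the flow stays on the x86 path
        self.table[key] = OffloadEntry()
        self.used[cls] += 1
        return True

    def remove(self, key: FlowKey, vlan: bool) -> Optional[OffloadEntry]:
        entry = self.table.pop(key, None)
        if entry is not None:
            self.used[offload_class(key, vlan)] -= 1
        return entry

class FullEngine:
    """ASA or FTD data plane: owns TCP state and decides which flows are trusted."""
    def __init__(self, nic: FlowClassifier, trusted: Set[FlowKey]) -> None:
        self.nic, self.trusted = nic, trusted
        self.state: Dict[FlowKey, str] = {}
        self.synced_bytes: Dict[FlowKey, int] = {}

    def process(self, pkt: Packet) -> str:
        st = self.state.get(pkt.key)
        if pkt.flags & {"FIN", "RST"}:
            self.state[pkt.key] = "CLOSED"                      # conn termination
            entry = self.nic.remove(pkt.key, pkt.vlan)          # end flow offload
            if entry is not None:
                self.synced_bytes[pkt.key] = entry.bytes_seen   # flow data sync
        elif "SYN" in pkt.flags:
            self.state[pkt.key] = "SYN-ACK" if st == "SYN" else "SYN"
        elif "ACK" in pkt.flags and st == "SYN-ACK":
            self.state[pkt.key] = "ESTABLISHED"                 # TCP conn open
            if pkt.key in self.trusted:
                self.nic.install(pkt.key, pkt.vlan)             # flow offload request
        return "full-inspection"

class SecurityModule:
    def __init__(self, trusted: Set[FlowKey]) -> None:
        self.nic = FlowClassifier()
        self.engine = FullEngine(self.nic, trusted)

    def receive(self, pkt: Packet) -> str:
        entry = self.nic.table.get(pkt.key)
        if entry is None or pkt.flags & {"FIN", "RST"}:
            return self.engine.process(pkt)   # no flow match, or a control packet
        entry.packets += 1                    # match: rewrite engine forwards it
        entry.bytes_seen += pkt.length
        return "offload-path"

def tcp_flow_demo() -> Tuple[list, int]:
    """Constructed handshake, two data segments and teardown of one trusted flow."""
    key = flow_key("TCP", "198.51.100.10", 40000, "10.1.1.80", 80)
    mod, f = SecurityModule(trusted={key}), frozenset
    pkts = [Packet(key, 64, f({"SYN"})), Packet(key, 64, f({"SYN", "ACK"})),
            Packet(key, 64, f({"ACK"})), Packet(key, 1500, f({"ACK"})),
            Packet(key, 1500, f({"ACK"})), Packet(key, 64, f({"FIN", "ACK"})),
            Packet(key, 64, f({"ACK"}))]          # final ACK: entry already gone
    return [mod.receive(p) for p in pkts], mod.engine.synced_bytes[key]

def accepted_installs(n: int) -> int:
    """How many of n distinct untagged IPv4 UDP flows the table accepts."""
    nic = FlowClassifier()
    return sum(nic.install(flow_key("UDP", f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}",
                                    5000, "192.0.2.1", 53), False) for i in range(n))
```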
45 Application Use Cases
46 Application Positioning Summary
- ASA is a powerful and scalable solution for basic stateful segmentation
  - Ease of integration and scaling in large and distributed data centers
  - Real-time trading and high performance application protection with Flow Offload
  - Infrastructure and Internet edge protection for service providers
- FTD is a comprehensive threat-centric security solution
  - NGIPS for data center and service provider environments
  - NGFW for edge protection and smaller data centers
- Radware vdp is a behavioral DDoS mitigation solution
  - Internet edge protection for web commerce and service provider environments
47 ASA in Data Center
- Routed or transparent insertion into common data center topologies
- vPC, VXLAN, PBR, OSPFv2/v3, BGP-4, ECMP, NSF/GR, PIM-SM, BSR
- Scalable IP and TrustSec policies in single or multiple contexts
- Same- and inter-site clustering with LISP integration
Figure: Layer 2 Data Center (Core/Edge, Services, Distribution/Aggregation, Access) and Layer 3 Data Center (Spine Nodes, Leaf Nodes, Endpoints, 1000v)
48 Private VLAN Remapping with ASA
- ASA 9.5(2) can re-map a set of secondary VLANs to a primary VLAN interface:
    Ethernet1/3
     vlan 100 secondary 110, 120, 130
- ASA maps frames received from secondary VLANs to primary VLAN subinterface and then processes them normally
- Switch assigns ports to secondary VLANs and enforces connectivity between different port types within the primary VLAN
  - Promiscuous ports can talk to any other port
  - Community ports can only talk to each other and promiscuous ports
  - Isolated ports can only talk to promiscuous ports
- Private VLAN trunk transmits upstream traffic for all secondary and primary VLANs
Figure: Primary VLAN 100 with secondary VLANs 110, 120 and 130 and Community, Promiscuous and Isolated ports
49 ASA for Scalable VPN Termination
- Use standalone modules or failover for scaling S2S and RA VPN
- Reverse Route Injection (RRI) with dynamic crypto maps and OSPF/BGP
Figure (left): RA VPN with ASA Load-Balancing across Chassis 1 and Chassis 2, each module doing RRI and one module acting as Master
Figure (right): S2S VPN with Nexus Intelligent Traffic Director (ITD) VIP in front of Chassis 1 and Chassis 2, each module doing RRI
50 ASA for Service Providers
- Protect mobile backhaul connection with S2S VPN
- Stateful Internet edge protection and CGNAT for mobile clients
- Stateful Internet edge protection with multiple-context mode for hosted services
- Protect roaming agreements and billing systems with GTP/Diameter inspection and advanced filtering policies
- Stateful perimeter protection for external (Type III) SP
Figure: Evolved Packet Core (MME, S-GW, PCRF, HSS, P-GW), Hosted Services, Internet, Roaming Partner (MME, S-GW) and External Service Provider (PCRF)
51 ASA Application Inspection
- Protocol conformance, NAT/PAT rewrites, dynamic ACL pinholes
- SIP inspection for scalable VoIP environments (>10K calls per second)
- SCTP, Diameter, and GTPv2 inspection for Carriers in ASA 9.5(2)
- TLS Proxy with SIP; multi-core Diameter inspection in ASA 9.6(1)
  - Endpoints establish an inspected control channel TLS connection over TCP
  - ASA uses pre-configured trustpoints to cut into TLS connection, inspect traffic, and open secondary connections as necessary
52 Carrier Grade NAT with ASA
- Fully conforms to RFC6888 except Port Control Protocol (PCP) support
- High single-module capacity and further scalability with clustering
  - 60M+ concurrent NAT translations per module
  - 500K+ new translation creations per second per module
- Port Block Allocation for PAT reduces logging volume in ASA 9.5(2)
  - Each PAT client is assigned blocks of ports (512 each by default) for translation
  - A single syslog is recorded for each block allocation event:
    %ASA : Allocated TCP block of ports for translation from inside: to outside: /
    %ASA : Released TCP block of ports for translation from inside: to outside: /
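Port Block Allocation as an added Python model (not Cisco code): a constructed client and mapped address, a placeholder where the transcription dropped the syslog message ID, and one syslog per 512-port block on allocation and release instead of one per translation. The PAT port range and the pool layout are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Added example (not Cisco code): PAT Port Block Allocation as the slide describes
# it. The port range, the pool layout and the syslog wording (message ID left as
# a placeholder) are assumptions.
BLOCK_SIZE = 512               # default block size from the slide
PORT_RANGE = (1024, 65535)     # assumed PAT port range on the mapped address

@dataclass
class PatPool:
    mapped_ip: str
    block_size: int = BLOCK_SIZE
    free_blocks: List[int] = field(default_factory=list)        # block start ports
    blocks: Dict[str, List[int]] = field(default_factory=dict)   # client -> its blocks
    used: Dict[str, Set[int]] = field(default_factory=dict)      # client -> ports in use
    syslog: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        lo, hi = PORT_RANGE
        self.free_blocks = list(range(lo, hi - self.block_size + 2, self.block_size))

    def _log(self, event: str, client: str, start: int) -> None:
        end = start + self.block_size - 1
        # Placeholder message ID; wording follows the slide's syslog text.
        self.syslog.append(f"%ASA-<msgid>: {event} TCP block of ports for translation "
                           f"from inside:{client} to outside:{self.mapped_ip}/{start}-{end}")

    def translate(self, client: str) -> Tuple[str, int]:
        """Return the mapped (ip, port) for a new connection from client."""
        used = self.used.setdefault(client, set())
        for start in self.blocks.setdefault(client, []):
            for port in range(start, start + self.block_size):
                if port not in used:
                    used.add(port)              # no syslog for a port inside a block
                    return self.mapped_ip, port
        if not self.free_blocks:
            raise RuntimeError("PAT pool exhausted")
        start = self.free_blocks.pop(0)         # one syslog per block allocation
        self.blocks[client].append(start)
        self._log("Allocated", client, start)
        used.add(start)
        return self.mapped_ip, start

    def release(self, client: str, port: int) -> None:
        """Free a translation; the block is returned (and logged) once it is empty."""
        self.used[client].discard(port)
        start = port - (port - PORT_RANGE[0]) % self.block_size
        if not any(start <= p < start + self.block_size for p in self.used[client]):
            self.blocks[client].remove(start)
            self.free_blocks.append(start)
            self._log("Released", client, start)

def logging_comparison(n_connections: int) -> Tuple[int, int]:
    """Syslog lines for n connections from one client: block logging vs one build
    and one teardown message per translation (the latter assumed as 2 per connection)."""
    pool = PatPool("203.0.113.5")
    ports = [pool.translate("10.1.1.10")[1] for _ in range(n_connections)]
    assert len(set(ports)) == n_connections       # every connection got its own port
    for port in ports:
        pool.release("10.1.1.10", port)
    return len(pool.syslog), 2 * n_connections
```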
53 FTD Deployment Modes
- FTD can act as both NGFW and NGIPS on different network interfaces
- NGFW inherits operational modes from ASA and adds FirePOWER features
- NGIPS operates as standalone FirePOWER with limited ASA data plane functionality
Figure: NGFW modes Routed and Transparent (FTD with inside, outside and DMZ interfaces); NGIPS modes Inline, Inline Tap and Passive (FTD on Eth1/1 and Eth1/2)
54 FTD as NGFW at the Edge
- AVC, Reputation, TLS decryption, URL Filtering, File Analysis, Advanced Malware Protection for outbound connections
- DNS Sinkholing redirects potentially malicious connections to a local honeypot
- Continuous updates from Talos ensure relevant protection
- ACL and NGIPS policies, optional TLS decryption for inbound connections
- OSPF, BGP, NSF/GR, and similar features for easy network integration
- File hashes are checked against AMP cloud, unknown samples are submitted to ThreatGRID; ThreatGRID feeds the data back into AMP/Talos
Figure: NGFW between Campus and Data Center on one side and the Internet on the other, with Honeypot, AMP and ThreatGRID
55 FTD Identity Management with pxGrid
- Extended identity attributes with Platform Exchange Grid (pxGrid)
  - User identity, Geolocation, Source Security Group and Tag, Device Type
- Replaces Firepower User Agent with ISE
Figure (ISE, Active Directory, FMC and NGFW):
1. Wireless, wired, and VPN clients authorize network access through ISE
2. ISE authorizes users against AD
3. FMC resolves AD group membership; FTD actively authenticates users through LDAP
4. ISE publishes IP Attribute mappings through FMC to FTD
56 Behavioral DDoS with Radware vdp
- Behavioral detection for maximum efficacy and low false positives (Rate-Based Detection vs. Behavioral Detection)
- Effectively protects web, , VoIP, and other services
- Adaptive behavioral DoS against IPv4/IPv6 TCP/UDP/ICMP/IGMP floods
- SYN flood protection with active Layer 4 challenges
- DNS flood protection with request/response record tracking
- Application signature protection for HTTP/SMTP/FTP/POP3/SIP/SMB/SQL
- Anomaly protection against basic malformed packets
57 ASA and DDoS in Enterprise
- Inbound Internet traffic traverses DDoS and ASA for behavioral and stateful protection at up to 10Gbps per module
- Internal traffic traverses ASA only for stateful segmentation
- Cloud Scrubbing Service: Radware Defense Messaging used to initiate cloud-based mitigation for volumetric attacks beyond on-premise processing capabilities
- Dirty traffic pulled into Radware DefensePipe, sanitized, and then redirected to edge router over GRE
Figure: Firepower 9300 with Radware vdp and Cisco ASA between the Internet, Campus and Data Center
58 Closing Remarks
59 Firepower 9300 Summary
- Next-generation security platform architecture
- Security service chaining with Cisco and third-party applications
- Classic stateful firewall, VPN, NGFW, NGIPS, and DDoS protection
- Intra- and inter-chassis clustering for high scalability
- Flow Offload for real-time applications
60 Complete Your Online Session Evaluation
- Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
- Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.
- Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
61 Continue Your Education
- Demos in the Cisco campus
- Walk-in Self-Paced Labs
- Lunch & Learn
- Meet the Engineer 1:1 meetings
- Related sessions
62 Security Joins the Customer Connection Program
- Customer User Group Program, 19,000+ Members Strong
- Who can join: Cisco customers, service providers, solution partners and training partners
- Private online community to connect with peers & Cisco's Security product teams
- Monthly technical & roadmap briefings via WebEx
- Opportunities to influence product direction
- Join in World of Solutions: Security zone, Customer Connection stand; learn about CCP and join; new member thank-you gift* and Customer Connection Member badge ribbon when you join in the Cisco Security booth
- Local in-person meet ups starting Fall 2016
- Other CCP tracks: Collaboration & Enterprise Networks
- Join Online, or come to the Security zone to get your new member gift* and ribbon
* While supplies last
BRKSEC-3035 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
63 Please join us for the Service Provider Innovation Talk featuring:
- Yvette Kanouff, Senior Vice President and General Manager, SP Business
- Joe Cozzolino, Senior Vice President, Cisco Services
Thursday, July 14th, :30 am - 12:30pm, in the Oceanside A room
What to expect from this innovation talk:
- Insights on market trends and forecasts
- Preview of key technologies and capabilities
- Innovative demonstrations of the latest and greatest products
- Better understanding of how Cisco can help you succeed
Register to attend the session live now or watch the broadcast on cisco.com
64 Thank you
Cisco - ASA Lab Camp v9.0 Code: 0007 Lengt h: 5 days URL: View Online Based on our enhanced SASAC v1.0 and SASAA v1.2 courses, this exclusive, lab-based course, provides you with your own set of equipment
More informationEvolution of Data Center Security Automated Security for Today s Dynamic Data Centers
Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers Speaker: Mun Hossain Director of Product Management - Security Business Group Cisco Twitter: @CiscoDCSecurity 2 Any
More informationCisco ASA with FirePOWER services Eric Kostlan, Technical Marketing Engineer Security Technologies Group, Cisco Systems LABSEC-2339
Cisco ASA with FirePOWER services Eric Kostlan, Technical Marketing Engineer Security Technologies Group, Cisco Systems LABSEC-2339 Agenda Introduction to Lab Exercises Platforms and Solutions ASA with
More informationVRF, MPLS and MP-BGP Fundamentals
VRF, MPLS and MP-BGP Fundamentals Jason Gooley, CCIEx2 (RS, SP) #38759 Twitter: @ccie38759 LinkedIn: http://www.linkedin.com/in/jgooley Agenda Introduction to Virtualization VRF-Lite MPLS & BGP Free Core
More informationSome features are not supported when using clustering. See Unsupported Features with Clustering, on page 11.
Clustering lets you group multiple ASAs together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased
More informationDeploying Intrusion Prevention Systems
Deploying Intrusion Prevention Systems Gary Halleen Consulting Systems Engineer II Agenda Introductions Introduction to IPS Comparing Cisco IPS Solutions IPS Deployment Considerations Migration from IPS
More informationASA Cluster for the Firepower 9300 Chassis
Clustering lets you group multiple Firepower 9300 chassis ASAs together as a single logical device. The Firepower 9300 chassis series includes the Firepower 9300. A cluster provides all the convenience
More informationImplementing Cisco Edge Network Security Solutions ( )
Implementing Cisco Edge Network Security Solutions (300-206) Exam Description: The Implementing Cisco Edge Network Security (SENSS) (300-206) exam tests the knowledge of a network security engineer to
More informationRequest for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref )
Appendix 1 1st Tier Firewall The Solution shall be rack-mountable into standard 19-inch (482.6-mm) EIA rack. The firewall shall minimally support the following technologies and features: (a) Stateful inspection;
More informationSegmentation. Threat Defense. Visibility
Segmentation Threat Defense Visibility Establish boundaries: network, compute, virtual Enforce policy by functions, devices, organizations, compliance Control and prevent unauthorized access to networks,
More informationOpenStack Enabling DevOps Shannon McFarland CCIE #5245 Distinguished DEVNET-1104
OpenStack Enabling DevOps Shannon McFarland CCIE #5245 Distinguished Engineer @eyepv6 DEVNET-1104 Agenda Introduction DevOps OpenStack Virtualization CI/CD Pipeline Orchestration Conclusion What is DevOps?
More informationInterfaces for Firepower Threat Defense
This chapter includes Firepower Threat Defense interface configuration including Ethernet settings, EtherChannels, VLAN subinterfaces, IP addressing, and more. About Firepower Threat Defense Interfaces,
More informationCisco Firepower NGIPS Tuning and Best Practices
Cisco Firepower NGIPS Tuning and Best Practices John Wise, Security Instructor High Touch Delivery, Cisco Learning Services CTHCRT-2000 Cisco Spark How Questions? Use Cisco Spark to communicate with the
More informationNGFWv & ASAv in Public Cloud (AWS & Azure)
& in Public Cloud (AWS & Azure) Anubhav Swami, CCIE# 21208 Technical Marketing Engineer Your Speaker Anubhav Swami answami@cisco.com Technical Marketing Engineer 5 years in Cisco TAC 2 years in ASA BU
More informationExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you
ExamTorrent http://www.examtorrent.com Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you Exam : 400-251 Title : CCIE Security Written Exam (v5.0) Vendor : Cisco Version
More informationASA Cluster for the Firepower 9300 Chassis
Clustering lets you group multiple Firepower 9300 chassis ASAs together as a single logical device. The Firepower 9300 chassis series includes the Firepower 9300. A cluster provides all the convenience
More informationThe IINS acronym to this exam will remain but the title will change slightly, removing IOS from the title, making the new title.
I n t r o d u c t i o n The CCNA Security IINS exam topics have been refreshed from version 2.0 to version 3.0. This document will highlight exam topic changes between the current 640-554 IINS exam and
More informationVirtual Security Gateway Overview
This chapter contains the following sections: Information About the Cisco Virtual Security Gateway, page 1 Cisco Virtual Security Gateway Configuration for the Network, page 10 Feature History for Overview,
More informationDevice Management Basics
The following topics describe how to manage devices in the Firepower System: The Device Management Page, on page 1 Remote Management Configuration, on page 2 Add Devices to the Firepower Management Center,
More informationBorderless Networks. Tom Schepers, Director Systems Engineering
Borderless Networks Tom Schepers, Director Systems Engineering Agenda Introducing Enterprise Network Architecture Unified Access Cloud Intelligent Network & Unified Services Enterprise Networks in Action
More informationNew Features for ASA Version 9.0(2)
FIREWALL Features New Features for ASA Version 9.0(2) Cisco Adaptive Security Appliance (ASA) Software Release 9.0 is the latest release of the software that powers the Cisco ASA family. The same core
More informationDeploying Intrusion Prevention Systems
Deploying Intrusion Prevention Systems Mike Mercier Consulting Systems Engineer BRKSEC-2030 Agenda Introduction to IPS Cisco NGIPS Solutions Deploying Cisco NGIPS Migrating to Firepower NGIPS Conclusion
More informationCisco ASA 5500 Series IPS Solution
Cisco ASA 5500 Series IPS Product Overview As mobile devices and Web 2.0 applications proliferate, it becomes harder to secure corporate perimeters. Traditional firewall and intrusion prevention system
More informationFully Integrated, Threat-Focused Next-Generation Firewall
Cisco Firepower NGFW Fully Integrated, Threat-Focused Next-Generation Firewall Fuat KILIÇ, fkilic@cisco.com, +905339284608 Security Consulting Systems Engineer, CCIE #21150 September 2016 Get ahead of
More informationCisco Next Generation Firewall Services
Toronto,. CA May 30 th, 2013 Cisco Next Generation Firewall Services Eric Kostlan Cisco Technical Marketing 2011 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 1 Objectives At the
More informationPrepKing. PrepKing
PrepKing Number: 642-961 Passing Score: 800 Time Limit: 120 min File Version: 6.8 http://www.gratisexam.com/ PrepKing 642-961 Exam A QUESTION 1 Which statement best describes the data center core layer?
More informationCISCO EXAM QUESTIONS & ANSWERS
CISCO 642-618 EXAM QUESTIONS & ANSWERS Number: 642-618 Passing Score: 800 Time Limit: 120 min File Version: 39.6 http://www.gratisexam.com/ CISCO 642-618 EXAM QUESTIONS & ANSWERS Exam Name: Deploying Cisco
More informationLicenses: Smart Software Licensing (ASAv, ASA on Firepower)
Licenses: Smart Software Licensing (ASAv, ASA on Firepower) Cisco Smart Software Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, smart
More informationService Graph Design with Cisco Application Centric Infrastructure
White Paper Service Graph Design with Cisco Application Centric Infrastructure 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 101 Contents Introduction...
More informationCisco Virtual Networking Solution for OpenStack
Data Sheet Cisco Virtual Networking Solution for OpenStack Product Overview Extend enterprise-class networking features to OpenStack cloud environments. A reliable virtual network infrastructure that provides
More informationCisco Firepower 9300 Security Appliance
Data Sheet Cisco Firepower 9300 Security Appliance The Cisco Firepower 9300 is a scalable, carrier-grade platform designed for service providers and others requiring low latency and exceptional throughput,
More informationDisclaimer CONFIDENTIAL 2
Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally
More informationDevice Management Basics
The following topics describe how to manage devices in the Firepower System: The Device Management Page, on page 1 Remote Management Configuration, on page 2 Adding Devices to the Firepower Management
More informationASACAMP - ASA Lab Camp (5316)
ASACAMP - ASA Lab Camp (5316) Price: $4,595 Cisco Course v1.0 Cisco Security Appliance Software v8.0 Based on our enhanced FIREWALL and VPN courses, this exclusive, lab-based course is designed to provide
More informationSecurity, Internet Access, and Communication Ports
Security, Internet Access, and Communication Ports The following topics provide information on system security, internet access, and communication ports: Security Requirements Security Requirements, on
More informationwith ACI Any workload anywhere.
Cisco IT: Scalable Enterprise UCS with ACI Any workload anywhere. Hugh Flanagan, Senior IT Engineer Jason Stevens, IT Engineer BRKCOC-0 Agenda Introduction Challenges of Large Scale UCS Deployments in
More informationFirepower Techupdate April Jesper Rathsach, Consulting Systems Engineer Cisco Security North April 2017
Firepower 6.2.1 Techupdate April 2017 Jesper Rathsach, Consulting Systems Engineer Cisco Security North April 2017 Firepower 6.2.1 Nr. 1 most important!! Firepower 6.2.1 BUGFIXES!!!!! Alle kendte severity
More informationImplementing Cisco Network Security (IINS) 3.0
Implementing Cisco Network Security (IINS) 3.0 COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using
More informationFirepower NGFW Deployment in the Data Center and Enterprise Network Edge Using FTD
Firepower NGFW Deployment in the Data Center and Enterprise Network Edge Using FTD Steven Chimes, Consulting Systems Engineer BRKSEC-2020 Agenda Deploy L3 Firewalls at the Edge Interfaces, Routing & NAT
More informationCisco ACI Multi-Pod and Service Node Integration
White Paper Cisco ACI Multi-Pod and Service Node Integration 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 68 Contents Introduction... 3 Prerequisites...
More informationInterfaces for Firepower Threat Defense
This chapter includes Firepower Threat Defense interface configuration including Ethernet settings, EtherChannels, VLAN subinterfaces, IP addressing, and more. About Firepower Threat Defense Interfaces,
More informationDeploy Microsoft SQL Server 2014 on a Cisco Application Centric Infrastructure Policy Framework
White Paper Deploy Microsoft SQL Server 2014 on a Cisco Application Centric Infrastructure Policy Framework August 2015 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
More informationCisco FirePOWER 8000 Series Appliances
Data Sheet Cisco FirePOWER 8000 Series Appliances Product Overview Finding a network security appliance with exactly the right throughput, interface options, and threat protection for all the different
More informationArista 7300X and 7250X Series: Q&A
Arista 7300X and 7250X Series: Q&A Product Overview What are the 7300X and 7250X Family? The Arista 7300X Series are purpose built 10/40GbE data center modular switches in a new category called Spline
More informationCisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003
Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003 Agenda ACI Introduction and Multi-Fabric Use Cases ACI Multi-Fabric Design Options ACI Stretched Fabric Overview
More informationWhat is New in Cisco ACE 4710 Application Control Engine Software Release 3.1
What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 PB478675 Product Overview The Cisco ACE Application Control Engine 4710 represents the next generation of application switches
More informationCisco Intelligent Traffic Director Deployment Guide with Cisco ASA
Cisco Intelligent Traffic Director with Cisco ASA Cisco Intelligent Traffic Director Deployment Guide with Cisco ASA 2016 Cisco and/or its affiliates. All rights reserved. 1 Cisco Intelligent Traffic Director
More informationA10 SSL INSIGHT & SONICWALL NEXT-GEN FIREWALLS
DEPLOYMENT GUIDE A10 SSL INSIGHT & SONICWALL NEXT-GEN FIREWALLS A10 NETWORKS SSL INSIGHT & FIREWALL LOAD BALANCING SOLUTION FOR SONICWALL SUPERMASSIVE NEXT GENERATION FIREWALLS OVERVIEW This document describes
More informationBusiness Resiliency Through Superior Threat Defense
Business Resiliency Through Superior Threat Defense Firepower 2100 Series/ Cisco Identity Services Engine Andre Lambertsen, Consulting Systems Engineer ala@cisco.com Cisco Firepower NGFW Fully Integrated
More informationIntuit Application Centric ACI Deployment Case Study
Intuit Application Centric ACI Deployment Case Study Joon Cho, Principal Network Engineer, Intuit Lawrence Zhu, Solutions Architect, Cisco Agenda Introduction Architecture / Principle Design Rollout Key
More informationFeatures. HDX WAN optimization. QoS
May 2013 Citrix CloudBridge Accelerates, controls and optimizes applications to all locations: datacenter, branch offices, public and private clouds and mobile users Citrix CloudBridge provides a unified
More informationCHECK POINT NEXT GENERATION SECURITY GATEWAY FOR THE DATACENTER
CHECK POINT 23500 NEXT GENERATION SECURITY GATEWAY FOR THE DATACENTER CHECK POINT 23500 NEXT GENERATION SECURITY GATEWAY Data center grade security, performance and reliability Product Benefits High performance
More informationTestOut Network Pro - English 4.1.x COURSE OUTLINE. Modified
TestOut Network Pro - English 4.1.x COURSE OUTLINE Modified 2017-07-06 TestOut Network Pro Outline - English 4.1.x Videos: 141 (18:42:14) Demonstrations: 81 (10:38:59) Simulations: 92 Fact Sheets: 145
More informationCisco ASA Next-Generation Firewall Services
Q&A Cisco ASA Next-Generation Firewall Services Q. What are Cisco ASA Next-Generation Firewall Services? A. Cisco ASA Next-Generation Firewall Services are a modular security service that extends the Cisco
More informationCisco HyperFlex Systems
White Paper Cisco HyperFlex Systems Install and Manage Cisco HyperFlex Systems in a Cisco ACI Environment Original Update: January 2017 Updated: March 2018 Note: This document contains material and data
More informationISG-600 Cloud Gateway
ISG-600 Cloud Gateway Cumilon ISG Integrated Security Gateway Integrated Security Gateway Cumilon ISG-600C cloud gateway is the security product developed by Systrome for the distributed access network
More informationUser Identity Sources
The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, on page 1 The
More informationSecurity Overview and Cisco ACE Replacement
Security Overview and Cisco ACE Replacement March, 2014 Florian Hartmann, Senior Systems Engineer DACH A10 Corporate Introduction Headquarters in San Jose 800+ Employees Offices in 32 countries Customers
More informationLayer 4 to Layer 7 Design
Service Graphs and Layer 4 to Layer 7 Services Integration, page 1 Firewall Service Graphs, page 5 Service Node Failover, page 10 Service Graphs with Multiple Consumers and Providers, page 12 Reusing a
More information21CTL Disaster Recovery, Workload Mobility and Infrastructure as a Service Proposal. By Adeyemi Ademola E. Cloud Engineer
21CTL Disaster Recovery, Workload Mobility and Infrastructure as a Service Proposal By Adeyemi Ademola E. Cloud Engineer 1 Contents Introduction... 5 1.2 Document Purpose and Scope...5 Service Definition...
More informationDeploying Cisco ASA Firewall Solutions (FIREWALL v1.0)
Cisco 642-617 Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0) Version: 4.8 QUESTION NO: 1 Which Cisco ASA feature enables the ASA to do these two things? 1) Act as a proxy for the server and generate
More informationCisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13
Q&A Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13 Q. What is the Cisco Cloud Services Router 1000V? A. The Cisco Cloud Services Router 1000V (CSR 1000V) is a router in virtual
More informationVXLAN Overview: Cisco Nexus 9000 Series Switches
White Paper VXLAN Overview: Cisco Nexus 9000 Series Switches What You Will Learn Traditional network segmentation has been provided by VLANs that are standardized under the IEEE 802.1Q group. VLANs provide
More informationCisco Virtual Office High-Scalability Design
Solution Overview Cisco Virtual Office High-Scalability Design Contents Scope of Document... 2 Introduction... 2 Platforms and Images... 2 Design A... 3 1. Configure the ACE Module... 3 2. Configure the
More informationTestOut Network Pro - English 5.0.x COURSE OUTLINE. Modified
TestOut Network Pro - English 5.0.x COURSE OUTLINE Modified 2018-03-06 TestOut Network Pro Outline - English 5.0.x Videos: 130 (17:10:31) Demonstrations: 78 (8:46:15) Simulations: 88 Fact Sheets: 136 Exams:
More informationCisco Nexus Data Broker
Data Sheet Cisco Nexus Data Broker Product Overview You used to monitor traffic mainly to manage network operations. Today, when you monitor traffic you can find out instantly what is happening throughout
More informationDeploying Cloud Network Services Prime Network Services Controller (formerly VNMC)
Deploying Cloud Network Services Prime Network Services Controller (formerly VNMC) Dedi Shindler - Sr. Manager Product Management Cloud System Management Technology Group Cisco Agenda Trends Influencing
More informationData collected by Trend Micro is subject to the conditions stated in the Trend Micro Privacy Policy:
Privacy and Personal Data Collection Disclosure Certain features available in Trend Micro products collect and send feedback regarding product usage and detection information to Trend Micro. Some of this
More informationSteelConnect. The Future of Networking is here. It s Application- Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN
Data Sheet SteelConnect The Future of Networking is here. It s Application- Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN The Business Challenge Delivery of applications is becoming
More informationFundamentals of Network Security v1.1 Scope and Sequence
Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document
More informationTraffic Flow, Inspection, and Device Behavior During Upgrade
Traffic Flow, Inspection, and Device Behavior During Upgrade You must identify potential interruptions in traffic flow and inspection during the upgrade. This can occur: When you upgrade the operating
More informationASA/PIX Security Appliance
I N D E X A AAA, implementing, 27 28 access to ASA/PIX Security Appliance monitoring, 150 151 securing, 147 150 to websites, blocking, 153 155 access control, 30 access policies, creating for web and mail
More informationTALK THUNDER SOFTWARE FOR BARE METAL HIGH-PERFORMANCE SOFTWARE FOR THE MODERN DATA CENTER WITH A10 DATASHEET YOUR CHOICE OF HARDWARE
DATASHEET THUNDER SOFTWARE FOR BARE METAL YOUR CHOICE OF HARDWARE A10 Networks application networking and security solutions for bare metal raise the bar on performance with an industryleading software
More informationQuestion No : 1 Which three options are basic design principles of the Cisco Nexus 7000 Series for data center virtualization? (Choose three.
Volume: 162 Questions Question No : 1 Which three options are basic design principles of the Cisco Nexus 7000 Series for data center virtualization? (Choose three.) A. easy management B. infrastructure
More informationCompare Security Analytics Solutions
Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch
More informationWHITE PAPER A10 SSL INSIGHT & FIREWALL LOAD BALANCING WITH SONICWALL NEXT-GEN FIREWALLS
WHITE PAPER A10 SSL INSIGHT & FIREWALL LOAD BALANCING WITH SONICWALL NEXT-GEN FIREWALLS TABLE OF CONTENTS EXECUTIVE SUMMARY... 3 INTRODUCTION... 3 SOLUTION REQUIREMENTS... 3 SOLUTION COMPONENTS... 4 SOLUTION
More informationArista 7170 series: Q&A
Arista 7170 series: Q&A Product Overview What are the 7170 series? The Arista 7170 Series are purpose built multifunctional programmable 100GbE systems built for the highest performance environments and
More informationVeloCloud Cloud-Delivered WAN Fast. Simple. Secure. KUHN CONSULTING GmbH
VeloCloud Cloud-Delivered WAN Fast. Simple. Secure. 1 Agenda 1. Overview and company presentation 2. Solution presentation 3. Main benefits to show to customers 4. Deployment models 2 VeloCloud Company
More informationThis release of the product includes these new features that have been added since NGFW 5.5.
Release Notes Revision A McAfee Next Generation Firewall 5.7.8 Contents About this release New features Enhancements Known limitations Resolved issues System requirements Installation instructions Upgrade
More informationConfigure FTD Interfaces in Inline-Pair Mode
Configure FTD Interfaces in Inline-Pair Mode Contents Introduction Prerequisites Requirements Components Used Background Information Configure Inline Pair Interface on FTD Network Diagram Verify Verify
More informationF5 Synthesis Information Session. April, 2014
F5 Synthesis Information Session April, 2014 Agenda Welcome and Introduction to Customer Technology Challenges Software Defined Application Services Reference Architectures for Today s Customer Challenges
More informationContain known and unknown malware with leading Cisco Advanced Malware Protection (AMP) and sandboxing.
Data Sheet Cisco Firepower NGFW The Cisco Firepower NGFW (next-generation firewall) is the industry s first fully integrated, threat-focused next-gen firewall with unified management. It uniquely provides
More informationAgile Security Solutions
Agile Security Solutions Piotr Linke Security Engineer CISSP CISA CRISC CISM Open Source SNORT 2 Consider these guys All were smart. All had security. All were seriously compromised. 3 The Industrialization
More informationBRKCOC-2399 Inside Cisco IT: Integrating Spark with existing large deployments
Inside Cisco IT: Integrating Spark with existing large deployments Jan Seynaeve, Sr. Collaborations Engineer Luke Clifford, Sr. Collaborations Engineer Cisco Spark How Questions? Use Cisco Spark to communicate
More informationEnterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV.
2 CHAPTER Cisco's Disaster Recovery as a Service (DRaaS) architecture supports virtual data centers that consist of a collection of geographically-dispersed data center locations. Since data centers are
More informationTransparent or Routed Firewall Mode
This chapter describes how to set the firewall mode to routed or transparent, as well as how the firewall works in each firewall mode. You can set the firewall mode independently for each context in multiple
More information