Deploying Intrusion Prevention Systems


2 Deploying Intrusion Prevention Systems
Mike Mercier, Consulting Systems Engineer
BRKSEC-2030

3 Agenda
- Introduction to IPS
- Cisco NGIPS Solutions
- Deploying Cisco NGIPS
- Migrating to Firepower NGIPS
- Conclusion

4 Objectives: What will you learn in this session?
- Next Generation Security and IPS Fundamentals: understand the basic premise of Next-Generation Firewalls and IPS
- Cisco NGIPS Solutions: understand the various Cisco NGIPS solution offerings and how they differ
- Deploying Cisco NGIPS: understand the process to select the right NGIPS solution, and the important considerations when deploying NGIPS
- Migrating to FirePOWER NGIPS: high-level understanding of the process of migrating to FirePOWER NGIPS
BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 4

5 Objectives: What is not covered (in depth) in this session?
Not covered in depth in this session, so check out:
- Deploying Firewalls: BRKSEC Firewall Deployment; BRKSEC Deploying Next Generation Firewall with ASA and Firepower Service
- Troubleshooting FirePOWER: BRKSEC Troubleshooting Cisco ASA with FirePOWER Services
- Detailed Migration to FirePOWER Services: BRKSEC Tips and Tricks for Successful Migration to FirePOWER Solutions
- Tuning FirePOWER: BRKSEC FirePOWER: Advanced Configuration and Tuning

6 Introduction to IPS

7 2015 Cisco Annual Security Report

8 Introduction to IPS: What is IPS?

9 Why do I need IPS? Challenges come from every direction
- Sophisticated Attackers
- Complicit Users
- Dynamic Threats
- Boardroom Engagement
- Defenders
- Complex Geopolitics
- Misaligned Policies

10 Cisco NGIPS Solutions

11 Cisco NGIPS Solutions: Cisco FirePOWER NGIPS
- Cisco FirePOWER Next-Generation IPS: Next-Generation IPS, Firewall and Anti-Malware solution
- Supported on FirePOWER 7000 and 8000 series appliances
- Supported on ASA5500-X and ASA5585-X, FP4K & FP9K (FTD)
- Supported on ISRG2 and ISR4000 series (UCS-E)
- Supported in VMware, AWS and KVM (6.1)
- Supported on Meraki MX appliances

12 Cisco NGIPS Solutions: Next-Generation Firewall
Next-Generation Firewalls perform deep inspection of traffic and threat prevention, building on the traditional firewall with:
- Integrated signature-based IPS engine
- Application visibility and granular control (AVC)
- Identity awareness and control
- URL Filtering
- Capability to incorporate external information (feeds)

13 Cisco NGIPS Solutions: Traditional IPS
Traditional IPS provides signature-based pattern matching for detection and prevention of intrusion attempts.
- Typically deployed behind a firewall or in IDS mode
- Typically a bump in the wire
- Often looks for exploits rather than vulnerabilities
- Often overwhelms with irrelevant events
- Not much contextual information to take action on
- Requires a high level of tuning
As a result, traditional IPS:
- Often needs additional devices to perform other related tasks
- Is often minimally effective or isn't used
- Requires massive amounts of time and resources to make it work
- May leave organizations exposed

14 Cisco NGIPS Solutions: Next-Generation IPS
Next-Generation IPS extends traditional IPS with:
- Application awareness, to enable visibility into new L7 threats and reduce the attack surface
- Contextual awareness, providing information to help better understand events, provide automation and reduce cost/complexity/tuning
- Content awareness, to determine different file types and whether or not they are malicious
Next-Generation IPS is often deployed as part of a Next-Generation Firewall.

15 Cisco NGIPS Solutions: What does a Security Appliance offer?

16 Cisco NGIPS Solutions: ASA with FirePOWER Services
Base Hardware and Software
- 5585-X bundle SKUs with FirePOWER Services module
- 5500-X SKUs running FirePOWER Services software
- New 5506/8/16-X for SMB, distributed enterprises and industrial control
- Hardware includes Application Visibility and Control (AVC)
Security Subscription Services
- FirePOWER Services licenses separate from the ASA license
- IPS, URL, Advanced Malware Protection (AMP) subscription services
- One- and three-year term options
- Available via ELA
Management
- Firepower Management Center (HW appliance or virtual)
- Cisco Security Manager (CSM) or ASDM to manage ASA features
- ASDM manages both ASA and FirePOWER Services on new ASA low/mid models

17 Cisco NGIPS Solutions: ASA with FirePOWER Services Architecture
- ASA processes all ingress/egress packets
- No packets are directly processed by FirePOWER except for management
- Traffic is forwarded to the FirePOWER module using a policy-map
- FirePOWER provides Next Generation Firewall services
[Diagram: ASA 5585-X with FirePOWER Services. SFR module (crypto or regex engine, CPU complex, 10GE NICs, ports) and ASA module (crypto engine, CPU complex, 10GE NICs, ports) joined by the fabric switch backplane; flows shown are ASA ingress, FirePOWER ingress, and egress after FirePOWER processing]

18 Cisco NGIPS Solutions: ASA with FirePOWER Services (low end)
- ASA 5506-X: 250 Mbps AVC, 125 Mbps AVC+IPS
- ASA 5506W-X (integrated wireless AP): 250 Mbps AVC, 125 Mbps AVC+IPS
- ASA 5506H-X (ruggedized): 250 Mbps AVC, 125 Mbps AVC+IPS
- ASA 5508-X: 450 Mbps AVC, 250 Mbps AVC+IPS
- ASA 5516-X: 850 Mbps AVC, 450 Mbps AVC+IPS

19 Cisco NGIPS Solutions: ASA with FirePOWER Services (mid-range)
- ASA 5516-X: 900 Mbps AVC, 450 Mbps AVC+IPS
- ASA 5525-X: 1.1 Gbps AVC, 650 Mbps AVC+IPS
- ASA 5545-X: 1.5 Gbps AVC, 1 Gbps AVC+IPS
- ASA 5555-X: 1.75 Gbps AVC, 1.25 Gbps AVC+IPS

20 Cisco NGIPS Solutions: ASA 5585-X with FirePOWER Services
- ASA 5585-X SSP 10: (AVC figure not legible) Gbps AVC, 2 Gbps AVC+IPS
- ASA 5585-X SSP EP 10/40: 4.5 Gbps AVC, 4.5 Gbps AVC+IPS
- ASA 5585-X SSP 20: 7 Gbps AVC, 3.5 Gbps AVC+IPS
- ASA 5585-X SSP EP 20/…: 7 Gbps AVC, 7 Gbps AVC+IPS
- ASA 5585-X SSP 40: 10 Gbps AVC, 6 Gbps AVC+IPS
- ASA 5585-X SSP 60: 15 Gbps AVC, 10 Gbps AVC+IPS

21 Cisco NGIPS Solutions: FirePOWER Appliances
Base Hardware and Software
- Single-pass architecture
- 8000 Series: modular interface options (NetMods), including 10 and 40 Gbps; clustering support for HA; stacking capable for increased throughput up to 60 Gbps
- 71x5 Series with 8 fail-closed SFP ports
- 7000 Series with built-in 1 Gbps copper interfaces
- Virtual FirePOWER NGIPSv for VMware ESX(i)
Security Subscription Services
- IPS, URL, Advanced Malware Protection (AMP) subscription services
- One- and three-year term options
- Available via ELA
Management
- Firepower Management Center (HW appliance or virtual)

22 Cisco NGIPS Solutions: FirePOWER Appliances Architecture
[Diagram, top to bottom: FirePOWER applications (NGIPS, AppID, AMP) with application/control plane processing on the CPU; NFE: L2-L7 classification, stateful flow processing, PKI and bulk cryptography, flow-based load balancing; NMSB: L2 switching / L3 routing / NAPT, L2-L4 packet classification, packet-based load balancing; physical interfaces: integrated bypass relays, NetMods]

23 Cisco NGIPS Solutions: FirePOWER Appliances performance range
- NGIPSv: ~250 Mbps to ~2 Gbps
- 7000-series: 50 to 250 Mbps
- 7100-series: 500 Mbps to 2 Gbps
- 8100-series: 2 to 12 Gbps
- 8300-series: 10 to 60 Gbps

24 Cisco NGIPS Solutions: Comparing ASA with FirePOWER Services with FirePOWER Appliances
- Form Factor: ASA with FirePOWER Services: ASA 5500-X, 5585-X. FirePOWER Appliances: 8000, 7000 physical and virtual appliances
- Performance: ASA: up to 10 Gbps NGIPS on a single 5585-X SSP60. Appliances: up to 60 Gbps on 8390
- Deployment: ASA: physical ASA inline deployment, HA, clustering; inline and promiscuous. Appliances: physical or SPAN deployment, HA; inline and promiscuous
- Use Case: both: NGIPS and NGFW
- Packet Flow: ASA: from ASA to FirePOWER module. Appliances: directly through the FirePOWER appliance
- Management: ASA: CSM/ASDM for ASA, FMC/ASDM for FirePOWER Services. Appliances: Firepower Management Center

25 Cisco NGIPS Solutions: Comparing ASA with FirePOWER Services with FirePOWER Appliances (features)
- Features: ASA with FirePOWER Services: all ASA + most FirePOWER features. FirePOWER Appliances: FirePOWER features
- Multi-Context: ASA: ability to apply FirePOWER policy per context and generate reports on a per-context basis. Appliances: ability to define Security Zones and apply policy and generate reports per zone
- SSL Decryption: ASA: currently only with external appliance. Appliances: integrated as well as external appliance
- VPN: ASA: multiple remote-access and site-to-site options (IPSec, SSL). Appliances: limited site-to-site IPSec support
- HA: ASA: Active/Standby, Active/Active, Clustering. Appliances: Active/Standby (Clustering)
- Routing: ASA: Static, EIGRP, OSPF, BGP, RIP, Multicast. Appliances: Static, OSPF, RIP
- Identity: ASA: SFUA AD Agent, CDA and TrustSec on ASA module. Appliances: SFUA, AD Agent, Passive Discovery
- Bypass: ASA: Fail-Open. Appliances: Automatic Application Bypass, HW Bypass

26 Cisco NGFW Platforms
- New appliances: Cisco Firepower 4100 Series and 9300
- Cisco Firepower Threat Defense on ASA 5500-X
- Cisco FirePOWER Services on ASA 5585-X
- All* managed by Cisco Firepower Management Center
* 5585-X management available 2H CY16

27 Converged Software: Firepower Threat Defense
- New converged software image: Firepower Threat Defense
- Contains all Firepower Services plus select ASA capabilities
- Single manager: Firepower Management Center*
- Same subscriptions as FirePOWER Services: Threat (IPS + SI + DNS), Malware (AMP + ThreatGrid), URL Filtering
* Also manages Firepower Appliances, Firepower Services (not ASA Software)

28 High-Level Feature Comparison: ASA with FirePOWER Services, Firepower Threat Defense
Note: Not an exhaustive list of differences between these offerings. Feature rows, with the slide's notes for Firepower Threat Defense where given:
- HA, NAT
- Routing (Multicast & EIGRP in 6.1)
- Unified ASA and Firepower rules/objects
- Local Management (in 6.1, features differ)
- Multi-Context
- Inter-chassis Clustering
- VPN (Site-to-Site VPN in 6.1)
- Hypervisor Support (AWS, VMware; KVM in 6.1)
- Smart Licensing support

29 What Platforms run Firepower Threat Defense?
- New appliances: Cisco Firepower Threat Defense on Firepower 4100 Series and 9300
- Cisco Firepower Threat Defense on ASA 5500-X
- All* managed by Cisco Firepower Management Center
* 5585-X ASA module management being investigated for 2H CY16
Also managed: Cisco FirePOWER Services on ASA 5585-X; Cisco FirePOWER on 7000/8000 Series Appliances

30 Cisco Firepower 4100 Series: Introducing four new high-performance models
Performance and Density Optimization
- 10-Gbps and 40-Gbps interfaces
- Up to 80-Gbps throughput
- 1-rack-unit (RU) form factor
- Low latency
Multiservice Security
- Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
- Radware DefensePro DDoS
- ASA and other future third party
Unified Management
- Single management interface with Firepower Threat Defense
- Unified policy with inheritance
- Choice of management deployment options

31 Cisco Firepower 9300 Platform: High-speed, scalable security
Modular
- Benefits: standards and interoperability; flexible architecture
- Features: template-driven security; secure containerization for customer apps; RESTful/JSON API; third-party orchestration and management
Multiservice Security
- Benefits: integration of best-in-class security; dynamic service stitching
- Features*: Cisco ASA container; Cisco Firepower Threat Defense containers: NGIPS, AMP, URL, AVC; third-party containers: Radware DDoS, other ecosystem partners
Carrier Class
- Benefits: industry-leading performance: 600% higher performance, 30% higher port density
- Features: compact 3RU form factor; 10-Gbps/40-Gbps I/O, 100-Gbps ready; terabit backplane; low latency, intelligent fast path; Network Equipment-Building System (NEBS) ready
* Contact Cisco for services availability

32 Security Modules
Three security module configurations:
- SM36: 72 x86 CPU cores for up to 80 Gbps of firewalled throughput
- SM24: 48 x86 CPU cores for up to 60 Gbps of firewalled throughput
- (Future) NEBS: SM24 NEBS certification
- Dual 800GB SSD in RAID1 by default
- Built-in hardware packet and flow classifier and crypto accelerator
- Hardware VPN acceleration is targeted for a subsequent software release

33 Cisco Firepower 9300 Overview
Supervisor
- Application deployment and orchestration
- Network attachment (10/40/100GE) and traffic distribution
- Clustering base layer for Cisco ASA, NGFW, and NGIPS
Security Modules
- Embedded packet and flow classifier and crypto hardware
- Cisco (ASA, NGFW, and NGIPS) and third-party (DDoS, load-balancer) applications
- Standalone or clustered within (up to 240 Gbps) and across (1 Tbps+) chassis

34 Firepower Threat Defense Packet Flow
[Diagram of stages from ingress NIC to egress NIC: Packet Library (PDTS: zero copy, single OS); L2/L3 decode; flow lookup; L4 decode; route lookup; NAT lookup; inspection checks; FirePOWER Services (IPS, AVC, File/AMP, event database); flow update; routing; NAT]

35 Cisco Firepower Management Center: Single Console for Event, Policy and Configuration Management
Unified
- Network-to-endpoint visibility
- Manages firewall, applications, threats, and files
- Track, contain, and recover remediation tools
Scalable
- Central, role-based management
- Multitenancy
- Policy inheritance
Automated
- Impact assessment
- Rule recommendations
- Remediation APIs

36 Deploying Cisco NGIPS

37 IPS Deployment Cycle: Policy; Evaluation; Planning & Hardware Selection; Implementation & Operation

38 Policy: Network Security Policy
- Outlines rules for computer network access
- Determines how policies are enforced
- Basic architecture of the network security environment
- Keep malicious users, applications and traffic out
- Keep internal data in
- Attack mitigation and incident response
- Align to business needs

39 IPS Deployment Cycle: Policy; Evaluation; Planning & Hardware Selection; Implementation & Operation

40 Planning and Hardware Selection: Define your requirements
- Details how the Security Policy will be met
- Write-up of all requirements to prepare for implementation
- Determine places in the network to deploy
- Define the capabilities needed within each place in the network
- Determine if there are any complementary solutions in place (integration)
Good planning will lead to a successful implementation:
- Reduces complexity
- Predictability and risk awareness
- Select devices based on requirements

41 Planning and Hardware Selection: Define your requirements
- Use Case
- Location
- Hardware
- Connectivity
- Features and Licenses
- Performance
- Availability and Scaling
- Management
- Implementation

42 Planning and Hardware Selection: Define your requirements (Use Case, Location, Connectivity, Performance, Availability and Scaling, Management)

43 Use Case: What problem are we solving?
Traditional FW
- 5-tuple access control
- Stateful protocol inspection
- NAT, Routing
- VPN: remote access, site-to-site
NGFW
- NAT, Routing
- Application Visibility and Control
- User-based controls
- Filtering web access
- Encrypted traffic
- Malware: Trojan horses, rootkits, ...
- Scope spreading 0-days
NGIPS
- Intrusion Detection
- Intrusion Prevention
- Encrypted traffic
- Compliance
- Network Forensics

44 Use Case: Inspecting Encrypted Traffic
- > 30% of Internet traffic is SSL encrypted, hiding it from inspection (Google, Facebook, Office 365)
- Continues to increase, with most organizations seeing 50-75%
- Google to prioritize sites using SSL
- Increasing % of malware is hiding in SSL tunnels: malware downloads, CnC connections, data exfiltration
- Policy enforcement and threat protection

45 Use Case: Inspecting Encrypted Traffic
[Diagram: client and server exchange encrypted traffic; FirePOWER inspects decrypted traffic either on-box or via an SSL Appliance]
- Use new built-in SSL inspection for simplicity and cost-effectiveness
- Choose external SSL for high bandwidth and the ability to inspect with other solutions, e.g. DLP

46 Use Case: Inspecting Encrypted Traffic with on-box decryption
- Multiple deployment modes: Passive Inbound (known keys); Inbound Inline (with or without keys); Outbound Inline (without keys)
- Flexible SSL support for HTTPS & StartTLS-based apps, e.g. SMTPS, POP3S, FTPS, IMAPS, TelnetS
- Decrypt by URL category and other attributes
- Centralized enforcement of SSL certificate policies, e.g. blocking self-signed encrypted traffic, SSL version, specific cipher suites, unapproved mobile devices

47 Use Case: Inspecting Encrypted Traffic with external appliance
Cisco SSL Appliance 1500, 2000, 8200 (4, 10 and 20 Gbps)
- Encrypted traffic flow: decrypted by the SSL Appliance, re-encrypted by the SSL Appliance
- Plain text traffic flow: forwarded by the SSL Appliance, sent to the sensor, processed and returned to the SSL Appliance
- Clear text traffic: packets returning from the sensor are not re-encrypted; modifications made to packets by the sensor are not present in the encrypted traffic flow
- Non-SSL traffic is cut through
[Diagram: inside network carries SSL traffic with the rewritten certificate, outside network carries SSL traffic with the original certificate, SSL Appliance in between with the sensor attached]

48 Use Case: Intrusion Detection and Reporting (passive)
- Identify and log intrusion attempts
- Need to prioritize events based on: criticality of the asset; relevancy of the attack; potential for damage
- What signatures to enable?
- How to avoid noise, false positives and non-relevant events?
- How to maximize the effectiveness of the analyst?
- How to deal with encrypted traffic?
- Contextual visibility is key!
[Diagram: Ethernet switch with a SPAN destination port feeding the sensor's passive interface]

49 Use Case: Intrusion Prevention
- Identify, log and/or prevent intrusion attempts
- All of what matters for IDS also applies to IPS
- The right tuning is even more important, because false positives may drop good traffic
- Inline deployment may have an impact on performance
- Often IPS is deployed as IDS, then tuned before inline deployment
- Contextual visibility is key!
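Slides 48 and 49 ask how to rank events by criticality of the asset, relevancy of the attack and potential for damage before an analyst sees them. The following is an added example, not code from the deck or from Cisco: it models that triage with a small host inventory and a handful of constructed events, using a four-level impact scheme (target vulnerable, service present, service absent, target unknown) in the spirit of the impact flags the Firepower Management Center assigns. The criticality scale, the weights, the Snort-style signature IDs and the vulnerability identifiers are all assumptions made for the example.

```python
"""Context-aware triage of IDS events (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    criticality: int                                # assumed scale: 1 (lab box) .. 5 (crown jewels)
    listening: dict = field(default_factory=dict)   # port -> service name seen by passive discovery
    vulns: set = field(default_factory=set)         # vulnerability ids the host is known to carry


@dataclass
class Event:
    sig_id: str            # Snort-style gid:sid, constructed
    dst_ip: str
    dst_port: int
    target_service: str    # service the rule targets, e.g. "http"
    vuln_ids: set          # vulnerabilities the rule detects exploitation of
    action: str            # "dropped" (inline block) or "alerted" (passive / alert only)


def impact_level(ev, inventory):
    """1 = target vulnerable, 2 = service present but not known vulnerable,
    3 = host known, service absent, 4 = target not in the network map."""
    host = inventory.get(ev.dst_ip)
    if host is None:
        return 4
    if ev.vuln_ids & host.vulns:
        return 1
    if host.listening.get(ev.dst_port) == ev.target_service:
        return 2
    return 3


def priority(ev, inventory):
    """Higher is more urgent: relevancy (from impact) x asset criticality,
    discounted when the sensor already dropped the traffic."""
    level = impact_level(ev, inventory)
    host = inventory.get(ev.dst_ip)
    crit = host.criticality if host else 3          # unknown asset: assume mid criticality
    relevancy = {1: 4, 2: 3, 4: 2, 3: 1}[level]     # unknown target outranks "service absent"
    discount = 0.5 if ev.action == "dropped" else 1.0
    return relevancy * crit * discount


def triage(events, inventory):
    """Return events ordered most urgent first."""
    return sorted(events, key=lambda e: priority(e, inventory), reverse=True)


# Constructed inventory and events; VULN-* ids are placeholders, not real CVEs.
INVENTORY = {
    "10.1.1.10": Host("10.1.1.10", 5, {80: "http", 443: "https"}, {"VULN-A"}),
    "10.1.1.20": Host("10.1.1.20", 2, {22: "ssh"}, set()),
}
EVENTS = [
    Event("1:1000001", "10.1.1.10", 80, "http", {"VULN-A"}, "alerted"),   # vulnerable crown jewel
    Event("1:1000002", "10.1.1.20", 80, "http", {"VULN-B"}, "alerted"),   # no web server there: noise
    Event("1:1000003", "10.9.9.9", 445, "smb", {"VULN-C"}, "alerted"),    # host not in network map
    Event("1:1000004", "10.1.1.20", 22, "ssh", {"VULN-D"}, "dropped"),    # ssh present, already blocked
]

if __name__ == "__main__":
    for ev in triage(EVENTS, INVENTORY):
        print(ev.sig_id, ev.dst_ip, "impact", impact_level(ev, INVENTORY),
              "priority", priority(ev, INVENTORY))
```

The ordering that comes out (vulnerable critical host first, unknown target second, the already-blocked attempt third, the attempt against a service the host does not run last) is the point of the slide: the same four alerts would be indistinguishable without the passive discovery data.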

50 Use Case: Licensing
Functionality | Traditional Licensing | Smart Licensing
- Base License (includes AVC) | Protect + Control | Base
- IPS (SI, DNS) | (EULA Enforced) | Threat
- AMP/Threat Grid | Malware | Malware
- URL Filtering | URL Filtering | URL Filtering
- Management | FireSIGHT | Built into Firepower Management Center

51 Planning and Hardware Selection: Define your requirements (Use Case, Location, Connectivity, Performance, Availability and Scaling, Management)

52 Location: What network segment do we want to protect?
- Internet Edge
- Data Center
- Branch
- Core
- Extranets
- Critical Network Segments

53 Location: Internet Edge
- The enterprise's gateway to cyberspace
- Serves diverse building blocks
- Allow outbound employee traffic and inbound traffic to servers
- Filter outbound employee traffic
- Need for diversified policy protecting both DMZ and users
- Expected threats include (D)DoS, intrusion attempts, application-layer attacks
- URL and application filtering, IPS/IDS, SSL decryption, anti-malware

54 Location: Data Center
- Houses the most critical applications and data
- Key to security is maintaining service availability
- Security may affect traffic flows, scalability and failures
- Perceived universal DC requirements include high availability, ability to deal with asymmetric traffic, scalability
- Expected threat vectors include data loss, unauthorized access
- Some use cases for IPS in the DC are inter-zone inspection and VM-to-VM inspection

55 Planning: Define your requirements (Use Case, Location, Connectivity, Performance, Availability and Scaling, Management)

56 Connectivity: What interfaces are needed?
- How many interfaces?
- Fiber or copper?
- Bypass or non-bypass?
- Interface speed?
- Need for bundling interfaces?
- Need for wireless?

57 Connectivity: Interface Options on ASA with FirePOWER Services
Columns: 5506-X | 5506H-X | 5506W-X | 5508-X/5516-X | 5525-X/5545-X/5555-X
- Fixed 1GE interfaces: (counts not legible)
- Modular interfaces: NO | NO | NO | NO | 6 GE copper or SFP
- Integrated wireless AP: NO | NO | YES | NO | NO
- Hardware fast path: NO | NO | NO | NO | NO
- Monitor-only mode: YES | YES | YES | YES | YES

58 Connectivity: Interface Options on ASA 5585-X with FirePOWER Services
Columns (as extracted): SSP10F, SSP20F, SSP10F, SSP20F, SSP40F, SSP60F
- Fixed 1GE interfaces: (counts not legible)
- SFP+ sockets: 4 (1/10 GE) | 6 (1/10 GE) | 8 (1/10 GE)
- Hardware fast path: NO | NO | NO
- Monitor-only mode: YES | YES | YES

59 Connectivity: Interface Options on FirePOWER Appliances
Values given per column, NGIPSv first, then the appliance series in ascending order:
- Modular interfaces: N.A | NO | 8 GE copper or SFP* | up to 3 modules (1, 10 GE) | up to 7 modules (1, 10, 40 GE)
- Monitoring interfaces (max): N.A | (remaining counts not legible)
- Hardware bypass: NO | YES | YES | YES | YES
- Hardware fast path: NO | NO | NO | YES | YES
* 7115, 7125, and 7150 models only

60 Connectivity: Network Modules for FirePOWER 8000 Series
Integrated Bypass NetMods
- 1-Gbps 4-port copper
- 1-Gbps 4-port fiber
- 10-Gbps 2-port fiber SR (short-reach)
- 10-Gbps 2-port fiber LR (long-reach)
Non-Bypass NetMods
- 1-Gbps 4-port copper
- 1-Gbps 4-port fiber
- 10-Gbps 4-port fiber SR (short-reach)
- 10-Gbps 4-port fiber (long-reach)
- 40-Gbps 2-port fiber SR (8200/8300 only)

61 Connectivity: Interface Options on ASA with FirePOWER Services (FP4100 and FP9300)
- Fixed 10GE interfaces: FP4100: 8. FP9300: 8
- SFP+ sockets: FP4100: 2 (8/10 GE SFP+), 2 (4/40 GE QSFP+). FP9300: 2 (8/10 GE SFP+), 2 (4/40 GE QSFP+), 1 (2/100 GE SFP28)
- Integrated bypass: future version (both)
- Flow offload: future version (both)
- Monitor-only mode: YES (both)

62 Connectivity: Link Aggregation for Link Redundancy and Scaling
- Combine multiple links into one aggregated link (port-channel)
- Availability and throughput
- Manual (always on) EtherChannel or LACP
- Supported on ASA, Firepower and FirePOWER appliances
- ASA and Firepower: multiple firewalls can be members of one port-channel (used in Clustering)
- FirePOWER Appliances: only supported to aggregate interfaces on the same device
[Diagram: NGIPS appliance ports s1p1 to s1p4 bundled as lag0 towards a switch]

63 Connectivity: How should the IDS/IPS be connected?
FirePOWER Appliance
- Promiscuous: Passive interface
- Inline: Inline Interfaces, Virtual Switched Mode, Virtual Routed Mode
ASA with FirePOWER Services
- Inline
- Promiscuous
- SPAN Port Mode
FTD
- Inline
- Inline Tap
- Passive

64 Connectivity: FirePOWER Appliance Deployment Models
Traditional IPS Deployment
- Bump in the wire, entirely transparent to the network
- Bypass functionality
- Easy to insert into an existing network
- i.e. FirePOWER Inline Interfaces
Traditional IDS Deployment
- SPAN, TAP to send a copy of traffic to the IDS
- Does not impact network traffic
- Easy to insert into an existing network
- i.e. Passive Mode
Traditional Transparent Firewall Deployment
- No bypass functionality
- Can actively participate in the network (i.e. keeps CAM table, can broadcast ARP requests)
- State-sharing is a requirement for network continuity in HA pairs
- i.e. Virtual Switched Mode
Traditional Routed Firewall Deployment
- FW is a hop in the network between L3 boundaries
- Has to be aware of routing protocols
- State-sharing is a requirement for network continuity in HA pairs
- i.e. Virtual Routed Mode

65 Connectivity: FirePOWER Appliance Promiscuous (Passive Interface)
- FirePOWER Appliances and NGIPSv
- Only copies of the packets are sent to the sensor
- One or more physical ports designated as passive
- Visibility and detection
- Optional prevention through remediation modules
- A separate device must send copies of the packets: SPAN (or monitor) from a switch, or network taps
[Diagram: Ethernet switch SPAN destination port connected to the sensor's passive interface]
Switch-side SPAN configuration shown on the slide:
  monitor session 1 type local
   source interface fa4/1
   destination interface fa2/2

66 Connectivity: FirePOWER Appliance Inline (Inline Interfaces)
- Two physical interfaces paired together
- Paired interfaces must be assigned to an inline set
- Multiple pairs can be configured on the same sensor as sets
- IPS between two access ports on the same switch or between two different switches
- Traffic passes through the sensor: pass good traffic, and block bad
- Redundancy can be provided with STP or an additional sensor
- Fail-open can be provided with hardware-bypass interfaces
- Sensor sits between two physical ports on a switch or two different switches
- Transparent interfaces: the sensor is a Layer 2 bridge

67 Connectivity: FirePOWER Appliance Inline, Configuring Inline Interfaces
- Create an Inline Set
- Select bypass mode
- Assign one or more interface pairs to the Inline Set
- Advanced options: Tap Mode; Propagate Link State; Transparent Inline Mode; Strict TCP Enforcement

68 Connectivity: FirePOWER Appliance Inline, Virtual Switched Mode
- Virtual Switch is defined within the sensor
- Traditional L2 firewall deployment model
- Two or more physical interfaces or VLANs are assigned to the Virtual Switch
- Traffic passes through the IPS and gets inspected
- The incoming VLAN tag is stripped, and packets are re-encapsulated with the egress VLAN tag when leaving
- Security redundancy (HA) can be provided with STP deployments
- Network availability (fail-open) can be provided with a redundant wire
[Diagram: HostA on VLAN10 and HostB on VLAN20 bridged through the sensor's virtual switch]

69 Connectivity: FirePOWER Appliance Inline, Configuring Inline Switched Mode
- Create logical switched interfaces for each VLAN*
- Create a Virtual Switch
- Add logical or physical interfaces to the Virtual Switch
- Advanced options: Static MAC Entries; Enable STP; Strict TCP Enforcement; Drop BPDUs

70 Connectivity: FirePOWER Appliance Inline, Virtual Routed Mode
- Two or more physical or logical (VLAN) interfaces defined as routable interfaces
- Traditional L3 firewall deployment: route good traffic, and drop bad
- Static routing, RIP, OSPF and BGP are supported
- Redundancy can be provided through SFRP to a standby sensor
- Fail-open is NOT supported in routed mode
[Diagram: routed interfaces on the sensor]

71 Connectivity: FirePOWER Appliance Inline, Configuring Virtual Routed Mode
- Create logical routed interfaces for each VLAN*
- Assign IP addresses to logical or physical routed interfaces
- Create a Virtual Router
- Add logical or physical interfaces to the Virtual Router
- Configure routing type
- Advanced options: IPv6 Support; DHCP Relay; Static Routing Entries; Routing Filter; Authentication Profile

72 Connectivity: ASA with FirePOWER Services Deployment Models
The ASA itself could be deployed in many ways:
- L2 (Transparent) / L3 (Routed mode)
- Single-Context / Multi-Context
- Active/Standby, Active/Active, Clustering
Modular Policy Framework (MPF) is used to forward traffic from the ASA to FirePOWER Services:
- Inline
- Promiscuous (monitor-only)
  policy-map global_policy
   class class-default
    sfr fail-open
  service-policy global_policy global

73 Connectivity: ASA with FirePOWER Services Inline
- ASA is deployed inline
- ASA forwards selected traffic through the module, as defined in the ASA policy-map
- Packets and flows are not dropped by FirePOWER Services directly: packets are marked with Drop or Drop with Reset and sent back to the ASA
- This allows the ASA to clear the connection from the state tables and send resets if needed
- L3 or L2 mode ASA
  policy-map global_policy
   class class-default
    sfr fail-open
  service-policy global_policy global

74 Connectivity: ASA with FirePOWER Services Promiscuous
- ASA is still deployed inline
- ASA forwards a copy of the selected traffic through the module, as defined in the ASA policy-map
- Monitor-only option in the policy-map
- L3 or L2 mode ASA
- Visibility and detection
- Optional prevention through remediation modules
  policy-map global_policy
   class class-default
    sfr fail-open monitor-only
  service-policy global_policy global

75 Connectivity: ASA with FirePOWER Services SPAN Port Mode
- ASA interface connected to a SPAN port; ASA not in the data path
- Monitor-only configured on the interface
- This interface cannot be used for regular ASA functionality
- Other ASA interfaces can still be inline but cannot forward traffic to the FirePOWER module
- Only supported in transparent, single-context mode
- Visibility and detection
- Transparent mode ASA
  firewall transparent
  interface GigabitEthernet0/0
   traffic-forward sfr monitor-only
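The MPF statements on slides 72 to 75 are all that decides whether the module sees traffic inline or as a copy, and what happens to traffic when the module is down. The following is an added example, not code from the deck or from Cisco: a small Python audit that parses an ASA running-config excerpt (constructed below) and reports each sfr redirect's mode, failure behaviour and whether its policy-map is actually applied, plus any interface in SPAN-port mode. It recognises only the statements the slides show (policy-map, class, sfr, service-policy, traffic-forward sfr); the sample configuration and its names are constructed.

```python
"""Audit ASA MPF configuration for FirePOWER (sfr) redirection (added example)."""
import re

# Constructed running-config excerpt: one applied policy-map redirecting
# everything fail-open, one defined-but-never-applied policy-map, and one
# interface in SPAN-port (traffic-forward) mode.
SAMPLE_CONFIG = """\
firewall transparent
!
interface GigabitEthernet0/0
 nameif span
 traffic-forward sfr monitor-only
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class class-default
  sfr fail-open
policy-map dmz_ips
 class dmz_traffic
  sfr fail-close
!
service-policy global_policy global
"""


def parse_mpf(config_text):
    """Single pass over the indented ASA config collecting sfr-related statements."""
    policy_maps = {}   # policy-map name -> {class name -> sfr line or None}
    bindings = {}      # policy-map name -> "global" or "interface <nameif>"
    span_ports = []    # (interface, traffic-forward line)
    pm = cls = iface = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():                 # top-level statement: new context
            pm = cls = iface = None
            m = re.fullmatch(r"policy-map (\S+)", line)   # skips "policy-map type inspect ..."
            if m:
                pm = m.group(1)
                policy_maps.setdefault(pm, {})
                continue
            m = re.fullmatch(r"service-policy (\S+) (global|interface \S+)", line)
            if m:
                bindings[m.group(1)] = m.group(2)
                continue
            m = re.fullmatch(r"interface (\S+)", line)
            if m:
                iface = m.group(1)
            continue
        if pm is not None and line.startswith("class "):
            cls = line.split(None, 1)[1]
            policy_maps[pm].setdefault(cls, None)
        elif pm is not None and cls is not None and line.split()[0] == "sfr":
            policy_maps[pm][cls] = line
        elif iface is not None and line.startswith("traffic-forward sfr"):
            span_ports.append((iface, line))
    return policy_maps, bindings, span_ports


def describe_sfr(sfr_line):
    """'sfr fail-open monitor-only' -> ('monitor-only', 'fail-open')."""
    tokens = sfr_line.split()
    mode = "monitor-only" if "monitor-only" in tokens else "inline"
    if "fail-close" in tokens:
        failure = "fail-close"
    elif "fail-open" in tokens:
        failure = "fail-open"       # traffic bypasses inspection if the module fails
    else:
        failure = "unspecified"
    return mode, failure


def audit(config_text):
    """Return (policy_map, class, mode, failure, scope) tuples; scope is
    'not applied' when no service-policy binds the policy-map."""
    policy_maps, bindings, span_ports = parse_mpf(config_text)
    findings = []
    for pm, classes in policy_maps.items():
        for cls, sfr_line in classes.items():
            if sfr_line is None:
                continue                          # class never reaches the module
            mode, failure = describe_sfr(sfr_line)
            findings.append((pm, cls, mode, failure, bindings.get(pm, "not applied")))
    for iface, _ in span_ports:
        findings.append(("interface", iface, "monitor-only", "n/a", "span-port"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("%-14s %-18s %-12s %-11s %s" % finding)
```

Running it over the sample flags the two things a reviewer would want to see at a glance: global_policy sends class-default to the module inline but fail-open, and dmz_ips redirects fail-close yet is bound nowhere, so its traffic is not inspected at all.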

76 Connectivity: Firepower Threat Defense Interface Modes
[Diagram: interface modes shown against the policy tables: Passive; Routed/Transparent; Inline Pair 1 and Inline Pair 2 grouped in an Inline Set; Inline Tap]

77 Planning: Define your requirements (Use Case, Location, Connectivity, Performance, Availability and Scaling, Management)

78 Performance: How to Measure, and Why It Matters
- Sizing: Which device do I need to buy? Upgrade of an existing device, or a new device?
- Features: What features am I going to need or want to run? Firewall, IPS, Application Control, URL, Malware?
- Location: Where is the device in the network? In front of a DNS-only datacenter with millions of very small, very fast transactions, or in front of HTTP web servers serving normal web pages? A datacenter looking only at internal traffic, or an Internet Edge looking at the wild Internet?
- As with all performance discussions, YOUR MILEAGE MAY VARY!!

79 Performance: Determining Your IPS Performance Needs
- What does your traffic mix look like?
- What is your peak throughput?
- What features will you need?
- What is your peak conn/s and max connections?
- What is acceptable latency?
- Is there traffic excluded from inspection?
- Use NetFlow, NBAR, AVC and ASA statistics to measure.
- Account for expected future growth.

80 Performance: Throughput Testing Methodology
Datasheets generally have some indication of performance; in most cases this includes the infamous throughput measurement. Different product spaces have different typical throughput tests.
- The firewall industry almost always publishes a maximum throughput number, usually based on a traffic type that is never helpful in determining the sizing of the product. UDP with a 1518-byte packet size is fairly common.
- The IPS industry has generally been more conservative about throughput estimates on its datasheets, partly because its performance range is much more variable than that of firewalls, and partly by industry choice. TCP 440-byte HTTP is fairly common.

81 Performance: What Metrics Do We Provide?
Solution | Throughput | Connections
ASA with FirePOWER Services | Maximum Stateful Firewall Throughput; Maximum VPN Throughput; Maximum AVC Throughput; Maximum AVC and NGIPS Throughput; AVC or IPS Sizing Throughput (440B) | Maximum Concurrent Sessions; Maximum New Connections / Second
FirePOWER Appliances | FW Throughput; IPS Throughput (440B) | Maximum Concurrent Sessions; Maximum New Connections / Second

82 Performance: Multiple-Services Performance Guideline
If you run AVC or AVC+AMP on top of IPS, reduce the datasheet IPS throughput by:
- 30-45% for IPS + AVC
- 50-65% for IPS + AVC + AMP
[Chart: relative throughput of IPS, IPS + AVC, and IPS + AVC + AMP.]

83 Performance: FirePOWER Services for ASA
Model (the header row in the source names only 5506-X, 5508-X, 5516-X, 5525-X, 5545-X and 5555-X; the remaining four columns are unlabeled)
Max Stateful FW Throughput | 750 Mbps | 1 Gbps | 1.8 Gbps | 2 Gbps | 3 Gbps | 4 Gbps | 4 Gbps | 10 Gbps | 20 Gbps | 40 Gbps
VPN Throughput | 100 Mbps | 175 Mbps | 250 Mbps | 300 Mbps | 400 Mbps | 700 Mbps | 1 Gbps | 2 Gbps | 3 Gbps | 4 Gbps
Max AVC Throughput | 250 Mbps | 450 Mbps | 850 Mbps | 1.1 Gbps | 1.5 Gbps | 1.75 Gbps | 4.5 Gbps | 7 Gbps | 10 Gbps | 15 Gbps
Max AVC and IPS Throughput | 125 Mbps | 250 Mbps | 450 Mbps | 650 Mbps | 1 Gbps | 1.25 Gbps | 2 Gbps | 3.5 Gbps | 6 Gbps | 10 Gbps
AVC or IPS Sizing Throughput | 90 Mbps | 180 Mbps | 300 Mbps | 375 Mbps | 575 Mbps | 725 Mbps | 1.2 Gbps | 2 Gbps | 3.5 Gbps | 6 Gbps
Max Connections (partly unreadable in the source) | 50, , , , ,000 1,000, ,000 | 1,000,000 | 1,800,000 | 4,000,000
Max CPS (partly unreadable in the source) | 5,000 | 10,000 | 20,000 | 20,000 | 30,000 | 50,000 | 40,000 | 75, , ,000

84 Performance: FirePOWER Appliances
Model (model names are not present in the source; nine columns of values)
Firewall Throughput | 500 Mbps | 1.5 Gbps | 2.5 Gbps | 4 Gbps | 10 Gbps | 30 Gbps | 60 Gbps | 90 Gbps | 120 Gbps
IPS Throughput | 250 Mbps | 750 Mbps | 1.25 Gbps | 2 Gbps | 6 Gbps | 15 Gbps | 30 Gbps | 45 Gbps | 60 Gbps
Max Connections | 500,000 | 1,500,000 | 2,500,000 | 3,000,000 | 7,000,000 | 12,000,000 | 24,000,000 | 36,000,000 | 48,000,000
Max CPS (partly unreadable in the source) | 5,000 | 27,500 | 42,500 | 45, , , , , ,000

85 Performance: Firepower Appliances
Model (the header row in the source names only SM-24, SM-36 and SM-36x3; six columns of values)
Max Throughput: Application Control (AVC) | 12G | 20G | 25G | 25G | 35G | 100G
Max Throughput: Application Control (AVC) and IPS | 10G | 15G | 20G | 20G | 30G | 90G
Sizing Throughput: AVC (450B) | 4G | 8G | 10G | 9G | 12.5G | 30G
Sizing Throughput: AVC+IPS (450B) | 3G | 5G | 6G | 6G | 8G | 20G
Maximum concurrent sessions w/AVC | 4.5M | 11M | 14M | 28M | 29M | 57M

86 Cisco FMCv/FTDv in AWS
Instance types (interface, subnet, vCPU and RAM figures are not legible in the source):
- FMCv: m3.large
- FMCv: m3.xlarge
- FMCv & FTDv*: c3.xlarge
- FMCv: c3.2xlarge
Notes:
- AWS FMCv is optional, as many organizations like to use their on-premises FMC.
- Cisco Smart Licensing; AWS hourly coming soon.
- The AWS Security Group access control must permit SSH/HTTPS access to your instances.
- Create and attach network interfaces and add a route table entry for Internet access.
- An Elastic IP (static, persistent public IP) is required for either FTDv or FMCv remote admin access.
* Two management interfaces are required for AWS FTDv.

87 Planning: Define Your Requirements
- Use Case
- Location
- Connectivity
- Performance
- Availability and Scaling
- Management

88 Availability and Scaling: What Should Happen if the IPS Fails?
Solution | Network Availability | Security Availability
ASA with FirePOWER Services | ASA w/ Firepower Fail-Open | ASA A/S Failover
FirePOWER Appliance - Promiscuous | N.A. | FirePOWER Clustering - Passive Redundancy
FirePOWER Appliance - Inline | Automatic Application Bypass; Hardware Bypass; Alternate Path | FirePOWER Clustering - Inline; FirePOWER Clustering - Switched; FirePOWER Clustering - Routed

89 Network Availability: Fail-Open for ASA with FirePOWER Services
- Fail-Open and Fail-Closed are configured in the ASA policy-map and determine what the ASA does when the FirePOWER module (HW or SW) has failed.
- With Fail-Closed, traffic is blocked when the module is unavailable.
- With Fail-Open, traffic is allowed and not inspected when the module is unavailable.
- Only used if the ASA cannot fail over.
- ASA configuration:
    policy-map global_policy
     class class-default
      sfr fail-open
    service-policy global_policy global
[Diagram: health check failure of the Firepower module (HW or SW); the ASA data flow continues without the module.]

90 Network Availability: Automatic Application Bypass (AAB) for FirePOWER IPS
- AAB limits the time allowed to process packets through an interface. Increased processing time may be due to misconfiguration or a software issue.
- Not the same as Packet / Rule Latency Thresholding.
- Inspection is bypassed if the processing time is exceeded, causing all Snort processes to terminate; AAB restarts the Snort IPS engine within 10 minutes after the failure.
- Bypass threshold: 250 ms to 6 s (3 s default).
- Generates a Health Monitoring alert.
- Supported on FirePOWER hardware appliances and NGIPS; not supported on ASA with FirePOWER Services.
[Diagram: processing time exceeded on the Firepower appliance; the data flow continues.]

91 Network Availability: Hardware Bypass for FirePOWER IPS
- Fail-to-wire: traffic bypasses the appliance on power failure.
- Supported on physical FirePOWER appliances only.
- Supported on both copper and fiber interfaces.
- Hardware Bypass network modules are available for the 8000 series.
- Inline interface mode only.
[Diagram: normal operation, link between two Ethernet switches through the appliance; on power loss the hardware bypass is activated and the link stays up.]

92 Network Availability: Alternate Path for FirePOWER IPS
- Sensor and alternate path between 2 switches, or 2 VLANs on the same switch.
- STP determines the forwarding/blocking path.
- A sensor failure causes STP to place the alternate path in the forwarding state.
[Diagram: data flow through the sensor; the alternate path is blocked by Spanning Tree until the sensor fails.]

93 Security Availability: A/S Failover for ASA with FirePOWER Services
- For locations where high availability is the primary concern.
- ASAs sync their connection table; the ASA configuration is automatically synced.
- FirePOWER configuration should be synced using Firepower Management Center.
- FirePOWER modules do not synchronize their connection tables; mid-session pickup occurs on the FirePOWER modules.
- Supported in both routed and transparent mode.
[Diagram: Active/Standby ASA pair between two Ethernet switches; when the active unit fails, the data flow moves to the formerly standby unit.]

94 Security Availability: Clustering (HA) for FirePOWER Appliances
- Not the same as ASA Clustering.
- FirePOWER Clustering (HA) establishes resiliency between 2 appliances or 2 stacks.
- Clustered devices can synchronize state via the HA link.
- Single logical system in Firepower Management Center for policy application.
- Both devices must be the same model, with identical interfaces, same software and licenses.
- Automatic failover happens on appliance health failure, hardware failure, during a system update or device shutdown.
- Multiple clustered redundancy deployment models: Passive, Inline, Routed, Switched.

95 Security Availability: Clustering for FirePOWER Appliances, Passive Deployment Redundancy
- TAP or SPAN feed to multiple appliances in passive mode.
- The standby appliance brings its interfaces up if the active appliance fails health checks.
- Same as having multiple standalone IDS appliances, except duplicate events are suppressed.
[Diagram: SPANed traffic fed to an active and a standby appliance; when the active appliance fails, the standby becomes active.]

96 Security Availability: Clustering for FirePOWER Appliances, Inline Deployment Redundancy
- Sensors between 2 switches.
- STP determines the forwarding/blocking path.
- A sensor failure causes STP to place the other sensor in the forwarding state.
- Clustering does State Push of session state to ensure flow continuity on failover.
[Diagram: data flow through one sensor; the path through the other sensor is blocked by Spanning Tree.]

97 Security Availability: Clustering for FirePOWER Appliances, Switched Deployment Redundancy
- Sensors between switches, or between VLANs on the same switch; virtual switch configuration.
- STP determines the forwarding/blocking path.
- A sensor failure causes STP to place the other sensor in the forwarding state.
- Clustering does State Push of session state to ensure flow continuity on failover.
[Diagram: VLAN 20 to VLAN 200 over the active STP path; the second sensor's path is blocked by STP.]

98 Security Availability: Clustering for FirePOWER Appliances, Routed Deployment Redundancy
- Virtual router configuration; hosts typically have a statically defined gateway.
- Redundancy in a routed deployment requires routed interfaces to share a gateway IP address.
- SFRP (similar to VRRP) creates an Active/Passive deployment by advertising the active IP on only one interface; if that interface goes down, the backup interface begins advertising the IP address.
- Clustering does State Push of session state to ensure flow continuity on failover.
[Diagram: Active and Standby appliances between Ethernet switches; when the active fails, the data flow moves to the standby.]

99 Availability and Scaling: How to Scale Beyond What 1 Appliance Can Do?
Solution | Scaling | Scaling + Availability
ASA with FirePOWER Services | NA | ASA Clustering *
FirePOWER Appliance - Passive | Stacking | Passive Clustered Stack; FirePOWER Passive Appliances with Etherchannel RSPAN *
FirePOWER Appliance - Inline | Stacking | Clustered Stack; ASA with FirePOWER Appliances *
Firepower with NGFW (FTD) | NA | Clustering
* Can be deployed in asymmetric traffic environments

100 Scaling: Stacking for FirePOWER 8000 Series
- 4x Stacking supported 8300, (second model not legible in the source); x Stacking on 8100 Series (multiplier not legible in the source).
- Throughput figures shown: (first value not legible) Gbps, 30 Gbps, 45 Gbps, 60 Gbps.

101 Scaling + Availability: Clustering for ASA5500-X
- Scaling and availability for FirePOWER Services.
- Can be deployed in an asymmetric environment.
- Up to 16 ASA5585-X, or two ASA5500-X with FirePOWER Services.
- Stateless load balancing by an external switch; support for vPC and LACP.
- Cluster Control Protocol/Link: state sharing between firewalls for concerted operation and high availability.
- Every session has a primary and a secondary owner ASA.
- The ASA provides traffic symmetry to the FirePOWER modules.
[Diagram: ASA cluster between two vPC pairs.]

102 Scaling + Availability: Clustered Stack of FirePOWER Appliances
- Stack-to-stack high availability, supported on the 8000 series.
- Scaling and availability for FirePOWER Services.
- Supported for passive, inline, switched and routed clustered deployments.
- Not suggested for asymmetric environments.
- Stacks must have identical hardware.
[Diagram: active and standby stacks; SPANed traffic and data flow, with the standby path blocked by Spanning Tree.]

103 Scaling + Availability: Etherchannel RSPAN with FirePOWER Passive Appliances
- Provides IDS scaling and availability; no FirePOWER Clustering.
- Can be deployed in an asymmetric environment; asymmetric traffic flows through the DC switching infrastructure.
- Switches mirror traffic at key intersection points into an RSPAN VLAN.
- The RSPAN collection switch aggregates the flows and feeds them into an Etherchannel.
- FirePOWER appliances process the aggregated SPAN traffic in passive mode.
[Diagram: vPC pairs feeding the RSPAN collection switch and the passive appliances.]

104 Scaling + Availability: ASA with Inline FirePOWER Appliances
- Provides IPS scaling and availability.
- Can be deployed in an asymmetric environment.
- ASA appliances deployed as a cluster in multi-context mode; inline FirePOWER appliances attached between the contexts.
- ASA Clustering automatically redirects asymmetrically received packets to the ASA connection owner.
- Local FirePOWER appliances have full visibility into the flow due to localized processing.
- Cisco Validated Design.
[Diagram: ASA cluster between two vPC pairs, with inline FirePOWER appliances between the contexts.]

105 Availability and Scaling: Options on ASA with FirePOWER Services
Model (header row partly unreadable in the source: "H", "5506-W", "5508/", "/45/", "X"; six columns)
Multi-Context | NO | NO | NO | YES | YES | YES
High Availability | A/S | A/S | A/S | A/S, A/A | A/S, A/A | A/S, A/A
Clustering | NO | NO | NO | NO | YES (2) | YES (16)
Module Fail-Open | YES | YES | YES | YES | YES | YES
Automatic Application Bypass | NO | NO | NO | NO | NO | NO

106 Availability and Scaling: Options on FirePOWER Appliances
Model (header row partly unreadable in the source: "NGIPSv", "/8300"; five columns)
FirePOWER Stacking | NO | NO | NO | YES (2) | YES (4)
FirePOWER Clustering | NO | YES | YES | YES | YES
Clustered Stacks | NO | NO | NO | YES | YES
Automatic Application Bypass | YES | YES | YES | YES | YES
Hardware Bypass | NO | YES | YES | YES | YES
* 7115, 7125, and 7150 models only

107 Availability and Scaling: Options on Firepower NGFW (FTD)
Feature | FP4100 | FP9300
Multi-Context | NO | NO
High Availability | A/S, A/A | A/S, A/A
Clustering | YES (5) * | YES (5) *
Module Fail-Open | NO ** | NO **
Automatic Application Bypass | NO | NO
* Clustering will be available in a future release
** Interfaces with built-in bypass available in a future release

108 Planning: Define Your Requirements
- Use Case
- Location
- Connectivity
- Performance
- Availability and Scaling
- Management

109 Management: Firepower Management Center
- Management platforms: Firepower Management Center, ASDM*.
- Firepower Management Center can be an appliance or a VM; Firepower Management Center appliances can be deployed in HA.
- Determining factors: device type, deployment size, cost, other security devices, scaling requirements, responsibilities.
* ASDM currently only manages FirePOWER Services on 5506/8/16.
Comparison | FMC (server, web-based UI) | ASDM (on-box)
Form Factor | VM or Appliance | Runs on ASA
# devices | Up to (figure not legible in the source) | (not legible in the source)
Cost | $ | No Charge
Manages | FirePOWER, FirePOWER Services | ASA, FirePOWER Services on select platforms
Contextual Awareness and Visibility | Extensive | Basic, no IoC or Impact Assessment
Detailed Event Collection | Extensive | Basic
Reporting | Extensive | Basic
Health Monitoring | (not legible in the source) | Basic: CPU, Memory

110 Management: Firepower Management Center Appliances
Model | Virtual | (appliance columns; model names not legible in the source)
Maximum devices managed* | Up to 25 managed devices (ASA or FirePOWER appliances) | (figures not legible in the source)
Event storage | 100 GB | 1.8 TB | 3.2 TB
Maximum network map (hosts/users) and Events per second (EPS) | values partly unreadable in the source: 2000/ ,000/ 150, ,000/ 600, ,000 20,000
- Virtual FireSIGHT Management Center for 2 or 10 ASA devices only (not upgradeable): FS-VMW-2-SW-K9, FS-VMW-10-SW-K9.
* The maximum number of devices is dependent upon sensor type and event rate.

111 IPS Deployment Process (cycle)
- Policy
- Planning & Hardware Selection
- Implementation & Operation
- Evaluation

112 Implementation: Installation, Basic Configuration and Insertion into the Network
1. Installation of Firepower Management Center
2. Installing the FirePOWER appliance or FirePOWER Services for ASA
3. Adding the FirePOWER appliance/module into Firepower Management Center
4. Apply basic configuration
5. Insertion into the network
6. Tuning
7. Optional: move from Audit mode to inline mode
8. Operation

113 Implementation: Adding a FirePOWER Device into Firepower Management Center
1. On the FirePOWER device, identify the Firepower Management Center that will be managing the device. This can be done via the CLI, the LCD panel* or the GUI*.
   CLI (FMC IP address and registration key; the address shown on the slide is not legible in the source, so a placeholder is used):
     > configure manager add <fmc-ip-address> cisco123
     Manager successfully configured.
   GUI: FMC IP address and key.
2. On the Firepower Management Center, navigate to Device Management to add the new device: device IP address and registration key, default Access Control Policy, and the licenses applied to the FireSIGHT MC.
* The LCD panel and GUI options only apply to physical FirePOWER appliances.

114 Implementation: Basic Configuration
- Access Control Policy
- IPS Policy
- Default Action

115 Implementation: Policies
- Platform and System Policy: manages system-level settings such as audit logs, mail relay, etc.
- Health Policy: a collection of health module settings to check the health of devices.
- Network Discovery Policy: defines how the system collects data about network assets.
- Malware & File Policy: used to perform AMP and file filtering.
- Intrusion Policy: defines the IPS rules enabled for inspection.
- SSL Policy: defines what traffic to decrypt and how to decrypt it.
- Access Control Policy: permits/denies traffic through the device and defines which Intrusion/File policies are applied to traffic flows.
- DNS Policy: defines custom DNS policies and the system-provided default policy.
- Identity Policy: associates traffic with an authoritative identity source (LDAP, AD or ISE).

116 Implementation: What Are the Different Base IPS Policies?
- Connectivity over Security: ~500 rules. CVSS score of 10; age of vulnerability: 1 year and newer.
- Balanced: ~7700 rules. CVSS score of 9 or greater; age of vulnerability: 1 year and newer; rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit.
- Security over Connectivity: ~ rules (count not legible in the source). CVSS score of 8 or greater; age of vulnerability: 2 years and newer; rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit, App-detect.
- Maximum Detection: ~5600 rules. CVSS score of 7.5 since 2005, with critical rules, malware and exploit kit rules.
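To see how these criteria sets differ for a concrete rule, here is an added Python model that is not code from the deck or from Firepower. It encodes each base policy's CVSS threshold, vulnerability age and rule categories as a predicate and reports which policies would enable a given rule. The Rule class, the SIDs and the reading of each policy as the union of its CVSS/age threshold and its listed categories (and of "critical rules" as the malware and exploit-kit categories) are assumptions for illustration; the real Talos policies are curated, not computed this way.

```python
"""Model of the four base IPS policies as rule-selection criteria.

Added example, not code from the Cisco deck or from Firepower. Each policy is
treated (assumption) as the union of "meets the CVSS-and-age threshold" and
"belongs to one of the listed categories". Sample rules are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int
    cvss: float
    disclosed: int      # year the underlying vulnerability was disclosed
    category: str       # Snort rule category, e.g. "malware-cnc"


THREAT_CATEGORIES = {"malware-cnc", "blacklist", "sql-injection", "exploit-kit"}


def age_years(rule, current_year):
    """Age of the vulnerability in whole years (crude, year granularity)."""
    return current_year - rule.disclosed


def in_connectivity_over_security(rule, year):
    # ~500 rules: CVSS 10 and vulnerability 1 year old or newer
    return rule.cvss >= 10 and age_years(rule, year) <= 1


def in_balanced(rule, year):
    # ~7700 rules: CVSS >= 9 and <= 1 year old, or a listed threat category
    return (rule.cvss >= 9 and age_years(rule, year) <= 1) or rule.category in THREAT_CATEGORIES


def in_security_over_connectivity(rule, year):
    # CVSS >= 8 and <= 2 years old, or a listed category (app-detect added)
    return (rule.cvss >= 8 and age_years(rule, year) <= 2) or rule.category in (
        THREAT_CATEGORIES | {"app-detect"}
    )


def in_maximum_detection(rule, year):
    # ~5600 rules: CVSS >= 7.5 disclosed since 2005, plus malware and exploit-kit
    # rules (the slide's "critical rules" read, as an assumption, as those two)
    return (rule.cvss >= 7.5 and rule.disclosed >= 2005) or rule.category in {
        "malware-cnc", "exploit-kit"
    }


BASE_POLICIES = {
    "connectivity_over_security": in_connectivity_over_security,
    "balanced": in_balanced,
    "security_over_connectivity": in_security_over_connectivity,
    "maximum_detection": in_maximum_detection,
}


def policies_for(rule, year=2016):
    """Sorted names of the base policies that would enable this rule."""
    return sorted(name for name, pred in BASE_POLICIES.items() if pred(rule, year))


def policy_sizes(rules, year=2016):
    """Enabled-rule count per base policy, to compare how much each policy turns on."""
    counts = {name: 0 for name in BASE_POLICIES}
    for rule in rules:
        for name in policies_for(rule, year):
            counts[name] += 1
    return counts


# Constructed sample rules (SIDs and categories are illustrative, not real rules).
SAMPLE_RULES = [
    Rule(1000001, 10.0, 2016, "server-webapp"),
    Rule(1000002, 9.3, 2015, "browser-ie"),
    Rule(1000003, 5.0, 2016, "malware-cnc"),
    Rule(1000004, 8.1, 2014, "os-windows"),
    Rule(1000005, 7.8, 2009, "file-pdf"),
    Rule(1000006, 6.5, 2016, "app-detect"),
    Rule(1000007, 4.3, 2003, "policy-other"),
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule.sid, rule.category, "->", policies_for(rule))
    print(policy_sizes(SAMPLE_RULES))
```

The point the counts make is the one the slide implies: a low-CVSS malware-cnc rule sits in Balanced, Security over Connectivity and Maximum Detection, while an older CVSS 7.8 rule appears only in Maximum Detection.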

117 Implementation: Audit Mode
- Inline deployment without actually affecting traffic.
- Disable "Drop when inline" when creating the IPS policy.
- In passive deployments, the system cannot affect traffic regardless of the drop behavior.
- Events will show "Would have dropped" when the sensor is deployed passively or when "Drop when inline" is disabled.

118 Operation: Features for More Effective Operation
- Host and user discovery, and application identification
- Host profiles
- Impact levels
- FireSIGHT Recommendations
- Indications of Compromise

119 Operation: Network Discovery
- Host discovery: identifies the OS, protocols and services running on each host; reports on potential vulnerabilities present on each host based on the information it has gathered.
- Application identification: FireSIGHT can identify over 1900 unique applications using OpenAppID, including applications that run over web services such as Facebook or LinkedIn; applications can be used as criteria for access control.
- User discovery: monitors for user IDs transmitted as services are used; integrates with MS AD servers to authoritatively identify users; authoritative users can be used as access control criteria.

120 Host Profile: What Have We Learned?
All information we know about each host we monitor:
- Current and historic users
- OS, servers, applications
- Indications of Compromise
- Malware detections
- Vulnerabilities

121 Network Discovery: How Is the Information Used?
- FireSIGHT Recommendations: uses the information learned about each host to automatically select the rules that apply to your environment.
- Impact Assessment: correlation of IPS events with their impact on the target host.
- Indications of Compromise: tags that indicate a likely host infection has occurred. FireSIGHT tracks and correlates IoCs across all sensor points, together with Security Intelligence and malware events.

122 Impact Assessment: How Relevant Is the Attack?
Impact Flag | Administrator Action | Why
1 | Act Immediately, Vulnerable | Event corresponds to a vulnerability mapped to the host
2 | Investigate, Potentially Vulnerable | Relevant port open or protocol in use, but no vulnerability mapped
3 | Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use
4 | Good to Know, Unknown Target | Monitored network, but unknown host
0 | Good to Know, Unknown Network | Unmonitored network

123 FireSIGHT Recommendations: Automatic Tuning Based on Your Environment
- IPS rule recommendations based on what is learned from Network Discovery.
- Associates the OS, servers and applications detected with rules specific to those assets.
- Identifies the current state of rules in your base policy and recommends and/or sets rule state changes.
- Combining a Cisco-provided default policy with FireSIGHT Recommendations results in an IPS policy matching the Talos-recommended settings for your assets.
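The impact table on slide 122 and the recommendation logic on this slide both consume the same network map, so one added Python example covers both (this is not code from the deck or from Firepower): impact_flag() applies the five-level table to an event against a destination host, triage() orders events by that flag, and recommend_rule_states() is a simplified model of recommendations that enables only rules whose targeted vulnerability, service or OS was actually discovered. The Host, NetworkMap and Rule classes, the vulnerability ids, the drop/alert/disabled mapping and all sample data are constructed assumptions for illustration.

```python
"""Impact assessment and rule-state recommendations driven by a network map.

Added example, not code from the Cisco deck or from Firepower. Hosts, rules,
vulnerability ids and events are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    os: str
    open_ports: set = field(default_factory=set)   # (protocol, port) seen by discovery
    services: set = field(default_factory=set)     # e.g. {"http", "smb"}
    vulns: set = field(default_factory=set)        # vulnerability ids mapped to the host


@dataclass
class NetworkMap:
    monitored: list                                # CIDRs in the discovery policy
    hosts: dict = field(default_factory=dict)      # ip -> Host

    def is_monitored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(net) for net in self.monitored)


@dataclass
class Rule:
    sid: int
    vuln: str          # vulnerability id the rule detects attempts against
    protocol: str
    port: int
    service: str       # server application the rule targets
    os: str            # OS family the rule targets ("any" if not OS-specific)


def impact_flag(netmap, dst_ip, rule):
    """Impact level (slide 122 table) for an IPS event with this rule against dst_ip."""
    if not netmap.is_monitored(dst_ip):
        return 0                                   # unknown network
    host = netmap.hosts.get(dst_ip)
    if host is None:
        return 4                                   # monitored network, unknown host
    if rule.vuln in host.vulns:
        return 1                                   # vulnerability mapped to host
    if (rule.protocol, rule.port) in host.open_ports or rule.service in host.services:
        return 2                                   # port open / protocol in use, no vuln mapped
    return 3                                       # currently not vulnerable


ACTIONS = {
    1: "Act Immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to Know, Currently Not Vulnerable",
    4: "Good to Know, Unknown Target",
    0: "Good to Know, Unknown Network",
}

# Urgency order of the flags as listed on the slide: 1 first, 0 last.
URGENCY = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


def triage(netmap, events):
    """(flag, dst_ip, sid) tuples for (dst_ip, rule) events, most urgent first."""
    scored = [(impact_flag(netmap, ip, rule), ip, rule.sid) for ip, rule in events]
    return sorted(scored, key=lambda t: URGENCY[t[0]])


def recommend_rule_states(netmap, rules):
    """Rule state per SID (assumed mapping): 'drop' when the vulnerability is mapped
    to a discovered host, 'alert' when only the targeted service or OS is present,
    otherwise 'disabled'."""
    states = {}
    hosts = list(netmap.hosts.values())
    for rule in rules:
        if any(rule.vuln in h.vulns for h in hosts):
            states[rule.sid] = "drop"
        elif any(rule.service in h.services or (rule.os != "any" and rule.os == h.os) for h in hosts):
            states[rule.sid] = "alert"
        else:
            states[rule.sid] = "disabled"
    return states


# Constructed sample data.
NETMAP = NetworkMap(
    monitored=["10.1.0.0/16"],
    hosts={
        "10.1.1.10": Host("10.1.1.10", "linux", {("tcp", 80), ("tcp", 22)}, {"http", "ssh"}, {"VULN-WEB-01"}),
        "10.1.1.20": Host("10.1.1.20", "windows", {("tcp", 445)}, {"smb"}, set()),
    },
)
RULES = [
    Rule(2000001, "VULN-WEB-01", "tcp", 80, "http", "any"),
    Rule(2000002, "VULN-SMB-01", "tcp", 445, "smb", "windows"),
    Rule(2000003, "VULN-DNS-01", "udp", 53, "dns", "any"),
]
EVENTS = [
    ("10.1.1.20", RULES[0]),   # web attempt against a host with no web service
    ("10.1.1.10", RULES[0]),   # web attempt against the host with the vuln mapped
    ("10.1.1.20", RULES[1]),   # SMB attempt: port open, no vuln mapped
    ("10.1.9.9", RULES[2]),    # host not in the map, inside a monitored network
    ("192.0.2.5", RULES[2]),   # unmonitored network
]

if __name__ == "__main__":
    for flag, ip, sid in triage(NETMAP, EVENTS):
        print(f"impact {flag}: sid {sid} -> {ip}: {ACTIONS[flag]}")
    print(recommend_rule_states(NETMAP, RULES))
```

Note the ordering: flag 4 (unknown host on a monitored network) is ranked below flag 3, as the slide lists it, because the system knows nothing about the target rather than knowing it is not vulnerable.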

124 Indications of Compromise (IoCs)
Sources: IPS events, SI events, malware events.
IoC types: Malware backdoors; CnC connections; Connections to known CnC IPs; Malware detections; Malware executions; Exploit kits; Admin privilege escalations; Office/PDF/Java compromises; Dropper infections; Web app attacks.

125 IPS Deployment Process (cycle)
- Policy
- Planning & Hardware Selection
- Implementation & Operation
- Evaluation

126 Evaluation: Is the IPS Deployment Effective?
- Initially: (fine) tuning
- Continuously: signature updates; FireSIGHT Recommendations
- Periodically: vulnerability scans; penetration testing

127 Migrating to Firepower NGIPS

128 Migrating to FirePOWER NGIPS: Things to Consider When Migrating
- Additional hardware needs: new software, licensing and management needs; can the current hardware deliver the required performance? What additional features will we be using? Not a 1:1 migration.
- Migration strategy to use: how to install a new FirePOWER module on an existing ASA; how will you migrate your policies and rules?

129 Migrating to FirePOWER Services for ASA: Sizing Guidance When Migrating
When replacing an existing service module like Cisco CX or the classic IPS module:
- Understand the traffic load the device is seeing.
- Understand the inspection load the current device is under.
- Compare the current inspection load, if possible, to the expected load on the new module, reducing the available throughput based on the features required.
- If you run more features, the performance will be impacted.

130 Migrating to FirePOWER Services for ASA: Sizing Guidance When Migrating from Legacy Cisco IPS
- IPS-only test comparing the throughput of FirePOWER Services for ASA to the legacy IPS module.
- Tested using the same 440-byte HTTP transactional test that was the benchmark for legacy IPS.
[Chart: FirePOWER Services on ASA vs Classic IPS on ASA, per model; three Classic IPS entries read NA. Values are not legible in the source.]

131 Migrating to FirePOWER Services for ASA: Sizing Guidance When Migrating from Legacy Cisco IPS
- When upgrading from classic IPS to FirePOWER Services, adding new features can require a platform change.
- Generally each new major feature is a step up, assuming the box is near capacity.
Model | 5506-X | 5508-X | 5512-X | 5516-X | 5525-X | 5545-X | 5555-X
Classic IPS Module | NA NA 150 NA (remaining values not legible in the source)
FirePOWER AVC or IPS | (values not legible in the source)
FirePOWER IPS + AVC | (values not legible in the source)
FirePOWER IPS + AVC + AMP | (values not legible in the source)
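The reduction guideline from slide 82 and the migration sizing steps on slides 129 to 131 (measure the load, compare it to the new module's figure, reduce for the features you will run, step up a platform if it no longer fits) can be carried out with the following added Python helper, which is not code from the deck or from Cisco. It applies the 30-45% and 50-65% reductions to a datasheet IPS figure, projects the inspected peak from measured traffic after removing excluded traffic and adding growth, and picks the smallest candidate that still fits with headroom. The candidate names and throughput figures are constructed placeholders, not datasheet values, and the 20% headroom is an assumption.

```python
"""Feature-aware IPS throughput sizing.

Added example, not code from the Cisco deck or from Cisco. Applies the
multi-service guideline (reduce datasheet IPS throughput by 30-45% for IPS+AVC
and 50-65% for IPS+AVC+AMP) and checks the result against a projected traffic
profile. Candidate names, figures and the headroom margin are constructed
assumptions, not datasheet values.
"""
from dataclasses import dataclass

# Fraction of datasheet IPS throughput lost for each feature mix: (low, high).
REDUCTION = {
    frozenset({"ips"}): (0.00, 0.00),
    frozenset({"ips", "avc"}): (0.30, 0.45),
    frozenset({"ips", "avc", "amp"}): (0.50, 0.65),
}


def effective_ips_throughput(datasheet_ips_mbps, features):
    """Return (worst_case_mbps, best_case_mbps) after the multi-service reduction."""
    key = frozenset(f.lower() for f in features)
    if key not in REDUCTION:
        raise ValueError(f"no guideline for feature mix {sorted(key)}")
    low_cut, high_cut = REDUCTION[key]
    return datasheet_ips_mbps * (1 - high_cut), datasheet_ips_mbps * (1 - low_cut)


@dataclass
class TrafficProfile:
    """Measured and forecast traffic the IPS must inspect (from NetFlow/ASA stats)."""
    peak_mbps: float          # measured peak throughput
    excluded_fraction: float  # share of traffic excluded from inspection
    annual_growth: float      # expected growth per year, e.g. 0.15 for 15%
    years: int                # planning horizon in years

    def inspected_peak(self):
        """Inspected peak at the end of the planning horizon, in Mbps."""
        inspected_now = self.peak_mbps * (1 - self.excluded_fraction)
        return inspected_now * (1 + self.annual_growth) ** self.years


def fits(datasheet_ips_mbps, features, profile, headroom=0.20):
    """True when even the worst-case effective throughput covers the projected
    inspected peak plus a headroom margin (20% assumed)."""
    worst, _ = effective_ips_throughput(datasheet_ips_mbps, features)
    return worst >= profile.inspected_peak() * (1 + headroom)


def smallest_fit(candidates, features, profile):
    """Name of the smallest candidate (name -> datasheet IPS Mbps) that fits, or None."""
    for name, mbps in sorted(candidates.items(), key=lambda item: item[1]):
        if fits(mbps, features, profile):
            return name
    return None


# Constructed candidate list with placeholder names; not vendor figures.
CANDIDATES = {"model-A": 300, "model-B": 650, "model-C": 1250, "model-D": 2000}
# Constructed profile: 400 Mbps peak, 25% excluded, 15% growth per year over 3 years.
PROFILE = TrafficProfile(peak_mbps=400, excluded_fraction=0.25, annual_growth=0.15, years=3)

if __name__ == "__main__":
    for mix in (["ips"], ["ips", "avc"], ["ips", "avc", "amp"]):
        print("+".join(mix), "->", smallest_fit(CANDIDATES, mix, PROFILE))
```

With the constructed profile the same traffic moves up one candidate each time a feature is added, which is the "each new major feature is a step up" effect the slide describes. Using the worst case of the reduction range is the conservative choice; the best case is returned as well so the spread can be shown to whoever approves the purchase.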

132 Migrating to FirePOWER NGIPS Appliances: Migration Strategies Based on Risk Assessment
1. Cut over to FirePOWER in Inline IPS Mode: replace the legacy IPS with FirePOWER in IPS mode. Monitor closely and adjust the policy. Most risky option for legitimate traffic.
2. Cut over to FirePOWER in Inline Audit Mode: replace the legacy IPS with FirePOWER in Audit mode. Monitor traffic and alerts, then put the sensor in IPS mode. Most risky option against malicious traffic and for compliance.
3. Run Both Legacy IPS and FirePOWER IPS in Audit Mode Temporarily: connect FirePOWER IPS in Audit mode on the untrusted side of the existing legacy IPS. Monitor traffic and tune where needed, then complete the migration by removing the legacy IPS and turning off Audit mode. FirePOWER may miss what is blocked by the legacy IPS.
4. Run Both Legacy IPS and FirePOWER IDS Temporarily: install FirePOWER in IDS mode, connected to a SPAN port or another method of capturing network traffic. Monitor the sensor and adjust the policy accordingly. When the sensor is tuned, complete the migration with either option 1 or 2 above.

133 Migrating to FirePOWER NGIPS Appliances: Both Legacy IPS and FirePOWER IPS in Audit Mode Temporarily
[Diagram: FirePOWER in Audit mode placed in line on the untrusted side of the legacy IPS.]

134 Migrating to FirePOWER NGIPS Appliances: Both Legacy IPS and FirePOWER IDS Temporarily
[Diagram: FirePOWER in IDS mode fed from a SPAN port alongside the legacy IPS.]

135 Migrating to FirePOWER NGIPS Appliances: Migration Tool, Guide and Training
- Cisco Legacy IPS to FirePOWER NGIPS Migration Guidance Tool: consumes a Cisco IPS configuration file and generates a recommendations document; covers standalone IPS appliances as well as ASA IPS modules; areas of focus: network insertion, policies and signatures/rules; matches Snort rules to Cisco IPS signatures.
- Cisco Legacy IPS to FirePOWER NGIPS Migration Guide: focused on standalone appliances; explains FirePOWER in Cisco terminology.
- BRKSEC session: Tips and Tricks for Successful Migration to FirePOWER Solutions.

136 Conclusion

137 Deploying IPS: Conclusion
- NGIPS extends classic IPS with application awareness, contextual awareness and content awareness to provide automation and reduce complexity.
- Cisco NGIPS is available as FirePOWER appliances, a virtual form factor and FirePOWER Services for the ASA.
- Multiple deployment options address a multitude of use cases / locations, connection needs, performance requirements, high availability and scaling, and management requirements.
- Migrating to FirePOWER appliances involves determining additional hardware, software, licensing and management needs.

138 Complete Your Online Session Evaluation
- Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
- Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.
- Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online.

139 Continue Your Education
- Demos in the Cisco campus
- Walk-in Self-Paced Labs
- Lunch & Learn
- Meet the Engineer 1:1 meetings
- Related sessions

140 Thank you

141

142 Security Cisco Education Offerings
Course | Description | Cisco Certification
CCIE Security | Expert-level certification in Security, for comprehensive understanding of security architectures, technologies, controls, systems, and risks. | CCIE Security
Implementing Cisco Edge Network Security Solutions (SENSS) | Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls | CCNP Security
Implementing Cisco Threat Control Solutions (SITCS) | Deploy Cisco's Next Generation Firewall (NGFW) as well as Web Security, Security and Cloud Web Security | CCNP Security
Implementing Cisco Secure Access Solutions (SISAS) | Deploy Cisco's Identity Services Engine and 802.1X secure network access | CCNP Security
Implementing Cisco Secure Mobility Solutions (SIMOS) | Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions | CCNP Security
Implementing Cisco Network Security (IINS 3.0) | Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features | CCNA Security
Securing Cisco Networks with Threat Detection and Analysis (SCYBER) | Designed for security analysts who work in a Security Operations Center; covers essential areas of security operations competency, including event monitoring, security event/alarm/traffic analysis (detection), and incident response | Cisco Cybersecurity Specialist
Network Security Product Training | Official product training on Cisco's latest security products, including Adaptive Security Appliances, NGIPS, Advanced Malware Protection, Identity Services Engine, and Web Security Appliances. |
For more details, please visit the Learning@Cisco pages (links not legible in the source). Questions? Visit the Learning@Cisco Booth or contact ask-edu-pm-dcv@cisco.com

143 Security Joins the Customer Connection Program
Customer User Group Program, 19,000+ members strong
- Who can join: Cisco customers, service providers, solution partners and training partners
- Private online community to connect with peers & Cisco's Security product teams
- Monthly technical & roadmap briefings via WebEx
- Opportunities to influence product direction
- Local in-person meet-ups starting Fall 2016
Join in the World of Solutions, Security zone, Customer Connection stand: learn about CCP and join; new member thank-you gift* and Customer Connection member badge ribbon when you join in the Cisco Security booth.
Other CCP tracks: Collaboration & Enterprise Networks. Join online, then come to the Security zone to get your new member gift* and ribbon.
* While supplies last


More information