Firepower Platform Deep Dive


2 BRKSEC-3035 Firepower Platform Deep Dive
Andrew Ossipov, Principal Engineer

3 Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#brksec
Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Your Speaker
Andrew Ossipov, Principal Engineer
8 years in Cisco TAC
20+ years in Networking

5 Agenda
Hardware and Software
Firepower Threat Defense Overview
Security Applications on Firepower 4100 and 9300
Availability and Scalability
Deployment Example: FTD Cluster on Firepower 4100
Application Use Cases
Closing

6 Hardware and Software

7 Next Generation Platform Requirements
Modular Compute: system hardware components can be upgraded independently
Dynamic Service Insertion: dynamic service insertion based on policy and context
Architectural Scale: leverage the best of security processing components (x86, NPU, Crypto) and scale with Clustering
Rapid Inline Changes: services can be added, removed, upgraded, and modified without disrupting existing flows
No Single Failure Point: all hardware and software components are redundant and as independent as possible
3rd Party Integration: architecture built to quickly add new services as the market evolves
Deployment Agnostic: provide the same benefits in physical, virtual, and hybrid SDN environments
Unified API: offer a unified SDK/API for all services, including unified licensing and logging

8 Firepower 9300 Overview
Supervisor: application deployment and orchestration; network attachment and traffic distribution; clustering base layer for ASA or FTD
Network Modules: 10GE, 40GE, 100GE; hardware bypass for inline NGIPS
Security Modules: embedded Smart NIC and crypto hardware; Cisco (ASA, FTD) and third-party (Radware DDoS) applications; standalone or clustered within and across chassis
3RU chassis

9 Supervisor Module
Front panel: RJ-45 Console; 1GE Management Interface (SFP); built-in 10GE Data Interfaces (SFP+); optional Network Modules (NM) in slots 1 and 2
Overall chassis management and network interaction
Network interface allocation and module connectivity (960Gbps internal fabric)
Application image storage, deployment, provisioning, and service chaining
Clustering infrastructure for supported applications
Smart Licensing and NTP for entire chassis

10 Supervisor Architecture
Diagram: Supervisor x86 CPU with RAM and System Bus Ethernet attached to an Internal Switch Fabric (up to 24x40GE)
Fabric connections: Security Module 1, 2, and 3 at 2x40Gbps each; on-board 8x10GE interfaces at 2x40Gbps; NM Slot 1 and NM Slot 2 at 5x40Gbps each

11 Firepower 9300 Security Modules
Three configurations:
SM-44: 88 x86 CPU cores (54Gbps FTD NGFW)
SM-36: 72 x86 CPU cores (42Gbps FTD NGFW)
SM-24: 48 x86 CPU cores (30Gbps FTD NGFW), NEBS Level 3 Certified
Dual 800GB SSD in RAID1 by default
Built-in hardware Smart NIC and Crypto Accelerator: Flow Offload; VPN connection acceleration; transit TLS inspection with FTD

12 Security Module Architecture
Diagram: 256GB RAM; x86 CPU 1 and x86 CPU 2 (24, 36, or 44 cores each); System Bus Ethernet; Smart NIC and Crypto Accelerator attached at 2x100Gbps; 2x40Gbps backplane connection to the Supervisor

13 Firepower 4100 Overview
Built-in Supervisor and Security Module: same hardware and software architecture as 9300; fixed configurations (4110, 4120, 4140, 4150); 1RU
Solid State Drives: independent operation (no RAID); Slot 1 today provides limited AMP storage; Slot 2 adds 400GB of AMP storage
Network Modules: 10GE and 40GE interchangeable with 9300; partially overlapping fail-to-wire options

14 Firepower 4100 Architecture
Security Module RAM: 4110: 64GB; 4120: 128GB; 4140: 256GB; 4150: 256GB
x86 CPU 1: 4110: 12 cores; 4120: 12 cores; 4140: 36 cores; 4150: 44 cores
x86 CPU 2: 4110: N/A; 4120: 12 cores; 4140: 36 cores; 4150: 44 cores
Smart NIC and Crypto Accelerator connection: 4110: 1x100Gbps; other models: 2x100Gbps
Backplane connection to the fabric: 4110: 1x40Gbps; other models: 2x40Gbps
Supervisor: RAM, x86 CPU, and System Bus Ethernet attached to an Internal Switch Fabric (up to 18x40GE)
Fabric connections: on-board 8x10GE interfaces at 2x40Gbps; NM Slot 1 and NM Slot 2 at 5x40Gbps each

15 Firepower 4100/9300 Smart NIC and Crypto
Crypto Accelerator: single on 4110, dual elsewhere; up to 20Gbps IPsec/TLS each; configurable core bias to IPsec/TLS; IPsec S2S and RAVPN; TLS/DTLS RAVPN; TLS inspection assistance
Cisco Programmable NIC (Smart NIC): single on 4110, dual elsewhere; 40Gbps connectivity each; packet matching and rewrite; tracks 2M flows for Offload
Diagram: x86 CPU 1 and 2, Crypto 1 and 2, and the Smart NICs under FXOS, connected to the Internal Switch Fabric and System Bus Ethernet

16 Firepower 2100 Overview
Integrated Security Platform for FTD or ASA Application: lightweight virtual Supervisor module; embedded x86 and NPU with Hardware Crypto Acceleration; fixed configurations (2110, 2120, 2130, 2140); dual redundant power supplies on 2130 and 2140 only; 1RU
SFP/SFP+ Data Interfaces: 4x1GE on Firepower 2110 and 2120; 4x10GE on Firepower 2130 and 2140
Copper Data Interfaces: 12x1GE
Ethernet Network Module: Firepower 2130 and 2140 only; same 8x10GE SFP module as on Firepower 4100/9300

17 Firepower 2100 Overview
Designed and optimized for FTD application: Data Plane runs on integrated NPU and crypto module; threat-centric Advanced Inspection Modules run on x86; no separate Flow Offload engine
Supports ASA application as well
Single point of management for chassis and application: Firepower Device Manager (FDM) for on-box; Firepower Management Center (FMC) for multi-device

18 Firepower 2100 Architecture
x86 CPU: 2110: 4 cores; 2120: 6 cores; 2130: 8 cores; 2140: 16 cores
x86 RAM: 16GB, 32GB (2130), or 64GB (2140)
Network Processor Unit (NPU): 2110: 6 cores; 2120: 8 cores; 2130: 12 cores; 2140: 16 cores
NPU RAM: 8GB or 16GB depending on model
NPU connection to the Internal Switch Fabric: 2x10Gbps, 2x10Gbps, or 1x40Gbps depending on model
Ethernet Management interface
On-board 12x1GE copper interfaces (12x1Gbps)
On-board 4xSFP interfaces: 4x1Gbps or 4x10Gbps depending on model
8x10Gbps interface expansion module (Firepower 2130 and 2140 only)

19 Standard Network Interfaces
Supervisor attaches security modules to the network
All interfaces are called Ethernet and 1-referenced (e.g. Ethernet1/1)
All external network ports require fiber or copper transceivers
8x10GE: Firepower 2100, 4100, 9300; single width; 1GE/10GE SFP; OIR in FXOS
4x40GE: Firepower 4100 and 9300; single width; 4x10GE breakouts for each 40GE port; OIR in FXOS
2x100GE: Firepower 9300 only; double width; QSFP28 connector; no breakout support; future single-width 2x100GE and 4x100GE

20 Fail-to-Wire Network Modules
Fixed interfaces, no removable SFP support
NGIPS inline interfaces for standalone FTD 6.1+ only
Sub-second reaction time to application, software, or hardware failure
Designed to engage during unplanned failure or restart events
<90ms reaction time for Standby Bypass with full power failure
8x1GE: Firepower 2100, 4100; single width; 10M/100M/1GE copper
6x1GE: Firepower 2100, 4100; single width; 1GE fiber SX
6x10GE: Firepower 2100, 4100, 9300; single width; 10GE SR or LR
2x40GE: Firepower 4100 and 9300; single width; 40GE SR4; no 10GE breakout support

21 Maximum Transmission Unit (MTU)
Layer 2 MTU defines maximum Ethernet frame size on the wire
Mostly relevant to switches and other passive Layer 2 devices
Frames above the MTU size are discarded, not fragmented
9206 bytes on Firepower 4100/9300 in FXOS 2.1.1; 9216 bytes on 2100
Frame layout: MAC (12 bytes) | 802.1q (4 bytes) | Type (2 bytes) | IP Header (20+ bytes) | IP Payload | FCS (4 bytes)
Layer 3 MTU defines maximum IP packet size with header
Relevant to routers and devices that may perform transit IP reassembly
Packets larger than configured MTU are fragmented at IP level
Configured on per-interface basis on ASA and FTD
9184 bytes on Firepower 4100/9300 in FXOS 2.1.1; 9194 bytes on 2100
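The two MTU figures quoted above differ by exactly the tagged framing overhead drawn on the slide; the following added Python (not code from the deck) checks that relationship and models what a Layer 2 switch and a Layer 3 router each do with an oversized packet, including the fragment sizes a router produces.

```python
# Added example, not from the Cisco Live deck: relating the Layer 3 MTU to the
# Layer 2 MTU with the frame layout on the slide, and modelling a switch
# (discard) versus a router (IP fragmentation) for an oversized packet.
MAC_ADDRS = 12   # destination + source MAC
DOT1Q_TAG = 4    # 802.1q VLAN tag
ETHERTYPE = 2
FCS = 4
IP_HDR = 20      # minimum IPv4 header; options would make it larger

# Values quoted on the slide (FXOS 2.1.1 for Firepower 4100/9300)
PLATFORM_MTU = {
    "Firepower 4100/9300": {"l3": 9184, "l2": 9206},
    "Firepower 2100": {"l3": 9194, "l2": 9216},
}

def frame_size(ip_packet_len, tagged=True):
    """Bytes on the wire for an Ethernet frame carrying one IP packet."""
    return MAC_ADDRS + (DOT1Q_TAG if tagged else 0) + ETHERTYPE + ip_packet_len + FCS

def l2_mtu_for(l3_mtu):
    """Layer 2 MTU needed so a tagged, full-size IP packet is not discarded."""
    return frame_size(l3_mtu, tagged=True)

def platform_mtus_consistent(name):
    """True if the slide's L2 and L3 figures differ by exactly the tagged framing overhead."""
    mtu = PLATFORM_MTU[name]
    return l2_mtu_for(mtu["l3"]) == mtu["l2"]

def switch_action(frame_len, l2_mtu):
    """Layer 2 device: frames above the MTU are discarded, never fragmented."""
    return "forward" if frame_len <= l2_mtu else "discard"

def router_action(ip_packet_len, l3_mtu, dont_fragment=False):
    """Layer 3 device: oversized packets are fragmented unless DF is set."""
    if ip_packet_len <= l3_mtu:
        return "forward"
    return "drop (DF set, ICMP fragmentation needed)" if dont_fragment else "fragment"

def fragment_lengths(ip_packet_len, l3_mtu, ip_hdr=IP_HDR):
    """Total lengths of the IPv4 fragments a router emits for an oversized packet.
    Every fragment but the last carries a payload that is a multiple of 8 bytes."""
    if ip_packet_len <= l3_mtu:
        return [ip_packet_len]
    payload = ip_packet_len - ip_hdr
    per_fragment = ((l3_mtu - ip_hdr) // 8) * 8
    lengths = []
    while payload > 0:
        chunk = min(per_fragment, payload)
        lengths.append(ip_hdr + chunk)
        payload -= chunk
    return lengths
```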

22 Firepower 4100/9300 Software
Supervisor and security modules use multiple independent images
All images are digitally signed and validated through Secure Boot
Security application images are in Cisco Secure Package (CSP) format: primary application from Cisco (Native); decorator application from third-party (KVM)
FXOS upgrades are applied to Supervisor and resident provisioning agent on modules
Supervisor stores CSP application images
Diagram: Firepower Extensible Operating System (FXOS) on the Supervisor; Security Modules 1, 2, and 3 each running FXOS with FTD, with a DDoS decorator alongside FTD on one module

23 Firepower Platform Bundle
Platform Bundle contains all Supervisor and module firmware images
Image name legend (fxos-9000-k...gspa): platform, encryption, version, [g]db, [S]igned, [S]pecial key or [P]roduction, revision
FXOS creates an environment for security applications
Supervisor automatically selects components to upgrade
Relevant components are reloaded automatically during the upgrade
FTD application bundle on Firepower 2100 includes virtual FXOS image

24 Firepower Supervisor CLI Interface
FXOS uses object-based CLI representation similar to UCS Manager
scope, enter, or exit: select a command mode within the hierarchy
create: instantiates a new configuration object within the hierarchy
set: assigns a value to a configuration variable or object
show: displays object content
commit-buffer: applies changes to the running configuration
FP9300# scope eth-uplink
FP9300 /eth-uplink # scope fabric a
FP9300 /eth-uplink/fabric # create port-channel 2
FP9300 /eth-uplink/fabric/port-channel* # create member-port 1 11
FP9300 /eth-uplink/fabric/port-channel* # create member-port 1 12
FP9300 /eth-uplink/fabric/port-channel* # set speed 10gbps
FP9300 /eth-uplink/fabric/port-channel* # commit-buffer
FP9300 /eth-uplink/fabric/port-channel # exit
Read-only access on Firepower 2100 with FTD

25 Firepower Threat Defense Overview

26 Security Application Convergence
ASA: L2-L4 Stateful Firewall; scalable CGNAT, ACL, routing; application inspection
FirePOWER: threat-centric NGIPS; AVC, URL Filtering for NGFW; Advanced Malware Protection
Firepower Threat Defense (FTD): converged NGFW/NGIPS image on Firepower 4100/9300 and ASA5500-X platforms; single point of management with Firepower Management Center (FMC); full FirePOWER functionality for NGFW/NGIPS deployments; ASA Data Plane with TCP Normalizer, NAT, ACL, dynamic routing, failover, clustering

27 Architecture and Logical Packet Flow
Diagram of the FTD packet path:
Data Plane (Lina): Packet RX, Ingress Checks, Flow Lookup (existing or new flow), New Flow Creation (Prefilter Policy, Clustering, VPN), Normalization, Fastpath, Verdict, Egress Checks, Packet TX
Advanced Inspection Modules (Snort): Main Access Policy, IP Reputation and SI, Anomaly, NGIPS, AMP
Flows that are not Fastpathed in the Data Plane are handed (by pointer) to Snort, whose verdict returns to the Data Plane before egress

28 Monitoring System Utilization
Data Plane (most transit traffic):
ftd# show cpu detailed
Break down of per-core data path versus control point cpu usage:
Core      5 sec        1 min        5 min
Core ( ) 1.1 ( ) 0.9 ( )
Core ( ) 1.8 ( ) 1.5 ( )
[ ]
Core ( ) 0.0 ( ) 0.0 ( )
Control Plane (network control and application inspection)
Advanced Inspection Modules:
ftd# show asp inspect-dp snort
SNORT Inspect Instance Status Info
Id Pid Cpu-Usage Conns Segs/Pkts Status
tot (usr sys)
% ( 1% 0%) READY
% ( 0% 0%) READY
[ ]
% ( 2% 0%) READY
Annotated columns: Inspection Load (Cpu-Usage), Load Distribution (Conns, Segs/Pkts), Processing State (Status)

29 NGFW Interface Modes
Must choose routed or transparent at deployment
Routed: FTD with inside, outside, and DMZ interfaces, each in its own /24 subnet
Transparent: FTD bridging inside, outside, and DMZ; must configure IP on BVI in transparent mode
Integrated Routing and Bridging combines both in routed mode
Routed with IRB: inside1 and inside2 bridged as BVI:inside (/24), routed to outside and DMZ (/24)
Full feature set and state enforcement
VLAN or VxLAN ID must change during traversal

30 NGIPS Interface Modes
Any unused interface in routed/transparent can be in NGIPS mode
Inline: FTD with Eth1/1 and Eth1/2 paired; Inline Tap: FTD with Eth1/1 and Eth1/2; Passive: FTD on Eth1/1
Inline pairing at physical/etherchannel level; inline sets allow asymmetry
True pass-through mode for VLAN
LACP pass-through is supported with standalone interfaces in FXOS
Most classic firewall functionality is disabled; all security policies still apply
Data Plane tracks connections for HA/clustering with no state enforcement
NAT, application inspection, and similar ASA-style functionality is disabled
Flow Offload is not triggered

31 Prefilter Policy
First access control phase in Data Plane for each new flow
Block: deny the flow without any further processing
Fastpath: allow and process entirely in Data Plane, attempt Flow Offload
Analyze: pass for evaluation in Main AP, optionally assign tunnel zone
Not a high performance substitute for true NGFW policies: non-NGFW traffic match criteria
Use cases: limited early IP blacklisting; tunneled traffic inspection; allowing high-bandwidth and low latency trusted flows (Flow Offload)

32 Main Access Policy
Second and final access control phase in Snort
Block [with reset]: deny connection [and TCP RST]
Interactive Block [with reset]: show HTTP(S) block page [and TCP RST]
Monitor: log event and continue policy evaluation
Trust: push all subsequent flow processing into Data Plane only
Allow: permit connection to go through NGIPS/File inspection
Appropriate place for implementing NGFW policy rules: full NGFW traffic selection criteria; decisions may need multiple packets
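The two-phase evaluation described on slides 31 and 32 is modelled in the following added Python (not code from the deck or from FTD); the rule format, field names and sample rules are constructed for illustration and are not FMC's rule syntax.

```python
# Added example, not from the deck: a small model of FTD's two access-control
# phases, the Prefilter Policy in the Data Plane (block / fastpath / analyze)
# and the Main Access Policy in Snort (block / monitor / trust / allow).
# Rule fields, actions and sample rules are constructed assumptions.
from dataclasses import dataclass, field

@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: int
    app: str = None          # application identity; Snort needs several packets to learn it
    tunnel_zone: str = None  # assigned by a Prefilter "analyze" rule
    log: list = field(default_factory=list)

@dataclass
class Rule:
    action: str              # prefilter: block/fastpath/analyze; main AP: block/monitor/trust/allow
    match: dict              # flow attribute -> required value (all must match)
    tunnel_zone: str = None  # analyze rules may tag the flow for the Main AP

def matches(rule, flow):
    return all(getattr(flow, k) == v for k, v in rule.match.items())

def prefilter(flow, rules):
    """Phase 1, Data Plane: first match wins; default is analyze (hand to Snort)."""
    for r in rules:
        if matches(r, flow):
            if r.action == "analyze" and r.tunnel_zone:
                flow.tunnel_zone = r.tunnel_zone
            return r.action
    return "analyze"

def main_access_policy(flow, rules, default="block"):
    """Phase 2, Snort: monitor rules log and keep evaluating; the first
    block/trust/allow match decides."""
    for r in rules:
        if matches(r, flow):
            if r.action == "monitor":
                flow.log.append(f"monitor: {r.match}")
                continue
            return r.action
    return default

def evaluate(flow, prefilter_rules, ap_rules):
    """Returns (deciding phase, verdict, where the rest of the flow is processed)."""
    pf = prefilter(flow, prefilter_rules)
    if pf == "block":
        return ("prefilter", "block", "dropped in Data Plane")
    if pf == "fastpath":
        return ("prefilter", "fastpath", "Data Plane only, Flow Offload attempted")
    ap = main_access_policy(flow, ap_rules)
    path = {
        "block": "dropped by Snort verdict",
        "trust": "Data Plane only after verdict",
        "allow": "NGIPS/File inspection in Snort",
    }[ap]
    return ("main-ap", ap, path)

# Constructed sample policies (documentation-range addresses, not real rules)
PREFILTER = [
    Rule("block", {"src": "203.0.113.9"}),                                  # early IP blacklisting
    Rule("fastpath", {"proto": "udp", "dst": "10.0.0.50", "dport": 2049}),  # trusted bulk flow
    Rule("analyze", {"proto": "gre"}, tunnel_zone="gre-tunnels"),           # tunneled traffic
]
MAIN_AP = [
    Rule("monitor", {"dport": 443}),                 # log every HTTPS flow, keep evaluating
    Rule("trust", {"tunnel_zone": "gre-tunnels"}),   # zone assigned by the analyze rule above
    Rule("block", {"app": "bittorrent"}),            # needs app identity, i.e. several packets
    Rule("allow", {"dport": 443}),
    Rule("allow", {"dport": 80}),
]
```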

33 FlexConfig Policies
Device-level free form CLI policies that follow ASA syntax
Supports pre-defined object templates and completely custom objects
Natively managed feature commands are blocked
Must push an object with negated commands to remove
FlexConfig is only supported on a best-effort basis
Deploy Once; Everytime is for interactions with managed features
Always select Append rather than Prepend type

34 Security Applications on Firepower 4100 and 9300

35 Security Applications Overview
Security services that run on Firepower 9300 modules or 4100
Primary application consumes full resources of an entire module: ASA or FTD; no plans for standalone NGIPS image; all modules in a chassis run the same primary application
A decorator application shares a security module with a primary: traffic flows from network interface through decorator to primary application; service chaining with Radware vdefensepro decorator and ASA or FTD 6.2+

36 Firepower 4100/9300 Security Services Architecture
Diagram: Supervisor with Application Image Storage; on-board 8x10GE interfaces (Ethernet 1/1-8); 4x40GE NM Slot 1 (Ethernet 2/1-4); 4x40GE NM Slot 2 (Ethernet 3/1-4)
Logical Device: FTD Cluster across Security Module 1, 2, and 3 (Primary Application), each module also hosting a DDoS Decorator Application joined to FTD by a Unit Link
Data Outside on PortChannel2, Data Inside on PortChannel1, Ethernet1/7 (Management)
Logical Packet Flow: from the network interface through the decorator to the primary application

37 Radware vdefensepro Summary
Available Services: Application Behavioral HTTP Flood Protection; Server Cracking Protection; Signature Protection; Server DNS Protection; Anti-Scan; Connection Limit; Connection PPS Limit; Per-flow PPS Limit; Network Behavioral DoS; SYN Protection; Out-Of-State; Blacklist/Whitelist (BL/WL)
Supported with ASA and FTD on Firepower 4100 and 9300
vdp on Firepower 4110 is not supported with ASA only
Up to 14Gbps of dirty traffic per module on 6 allocated x86 CPU cores
Configurable CPU resource allocation in FXOS
Mbps-10Gbps of clean output based on a strictly enforced license
Linear scaling with intra- and inter-chassis clustering

38 Detailed Inbound Flow with Radware vdp (For Your Reference)
Topology: three chassis, each with a Supervisor, a Radware vdp module (vdp Cluster, Modules 1-3) and an FTD module (FTD Cluster, Modules 1-3); Outside is decorated, Inside is undecorated
1. TCP request from /1024 to /80
2. Supervisor: two-tuple symmetric hash on {SRC_IP= , DST_IP= } selects the vdp module
3. Five-tuple symmetric hash on {Proto=TCP, SRC_IP= , SRC_PORT=1024, DST_IP= , DST_PORT=80} selects the FTD module
4. Static NAT / /80
5. TCP response from /80 to /1024
6. Five-tuple symmetric hash on {Proto=TCP, SRC_IP= , SRC_PORT=80, DST_IP= , DST_PORT=1024}
7. ASA cluster statefully redirects to owner, owner reverses NAT
8. Two-tuple symmetric hash on {SRC_IP= , DST_IP= }

39 Future Vision: Multiple Logical Devices
Multiple ASA/FTD application containers on a single blade
Each application instance represents a tenant
CPU/memory resources are dedicated to an instance at provisioning
Physical and logical VLAN separation at Supervisor
Diagram: a Firepower 4100 or Firepower 9300 module hosting FTD Instance A (4 CPU), FTD Instance B (2 CPU), FTD Context C (12 CPU), FTD Context D (4 CPU), and ASA Context A (12 CPU), attached through Ethernet1/1-3, Ethernet1/4-5, and Port-Channels
Full tenant management and domain separation in FMC

40 Future Vision: Security Service Chaining (For Your Reference)
Contextual policy- and outcome-based service insertion
Metadata exchange with Network Services Header (NSH)
Service Classifier (SC) and Service Function Forwarder (SFF) direct incoming traffic through necessary services
Service Function (SF) processes packet, attaches metadata, and returns to SFF
SF, SC, and SFF may influence service path based on policy, context, and metadata
Diagram: input packets enter a Security Module whose Stateful Data Path chains DDoS, FTD, and further services before output packets leave

41 Smart Licensing
Cisco applications request feature license entitlements from Supervisor or FMC
Third-party applications may use out-of-band licensing
Supervisor or FMC fulfill aggregated entitlement requests with Smart backend through a direct Internet connection, HTTP/HTTPS Proxy, or an on-premise Satellite connector
Diagram: ASA, FTD, and DDoS applications request entitlements from the Supervisor, which reaches Cisco Smart Licensing directly, through an HTTP/HTTPS Proxy, or through a Satellite Connector
ASA entitlements: Strong Encryption, Security Contexts, Carrier Inspections
FTD entitlements: Threat, Malware, and URL Services

42 Management Overview
Chassis management is independent from applications: on-box chassis manager UI, CLI, and REST; SNMP and syslog support for chassis level counters/events on Supervisor
Applications are managed through their respective interfaces: CLI, REST API, ASDM, and Cisco Security Manager (CSM) for ASA; off-box Firepower Management Center (FMC) for FTD; off-box APSolute Vision for Radware vdp
Future off-box FMC support for both chassis and FTD management (already supported on Firepower 2100)

43 Availability and Scalability

44 High Availability and Scalability Options
Application | High Availability | High Scalability (Firepower 9300 only) | High Availability and Scalability (Firepower 4100/9300 only)
ASA | Active/Standby Failover (2 modules or appliances); Active/Active Failover (2 modules or appliances) | Intra-chassis Clustering (up to 3 modules, 240Gbps) | Inter-chassis Clustering (up to 16 modules, 1.2Tbps)
FTD | Active/Standby HA (2 modules or appliances) | Intra-chassis Clustering (up to 3 modules, 100Gbps) | Inter-chassis Clustering (up to 6 modules, 270Gbps)
Radware vdp | - | Intra-chassis Clustering (up to 3 modules, 42Gbps) | Inter-chassis Clustering (up to 16 modules, 224Gbps)

45 FTD HA and Clustering
FTD inherits failover and clustering infrastructure from ASA
Replicates full NGFW/NGIPS configuration and opaque flow state
Supports all NGFW/NGIPS interface modes
Interface and Snort instance (at least 50%) health monitoring
Zero-downtime upgrades for most applications
Ensures full stateful flow symmetry in both NGIPS and NGFW modes
HA/Failover: both directions of a flow traverse a single active unit (Active and Standby FTD joined by an HA Link, attached to the network with vPC)
Clustering: all packets for a flow are redirected to the connection Owner (FTD Cluster attached to the network with vPC)

46 FTD and ASA Clustering Overview
Inter-Chassis Cluster Control Link: cluster of up to 16 modules across 5+ chassis; off-chassis flow backup for complete redundancy
Intra-Chassis Cluster Control Link: same-application modules can be clustered within chassis; bootstrap configuration is applied by Supervisor
Diagram: Switch 1 and Switch 2 (Nexus vPC) connected to Chassis 1 and Chassis 2, each with a Supervisor and three FTD modules forming one FTD Cluster

47 Clustering Changes for Firepower 4100/9300
Only Spanned Etherchannel interface mode is supported
Additional off-chassis flow backup for N+1 chassis-level fault tolerance
Firewall context mode on ASA and SSL ciphers are replicated
HTTP flows not replicated by default until 5 seconds of uptime:
asa(config)# cluster replication delay http
Chassis- and cluster-level overflow protection syslogs:
%ASA : CPU load 80% of module 1 in chassis 1 (unit-1-1) exceeds overflow protection threshold CPU 75%. System may be oversubscribed on member failure.
%ASA : Memory load 80% of chassis 1 exceeds overflow protection threshold memory 78%. System may be oversubscribed on chassis failure.

48 New TCP Flow with FTD Inter-Chassis Clustering
Global role: M = Master. Per-connection roles: O = Owner, D = Director, F = Forwarder, B = Off-Chassis Backup
Topology: Chassis 1 with FTD Module 1 (Owner), Module 2, Module 3 (Director); Chassis 2 with FTD Module 1 (Backup), Module 2 (Master), Module 3 (Forwarder)
1. Client attempts new flow with TCP SYN
2. C1M1: become Owner, add SYN Cookie, send to Server
3. Server responds with TCP SYN ACK through another unit
4. C2M3: redirect to Owner C1M1 from SYN Cookie, become Forwarder
5. C1M1: send to Client
6. C1M1: calculate Director C1M3, send flow update
7. C1M1: calculate off-chassis Backup C2M1, send update
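The following added Python (not code from the deck or from Cisco) is a simplified model of the symmetric hashing on slide 38 and the per-connection roles on slide 48: it walks an inbound, statically NATed TCP request through a vdp cluster and a two-chassis FTD cluster. The hash function, the SYN-cookie encoding, the Director and Backup selection rules and all addresses are constructed assumptions.

```python
# Added example, not from the deck: a simplified model of (a) the symmetric
# two-tuple and five-tuple hashes that spread flows over Radware vdp and FTD
# cluster members (slide 38) and (b) the Owner / Forwarder / Director / Backup
# roles an FTD cluster assigns to a new TCP flow via a SYN cookie (slide 48).
# Hash, cookie encoding, unit-selection rules and addresses are all assumptions.
import hashlib

UNITS = ["C1M1", "C1M2", "C1M3", "C2M1", "C2M2", "C2M3"]  # two chassis, three modules each

def _h(*parts):
    """Deterministic 64-bit hash of the given fields (stand-in for the real hash)."""
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(digest[:8], "big")

def two_tuple_symmetric(ip_a, ip_b, n):
    """vdp member index: sorting the endpoints makes both directions hash alike."""
    return _h(*sorted((ip_a, ip_b))) % n

def five_tuple_symmetric(proto, src_ip, sport, dst_ip, dport, n):
    """FTD/ASA member index, symmetric in the same way but port-aware."""
    return _h(proto, *sorted(((src_ip, sport), (dst_ip, dport)))) % n

class FtdCluster:
    def __init__(self, units):
        self.units = units
        self.conns = {}  # connection key -> roles and NAT state

    @staticmethod
    def key(proto, ip1, p1, ip2, p2):
        return (proto,) + tuple(sorted(((ip1, p1), (ip2, p2))))

    def dispatch(self, proto, src_ip, sport, dst_ip, dport):
        """Unit that receives a packet from the network (switch + Supervisor hashing)."""
        return self.units[five_tuple_symmetric(proto, src_ip, sport, dst_ip, dport, len(self.units))]

    def handle_syn(self, unit, src_ip, sport, vip, dport, real_ip):
        """Step 2: the receiving unit becomes Owner. Static NAT maps vip -> real_ip,
        and the Owner's index is stored in the low bits of the SYN cookie (the
        initial sequence number sent toward the server). Constructed encoding."""
        k = self.key("tcp", src_ip, sport, real_ip, dport)       # post-NAT connection
        cookie = (_h("isn", k) & ~0x7) | self.units.index(unit)
        self.conns[k] = {"owner": unit, "nat": (vip, real_ip), "cookie": cookie}
        return cookie

    def handle_syn_ack(self, unit, server_ip, sport, client_ip, dport, ack):
        """Steps 4-7: the unit receiving the server's SYN ACK recovers the Owner
        from the cookie (ack - 1), redirects to it and becomes Forwarder; the Owner
        then picks a Director (hash across all units) and an off-chassis Backup."""
        k = self.key("tcp", server_ip, sport, client_ip, dport)
        conn = self.conns[k]
        owner = self.units[(ack - 1) & 0x7]
        assert owner == conn["owner"], "cookie did not identify the owner"
        conn["forwarder"] = unit if unit != owner else None
        conn["director"] = self.units[_h("director", *k) % len(self.units)]
        conn["backup"] = next(u for u in self.units if u[:2] != owner[:2])
        return conn

def inbound_flow(client="198.51.100.10", cport=1024, vip="203.0.113.80", real="10.0.0.80"):
    """Walks slide 38's inbound request and response through both clusters."""
    vdp_members = 3
    ftd = FtdCluster(UNITS)
    result = {}
    result["vdp_in"] = two_tuple_symmetric(client, vip, vdp_members)               # step 2
    syn_unit = ftd.dispatch("tcp", client, cport, vip, 80)                          # step 3
    cookie = ftd.handle_syn(syn_unit, client, cport, vip, 80, real)                 # step 4: NAT, Owner
    synack_unit = ftd.dispatch("tcp", real, 80, client, cport)                      # steps 5-6: post-NAT 5-tuple
    conn = ftd.handle_syn_ack(synack_unit, real, 80, client, cport, cookie + 1)     # step 7: redirect to Owner
    result["vdp_out"] = two_tuple_symmetric(vip, client, vdp_members)              # step 8: NAT already reversed
    result.update(syn_unit=syn_unit, synack_unit=synack_unit, roles=conn)
    return result
```

Because the server's SYN ACK carries the real address rather than the VIP, its five-tuple hashes differently from the client's SYN, which is why some flows land on a non-owner unit and need the cookie-based redirect; without NAT the symmetric hash alone keeps both directions on one unit.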

49 Inter-Site Clustering with ASA or FTD
North-South insertion with LISP inspection and owner reassignment: Inter-Chassis Cluster spanning Site A and Site B over OTV
East-West insertion for first hop redundancy with VM mobility: Inter-Chassis Cluster spanning Site A and Site B over OTV

50 Radware vdp Clustering (For Your Reference)
Requires intra-chassis ASA or FTD clustering for operation
Control link is shared with primary application and automatically configured
Health checks tie primary application and vdp instances on a module together
1. vdp Master/Slave instances are configured and managed independently (APSolute Vision)
2. Time-based secret value is replicated from Master to Slaves
3. Asymmetrical L7 session authentication with cookies uses the same secret value across the cluster
Diagram: vdp Module 1 (Master), Module 2 and Module 3 (Slaves) in a vdp Cluster; a client cookie issued by one module is validated ("Cookie? OK!") on another

51 Turbo Performance Mode (For Your Reference)
Automatically enabled on all Firepower 9300 modules in FXOS
Accelerates FTD and ASA performance on demand: all x86 CPU cores on a module temporarily increase clock frequency
Triggered when 25% of ASA or FTD Data Plane cores reach 80% load; disabled when all cores drop below 60% load
Boosts performance by 10-20%

52 Transport Layer Security
Secure Sockets Layer (SSL) is broken, obsolete and no longer in use
Transport Layer Security (TLS) is the current generic protocol layer
Handshake between Client and Server:
PKI Phase: Client sends ClientHello with Server Name Identifier (SNI); Server sends ServerHello, ServerCertificate, ServerHelloDone; Client sends ClientKeyExchange, ChangeCipherSpec, Finished; Server sends ChangeCipherSpec, Finished
Bulk Data Phase: ApplicationData
Some detectors do not need full session decryption until TLS 1.3
Cleartext SNI extension indicates where client may be going (spoofable)
ServerCertificate contains server identity (legitimate, if CA is trusted)

53 Man-in-the-Middle (MITM) Decryption of TLS
MITM TLS inspection is two separate sessions with client and server
Client side: the client sees the FTD (Resign) public key or the Server (Known) public key; Server side: FTD sees the Server public key
Public Key Pinning breaks Resign mode
Client certificate authentication or custom encryption always break MITM
Hardware acceleration of PKI and Bulk Data phases still leans on the x86 CPU: x times performance improvement with large transfers (Bulk Data); 7-8 times performance improvement with a transactional profile (PKI)

54 Single-Flow Performance Considerations
A single stateful flow must be processed by one CPU core at a time: trying to share a complex data structure leads to race conditions; stateless parallel processing leads to out-of-order packets
No magic trick to single-flow throughput: deploy more powerful CPU cores; reduce the amount of security inspection; pay the performance price for real security or deploy a router or a switch instead

55 Managing Single-Flow Throughput
Roughly calculated as overall throughput divided by Snort cores: 53Gbps of 1024-byte AVC+IPS on SM44 / 48 Snort cores = ~1.1Gbps
Similar on most high-end ASA, FirePOWER, and Firepower platforms
Reducing impact on all flows from a few superflows is more important
Checking if an NGFW automatically reduces inspection is easy: transfer multiple benign and malicious files over a single SMB session; use HTTP pipelining to service multiple requests over one TCP connection
What does your security policy tell you to do? NGFW performance capacity must not dictate your security policy
Flow Offload vs Intelligent Application Bypass (IAB)

56 Flow Offload on Firepower 4100/9300
Trusted flow processing with limited security visibility in Smart NIC
Up to 39.7Gbps of single-flow UDP throughput with 1500-byte packets
2.9us latency with 64-byte UDP packets
Use for long-lived connections only
Supports up to 4M offloaded stateful connections in FXOS
Static offload for unicast flows on ASA with IP/SGACL in MPF:
policy-map OFFLOAD_POLICY
 class TRUSTED_FLOWS
  set connection advanced-options flow-offload
Offload multicast in transparent mode with 2 bridge group ports in ASA 9.6(2)
Pre-filter offload policy for IP/TCP/UDP Trust rules in FTD 6.1

57 Flow Offload Operation
Dynamically program Offload engine after flow establishment
Ability to switch between Offload and full inspection on the fly
Full Inspection (x86 CPU complex on the Security Module running the full FTD or ASA engine): new and fully inspected flows; sends Offload instructions to the Smart NIC and receives flow updates from it
Flow Offload (Smart NIC with Flow Classifier and Rewrite Engine): established trusted flows; limited state tracking, NAT/PAT, TCP Seq Randomization
20-40Gbps per single TCP/UDP flow, 2.9us UDP latency, 4M tracked flows

58 TCP Flow Handling with Flow Offload (For Your Reference)
Participants: Flow Classifier and Rewrite Engine (Smart NIC), ASA or FTD
Establishment: TCP SYN, TCP SYN ACK, TCP ACK, and the first TCP Data segment each find no flow match in the Flow Classifier and are processed by ASA or FTD; TCP conn open; ASA or FTD issues a Flow offload request and an Offload entry is installed in the Flow Classifier
Exchange: subsequent TCP Data matches the flow entry and is processed in the Offload Path by the Rewrite Engine, with byte count monitoring
Teardown: TCP FIN matches the flow entry and triggers conn termination, flow data sync to ASA or FTD, and end of flow offload; TCP FIN ACK finds no match and is processed by ASA or FTD

59 Deployment Example: FTD Cluster on Firepower 4100

60 Chassis Manager: Interface Configuration
All Chassis: Create a Spanned Etherchannel for data
All Chassis: Data interfaces will remain suspended until cluster is formed
All Chassis: Add CCL member ports to special Etherchannel
All Chassis: Application management port for FTD/ASA
All Chassis: Optional interface for FTD event generation

61 Chassis Manager: Add Logical Device
All Chassis: Add new device
All Chassis: Locally significant logical device name
All Chassis: Application type
All Chassis: Application version from locally loaded images
All Chassis: Clustered device
Master Chassis: Build a new cluster configuration

62 Chassis Manager: FTD Logical Device Creation
All Chassis: Verify and assign any additional data interfaces. Do not unassign Po48 (inter-chassis CCL).
All Chassis: Configure logical device properties for chassis (4100) or modules (9300)

63 Chassis Manager: FTD Device Cluster Information
All Chassis: Each chassis must have a unique numerical ID
All Chassis: Multiple chassis may share same site ID with inter-site clustering
All Chassis: CCL control plane encryption key must match
Master Chassis: Globally significant cluster name
Master Chassis: Dedicated application management interface

64 Chassis Manager: FTD Device Settings
All Chassis: FMC management registration key must match
All Chassis: Application management password for CLI
Master Chassis: FMC IP address to connect with
Master Chassis: Optional default domain name
Master Chassis: NGFW operating mode
Master Chassis: Optional default DNS server
Master Chassis: Optional cluster FQDN
Master Chassis: Optional interface for FTD events

65 Chassis Manager: FTD Device Interface Information
All Chassis: Management interface addressing: IPv4, IPv6, or both
All Chassis: Local member application management IP (4100) or pool (9300)
All Chassis: Application management interface subnet
All Chassis: Default gateway for application management interface

66 Chassis Manager: FTD Device Installation
All Chassis: Monitor logical device deployment status

67 Chassis Manager: Export Cluster Configuration
Master Chassis: Clone common cluster configuration elements to other chassis

68 Chassis Manager: Adding Chassis to Cluster
Other Chassis: Clone the cluster configuration from the master chassis when adding a new chassis

69 FMC: Add Individual Cluster Members
Add individual clustered chassis or modules to FMC first
All Chassis/Modules: FTD application management IP
All Chassis/Modules: Unique display name in FMC
All Chassis: FMC registration key must match logical device configuration
All Chassis/Modules: Feature licenses must match across the entire cluster

70 FMC: Add Cluster
Proceed only when the cluster is formed and all members are added to FMC
Select master chassis or module
Choose cluster name in FMC
Verify that all slave chassis or modules are automatically populated

71 Application Use Cases

72 Application Positioning Summary
ASA is a powerful and scalable solution for basic stateful segmentation
  Ease of integration and scaling in large and distributed data centers
  Infrastructure and Internet edge protection for service providers
  Scalable and full-featured RAVPN termination
FTD is a comprehensive threat-centric security solution
  NGIPS for data center and service provider environments
  NGFW for edge protection and single- or multi-site data centers
Radware vDP is a behavioral DDoS mitigation solution
  NGFW Internet edge protection for web commerce and service provider environments

73 ASA or FTD in Data Center
Routed or transparent insertion into common data center topologies
  vPC, VxLAN, PBR, OSPFv2/v3, BGP-4, ECMP, NSF/GR, PIM-SM, BSR
  Integrated Routing and Bridging (IRB) in ASA 9.7(1) and FTD 6.2
Scalable IP and TrustSec policies in single or multiple contexts
Same- and inter-site clustering with LISP integration
[Diagram: Layer 2 data center (core/edge, services, distribution/aggregation, access, endpoints) vs Layer 3 data center (spine nodes, leaf nodes, endpoints)]

74 Data Center Segmentation with IRB
Different bridge groups (IP subnets) are routed to each other by a single FTD/ASA context or instance
Different VLAN/VxLAN segments (security zones) in the same IP subnet are bridged together and separated by transparent FTD/ASA
Each security zone within a subnet is modeled as a separate VLAN (physical hosts) or VxLAN (virtual machines)
A single IP subnet contains endpoints from multiple different security zones
[Diagram: FTD/ASA with BVI 1 (VLAN 11) and a second BVI, VLAN trunk to the switch, Subnet A and Subnet B]

75 Private VLAN Remapping with ASA (For Your Reference)
ASA 9.5(2) can re-map a set of secondary VLANs to a primary VLAN interface
  Ethernet1/3
  vlan 100 secondary 110, 120, 130
ASA maps frames received from secondary VLANs to the primary VLAN subinterface and then processes them normally
Switch assigns ports to secondary VLANs and enforces connectivity between different port types within the primary VLAN
  Community ports can only talk to each other and promiscuous ports
  Promiscuous ports can talk to any other port
  Isolated ports can only talk to promiscuous ports
Private VLAN trunk transmits upstream traffic for all secondary and primary VLANs
[Diagram: Primary VLAN 100 with secondary VLANs 110 (Community), 120 (Promiscuous), 130 (Isolated) on the switch; VLAN 100 on the ASA]

76 ASA and FTD for Scalable VPN Termination
Use standalone modules or failover for scaling S2S and RA VPN
Reverse Route Injection (RRI) with dynamic crypto maps and OSPF/BGP
[Diagram: RAVPN with ASA Load-Balancing (Chassis 1 and Chassis 2, master ASA/FTD, RRI from each); S2S VPN with Nexus ITD (Chassis 1 and Chassis 2 behind an Intelligent Traffic Director VIP, RRI from each, /24 subnets)]

77 ASA for Service Providers (For Your Reference)
Protect mobile backhaul connection with scalable S2S VPN
Stateful Internet edge protection and CGNAT for mobile clients
Stateful Internet edge protection with multiple-context mode for hosted services
Protect roaming agreements and billing systems with GTP/Diameter inspection and advanced filtering policies
Stateful perimeter protection for external (Type III) SP
[Diagram: Evolved Packet Core (MME, S-GW, PCRF, HSS, P-GW), Hosted Services, Internet, Roaming Partner (MME, S-GW), External Service Provider (PCRF)]

78 ASA Application Inspection (For Your Reference)
Protocol conformance, NAT/PAT rewrites, dynamic ACL pinholes
SIP inspection for scalable VoIP environments (>10K calls per second)
SCTP, Diameter, and GTPv2 inspection for carriers in ASA 9.5(2)
TLS Proxy with SIP; multi-core Diameter inspection in ASA 9.6(1)
Endpoints establish an inspected control channel TLS connection over TCP
ASA uses pre-configured trustpoints to cut into the TLS connection, inspect traffic, and open secondary connections as necessary

79 Carrier Grade NAT on FTD and ASA (For Your Reference)
Fully conforms to RFC 6888 except Port Control Protocol (PCP) support
High single-module capacity and further scalability with clustering
  60M+ concurrent NAT translations per module with ASA
  500K+ new translation creations per second per module with ASA
Port Block Allocation for PAT reduces logging volume in ASA 9.5(2)
  Each PAT client is assigned blocks of ports (512 each by default) for translation
  A single syslog is recorded for each block allocation event
%ASA : Allocated TCP block of ports for translation from inside: to outside: /
%ASA : Released TCP block of ports for translation from inside: to outside: /
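With Port Block Allocation the firewall no longer logs every translation, so answering "which inside host held mapped address X, port Y, at time T" means replaying the Allocated/Released block events in order. The following added example (not Cisco code and not from the slides) does that replay over constructed sample lines that follow the message text on the slide; the numeric syslog ID is a placeholder, and the last sample line re-allocates a block whose release was never logged, to show how a lost Released event shows up as an ambiguous attribution.

```python
"""Map a CGNAT mapped IP/port back to the inside host from ASA Port Block
Allocation (PBA) syslogs.

Added example for this page, not Cisco code and not from the slides. The log
lines are constructed to follow the message text shown on the slide; the
numeric syslog ID is a placeholder (NNNNNN) because the slide does not give it.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

TS_FORMAT = "%b %d %Y %H:%M:%S"

# Constructed sample PBA events. The last line re-allocates a block whose
# release was never logged, to show how a lost Released message is detected.
SAMPLE_LOG = "\n".join([
    "Mar 10 2017 10:00:01 fw1 %ASA-6-NNNNNN: Allocated TCP block of ports for translation from inside:10.1.1.5 to outside:192.0.2.10/1024-1535",
    "Mar 10 2017 10:00:02 fw1 %ASA-6-NNNNNN: Allocated TCP block of ports for translation from inside:10.1.1.6 to outside:192.0.2.10/1536-2047",
    "Mar 10 2017 10:05:00 fw1 %ASA-6-NNNNNN: Released TCP block of ports for translation from inside:10.1.1.5 to outside:192.0.2.10/1024-1535",
    "Mar 10 2017 10:05:30 fw1 %ASA-6-NNNNNN: Allocated TCP block of ports for translation from inside:10.1.1.7 to outside:192.0.2.10/1024-1535",
    "Mar 10 2017 10:06:00 fw1 %ASA-6-NNNNNN: Allocated UDP block of ports for translation from inside:10.1.1.5 to outside:192.0.2.11/1024-1535",
    "Mar 10 2017 10:08:00 fw1 %ASA-6-NNNNNN: Allocated TCP block of ports for translation from inside:10.1.1.8 to outside:192.0.2.10/1536-2047",
])

PBA_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-\w+: "
    r"(?P<event>Allocated|Released) (?P<proto>TCP|UDP) block of ports for translation "
    r"from (?P<in_ifc>\w+):(?P<real_ip>[\d.]+) "
    r"to (?P<out_ifc>\w+):(?P<mapped_ip>[\d.]+)/(?P<start>\d+)-(?P<end>\d+)$"
)


@dataclass
class BlockLease:
    """One port block held by one inside host between allocation and release."""
    proto: str
    mapped_ip: str
    start_port: int
    end_port: int
    real_ip: str
    allocated_at: datetime
    released_at: Optional[datetime] = None

    @property
    def block(self):
        return (self.proto, self.mapped_ip, self.start_port, self.end_port)

    @property
    def size(self) -> int:
        return self.end_port - self.start_port + 1  # 512 with the default block size

    def covers(self, proto: str, mapped_ip: str, port: int, when: datetime) -> bool:
        if (proto, mapped_ip) != (self.proto, self.mapped_ip):
            return False
        if not self.start_port <= port <= self.end_port or when < self.allocated_at:
            return False
        return self.released_at is None or when < self.released_at


def parse_leases(log_text: str) -> List[BlockLease]:
    """Replay Allocated/Released events in log order into a list of leases."""
    leases: List[BlockLease] = []
    for line in log_text.splitlines():
        m = PBA_RE.match(line)
        if not m:
            continue  # any other syslog message is ignored
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        block = (m["proto"], m["mapped_ip"], int(m["start"]), int(m["end"]))
        if m["event"] == "Allocated":
            leases.append(BlockLease(*block, m["real_ip"], ts))
            continue
        # Released: close the still-open lease for exactly this block and host.
        for lease in leases:
            if lease.released_at is None and lease.block == block and lease.real_ip == m["real_ip"]:
                lease.released_at = ts
                break
    return leases


def lookup(leases: List[BlockLease], proto: str, mapped_ip: str, port: int, at: str) -> List[str]:
    """Inside host(s) that owned mapped_ip/port at time `at` (same timestamp
    format as the logs). One result is the normal case; an empty list means no
    block covered that port then; two or more means the leases overlap, i.e. a
    Released message was lost and the attribution is not trustworthy."""
    when = datetime.strptime(at, TS_FORMAT)
    return sorted({lease.real_ip for lease in leases if lease.covers(proto, mapped_ip, port, when)})


def overlapping_blocks(leases: List[BlockLease]):
    """Pairs of hosts that held the same block at the same time (log-integrity check)."""
    hits = []
    for i, a in enumerate(leases):
        for b in leases[i + 1:]:  # leases are in log order, so b starts no earlier than a
            if a.block == b.block and (a.released_at is None or b.allocated_at < a.released_at):
                hits.append((a.real_ip, b.real_ip, a.mapped_ip, a.start_port))
    return hits


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LOG)
    print(lookup(leases, "TCP", "192.0.2.10", 1300, "Mar 10 2017 10:02:00"))  # ['10.1.1.5']
    print(lookup(leases, "TCP", "192.0.2.10", 1600, "Mar 10 2017 10:09:00"))  # two hosts: ambiguous
    print(overlapping_blocks(leases))
```

Because a lookup is only as good as the completeness of the block log, run overlapping_blocks over the window first and treat any hit as a gap in syslog delivery rather than as evidence about either host.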

80 FTD as NGFW at the Edge
AVC, Reputation, TLS decryption, URL Filtering, File Analysis, Advanced Malware Protection for outbound connections
DNS Sinkholing redirects potentially malicious connections to a local honeypot
Continuous updates from Talos ensure relevant protection
ACL and NGIPS policies, optional TLS decryption for inbound connections
OSPF, BGP, NSF/GR, and similar features for easy network integration
File hashes are checked against the AMP cloud; unknown samples are submitted to ThreatGRID, which feeds the data back into AMP/Talos
[Diagram: Campus, Data Center, NGFW, Honeypot, AMP, ThreatGRID]

81 Scalable Edge NGFW with FTD and Nexus ITD
1. Outgoing edge connections hit an ITD VIP (loopback) on Nexus
2. ITD load-balances packets based on source IP across multiple independent Firepower 9300 FTD intra-chassis clusters
3. Return traffic is routed to the correct Firepower 9300 chassis based on separate PAT pools; intra-chassis clustering resolves asymmetry
4. Connection switchover is stateful on module failure (same chassis), stateless on chassis failure
[Diagram: Outside /24; three Firepower 9300 chassis, each with a Supervisor, its own PAT pool, and three FTD modules forming FTD Cluster 1, FTD Cluster 2, and FTD Cluster 3; Inside-Transit /24 (.1); Nexus Intelligent Traffic Director (ITD) with VIP .1; Inside /24]

82 FTD Identity Management with pxGrid (For Your Reference)
Extended identity attributes with Platform Exchange Grid (pxGrid)
  User identity, Geolocation, Source Security Group and Tag, Device Type
Replaces Firepower User Agent with ISE
1. Wireless, wired, and VPN clients authorize network access through ISE
2. ISE authorizes users against AD
3. FMC resolves AD group membership; FTD actively authenticates users through LDAP
4. ISE publishes IP Attribute mappings through FMC to FTD
[Diagram: ISE, Active Directory, NGFW]

83 Behavioral DDoS with Radware vDP (For Your Reference)
Behavioral detection for maximum efficacy and low false positives
[Chart: Rate-Based Detection vs Behavioral Detection]
Effectively protects web, , VoIP, and other services
  Adaptive behavioral DoS against IPv4/IPv6 TCP/UDP/ICMP/IGMP floods
  SYN flood protection with active Layer 4 challenges
  DNS flood protection with request/response record tracking
  Application signature protection for HTTP, SMTP, FTP, POP3, SIP, SMB, SQL
  Anomaly protection against basic malformed packets

84 FTD or ASA with DDoS in Enterprise (For Your Reference)
Radware Defense Messaging is used to initiate cloud-based mitigation for volumetric attacks beyond on-premise processing capabilities
Dirty traffic is pulled into Radware DefensePipe, sanitized, and then redirected to the edge router over GRE
Inbound Internet traffic traverses DDoS and FTD for behavioral and stateful protection at up to 10 Gbps per module
Internal traffic traverses FTD only for stateful segmentation
[Diagram: Cloud Scrubbing Service; Firepower 9300 with Radware vDP and Cisco FTD; Data Center; Campus]

85 Closing Remarks

86 Firepower Platform Summary
Next-generation security platform architecture
Security service chaining with Cisco and third-party applications
Classic stateful firewall, VPN, NGFW, NGIPS, and DDoS protection
Intra- and inter-chassis clustering for high scalability
Flow Offload for real-time applications


88 Complete Your Online Session Evaluation
Please complete your Online Session Evaluations after each session
Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at

89 Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Tech Circle
Meet the Engineer 1:1 meetings
Related sessions

90 Thank you


Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV. 2 CHAPTER Cisco's Disaster Recovery as a Service (DRaaS) architecture supports virtual data centers that consist of a collection of geographically-dispersed data center locations. Since data centers are

More information

WHITE PAPER A10 SSL INSIGHT & FIREWALL LOAD BALANCING WITH SONICWALL NEXT-GEN FIREWALLS

WHITE PAPER A10 SSL INSIGHT & FIREWALL LOAD BALANCING WITH SONICWALL NEXT-GEN FIREWALLS WHITE PAPER A10 SSL INSIGHT & FIREWALL LOAD BALANCING WITH SONICWALL NEXT-GEN FIREWALLS TABLE OF CONTENTS EXECUTIVE SUMMARY... 3 INTRODUCTION... 3 SOLUTION REQUIREMENTS... 3 SOLUTION COMPONENTS... 4 SOLUTION

More information

Traffic Flow, Inspection, and Device Behavior During Upgrade

Traffic Flow, Inspection, and Device Behavior During Upgrade Traffic Flow, Inspection, and Device Behavior During Upgrade You must identify potential interruptions in traffic flow and inspection during the upgrade. This can occur: When you upgrade the operating

More information

DPX19000 Next Generation Cloud-Ready Service Core Platform

DPX19000 Next Generation Cloud-Ready Service Core Platform DPX19000 Next Generation Cloud-Ready Service Core Platform Data Sheet DPtech DPX19000 Series Overview DPX19000 is a next generation cloud-ready service core platform self-developed by Hangzhou DPtech,

More information

Licensing the Firepower System

Licensing the Firepower System The following topics explain how to license the Firepower System. About Firepower Feature Licenses, on page 1 Service Subscriptions for Firepower Features, on page 2 Smart Licensing for the Firepower System,

More information

WiNG 5.x How-To Guide

WiNG 5.x How-To Guide WiNG 5.x How-To Guide Tunneling Remote Traffic using L2TPv3 Part No. TME-08-2012-01 Rev. A MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola

More information

Dell EMC. VxBlock Systems for VMware NSX 6.2 Architecture Overview

Dell EMC. VxBlock Systems for VMware NSX 6.2 Architecture Overview Dell EMC VxBlock Systems for VMware NSX 6.2 Architecture Overview Document revision 1.6 December 2018 Revision history Date Document revision Description of changes December 2018 1.6 Remove note about

More information

This release of the product includes these new features that have been added since NGFW 5.5.

This release of the product includes these new features that have been added since NGFW 5.5. Release Notes Revision A McAfee Next Generation Firewall 5.7.8 Contents About this release New features Enhancements Known limitations Resolved issues System requirements Installation instructions Upgrade

More information

Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003

Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003 Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003 Agenda ACI Introduction and Multi-Fabric Use Cases ACI Multi-Fabric Design Options ACI Stretched Fabric Overview

More information

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

PrepAwayExam.   High-efficient Exam Materials are the best high pass-rate Exam Dumps PrepAwayExam http://www.prepawayexam.com/ High-efficient Exam Materials are the best high pass-rate Exam Dumps Exam : 642-618 Title : Deploying Cisco ASA Firewall Solutions (FIREWALL v2.0) Vendors : Cisco

More information

Fully Integrated, Threat-Focused Next-Generation Firewall

Fully Integrated, Threat-Focused Next-Generation Firewall Cisco Firepower NGFW Fully Integrated, Threat-Focused Next-Generation Firewall Fuat KILIÇ, fkilic@cisco.com, +905339284608 Security Consulting Systems Engineer, CCIE #21150 September 2016 Get ahead of

More information

High Availability Options

High Availability Options , on page 1 Load Balancing, on page 2 Distributed VPN Clustering, Load balancing and Failover are high-availability features that function differently and have different requirements. In some circumstances

More information

Completing Interface Configuration (Transparent Mode)

Completing Interface Configuration (Transparent Mode) CHAPTER 9 Completing Interface Configuration (Transparent Mode) This chapter includes tasks to complete the interface configuration for all models in transparent firewall mode. This chapter includes the

More information

Licensing the Firepower System

Licensing the Firepower System The following topics explain how to license the Firepower System. About Firepower Feature Licenses, page 1 Service Subscriptions for Firepower Features, page 2 Smart Licensing for the Firepower System,

More information

NGF0502 AWS Student Slides

NGF0502 AWS Student Slides NextGen Firewall AWS Use Cases Barracuda NextGen Firewall F Implementation Guide Architectures and Deployments Based on four use cases Edge Firewall Secure Remote Access Office to Cloud / Hybrid Cloud

More information

Cisco Intelligent Traffic Director Deployment Guide with Cisco ASA

Cisco Intelligent Traffic Director Deployment Guide with Cisco ASA Cisco Intelligent Traffic Director with Cisco ASA Cisco Intelligent Traffic Director Deployment Guide with Cisco ASA 2016 Cisco and/or its affiliates. All rights reserved. 1 Cisco Intelligent Traffic Director

More information

Stonesoft Next Generation Firewall. Release Notes Revision C

Stonesoft Next Generation Firewall. Release Notes Revision C Stonesoft Next Generation Firewall Release Notes 5.10.4 Revision C Table of contents 1 About this release...3 System requirements... 3 Build version...6 Compatibility...7 2 New features...8 3 Enhancements...

More information

Information about Network Security with ACLs

Information about Network Security with ACLs This chapter describes how to configure network security on the switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists. Finding Feature Information,

More information

Ordering and deleting Single-node Trial for VMware vcenter Server on IBM Cloud instances

Ordering and deleting Single-node Trial for VMware vcenter Server on IBM Cloud instances Ordering and deleting Single-node Trial for VMware vcenter Server on IBM Cloud instances The Single-node Trial for VMware vcenter Server on IBM Cloud is a single-tenant hosted private cloud that delivers

More information

Firepower Threat Defense Site-to-site VPNs

Firepower Threat Defense Site-to-site VPNs About, on page 1 Managing, on page 3 Configuring, on page 3 Monitoring Firepower Threat Defense VPNs, on page 11 About Firepower Threat Defense site-to-site VPN supports the following features: Both IPsec

More information

IBM Cloud for VMware Solutions NSX Edge Services Gateway Solution Architecture

IBM Cloud for VMware Solutions NSX Edge Services Gateway Solution Architecture IBM Cloud for VMware Solutions NSX Edge Services Gateway Solution Architecture Date: 2017-03-29 Version: 1.0 Copyright IBM Corporation 2017 Page 1 of 16 Table of Contents 1 Introduction... 4 1.1 About

More information

Politecnico di Torino Network architecture and management. Outline 11/01/2016. Marcello Maggiora, Antonio Lantieri, Marco Ricca

Politecnico di Torino Network architecture and management. Outline 11/01/2016. Marcello Maggiora, Antonio Lantieri, Marco Ricca Politecnico di Torino Network architecture and management Marcello Maggiora, Antonio Lantieri, Marco Ricca Outline Politecnico di Torino network: Overview Building blocks: Edge, Core, Distribution, Access

More information

Multiple Context Mode

Multiple Context Mode This chapter describes how to configure multiple security contexts on the Cisco ASA. About Security Contexts, page 1 Licensing for, page 12 Prerequisites for, page 13 Guidelines for, page 14 Defaults for,

More information

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013 Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive

More information

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N CompTIA Network+ (Exam N10-007) Course Description: CompTIA Network+ is the first certification IT professionals specializing in network administration and support should earn. Network+ is aimed at IT

More information

CCNA Security. 2.0 Secure Access. 1.0 Security Concepts

CCNA Security. 2.0 Secure Access. 1.0 Security Concepts 1.0 Security Concepts 1.1 Common security principles 1.1.a Describe confidentiality, integrity, availa bility (CIA) 1.1.b Describe SIEM technology 1.1.c Identify common security terms 1.1.d Identify common

More information

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin, Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin, ydlin@cs.nctu.edu.tw Chapter 1: Introduction 1. How does Internet scale to billions of hosts? (Describe what structure

More information

Configuring Firepower Threat Defense interfaces in Routed mode

Configuring Firepower Threat Defense interfaces in Routed mode Configuring Firepower Threat Defense interfaces in Routed mode Contents Introduction Prerequisites Requirements Components Used Background Information Configure Network Diagram Configure a Routed Interface

More information

Configuring Policy-Based Redirect

Configuring Policy-Based Redirect About Policy-Based Redirect, on page 1 About Multi-Node Policy-Based Redirect, on page 3 About Symmetric Policy-Based Redirect, on page 3 Policy Based Redirect and Hashing Algorithms, on page 4 Policy-Based

More information

ASA/PIX Security Appliance

ASA/PIX Security Appliance I N D E X A AAA, implementing, 27 28 access to ASA/PIX Security Appliance monitoring, 150 151 securing, 147 150 to websites, blocking, 153 155 access control, 30 access policies, creating for web and mail

More information

High Availability Synchronization PAN-OS 5.0.3

High Availability Synchronization PAN-OS 5.0.3 High Availability Synchronization PAN-OS 5.0.3 Revision B 2013, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Device Configuration... 4 Network Configuration... 9 Objects Configuration...

More information