NGFWv and ASAv in Public Cloud

Size: px

Start display at page:

Download "NGFWv and ASAv in Public Cloud"

Geraldine Sherman
5 years ago
Views:

1 and ASAv in Amazon Web Services (AWS) and Azure Jesper Rathsach Consulting cybersecurity systems engineer, Cisco Systems 29 th August 2018

2 Introduktion til public cloud Overblik over, FMCv og ASAv Dagens Agenda & ASAv I Azure med use-cases & ASAv I AWS med use-cases Licensing og diverse Tak for I dag

High availability Regions and Availability zones Partners Data Center

3 Public cloud has great benefits Public Cloud Applications or Workload Application agility Customers Scalability Scale-up and scale-down Employees High availability Regions and Availability zones Partners Data Center Applications Or Workload Cost effectiveness Per-hour, per-minute and per-second billing options 5

4 Public cloud comes with challenges L2 abstraction Connection to Data Center (IPSEC, DX or Express Route) New Services/Environment 6

5 Shared security model in Firewall, AVC, Threat-Centric Customer Responsibility Network URL filtering, AMP & VPN NSG SG NACL ASAv Firewall & VPN Physical Infrastructure Network Infrastructure Virtualization Layer 7

6 AWS components

AWS components Overview Code us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 eu-central-1 eu-west-1 eu-west-2 eu-west-3 Name US East (N. Virginia) US East (Ohio) US West (N.

7 AWS components Overview Code us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 eu-central-1 eu-west-1 eu-west-2 eu-west-3 Name US East (N. Virginia) US East (Ohio) US West (N. California) US West (Oregon) Canada (Central) EU (Frankfurt) EU (Ireland) EU (London) EU (Paris) ap-northeast-1 Asia Pacific (Tokyo) ap-northeast-2 Asia Pacific (Seoul) ap-northeast-3 Asia Pacific (Osaka-Local) ap-southeast- 1 ap-southeast- 2 ap-south-1 sa-east-1 Asia Pacific (Singapore) Asia Pacific (Sydney) Asia Pacific (Mumbai) South America (São Paulo) 9

AWS components Overview Virtual Private Cloud inside-1c mgmt-1c

us-east-1c mgmt-2c LB Direct Connect Virtual Private Gateway IGW

ALB Internet Gateway workload2 outside-2c us-east-2c destination

8 AWS components Overview Virtual Private Cloud inside-1c mgmt-1c Elastic IP Availability Zone VPC workload1 inside-2c outside-1c us-east-1c mgmt-2c LB Direct Connect Virtual Private Gateway IGW Subnet EC2 Instance Workload Elastic IP Load Balancer NLB, CLB and ALB Internet Gateway workload2 outside-2c us-east-2c destination Route Table: RT next-hop IGW Route Table VGW & Direct Connect 10

Route Table and VPC Limitations Route Table Route table is associated to a subnet User defined route can be added Route Table destination subnet next-hop 192.168.0.

9 Route Table and VPC Limitations Route Table Route table is associated to a subnet User defined route can be added Route Table destination subnet next-hop /16 local CIDR /16 EC2 instance VPC More specific routes are not permit /0 IGW /24 x.x.x.x Network limitation No link local multicast or broadcast No IGPs No Proxy ARP and Gratuitous ARP Complex environment for native HA support but workarounds are available for resilient and scalable design IGW More specific route is not permitted in route table /24 Group /24 Network ACL Reference: AWS RT 17

Workload security in AWS Groups (SG) and Network ACL (NACL) Group SG acts as a virtual firewall for instance to control inbound and outbound traffic, only L4 rules groups are can only have allow

10 Workload security in AWS Groups (SG) and Network ACL (NACL) Group SG acts as a virtual firewall for instance to control inbound and outbound traffic, only L4 rules groups are can only have allow action not deny SGs are stateful SG limit per region 50 Maximum rule per SG 100 Network ACL Same as SG but applied to subnet L4 visibility Action Allow or Deny EC2 instance /24 Group /24 Network ACL VPC Reference: AWS Service Limits 18

11 Azure components

12 Azure components Region and Availability Zone 27

13 Azure components New: Availability Zone vnet Resource Group WEB APP WEB-UDR Destination Next Hop x.x.x.x NVA (Internal) APP-UDR Destination Next Hop x.x.x.x NVA (Internal) ASAv Network Virtual Appliance (NVA) LB Virtual Network vnet Subnet Workload VM User Defined Route UDR Network Virtual Appliance NVA DB Destination x.x.x.x DB-UDR Next Hop NVA (Internal) Availability Set Virtual Network Gateway Gateway Subnet Azure Express Route Availability Set Load Balancer Internal and External Express Route 28

Workload security in Azure Network Group (NSG) NSG restricts traffic to resources in a virtual network Action Allow or Deny Direction Inbound and outbound L4 rules Source IP

14 Workload security in Azure Network Group (NSG) NSG restricts traffic to resources in a virtual network Action Allow or Deny Direction Inbound and outbound L4 rules Source IP Destination IP Port Protocol NSG limit 5000 (per region per subscription) NSG rule limit 1000 (per NSG) NSG eth0 eth / /24 NSG NSG vnet Reference: Azure Limits and Quotas 29

15 Azure components Route Table and vnet Route Table Route table is associated to subnet User defined route can be added in RT UDRs takes precedence over system routes API integration with UDR Network limitation No link local multicast or broadcast No IGPs No Proxy ARP and Gratuitous ARP No native high availability support for NVA ASAv HA is available ERSPAN is not support because GRE is blocked Destination x.x.x.x Destination x.x.x.x Destination x.x.x.x WEB-UDR Next Hop NVA (Internal) APP-UDR Next Hop NVA (Internal) DB-UDR Next Hop NVA (Internal) vnet /16 Web /24 App /24 Db /24 30

16 Azure and AWS components are similar Virtual Network vnet Availability Set Subnet Azure Virtual Machine VM User Defined Route UDR ARM Template Load Balancer Internal, external and ILB Standard ExpressRoute Public IP Group NACL Network Group Virtual Private Cloud VPC Availability Zone AZ Subnet EC2 Instance Route Table RT CloudFormation Template CF template Load Balancer NLB, CLB, ALB, Internal and External Direct Connect Elastic IP EIP 37

17 and ASAv Overview

18 Why are we here? Let s begin journey towards secured cloud environment 39

model in public cloud is not enough Cloud Providers

Workload NSG SG NACL Layer 4 Visibility Network

AVC, NGIPS, AMP VPN and URL Filtering (L4-L7

19 model in public cloud is not enough Cloud Providers Customer Physical Infrastructure Network and Workload NSG SG NACL Layer 4 Visibility Network Infrastructure ASAv Virtualization Layer Firewall, AVC, NGIPS, AMP VPN and URL Filtering (L4-L7 visibility) Cisco for Stateful firewall, NAT, Routing, ACL and VPN 40

20 /FTDv overview NGIPS Firewall URL AVC AMP AVC - Application Visibility and Control NGIPS Next-Generation Intrusion Prevention System AMP Advanced Malware Protection VPN Virtual Private Network URL URL filtering VPN (IPSEC and SSL) FTD Appliance Managed by Firepower Management Center (FMC) 41

21 Firepower Management Center Centralized Management Total Visibility Real-time threat management Automation FMC Appliance 42

22 ASAv overview Stateful F/W, NAT, Routing and ACL ASAv 9.9.x VPN IPSEC and SSL REST API Route based VPN VTI ASA Appliance 44

ASAv Management options Cisco ASDM (on-box manager)

Orchestrator (Cloud Based) For easy on-box management of

configuration Helps administrators enforce consistent

and view summarized reports across the deployment For

23 ASAv Management options Cisco ASDM (on-box manager) Cisco Manager (Centralized Manager) Cisco Defense Orchestrator (Cloud Based) For easy on-box management of common security and policy tasks and CLI based configuration Helps administrators enforce consistent access policies, rapidly troubleshoot security events, and view summarized reports across the deployment For centralized cloud-based policy management of multiple deployments *only for ASA 45

24 and ASAv In public cloud

25 , FMCv and ASAv in Instance types Instance (Marketplace) ASA instance (Marketplace) c3.xlarge, c4.xlarge c3.large, c3.xlarge FMCv Instance (Marketplace) c4. large, c4.xlarge c3.xlarge, c3.2xlarge m4.large, m4.xlarge c4.xlarge, c4.2xlarge large instance is ASAv10, xlarge instance is ASAv30 SSD storage on c3 instance and EBS storage on c4 or m4 instance Instance (Marketplace) Standard D3 and Dv2 ASAv Instance (Marketplace) Standard D3 and D3v2 D3 and D3v2 instance is ASAv30 49

26 in AWS Deploy in routed or passive mode Provides Networking, firewalling, threat-centric protection, URL filtering & AMP capabilities An elastic IP (static persistent public IP) is required for either or Cisco Firepower Management Centre Virtual remote admin access. AWS Group Access control must permit SSH/HTTPs access to your instances and 8305 for SF tunnel Two management interfaces required for AWS eth0 eth1 eth2 eth3 Interface eth0 and eth1 are mgmt. interfaces Interface eth2 and eth3 are data interfaces Instance Type Interfaces Number of vcpus RAM (GB) FMCv & FMCv c3.xlarge c4.xlarge c3.2xlarge c4.2xlarge 2 + 2*

in Azure Deploy in Routed Mode supports Routed mode Provides Networking, firewalling, threat-centric protection, URL filtering & AMP capabilities NSG should allow SSH/HTTPs and TCP 8305 (SF-Tunnel)

27 in Azure Deploy in Routed Mode supports Routed mode Provides Networking, firewalling, threat-centric protection, URL filtering & AMP capabilities NSG should allow SSH/HTTPs and TCP 8305 (SF-Tunnel) access to your instances on eth0 interface for management access. Two management interfaces required for in Azure North/South, East/West traffic inspection and Microsegmentation eth0 eth1 eth2 eth3 Interface eth0 and eth1 are mgmt. interfaces Interface eth2 and eth3 are data interfaces Supported Machine Size Number of Interfaces (Subnets) NGFW Platform Number of vcpus Standard D3 & D3v2 4 (2+2*) 4 14 RAM (GB) * Management interface 53

28 & ASAv Datasheet Numbers Instance Instance type Throughput Interfaces VPN endpoint AWS c3.xlarge, c4.xlarge 1 Gbps 2 + 2* 250 FMCv c3.xlarge, c4.xlarge c3.2xlarge, c4.2xlarge (-) Management (-) ASAv c3/c4/m4.large (ASAv10) 1 Gbps 2 + 1* 250 c3/c4/m4.xlarge (ASAv30) 1 Gbps 3 + 1* 750 Azure Instance Instance type Throughput Interfaces VPN endpoint Standard D3, D3v2 1 Gbps 2 + 2* 250 ASAv Standard D3, D3v2 (ASAv30) Note: Maximum throughput is measured with traffic under ideal conditions Standard D3, D3v2 supports ASAv5, ASAv10 and ASAv30 license entitlement 100 Mbps (ASAv5) 1 Gbps (ASAv10, ASAv30) 3 + 1* 50, 250 or 750 * Management interface 58

29 Deployment modes

30 Deployment Modes in Routed mode () - AWS Passive mode () - AWS Routed mode () - Azure Passive mode is only applicable to in AWS 60

31 ASAv Deployment Modes in Routed mode (ASAv) - AWS Routed mode (ASAv) - Azure 61

32 in Azure Routed Mode Deployment Deploy in routed mode (L3) available in Azure marketplace Next hop for workloads in Azure vnet Internal Management Managed by FMC or FMCv Public or private IP for Management Use cases VPN (S2S and RA VPN) Firewall, NGIPS, URL-filtering & AMP integration eth1 (diagnostic interface) Internet & RA users eth3 eth2 External Internet FMC 62

33 ASAv in Azure Routed Mode Deployment Deploy in routed mode (L3) ASAv is available in Azure marketplace (ASAv30) Next hop for workloads in AWS ASAv HA (Active/Standby) vnet Inside Management Management interface can be used as a data interface DMZ2 ASAv DMZ2 Use cases Management VPN (S2S and RA VPN) and Firewall Option of installing license for 250 or 750 VPN endpoint Internet & RA users Internet 63

34 in AWS Routed Mode Deployment Deploy in routed mode (L3) and FMCv available in AWS marketplace Next hop for workloads in AWS VPC Internal Management Managed by FMC or FMCv Elastic or private IP for Management Mgmt FMC Use cases VPN (S2S and RA VPN) Firewall, IPS, URL & AMP integration Internet & RA users External IGW 64

in AWS Passive Mode Deployment Deploy in Passive Mode Management Managed by FMC or FMCv Elastic or private IP for Management VPC Internal Passive mode requirement Cisco Cloud Services Router

35 in AWS Passive Mode Deployment Deploy in Passive Mode Management Managed by FMC or FMCv Elastic or private IP for Management VPC Internal Passive mode requirement Cisco Cloud Services Router forward copy of the traffic to passively inspects traffic sent over ERSPAN session sets interface type as ERSPAN and sets MTU 1600 and assigns IP address Internet & RA users CSRv External IGW 65

ASAv in AWS Routed Mode Deployment Deploy ASAv in routed mode (L3) Next hop for workloads in AWS VPC Inside Management Elastic or private IP for Management Managed using CLI,

36 ASAv in AWS Routed Mode Deployment Deploy ASAv in routed mode (L3) Next hop for workloads in AWS VPC Inside Management Elastic or private IP for Management Managed using CLI, Cisco Manager, ASDM, REST-API and Cisco Defense Orchestrator (CDO) Use cases VPN (S2S and RA VPN) Inter-subnet filtering DMZ1 Internet & RA users ASAv Management/Outside IGW DMZ2 66

37 Management access

Management access AWS vnet Azure Internet Internet Manage using private IP (AWS Direct Connect DX) IGW Manage using public IP (Internet) FMC Manage using private

38 Management access AWS vnet Azure Internet Internet Manage using private IP (AWS Direct Connect DX) IGW Manage using public IP (Internet) FMC Manage using private IP (Azure Express Route) Manage using public IP (Internet) FMC Direct Connect Data Center Virtual Network Gateway Gateway Subnet Azure Express Route Data Center 68

39 Use cases (Azure)

40 Azure User defined route (UDR) Traffic is forwarded based on the routes in the UDR UDR overrides system routes Destination Default route Default gateway on WebServer01 is WEB-UDR Next Hop ASAv Inside WebServer01 WEB /24 Associated to a subnet APP, DB ASAv Inside Next-hop option (virtual appliance, VNG, vnet, Internet and none) APP ASAv DB vnet API integration to modify routes Internet 72

41 E/W traffic inspection - vnet Youtube: Demo Destination WEB-UDR Next Hop Highlighted routes are required for Micro Segmentation WEB Internet, WEB, DB & DC WEB (Internal) (Internal) Internet & RAVPN users APP-UDR Destination Internet, WEB, DB & DC Next Hop (Internal) Internal External Internet APP APP (Internal) SF tunnel between FMC and (management) DB-UDR GW-Subnet-UDR FMC DB Destination Internet, WEB, APP & DC DB Next Hop (Internal) (Internal) Destination WEB, APP & DB Next Hop (Internal) Azure Express Route Virtual Network Gateway Gateway Subnet Data Center 73

42 E/W traffic inspection - ASAv vnet WEB WEB-UDR Destination Next Hop Internet, WEB, DB & DC ASAv (Inside) DB ASAv (Inside) Highlighted routes are required for Micro Segmentation Internet & RAVPN users APP-UDR Destination Internet, WEB, DB & DC Next Hop ASAv (Inside) Inside ASAv Outside Internet APP DB ASAv (Inside) DB-UDR GW-Subnet-UDR DB Destination Internet, WEB, APP & DC DB Next Hop ASAv (Inside) ASAv (Inside) Destination WEB, APP & DB Next Hop ASAv (Inside) Azure Express Route Virtual Network Gateway same-security-traffic permit intra-interface command is required on ASA for hairpinning Gateway Subnet Data Center 74

43 /ASAv scalable design using Azure ILB with HA ports Azure ILB standard with HA ILB is next hop in UDR ILB load balances complete IP traffic ILB is design to provide traffic symmetry WEB / Nva-subnet /24 Destination APP Destination WEB WEB-UDR Next Hop ILB VIP APP-UDR Next Hop ILB VIP Azure ILB with HA ports APP / FWv01 ilb-ha-fw1 FWv02 ilb-ha-fw2 FWv03 ilb-ha-fw3 FWv04 ilb-ha-fw4 Default route on FWs

44 Service vnet and ASAv Scalable design vnet01 Multiple Subnet Destination All-Subnets All-Subnets-UDR Next Hop ILB VIP Spoke Destination All-Subnets All-Subnets-UDR Next Hop ILB VIP Multiple Subnet vnet02 service vnet Gateway Subnet Virtual Network Gateway Hub ILB HA Default route on FWs FWv01 ilb-ha-fw1 FWv02 ilb-ha-fw2 Nva-Subnet /24 FWv03 ilb-ha-fw3 FWv04 ilb-ha-fw4 83

45 Interconnecting vnet UDR detail FMC Internal vnet1 vnet2 Internal External Site to Site VPN Tunnel External Internal-UDR Internal-UDR Destination Next Hop Destination Next Hop Internet (Inside) Internet (Inside) vnet2 subnets (Inside) vnet1 subnets (Inside) 84

Internet and RAVPN Internet ASAv USE cases Network Address Translation (NAT) Site to Site Tunnel

46 Site-to-site and RAVPN UDR detail Internal Internal-UDR RA VPN Users Destination Internet RAVPN Pool Datacenter (DC) Next Hop (Inside) (Inside) (Inside) External Site to Site VPN Tunnel Internet and RAVPN Internet ASAv USE cases Network Address Translation (NAT) Site to Site Tunnel NGFW vnet Access Control Policy, IPS Policy and AMP policy Networking, Firewalling and AVC Data Centre 85

AVC WEB Internet Internet users APP-UDR WEB-UDR Destination Next Hop Destination Next

47 Inter subnet filtering APP USE cases Network Address Translation (NAT) Site to Site Tunnel Access Control Policy, IPS Policy and AMP policy Networking, Firewalling and AVC WEB Internet Internet users APP-UDR WEB-UDR Destination Next Hop Destination Next Hop Internet (Inside) Internet -edge(inside) vnet WEB (Inside) WEB -Internal(Outside) 86

and ASAv scalable design Azure internal load balancer (ILB) standard & external load balancer WEB APP Destination Default/Internet DB, APP and DC Destination Default/Internet DB, WEB and DC WEB-UDR

48 and ASAv scalable design Azure internal load balancer (ILB) standard & external load balancer WEB APP Destination Default/Internet DB, APP and DC Destination Default/Internet DB, WEB and DC WEB-UDR APP-UDR Next Hop ILB VIP ILB VIP Next Hop ILB VIP ILB VIP ILB Standard x (VIP) HA Port FW01 FW02 FW..n Firewalls in Availability Set ExternalL B vnet Internet Stateless Switchover Internet Users DB DB-UDR Destination Next Hop Default/Internet ILB VIP APP, WEB & DC ILB VIP NVA Subnet (inside) Destination WEB, APP & DB GW-UDR Next Hop ILB VIP Azure Express Route Virtual Network Gateway Gateway Subnet Youtube: overview FMC Data Center 87

49 ARM template deployment

Azure Resource Manager (ARM) Template JSON based template for deploying and ASAv Multiple/repeated deployments Add firewall to exiting resource group Add additional attributes for scalable deployment

50 Azure Resource Manager (ARM) Template JSON based template for deploying and ASAv Multiple/repeated deployments Add firewall to exiting resource group Add additional attributes for scalable deployment i.e. Availability Set Publish tested templates Deploy multiple Azure resources using single ARM template Create following resources before deploying ASA or using template Resource group, availability set, vnet, subnet and storage account ASAv ASAv ASAv ASAv 89

Azure Resource Manager Template ARM templates and demo videos ARM Template: http://cs.

51 Azure Resource Manager Template ARM templates and demo videos ARM Template: Youtube: Demo ASAv ARM Template: Youtube: Demo ARM Template (LB Sandwich): coming soon Youtube: coming soon 90

52 Use cases (AWS)

Advantage of using CF template Simplified infrastructure management Repeated or multiple

53 CloudFormation Template CF template deploys resources in AWS Group of resources in template are called stack Resources are added using JSON object Publish CF template using S3 bucket Advantage of using CF template Simplified infrastructure management Repeated or multiple deployment Reduced human errors Version control using template Update stack and track changes 92

54 Intersubnet filtering VPC CIDR /16 DB /24 CIDR has a local route for VPC Specific route is not allowed in route table Default route will not cover local network Host routes are required to enable Intersubnet filtering destination subnet RT-DB next-hop /16 local /0 eningfwv(internal) destination subnet RT-WEB next-hop /16 local /0 eni-asav(inside) WEB ASAv External IGW 93

55 Secure Transit VPC - VPC A VPC B Spoke VPC AZ1 AZ2 CSRv CSRv Internet RT Transit VPC 94

56 Scalable design

57 scalable design using AWS NLB Network Load Balancer (NLB) VPC inside-1c management-1c FMCv Elastic IP outside-1c Stateless switchover WebServer01 us-east-1c inside-1d management-1d NLB IGW WebServer02 outside-1d us-east-1d Route Table: RT subnet next-hop IGW Youtube: Demo 96

58 scalable design using AWS NLB Network Load Balancer (NLB) VPC inside-1c management-1c FMCv Elastic IP outside-1c Stateless switchover WebServer01 us-east-1c inside-1d management-1d NLB IGW WebServer02 outside-1d Route Table: RT subnet next-hop IGW us-east-1d Multiple firewalls can be added per Availability Zone to provide AZ level scalability Youtube: Demo 97

59 Advanced Malware protection in Azure and AWS

integration with AMP AWS and Azure integrates with AMP solution and provide following features VPC CIDR - 192.168.0.0/16 DB 192.168.100.

The integration of Threat Grid allows you to examine unknown and suspicious files in a safe, highly secure sandbox environment, either

60 integration with AMP AWS and Azure integrates with AMP solution and provide following features VPC CIDR /16 DB /24 AMP for network Continuous analysis Retrospective security Reduce event notifications Integrated malware analysis WEB Malware is detected and dropped by File capture allows you to store and retrieve files for further analysis. The integration of Threat Grid allows you to examine unknown and suspicious files in a safe, highly secure sandbox environment, either in the cloud or locally IGW 99

61 Licensing

62 Licensing Base License (Firewall and AVC) Standard License (Firewall and throughput) NGFW Term based (Threat, URL and AMP) ASA Anyconnect Apex License (SSL and IPSEC) AWS Cisco Smart Licensing Bring your own license (BYOL) Pay as you go model Hourly and annual license Azure Cisco Smart Licensing Bring your own license (BYOL) Note: No Cisco TAC support from AWS pay-as-you-go model license model but you can purchase one year TAC support from listed partner: 101

63 Important Resources

64 YouTube Channel Youtube Channel: 103

65 and ASAv Marketplace Listings Product Marketplace listing BYOL Marketplace listing Hourly & Annual FMCv Marketplace listing BYOL ASAv Marketplace listing BYOL, Hourly & Annual Product Marketplace listing BYOL ASAv Marketplace listing BYOL ASAv HA Marketplace listing - BYOL AWS Marketplace Listing Azure Marketplace Listing

66 Importance Links in public cloud Youtube channel Cisco, ASAv and FMC Chalk talk in Technical Decision Maker Deck (TDM) (Partner level access required) Cisco ASAv licensing (BYOL) Cisco licensing (BYOL) ARM Template ASAv ARM Template 105

NGFWv & ASAv in Public Cloud (AWS & Azure)

NGFWv & ASAv in Public Cloud (AWS & Azure) & in Public Cloud (AWS & Azure) Anubhav Swami, CCIE# 21208 Technical Marketing Engineer Your Speaker Anubhav Swami answami@cisco.com Technical Marketing Engineer 5 years in Cisco TAC 2 years in ASA BU