Cisco Next Generation Firewall Services

Transcription

1 Toronto,. CA May 30 th, 2013 Cisco Next Generation Firewall Services Eric Kostlan Cisco Technical Marketing Cisco and/or its affiliates. All rights reserved. Cisco Connect 1

2 Objectives At the conclusion of this presentation and demonstration, you will be able to: Describe the ASA NGFW and PRSM architecture Describe the feature of the ASA NGFW Application Visibility and Control (AVC) Web Security Essentials Utilize the policy framework Policy objects, policies, policy sets Device and object discovery

3 Module Map Architecture Policy framework Device import Eventing and reporting Demonstration

4 ASA 5585-X with CX hardware module Two Hard Drives Raid 1 (Event Data) 8 GB eusb (System) 10GE and GE ports Two GE Management Ports

5 The ASA 5500-X series firewalls Models are 5512-X, 5515-X, 5525-X, 5545-X and 5555-X 1-4 Gbps throughput Integrated services implemented as a software module o Intrusion prevention system (IPS) o Context aware next generation firewall (CX) Feature parity with the ASA CX on the 5585-X Must add a SSD to the ASA 5500-X to install the CX module

6 Cisco Prime Security Manager (PRSM) Built-in Configuration Eventing Reporting Off-box Configuration Eventing Reporting Multi-device Manager for ASA CX Role Based Access Control Virtual Machine or UCS Appliance PRSM Virtual Machine supports VMWare ESXi

7 PRSM ASA CX communication Cisco SIO ASA CX Application Identification Updates RESTful XML [REST = Representational State Transfer] Reliable Binary Logging PRSM HTTPS HTTPS

8 Packet flow diagram ASA and CX ASA processes all ingress/egress packets No packets are directly process by CX except for management CX provides Next Generation Firewall Services ASA CX CX Module PORTS Crypto or Regex Engine CPU Complex 10GE NICs Fabric Switch Backplane ASA Module Crypto Engine CPU Complex 10GE NICs Fabric Switch ASA Ingress CX Ingress Egress after CX Processing PORTS

9 Functional distribution URL Category/Reputation HTTP Inspection AVC TLS Proxy TCP Proxy TCP Normalization TCP Intercept IP Option Inspection IP Fragmentation Botnet filtering Multiple Policy Decision Points NAT Routing ACL VPN Termination ASA CX

10 TLS Proxy URL Category/Reputation HTTP Inspection AVC TLS Proxy TCP Proxy TCP Normalization TCP Intercept IP Option Inspection IP Fragmentation Botnet filtering Multiple Policy Decision Points NAT Routing ACL VPN Termination ASA CX

11 TLS proxy acts as man-in-the-middle Two separate sessions, separate certificates and keys ASA CX acts as a CA, and issues a certificate for the web server Corporate network ASA CX 1. Negotiate algorithms. 1. Negotiate algorithms. Web server 4. Client Authenticates server certificate. Cert is generated dynamically with destination name but signed by ASA CX. 3. Generate proxied server certificate. 5. Generate encryption keys. 6. Encrypted data channel established. 2. Authenticate server certificate. 5. Generate encryption keys. 6. Encrypted data channel established.

12 TLS Proxy Extending NGFW services to TLS traffic Decrypts SSL and TLS traffic across any port Self-signed (default) certificate or customer certificate and key Self-signed certificate can be downloaded and added to trusted root certificate store on client Decryption policies can determine which traffic to decrypt CX cannot determine the hostname in the client request to choose a decryption policy because the traffic is encrypted FQDN and URL Category are determined using the server certificate If the decision is made to decrypt, CX acts like man-in-the-middle A new certificate is created, signed by CX or by the customer CA Information such as FQDN and validity dates are copied from the original cert Name mismatches and expired certificate errors are ignored Name mismatches and expired certificate errors must be handled by the client

13 Licensed feature Application Visibility and Control URL Category/Reputation HTTP Inspection AVC TLS Proxy TCP Proxy TCP Normalization TCP Intercept IP Option Inspection IP Fragmentation Botnet filtering Multiple Policy Decision Points NAT Routing ACL VPN Termination ASA CX

14 Application Visibility and Control Supported Applications Supported Micro-Applications 150,000+ Powered by the Cisco Security Intelligence Operation (SIO) Utilizes Application Signatures By default, PRSM and CX check for updates every 5 minutes

15 Broad AVC vs. Web AVC Broad AVC Broad protocol support Resides in data plane Less granular control Supports: Application types for example Applications for example Simple Mail Transfer Protocol Web AVC HTTP and decrypted HTTPS only More granular control Supports: Application types for example, Instant Messaging Applications for example, Yahoo Messenger Application behavior for example, File Transfer

16 None HTTP/HTTPS packet flow

17 HTTP packet flow

18 HTTPS packet flow

19 Licensed feature Web Security Essentials URL Category/Reputation HTTP Inspection AVC TLS Proxy TCP Proxy TCP Normalization TCP Intercept IP Option Inspection IP Fragmentation Botnet filtering Multiple Policy Decision Points NAT Routing ACL VPN Termination ASA CX

20 Web Security Essentials -- Reputation Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious. Aggressive Ad syndication and user tracking networks. Sites suspected to be malicious, but not confirmed Sites with some history of Responsible behavior or 3 rd party validation Phishing sites, bots, drive by installers. Extremely likely to be malicious. Well managed, Responsible content Syndication networks and user generated content Sites with long history of Responsible behavior. Have significant volume and are widely accessed Suspicious (-10 through -6) Default web reputation profile Not suspicious (-5.9 through +10)

21 Web Security Essentials URL filtering Used to enforce acceptable use Predefined and custom URL categories 78 predefined URL categories 20,000,000+ URLs categorized 60+ languages Powered by the Cisco Security Intelligence Operation (SIO) Utilizes Application Signatures By default, PRSM and CX check for updates every 5 minutes

22 Active authentication Requires HTTP request to initiate authentication 1. ASA CX sees HTTP request from a client to a remote website 2. ASA CX redirects the client to the ASA inside interface (port 885 by default) Redirect is accomplished by sending a proxy redirect to the client (HTTP return code 307) spoofing the remote website 3. Sends client authentication request (HTTP return code 401) 4. After authentication, the ASA CX redirects the client back to the remote website (HTTP return code 307) After authentication, ASA CX uses IP address to track user Both HTTP and non-http traffic will now be associated with the user Integrates with enterprise infrastructure Supported directories include Microsoft Active Directory OpenLDAP IBM Tivoli Directory Server

23 Passive authentication Endpoint must be domain member Supported for all traffic and all clients Utilizes an agent Agent gathers information from Active Directory server Agent caches information ASA CX/PRSM queries agent for user information ASA CX/PRSM queries Active Directory server for group membership information Two agents available Cisco Active Directory Agent (AD agent) older agent Windows application Context Directory Agent (CDA) newer agent Stand alone, Linux based server can be run as VM Intuitive web based GUI, and Cisco IOS style CLI

24 Passive authentication protocols AD Agent or CDA (RADIUS server) RADIUS WMI Active Directory ASA CX LDAP Clients

25 Module Map Architecture Policy framework Device import Eventing and reporting Demonstration

26 Policy objects, policies and policy sets

27 Policies and policy sets Policies apply actions to subsets of network traffic Two main components Policy match a set of criteria used to match traffic to the policies Action the action to be taken if the policy is matched Three types of policies Access Identity Decryption A policy set is an ordered collection of policies of a particular type For any ASA CX at most one policy set of each type is in use Policies are assigned using top-down policy matching order matters! At most one policy is matched for each policy set If no defined policy match is achieved, implicit policy is enforced Policy sets implicit policies are as follows Access policy sets end with implicit allow all Decryption policy sets end with implicit do not decrypt Identity policy sets end with implicit do not require authentication

28 Policy sets Access What traffic will be Allowed or Denied? Identity How users will be identified? Decryption What TLS/SSL traffic should be decrypted?

29 Policy objects Used to create policies Policy objects classify traffic Are used to decide which policy to match Predefined and user defined Used to create policies. May be nested Many types

30 URL objects Used to identify traffic based on URL or URL category Can only be used as a destination in a policy HTTP or HTTPS only For HTTPS, URL object uses information in the subject of the certificate Do not specify the protocol. URL objects will match both HTTP and HTTPS Contains URLs Enter a domain to match any URL in domain Supports limited string matching: URL categories Other URL objects Contain include and exclude lists

31 Application objects Used to identify what application the client is attempting to use Utilizes the Application Visibility And Control (AVC) functionality of the ASA CX Contains Applications (recognized by the ASA CX) Examples: Facebook photos, webmail, yahoo IM Application types Examples: Facebook, , IM Other Application objects

32 UserAgent objects User-agent string Part of the HTTP request header Identifies the client OS and agent Examples: Safari running on an ipad Windows update agent User agent object Can only be used for HTTP traffic Can only be used as a source in a policy Predefined user agent objectsare sufficient for most uses Contains User agent string An asterisk (*) can be used to match zero or more characters, Other user agent objects

33 Example of user-agent string

34 Secure Mobility objects Used to create policies specific to AnyConnect VPN traffic Can only be used as a source in a policy One exists by default: All remote users Others can be created to match specific device types Can contain Device types Other Secure Mobility objects

35 Complex objects Allow for more complicated traffic matching Contains collections of entries, or rows Elements of each entry are ANDed together Entries are then ORed together Application-Service objects Match combinations of applications and services Destination object groups Match combinations of URL objects and Network objects Source object groups Match combinations of: Network objects Identity objects User Agent Objects Secure Mobility Objects

36 Profiles File filtering profile HTTP and decryptedhttps traffic only Blocks the download of specific MIME types Blocks the upload of specific MIME types Web reputation profile HTTP and decrypted HTTPS traffic only Web reputation scores are provided for websites by the Cisco Security Intelligence Operations Web reputation scores vary from -10 to 10 Default profile considers websites with reputation score from -10 through -6 (the default profile cannot be edited or deleted) Websites without reputation scores are not considered suspicious The action that is taken for suspicious website depends on the policy type For example, access policies can block websites of low reputation

37 Module Map Architecture Policy framework Device import Eventing and reporting Demonstration

38 Device discovery and import (multi-device mode only) First you must enter the IP address (or hostname) of the ASA, along with privileged credentials The CX module will be discovered through the ASA. You must enter the admin password to complete the import. When a device is imported, it is placed into a device group Device groups are assigned policy sets. Therefore, policies are consistent within a device group When the device is imported, you must resolve any policy set naming conflict

39 Valid Policy Set Assignment

40 Invalid Policy Set Assignment

41 ASA object discovery (multi-device mode only) Network and service objects and groups are imported from ASA during device imported Added to PRSM policy database and are available for policy configuration Modifications made to objects on PRSM are not pushed to ASA Modifications made to objects on ASA are not pushed to PRSM Are automatically renamed if there are naming conflicts _<PRSM name for the ASA > is appended to name of imported object.

42 Module Map Architecture Policy framework Device import Eventing and reporting Demonstration

43 The Event viewer Gives visiblity to events generated by the CX module Tabs System events All events Authentication ASA (only used if PRSM is a SYSLOG server for ASAs) Encrypted Traffic View Context Aware Security Shows next generation functionality

44 Context Aware Events

45 Custom tabs

46 Two Modes Real time eventing user defined refresh interval Historic eventing user defined time range

47 Event viewer filters Used to reduce the number of events that are displayed Filters are a list of attribute-value pairs Attribute value pairs with the same attribute are ORed together The expressions for each attribute are then ANDed together Example: Username=Fred Username=Gail Application=Twitter means (Username=Fred OR Username=Gail) AND Application=Twitter Most attributes support the operations = and!=. Some also support > and < Two ways to add to filter Click on the cell in the event viewer adds that attribute-value pair to the filter Select attribute (with operation <,=,>) from the Filter drop-down list and then select the value If you want the operator to be inequality, you must manually change = to!= Filters may be saved and recalled Saved filters are added to right-hand side of the Filter drop-down list

48 Event viewer filters

49 Event Details

50 Event Details

51 Policy correlation

52 Network Overview (top)

53 Network Overview (middle)

54 Network Overview (bottom)

55 Other tabs

56 Malicious Traffic

57 Drill Down (Slide 1 of sequence)

58 Drill Down (Slide 2 of sequence)

59 Drill Down to view more details

60 Drill down to launch event viewer

61 Drill down to launch event viewer

62 Sample exported PDF report

63 Module Map Architecture Policy framework Device import Eventing and reporting Demonstration

64 Complete Your Paper Session Evaluation Give us your feedback and you could win 1 of 2 fabulous prizes in a random draw. Complete and return your paper evaluation form to the room attendant as you leave this session. Winners will be announced today. You must be present to win!..visit them at BOOTH# 100

65 Thank you Cisco and/or its affiliates. All rights reserved. Cisco Connect 65