Cisco Firepower Thread Defence. Claudiu Boar

Transcription

1 Cisco Firepower Thread Defence Claudiu Boar

2 Security everywhere Stop threats at the edge Control who gets onto your network Find and contain problems fast Protect users wherever they work Simplify network segmentation

3 Portfolio ASA 5585-X SSP60 ASA 5505 ASA 5515-X ASA 5512-X ASA 5555-X ASA 5545-X ASA 5525-X ASA 5585-X SSP40 ASA 5585-X SSP20 ASA 5585-X SSP10 SMB/SOHO Branch Internet Edge Data Center

4 Portfolio ASA 5506-X ASA 5508-X ASA 5516-X ASA 5585-X SSP60 ASA 5505 ASA 5515-X ASA 5512-X ASA 5555-X ASA 5545-X ASA 5525-X ASA 5585-X SSP40 ASA 5585-X SSP20 ASA 5585-X SSP10 SMB/SOHO Branch Internet Edge Data Center

5 Portfolio ASA 5506-X ASA 5508-X FPR SM-24 FPR SM-36 FPR SM-44 ASA 5516-X ASA 5585-X SSP60 ASA 5505 ASA 5515-X ASA 5512-X ASA 5555-X ASA 5545-X ASA 5525-X ASA 5585-X SSP40 ASA 5585-X SSP20 ASA 5585-X SSP10 SMB/SOHO Branch Internet Edge Data Center Service Provider

6 Portfolio ASA 5506-X ASA 5508-X ASA 5516-X FPR 4110 FPR 4120 FPR 4140 FPR 4150 FPR SM-24 FPR SM-36 FPR SM-44 ASA 5585-X SSP60 ASA 5505 ASA 5515-X ASA 5512-X ASA 5555-X ASA 5545-X ASA 5525-X ASA 5585-X SSP40 ASA 5585-X SSP20 ASA 5585-X SSP10 SMB/SOHO Branch Internet Edge Data Center Service Provider

7 Portfolio ASA 5506-X ASA 5508-X ASA 5516-X FPR 2100 Series FPR 4110 FPR 4120 FPR 4140 FPR 4150 FPR SM-24 FPR SM-36 FPR SM-44 ASA 5585-X SSP60 ASA 5505 ASA 5515-X ASA 5512-X ASA 5555-X ASA 5545-X ASA 5525-X ASA 5585-X SSP40 ASA 5585-X SSP20 ASA 5585-X SSP10 SMB/SOHO Branch Internet Edge Data Center Service Provider

8 Firepower 2100, 4100, 9300 Snapshot Features FPR 2100 FPR 4100 FPR 9300 Throughput range Firewall + AVC Throughput range Firewall + AVC+IPS 2 to 8 Gbps 12 to 30 Gbps 30 to 54 Gbps 2 to 8 Gbps 10 to 24 Gbps 24 to 53 Gbps Interface Speed 1/10 Gbps 1/10/40 Gbps 1/10/ 40/100 Gbps Rack Unit size 1 RU 1 RU 3 RU Clustering Roadmap Yes (6.2) Yes (6.2) Other Apps No Yes (Radware DDoS) Yes (Radware DDoS) Chassis Manager Unified With FMC / FDM Yes Yes

9 Firepower 2100 Series FPR x 1G 12x 10G Port Firepower 2100 High Performance, Purpose Built Hardware for Cisco NGFW FPR x-1G 12x 10G Port Firepower 2100 Available in 4 Platforms FPR x 1G Port Firepower 2100 Higher Port Density in 1 Rack Unit FPR x 1G Port Firepower Gbps Support (2130 and 2140)

10 Firepower 2100 Series Performance FPR 2110 FPR 2120 FPR 2130 FPR 2140 Throughput FW + AVC 1.9 Gbps 3 Gbps 4.75 Gbps 8.5 Gbps Throughput FW + AVC + NGIPS 1.9 Gbps 3 Gbps 4.75 Gbps 8.5 Gbps Maximum concurrent sessions, with AVC 1 M 1.2 M 2 M 3.5 M Maximum new connections per second, with AVC

11 Hardware Architecture Overview Advance Inspection (x86 CPU) Dual CPU X86 CPU for Advanced Inspections NPU for Stateful Firewall Stateful Inspection (Octeon NPU) SSD SSD Fabric USB CON Console MGMT GE RJ45 12 Port GE RJ45 4 Port SFP+ 4 port 10GE -8 Port NM Slot

12 Hardware Architecture Overview Advance Inspection (x86 CPU) SSD SSD Stateful Inspection (Octeon NPU) Fabric Prefilter Action: Block, Fastpath, Analyze NAT VPN Routing QoS Stateful Firewall High Availability USB CON Console MGMT GE RJ45 12 Port GE RJ45 4 Port SFP+ 4 port 10GE -8 Port NM Slot

13 Hardware Architecture Overview SSD SSD Advance Inspection (x86 CPU) Stateful Inspection (Octeon NPU) Advance Inspection AVC with OpenAppID NGIPS Malware & File inspection (AMP) Security Intelligence URL Filter User Identity Fabric USB CON Console MGMT GE RJ45 12 Port GE RJ45 4 Port SFP+ 4 port 10GE -8 Port NM Slot

14 FPR 2100 with Firepower Threat Defense New in FTD 6.2.x RA VPN S2S VPN Packet tracer and Capture

15 Management Options On-box Centralized Cloud-based Firepower Device Manager Firepower Management Center Cisco Defense Orchestrator Enables easy on-box management of common security and policy tasks Enables comprehensive security administration and automation of multiple appliances Enables centralized cloud-based policy management of multiple deployments

16 On-box vs Off-box Firepower Management Center (Off-box) Firepower Device Manager (On-box) NAT & Routing Access Control Intrusion & Malware Device & Events Monitoring VPN - Site to Site & RA Security Intelligence Other Policies: SSL, Identity, Rate Limiting (QoS) etc. Active/Passive Authentications Firewall Mode Router / Transparent Routed Threat Intelligence & Analytics Correlation & Remediation Risk Reports Device Setup Wizard Interface Port-Channel High Availability

17 VPN Only Threat (IPS / SI / DNS) Malware (AMP / TG) URL Filtering AnyCon nect Plus Apex FTD Licensing Structure Base License enables NGFW Networking, Firewall and Application Visibility & Control Perpetual License - included with Appliance purchase Term-based licenses for advanced protection Threat, Malware and URL Filtering VPN License VPN only AnyConnect Plus AnyConnect Apex Base (NGFW) Blue = Term-based Green = Perpetual

18 Migration Capabilities Migration of ASA Configuration to FTD ACL Ability to migrate Access Control Rules NAT Ability to migrate NAT rules Objects Support for migrating objects corresponding to ACL, NAT rules Except Time Range, FQDN ASA Versions Support for ASA 8.4+ versions

19 Migration Process Overview Import as Access Control Policy or Prefilter policy Migration Tool FMC.sfo file FMC ( Managing FTD Device ) ASA.cfg or.txr file Migration Report Register Apply Migrated Policy Firepower 2100 ASA

20 Firepower 2100 Physical Characteristics FPR 2100 Series 1RU x x 19.8 Chassis Design Front to back cooling FIPS opacity optional kit Dual SSD Fixed ports 12x RJ45 ports, 4xSFP(+) and USB2.0 Management Ethernet & Console Port Rack Mount Rails Kit optional FPR 2130 / x Network Module Dual PSU DC PSU support 1RU 16.89

21 Firepower 4100 Hardware Overview 1RU x x Front to Back Cooling (6x dual fan) Built-in modules Supervisor Module Security Engine 8x SFP+ (10G) fixed ports Modular system 2x Network Modules (NetMod) slots (Common across Firepower Platform) 2x 2.5 SSD Slot 2x Universal 950 DC PSU (or) 2x Universal 1100W AC PSU FAN Units 1RU tall (1.73 ) Note: Except power supply unit, all the physical specifications are same for FP4110, FP4120, FP4140 and FP4150

22 Firepower 4120, 4140 and Hardware Components Supervisor Module: Console and Management Port 8 10G Fixed Ethernet Ports 2 x Network Modules Security Engine 2x100Gbps SSD SSD Security Engine: Dual CPU, each connected with a Smart NIC and Crypto accelerator card Two SSD - 1 Default + 1 Optional (For AMP service) SSD Size 200GB for GB for 4140 Smart NIC + Crypto Accelerator 2x40Gpbs Internal 720G Switch Fabric 2x40Gbps 80G 5x40Gbps 200G 200G 5x40Gbps Built-in 8x10GE interfaces NM Slot 1 NM Slot 2 Console RAM X86 CPU Mgmt. Port Backplane 80GB Backplane support 8x 10G (or) 4x 40G Network Module

23 FP 4100 Series Performance Specification Category FP 4110 FP 4120 FP 4140 Large Packet Firewall (1500 byte UDP) 20Gbps 40Gbps 60Gbps Firewall Throughput 10Gbps 20Gbps 30Gbps Firewall Packet Per Second (64byte UDP) 3 M 6 M 10 M UDP Latency (1500 LDR) 18 µ sec 31 µ sec 30 µ sec Connections per Second 150K 250K 350K Concurrent Connections 10M 15M 25M NGFW - FW+AVC Perf. (440byte) 3.5 Gbps 7 Gbps 10 Gbps NGFW - FW+AVC+IPS Perf.(440byte) 2.5 Gbps 4.5 Gbps 6.5 Gbps

24 Firepower 4100 Software FP 4100 Series of platform supported from FXOS Primary application from Cisco (Native) Decorator application from third-party (KVM) FXOS provides interface for device management and provisioning of the security application on security engine. DDoS (Radware) ASA or FTD FXOS Firepower Extensible Operating System (FXOS) Supervisor Security Engine All images are digitally signed and validated through Secure Boot. Security application images are in Cisco Secure Package (CSP) format Multiple version of same application can be stored in Supervisor. It can deployed to Security Engine on demand Contains system (i.e. ASA, FTD) and other images (i.e. ASDM, REST, and so on)

25 DDoS Attacks breaking all layers of the DC Internet Pipe Firewall IPS/IDS Load Balancer/ADC Server Under Attack SQL Server DDoS Protection on the Firewall protects from 64% of the DDoS attacks. Pipe Saturation attacks require an integrated cloud protection 9

26 Firepower Threat Defense

27 Advanced Malware Risk Report

28 Network Risk Report

29 Attack Risk Report

30 Thank you! Parteneri media