Fully Integrated, Threat-Focused Next-Generation Firewall

Transcription

1 Cisco Firepower NGFW Fully Integrated, Threat-Focused Next-Generation Firewall Fuat KILIÇ, Security Consulting Systems Engineer, CCIE #21150 September 2016

2 Get ahead of attackers with threat-centric security solutions In our live Security Experts Webinars discover all the items needed to help set up the best security architecture. What a Next Generation Firewall should be Protect your and web gateways Advanced Malware Protection ISE/Access Control And many other hot security topics so check our Security Experts Page and register to our upcoming webinars- ww.cisco.com/go/securityexperts

3 Digital Transformation on a Massive Scale Title Goes Here 15B Devices Today Attack Surface 500B Devices In 2030 Threat Actors $19T Opportunity Next 10 Years Attack Sophistication Global Cybercrime Market: $450B to $1T

4 Typical NGFWs are focused too narrowly and Title are Goes too Here hard to manage Network Threat Threat Content Malware Analysis IPS Access VPN Threat Web Security NGFW Access Control Security Firewall Malware Protection Focused on apps, not threats Another silo to manage

5 They protect before an attack but are less effective during or after one Attack Continuum BEFORE DURING AFTER Typical NGFW Silos Enable applications IPS URL GAP DDoS Sandbox Incident Response

6 We are committed to addressing this problem Security is Cisco s number 1 priority. We are going big and making strategic investments to become our customers and partners most trusted security advisor. John Chambers Executive Chairman, Cisco April 2015 In the last 18 months, we invested over $3.7B in security

7 Enable your business with a fully integrated, threat-focused solution Cisco NGFW Stop more threats Gain more insight Detect earlier, act faster Reduce complexity Get more from your network Threat Focused Fully Integrated

8 Stop more threats across the entire attack continuum BEFORE DURING AFTER Cisco NGFW Discover threats and enforce security policies Detect, block, and defend against attacks Remediate breaches and prevent future attacks

9 Gain more insight with increased visibility You can t protect what you can t see Client applications Operating systems Threats Typical IPS Users Application protocols File transfers Web applications Command and control servers Malware Routers and switches Mobile devices Printers Typical NGFW Cisco NGFW Network servers VoIP phones

10 Reduce complexity with simplified, consistent management Unified Network-to-endpoint visibility Manages firewall, applications, threats, and files Track, contain, and recover remediation tools Scalable Central, role-based management Multitenancy Policy inheritance Automated Impact assessment Rule recommendations Remediation APIs Cisco Firepower Management Center

11 Get more from your network through integrated defenses Shared intelligence Talos Shared contextual awareness Visibility Radware DDoS URL Network analysis Threats Identity and NAC DNS Firewall Consistent policy enforcement Firepower 4100 Series Firepower 9300 Platform Cisco Firepower Management Center

12 Threat Focused Threat Intelligence I00I III0I III00II 0II00II I0I I000 0II0 00 0III000 II III000III0 I00I II0I III [Talos] II0 00 0III000 III0I00II II II0000I II0 100I II0I III00II 0II00II I0I000 0II III0 I00I II0I III00II 0II00II Research Response Endpoints Web Networks IPS Devices 100 TB Intelligence 1.6M sensors 150 million+ endpoints 35% world wide FireAMP, 3+ million 13B web req WWW AEGIS & SPARK Open Source Communities 180,000+ Files per Day 1B SBRS Queries per Day 3.6PB Monthly though CWS Advanced Industry Disclosures Outreach Activities Dynamic Analysis Threat Centric Detection Content SEU/SRU Sandbox VDB Security Intelligence & Web Reputation 2014 Cisco and/or its affiliates. All rights reserved. 12

13 With Cisco NGFW, security can be a business growth engine Cisco NGFW Stop more threats Gain more insight Detect earlier, act faster Reduce complexity Get more from your network Threat Focused Fully Integrated

14 Product and Services

15 Next Generation Firewall (NGFW) Essentials Cisco Collective Security Intelligence Enabled WWW High Availability NGIPS Advanced Malware Protection URL Filtering Analytics & Automation Network Firewall Routing Switching Application Visibility & Control Built-in Network Profiling Identity-Policy Control & VPN One Operating System + One Management 2015 Cisco and/or its affiliates. All rights reserved. 15

16 Cisco NGFW Evolution Two Appliances One Appliance Two Images One Appliance One Image Two Management Consoles Two Management Consoles One Management Console ASA FW FirePOWER NGIPS ASA + FirePOWER Services FirePOWER NGIPS ASA FW Code Firewall URL Visibility Threats Cisco Firepower Threat-focused Unified NGFW

17 Introducing Cisco NGFW Fully Integrated Threat Focused Unified Management FW / applications / IPS Cisco AMP network / endpoint Analysis and remediation Cisco security solutions Networkwide visibility Industry-best threat protection Known and unknown threats Track / contain / recover Across attack continuum Manage, control, and investigate Automatically protect

18 Cisco NGFW Platforms New Appliances Cisco Firepower 4100 Series and 9300 Cisco ASA with Firepower Services on ASA 5500-X Cisco FirePOWER Services on ASA 5585-X All* Managed by Cisco Firepower Management Center *5585-X management available 2H CY16

19 Cisco Firepower 4100 Series Introducing four new high-performance models Performance and Density Optimization 10-Gbps and 40-Gbps interfaces Up to 80-Gbps throughput 1-rack-unit (RU) form factor Low latency Multiservice Security Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMPRadware DefensePro DDoS) ASA and other future third party Unified Management Single management interface with Firepower Threat Defense Unified policy with inheritance Choice of management deployment options

20 Cisco Firepower 9300 Platform High-speed, scalable security Modular Benefits Standards and interoperability Flexible architecture Features Template-driven security Secure containerization for customer apps RESTful/JSON API Third-party orchestration and management Multiservice Security Benefits Integration of best-in-class security Dynamic service stitching Features* Cisco ASA container Cisco Firepower Threat Defense containers: NGIPS, AMP, URL, AVC Third-party containers: Radware DDoS Other ecosystem partners Carrier Class Benefits Industry-leading performance: 600% higher performance 30% higher port density Features Compact, 3RU form factor 10-Gbps/40-Gbps I/O; 100-Gbps ready Terabit backplane Low latency, intelligent fast path Network Equipment-Building System (NEBS) ready * Contact Cisco for services availability

21 Features

22 Automated, Integrated Defenses Context and Threat Correlation Context and Threat Correlation Priority 1 Priority 2 Priority 3 Impact Assessment

23 Automated, Integrated Defenses Dynamic Security Control Dynamic Security Control WWW WEB WWW WWW Adapt Policy to Risks

24 Automated, Integrated Defenses Multivector Correlation Admin Request 5 IoCs Host A Multivector Correlation Mail PDF Admin Request PDF Mail 3 IoCs Host B Early Warning for Advanced Threats Host C

25 Advanced Malware Protection - Preventive All detection is less than 100% One-to-One Signature Fuzzy Finger-Printing Machine Learning Advanced Analytics Dynamic Analysis Reputation Filtering and File Sandboxing

26 Automated, Integrated Defenses Retrospective Security Retrospective Security Shrink Time Between Detection and Cure

27 Expanding Advanced Malware Protection Everywhere ASA Dedicated FirePOWER Appliance Web & Security Appliances Cloud Based Web Security & Hosted Private Cloud PC / MAC Mobile Virtual NGIPS /NGFW on FirePOWER Continuous & Zero-Day Detection Advanced Analytics And Correlation Enterprise Capabilities

28 We are committed to addressing this problem Security is Cisco s number 1 priority. We are going big and making strategic investments to become our customers and partners most trusted security advisor. John Chambers Executive Chairman, Cisco April 2015 In the last 18 months, we invested over $3.7B in security

29 Cisco Firepower 6.1 Introduction

30 Firepower 6.1 A Quick Glance NGFW & Network Firewall Integration & Infrastructure Management Site-to-Site VPN Traffic Rate-Limiting Routing Enhancements Tunneled Traffic Policies Safe Search enforcement True-IP Policy (XFF) SSL Client Hello Captive Portal Enhancements ISE Remediation Inline SGT Tags KVM Support Converged CLI AMP Private Cloud Fail-to-Wire Improved Scale Usability Improvements Integrated Risk Reports High Availability Firepower Device Manager Available only on Firepower Threat Defense Software (FTD)

31 With Firepower 6.1 Software Internet Edge Focus An Integrated Cisco Story Local Management Enhanced Virtualization

32 Software Support by Platform Firepower Threat Defense Firepower NGIPS ASA Firewall Firepower Services on ASA Old (Series 2) FirePOWER Appliances FirePOWER 7000 Series FirePOWER 8000 Series ASA Low-end (5506/08/16) (reimage) ASA Mid-Range (5512/15/25/45/55) (reimage) ASA High-end (5585 SSP-10/20/40/60) Firepower 4100, 9300 (SSP 3RU - SM-24/36) VMware AWS KVM

33 Threat (IPS / SI / DNS) Malware (AMP / TG) URL Filtering Licensing Structure Base License enables NGFW Networking, Firewall and Application Visibility & Control Perpetual license - included with appliance purchase Term-based licenses for advanced protection Threat, Malware and URL Filtering Traditional ASA, FirePOWER licenses not needed Base (NGFW) Blue = Term-based Green = Perpetual Applicable only for Firepower Threat Defense Software (FTD)

34 Firepower 6.1 Feature Overview

35 NGFW and Network Firewall

36 Site-to-Site VPN Between multiple FTDs or between FTD and ASA Topology based design Point to point Hub and Spoke Full Mesh Uses pre-shared key only, no PKI Available only on Firepower Threat Defense Software (FTD)

37 Routing enhancements FTD now supports multicast routing IGMP version 1 and version 2 are supported PIM only sparse mode is supported Multicast Boundary supported Available only on Firepower Threat Defense Software (FTD)

38 Inline Security Group Tags (SGT) Behavior in 6.1 SGTs in network traffic are utilized SGTs seen in traffic take precedence SGT to IP mapping provided by ISE Untagged traffic is still matched to rule using IP to SGT mapping provided by ISE ISE integration is no longer needed SGTs can be defined in FMC Sensor does not add or remove tags from traffic Available only on Firepower Threat Defense Software (FTD)

39 Rate limiting Rate limiting provides Limits based on apps/groups, user/groups, Networks/Geo, Ports, URL, etc. Separate limits can be applied for download or upload Rate limits applied on routed mode interface objects Limits can be expressed in terms of actual rate or percentage of overall interface bandwidth Supported only on FTD Limitations Maximum number of QoS rules is 32 per interface on which rate limiting is getting applied Rate Limiting range is 8000 bits to 2Gbs (same as ASA) Available only on Firepower Threat Defense Software (FTD)

40 True-IP Policy In 6.1 True-IP Policy can be used in policy decisions X-Forwarded-For True-Client-IP header Custom headers that support XFF like syntax see RFC 7239 Precedence is set in the HTTP pre-processor settings Can specify which source IPs (Proxy servers) are trusted for these headers

41 Safe Search YouTube EDU enforcement Enforce Safe Search using supported search engines Utilizes a new Snort preprocessor: HTTP header modification Pre-processor Last preprocessor in Snort preprocessor chain:, AppID Access Control Rules Engine HTTP HTTP Header Modification Safe Search Action varies depending on search engine YouTube EDU Injects X-YouTube-Edu-Filter

42 Active authentication enhancements Kerberos authentication is now supported in 6.1 Guest access Before 6.1, guest policies could be provided to users that failed authentication With 6.1, there is a new button on the portal page. This button allows a user to choose guest access without trying to authenticate.

43 Prefilter Policies New type of policy called Prefilter policies Precedes access control policy Together with access control policy, allows control of both tunneled and tunneling protocol Also used to facilitate tools to migrate from ASA w/ FirePOWER services to FTD Prefilter Policies are implemented without involving Snort Prefilter Policy is associated with one or more Access Control Policies Available only on Firepower Threat Defense Software (FTD)

44 Integration and Infrastructure

45 ISE remediation via pxgrid Ability to register from FMC to ISE's Endpoint Services Protection providing the ability to quarantine, unquarantine or deactivate ports on endpoints visible to ISE ISE 1.3 and 2.0 are supported FMC SGTs and Endpoint Profiles Remediation requests (quarantine, un-quarantine) ISE Internet Sensor Servicing Router Client PC

46 AMP Private Cloud Firepower 6.1 is capable of using both the AMP Private Cloud and ThreatGrid Private Cloud 1. Log into your Private Cloud Portal 2. Navigate to Integrations Defense Center 3. Follow the instructions provided

47 KVM Support FMCv and FTDv are supported on KVM Both are functionally equivalent to FMCv on VMware Virtio driver support FMCv "Graceful Shutdown" - Allows the FMC to save critical data before shutting down Restrictions and Limitations Nested hypervisors (KVM running on top of VMware/ESXi) are not supported. Only bare-metal KVM deployments are supported Onbox management is not supported Available only on Firepower Threat Defense Software (FTD)

48 Management Specific Features

49 FMC HA Active/Standby Deployment Manual Failover Sybase database duplicated Both FMC nodes receive events from each sensor Policy changes made on primary are copied over to the secondary

50 FMC HA 5.4 vs FMC HA is Active/Standby. In 5.4.x, it was Active/Active Active FMC: fully functional. As good as standalone Standby FMC: read-only. Most of the tabs/sub-tabs on UI are hidden. Standby FMC: No CSM processes. Except VmsDbEngine. Standby FMC: Configuration database (Sybase) is read-only. No sync for events. Events are pushed to both the FMCs (no change from 5.4.x) FMC HA is supported on 4K, 2K, 3500 and Not supported on Virtual All configuration related tables of MySQL are moved to Sybase FMC HA 5.4 FMC HA managed FP only; FMC HA 6.1 managed HA for both FP and FTD

51 Integrated Risk Reports There are three risk reports Advanced Malware Attacks Network Prior to 6.1 risk reports where generated offline Generated by Cisco or partners Customers could not create reports. In 6.1 reports are integrated into the FMC UI

52 Analysis Tool: Lookup The Lookup tool can be used to get: Geolocation for an IP Address Whois Information for an IP Address Internet Connectivity is required

53 Firepower Device Manager

54 Firepower Device Manager Free local manager for managing a single Firepower Threat Defense device Targeted for SMB market Designed for Networking Security Administrator Beta is only available on Kenton models Available only for Firepower Threat Defense Software (FTD)

55 On-box Vs. Off-box Comparison at 6.1 NAT & Routing Access Control Intrusion & Malware Device & Events Monitoring Site to Site VPN Security Intelligence Other Policies: SSL, Identity, Rate Limiting (QoS) etc. Active/Passive Authentications Threat Intelligence & Analytics Risk Reports Correlation & Remediation Easy Device Setup Firepower Management Center (Off-box) Firepower Device Manager (On-box) In Roadmap In Roadmap In Roadmap In Roadmap NCP NCP NCP => Detailed => Optimized for SMBs => Not Present NCP => No Current Plan Available only for Firepower Threat Defense Software (FTD)

56 Demo

57