Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

Similar documents
Cisco Firepower Thread Defence. Claudiu Boar

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Business Resiliency Through Superior Threat Defense

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Firepower Techupdate April Jesper Rathsach, Consulting Systems Engineer Cisco Security North April 2017

FirePower 2100 NGFW. Elodie Heurtevent Security BDM Commercial. 21 March 2017

Fully Integrated, Threat-Focused Next-Generation Firewall

Global vision. Local knowledge. Cisco Forum Kyiv Country Day Month Year

Agile Security Solutions

Cisco ASA with FirePOWER Services

Deploying Intrusion Prevention Systems

The Internet of Everything is changing Everything

Deploying Intrusion Prevention Systems

Cisco FirePOWER 8000 Series Appliances

Cisco ASA with FirePOWER Services

Cisco Firepower 9300 Security Appliance

Data Center Security. Fuat KILIÇ Consulting Systems

Cisco ASA with FirePOWER Services

Design and Deployment of SourceFire NGIPS and NGFWL

Cisco ASA with FirePOWER services Eric Kostlan, Technical Marketing Engineer Security Technologies Group, Cisco Systems LABSEC-2339

Traffic Flow, Inspection, and Device Behavior During Upgrade

Firepower Platform Deep Dive

Improving Security with Cisco ASA Firepower Services Claudiu Onisoru, Senior Solutions Engineer Cisco Connect - 18 March 2015

Segmentation. Threat Defense. Visibility

Firepower 9300 Deep Dive

The Internet of Everything is changing Everything

Cisco ASA 5500-X NGFW

Contain known and unknown malware with leading Cisco Advanced Malware Protection (AMP) and sandboxing.

Before You Update: Important Notes

Contain known and unknown malware with leading Cisco Advanced Malware Protection (AMP) and sandboxing.

Cisco Comstor

Cisco Network Admission Control (NAC) Solution

Snort: The World s Most Widely Deployed IPS Technology

Cisco Security Exposed Through the Cyber Kill Chain

Cisco ASA with FirePOWER Services

Aby se z toho bezpečnostní správci nezbláznili Cisco security integrace. Milan Habrcetl Cisco CyberSecurity Specialist Mikulov, 5. 9.

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Introduction to the Cisco ASAv

Klaudia Bakšová System Engineer Cisco Systems. Cisco Clean Access

Cisco ASA 5500 Series IPS Solution

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers

Device Management Basics

There are two ways for a sensor device to detect the Security Group Tag (SGT) assigned to the traffic:

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

Cisco - ASA Lab Camp v9.0

Configure FTD Interfaces in Inline-Pair Mode

Stop Threats Before They Stop You

FireSIGHT Virtual Installation Guide

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

Chapter 1: Content Security

Cisco NGFW and UTM update Security Expert Call series

Sourcefire Network Security Analytics: Finding the Needle in the Haystack

Connection Logging. About Connection Logging

Implementing Cisco Network Security (IINS) 3.0

VM-SERIES FOR VMWARE VM VM

McAfee Network Security Platform

McAfee Network Security Platform

FP NGIPS Deployment and Operationalisation Mark Pretty, Consulting Systems Engineer

Cisco Firewall Basics

Device Management Basics

Features. HDX WAN optimization. QoS

Appliance Comparison Chart

Connection Logging. Introduction to Connection Logging

Cisco Firepower Next-Generation Firewall (NGFW)

NGFWv & ASAv in Public Cloud (AWS & Azure)

Cisco Cyber Threat Defense Solution 1.0

Implementing Cisco Edge Network Security Solutions ( )

Compare Security Analytics Solutions

Appliance Comparison Chart

Cisco NAC Network Module for Integrated Services Routers

Cloud-Managed Security for Distributed Networks with Cisco Meraki MX

Cisco TrustSec Software-Defined Segmentation Platform and Capability Matrix Release 6.3

Networking Drivers & Trends

User Identity Sources

Passit4Sure (50Q) Cisco Advanced Security Architecture for System Engineers

The following topics describe how to manage various policies on the Firepower Management Center:

STONESOFT. New Appliances2012

Service Provider Security Architecture

ASA5525-FPWR-K9 Datasheet. Overview. Check its price: Click Here. Quick Specs

The Future of Threat Prevention

Features and Functionality

Security Automation. Challenge: Automatizzare le azioni di isolamento e contenimento delle minacce rilevate tramite soluzioni di malware analysis

Licensing the Firepower System

Cisco Advanced Malware Protection against WannaCry

New Features for ASA Version 9.0(2)

Easy Setup Guide. Cisco ASA with Firepower Services. You can easily set up your ASA in this step-by-step guide.

Identity Based Network Access

CISCO CATALYST 4500-X SERIES FIXED 10 GIGABIT ETHERNET AGGREGATION SWITCH DATA SHEET

Cisco TrustSec Software-Defined Segmentation Release 6.1 System Bulletin

Cisco ASA Next-Generation Firewall Services

A Pragmatic Approach to HealthCare Security. Hans Mathys CSE, Cybersecurity, Cisco Switzerland

Wireless LAN Solutions

Cisco Next Generation Firewall Services

AlgoSec: How to Secure and Automate Your Heterogeneous Cisco Environment

Cisco Security. Advanced Malware Protection. Guillermo González Security Systems Engineer Octubre 2017

ASA5508-FTD-K9. ASA 5508-X with Firepower Threat Defense. 8GE. AC. 450 Mbps. 250 Mbps. 1 Gbps. 500 Mbps. 100 Mbps. Unlimited

Cisco Self Defending Network

NGFWv and ASAv in Public Cloud

PrepKing. PrepKing

Subscriber Data Correlation

Transcription:

Cisco Next Generation Firewall and IPS Dragan Novakovic Security Consulting Systems Engineer

Cisco ASA with Firepower services Cisco TALOS - Collective Security Intelligence Enabled Clustering & High Availability Network Firewall Routing Switching Intrusion Prevention (Subscription) Application Visibility & Control FireSIGHT Analytics & Automation Cisco ASA Advanced Malware Protection (Subscription) Built-in Network Profiling WWW URL Filtering (Subscription) Identity-Policy Control & VPN World s most widely deployed, enterprise-class ASA stateful firewall Granular Cisco Application Visibility and Control (AVC) Industry-leading FirePOWER nextgeneration IPS (NGIPS) Reputation- and category-based URL filtering Advanced malware protection

Next Generation Firewall and IPS ASA 5506-X ISA3000 ASA 5508-X ASA 5512/15-X ASA 5516-X ASA 5525-X ASA 5545-X ASA 5555-X SMB/Teleworker Branch Office Internet Edge ASA 5585-X SSP10 SSP20 FirePOWER 7000/8000 NGIPS ASA 5585-X SSP40 SSP60 NGIPSv Campus Data Center

Performance Highlights ASA 5500-X Model For Your Reference Cisco ASA 5500-X Model Performance 5506-X 5508-X 5516-X 5525-X 5545-X 5555-X Firewall Throughput (ASA) Throughput: FW + AVC 1 Throughput: FW + AVC + NGIPS1 750 Mbps 1 Gbps 1.8 Gbps 2 Gbps 3 Gbps 4 Gbps 250 Mbps 450 Mbps 850 Mbps 1100 Mbps 1500 Mbps 1750 Mbps 125 Mbps 250 Mbps 450 Mbps 650 Mbps 1000 Mbps 1250 Mbps 1 HTTP sessions with an average packet size of 1024 bytes.

Security Software Convergence Two Appliances Two Management Consoles One Appliance Two Images Two Management Consoles One Appliance One Image One Management Console ASA FW Firepower NGIPS ASA with Firepower Services Firepower NGIPS ASA FW Firepower Threat Defense (FTD)

Firepower Threat Defense Granular Cisco Application Visibility and Control (AVC) Industry-leading FirePOWER nextgeneration IPS (NGIPS) Reputation- and categorybased URL filtering Advanced malware protection

Security Software Convergence ASA L2-L4 Stateful Firewall Scalable CGNAT, ACL, routing Application inspection FirePOWER Threat-centric NGIPS AVC, URL Filtering for NGFW Advanced Malware Protection Firepower Threat Defense (FTD) New converged NGFW/NGIPS image Full FirePOWER functionality for NGFW/NGIPS deployments ASA Datapath with TCP Normalizer, NAT, ACL, dynamic routing, failover functions

Firepower 9300 High-end Platform Supervisor Application deployment and orchestration Network attachment and traffic distribution Clustering base layer for ASA/FTD Network Modules 10GE, 40GE, and 100GE Hardware bypass for inline NGIPS 3RU Security Modules Embedded Smart NIC and crypto hardware Cisco (ASA, FTD) and third-party (Radware DDoS) applications Standalone or clustered within and across chassis

Supervisor Simplified Hardware Diagram Security Module 1 Security Module 2 2x40Gbps 2x40Gbps 2x40Gbps Security Module 3 RAM System Bus Ethernet Internal Switch Fabric (up to 24x40GE) x86 CPU 2x40Gbps 5x40Gbps 5x40Gbps On-board 8x10GE interfaces NM Slot 1 NM Slot 2

Firepower 9300 Security Modules Same modules must be installed across entire chassis or cluster SM-44: 88 x86 CPU cores (10-15% higher performance than SM-36) SM-36: 72 x86 CPU cores SM-24: 48 x86 CPU cores x86 Turbo Mode for all security modules Triggered when 25% of ASA cores reach 80% load Disabled when all ASA cores drop below 60% load Increases performance by 10-20%

Security Module Simplified Diagram RAM 256GB x86 CPU 1 SM24: 24cores SM36: 36cores SM44: 44cores x86 CPU 2 SM24: 24cores SM36: 36cores SM44: 44cores System Bus Ethernet 2x100Gbps Smart NIC and Crypto Accelerator 2x40Gbps Backplane Supervisor Connection

Performance Highlights Cisco Firepower Model For Your Reference Cisco Firepower 9300 performance 9300 with 1 SM-24 9300 with 1 SM-36 9300 with 1 SM-44 9300 with 3 SM-44 Firewall Throughput (ASA) 75 Gbps 80 Gbps 80 Gbps 234 Gbps Throughput: FW + AVC (FTD)1 30 Gbps 42 Gbps 54 Gbps 135 Gbps Throughput: FW + AVC + NGIPS (FTD)1 24 Gbps 34 Gbps 53 Gbps 133 Gbps 1 HTTP sessions with an average packet size of 1024 bytes.

Next Generation Firewall and IPS Firepower 9300 ASA 5508-X ASA 5516-X ASA 5585-X SSP10/20/40/60 ASA 5506-X ISA3000 ASA 5512/15-X ASA 5525-X ASA 5545-X ASA 5555-X FirePOWER 7000/8000 NGIPS SMB/Teleworker Branch Office Internet Edge FTDv NGIPSv Campus Data Center

Firepower 4100 Overview Built-in Supervisor and Security Module Same hardware and software architecture as 9300 Fixed configurations (4110, 4120, 4140, 4150) Solid State Drives Independent operation (no RAID) Slot 1 today provides limited AMP storage Slot 2 provides optional AMP storage 1RU Onboard Connectivity 8 x 10G SFP Network Modules 10GE/40GE interchangeable with 9300 Partially overlapping fail-to-wire controller options

Firepower 4100 Logical Diagram RAM 4110: 64Gb 4120: 128Gb 4140: 256Gb 4150: 256Gb x86 CPU 1 4110: 12 cores 4120: 12 cores 4140: 36 cores 4150: 44 cores x86 CPU 2 4110: N/A 4120: 12 cores 4140: 36 cores 4150: 44 cores 4110: 1x100Gbps 4120-4150: 2x100Gbps Smart NIC and Crypto Accelerator 4110: 1x40Gbps 4120-4150: 2x40Gbps RAM System Bus Ethernet Internal Switch Fabric (up to 18x40GE) x86 CPU 2x40Gbps 5x40Gbps 5x40Gbps On-board 8x10GE interfaces NM Slot 1 NM Slot 2

Firepower 9300 and 4100 series performance For Your Reference Cisco Firepower Model 9300 with 9300 with 9300 with 9300 with 4110 4120 4140 4150 1 SM-24 1 SM-36 1 SM-44 3 SM-44 Firewall Throughput (ASA) Throughput: FW + AVC (FTD)1 Throughput: FW + AVC + NGIPS (FTD)1 35 Gbps 60 Gbps 70 Gbps 75 Gbps 75 Gbps 80 Gbps 80 Gbps 234 Gbps 12 Gbps 20 Gbps 25 Gbps 30 Gbps 30 Gbps 42 Gbps 54 Gbps 135 Gbps 10 Gbps 15 Gbps 20 Gbps 24 Gbps 24 Gbps 34 Gbps 53 Gbps 133 Gbps 1 HTTP sessions with an average packet size of 1024 bytes.

Next Generation Firewall and IPS Firepower 9300 Firepower 4110/20/40/50 ASA 5516-X ASA 5508-X ASA 5545-X ASA 5506-X ASA 5525-X ASA 5512/15-X ISA3000 ASA 5555-X ASA 5585-X SSP10/20/40/60 FirePOWER 7000/8000 NGIPS FTDv NGIPSv SMB/Teleworker Branch Office Internet Edge Data Center Campus

FPR 2100 with Firepower Threat Defense

Cisco Firepower 2100 Purpose Build Hardware for Cisco NGFW Fixed configurations (2110, 2120, 2130, 2140) Dual Power Supplies 2130-2140 Solid State Drives Independent operation (no RAID) Slot 1 provides default storage Slot 2 provides optional AMP storage 1RU Onboard Connectivity 12 x 1G RJ45 4 x 1G SFP Management and Console Port Network Modules (2130 and 2140 Only) 8 x 10GE SFP module Fail-to-wire options (future)

Firepower 2100 Logical Diagram RAM x86 CPU System Bus Ethernet Octeon NPU RAM Internal Switch Fabric On-board 12x1GE interfaces On-board 4x1GE SPF interfaces NM Slot 2130-2140

Firepower 2100, 4100, 9300 Snapshot For Your Reference Features FPR 2100 FPR 4100 FPR 9300 Throughput range Firewall + AVC Throughput range Firewall + AVC+IPS 2 to 8 Gbps 12 to 30 Gbps 30 to 54 Gbps 2 to 8 Gbps 10 to 24 Gbps 24 to 53 Gbps Interface Speed 1/10 Gbps 1/10/40 Gbps 1/10/ 40/100 Gbps Rack Unit size 1 RU 1 RU 3 RU Clustering Roadmap Yes (6.2) Yes (6.2) Other Apps No Yes (Radware DDoS) Yes (Radware DDoS) Chassis Manager Unified With FMC / FDM Yes Yes

Next Generation Firewall and IPS ASA 5516-X Firepower 2100 Series Firepower 4110/20/40/50 ASA 5506-X ISA3000 ASA 5508-X ASA 5512/15-X SMB/Teleworker 100-250Mb ASA 5525-X ASA 5545-X Branch Office 450Mb-1Gb ASA 5555-X ASA 5585-X SSP10/20/40/60 FirePOWER 7000/8000 NGIPS Internet Edge + Campus 1.2Gb-60Gb ASAv FTDv NGIPSv Data Center Up to 225Gb

Software Support by Platform For Your Reference Firepower Threat Defense Firepower NGIPS ASA Firewall Firepower Services on ASA FirePOWER 7000 Series FirePOWER 8000 Series ASA Low-end (5506/08/16) ASA Mid-Range (5512/15/25/45/55) ASA High-end (5585 SSP-10/20/40/60) Firepower 2100 Firepower 4100, 9300 (SSP 3RU - SM-24/36) VMware AWS

Firewall Design: Modes of Operation Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains Firewall is the Router and Gateway for local hosts 10.1.1.0/24 10.1.1.1 NAT DRP 192.168.1.1 192.168.1.0/24 IP:192.168.1.100 GW: 192.168.1.1

Firewall Design: Modes of Operation Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains Firewall is the Router and Gateway for local hosts Transparent Mode is where the firewall acts as a bridge functioning at L2 Transparent mode firewall offers some unique benefits in the DC Transparent deployment is tightly integrated with our best practice data center designs Note: No multiple context mode and RA VPN available on FTD today Routed or transparent mode configured with setup dialog Changing between these modes requires re-registering with FMC Policies will be re-deployed 192.168.1.1 VLAN192 VLAN1920 192.168.1.0/24 IP:192.168.1.100 GW: 192.168.1.1

FTD - Mix and Match Interface Modes A Passive B Routed/Transparent Policy Tables F G Interfaces C D Inline Pair 1 Inline Pair 2 H I Inline Set E Inline Tap J

Integrated Routing and Bridging Allows configuration of bridges in routed firewall mode Regular routed interfaces can now co-exist with BVI interfaces and interfaces that are members of bridge groups. Available with FTD 6.2 release FTD BVI 1 BVI 2 DMZ Outside

Flow Offload Use Cases Trusted flow processing with limited security visibility Maximize single-flow throughput and packet rate, minimize latency High performance compute, frequency trading, demanding data center applications DC1 DC2

Flow Offload Operation Full Inspection Dynamically program offload engine after flow establishment Bring flows out of and back to full inspection on demand Application Instance Incoming traffic NPU Classifier New and fully inspected flows Offload instructions Full Cisco ASA, NGFW, or NGIPS Engine Flow updates Established trusted and jumbo flows Lightweight Data Path Flow Offload Limited pseudo-stateful inspection in x86 or NPU Bidirectional byte count and TCP state tracking

Reduce complexity with simplified, consistent management Unified Network-to-endpoint visibility Manages firewall, applications, threats, and files Track, contain, and recover remediation tools Scalable Central, role-based management Multitenancy Policy inheritance Automated Impact assessment Rule recommendations Remediation APIs Cisco Firepower Management Center

Why Recommended rules are important Context enabled the detections that are relevant to your specific network Firepower Recommendations makes sure your system has the right detections enabled

Impact Assessment How Relevant is the Attack? Prevents information overload IMPACT FLAG ADMINISTRATOR ACTION WHY 1 Act Immediately, Host vulnerable or Compromised Event corresponds to vulnerability mapped to host 2 Investigate, Potentially Vulnerable Relevant port open or protocol in use, but no vulnerability mapped 3 Good to Know, Currently Not Vulnerable Relevant port not open or protocol not in use 4 Good to Know, Unknown Target Monitored network, but unknown host 0 Good to Know, Unknown Network Unmonitored network Event outside profiled networks If you have a fully profiled network this may be a critical event!

Correlation Rules / Correlation Policy Respond in real time to threats and network traffic deviates from its normal profile Correlation Policy Correlation Rule Correlation Rule Correlation Event Action Email Syslog SNMP Remediation Module

Network traffic deviates from its normal For Your Reference Correlation Rule to: Ensure only HTTPS traffic is used on port 443 Ensure traffic is initiated by a Host with a defined Location (host Attribute) is POS Ensure the HTTPS traffic from the POS host is received on hosts in the PCI network. Any traffic outside this profile will generate an event. TECSEC-2600 35

Production Network Change For Your Reference As new IP addresses appear on the network, Firepower Correlation Polices can trigger Nmap to perform an active scan of the new hosts

Correlation Rule example

Ensure compliance before granting access Identity Services Engine (ISE) ISE pxgrid TrustSec BYOD Employee Tag Guest Tag Guest Access Segmentation Propagate User Context Supplier Tag Server Tag Quarantine Tag Suspicious Tag ISE Firepower Management Center Device context Access policies Policy automation Set access control policies Propagate rules and context Establish a secure network Remediate breaches automatically

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback