Cisco ASA with FirePOWER Services
Eric Kostlan, Technical Marketing Engineer, Security Technologies Group, Cisco Systems
LABSEC-2339

Agenda
Introduction to Lab Exercises
Platforms and Solutions
ASA with Firepower Services Architecture

Introduction to Lab Exercises
Session Objectives
Upon successful completion of this session, the attendee will be able to understand how Sourcefire technologies are deployed on the ASA. In addition, many of the new Firepower 6.0 features will be covered.
The lab assumes some familiarity with the ASA. Familiarity with Sourcefire is useful, but not necessary.
Disclaimer: This is neither comprehensive ASA training nor comprehensive Sourcefire training. The focus of this lab is how the two are integrated.

Expectations
There are 8 labs. You should be able to complete the first 4 lab exercises in the time allotted.
If you want to have more time to work on a lab, you can:
Work on these labs from your hotel over the rest of the week.
Contact me (erkostla@cisco.com) starting next week, and we can work something out.
The lab exercise flow is shown below. More details about lab exercise dependencies appear on Page 3 of the Student Guide.

Lab Exercises
Lab Exercise 1: Initial SFR Configuration
Lab Exercise 2: Basic Policy Configuration
Lab Exercise 3: Security Intelligence
Lab Exercise 4: Snort and OpenAppID
Lab Exercise 5: SSL Decryption
Lab Exercise 6: File Policy Configuration
Lab Exercise 7: Identity
Lab Exercise 8: Domains

Lab Exercises and new 6.0 features
Lab Exercise 1 (Initial SFR Configuration): one box management
Lab Exercise 2 (Basic Policy Configuration): policy hierarchy
Lab Exercise 3 (Security Intelligence): URL based SI, DNS sinkholing
Lab Exercise 4 (Snort and OpenAppID): AVC using OpenAppID
Lab Exercise 5 (SSL Decryption): SSL decryption on ASA with FP
Lab Exercise 6 (File Policy Configuration): enhanced AMP capabilities
Lab Exercise 7 (Identity): active authentication, ISE for passive authentication
Lab Exercise 8 (Domains): multi-tenancy for management
Platforms and Solutions

What is Cisco Firepower? Historical perspective
Snort created: created by Martin Roesch in 1998. Snort is both a language and an engine. The open source community rapidly adopts and develops Snort.
Sourcefire founded: founded in 2001 by Martin Roesch; created a commercial version of Snort.
Sourcefire acquires Immunet, a cloud based anti-malware vendor; acquisition completed in 2011.
Cisco acquires Sourcefire: acquisition completed in 2013 for $2,700,000,000.

Cisco IPS and firewall offerings
ASA: traditional firewall.
Firepower appliances: stand alone NGIPS with limited firewall capabilities.
ASA with Firepower Services: combination of ASA and Firepower; complete feature set from both solutions.
Next Generation Firewall (NGFW), to be released in March: integrated data plane and integrated management.

Cisco ASA Firewalls, Next-Generation (firewall throughput, connections per second)
ASA 5506-X (750 Mbps, 5K conn/s)
ASA 5508-X (1 Gbps, 10K conn/s)
ASA 5512-X (500 Mbps, 10K conn/s)
ASA 5515-X (750 Mbps, 15K conn/s)
ASA 5516-X (1.8 Gbps, 20K conn/s)
ASA 5525-X (2 Gbps, 20K conn/s)
ASA 5545-X (3 Gbps, 30K conn/s)
ASA 5555-X (4 Gbps, 50K conn/s)
ASA 5585 SSP10 (4 Gbps, 65K conn/s)
ASA 5585 SSP20 (10 Gbps, 140K conn/s)
ASA 5585 SSP40 (20 Gbps, 240K conn/s)
ASA 5585 SSP60 (40 Gbps, 350K conn/s)
Firewall and VPN positioning, from smallest to largest: Teleworker, Branch Office, Internet Edge, Campus, Data Center
Scaling Provided by Clustering
Up to 16 ASA-X units. For the ASA 5585-X: FW max throughput 640 Gbps; FirePOWER IPS 440-byte throughput 96 Gbps.
Each Sourcefire sensor is an independent instance: ASAs share connection state information, but Sourcefire sensors do not share signature state information.
State-sharing between firewalls for symmetry and high availability: every session has a primary owner, and ownership is managed by the director node.
The ASA provides traffic symmetry to the FirePOWER module.

Multi-Context Support
Security contexts share a single Sourcefire instance.
Context IDs are passed from the ASA to Sourcefire when ASA interfaces are discovered.
Events passed to FireSIGHT include the context IDs.

Firepower Integration into Cisco Products
FP 8000 Series NGIPS appliances: 2 Gbps to 60 Gbps

Securing the Internet of Things: Industrial Security Appliance (ISA)
Software: firewall is ASA; IPS is Sourcefire FirePOWER Services.
Identify and block threats: generic, OT protocol specific, and OT application specific.
Application Visibility and Control: protocols, applications, and individual commands.
ASA with Firepower Services Architecture

ASA with FirePOWER Services: Functional Distribution of Features
FirePOWER Services: URL Category/Reputation, NGIPS, Application Visibility and Control, Advanced Malware Protection, Security Intelligence, SSL decryption, File Type filtering, File capture
ASA: TCP Normalization, TCP Intercept, IP Option Inspection, IP Fragmentation, Botnet Traffic Filter, NAT, Routing, ACL, VPN Termination

ASA 5585-X with FirePOWER Services: Packet flow overview
The ASA module processes all ingress and egress packets.
No packets are directly processed by FirePOWER except for the FirePOWER management port.
The ASA configures and controls the FirePOWER Services Module.
The logical flow is similar for mid-range ASAs.

ASA with FirePOWER Services 5.4 and FirePOWER physical appliances: Packet flow between the solution components
1. Ingress processing: inbound ACLs, IP defragmentation, TCP normalization, TCP intercept, protocol inspection, clustering/HA traffic control, VPN decryption, etc.
2. Sourcefire Services processing: URL filtering, AVC, NGIPS, AMP, etc.
3. Egress processing: outbound ACLs, NAT, routing, VPN encryption, etc.
Packets are redirected using the Cisco ASA Modular Policy Framework (MPF). MPF supports fail-open, fail-closed and monitor-only options, and MPF determines which traffic is sent to the FirePOWER Services module.
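As an added example (not from the deck), the ASA MPF configuration that implements the redirect described above, with the fail-close choice in place and the fail-open and monitor-only alternatives beside it; the access-list and class-map names are assumed:

```cisco
! Added example, not from the original deck. Access-list and class names are assumed.
! 1. Select which traffic the ASA hands to the FirePOWER (sfr) module.
access-list SFR-REDIRECT extended permit ip any any

class-map SFR-CLASS
 match access-list SFR-REDIRECT

! 2. Redirect that class in the global policy.
!    fail-close: if the module is down or not responding, matching traffic is
!    dropped, so inspection is never silently bypassed.
policy-map global_policy
 class SFR-CLASS
  sfr fail-close

service-policy global_policy global

! Alternatives for the same class (only one sfr command per class):
!   sfr fail-open               ! module down -> traffic is passed uninspected
!   sfr fail-open monitor-only  ! a copy goes to the module; its verdicts are not enforced
!
! Verify the module state and the redirect counters:
!   show module sfr details
!   show service-policy sfr
```

Monitor-only is useful for a baselining period before enforcement; fail-open trades availability for an uninspected window that should be visible in monitoring.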
Sample Solution Architecture with Management
Call to Action
Visit the World of Solutions for:
Cisco Campus
Walk in Labs
Technical Solution Clinics
Meet the Engineer
Lunch and Learn Topics
DevNet zone related sessions

Complete Your Online Session Evaluation
Please complete your online session evaluations after each session.
Complete 4 session evaluations and the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.
Thank you
What is Snort?
Snort is an engine: it parses network protocols.
Snort is a language: rules to analyze network traffic.
Snort is a community: more than 400,000 active members.
Snort packet pipeline (from the slide diagram): Network -> DAQ libraries -> Packet decoder -> Preprocessors -> Detection engine -> Output module -> Alert and log files

Best Practice physical configuration (5500-X)
ASA managed in-band (from the inside interface).
FirePOWER module managed via the M0/0 Management Interface; no nameif assigned to the ASA M0/0 interface.
The ASA inside interface and FirePOWER management can share the same Layer 2 domain and IP subnet.
Access from the inside to the FirePOWER module goes through the switch/router, without ASA involvement.
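An added example (not from the deck) of the ASA side of this best practice on a 5500-X, followed by the module-side network setup that is entered from the ASA console via session sfr; interface names, addresses and the registration key are constructed placeholders:

```cisco
! Added example, not from the original deck. Addresses, interface names and the
! registration key are constructed placeholders.
! ASA side: dedicate Management0/0 to the FirePOWER module. With no nameif the ASA
! neither routes nor inspects on this interface; the module owns it.
interface Management0/0
 management-only
 no nameif
 no ip address
 no shutdown

! Inside interface carries user traffic and in-band ASA management (SSH/ASDM).
! The module's management address sits in this same subnet.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
ssh 192.0.2.0 255.255.255.0 inside
http server enable
http 192.0.2.0 255.255.255.0 inside

! Module side, typed inside the module CLI after "session sfr" from the ASA.
! Gateway is the ASA inside address so the module reaches updates through the ASA.
!   configure network ipv4 manual 192.0.2.10 255.255.255.0 192.0.2.1
!   configure manager add 192.0.2.20 REGISTRATION-KEY-PLACEHOLDER
```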