Best Security and deployment strategies SMB NGFW deployment


Speaker: Anant Mathur, Manager, Technical Marketing

Cisco Spark
Questions? Use Cisco Spark to chat with the speaker after the session:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be available until July 3, 2017. cs.co/ciscolivebot#
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Related sessions (session ID, description, speaker):
- BRKSEC-1020: Cisco Firewall Basics, Mark Cairns
- BRKSEC-2020: Firepower NGFW Deployment in Data Center and Enterprise, Steve Chimes
- This session: Best Security and deployment strategies, SMB NGFW Deployment, Anant Mathur
- BRKSEC-2050: Firepower NGFW Internet Edge Deployment Scenarios, Jeff Fanelli
- BRKSEC-2058: A Deep Dive into using Firepower Manager, Will Young
- BRKSEC-2064: NGFWv and ASAv in Public Cloud (AWS and Azure), Anubhav Swami
- BRKSEC-2501: Deploying AnyConnect SSL VPN with ASA and FTD, Hakan Nohre
- BRKSEC-3020: NGFW Clustering Deep Dive, Kevin Klous
- BRKSEC-3035: Firepower Platforms Deep Dive, Andrew Ossipov
- BRKSEC-3300: Advanced IPS Deployment, Gary Halleen
- BRKSEC-3455: Dissecting Firepower NGFW Installation & Troubleshooting, Veronika Klauzova

Agenda
- Types of security threats and attacks in SMB
- Technologies used to mitigate and stop attacks
- Best practices for using security technologies with Cisco NGFW for SMB
- How to choose the right NGFW for your requirements

How do we define SMB?

What is SMB?
- SMB often refers to companies with fewer than 100 employees, while medium-sized business often refers to those with fewer than 500 employees.
- Cisco defines SMB pretty much along the lines of the EU definition.
- Gartner definition: Small Organizations have fewer than 100 employees and Medium Organizations have between 100 and 1000 employees; Small Organizations have revenue of less than $50 million and Medium Organizations have revenue of less than $1 billion.

News
- SMBs have not historically been the target of cybercrime, but in 2015 something drastically changed.
- The latest Government Security Breaches Survey found that nearly 74% of small organizations reported a security breach in 2015.
- About half of all cyberattacks target small businesses.
- Cyber attacks on small businesses are on the rise.

Why SMBs?
- 90% of admins in SMBs are not security experts
- Lack of security infrastructure
- Lack of security knowledge
- Constrained by budget and resources
- Security is compromised for network performance

[Cartoon] Courtesy: http://www.threatgeek.com/

Common Attacks in SMB

Client Side Attacks
Bob receives an email from what appears to be a legitimate user in his network. The email explains that it is important to visit the new customer service link for the organization. He clicks on the link and is presented with a web site that appears legitimate (malicious web sites are easy to make look legitimate). At this point his system may already have been exploited, and the attacker may have access to his operating system. How, you ask?

Client Side Attacks
- Client machines running software like PDF readers, MS Office etc. might be vulnerable to exploits
- Attackers use "bait the user" techniques and piggyback on social media requests
- Tools and techniques to execute these attacks are getting better day by day
- Vulnerable software (due to lack of upgrades and patches) is the entry point
- Typical exploit classes: buffer overflow, session hijacking, SQL injection, cross-site scripting

Fake App Attacks
- Attackers use fake applications to bait the user, for example fake AV applications (e.g. a fake AV website)
- Fake apps try to connect to a C&C server and open a remote shell to the server
- Mobile platforms are susceptible to this kind of attack

Virus
- A computer virus is a program or piece of code that is loaded onto your computer without your knowledge or permission
- Viruses are usually hidden in a commonly used program, such as a game or PDF viewer, or you may receive an infected file attached to an email or downloaded from the Internet
- ILoveYou, Code Red etc. are well-known viruses
- The classic virus is legacy code; it is not used by hackers/attackers much any more

Malware
- Malware is malicious software specifically designed to gain access to or damage computer and information assets without the knowledge of the owner
- Malware attacks are highly sophisticated and behavior based
- Files and software downloaded from the Internet often carry malware
- Malware is binary code that cannot be fully inspected by static tools
- Malware examples: virus, adware, spyware, botnets

Some News Bytes

Security Technologies

Intrusion Prevention System (IPS)
- Stops attacks like DoS, exploits (buffer overflow, session hijacking, cross-site scripting, etc.), worms and viruses
- Signature-based engine that sniffs packets to find abnormalities
- Signatures are regular expressions that match a pattern in the traffic
- Classic IPS generates alerts based on signature matches; the result is an enormous number of events
- NGIPS is a game changer

Gateway Anti-Virus
- Anti-virus is the traditional way to fight computer malware
- Anti-virus is signature based, sometimes combined with a heuristic engine
- Uses deep packet inspection to find tools used to exploit hosts
- Cannot detect sophisticated malware

Protection against Malware
- Malware cannot be stopped by legacy anti-virus or IPS technologies
- Many technologies are used to identify malware: sandboxing, reputation of network connections, IOCs
- There is no silver bullet to kill malware
- SMBs/branches are very prone to malware attacks

Sandboxing
- A method to run executable code in an isolated environment to analyze its behavior
- The sandbox runs the malware on isolated machines and records the behavior of the installed file
- Based on the execution patterns it issues a verdict
- These days malware is also very much aware of sandbox environments

Security Intelligence
- Assigns a reputation to IPs and domains; there are different levels of reputation
- Saves a lot of computational power on the box, because a reputation hit is decided before deep inspection runs
- Blocks bad domains and CnC servers
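The IPS and Security Intelligence slides above describe two stages of inspection: cheap reputation lookups on IPs and domains, followed by regex signatures over the payload, with inline deployments dropping on a match and passive (classic IPS) deployments only raising events. The following Python model, added here as an illustration and not code from the presentation or from Cisco, shows that ordering and why the reputation stage saves work. The blocklist entries, the two signatures and the sample packets are all constructed placeholders (documentation address space, `.example` names).

```python
import re
from dataclasses import dataclass

# Constructed reputation feed (placeholder entries in documentation address
# space; not a real Cisco Security Intelligence feed).
BLOCKED_IPS = {"198.51.100.7"}            # hypothetical known C&C server
BLOCKED_DOMAINS = {"cnc-update.example"}  # hypothetical C&C domain

# Constructed signatures: (sid, description, compiled regex). A real rule set
# (the Balanced profile has ~7000 rules) is far richer; these two only show
# that a signature is a pattern matched against traffic.
SIGNATURES = [
    (1001, "Oversized HTTP request line (buffer overflow attempt)",
     re.compile(rb"^[A-Z]+ \S{1024,} HTTP/1\.[01]")),
    (1002, "Script tag in URL (cross-site scripting attempt)",
     re.compile(rb"<script[^>]*>", re.IGNORECASE)),
]


@dataclass
class Packet:
    src: str
    dst: str
    host: str       # destination name from HTTP Host / TLS SNI, "" if unknown
    payload: bytes


@dataclass
class Verdict:
    stage: str      # "security-intelligence", "ips" or "allow"
    action: str     # "drop", "alert" or "allow"
    reason: str


def inspect(pkt, mode="inline"):
    """Two-stage inspection: reputation checks first, then regex signatures.
    Inline mode drops on a match; passive mode can only generate an alert,
    which is the classic-IPS behaviour that produces events instead of blocks."""
    blocking = "drop" if mode == "inline" else "alert"
    # Stage 1: Security Intelligence. Set membership is O(1) and runs before
    # the payload is touched, which is where the computational saving comes from.
    for ip in (pkt.src, pkt.dst):
        if ip in BLOCKED_IPS:
            return Verdict("security-intelligence", blocking, f"IP {ip} on blocklist")
    if pkt.host and pkt.host.lower() in BLOCKED_DOMAINS:
        return Verdict("security-intelligence", blocking, f"domain {pkt.host} on blocklist")
    # Stage 2: signature engine over the payload; the first matching rule decides.
    for sid, description, pattern in SIGNATURES:
        if pattern.search(pkt.payload):
            return Verdict("ips", blocking, f"SID {sid}: {description}")
    return Verdict("allow", "allow", "no reputation hit, no signature match")


def inspect_many(packets, mode="inline"):
    """Run inspect() over a capture and count which stage handled each packet,
    to see how much traffic Security Intelligence removes before the IPS runs."""
    counts = {"security-intelligence": 0, "ips": 0, "allow": 0}
    verdicts = []
    for pkt in packets:
        v = inspect(pkt, mode)
        counts[v.stage] += 1
        verdicts.append(v)
    return counts, verdicts


# Constructed sample traffic (not captured from any real network).
SAMPLE = [
    Packet("192.168.10.12", "198.51.100.7", "", b"beacon"),
    Packet("192.168.10.12", "203.0.113.5", "cnc-update.example", b"GET / HTTP/1.1"),
    Packet("192.168.10.12", "203.0.113.9", "shop.example",
           b"GET /search?q=<script>alert(1)</script> HTTP/1.1"),
    Packet("192.168.10.12", "203.0.113.9", "shop.example",
           b"GET /" + b"A" * 2000 + b" HTTP/1.1"),
    Packet("192.168.10.12", "203.0.113.9", "shop.example", b"GET /index.html HTTP/1.1"),
]

if __name__ == "__main__":
    for mode in ("inline", "passive"):
        counts, verdicts = inspect_many(SAMPLE, mode)
        print(mode, counts)
        for v in verdicts:
            print("  ", v.stage, v.action, v.reason)
```

Running it in both modes shows the same two packets stopped by reputation and the same two by signatures; only the action differs, which is the practical difference between a passive sensor that fills an event log and an inline NGFW that blocks.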

Access Control: Application Visibility and Control (AVC)
- Capabilities to control applications and micro-applications
- Reduces attack surface
- Improves business productivity
- Application visibility is like IPS: a deep packet inspection that looks for application patterns in the traffic

URL Filtering and Protection
- A method to block web pages based on reputation
- Block URLs and categories to enforce business requirements, e.g. adult content, gambling, job portals
- Also reduces attack surface

Key Products covering Security Technology

Unified Threat Management
- Unified threat management (UTM) is a converged platform of point security products
- Typical set: AV, web gateway security, anti-spam, URL filtering, IPS, firewall
- Though not very optimized to run all features at once
- UTM is known for feature convergence, not for security effectiveness
- UTMs compete solely on price

Next Generation Firewall
- Provides superior security with a high detection rate
- Extends beyond policy enforcement
- Provides greater contextual data for use in policy decisions: NGIPS, malware, analytics, etc.

[Cartoon] Courtesy: http://www.threatgeek.com/

Cisco Next Generation Firewall for SMB/Branch Office

Extend the value of your NGFW
Start with the hardware option that fits best. All come with built-in Application Visibility and Control (AVC), network firewalling, and VPN capabilities:
- Desktop: 5506-X
- Wireless AP: 5506W-X
- Ruggedized: 5506H-X
- Rackmount: 5508-X / 5516-X

Offering extensive contextual visibility
The more you see, the better you can protect.
[Diagram: visibility comparison of a typical IPS, a typical NGFW and Cisco Firepower NGFW across threats, users, client applications, operating systems, application protocols, file transfers, web applications, C&C servers, malware, routers and switches, mobile devices, printers, network servers and VoIP phones]

Block or allow access to URLs and domains: Web controls
[Diagram: NGFW filtering driven by security feeds (URL, IP, DNS) and the Cisco URL database, with category-based policy creation by the admin (e.g. gambling: allow/block), Safe Search and DNS sinkhole]
- Classify 280M+ URLs
- Filter sites using 80+ categories
- Manage allow/block lists easily
- Block latest malicious URLs

Provide next-generation visibility into app usage: Application Visibility & Control
[Diagram: Cisco database of 4,000+ apps and 180,000+ micro-apps; (1) network & users with unmapped traffic, (2) prioritized traffic]
- See and understand risks
- Enforce granular access control
- Prioritize traffic and limit rates
- Create detectors for custom apps

Understand threat details and quickly respond: Next-Generation Intrusion Prevention System (NGIPS)
[Diagram: app & device data from ISE and data packets are scanned; blended threats, phishing attacks, innocuous payloads and infrequent callouts are correlated with network profiling; (1) prioritize response, (2) automate policies, (3) accept or block communications]
- Scan network traffic
- Correlate data
- Detect stealthy threats
- Respond based on priority

Uncover hidden threats in the environment: Advanced Malware Protection (AMP)
[Diagram: file engines (known signatures, fuzzy fingerprinting, indications of compromise, advanced analytics), Threat Grid sandboxing (dynamic analysis, threat intelligence), threat disposition (safe / uncertain / risky), file & device trajectory built from AMP for Endpoint and AMP for Network logs, enforcement across all endpoints]
- Block known malware
- Investigate files safely
- Detect new threats
- Respond to alerts

Get real-time protection against global threats: Talos Threat Intelligence
[Diagram: Research (250+ researchers, 24x7x365 operations), Security Coverage (endpoints, web, networks, NGIPS, devices), Response (1.5 million daily malware samples, 600 billion daily email messages, 16 billion daily web requests)]
- Identify advanced threats
- Get specific intelligence
- Catch stealthy threats
- Stay protected with updates

Choosing the Right Manager

Firepower Device Manager & Firepower Management Center
Firepower Device Manager (FDM):
- Designed for SMB customers
- Easy deployment
- Single device manager
- Intuitive GUI
- Simplified user policies
Firepower Management Center (FMC):
- Contextual visibility
- Extensive eventing and reporting
- Deeper configuration tuning
- Multi-device manager
- Automation
- IOC, impact analysis

Quick recommendation to choose the right manager
Centralized (FMC) when:
- Multiple devices are deployed
- Security policies need tuning, e.g. IPS rule tuning and custom signatures
- File policies need tuning to detect and block files, with white listing, engines like machine learning and dynamic analysis, and visibility into patient zero
- Visibility into the network is required
- Extensive eventing and reporting capabilities are needed
Local (FDM) when:
- Network operations manages security
- You rely on pre-canned profiles for IPS and file policies
- You want to block malware and are not interested in advanced inspection
- You rely on an intuitive GUI and wizards to create policies
- The requirement is simplicity

Cisco Defense Orchestrator
Defense Orchestrator helps you manage all of your security policy:
- Change management: get visibility into the impact of change on affected security services and devices (change impact modeling, object and policy analysis)
- Auditing: gain policy awareness and identify issues (security policy management reports)
- Device onboarding: import from offline or discover directly from the device
- Optimization: adjust security policy rule sets to optimize performance
- Monitoring: track policy implementation and activity across all affected security services and devices (OOB notifications)

NGFW deployments using FDM

Basic NGFW deployment
[Diagram: two deployment options, each facing Internet/cloud services]
- Routed mode: inline; the device has its own IP address (202.10.23.11 in the diagram) and provides VPN, NAT, routing, IPS, AMP, URL filtering, AVC, access control etc.
- Transparent mode: inline, inline tap or passive; the device bridges traffic (192.168.10.12 in the diagram) and provides IPS, AMP, routing, URL filtering, AVC, access control etc.

Deploying NGFW: Management Access (only available through FDM)

Management Access List; first-boot log: /var/log/firstboot.ngfw-onbox.log

Integrated Routing and Bridging: Soft Switch

Bob, an IT admin at a small firm, has just bought a 5506-X

Deploy the Box

Default device setup
1. Connect the management port and data port G1/2 to the L2 switch, in the same VLAN.
2. Connect G1/1 to the ISP.
3. The switch is required to send management traffic to the Internet.
4. The management port is not routable, for security reasons.
From version 6.2 onward you can choose a data port for management connectivity and get rid of the switch.

Easy Configuration: Step 1

Easy Configuration: Step 2
- Rules to allow traffic; the default is to block all traffic
- Information on DNS, DHCP etc.

Easy Configuration: Step 3

Easy Configuration: Step 4

Will my box stop attacks with the default configuration?
- By default the box drops everything: the default access policy and default IPS policy contain no rules
- An IPS profile, Security Intelligence and Access Control must be configured before anything is allowed or inspected

Bob wants to allow Dropbox downloads: Controlling the access

Access Control using Firepower Device Manager
- Rules live under access policies
- The parent policy controls and blocks traffic
- Default action

Applications

Actions

Check with the deployment diagram

Authenticating Users
1. Create a realm
2. Create policies
- Methods: HTTP Basic, NTLM, HTTP Negotiate
- Fallback as guest

Access Rule on FMC
- More attributes are available to build an access rule
- Stitch inspection policies to the rule

Bob wants to inspect files downloaded from Dropbox: Inspecting allowed traffic

Inspecting Dropbox traffic

IPS Policies on FDM
Pre-canned profiles:
- Connectivity over Security
- Balanced Security and Connectivity
- Security over Connectivity
- Maximum Detection
The intrusion policy is part of an access rule. IPS has a performance overhead.

Understand IPS profiles
- Balanced Security and Connectivity has a mix of rules that addresses the needs of SMB organizations
- Its rules are set to drop and generate events
- It has ~7000 rules that stop attacks like exploits, viruses, worms, trojans etc.

IPS tuning: FMC
- Auto tuning of IPS rules
- Four pre-canned profiles
- Rule tuning

Controlling the default behavior
- Enable IPS policies
- Change the default policy to Allow
- Select a profile

Bob wants to restrict access to online games: Control the web access

URL Filtering on Firepower Device Manager
- URLs
- URL categories

URL Filtering on Firepower Device Manager: Using Reputation
- Reputation combined with the games category
- Cloud lookup for unknown URLs

URL Filtering on FMC
- Various actions
- Reputation can also be assigned per URL category
- Around 81 categories and more than 21 million URLs
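The access control and URL filtering slides above (from "Will my box stop attacks with the default configuration?" through "URL Filtering on FMC") describe one mechanism: an ordered list of rules matched on application, zone, URL category and reputation, with inspection policies stitched to the rules that allow traffic and a default action of block for everything unmatched. The Python model below, added as an illustration and not code from the presentation or from Cisco, implements that evaluation for Bob's three scenarios (allow Dropbox with file inspection, block online games, block low-reputation sites). The URL database, the cloud lookup stand-in, the 1-5 reputation scale and the host names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed URL database: host -> (category, reputation). Reputation uses a
# 1-5 scale with 1 = high risk and 5 = well known, a simplification of the
# vendor scale; entries are placeholders, not the Cisco URL database.
LOCAL_URL_DB = {
    "www.dropbox.com": ("File Sharing", 5),
    "play.games.example": ("Games", 4),
    "news.example": ("News", 5),
}
# Constructed stand-in for the cloud lookup used for URLs the local DB lacks.
CLOUD_URL_DB = {
    "free-prizes.example": ("Gambling", 1),
}


def classify_url(host):
    """Local lookup first; unknown hosts go to the (simulated) cloud lookup.
    Returns (category, reputation), or ("Uncategorized", None) if both miss."""
    if host in LOCAL_URL_DB:
        return LOCAL_URL_DB[host]
    return CLOUD_URL_DB.get(host, ("Uncategorized", None))


@dataclass
class Connection:
    src_zone: str
    dst_zone: str
    app: str                  # detected application, e.g. "Dropbox", "HTTP", "SSH"
    host: str = ""            # HTTP Host / SNI, "" for non-web traffic


@dataclass
class Rule:
    name: str
    action: str                            # "allow" or "block"
    src_zones: Optional[set] = None        # None = match any
    dst_zones: Optional[set] = None
    apps: Optional[set] = None
    url_categories: Optional[set] = None
    max_reputation: Optional[int] = None   # match URLs whose reputation <= this
    intrusion_policy: Optional[str] = None # inspection stitched to an allow rule
    file_policy: Optional[str] = None

    def matches(self, conn):
        if self.src_zones is not None and conn.src_zone not in self.src_zones:
            return False
        if self.dst_zones is not None and conn.dst_zone not in self.dst_zones:
            return False
        if self.apps is not None and conn.app not in self.apps:
            return False
        if self.url_categories is not None or self.max_reputation is not None:
            if not conn.host:                       # URL conditions need a URL
                return False
            category, reputation = classify_url(conn.host)
            if self.url_categories is not None and category not in self.url_categories:
                return False
            if self.max_reputation is not None and (
                    reputation is None or reputation > self.max_reputation):
                return False
        return True


@dataclass
class Decision:
    action: str
    rule: str
    intrusion_policy: Optional[str] = None
    file_policy: Optional[str] = None


class AccessPolicy:
    """Ordered rules, first match wins; anything unmatched gets the default
    action, which is block unless changed (the 'box drops everything' default)."""
    def __init__(self, rules, default_action="block"):
        self.rules = rules
        self.default_action = default_action

    def evaluate(self, conn):
        for rule in self.rules:
            if rule.matches(conn):
                if rule.action == "allow":
                    return Decision("allow", rule.name, rule.intrusion_policy, rule.file_policy)
                return Decision("block", rule.name)
        return Decision(self.default_action, "default action")


# Bob's policy, in rule order: block rules first so an allow rule cannot shadow them.
BOB_POLICY = AccessPolicy([
    Rule("Block online games", "block", src_zones={"inside"}, url_categories={"Games"}),
    Rule("Block risky URLs", "block", src_zones={"inside"}, max_reputation=2),
    Rule("Allow Dropbox", "allow", src_zones={"inside"}, dst_zones={"outside"},
         apps={"Dropbox"}, intrusion_policy="Balanced Security and Connectivity",
         file_policy="Block Malware"),
    Rule("Allow web", "allow", src_zones={"inside"}, dst_zones={"outside"},
         apps={"HTTP", "HTTPS"}, intrusion_policy="Balanced Security and Connectivity"),
])

if __name__ == "__main__":
    for conn in (Connection("inside", "outside", "Dropbox", "www.dropbox.com"),
                 Connection("inside", "outside", "HTTPS", "play.games.example"),
                 Connection("inside", "outside", "HTTP", "free-prizes.example"),
                 Connection("outside", "inside", "SSH")):
        print(conn.app, conn.host or "-", "->", BOB_POLICY.evaluate(conn))
```

Note the two things the model makes visible: rule order matters (the block rules sit above the broad "Allow web" rule, otherwise games traffic over HTTPS would be allowed), and an uncategorized host with no reputation is not caught by the reputation rule, so an explicit decision is needed for unknown sites if they are to be blocked.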

Bob wants to save the network from advanced attacks like malware

Controlling and Blocking Malware: FDM
- Pre-canned profiles
- Connects to the cloud to detect malware; the cloud runs a powerful engine for malware detection

Controlling and Blocking Malware: FMC
- Allows dynamic analysis and machine learning
- Allows capturing files
- Allows choosing file types and categories
- Custom black list
- Watch the threat score
- Patient zero

Bob is at the branch and wants to connect to the head office

Site to Site VPN

Steps for configuration

Connection Profile: specify VPN interfaces and networks

Choose Protocol / Privacy Configuration
- IKE policy & proposal
- Custom IKE policies
- Pre-shared keys

Summary

Site to Site VPN on FMC
- Multiple deployments
- Certificates
- Advanced tuning: IPsec, IKE etc.

Bob wants to secure his remote users

RA VPN support on FTD
- Secured access: AnyConnect client, SSL, IPsec
- AAA: LDAP/AD/RADIUS, certificates; RADIUS authorization attributes (DACL, group policy, address assignment); RADIUS accounting
- Connectivity experience: split tunneling, DNS, address assignment, access hours, ACLs, timeouts
- Troubleshooting & reporting: user, user activity, usage etc.
- Availability: FTD HA, dual ISP, multiple AAA servers
- Smart Licensing: Apex, Plus, VPN only
- Management: intuitive GUI

Remote Access VPN: AnyConnect Client Configuration
Wizard steps: Device Identity and Client Addressing; Connection Settings; Summary & Instructions.
A user can't use RA VPN if the FTD is in evaluation mode of Smart Licensing. The user needs a Smart Licensing account and a valid licensing token for the RA VPN feature to work with FDM.

Step 1: Configuring a RA VPN Connection Profile (a.k.a. Tunnel Group)
- Connection profile name
- AD realm
- Upload the AnyConnect package

Step 2: Device Identity and Addressing
- Certificate for device identity
- Outside interface
- Address pool
- DNS

Step 3: Connection Settings
- Timeouts
- Dealing with the browser proxy during the VPN session
- Address pool
- Split tunneling
- NAT exemption for the inside network
- AnyConnect client profile (optional)

View Summary

Useful CLI commands (arguments to the FTD show command, as listed on the slide):
- vpn-sessiondb anyconnect
- vpn-sessiondb detail anyconnect
- vpn-sessiondb licensesummary
- ssl errors
- ssl ciphers
- aaa-server
- asp table socket
- crypto ca certificates
- crypto ca crls
- crypto ca trustpoints
- webvpn anyconnect
- webvpn group-alias
- webvpn group-url
- webvpn hostscan
- webvpn statistics
- webvpn saml idp
- uauth
- ip local pool <name of ipv4 pool>

How to protect endpoints not on the corporate network

Bob must back up the configuration: Backup and Restore

Backup and Recovery

Monitoring & Troubleshooting

Dashboard views: system information, aggregated throughput, resource usage, real-time events

Understanding Performance

Performance
[Chart: IPS throughput in Mbps (axis 0 to 3000) for the 5506-X, 5508-X, 5516-X, 5525-X, 5545-X and 5555-X, two series: "Real World IPS" and "DataSheet IPS"; plotted values 90, 180, 250, 300, 375, 450, 575, 725, 850, 1100, 1500, 1750]
- Datasheet numbers are for RFPs and references
- Real-world numbers must be considered for sizing
- Each service degrades performance by some percentage
- Performance degrades with smaller packet sizes

[Cartoon] Courtesy: http://www.threatgeek.com/

Evaluating NGFW for SMB

Evaluating Features
- Application control
- Web filtering
- IPS
- Malware
- Easy deployment
- VPN
- Manageability
You need a UTM only if all of the above are mediocre and you also want email anti-virus.

Performance
- Evaluate device performance with sizing data
- Always plan for all features enabled (suggested)
- Consider the degradation caused by enabling each service

Plan for the future
- Security requirements are changing: today anti-virus can still be a buying criterion, but in a year or two it will not be
- Have a contingency for performance
- Check whether the hardware can adapt to future requirements: upgrades etc.
- How frequent are the updates?

What we have learned

Things you have learned
- Security attacks
- Technologies to protect your network
- How to use them for your network
- How to evaluate an NGFW

Security Beta Programs
Security beta products: ASA, AMP for Endpoints, ISE, Firepower NGFW/NGIPS, ISR, OpenDNS, Firepower Platforms, ESA, Stealthwatch Learning Networks
Customer benefits:
- Free test hardware
- Early experience with and training on new features and functionality
- Demos and feedback sessions on product usability, design, and roadmaps
- Risk-free testing in the customer environment prior to FCS
- Beta customer S1-3 issues fixed in the GA release
To participate in Beta: http://cs.co/security-beta-nomination or email ask-sbg-beta@cisco.com
"I've been involved in many beta programs. I must say that this one has been the best organized. This beta has taken a very active, hands-on approach." - Liberal Arts College Customer

Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card. Complete your session surveys through the Cisco Live mobile app or on www.ciscolive.com/us. Don't forget: Cisco Live sessions will be available for viewing on demand after the event at www.ciscolive.com/online.

Continue Your Education
- Demos in the Cisco campus
- Walk-in self-paced labs
- Lunch & Learn
- Meet the Engineer 1:1 meetings

Thank you

Appendix

Bob must also know best practices to secure wireless

Brief on Setup
- Integrated Cisco 702i AP as a hardware module
- The AP is off by default; use the CLI to the AP console to enable dot11radio
- Use IP to connect to the AP and create SSIDs etc.

Securing SSIDs
Threats: human error, rogue access points, WEP/WPA cracking, pre-shared key guessing.
WPA2-AES is the "gold standard" for data encryption.

Other Cisco Security Products

Umbrella
- Protection when off the VPN, no additional agents required
- Visibility and enforcement at the DNS layer
- Blocks requests to malicious domains and IPs
- Predictive intelligence uncovers current and emergent threats
- Subscription-based model
- Integrated with AnyConnect

Meraki
- Security: NG firewall, client VPN, site-to-site VPN, IDS/IPS, anti-malware, geo-firewall
- Networking: NAT/DHCP, 3G/4G cellular, Intelligent WAN (IWAN)
- Application control: web caching, traffic shaping, content filtering

Cisco Integrated Services Router (ISR)
- For the ISR 4k, services are deployed on a UCS-E blade; the blade contains a hypervisor
- Architecture similar to ASA with Firepower Services; also called Cisco Firepower Threat Defense for ISR
- Snort integration is road-mapped for lower-end ISR routers, similar to the Meraki Snort deployment: Snort without the full Sourcefire sensor