New methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall
Claudiu Onisoru, Senior Network Specialist
Cisco Connect - 15 May 2014
Agenda
Frontal Communication: Who we are?
- Key points
- Competencies Areas
- Cisco Partnership
Cisco NGFW Next Generation Firewall
- Introduction
- Hardware overview
- Packet flow
- Management architecture
Key Points
- Established in 1994
- Top Romanian SYSTEM INTEGRATOR
- Cisco GOLD Partner
- Oracle Gold Partner
- VMware Partner Enterprise Solution Provider
- EMC Premier Velocity Partner
- Areas of competency in Infrastructure, Datacenter, Multiservice, Security
- VMware Training Center due to strategic partnership with Omnilogic, and Cisco Authorized Training Center
- Testing Center PEARSON VUE and PROMETRIC due to strategic partnership with Omnilogic
- VCE partner
- Citrix Silver Solution Advisor Partner
Competencies Areas
DATA CENTER: Storage, Switching, Applications, Security, Network Management
NETWORK SYSTEMS: Routing, LAN Switching, Network Management
MOBILITY SOLUTIONS: Wireless LAN, Remote Access, Business Class Teleworker Solutions, Mobile Solutions for Unified Communications
SECURITY: Firewall, Attack and Intrusion Prevention, Spam and Virus Protection, Virtual Private Networks, Network Admission Control, Security Management, Physical Security, Web and Email security, Video Surveillance, Identity Services Engine
UNIFIED COMMUNICATION: IP Telephony, Applications, Contact Center, Voice Management, Call accounting
Cisco Partnership
Certifications
- Gold Certified Partner
Specialization
- Advanced Collaboration Architecture (1st in Romania and Region)
- Advanced Borderless Architecture
- Advanced Routing & Switching
- Advanced Security
- Advanced Data Center Architecture
Other Authorizations
- Cisco Learning Partner Associate
- Smart Care Registered Partner
- Academy Network Partner
- Customer Satisfaction Excellence
- ATP Telepresence Express
- ATP Identity Services Engine
- ATP IP Interoperability and Collaborative System (the only one in Romania)
Cisco NGFW Next Generation Firewall
- Introduction
- Hardware overview
- Packet flow
- Management architecture
Firewall Evolution
- Phase 1: IP & Ports
- Phase 2: Applications & Users
- Phase 3: Full Context-Awareness
ASA NGFW adds context-aware security to the ASA product line. PRSM provides a common management experience.
Cisco Next Generation Firewall
- Built on the best-of-breed ASA stateful inspection firewall
- Applies NAT to embedded application protocol data
- Integrates with many other solutions, including Unified Communications technologies, Active Directory, etc.
- Acts as a VPN termination point: site-to-site, remote access, and clientless SSL VPN
- Provides next-generation firewall (NGFW) services:
  - Web reputation for malware protection
  - URL filtering to enforce acceptable use
  - Application visibility and control (AVC)
  - Threat protection (NGFW IPS)
Beyond ports and protocols: How ASA NGFW Addresses Access Control
- Who: Identity and Authentication
- What: Application, URL Category, Reputation
- How: Device, OS, User Agent, Posture
- Where: Local, Remote
Application Visibility and Control: Enforcing acceptable usage
- 1,200+ apps
- 150,000+ MicroApps
- Application Behavior
- Greatest control and visibility over mobile, collaborative, and web 2.0 applications
- Ensures security of (and from) port-hopping applications, such as Skype and BitTorrent
- Granular enforcement of behaviors within applications
- Visibility of activity across the network
Visit http://asacx-cisco.com
Application Visibility and Control
- Approximately 1,200 applications supported
- Powered by the Cisco Security Intelligence Operation (SIO)
- By default, PRSM and ASA NGFW check for application signature updates every 5 minutes
- Supported applications are recognized on any port
- Three levels of granularity are supported:
  - Application type. Examples: Collaboration, Facebook, games, social networking
  - Application. Examples: BitTorrent, Cisco phones, ftp-agent, Google Translate, itunes, LDAP, oracle-sqlnet, RADIUS, WCCP, WebEx
  - Application behavior. For example, you could allow the collaboration application type, but not allow uploads
Web Security Essentials: Reputation
The web reputation score runs from -10 to +10 (scale ticks at -10, -5, 0, +5, +10). From most negative to most positive, the slide's scale reads:
- Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious.
- Phishing sites, bots, drive-by installers. Extremely likely to be malicious.
- Aggressive ad syndication and user tracking networks.
- Sites suspected to be malicious, but not confirmed.
- Well managed, responsible content syndication networks and user generated content.
- Sites with some history of responsible behavior or 3rd party validation.
- Sites with a long history of responsible behavior. Have significant volume and are widely accessed.
Default web reputation profile:
- Suspicious: -10 through -6
- Not suspicious: -5.9 through +10
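The slides above describe access control as a decision over who, what and how (slide 9), three levels of application granularity (slide 11) and a reputation score with a default suspicious band (slide 12). The following Go program is an added example written for this page, not Cisco code and not the ASA NGFW policy engine: it models a first-match access policy over those criteria, with the default reputation profile boundary from the slide applied to allow rules. The rule and flow fields, the sample policy, the sample flows and the implicit default deny are all constructed assumptions.

```go
package main

import "fmt"

// FlowContext is what the ASA NGFW knows about a connection when the access
// policy runs: who, what and how (slide 9) plus the web reputation score of
// the destination (slide 12). Constructed types, not Cisco's data model.
type FlowContext struct {
	User, Device, AppType, App, Behavior, URLCategory string
	Reputation                                        float64 // -10.0 through +10.0
}

// Rule is one access-policy entry; an empty criterion matches anything.
type Rule struct {
	Name, User, Device, AppType, App, Behavior, URLCategory string
	Action                                                  string // "allow" or "deny"
	ApplyReputation                                         bool   // allow rule still denies suspicious destinations
}

// ReputationProfile holds the upper edge of the suspicious band. The default
// profile on slide 12 is -10 through -6 suspicious, -5.9 through +10 not.
type ReputationProfile struct{ SuspiciousMax float64 }

var DefaultProfile = ReputationProfile{SuspiciousMax: -6.0}

// Suspicious reports whether a score falls inside the suspicious band.
func (p ReputationProfile) Suspicious(score float64) bool { return score <= p.SuspiciousMax }

func match(want, got string) bool { return want == "" || want == got }

// Matches checks every criterion of the rule against the flow.
func (r Rule) Matches(f FlowContext) bool {
	return match(r.User, f.User) && match(r.Device, f.Device) &&
		match(r.AppType, f.AppType) && match(r.App, f.App) &&
		match(r.Behavior, f.Behavior) && match(r.URLCategory, f.URLCategory)
}

// Verdict is the decision plus the rule and reason that produced it.
type Verdict struct{ Action, Rule, Reason string }

// Evaluate walks the policy top-down; the first matching rule decides. An
// allow rule with ApplyReputation set denies suspicious destinations instead.
// A flow matching nothing gets an implicit deny (an assumption made here).
func Evaluate(rules []Rule, p ReputationProfile, f FlowContext) Verdict {
	for _, r := range rules {
		if !r.Matches(f) {
			continue
		}
		if r.Action == "allow" && r.ApplyReputation && p.Suspicious(f.Reputation) {
			return Verdict{"deny", r.Name, fmt.Sprintf("reputation %.1f is suspicious", f.Reputation)}
		}
		return Verdict{r.Action, r.Name, "matched"}
	}
	return Verdict{"deny", "", "implicit default deny"}
}

// SamplePolicy is constructed from the slides' own examples: block BitTorrent,
// allow collaboration apps but not uploads (slide 11), and allow general web
// use subject to the reputation profile.
var SamplePolicy = []Rule{
	{Name: "block-bittorrent", App: "bittorrent", Action: "deny"},
	{Name: "collab-no-upload", AppType: "collaboration", Behavior: "upload", Action: "deny"},
	{Name: "collab-allow", AppType: "collaboration", Action: "allow", ApplyReputation: true},
	{Name: "web-allow", AppType: "web", Action: "allow", ApplyReputation: true},
}

func main() {
	flows := []FlowContext{ // constructed sample flows
		{User: "alice", AppType: "collaboration", App: "webex", Behavior: "upload", Reputation: 8},
		{User: "alice", AppType: "collaboration", App: "webex", Behavior: "chat", Reputation: 8},
		{User: "bob", AppType: "file-sharing", App: "bittorrent"},
		{User: "bob", AppType: "web", App: "http", URLCategory: "news", Reputation: -7.5},
		{User: "bob", AppType: "web", App: "http", URLCategory: "news", Reputation: -5.9},
		{User: "carol", AppType: "voip", App: "skype", Reputation: 5},
	}
	for _, f := range flows {
		v := Evaluate(SamplePolicy, DefaultProfile, f)
		fmt.Printf("%-6s %-14s %-10s %-7s rep=%5.1f -> %-5s [%s] %s\n",
			f.User, f.AppType, f.App, f.Behavior, f.Reputation, v.Action, v.Rule, v.Reason)
	}
}
```

The boundary matters: a score of exactly -6.0 is suspicious under the default profile while -5.9 is not, so the comparison is `<=` against -6, not `<`. Rule order also matters: the upload deny sits above the collaboration allow, otherwise the broader allow would win first.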
Web Security Essentials: URL Filtering
- Used to enforce acceptable use
- Predefined and custom URL categories
- 78 predefined URL categories
- 20,000,000+ URLs categorized
- 60+ languages
- Powered by the Cisco Security Intelligence Operation (SIO)
- Utilizes application signatures
- By default, PRSM and NGFW check for updates every 5 minutes
Cisco NGFW IPS (new with NGFW 9.2)
Simplified Operation
- Policy is driven by risk acceptance
- Threats are the focus, not signatures
Rich Policy Options
- IPS policy is part of the overall NGFW access policy
- References application awareness
- References source reputation
Highly Dynamic
- Daily and hourly updates available: threats / signatures, reputation feeds, parsing engines
Cisco NGFW Next Generation Firewall
- Introduction
- Hardware overview
- Packet flow
- Management architecture
ASA NGFW Front View
- Two hard drives, RAID 1 (event data)
- 8 GB eUSB (system)
- 10GE and GE ports
- Two GE management ports
Cisco MultiScale Performance: Next-Generation Security for the Internet Edge (Branch Locations, Small / Medium Internet Edge)

Model        NGFW throughput   NGFW + IPS throughput   Connections   CPS
ASA 5512-X   200 Mbps          60 Mbps                 100K          10,000
ASA 5515-X   350 Mbps          90 Mbps                 250K          15,000
ASA 5525-X   650 Mbps          300 Mbps                500K          20,000
ASA 5545-X   1 Gbps            450 Mbps                750K          30,000
ASA 5555-X   1.4 Gbps          600 Mbps                1M            50,000
Cisco MultiScale Performance: Next-Generation Security for the Internet Edge (Medium Internet Edge)

Model            NGFW throughput   NGFW + IPS throughput   Connections   CPS
ASA 5585-SSP10   2 Gbps            1 Gbps                  500K          40,000
ASA 5585-SSP20   5 Gbps            1.5 Gbps                1 Million     75,000
ASA 5585-SSP40   9 Gbps            2.5 Gbps                1.8 Million   120,000
ASA 5585-SSP60   13 Gbps           4 Gbps                  4 Million     160,000

Two of the models on this slide are marked "New with 9.2".
Cisco NGFW Next Generation Firewall
- Introduction
- Hardware overview
- Packet flow
- Management architecture
Functional Distribution
NGFW Services Module:
- URL Category/Reputation
- HTTP Inspection
- AVC
- TLS Proxy
- TCP Proxy
- Multiple Policy Decision Points
- NGFW IPS
ASA Module:
- TCP Normalization
- TCP Intercept
- IP Option Inspection
- IP Fragmentation
- Botnet Traffic Filter
- NAT
- Routing
- ACL
- VPN Termination
Day-in-the-life of a packet -- example
Note: details of the flow differ for different traffic characteristics.
1. Auth/Access Policy: check L3/L4 and identity access policies
2. Broad AVC: determine protocol and application
3. TCP Proxy: handle the TCP 3-way handshake
4. TLS Proxy: proxy encryption to decrypt traffic for inspection
5. HTTP Inspector: determine application, URL category, reputation, user agent
6. Active Auth: if passive auth is not available, authenticate using NTLM, Kerberos, or Basic auth
7. Access Policy: allow or deny verdict based on the access policy
8. Packet Egress: return the packet to the ASA SSP with an allow verdict
TLS Proxy acts as a Liaison
Two separate sessions, with separate certificates and keys: one between the client on the corporate network and the TLS proxy, one between the TLS proxy and the web server. The ASA NGFW acts as a CA and issues a certificate for the web server.
Client <-> TLS Proxy:
1. Negotiate algorithms
3. Generate proxied server certificate (the certificate is generated dynamically with the destination name but signed by ASA NGFW)
4. Client authenticates the server certificate
5. Generate encryption keys
6. Encrypted data channel established
TLS Proxy <-> Web Server:
1. Negotiate algorithms
3. Authenticate the server certificate
5. Generate encryption keys
6. Encrypted data channel established
TLS Proxy Extends NGFW Services to TLS Traffic
- Decrypts SSL and TLS traffic across any port
- Self-signed (default) certificate or customer certificate and key
- The self-signed certificate can be downloaded and added to the trusted root certificate store on the client
- Decryption policies determine which traffic to decrypt
- ASA NGFW cannot determine the host name in the client request to choose a decryption policy, because the traffic is encrypted; FQDN and URL category are determined using the server certificate
- If the decision is made to decrypt, ASA NGFW acts as the liaison:
  - A new certificate is created, signed by ASA NGFW or by the customer CA
  - Information such as FQDN and validity dates is copied from the original certificate
  - Name mismatches and expired certificate errors are ignored by ASA NGFW; they must be handled by the client
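Slides 22 and 23 describe the proxy issuing a certificate that copies the origin server's FQDN and validity dates, signed by the ASA NGFW's own CA, which the client then validates against its root store. The Go program below is an added example for this page, written with the standard crypto/x509 package; it is not Cisco code and does not reproduce the ASA NGFW implementation. It builds a constructed public CA and a constructed proxy CA, issues an origin certificate for www.example.com, produces the proxied copy, and checks it from the viewpoint of a client that imported the proxy CA, a client that did not, and a client facing a copied-through expired certificate. The CA names, host name, serial scheme and validity windows are all constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a certificate authority with its signing key. One instance stands in
// for the public CA behind the origin web server, another for the ASA NGFW's
// self-signed (default) certificate from slide 23. Constructed helper type.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err) // key generation or signing failures end the demo
	}
}

// NewCA generates a self-signed CA certificate valid for one day.
func NewCA(name string) CA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return CA{cert, key}
}

// Issue signs a server certificate for the given names and validity window.
func (c CA) Issue(serial *big.Int, subject pkix.Name, dns []string, notBefore, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: subject, DNSNames: dns,
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.Cert, &key.PublicKey, c.Key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// ProxyCertificate is the slide-23 step: copy the FQDN (subject and SANs) and
// validity dates from the origin certificate and sign a new one with the proxy
// CA. Expiry and name mismatches in the origin are deliberately not checked,
// as the slide says; the copied values reach the client, whose own validation
// has to catch them.
func ProxyCertificate(origin *x509.Certificate, proxy CA) *x509.Certificate {
	serial := new(big.Int).Add(origin.SerialNumber, big.NewInt(1000)) // constructed serial scheme
	return proxy.Issue(serial, origin.Subject, origin.DNSNames, origin.NotBefore, origin.NotAfter)
}

// ClientVerify is step 4 of slide 22: the client validates the presented
// certificate for the requested host against its trusted roots, at time now.
func ClientVerify(cert *x509.Certificate, host string, roots *x509.CertPool, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	return err
}

// Outcome records what a client sees in each situation exercised by Demo.
type Outcome struct {
	NameCopied   bool // proxied certificate carries the origin's FQDN
	TrustedOK    bool // client that imported the proxy CA accepts the proxied certificate
	UntrustedErr bool // client that only trusts the public CA rejects it
	ExpiredErr   bool // expired origin -> expired proxied certificate -> client rejects it
}

// Demo issues a constructed origin certificate, proxies it, and checks it from
// the viewpoint of two clients.
func Demo() Outcome {
	now, host := time.Now(), "www.example.com"
	public := NewCA("Example Public CA (constructed)")
	proxy := NewCA("ASA NGFW TLS proxy (constructed)")
	name := pkix.Name{CommonName: host}
	origin := public.Issue(big.NewInt(10), name, []string{host}, now.Add(-time.Hour), now.Add(time.Hour))
	expired := public.Issue(big.NewInt(11), name, []string{host}, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	trustsProxy := x509.NewCertPool() // root store after importing the ASA NGFW certificate
	trustsProxy.AddCert(proxy.Cert)
	publicOnly := x509.NewCertPool() // untouched root store
	publicOnly.AddCert(public.Cert)
	proxied := ProxyCertificate(origin, proxy)
	return Outcome{
		NameCopied:   proxied.Subject.CommonName == host && len(proxied.DNSNames) == 1 && proxied.DNSNames[0] == host,
		TrustedOK:    ClientVerify(proxied, host, trustsProxy, now) == nil,
		UntrustedErr: ClientVerify(proxied, host, publicOnly, now) != nil,
		ExpiredErr:   ClientVerify(ProxyCertificate(expired, proxy), host, trustsProxy, now) != nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The three outcomes are the operational consequences of the slide: clients only accept the proxied session once the proxy's certificate is in their root store (hence the download-and-install step), and because the proxy copies validity dates without judging them, an expired origin certificate surfaces as an expired certificate error on the client rather than being hidden by the proxy.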
Active Authentication
Requires an HTTP request to initiate authentication:
1. ASA NGFW sees an HTTP request from a client to a remote website
2. ASA NGFW redirects the client to the ASA inside interface (port 885 by default). The redirect is accomplished by sending a proxy redirect to the client (HTTP return code 307), spoofing the remote website
3. ASA sends a client authentication request (HTTP return code 401)
4. After authentication, the ASA NGFW redirects the client back to the remote website (HTTP return code 307)
After authentication, the ASA NGFW uses the IP address to track the user; both HTTP and non-HTTP traffic will now be associated with the user.
Integrates with enterprise infrastructure. Supported directories include:
- Microsoft Active Directory
- OpenLDAP
- IBM Tivoli Directory Server
Example active authentication (participants: Client, ASA & CX, Target Server)
1. Client -> ASA: HTTP request
2. ASA CX policy: active authentication required
3. ASA -> Client: HTTP 307 redirect to the ASA CX proxy port (default port 885)
4. ASA -> Client: HTTP 407, authentication required
5. Client -> ASA: forward authentication data
6. ASA: validate credentials with the ADI service
7. ASA -> Client: HTTP 307 redirect again to the final destination
8. Client -> Target Server: regular HTTP traffic (forwarded by the ASA)
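Slides 24 and 25 give the active-authentication exchange as a sequence of HTTP status codes: a 307 to the inside interface, an authentication challenge, a 307 back to the original site, and from then on an IP-to-user binding. The Go program below is an added example for this page, not Cisco code, that models both ASA NGFW roles with net/http and replays the exchange against them with a client that does not follow redirects on its own, so every status code is visible. It uses the 401 challenge from slide 24 (slide 25 shows a 407 variant) with HTTP Basic, a constructed in-memory user table in place of a directory lookup, and httptest listeners in place of the inside interface on port 885; the query parameter carrying the original URL is likewise a constructed assumption.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
)

// AuthProxy models the two ASA NGFW roles in active authentication: the data
// path that sees a client's HTTP request, and the listener on the inside
// interface (port 885 by default) that challenges and redirects back.
type AuthProxy struct {
	ProxyURL string            // stands in for http://<inside-interface>:885/
	creds    map[string]string // constructed user table; a deployment queries AD/LDAP
	mu       sync.Mutex
	users    map[string]string // client IP -> user: the binding kept after authentication
}

func NewAuthProxy(creds map[string]string) *AuthProxy {
	return &AuthProxy{creds: creds, users: map[string]string{}}
}

func clientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// Lookup returns the user bound to a client IP. Because the binding is by IP,
// later non-HTTP flows from the same address are attributed to that user too.
func (p *AuthProxy) Lookup(ip string) (string, bool) {
	p.mu.Lock()
	defer p.mu.Unlock()
	u, ok := p.users[ip]
	return u, ok
}

// DataPath is steps 1-2: a request from an unknown IP gets a 307 to the inside
// interface, with the original URL carried along so step 4 can return to it.
func (p *AuthProxy) DataPath(w http.ResponseWriter, r *http.Request) {
	orig := "http://" + r.Host + r.URL.RequestURI()
	if user, ok := p.Lookup(clientIP(r)); ok {
		fmt.Fprintf(w, "forwarded %s for user %s\n", orig, user) // plain 200
		return
	}
	http.Redirect(w, r, p.ProxyURL+"?orig="+url.QueryEscape(orig), http.StatusTemporaryRedirect)
}

// InsideInterface is steps 3-4: 401 until valid credentials arrive, then bind
// the IP to the user and 307 the client back to the original site.
func (p *AuthProxy) InsideInterface(w http.ResponseWriter, r *http.Request) {
	user, pass, ok := r.BasicAuth()
	want, known := p.creds[user]
	if !ok || !known || subtle.ConstantTimeCompare([]byte(pass), []byte(want)) != 1 {
		w.Header().Set("WWW-Authenticate", `Basic realm="ASA NGFW"`)
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	p.mu.Lock()
	p.users[clientIP(r)] = user
	p.mu.Unlock()
	http.Redirect(w, r, r.URL.Query().Get("orig"), http.StatusTemporaryRedirect)
}

// WalkFlow replays slide 25, returning the status codes seen in order and the
// user finally bound to the client's IP.
func WalkFlow() ([]int, string, error) {
	p := NewAuthProxy(map[string]string{"alice": "constructed-password"})
	inside := httptest.NewServer(http.HandlerFunc(p.InsideInterface))
	defer inside.Close()
	p.ProxyURL = inside.URL + "/"
	site := httptest.NewServer(http.HandlerFunc(p.DataPath))
	defer site.Close()
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse // surface every redirect instead of following it
	}}
	var codes []int
	do := func(u string, withCreds bool) (string, error) {
		req, _ := http.NewRequest("GET", u, nil)
		if withCreds {
			req.SetBasicAuth("alice", "constructed-password") // the user answered the prompt
		}
		resp, err := client.Do(req)
		if err != nil {
			return "", err
		}
		resp.Body.Close()
		codes = append(codes, resp.StatusCode)
		return resp.Header.Get("Location"), nil
	}
	loc, err := do(site.URL+"/index.html", false) // 1-2: request, 307 to inside interface
	if err != nil {
		return nil, "", err
	}
	if _, err = do(loc, false); err != nil { // 3: no credentials yet, 401 challenge
		return nil, "", err
	}
	back, err := do(loc, true) // credentials accepted, 307 back to the site
	if err != nil {
		return nil, "", err
	}
	if _, err = do(back, false); err != nil { // 4: IP now bound, request forwarded
		return nil, "", err
	}
	var bound string
	for _, u := range p.users {
		bound = u
	}
	return codes, bound, nil
}

func main() {
	codes, user, err := WalkFlow()
	if err != nil {
		panic(err)
	}
	fmt.Println("status codes:", codes, "bound user:", user)
}
```

Running it prints the sequence 307, 401, 307, 200 and the bound user. The last step is the one to notice when reviewing a deployment: once the binding exists it is keyed on the source IP alone, which is why the slide says non-HTTP traffic from that address is attributed to the user as well.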
Passive Authentication
- Endpoint must be a domain member
- Supported for all traffic and all clients
- Utilizes the Cisco Context Directory Agent (CDA), which includes:
  - Standalone, Linux-based server that can be run as a virtual machine (VM)
  - Intuitive, web-based GUI, and Cisco IOS Software-style CLI
- CDA gathers information from the Active Directory server and caches it
- ASA NGFW/PRSM queries CDA for user information
- ASA NGFW/PRSM queries the Active Directory server for group membership information
Cisco NGFW Next Generation Firewall
- Introduction
- Hardware overview
- Software overview
- Packet flow
- Management architecture
Cisco Prime Security Manager (PRSM)
Built-in: configuration, eventing, reporting
Off-box: configuration, eventing, reporting
- Multi-device manager for ASA NGFW (CX)
- Role Based Access Control
- Virtual Machine or UCS Appliance
- PRSM Virtual Machine supports VMware ESX 4.1+
PRSM - ASA CX communication
- Cisco SIO provides application identification updates to ASA NGFW
- PRSM and ASA NGFW communicate via RESTful XML (REST = Representational State Transfer) and reliable binary logging
- Both links shown on the slide use HTTPS
Q & A