New methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall


New methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall
Claudiu Onisoru, Senior Network Specialist
Cisco Connect - 15 May 2014

Agenda
Frontal Communication: Who we are?
- Key points
- Competencies Areas
- Cisco Partnership
Cisco NGFW Next Generation Firewall
- Introduction
- Hardware overview
- Packet flow
- Management architecture

Key Points
- Established in 1994
- Top Romanian SYSTEM INTEGRATOR
- Cisco GOLD Partner
- Oracle Gold Partner
- VMware Partner Enterprise Solution Provider
- EMC Premier Velocity Partner
- Areas of competency in Infrastructure, Datacenter, Multiservice, Security
- VMware Training Center due to strategic partnership with Omnilogic, and Cisco Authorized Training Center
- Testing Center PEARSON VUE and PROMETRIC due to strategic partnership with Omnilogic
- VCE partner
- Citrix Silver Solution Advisor Partner

Competencies Areas
- DATA CENTER: Storage, Switching, Applications, Security, Network Management
- NETWORK SYSTEMS: Routing, LAN Switching, Network Management
- MOBILITY SOLUTIONS: Wireless LAN, Remote Access, Business Class Teleworker Solutions, Mobile Solutions for Unified Communications
- SECURITY: Firewall, Attack and Intrusion Prevention, Spam and Virus Protection, Virtual Private Networks, Network Admission Control, Security Management, Physical Security, Web and Email Security, Video Surveillance, Identity Services Engine
- UNIFIED COMMUNICATION: IP Telephony, Applications, Contact Center, Voice Management, Call Accounting

Cisco Partnership
Certifications
- Gold Certified Partner
Specialization
- Advanced Collaboration Architecture (1st in Romania and Region)
- Advanced Borderless Architecture
- Advanced Routing & Switching
- Advanced Security
- Advanced Data Center Architecture
Other Authorizations
- Cisco Learning Partner Associate
- Smart Care Registered Partner
- Academy Network Partner
- Customer Satisfaction Excellence
- ATP Telepresence Express
- ATP Identity Services Engine
- ATP IP Interoperability and Collaborative System (the only one in Romania)

Cisco NGFW Next Generation Firewall
- Introduction
- Hardware overview
- Packet flow
- Management architecture

Firewall Evolution
- Phase 1: IP & Ports
- Phase 2: Applications & Users
- Phase 3: Full Context-Awareness
ASA NGFW adds context-aware security to the ASA product line. PRSM provides a common management experience.

Cisco Next Generation Firewall
- Built on the best-of-breed ASA stateful inspection firewall
- Applies NAT to embedded application protocol data
- Integrates with many other solutions, including Unified Communications technologies, Active Directory, etc.
- Acts as a VPN termination point: site-to-site, remote access, and clientless SSL VPN
- Provides next-generation firewall (NGFW) services:
  - Web reputation for malware protection
  - URL filtering to enforce acceptable use
  - Application visibility and control (AVC)
  - Threat protection (NGFW IPS)

Beyond ports and protocols: How ASA NGFW Addresses Access Control
- Who: Identity and Authentication
- What: Application, URL Category, Reputation
- How: Device, OS, User Agent, Posture
- Where: Local, Remote

Application Visibility and Control: Enforcing acceptable usage
- 1,200+ apps
- 150,000+ MicroApps
- Application Behavior
- Greatest control and visibility over mobile, collaborative, and web 2.0 applications
- Ensures security of (and from) port-hopping applications, such as Skype and BitTorrent
- Granular enforcement of behaviors within applications
- Visibility of activity across the network
Visit http://asacx-cisco.com

Application Visibility and Control
- Supports approximately 1200 applications
- Powered by the Cisco Security Intelligence Operation (SIO)
- By default, PRSM and ASA NGFW check for application signature updates every 5 minutes
- Supported applications are recognized on any port
- Three levels of granularity are supported:
  - Application type. Examples: collaboration, Facebook, games, social networking
  - Application. Examples: BitTorrent, Cisco phones, ftp-agent, Google Translate, iTunes, LDAP, oracle-sqlnet, RADIUS, WCCP, WebEx
  - Application behavior. For example, you could allow the collaboration application type, but not allow uploads

Web Security Essentials: Reputation
Web reputation is a score on a scale from -10 to +10. Site descriptions along the scale, from the most negative scores to the most positive:
- Dedicated or hijacked sites persistently distributing key loggers, rootkits and other malware. Almost guaranteed malicious.
- Phishing sites, bots, drive-by installers. Extremely likely to be malicious.
- Aggressive ad syndication and user tracking networks. Sites suspected to be malicious, but not confirmed.
- Well managed, responsible content syndication networks and user generated content.
- Sites with some history of responsible behavior or 3rd party validation.
- Sites with a long history of responsible behavior. Have significant volume and are widely accessed.
Default web reputation profile:
- Suspicious: -10 through -6
- Not suspicious: -5.9 through +10

Web Security Essentials: URL Filtering
- Used to enforce acceptable use
- Predefined and custom URL categories
- 78 predefined URL categories
- 20,000,000+ URLs categorized
- 60+ languages
- Powered by the Cisco Security Intelligence Operation (SIO)
- Utilizes application signatures
- By default, PRSM and NGFW check for updates every 5 minutes

Cisco NGFW IPS (new with NGFW 9.2)
- Simplified operation
- Rich policy options
- Highly dynamic
- Policy is driven by risk acceptance: threats are the focus, not signatures
- IPS policy is part of the overall NGFW access policy: it references application awareness and source reputation
- Daily and hourly updates available: threats / signatures, reputation feeds, parsing engines
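The slides above describe the access policy as a verdict computed from several context-aware inputs: the application type, application and behavior from AVC (slide 11's "allow the collaboration application type, but not allow uploads"), and the web reputation score with its default profile (suspicious from -10 through -6, not suspicious from -5.9 through +10). The following Go program is an added example written for this page, not Cisco code and not the ASA NGFW's real policy engine; the rule structure, the first-match evaluation order, the "suspicious reputation is denied before the rules are consulted" choice, and all flow records are constructed assumptions that show how such a policy can be evaluated and explained per flow.

```go
package main

import "fmt"

// Flow is what the NGFW knows about a connection after identity lookup, AVC
// and HTTP inspection; every value in this example is constructed.
type Flow struct {
	User, Group            string
	AppType, App, Behavior string
	URLCategory            string
	Reputation             float64 // web reputation score, -10 through +10
}

// ReputationProfile mirrors the default profile on the slide: scores from
// -10 through -6 are suspicious, -5.9 through +10 are not.
type ReputationProfile struct{ SuspiciousMax float64 }

var DefaultProfile = ReputationProfile{SuspiciousMax: -6}

func (p ReputationProfile) Suspicious(score float64) bool { return score <= p.SuspiciousMax }

type Verdict string

const (
	Allow Verdict = "allow"
	Deny  Verdict = "deny"
)

// Rule is one access-policy line. An empty field matches anything, so a rule
// can be as broad as "any collaboration app" or as narrow as "uploads only".
type Rule struct {
	Name                          string
	Group, AppType, App, Behavior string
	URLCategory                   string
	Action                        Verdict
}

func match(want, got string) bool { return want == "" || want == got }

func (r Rule) Matches(f Flow) bool {
	return match(r.Group, f.Group) && match(r.AppType, f.AppType) && match(r.App, f.App) &&
		match(r.Behavior, f.Behavior) && match(r.URLCategory, f.URLCategory)
}

// Policy is an ordered rule list with a reputation profile and a default action.
type Policy struct {
	Rules   []Rule
	Profile ReputationProfile
	Default Verdict
}

// Evaluate returns the verdict and a reason string suitable for a log line.
// A suspicious reputation is denied first (assumed ordering for this example),
// then the rules are tried top-down with first match winning, then the default.
func (p Policy) Evaluate(f Flow) (Verdict, string) {
	if p.Profile.Suspicious(f.Reputation) {
		return Deny, fmt.Sprintf("reputation %.1f is suspicious", f.Reputation)
	}
	for _, r := range p.Rules {
		if r.Matches(f) {
			return r.Action, "rule " + r.Name
		}
	}
	return p.Default, "default action"
}

// ExamplePolicy encodes the slide's own example (allow the collaboration
// application type but not uploads) plus a BitTorrent block; constructed.
var ExamplePolicy = Policy{
	Rules: []Rule{
		{Name: "collab-no-upload", AppType: "collaboration", Behavior: "upload", Action: Deny},
		{Name: "collab-allow", AppType: "collaboration", Action: Allow},
		{Name: "no-bittorrent", App: "BitTorrent", Action: Deny},
		{Name: "web-browsing", AppType: "web", Action: Allow},
	},
	Profile: DefaultProfile,
	Default: Deny,
}

func main() {
	flows := []Flow{ // constructed sample flows
		{User: "alice", Group: "staff", AppType: "collaboration", App: "WebEx", Behavior: "browse", Reputation: 4.2},
		{User: "alice", Group: "staff", AppType: "collaboration", App: "WebEx", Behavior: "upload", Reputation: 4.2},
		{User: "bob", Group: "staff", AppType: "web", App: "HTTP", Behavior: "browse", URLCategory: "news", Reputation: -7.3},
		{User: "bob", Group: "staff", AppType: "p2p", App: "BitTorrent", Behavior: "download", Reputation: 0},
	}
	for _, f := range flows {
		v, why := ExamplePolicy.Evaluate(f)
		fmt.Printf("%-6s %-14s %-10s %-9s rep %5.1f -> %-5s (%s)\n",
			f.User, f.AppType, f.App, f.Behavior, f.Reputation, v, why)
	}
}
```

The reason string is the part worth keeping in a real deployment: a verdict that names the rule or the reputation threshold that produced it is what makes an allow/deny log line auditable later.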

Cisco NGFW Next Generation Firewall
- Introduction
- Hardware overview
- Packet flow
- Management architecture

ASA NGFW Front View
- Two hard drives, RAID 1 (event data)
- 8 GB eUSB (system)
- 10GE and GE ports
- Two GE management ports

Cisco MultiScale Performance: Next-Generation Security for the Internet Edge
(Branch Locations, Small / Medium Internet Edge)

Model        NGFW       NGFW + IPS   Connections   CPS
ASA 5512-X   200 Mbps   60 Mbps      100K          10,000
ASA 5515-X   350 Mbps   90 Mbps      250K          15,000
ASA 5525-X   650 Mbps   300 Mbps     500K          20,000
ASA 5545-X   1 Gbps     450 Mbps     750K          30,000
ASA 5555-X   1.4 Gbps   600 Mbps     1M            50,000

Cisco MultiScale Performance: Next-Generation Security for the Internet Edge
(Medium Internet Edge)

Model            NGFW      NGFW + IPS   Connections   CPS       Notes
ASA 5585-SSP10   2 Gbps    1 Gbps       500K          40,000
ASA 5585-SSP20   5 Gbps    1.5 Gbps     1 Million     75,000
ASA 5585-SSP40   9 Gbps    2.5 Gbps     1.8 Million   120,000   New with 9.2
ASA 5585-SSP60   13 Gbps   4 Gbps       4 Million     160,000   New with 9.2

Cisco NGFW Next Generation Firewall
- Introduction
- Hardware overview
- Packet flow
- Management architecture

Functional Distribution
NGFW Services Module:
- URL Category/Reputation
- HTTP Inspection
- AVC
- TLS Proxy
- TCP Proxy
- Multiple Policy Decision Points
- NGFW IPS
ASA Module:
- TCP Normalization
- TCP Intercept
- IP Option Inspection
- IP Fragmentation
- Botnet Traffic Filter
- NAT
- Routing
- ACL
- VPN Termination

Day-in-the-life of a packet -- example
Note: details of the flow differ for different traffic characteristics.
- Auth/Access Policy: check L3/L4 and identity access policies
- Broad AVC: determine protocol and application
- TCP Proxy: handle the TCP 3-way handshake
- TLS Proxy: proxy encryption to decrypt traffic for inspection
- HTTP Inspector: determine application, URL category, reputation, user agent
- Active Auth: if passive auth is not available, authenticate using NTLM, Kerberos, or Basic auth
- Access Policy: allow or deny verdict based on the access policy
- Packet Egress: return the packet to the ASA SSP with an allow verdict

TLS Proxy acts as a Liaison
Two separate sessions, with separate certificates and keys. ASA NGFW acts as a CA and issues a certificate for the web server.
Client <-> TLS Proxy (corporate network side):
1. Negotiate algorithms
3. Generate proxied server certificate
4. Client authenticates server certificate (the certificate is generated dynamically with the destination name but signed by ASA NGFW)
5. Generate encryption keys
6. Encrypted data channel established
TLS Proxy <-> Web Server:
1. Negotiate algorithms
3. Authenticate server certificate
5. Generate encryption keys
6. Encrypted data channel established

TLS Proxy Extends NGFW Services to TLS Traffic
- Decrypts SSL and TLS traffic across any port
- Self-signed (default) certificate, or a customer certificate and key
- The self-signed certificate can be downloaded and added to the trusted root certificate store on the client
- Decryption policies determine which traffic to decrypt
- ASA NGFW cannot determine the host name in the client request to choose a decryption policy, because the traffic is encrypted
- FQDN and URL category are determined using the server certificate
- If the decision is made to decrypt, ASA NGFW acts as the liaison:
  - A new certificate is created, signed by ASA NGFW or by the customer CA
  - Information such as FQDN and validity dates is copied from the original certificate
  - Name mismatches and expired certificate errors are ignored by the proxy
  - Name mismatches and expired certificate errors must be handled by the client
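The two slides above describe the proxied-certificate step and its consequences for the client: the NGFW copies the FQDN and validity dates from the origin server's certificate, signs the copy with its own CA, and leaves name mismatches and expiry for the client to judge. The Go program below is an added example written for this page, not Cisco code and not the ASA NGFW's implementation; it uses only the standard library's crypto/x509 to build a stand-in NGFW CA and a stand-in public CA (both constructed), re-issues a certificate the way the slide describes, and then runs the client-side validation of step 4 to show which checks pass only when the NGFW root is installed in the client's trust store and which errors the client still has to handle itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// randomSerial: every re-issued certificate needs its own serial number.
func randomSerial() *big.Int {
	s, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	return s
}

// NewCA builds a self-signed CA. It stands in for the NGFW's decryption
// certificate (self-signed by default, or a customer CA) and, separately,
// for the public CA that signed the origin server. Constructed for the example.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          randomSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signLeaf issues a server certificate from tmpl under ca with a fresh key pair.
func signLeaf(tmpl, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = randomSerial()
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueLeaf fabricates the origin web server's certificate for host.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	return signLeaf(&x509.Certificate{
		Subject:   pkix.Name{CommonName: host},
		DNSNames:  []string{host},
		NotBefore: notBefore,
		NotAfter:  notAfter,
	}, ca, caKey)
}

// ProxyCertificate is the "generate proxied server certificate" step: subject,
// SAN names and validity dates are copied from the origin certificate and the
// copy is signed by the NGFW CA. Nothing is validated here, so an expired
// origin certificate becomes an expired proxied certificate.
func ProxyCertificate(orig, ngfwCA *x509.Certificate, ngfwKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	return signLeaf(&x509.Certificate{
		Subject:   orig.Subject,
		DNSNames:  orig.DNSNames,
		NotBefore: orig.NotBefore,
		NotAfter:  orig.NotAfter,
	}, ngfwCA, ngfwKey)
}

// ClientVerify is step 4 on the slide: the client validates the proxied
// certificate against its trusted roots, the requested host name and the
// current time. Only a client that trusts the NGFW root gets a clean result.
func ClientVerify(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

func main() {
	now := time.Now()
	ngfw, ngfwKey, _ := NewCA("ASA NGFW decryption CA (constructed)")
	pub, pubKey, _ := NewCA("public CA (constructed)")
	orig, _ := IssueLeaf(pub, pubKey, "www.example.com", now.Add(-time.Hour), now.Add(24*time.Hour))
	proxied, _ := ProxyCertificate(orig, ngfw, ngfwKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ngfw)
	fmt.Println("NGFW root installed on client:", ClientVerify(proxied, trusted, "www.example.com", now))
	fmt.Println("wrong host name:", ClientVerify(proxied, trusted, "other.example.com", now))
}
```

The walk-through makes the slide's last two bullets concrete: a client without the NGFW root in its store sees an unknown-authority error on every decrypted site, and because validity dates are copied verbatim, an expired origin certificate still surfaces as an expiry error at the client rather than being masked by the proxy.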

Active Authentication
Requires an HTTP request to initiate authentication:
1. ASA NGFW sees an HTTP request from a client to a remote website
2. ASA NGFW redirects the client to the ASA inside interface (port 885 by default). The redirect is accomplished by sending a proxy redirect to the client (HTTP return code 307), spoofing the remote website
3. ASA sends a client authentication request (HTTP return code 401)
4. After authentication, the ASA NGFW redirects the client back to the remote website (HTTP return code 307)
- After authentication, the ASA NGFW uses the IP address to track the user
- Both HTTP and non-HTTP traffic will now be associated with the user
- Integrates with enterprise infrastructure. Supported directories include: Microsoft Active Directory, OpenLDAP, IBM Tivoli Directory Server

Example active authentication
Client -> ASA & CX: HTTP request
ASA & CX: CX policy requires active authentication
ASA & CX -> Client: HTTP (307) redirect to the ASA CT-Proxy port (default port 885)
ASA & CX -> Client: HTTP (407) authentication required
Client -> ASA & CX: forward authentication data
ASA & CX: validate credentials with the ADI service
ASA & CX -> Client: HTTP (307) redirect again to the final destination
Client -> Target Server (via ASA & CX): regular HTTP traffic, forwarded

Passive Authentication
- Endpoint must be a domain member
- Supported for all traffic and all clients
- Utilizes the Cisco Context Directory Agent (CDA), which includes:
  - A standalone, Linux-based server that can be run as a virtual machine (VM)
  - An intuitive, web-based GUI and a Cisco IOS Software-style CLI
- CDA gathers information from the Active Directory server
- CDA caches the information
- ASA NGFW/PRSM queries CDA for user information
- ASA NGFW/PRSM queries the Active Directory server for group membership information
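The three slides above describe the active-authentication exchange (307 redirect to the inside-interface portal on port 885, an authentication challenge, a 307 back to the original site, and the resulting IP-to-user mapping) and its passive counterpart, where the mapping arrives from CDA and no redirect is needed. The Go program below is an added example written for this page, not Cisco code and not the ASA's implementation; it models both paths with the standard library's net/http and net/http/httptest so the exchange can be walked offline. Assumptions: the portal base URL http://fw.inside:885, the directory contents, the client IPs, the X-Identified-User header used as the attribution hook, and the choice of a 401 Basic challenge (the product also offers NTLM and Kerberos, and slide 25 shows a 407) are all constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// IdentityCache is the IP-to-user mapping the NGFW attributes traffic with
// once a user is known, whether learned actively (after a portal login) or
// passively (a CDA-style mapping fed from the domain controller).
type IdentityCache map[string]string

func (c IdentityCache) Lookup(ip string) (string, bool) { u, ok := c[ip]; return u, ok }
func (c IdentityCache) Learn(ip, user string)            { c[ip] = user }

// Directory is a constructed stand-in for the Active Directory / LDAP lookup.
type Directory map[string]string

func (d Directory) Validate(user, pass string) bool {
	p, ok := d[user]
	return ok && p == pass
}

// NGFW ties the data path and the authentication portal together.
type NGFW struct {
	Ids        IdentityCache
	Dir        Directory
	PortalBase string // assumed portal on the inside interface, e.g. http://fw.inside:885
}

func clientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// ServeTraffic is steps 1-2: a request from an IP with no user mapping is
// answered with 307 to the portal, carrying the original URL; a request from
// a known IP is forwarded and tagged with the user for policy and logging.
func (f *NGFW) ServeTraffic(w http.ResponseWriter, r *http.Request) {
	if user, ok := f.Ids.Lookup(clientIP(r)); ok {
		w.Header().Set("X-Identified-User", user) // constructed attribution hook
		fmt.Fprintf(w, "forwarded %s for %s\n", r.URL.RequestURI(), user)
		return
	}
	orig := "http://" + r.Host + r.URL.RequestURI()
	http.Redirect(w, r, f.PortalBase+"/auth?return="+url.QueryEscape(orig), http.StatusTemporaryRedirect)
}

// ServePortal is steps 3-4: challenge with 401 Basic, validate against the
// directory, learn the IP-to-user mapping, and 307 back to the original site.
// The return URL is checked so the portal cannot serve as an open redirector.
func (f *NGFW) ServePortal(w http.ResponseWriter, r *http.Request) {
	user, pass, ok := r.BasicAuth()
	if !ok || !f.Dir.Validate(user, pass) {
		w.Header().Set("WWW-Authenticate", `Basic realm="ASA NGFW"`)
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	ret, err := url.Parse(r.URL.Query().Get("return"))
	if err != nil || (ret.Scheme != "http" && ret.Scheme != "https") || ret.Host == "" {
		http.Error(w, "invalid return URL", http.StatusBadRequest)
		return
	}
	f.Ids.Learn(clientIP(r), user)
	http.Redirect(w, r, ret.String(), http.StatusTemporaryRedirect)
}

// Send drives one GET from fromIP through a handler without opening sockets
// and returns the response, so the exchange can be walked step by step.
func Send(h http.HandlerFunc, target, fromIP, user, pass string) *http.Response {
	r := httptest.NewRequest(http.MethodGet, target, nil)
	r.RemoteAddr = fromIP + ":40000"
	if user != "" {
		r.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h(rec, r)
	return rec.Result()
}

func main() {
	fw := &NGFW{Ids: IdentityCache{}, Dir: Directory{"alice": "s3cret"}, PortalBase: "http://fw.inside:885"}
	r1 := Send(fw.ServeTraffic, "http://www.example.com/", "10.1.1.5", "", "")
	fmt.Println(r1.StatusCode, r1.Header.Get("Location")) // 307 to the portal
	r2 := Send(fw.ServePortal, r1.Header.Get("Location"), "10.1.1.5", "", "")
	fmt.Println(r2.StatusCode, r2.Header.Get("WWW-Authenticate")) // 401 challenge
	r3 := Send(fw.ServePortal, r1.Header.Get("Location"), "10.1.1.5", "alice", "s3cret")
	fmt.Println(r3.StatusCode, r3.Header.Get("Location")) // 307 back to the site
	r4 := Send(fw.ServeTraffic, r3.Header.Get("Location"), "10.1.1.5", "", "")
	fmt.Println(r4.StatusCode, r4.Header.Get("X-Identified-User")) // 200, attributed
}
```

Two points the walk-through surfaces that the slides state only implicitly: the mapping is keyed by source IP, so anything that shares that IP (NAT, a shared workstation) inherits the identity until it expires; and a portal that redirects to a caller-supplied URL needs the scheme and host check shown, or it becomes an open redirector sitting on the firewall.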

Cisco NGFW Next Generation Firewall
- Introduction
- Hardware overview
- Software overview
- Packet flow
- Management architecture

Cisco Prime Security Manager (PRSM)
Built-in:
- Configuration
- Eventing
- Reporting
Off-box:
- Configuration
- Eventing
- Reporting
- Multi-device manager for ASA NGFW (CX)
- Role-based access control
- Virtual machine or UCS appliance
- The PRSM virtual machine supports VMware ESX 4.1+

PRSM / ASA CX communication
- Cisco SIO -> ASA NGFW: application identification updates (HTTPS)
- PRSM <-> ASA NGFW: RESTful XML over HTTPS (REST = Representational State Transfer)
- ASA NGFW -> PRSM: reliable binary logging

Q & A