Cisco ASA 5500-X NGFW: Network Protection for Small and Medium-Sized Businesses Against Modern Threats
Peter Mesjar, CCIE 17428, Systems Engineer, Cisco

What are we going to talk about
- Problem is THREATS: How does today's malware work? What is the impact?
- Cisco Solution: Layered approach, multiple services
- Demo time! See the solution
Problem is THREATS
You heard about these in the news
"95% of large companies are targeted by malicious traffic, and 100% of organizations have interacted with websites that host malware." Source: 2014 Cisco Annual Security Report
- Sony Pictures, December 2014
  - Personal employee information, email exchanges and movies before premiere leaked
- Target Breach, December 2013
  - 40 million credit cards stolen
  - 70 million personal records stolen
  - http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
- and many more
http://blogs.cisco.com/talos/teslacrypt
http://blogs.cisco.com/security/talos/ctb-lockerwin10
Cisco ASA for SMB and Distributed Enterprise Presentation. 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Anatomy of Data Breach
[Diagram: Attacker and C2 Server outside the enterprise network; Perimeter (Inbound), Perimeter (Outbound) and Admin Node marked]
1. Infiltration and Backdoor Establishment
2. Reconnaissance and Network Traversal
3. Exploitation and Privilege Elevation
4. Staging and Persistence (Repeat 2, 3, 4)
5. Data Exfiltration
How much money are attackers making?
http://talosintel.com/angler-exposed/
http://blogs.cisco.com/security/talos/project-aspis

Malvertising: Compromise via legitimate websites

How does malvertising work?

Cisco: Covering the entire continuum
Attack Continuum
- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
Products and services shown: ASA, VPN, NGIPS, Advanced Malware Protection, NGFW, Meraki, ESA/WSA, Cognitive, Secure Access + Identity Services, CWS, ThreatGRID, FireSIGHT & PXGrid, Services
Cisco Solution
Start with the right appliance

Features | ASA 5506-X / 5506W-X / 5506H-X | ASA 5508-X | ASA 5516-X
Max stateful inspection throughput | 750 Mbps | 1 Gbps | 1.8 Gbps
VPN throughput | 100 Mbps | 175 Mbps | 250 Mbps
Max AVC throughput | 250 Mbps | 450 Mbps | 850 Mbps
Max AVC and NGIPS throughput | 125 Mbps | 250 Mbps | 450 Mbps
AVC or IPS sizing throughput [440B] | 90 Mbps | 180 Mbps | 300 Mbps
Max concurrent sessions | 50,000 | 100,000 | 250,000
Max connections per second (CPS) | 5,000 | 10,000 | 20,000

Step from one model to the next: ~1.5x to 2x

Cisco Trust Anchor validates the source of the image file and protects against hardware tampering and counterfeiting.
Add security services to help defend your network

FirePOWER Services (subscription): services that run on the ASA and provide enhanced levels of threat protection and network visibility
- URL Filtering
- Next-Generation Intrusion Prevention System (NGIPS)
- Advanced Malware Protection (AMP)
- Application Visibility and Control (AVC)

Foundational Functionality (included by default): built-in firewall services to provide base protection and connect with other security solutions
- Stateful Firewalling
- VPN Capabilities
- Policy Enforcement Point for ISE
Back it up with world's largest threat intelligence
No other firewall offers extensive contextual visibility
The more infrastructure you see, the better protection you get
Visibility categories shown: Operating systems, Client applications, Threats, Users, File transfers, Application protocols, Web applications, C & C Servers, Malware, Routers & switches, Mobile Devices, Printers, Network Servers, VOIP phones
Compared: Typical IPS, Typical NGFW, Cisco ASA with FirePOWER Services

How to manage Cisco's solution
- Adaptive Security Device Manager (ASDM): on-box manager
- FireSIGHT Management Center

Off-box FireSIGHT Management Center
- IT Insight: Spot rogue hosts, anomalies, policy violations, and more
- Automated Tuning: Adjust IPS policies automatically based on network change
- Indications of Compromise: Identify the machines most likely to be owned
- Impact Assessment: Reduce actionable events by up to 99% with correlation
- User Identification: Associate users with security and compliance events
NSS Labs: Next-Generation Firewall Security Value Map
The NGFW Security Value Map shows the placement of Cisco ASA with FirePOWER Services and the FirePOWER 8350 as compared to other vendors. All products achieved 99.2 percent in security effectiveness. Now customers can be confident they'll get the best protections possible, regardless of deployment.
Source: NSS Labs 2014

NSS Labs: Intrusion Prevention Systems Security Value Map
Based on individual and comparative testing of vendors in the IPS market.
Cisco FirePOWER NGIPS* leads the Security Value Map and provides the best protection possible while also leading the class in total cost of ownership.
Products shown: Sourcefire Virtual IPS, Sourcefire 3D8120, Sourcefire 3D8250, Sourcefire 3D8260
* Formerly Sourcefire FirePOWER
Source: NSS Labs 2014

NSS Labs: Breach Detection Systems Security Value Map
For the second year in a row, we have third-party validation from NSS Labs that we provide the most effective security available in the market today. Cisco Advanced Malware Protection (AMP) was tested along with seven other vendors and achieved a 99.2% security effectiveness score, the highest of all vendors tested in the 2015 NSS Labs Security Value Map (SVM) for Breach Detection Systems.
Source: http://blogs.cisco.com/tag/nss-labs
Check out these additional resources
- Cisco Security Blogs: http://blogs.cisco.com/security
- Cisco ASA NGFW Data Sheet: http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html
- Cisco Talos Security Intelligence & Research: http://www.cisco.com/c/en/us/products/security/talos.html and http://www.talosintel.com/
- Cisco Security Advisories & Alerts: http://tools.cisco.com/security/center/home.x
- BRKSEC-2010 Emerging Threats: The State of Cyber Security (Cisco Live 2015 San Diego): https://www.ciscolive.com/online/connect/sessiondetail.ww?session_id=84150&backbtn=true