NGFWv and ASAv in Public Cloud


NGFWv and ASAv in Amazon Web Services (AWS) and Azure
Jesper Rathsach, jrathsac@cisco.com, Consulting cybersecurity systems engineer, Cisco Systems, 29th August 2018

Today's agenda
- Introduction to public cloud
- Overview of NGFWv, FMCv and ASAv
- NGFWv & ASAv in Azure with use cases
- NGFWv & ASAv in AWS with use cases
- Licensing and miscellaneous
- Thanks for today

Slide 5: Public cloud has great benefits
- Application agility
- Scalability: scale-up and scale-down
- High availability: regions and availability zones
- Cost effectiveness: per-hour, per-minute and per-second billing options
Diagram: applications or workloads in the public cloud and in the data center, reached by customers, employees and partners.

Slide 6: Public cloud comes with challenges
- L2 abstraction
- Connection to the data center (IPsec, DX or ExpressRoute)
- New services/environment

Slide 7: Shared security model
- Cloud provider: physical infrastructure, network infrastructure, virtualization layer
- Customer responsibility: network controls (NSG, SG, NACL); NGFWv for firewall, AVC, threat-centric protection, URL filtering, AMP & VPN; ASAv for firewall & VPN

AWS components

Slide 9: AWS components overview: regions
- us-east-1: US East (N. Virginia)
- us-east-2: US East (Ohio)
- us-west-1: US West (N. California)
- us-west-2: US West (Oregon)
- ca-central-1: Canada (Central)
- eu-central-1: EU (Frankfurt)
- eu-west-1: EU (Ireland)
- eu-west-2: EU (London)
- eu-west-3: EU (Paris)
- ap-northeast-1: Asia Pacific (Tokyo)
- ap-northeast-2: Asia Pacific (Seoul)
- ap-northeast-3: Asia Pacific (Osaka-Local)
- ap-southeast-1: Asia Pacific (Singapore)
- ap-southeast-2: Asia Pacific (Sydney)
- ap-south-1: Asia Pacific (Mumbai)
- sa-east-1: South America (São Paulo)

Slide 10: AWS components overview
Legend: Virtual Private Cloud (VPC); Availability Zone; Subnet; EC2 instance (workload); Elastic IP; Load Balancer (NLB, CLB and ALB); Internet Gateway (IGW); Route Table; Virtual Private Gateway (VGW) & Direct Connect.
Diagram: a VPC with subnets inside-1c, mgmt-1c and outside-1c in us-east-1c and inside-2c, mgmt-2c and outside-2c in us-east-2c, workload1 and workload2, a load balancer, an IGW and a VGW with Direct Connect; route table RT: destination 0.0.0.0, next-hop IGW.

Slide 17: Route Table and VPC limitations
Route table:
- A route table is associated to a subnet
- User-defined routes can be added
- A route more specific than the VPC's local route is not permitted in the route table
Example route table (VPC CIDR 192.168.0.0/16):
  destination 192.168.0.0/16, next-hop local
  destination 0.0.0.0/0, next-hop IGW
  destination 192.168.2.0/24, next-hop x.x.x.x (more specific than the local route: not permitted)
Network limitations:
- No link-local multicast or broadcast
- No IGPs
- No Proxy ARP and gratuitous ARP
- Complex environment for native HA support, but workarounds are available for resilient and scalable design
Diagram: EC2 instance in the VPC, subnet 192.168.1.0/24 with a Security Group and subnet 192.168.2.0/24 with a Network ACL, IGW. Reference: AWS RT

Slide 18: Workload security in AWS: Security Groups (SG) and Network ACL (NACL)
Security Group:
- An SG acts as a virtual firewall for an instance to control inbound and outbound traffic; only L4 rules
- SG rules can only have an allow action, not deny
- SGs are stateful
- SG limit per region: 50
- Maximum rules per SG: 100
Network ACL:
- Same as SG but applied to a subnet
- L4 visibility
- Action: allow or deny
Diagram: EC2 instance in the VPC, subnet 192.168.1.0/24 with a Security Group and subnet 192.168.2.0/24 with a Network ACL. Reference: AWS Service Limits
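The slide lists the properties of the two AWS controls but not what they mean for a real connection. The following Python model, an added example that is not part of the deck, evaluates one constructed HTTPS connection against a Security Group (allow-only, stateful) and against a Network ACL (numbered rules, first match wins, allow or deny). It also encodes a property the slide does not spell out: a NACL is stateless, so the reply to the client's ephemeral port needs its own outbound rule. The addresses, ports, rule numbers and the 100-rule cap (taken from the slide) are sample values for this example only.

```python
import ipaddress
from dataclasses import dataclass

# All addresses, ports and rules below are constructed sample values.


@dataclass(frozen=True)
class Flow:
    """One direction of a connection, seen from the instance or subnet."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        # The return packet of this flow swaps addresses and ports.
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp", "udp" or "any"
    port_from: int   # destination-port range the rule covers
    port_to: int
    cidr: str        # remote address range
    action: str = "allow"

    def matches(self, flow: Flow, direction: str) -> bool:
        # Inbound rules look at the remote source, outbound rules at the remote
        # destination; both are keyed on the packet's destination port.
        remote = flow.src if direction == "in" else flow.dst
        return ((self.proto == "any" or self.proto == flow.proto)
                and self.port_from <= flow.dport <= self.port_to
                and ipaddress.ip_address(remote) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Instance-level: allow-only, stateful, rule count capped (slide 18: max 100 rules per SG)."""
    MAX_RULES = 100

    def __init__(self, inbound, outbound):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security group rules can only allow, never deny")
        if len(inbound) + len(outbound) > self.MAX_RULES:
            raise ValueError("too many rules for one security group")
        self.inbound, self.outbound = inbound, outbound
        self.state = set()   # flows already admitted; their replies are allowed automatically

    def allows(self, flow: Flow, direction: str) -> bool:
        if flow.reverse() in self.state:
            return True   # stateful: return traffic of an admitted flow needs no rule
        rules = self.inbound if direction == "in" else self.outbound
        if any(r.matches(flow, direction) for r in rules):
            self.state.add(flow)
            return True
        return False   # nothing matched: implicitly dropped (there is no deny rule to write)


class NetworkACL:
    """Subnet-level: numbered rules, first match wins, allow or deny. NACLs are stateless
    (a property not spelled out on the slide), so return traffic needs its own rule."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda e: e[0])     # [(rule_number, Rule), ...]
        self.outbound = sorted(outbound, key=lambda e: e[0])

    def allows(self, flow: Flow, direction: str) -> bool:
        for _, rule in (self.inbound if direction == "in" else self.outbound):
            if rule.matches(flow, direction):
                return rule.action == "allow"
        return False   # the implicit final "*" rule denies


def security_group_accepts_deny_rule() -> bool:
    try:
        SecurityGroup(inbound=[Rule("tcp", 22, 22, "198.51.100.0/24", action="deny")], outbound=[])
        return True
    except ValueError:
        return False


def demo() -> dict:
    # Constructed: an Internet client opening HTTPS to a web server in subnet 192.168.1.0/24.
    request = Flow("203.0.113.5", 40000, "192.168.1.10", 443)
    reply = request.reverse()                     # 192.168.1.10:443 -> 203.0.113.5:40000

    # No outbound rule at all (a real default SG allows all outbound; it is left empty
    # here so that only the state table can admit the reply).
    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")], outbound=[])
    sg_result = (sg.allows(request, "in"), sg.allows(reply, "out"))

    https_in = (100, Rule("tcp", 443, 443, "0.0.0.0/0"))
    # Outbound only allows port 443, so the reply to the client's ephemeral port is dropped.
    broken = NetworkACL(inbound=[https_in], outbound=[(100, Rule("tcp", 443, 443, "0.0.0.0/0"))])
    # An outbound rule for the ephemeral range is what makes the stateless NACL work.
    fixed = NetworkACL(inbound=[https_in],
                       outbound=[(100, Rule("tcp", 443, 443, "0.0.0.0/0")),
                                 (110, Rule("tcp", 1024, 65535, "0.0.0.0/0"))])
    # A lower-numbered deny wins over the later allow: something an SG cannot express.
    blocking = NetworkACL(inbound=[(90, Rule("tcp", 443, 443, "203.0.113.0/24", action="deny")),
                                   https_in],
                          outbound=fixed.outbound)
    return {
        "sg": sg_result,
        "nacl_broken": (broken.allows(request, "in"), broken.allows(reply, "out")),
        "nacl_fixed": (fixed.allows(request, "in"), fixed.allows(reply, "out")),
        "nacl_deny": blocking.allows(request, "in"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the SG admitting both directions from one inbound rule, the first NACL dropping the reply, the second NACL passing it once the ephemeral range is allowed outbound, and the deny rule blocking the request outright.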

Azure components

Slide 27: Azure components: Region and Availability Zone

Slide 28: Azure components overview
Legend: Virtual Network (vnet); Subnet; Workload VM; User Defined Route (UDR); Network Virtual Appliance (NVA); Availability Set; Virtual Network Gateway and Gateway Subnet; Azure ExpressRoute; Load Balancer (internal and external). New: Availability Zone.
Diagram: a resource group with a vnet containing WEB, APP and DB subnets, each with its own UDR (WEB-UDR, APP-UDR, DB-UDR: destination x.x.x.x, next hop NVA (internal)), an ASAv as the NVA behind a load balancer in an availability set, and a virtual network gateway in the gateway subnet for ExpressRoute.

Slide 29: Workload security in Azure: Network Security Group (NSG)
- An NSG restricts traffic to resources in a virtual network
- Action: allow or deny
- Direction: inbound and outbound
- L4 rules: source IP, destination IP, port, protocol
- NSG limit: 5000 (per region per subscription)
- NSG rule limit: 1000 (per NSG)
Diagram: vnet with NSGs on subnets 10.0.1.0/24 and 10.0.2.0/24 and on the NVA's eth0 and eth1. Reference: Azure Limits and Quotas

Slide 30: Azure components: Route Table and vnet
Route table:
- A route table is associated to a subnet
- User-defined routes can be added in the RT
- UDRs take precedence over system routes
- API integration with UDR
Network limitations:
- No link-local multicast or broadcast
- No IGPs
- No Proxy ARP and gratuitous ARP
- No native high availability support for NVAs (ASAv HA is available)
- ERSPAN is not supported because GRE is blocked
Diagram: vnet 10.0.0.0/16 with Web 10.0.1.0/24, App 10.0.2.0/24 and Db 10.0.3.0/24; WEB-UDR, APP-UDR and DB-UDR each: destination x.x.x.x, next hop NVA (internal).

Slide 37: Azure and AWS components are similar
- Azure Virtual Network (vnet) = AWS Virtual Private Cloud (VPC)
- Azure Availability Set = AWS Availability Zone (AZ)
- Azure Subnet = AWS Subnet
- Azure Virtual Machine (VM) = AWS EC2 instance
- Azure User Defined Route (UDR) = AWS Route Table (RT)
- Azure ARM template = AWS CloudFormation template (CF template)
- Azure Load Balancer (internal, external and ILB Standard) = AWS Load Balancer (NLB, CLB, ALB, internal and external)
- Azure ExpressRoute = AWS Direct Connect
- Azure Public IP = AWS Elastic IP (EIP)
- Azure Network Security Group = AWS Security Group and NACL

NGFWv and ASAv Overview

Slide 39: Why are we here? Let's begin the journey towards a secured cloud environment

Slide 40: Shared security model in public cloud is not enough
- Cloud providers: physical infrastructure, network infrastructure, virtualization layer
- Customer: network and workload. NSG, SG and NACL give Layer 4 visibility; NGFWv gives firewall, AVC, NGIPS, AMP, VPN and URL filtering (L4-L7 visibility); Cisco ASAv for stateful firewall, NAT, routing, ACL and VPN

Slide 41: NGFWv/FTDv overview
- Features: NGIPS, firewall, URL filtering, AVC, AMP, VPN (IPsec and SSL)
- AVC: Application Visibility and Control; NGIPS: Next-Generation Intrusion Prevention System; AMP: Advanced Malware Protection; VPN: Virtual Private Network; URL: URL filtering
- FTD appliance managed by Firepower Management Center (FMC)

Slide 42: Firepower Management Center
- Centralized management
- Total visibility
- Real-time threat management
- Automation
FMC appliance

Slide 44: ASAv overview
- Stateful firewall, NAT, routing and ACL
- ASAv 9.9.x
- VPN: IPsec and SSL
- REST API
- Route-based VPN (VTI)
ASA appliance

Slide 45: ASAv management options
- Cisco ASDM (on-box manager): for easy on-box management of common security and policy tasks and CLI-based configuration
- Cisco Security Manager (centralized manager): helps administrators enforce consistent access policies, rapidly troubleshoot security events, and view summarized reports across the deployment
- Cisco Defense Orchestrator (cloud-based): for centralized cloud-based policy management of multiple deployments
*only for ASA

NGFWv and ASAv in public cloud

Slide 49: NGFWv, FMCv and ASAv in AWS and Azure: instance types
AWS:
- NGFWv instance (Marketplace): c3.xlarge, c4.xlarge
- ASA instance (Marketplace): c3.large, c3.xlarge; c4.large, c4.xlarge; m4.large, m4.xlarge
- FMCv instance (Marketplace): c3.xlarge, c3.2xlarge; c4.xlarge, c4.2xlarge
- The large instance is ASAv10, the xlarge instance is ASAv30
- SSD storage on c3 instances and EBS storage on c4 or m4 instances
Azure:
- NGFWv instance (Marketplace): Standard D3 and Dv2
- ASAv instance (Marketplace): Standard D3 and D3v2
- The D3 and D3v2 instance is ASAv30

Slide 52: NGFWv in AWS
- Deploy in routed or passive mode
- Provides networking, firewalling, threat-centric protection, URL filtering & AMP capabilities
- An elastic IP (static persistent public IP) is required for remote admin access to either NGFWv or Cisco Firepower Management Centre Virtual
- AWS Security Group access control must permit SSH/HTTPS access to your instances and 8305 for the SF tunnel
- Two management interfaces are required for NGFWv in AWS: eth0 and eth1 are management interfaces, eth2 and eth3 are data interfaces
Instance table (NGFWv & FMCv):
  c3.xlarge, c4.xlarge: 2 + 2* interfaces, 4 vCPUs, 7.5 GB RAM
  c3.2xlarge, c4.2xlarge (FMCv): 4 interfaces, 8 vCPUs, 15 GB RAM
* Management interface

Slide 53: NGFWv in Azure
- Deploy in routed mode (NGFWv supports routed mode)
- Provides networking, firewalling, threat-centric protection, URL filtering & AMP capabilities
- The NSG should allow SSH/HTTPS and TCP 8305 (SF tunnel) access to your instances on the eth0 interface for management access
- Two management interfaces are required for NGFWv in Azure: eth0 and eth1 are management interfaces, eth2 and eth3 are data interfaces
- North/South and East/West traffic inspection and microsegmentation
Supported machine size: Standard D3 & D3v2; number of interfaces (subnets): 4 (2 + 2*); vCPUs: 4; RAM: 14 GB
* Management interface

Slide 58: NGFWv & ASAv datasheet numbers
AWS (instance type; throughput; interfaces; VPN endpoints):
- NGFWv: c3.xlarge, c4.xlarge; 1 Gbps; 2 + 2*; 250
- FMCv: c3.xlarge, c4.xlarge, c3.2xlarge, c4.2xlarge; (-); management; (-)
- ASAv: c3/c4/m4.large (ASAv10); 1 Gbps; 2 + 1*; 250
- ASAv: c3/c4/m4.xlarge (ASAv30); 1 Gbps; 3 + 1*; 750
Azure (instance type; throughput; interfaces; VPN endpoints):
- NGFWv: Standard D3, D3v2; 1 Gbps; 2 + 2*; 250
- ASAv: Standard D3, D3v2 (ASAv30); 100 Mbps (ASAv5), 1 Gbps (ASAv10, ASAv30); 3 + 1*; 50, 250 or 750
Note: maximum throughput is measured with traffic under ideal conditions. Standard D3, D3v2 supports ASAv5, ASAv10 and ASAv30 license entitlement.
* Management interface

Deployment modes

Slide 60: NGFWv deployment modes
- Routed mode (NGFWv) - AWS
- Passive mode (NGFWv) - AWS
- Routed mode (NGFWv) - Azure
Passive mode is only applicable to NGFWv in AWS.

Slide 61: ASAv deployment modes
- Routed mode (ASAv) - AWS
- Routed mode (ASAv) - Azure

Slide 62: NGFWv in Azure, routed mode deployment
- Deploy NGFWv in routed mode (L3); NGFWv is available in the Azure marketplace
- Next hop for workloads in the Azure vnet
- Managed by FMC or FMCv; public or private IP for management
- Use cases: VPN (S2S and RA VPN); firewall, NGIPS, URL filtering & AMP integration
Diagram: vnet with Internal and External subnets, a Management subnet, eth1 (diagnostic interface), eth2 and eth3 data interfaces, FMC, Internet & RA users.

Slide 63: ASAv in Azure, routed mode deployment
- Deploy ASAv in routed mode (L3); ASAv is available in the Azure marketplace (ASAv30)
- Next hop for workloads in AWS
- ASAv HA (Active/Standby)
- The management interface can be used as a data interface
- Use cases: VPN (S2S and RA VPN) and firewall
- Option of installing a license for 250 or 750 VPN endpoints
Diagram: vnet with Inside, Management and DMZ2 subnets, ASAv, Internet & RA users.

Slide 64: NGFWv in AWS, routed mode deployment
- Deploy NGFWv in routed mode (L3); NGFWv and FMCv are available in the AWS marketplace
- Next hop for workloads in the AWS VPC
- Managed by FMC or FMCv; elastic or private IP for management
- Use cases: VPN (S2S and RA VPN); firewall, IPS, URL & AMP integration
Diagram: VPC with Internal, Mgmt and External subnets, FMC, IGW, Internet & RA users.

Slide 65: NGFWv in AWS, passive mode deployment
- Deploy NGFWv in passive mode
- Managed by FMC or FMCv; elastic or private IP for management
- Passive mode requirement: a Cisco Cloud Services Router (CSRv) forwards a copy of the traffic to NGFWv
- NGFWv passively inspects the traffic sent over the ERSPAN session
- NGFWv sets the interface type as ERSPAN, sets MTU 1600 and assigns an IP address
Diagram: VPC with Internal and External subnets, CSRv, NGFWv, IGW, Internet & RA users.

Slide 66: ASAv in AWS, routed mode deployment
- Deploy ASAv in routed mode (L3)
- Next hop for workloads in the AWS VPC
- Elastic or private IP for management
- Managed using CLI, Cisco Security Manager, ASDM, REST API and Cisco Defense Orchestrator (CDO)
- Use cases: VPN (S2S and RA VPN); inter-subnet filtering
Diagram: VPC with Inside, DMZ1, DMZ2 and Management/Outside subnets, ASAv, IGW, Internet & RA users.

Management access

Slide 68: Management access
- AWS: manage using a private IP (AWS Direct Connect, DX) or a public IP (Internet)
- Azure: manage using a private IP (Azure ExpressRoute) or a public IP (Internet)
Diagram: FMC in the data center reaches the AWS VPC over Direct Connect and the Azure vnet over ExpressRoute (virtual network gateway in the gateway subnet); both are also reachable over the Internet through the IGW.

Use cases (Azure)

Slide 72: Azure User Defined Route (UDR)
- Traffic is forwarded based on the routes in the UDR
- A UDR overrides system routes
- Associated to a subnet
- Next-hop options: virtual appliance, VNG, vnet, Internet and none
- API integration to modify routes
Example: WEB-UDR, destination default route, next hop ASAv Inside; the default gateway on WebServer01 is 192.168.1.1.
Diagram: vnet with WEB 192.168.1.0/24 (WebServer01), APP and DB subnets, the ASAv Inside interface, Internet.

Slide 73: E/W traffic inspection - NGFWv (YouTube: demo)
- WEB-UDR: destination Internet, WEB, DB & DC; next hop NGFWv (Internal)
- APP-UDR: destination Internet, WEB, DB & DC; next hop NGFWv (Internal)
- DB-UDR: destination Internet, WEB, APP & DC; next hop NGFWv (Internal)
- GW-Subnet-UDR: destination WEB, APP & DB; next hop NGFWv (Internal)
The highlighted routes are required for micro-segmentation. An SF tunnel runs between FMC and NGFWv (management).
Diagram: vnet with WEB, APP and DB subnets, NGFWv with Internal and External interfaces, FMC, Internet & RA VPN users, virtual network gateway in the gateway subnet, Azure ExpressRoute to the data center.

Slide 74: E/W traffic inspection - ASAv
- WEB-UDR: destination Internet, WEB, DB & DC; next hop ASAv (Inside)
- APP-UDR: destination Internet, WEB, DB & DC; next hop ASAv (Inside)
- DB-UDR: destination Internet, WEB, APP & DC; next hop ASAv (Inside)
- GW-Subnet-UDR: destination WEB, APP & DB; next hop ASAv (Inside)
The highlighted routes are required for micro-segmentation. The same-security-traffic permit intra-interface command is required on the ASA for hairpinning.
Diagram: vnet with WEB, APP and DB subnets, ASAv with Inside and Outside interfaces, Internet & RA VPN users, virtual network gateway in the gateway subnet, Azure ExpressRoute to the data center.

Slide 82: NGFWv/ASAv scalable design using Azure ILB with HA ports
- Azure ILB Standard with HA ports
- The ILB is the next hop in the UDR
- The ILB load balances complete IP traffic
- The ILB is designed to provide traffic symmetry
Diagram: WEB 10.82.1.0/24 (host 10.82.1.50) and APP 10.82.0.0/24 (host 10.82.0.50); WEB-UDR: destination APP, next hop ILB VIP; APP-UDR: destination WEB, next hop ILB VIP; NVA subnet 10.82.2.0/24 with the Azure ILB with HA ports at 10.82.2.100 in front of FWv01 10.82.2.10 (ilb-ha-fw1), FWv02 10.82.2.11 (ilb-ha-fw2), FWv03 10.82.2.12 (ilb-ha-fw3) and FWv04 10.82.2.13 (ilb-ha-fw4); the default route on the FWs is 10.82.2.1.

Slide 83: Service vnet: NGFWv and ASAv scalable design
Diagram: hub service vnet with a gateway subnet and virtual network gateway, ILB HA at 10.82.2.100 and NVA subnet 10.82.2.0/24 holding FWv01 to FWv04 (ilb-ha-fw1 to ilb-ha-fw4), default route on the FWs 10.82.2.1; spoke vnet01 and vnet02 each with multiple subnets and an All-Subnets-UDR: destination All-Subnets, next hop ILB VIP.

Slide 84: Interconnecting vnets, UDR detail
Diagram: vnet1 and vnet2 each with an NGFWv (Internal and External interfaces) and a site-to-site VPN tunnel between the External interfaces; FMC manages both.
- vnet1 Internal-UDR: destination Internet, next hop NGFWv (Inside); destination vnet2 subnets, next hop NGFWv (Inside)
- vnet2 Internal-UDR: destination Internet, next hop NGFWv (Inside); destination vnet1 subnets, next hop NGFWv (Inside)

Slide 85: Site-to-site and RA VPN, UDR detail
- Internal-UDR: destination Internet, next hop NGFWv (Inside); destination RAVPN pool, next hop NGFWv (Inside); destination Datacenter (DC), next hop NGFWv (Inside)
Diagram: NGFWv vnet with Internal and External interfaces; site-to-site VPN tunnel from External to the data centre; Internet and RA VPN users.
NGFWv/ASAv use cases: Network Address Translation (NAT); site-to-site tunnel; access control policy, IPS policy and AMP policy; networking, firewalling and AVC.

Slide 86: Inter-subnet filtering
- APP-UDR: destination Internet, next hop NGFWv (Inside); destination WEB, next hop NGFWv (Inside)
- WEB-UDR: destination Internet, next hop NGFWv-edge (inside); destination WEB, next hop NGFWv-Internal (Outside)
Diagram: vnet with WEB and APP subnets, Internet and Internet users.
Use cases: Network Address Translation (NAT); site-to-site tunnel; access control policy, IPS policy and AMP policy; networking, firewalling and AVC.

Slide 87: NGFWv and ASAv scalable design: Azure internal load balancer (ILB) Standard & external load balancer (YouTube: overview)
- WEB-UDR: destination Default/Internet, next hop ILB VIP; destination DB, APP and DC, next hop ILB VIP
- APP-UDR: destination Default/Internet, next hop ILB VIP; destination DB, WEB and DC, next hop ILB VIP
- DB-UDR: destination Default/Internet, next hop ILB VIP; destination APP, WEB & DC, next hop ILB VIP
- GW-UDR: destination WEB, APP & DB, next hop ILB VIP
Diagram: ILB Standard x (VIP) with HA port in front of FW01, FW02 ... FW..n in an availability set (stateless switchover), an NVA subnet (inside), an external LB towards the Internet and Internet users, WEB, APP and DB subnets, gateway subnet and virtual network gateway over Azure ExpressRoute to the data center, FMC.

ARM template deployment

Slide 89: Azure Resource Manager (ARM) template
- JSON-based template for deploying NGFWv and ASAv
- Multiple/repeated deployments
- Add a firewall to an existing resource group
- Add additional attributes for scalable deployment, i.e. an availability set
- Publish tested templates
- Deploy multiple Azure resources using a single ARM template
- Create the following resources before deploying ASA or NGFWv using the template: resource group, availability set, vnet, subnet and storage account

Slide 90: Azure Resource Manager template: ARM templates and demo videos
- NGFWv ARM template: http://cs.co/armtemplate (YouTube: demo)
- ASAv ARM template: http://cs.co/asavarmtemplate (YouTube: demo)
- NGFWv ARM template (LB sandwich): coming soon (YouTube: coming soon)
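The UDR slides (72 to 74 and 82 to 87) all rest on one rule: every route that a workload subnet needs to reach a peer subnet, the data centre or the Internet must point at the NVA (or the ILB VIP with HA ports), because the vnet's system route would otherwise deliver peer traffic directly and skip inspection. The following Python, an added example and not Cisco's ARM template, builds those UDRs for the slide-30 addressing, emits them as Microsoft.Network/routeTables resources in the shape an ARM template uses, and audits a UDR for peer subnets that fall back to the VnetLocal system route. The NVA subnet, the ILB VIP 10.0.4.100, the data-centre prefix 10.200.0.0/16, the resource location and the apiVersion are assumptions of this example.

```python
import ipaddress
import json

# Constructed sample addressing. The vnet and the Web/App/Db subnets follow slide 30;
# the NVA subnet, the ILB VIP and the data-centre prefix are assumptions of this example.
VNET = "10.0.0.0/16"
SUBNETS = {"WEB": "10.0.1.0/24", "APP": "10.0.2.0/24", "DB": "10.0.3.0/24"}
DC_PREFIX = "10.200.0.0/16"       # reached through the gateway subnet / ExpressRoute
NVA_NEXT_HOP = "10.0.4.100"       # ILB VIP with HA ports (or a single NVA's inside address)


def build_udr(name: str, own: str, next_hop: str = NVA_NEXT_HOP) -> dict:
    """Routes for one subnet's UDR: the default route, every peer subnet and the data
    centre all point at the NVA, so north/south and east/west traffic is inspected.
    The subnet's own prefix is left to the system route."""
    prefixes = [("default", "0.0.0.0/0")]
    prefixes += [(f"to-{peer}", cidr) for peer, cidr in sorted(SUBNETS.items()) if peer != own]
    prefixes.append(("to-dc", DC_PREFIX))
    return {"name": name,
            "routes": [{"name": n, "addressPrefix": p,
                        "nextHopType": "VirtualAppliance", "nextHopIpAddress": next_hop}
                       for n, p in prefixes]}


def build_all_udrs() -> dict:
    return {f"{s}-UDR": build_udr(f"{s}-UDR", s) for s in SUBNETS}


def to_arm_resource(udr: dict, location: str = "westeurope") -> dict:
    """Microsoft.Network/routeTables resource for an ARM template (apiVersion assumed)."""
    return {"type": "Microsoft.Network/routeTables",
            "apiVersion": "2018-08-01",
            "name": udr["name"],
            "location": location,
            "properties": {"routes": [
                {"name": r["name"],
                 "properties": {"addressPrefix": r["addressPrefix"],
                                "nextHopType": r["nextHopType"],
                                "nextHopIpAddress": r["nextHopIpAddress"]}}
                for r in udr["routes"]]}}


def effective_next_hop(udr: dict, dest_cidr: str) -> str:
    """Longest-prefix selection over the UDR plus the system routes every subnet has
    (the vnet prefix to VnetLocal, 0.0.0.0/0 to Internet). A UDR entry wins a tie,
    since UDRs take precedence over system routes (slide 30)."""
    dest = ipaddress.ip_network(dest_cidr)
    vnet = ipaddress.ip_network(VNET)
    best = (vnet.prefixlen, "VnetLocal") if dest.subnet_of(vnet) else (0, "Internet")
    for r in udr["routes"]:
        prefix = ipaddress.ip_network(r["addressPrefix"])
        if dest.subnet_of(prefix) and prefix.prefixlen >= best[0]:
            best = (prefix.prefixlen, r["nextHopType"])
    return best[1]


def audit_udr(udr: dict, own: str) -> list:
    """Defender's check: peer subnets whose traffic from `own` would NOT traverse the NVA."""
    return [peer for peer, cidr in sorted(SUBNETS.items())
            if peer != own and effective_next_hop(udr, cidr) != "VirtualAppliance"]


def demo_gap() -> list:
    """Constructed misconfiguration: the DB route was dropped from WEB-UDR, so WEB to DB
    falls back to the VnetLocal system route and bypasses inspection."""
    web = build_udr("WEB-UDR", "WEB")
    web["routes"] = [r for r in web["routes"] if r["name"] != "to-DB"]
    return audit_udr(web, "WEB")


if __name__ == "__main__":
    udrs = build_all_udrs()
    print(json.dumps([to_arm_resource(u) for u in udrs.values()], indent=2))
    for name, udr in udrs.items():
        print(name, "gaps:", audit_udr(udr, name.split("-")[0]))
    print("WEB-UDR without the DB route, gaps:", demo_gap())
```

The audit is the part worth keeping around: run it against route tables exported from a subscription and any peer subnet it reports is east/west traffic that never reaches the firewall.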

Use cases (AWS)

Slide 92: CloudFormation template
- A CF template deploys resources in AWS
- The group of resources in a template is called a stack
- Resources are added using JSON objects
- Publish the CF template using an S3 bucket
Advantages of using a CF template:
- Simplified infrastructure management
- Repeated or multiple deployment
- Reduced human errors
- Version control using the template
- Update the stack and track changes

Slide 93: Inter-subnet filtering
- The VPC CIDR 192.168.0.0/16 has a local route for the VPC
- A more specific route is not allowed in the route table
- The default route will not cover the local network
- Host routes are required to enable inter-subnet filtering
Route tables:
  RT-DB: destination 192.168.0.0/16, next-hop local; destination 0.0.0.0/0, next-hop eni-ngfwv (internal)
  RT-WEB: destination 192.168.0.0/16, next-hop local; destination 0.0.0.0/0, next-hop eni-asav (inside)
Diagram: VPC with DB 192.168.100.0/24 and WEB 192.168.2.0 subnets, NGFWv and ASAv, External subnet, IGW.
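The four bullets above describe why a default route to the firewall's ENI is not enough for traffic between two subnets of the same VPC. The Python below, an added example and not part of the deck, models a VPC route table with the two rules stated on slides 17 and 93 (the local route is always present; nothing more specific than it may be added) and shows that longest-prefix matching sends DB-to-WEB traffic via the local route, past the firewall. It then models the workaround the slide calls host routes as a route in the instance's own OS routing table pointing at the firewall's inside address; that reading, the firewall inside address 192.168.100.10 and the VPC router address 192.168.100.1 are assumptions of this example.

```python
import ipaddress

# Constructed sample values following slides 17 and 93: VPC 192.168.0.0/16 with a
# DB subnet 192.168.100.0/24 and a WEB subnet 192.168.2.0/24. The firewall inside
# address and the VPC router address are assumptions of this example.
VPC_CIDR = "192.168.0.0/16"
DB_SUBNET = "192.168.100.0/24"
WEB_SUBNET = "192.168.2.0/24"
VPC_ROUTER_IP = "192.168.100.1"   # the DB instance's OS default gateway
FW_INSIDE_IP = "192.168.100.10"   # NGFWv internal interface in the DB subnet


def longest_match(routes: dict, ip: str):
    """Pick the most specific route covering `ip`, as both the VPC router and an OS do."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in routes if addr in n), key=lambda n: n.prefixlen)
    return routes[best]


class VpcRouteTable:
    """Model of an AWS VPC route table with the slide's two rules: the local route for the
    VPC CIDR is always present, and no user route may be more specific than it."""

    def __init__(self, vpc_cidr: str):
        self.vpc = ipaddress.ip_network(vpc_cidr)
        self.routes = {self.vpc: "local"}

    def add_route(self, destination: str, target: str) -> None:
        dest = ipaddress.ip_network(destination)
        if dest == self.vpc:
            raise ValueError("the local route cannot be replaced")
        if dest.subnet_of(self.vpc):
            raise ValueError(f"{dest} is more specific than the local route {self.vpc}: not permitted")
        self.routes[dest] = target

    def lookup(self, ip: str) -> str:
        return longest_match(self.routes, ip)


class HostRouteTable:
    """The instance's own OS routing table, where a route for a peer subnet via the
    firewall's inside address IS permitted (how this example models the slide's host routes)."""

    def __init__(self, own_subnet: str, default_gw: str):
        self.routes = {ipaddress.ip_network("0.0.0.0/0"): default_gw,
                       ipaddress.ip_network(own_subnet): "directly connected"}

    def add_route(self, destination: str, via: str) -> None:
        self.routes[ipaddress.ip_network(destination)] = via

    def lookup(self, ip: str) -> str:
        return longest_match(self.routes, ip)


def demo() -> dict:
    rt_db = VpcRouteTable(VPC_CIDR)
    rt_db.add_route("0.0.0.0/0", "eni-ngfwv (internal)")     # RT-DB as on slide 93
    try:
        rt_db.add_route(WEB_SUBNET, "eni-ngfwv (internal)")  # the tempting fix: rejected
        specific_rejected = False
    except ValueError:
        specific_rejected = True

    # Host route on the DB instance: steer the WEB prefix at the firewall's inside address.
    host = HostRouteTable(DB_SUBNET, VPC_ROUTER_IP)
    host.add_route(WEB_SUBNET, FW_INSIDE_IP)

    return {
        "internet_via": rt_db.lookup("198.51.100.7"),      # default route: through the firewall
        "web_from_db_vpc": rt_db.lookup("192.168.2.10"),   # local route wins: firewall bypassed
        "specific_rejected": specific_rejected,
        "web_from_db_host": host.lookup("192.168.2.10"),   # host route: next hop is the firewall
        "db_peer_host": host.lookup("192.168.100.20"),     # same subnet stays direct
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same model applies to RT-WEB with eni-asav as the default target; only the inside address used for the host route changes.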

Slide 94: Secure Transit VPC
Diagram: spoke VPC A and VPC B connected to a Transit VPC spanning AZ1 and AZ2, with a CSRv in each AZ, a route table (RT) and Internet access.

Scalable design

Slide 96: NGFWv scalable design using the AWS Network Load Balancer (NLB) (YouTube: demo)
Diagram: VPC with subnets inside-1c, management-1c and outside-1c in us-east-1c and inside-1d, management-1d and outside-1d in us-east-1d; the firewalls sit behind the NLB (stateless switchover); FMCv with an Elastic IP; WebServer01 and WebServer02; IGW; route table RT: destination 0.0.0.0, next-hop IGW.

Slide 97: NGFWv scalable design using the AWS NLB, continued (YouTube: demo)
Same design as slide 96; multiple firewalls can be added per Availability Zone to provide AZ-level scalability.

Advanced Malware protection in Azure and AWS

Slide 99: NGFWv integration with AMP
NGFWv in AWS and Azure integrates with the AMP solution and provides the following features:
- AMP for network
- Continuous analysis
- Retrospective security
- Reduced event notifications
- Integrated malware analysis
Malware is detected and dropped by NGFWv. File capture allows you to store and retrieve files for further analysis. The integration of Threat Grid allows you to examine unknown and suspicious files in a safe, highly secure sandbox environment, either in the cloud or locally.
Diagram: VPC CIDR 192.168.0.0/16 with DB 192.168.100.0/24 and WEB 192.168.2.0 subnets, NGFWv, IGW.

Licensing

Slide 101: Licensing
NGFW:
- Base license (firewall and AVC)
- Term-based licenses (Threat, URL and AMP)
ASA:
- Standard license (firewall and throughput)
- AnyConnect Apex license (SSL and IPsec)
AWS:
- Cisco Smart Licensing
- Bring your own license (BYOL)
- Pay-as-you-go model: hourly and annual license
Azure:
- Cisco Smart Licensing
- Bring your own license (BYOL)
Note: there is no Cisco TAC support for the AWS pay-as-you-go license model, but you can purchase one year of TAC support from the listed partner: https://aws.amazon.com/marketplace/pp/b01hqprqmq?qid=1522335115947&sr=0-7&ref_=srh_res_product_title

Important Resources

Slide 103: YouTube channel: http://cs.co/dcandcloud

Slide 104: NGFWv and ASAv marketplace listings
AWS Marketplace:
- NGFWv marketplace listing, BYOL: http://cs.co/ciscobyol
- NGFWv marketplace listing, hourly & annual: http://cs.co/ciscohourlyannual
- FMCv marketplace listing, BYOL: http://cs.co/ciscofmcvbyol
- ASAv marketplace listing, BYOL, hourly & annual: http://cs.co/ciscoasavbyolhourlyannual
Azure Marketplace:
- NGFWv marketplace listing, BYOL: http://cs.co/cisco
- ASAv marketplace listing, BYOL: http://cs.co/ciscoasav
- ASAv HA marketplace listing, BYOL: http://cs.co/azureasavha

Slide 105: Important links: NGFWv in public cloud
- YouTube channel: http://cs.co/dcandcloud
- Cisco NGFWv, ASAv and FMC chalk talk in public cloud: http://cs.co/publiccloudsecchalktalk
- Technical Decision Maker deck (TDM) (partner-level access required): http://cs.co/azure-aws-publiccloudtdms
- Cisco ASAv licensing (BYOL): http://cs.co/asavlicensing
- Cisco NGFWv licensing (BYOL): http://cs.co/ciscolicensing
- NGFWv ARM template: http://cs.co/armtemplate
- ASAv ARM template: http://cs.co/asavarmtemplate