and ASAv in Amazon Web Services (AWS) and Azure
Jesper Rathsach, jrathsac@cisco.com, Consulting cybersecurity systems engineer, Cisco Systems, 29th August 2018

Today's agenda
- Introduction to public cloud
- Overview of , FMCv and ASAv
- and ASAv in Azure with use cases
- and ASAv in AWS with use cases
- Licensing and miscellaneous
- Thanks for today
Public cloud has great benefits
- Application agility
- Scalability: scale-up and scale-down
- High availability: regions and availability zones
- Cost effectiveness: per-hour, per-minute and per-second billing options
(Diagram: customers, employees and partners reach applications or workloads both in the public cloud and in the data center.)

Public cloud comes with challenges
- L2 abstraction
- Connection to the data center (IPsec, Direct Connect or ExpressRoute)
- New services and a new environment

Shared security model in public cloud
- Cloud provider responsibility: physical infrastructure, network infrastructure, virtualization layer
- Customer responsibility: network and workload security (NSG, SG, NACL), plus firewall, AVC, threat-centric protection, URL filtering, AMP and VPN (ASAv: firewall and VPN)
AWS components
AWS components overview: regions

Code            | Name
us-east-1       | US East (N. Virginia)
us-east-2       | US East (Ohio)
us-west-1       | US West (N. California)
us-west-2       | US West (Oregon)
ca-central-1    | Canada (Central)
eu-central-1    | EU (Frankfurt)
eu-west-1       | EU (Ireland)
eu-west-2       | EU (London)
eu-west-3       | EU (Paris)
ap-northeast-1  | Asia Pacific (Tokyo)
ap-northeast-2  | Asia Pacific (Seoul)
ap-northeast-3  | Asia Pacific (Osaka-Local)
ap-southeast-1  | Asia Pacific (Singapore)
ap-southeast-2  | Asia Pacific (Sydney)
ap-south-1      | Asia Pacific (Mumbai)
sa-east-1       | South America (São Paulo)

AWS components overview
- Virtual Private Cloud (VPC) spanning availability zones (e.g. us-east-1c, us-east-2c), each with inside, outside and mgmt subnets
- EC2 instance (workload), Elastic IP
- Load balancer: NLB, CLB and ALB
- Internet Gateway (IGW)
- Virtual Private Gateway (VGW) and Direct Connect
- Route table (RT), e.g. destination 0.0.0.0/0, next-hop IGW

Route table and VPC limitations
Route table:
- A route table is associated to a subnet
- User defined routes can be added
- A route more specific than the VPC CIDR is not permitted: with CIDR 192.168.0.0/16 the table holds 192.168.0.0/16 -> local and 0.0.0.0/0 -> IGW, but 192.168.2.0/24 -> x.x.x.x is rejected
Network limitations:
- No link-local multicast or broadcast
- No IGPs
- No proxy ARP or gratuitous ARP
- Complex environment for native HA support, but workarounds are available for a resilient and scalable design
(Diagram: EC2 instances in 192.168.1.0/24 behind a Security Group and in 192.168.2.0/24 behind a Network ACL, in one VPC with an IGW.)
Reference: AWS RT
Workload security in AWS: Security Groups (SG) and Network ACLs (NACL)
Security Group:
- Acts as a virtual firewall for an instance to control inbound and outbound traffic; L4 rules only
- Security group rules can only have an allow action, not deny
- SGs are stateful
- SG limit per region 50; maximum rules per SG 100
Network ACL:
- Same idea as an SG but applied to a subnet
- L4 visibility
- Action: allow or deny
(Diagram: EC2 instances in 192.168.1.0/24 with a Security Group and in 192.168.2.0/24 with a Network ACL, in one VPC.)
Reference: AWS Service Limits
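The stateful, allow-only Security Group versus the stateless, allow-or-deny Network ACL described above, as an added example that is not part of the deck: a simplified Python model of both controls (addresses, ports and rule numbers are constructed) showing that a NACL needs an explicit outbound rule for the reply of an accepted inbound connection, and that an SG cannot carve a deny out of an allowed range.

```python
import ipaddress


def _matches(r_proto, r_range, cidr, proto, port, remote_ip):
    lo, hi = r_range
    return (r_proto == proto and lo <= port <= hi
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr))


class SecurityGroup:
    """Stateful and allow-only: rules are {"in": [...], "out": [...]} with
    entries (proto, (lo, hi), cidr) and no action field. A packet accepted by
    a rule creates a flow; the flow's return traffic is allowed without a rule."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def evaluate(self, direction, proto, remote_ip, remote_port, local_port):
        flow = (proto, remote_ip, remote_port, local_port)
        if flow in self.flows:
            return "allow"  # reply of a flow accepted in the other direction
        # inbound rules name the local (destination) port, outbound rules the remote one
        port = local_port if direction == "in" else remote_port
        for r_proto, r_range, cidr in self.rules[direction]:
            if _matches(r_proto, r_range, cidr, proto, port, remote_ip):
                self.flows.add(flow)
                return "allow"
        return "deny"  # implicit: no rule matched; an SG rule cannot say "deny"


class NetworkAcl:
    """Stateless and ordered: rules are (number, direction, proto, (lo, hi),
    cidr, action); the lowest matching number wins, no match means deny, and
    every direction, replies included, needs its own rule."""

    def __init__(self, rules):
        self.rules = sorted(rules)

    def evaluate(self, direction, proto, remote_ip, remote_port, local_port):
        port = local_port if direction == "in" else remote_port
        for _, r_dir, r_proto, r_range, cidr, action in self.rules:
            if r_dir == direction and _matches(r_proto, r_range, cidr, proto, port, remote_ip):
                return action
        return "deny"


def https_session(control, client_ip="203.0.113.7"):
    """Constructed sample: client_ip:51000 -> instance port 443, then the reply."""
    request = control.evaluate("in", "tcp", client_ip, 51000, 443)
    reply = control.evaluate("out", "tcp", client_ip, 51000, 443)
    return request, reply


SG_HTTPS = SecurityGroup({"in": [("tcp", (443, 443), "0.0.0.0/0")], "out": []})
NACL_MISSING_REPLY = NetworkAcl([(100, "in", "tcp", (443, 443), "0.0.0.0/0", "allow")])
NACL_HTTPS = NetworkAcl([
    (90, "in", "tcp", (443, 443), "198.51.100.0/24", "deny"),   # a deny: NACL only
    (100, "in", "tcp", (443, 443), "0.0.0.0/0", "allow"),
    (100, "out", "tcp", (1024, 65535), "0.0.0.0/0", "allow"),   # ephemeral ports for replies
])
```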
Azure components
Azure components: region and availability zone

Azure components
- New: Availability Zone
- Resource Group
- Virtual Network (vnet) and Subnet
- Workload VM
- User Defined Route (UDR): WEB-UDR, APP-UDR and DB-UDR each send destination x.x.x.x to next hop NVA (internal)
- Network Virtual Appliance (NVA), e.g. ASAv
- Availability Set
- Load balancer: internal and external
- Virtual Network Gateway in the gateway subnet, Azure ExpressRoute

Workload security in Azure: Network Security Group (NSG)
- An NSG restricts traffic to resources in a virtual network
- Action: allow or deny
- Direction: inbound and outbound
- L4 rules: source IP, destination IP, port, protocol
- NSG limit 5000 (per region per subscription); NSG rule limit 1000 (per NSG)
(Diagram: NSGs on the eth0 and eth1 interfaces of a VM and on the subnets 10.0.1.0/24 and 10.0.2.0/24 of one vnet.)
Reference: Azure Limits and Quotas

Azure components: route table and vnet
Route table:
- A route table is associated to a subnet
- User defined routes can be added to the route table
- UDRs take precedence over system routes
- API integration with UDR
Network limitations:
- No link-local multicast or broadcast
- No IGPs
- No proxy ARP or gratuitous ARP
- No native high availability support for NVAs; ASAv HA is available
- ERSPAN is not supported because GRE is blocked
(Diagram: vnet 10.0.0.0/16 with Web 10.0.1.0/24, App 10.0.2.0/24 and Db 10.0.3.0/24 subnets; WEB-UDR, APP-UDR and DB-UDR each send destination x.x.x.x to next hop NVA (internal).)

Azure and AWS components are similar

Azure                                              | AWS
Virtual Network (vnet)                             | Virtual Private Cloud (VPC)
Availability Set                                   | Availability Zone (AZ)
Subnet                                             | Subnet
Virtual Machine (VM)                               | EC2 Instance
User Defined Route (UDR)                           | Route Table (RT)
ARM Template                                       | CloudFormation Template (CF template)
Load Balancer: internal, external and ILB Standard | Load Balancer: NLB, CLB, ALB, internal and external
ExpressRoute                                       | Direct Connect
Public IP                                          | Elastic IP (EIP)
Network Security Group                             | Security Group, NACL
and ASAv Overview
Why are we here? Let's begin the journey towards a secured cloud environment.

The shared security model in public cloud is not enough
- Cloud providers: physical infrastructure, network infrastructure, virtualization layer
- Customer: network and workload security; NSG, SG and NACL give Layer 4 visibility only
- Firewall, AVC, NGIPS, AMP, VPN and URL filtering (L4-L7 visibility); Cisco for stateful firewall, NAT, routing, ACL and VPN; ASAv

/FTDv overview
- Firewall
- NGIPS: Next-Generation Intrusion Prevention System
- AVC: Application Visibility and Control
- AMP: Advanced Malware Protection
- URL: URL filtering
- VPN: Virtual Private Network (IPsec and SSL)
- FTD appliance, managed by Firepower Management Center (FMC)

Firepower Management Center (FMC appliance)
- Centralized management
- Total visibility
- Real-time threat management
- Automation

ASAv overview (ASAv 9.9.x, ASA appliance)
- Stateful firewall, NAT, routing and ACL
- VPN: IPsec and SSL
- REST API
- Route-based VPN (VTI)

ASAv management options
- Cisco ASDM (on-box manager): for easy on-box management of common security and policy tasks, and CLI-based configuration
- Cisco Manager (centralized manager): helps administrators enforce consistent access policies, rapidly troubleshoot security events, and view summarized reports across the deployment
- Cisco Defense Orchestrator (cloud based): for centralized cloud-based policy management of multiple deployments (*only for ASA)
and ASAv In public cloud
, FMCv and ASAv instance types

AWS (Marketplace):
- instance: c3.xlarge, c4.xlarge
- ASAv instance: c3.large, c3.xlarge; c4.large, c4.xlarge; m4.large, m4.xlarge
- FMCv instance: c3.xlarge, c3.2xlarge; c4.xlarge, c4.2xlarge
- A large instance is ASAv10, an xlarge instance is ASAv30
- SSD storage on c3 instances, EBS storage on c4 or m4 instances

Azure (Marketplace):
- instance: Standard D3 and Dv2
- ASAv instance: Standard D3 and D3v2
- A D3 or D3v2 instance is ASAv30

in AWS
- Deploy in routed or passive mode
- Provides networking, firewalling, threat-centric protection, URL filtering and AMP capabilities
- An Elastic IP (static persistent public IP) is required for either or Cisco Firepower Management Center Virtual remote admin access
- AWS Security Group access control must permit SSH/HTTPS access to your instances and TCP 8305 for the SF tunnel
- Two management interfaces are required for in AWS: eth0 and eth1 are management interfaces, eth2 and eth3 are data interfaces

Platform  | Instance type          | Interfaces | vCPUs | RAM (GB)
& FMCv    | c3.xlarge, c4.xlarge   | 2 + 2*     | 4     | 7.5
FMCv      | c3.2xlarge, c4.2xlarge | 4          | 8     | 15
* Management interface

in Azure
- Deploy in routed mode ( supports routed mode)
- Provides networking, firewalling, threat-centric protection, URL filtering and AMP capabilities
- The NSG should allow SSH/HTTPS and TCP 8305 (SF tunnel) access to your instances on the eth0 interface for management access
- Two management interfaces are required for in Azure: eth0 and eth1 are management interfaces, eth2 and eth3 are data interfaces
- North/south and east/west traffic inspection and microsegmentation

NGFW platform | Supported machine size | Interfaces (subnets) | vCPUs | RAM (GB)
              | Standard D3 and D3v2   | 4 (2 + 2*)           | 4     | 14
* Management interface

and ASAv datasheet numbers

AWS
Instance | Instance type                                   | Throughput | Interfaces | VPN endpoints
         | c3.xlarge, c4.xlarge                            | 1 Gbps     | 2 + 2*     | 250
FMCv     | c3.xlarge, c4.xlarge, c3.2xlarge, c4.2xlarge    | -          | Management | -
ASAv     | c3/c4/m4.large (ASAv10)                         | 1 Gbps     | 2 + 1*     | 250
ASAv     | c3/c4/m4.xlarge (ASAv30)                        | 1 Gbps     | 3 + 1*     | 750

Azure
Instance | Instance type                | Throughput                                   | Interfaces | VPN endpoints
         | Standard D3, D3v2            | 1 Gbps                                       | 2 + 2*     | 250
ASAv     | Standard D3, D3v2 (ASAv30)   | 100 Mbps (ASAv5), 1 Gbps (ASAv10, ASAv30)    | 3 + 1*     | 50, 250 or 750
* Management interface
Note: maximum throughput is measured with traffic under ideal conditions. Standard D3 and D3v2 support ASAv5, ASAv10 and ASAv30 license entitlement.
Deployment modes
Deployment modes in public cloud
- Routed mode () - AWS
- Passive mode () - AWS
- Routed mode () - Azure
Passive mode is only applicable to in AWS.

ASAv deployment modes in public cloud
- Routed mode (ASAv) - AWS
- Routed mode (ASAv) - Azure

in Azure: routed mode deployment
- Deploy in routed mode (L3); is available in the Azure marketplace
- Next hop for workloads in the Azure vnet (internal interface)
- Managed by FMC or FMCv; public or private IP for management
- Use cases: VPN (S2S and RA VPN); firewall, NGIPS, URL filtering and AMP integration
(Diagram: eth1 is the diagnostic interface, eth2 the external interface towards the Internet and RA users, eth3 the internal interface; FMC reaches the management interface.)

ASAv in Azure: routed mode deployment
- Deploy in routed mode (L3); ASAv is available in the Azure marketplace (ASAv30)
- Next hop for workloads in the vnet
- ASAv HA (Active/Standby)
- The management interface can be used as a data interface
- Use cases: VPN (S2S and RA VPN) and firewall
- Option of installing a license for 250 or 750 VPN endpoints
(Diagram: inside, management and DMZ2 interfaces; the Internet and RA users reach the ASAv on the outside.)

in AWS: routed mode deployment
- Deploy in routed mode (L3); and FMCv are available in the AWS marketplace
- Next hop for workloads in the AWS VPC (internal interface)
- Managed by FMC or FMCv; Elastic or private IP for management
- Use cases: VPN (S2S and RA VPN); firewall, IPS, URL and AMP integration
(Diagram: FMC in the management subnet; external interface towards the IGW, the Internet and RA users.)

in AWS: passive mode deployment
- Deploy in passive mode
- Managed by FMC or FMCv; Elastic or private IP for management
- Passive mode requirement: a Cisco Cloud Services Router (CSRv) forwards a copy of the traffic to , which passively inspects the traffic sent over an ERSPAN session
- sets the interface type to ERSPAN, sets MTU 1600 and assigns an IP address
(Diagram: VPC with internal and external subnets; CSRv in front of the IGW, the Internet and RA users.)

ASAv in AWS: routed mode deployment
- Deploy ASAv in routed mode (L3)
- Next hop for workloads in the AWS VPC (inside interface)
- Elastic or private IP for management
- Managed using the CLI, Cisco Manager, ASDM, REST API and Cisco Defense Orchestrator (CDO)
- Use cases: VPN (S2S and RA VPN), inter-subnet filtering
(Diagram: inside, DMZ1, DMZ2 and management/outside interfaces; management/outside faces the IGW, the Internet and RA users.)
Management access
Management access
- AWS: manage using a private IP over AWS Direct Connect (DX) from the data center, or using a public IP over the Internet through the IGW; FMC sits in the data center
- Azure: manage using a private IP over Azure ExpressRoute through the Virtual Network Gateway in the gateway subnet, or using a public IP over the Internet; FMC sits in the data center
Use cases (Azure)
Azure User Defined Route (UDR)
- Traffic is forwarded based on the routes in the UDR; a UDR overrides system routes
- A UDR is associated to a subnet
- Next-hop options: virtual appliance, VNG, vnet, Internet and none
- API integration to modify routes
(Diagram: WebServer01 in WEB 192.168.1.0/24 has default gateway 192.168.1.1; WEB-UDR sends the default route to next hop ASAv inside, and the APP and DB subnets are likewise routed to ASAv inside, which connects to the Internet.)

E/W traffic inspection - vnet (YouTube: Demo)
Highlighted routes are required for microsegmentation:
- WEB-UDR: destinations Internet, WEB, DB and DC; next hop (internal)
- APP-UDR: destinations Internet, WEB, DB and DC; next hop (internal)
- DB-UDR: destinations Internet, WEB, APP and DC; next hop (internal)
- GW-Subnet-UDR: destinations WEB, APP and DB; next hop (internal)
An SF tunnel runs between FMC and (management). The data center is reached through Azure ExpressRoute and the Virtual Network Gateway in the gateway subnet; the external interface faces the Internet and RA VPN users.

E/W traffic inspection - ASAv vnet
Highlighted routes are required for microsegmentation:
- WEB-UDR: destinations Internet, WEB, DB and DC; next hop ASAv (inside)
- APP-UDR: destinations Internet, WEB, DB and DC; next hop ASAv (inside)
- DB-UDR: destinations Internet, WEB, APP and DC; next hop ASAv (inside)
- GW-Subnet-UDR: destinations WEB, APP and DB; next hop ASAv (inside)
The data center is reached through Azure ExpressRoute and the Virtual Network Gateway in the gateway subnet; the ASAv outside interface faces the Internet and RA VPN users. The same-security-traffic permit intra-interface command is required on the ASA for hairpinning.

/ASAv scalable design using Azure ILB with HA ports
- Azure ILB Standard with HA ports
- The ILB is the next hop in the UDR
- The ILB load balances complete IP traffic
- The ILB is designed to provide traffic symmetry
(Diagram: WEB subnet 10.82.1.0/24 with workload 10.82.1.50 and APP subnet 10.82.0.0/24 with workload 10.82.0.50; WEB-UDR sends destination APP to next hop ILB VIP, APP-UDR sends destination WEB to next hop ILB VIP; NVA subnet 10.82.2.0/24 with ILB VIP 10.82.2.100 and firewalls FWv01 10.82.2.10 (ilb-ha-fw1), FWv02 10.82.2.11 (ilb-ha-fw2), FWv03 10.82.2.12 (ilb-ha-fw3) and FWv04 10.82.2.13 (ilb-ha-fw4); default route on the firewalls 10.82.2.1.)

Service vnet: and ASAv scalable design
- Hub (service vnet): NVA subnet 10.82.2.0/24 with ILB HA VIP 10.82.2.100, firewalls FWv01 to FWv04 (ilb-ha-fw1 to ilb-ha-fw4), default route on the firewalls 10.82.2.1, gateway subnet and Virtual Network Gateway
- Spokes vnet01 and vnet02, each with multiple subnets and an All-Subnets-UDR: destination All-Subnets, next hop ILB VIP

Interconnecting vnets: UDR detail
- vnet1 and vnet2 each contain a with internal and external interfaces, managed by FMC; a site-to-site VPN tunnel connects the external interfaces
- vnet1 Internal-UDR: destination Internet, next hop (inside); destination vnet2 subnets, next hop (inside)
- vnet2 Internal-UDR: destination Internet, next hop (inside); destination vnet1 subnets, next hop (inside)

Site-to-site and RA VPN: UDR detail
- Internal-UDR: destinations Internet, RA VPN pool and data center (DC); next hop (inside)
- External interface: site-to-site VPN tunnel to the data center; Internet and RA VPN users
- and ASAv use cases: Network Address Translation (NAT), site-to-site tunnel, NGFW access control policy, IPS policy and AMP policy, networking, firewalling and AVC

Inter-subnet filtering
- Use cases: Network Address Translation (NAT), site-to-site tunnel, access control policy, IPS policy and AMP policy, networking, firewalling and AVC
- APP-UDR: destination Internet, next hop (inside); destination WEB, next hop (inside)
- WEB-UDR: destination Internet, next hop -edge (inside); destination WEB, next hop -internal (outside)
(Diagram: WEB and APP subnets in one vnet; Internet users reach the vnet through the edge firewall.)

and ASAv scalable design: Azure internal load balancer (ILB) Standard and external load balancer (YouTube: overview)
- WEB-UDR: destination default/Internet, next hop ILB VIP; destinations DB, APP and DC, next hop ILB VIP
- APP-UDR: destination default/Internet, next hop ILB VIP; destinations DB, WEB and DC, next hop ILB VIP
- DB-UDR: destination default/Internet, next hop ILB VIP; destinations APP, WEB and DC, next hop ILB VIP
- GW-UDR: destinations WEB, APP and DB, next hop ILB VIP
- ILB Standard x (VIP) with HA port in front of FW01, FW02 ... FWn in an availability set (NVA subnet, inside); external LB towards the Internet and Internet users; stateless switchover
- Azure ExpressRoute through the Virtual Network Gateway in the gateway subnet to the data center, where FMC sits
ARM template deployment
Azure Resource Manager (ARM) template
- JSON-based template for deploying and ASAv
- Multiple/repeated deployments; add a firewall to an existing resource group
- Add additional attributes for scalable deployment, i.e. an availability set
- Publish tested templates
- Deploy multiple Azure resources using a single ARM template
- Create the following resources before deploying ASA or using the template: resource group, availability set, vnet, subnet and storage account

Azure Resource Manager template: ARM templates and demo videos
- ARM Template: http://cs.co/armtemplate (YouTube: Demo)
- ASAv ARM Template: http://cs.co/asavarmtemplate (YouTube: Demo)
- ARM Template (LB sandwich): coming soon (YouTube: coming soon)
Use cases (AWS)
CloudFormation template
- A CF template deploys resources in AWS
- The group of resources in a template is called a stack
- Resources are added using JSON objects
- Publish the CF template using an S3 bucket
Advantages of using a CF template:
- Simplified infrastructure management
- Repeated or multiple deployment
- Reduced human errors
- Version control using the template
- Update the stack and track changes

Intersubnet filtering in AWS
- VPC CIDR 192.168.0.0/16 with DB 192.168.100.0/24 and WEB 192.168.2.0/24 subnets; ASAv with an external interface towards the IGW
- The VPC CIDR has a local route in every route table
- A route more specific than the VPC CIDR is not allowed in the route table
- The default route will therefore not cover the local network
- Host routes are required to enable intersubnet filtering
RT-DB: destination 192.168.0.0/16, next-hop local; destination 0.0.0.0/0, next-hop eni-ngfwv (internal)
RT-WEB: destination 192.168.0.0/16, next-hop local; destination 0.0.0.0/0, next-hop eni-asav (inside)

Secure Transit VPC
(Diagram: transit VPC with a CSRv in AZ1 and AZ2 connected to the Internet; spoke VPCs VPC A and VPC B with route tables pointing to the transit VPC.)
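The three route-table statements above, as an added example that is not part of the deck: a simplified Python model (not the AWS API) of a VPC route table with the slide's prefixes, showing the local route winning for WEB-to-DB traffic so that the default route to the firewall never sees it, the rejection of a more specific user route, and the host-route workaround. The host route is modelled as a route in the workload's OS that is consulted before the VPC table, which is an assumption about how the slide's host routes are applied; the firewall inside IP 192.168.2.10 is constructed.

```python
import ipaddress


class VpcRouteTable:
    """Simplified model of an AWS VPC route table (not the AWS API)."""

    def __init__(self, vpc_cidr):
        self.vpc = ipaddress.ip_network(vpc_cidr)
        # AWS installs the "local" route for the VPC CIDR; it cannot be removed.
        self.routes = {self.vpc: "local"}

    def add_route(self, destination, next_hop):
        dest = ipaddress.ip_network(destination)
        # A user route inside the VPC CIDR would be more specific than "local".
        if dest != self.vpc and dest.subnet_of(self.vpc):
            raise ValueError(f"{dest} is more specific than the local route {self.vpc}")
        self.routes[dest] = next_hop

    def next_hop(self, dst_ip):
        """Longest-prefix match over the table; None if nothing matches."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [net for net in self.routes if ip in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


def inspected_by_firewall(rt, dst_ip, firewall_hops):
    """True when the VPC route table alone sends dst_ip via a firewall ENI."""
    return rt.next_hop(dst_ip) in firewall_hops


def workload_next_hop(host_routes, rt, dst_ip):
    """Model of the workaround (assumption): a host route in the workload's OS,
    given as {prefix: firewall_ip}, is consulted before the VPC table, so
    subnet-to-subnet traffic is handed to the firewall's inside IP first."""
    ip = ipaddress.ip_address(dst_ip)
    for prefix, firewall_ip in host_routes.items():
        if ip in ipaddress.ip_network(prefix):
            return firewall_ip
    return rt.next_hop(dst_ip)


def more_specific_route_rejected(rt, destination, next_hop):
    """True if the table refuses the route, as AWS does for prefixes inside the CIDR."""
    try:
        rt.add_route(destination, next_hop)
        return False
    except ValueError:
        return True


# Prefixes and next-hop labels follow the slide; the firewall inside IP is constructed.
RT_WEB = VpcRouteTable("192.168.0.0/16")
RT_WEB.add_route("0.0.0.0/0", "eni-asav(inside)")
FIREWALL_HOPS = {"eni-asav(inside)", "eni-ngfwv(internal)"}
WEB_HOST_ROUTES = {"192.168.100.0/24": "192.168.2.10"}  # DB subnet via the firewall
```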
Scalable design
scalable design using the AWS Network Load Balancer (NLB) (YouTube: Demo)
- VPC with two availability zones, us-east-1c and us-east-1d, each with inside, management and outside subnets and a firewall; FMCv with an Elastic IP in the management subnet
- NLB in front of the outside interfaces, then the IGW; stateless switchover between the firewalls
- WebServer01 in us-east-1c and WebServer02 in us-east-1d
- Route table RT: destination 0.0.0.0/0, next-hop IGW
Multiple firewalls can be added per availability zone to provide AZ-level scalability.
Advanced Malware Protection in Azure and AWS

integration with AMP
- in AWS and Azure integrates with the AMP solution and provides the following features: AMP for networks, continuous analysis, retrospective security, reduced event notifications, integrated malware analysis
- Malware is detected and dropped by
- File capture allows you to store and retrieve files for further analysis
- The integration of Threat Grid allows you to examine unknown and suspicious files in a safe, highly secure sandbox environment, either in the cloud or locally
(Diagram: VPC CIDR 192.168.0.0/16 with DB 192.168.100.0/24 and WEB 192.168.2.0/24 subnets behind , which faces the IGW.)
Licensing
Licensing
- NGFW: Base license (firewall and AVC); term-based licenses (Threat, URL and AMP)
- ASA: Standard license (firewall and throughput); AnyConnect Apex license (SSL and IPsec)
- AWS: Cisco Smart Licensing, bring your own license (BYOL); pay-as-you-go model with hourly and annual licenses
- Azure: Cisco Smart Licensing, bring your own license (BYOL)
Note: there is no Cisco TAC support with the AWS pay-as-you-go license model, but you can purchase one year of TAC support from the listed partner: https://aws.amazon.com/marketplace/pp/b01hqprqmq?qid=1522335115947&sr=0-7&ref_=srh_res_product_title
Important Resources
YouTube channel: http://cs.co/dcandcloud

and ASAv marketplace listings
AWS Marketplace:
- Marketplace listing, BYOL: http://cs.co/ciscobyol
- Marketplace listing, hourly and annual: http://cs.co/ciscohourlyannual
- FMCv Marketplace listing, BYOL: http://cs.co/ciscofmcvbyol
- ASAv Marketplace listing, BYOL, hourly and annual: http://cs.co/ciscoasavbyolhourlyannual
Azure Marketplace:
- Marketplace listing, BYOL: http://cs.co/cisco
- ASAv Marketplace listing, BYOL: http://cs.co/ciscoasav
- ASAv HA Marketplace listing, BYOL: http://cs.co/azureasavha

Important links: in public cloud
- YouTube channel: http://cs.co/dcandcloud
- Cisco , ASAv and FMC chalk talk: http://cs.co/publiccloudsecchalktalk
- Technical Decision Maker deck (TDM) (partner level access required): http://cs.co/azure-aws-publiccloudtdms
- Cisco ASAv licensing (BYOL): http://cs.co/asavlicensing
- Cisco licensing (BYOL): http://cs.co/ciscolicensing
- ARM template: http://cs.co/armtemplate
- ASAv ARM template: http://cs.co/asavarmtemplate