Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

Putting Firepower into the Next Generation Firewall

446 vues

Publié le

Putting Firepower into the Next Generation Firewall

Publié dans : Technologie
  • Is Your Ex With a Man? Don't lose your Ex girlfriend! This weird trick will get her back! ♥♥♥ http://ow.ly/f23I301xGAo
       Répondre 
    Voulez-vous vraiment ?  Oui  Non
    Votre message apparaîtra ici

Putting Firepower into the Next Generation Firewall

  1. 1. © 2017 Cisco and/or its affiliates. All rights reserved. 1 Putting Firepower into the Next Generation Firewall February 1, 2018 Consulting Systems Engineer Cybersecurity CCIE #2926 Rob Bleeker
  2. 2. Cisco Confidential© 2016 Cisco and/or its affiliates. All rights reserved. 2 • Firepower Software Overview • ASA and Firepower NGFW platforms • Management options • New Capabilities in 6.2.2 • Deployment Design Use-case • Policies Today’s agenda
  3. 3. Cisco Confidential 3© 2016 Cisco and/or its affiliates. All rights reserved.
  4. 4. Cisco Confidential 4© 2016 Cisco and/or its affiliates. All rights reserved. Firepower Threat Defense (FTD)
  5. 5. Cisco Confidential 5© 2016 Cisco and/or its affiliates. All rights reserved. Firepower Threat Defense ASA (L2-L4) • L2-L4 Stateful Firewall • Scalable CGNAT, ACL, routing • Application inspection • RA + L2L VPN • Multi-Context Firepower (L7) • Threat-Centric NGIPS • AVC, URL Filtering for NGFW • Advanced Malware Protection Full Feature Set Continuous Feature Migration Firepower Threat Defense Single Converged OS Firewall URL Visibility Threats Firepower Management Center (FMC) ASA with Firepower Services
  6. 6. Cisco Confidential 6© 2016 Cisco and/or its affiliates. All rights reserved. What are the Firepower Deployment Options? Firepower Appliances Firepower Threat Defense ASA with Firepower Services FirePOWER Services ASA 9.5.x Firepower Threat Defense Firepower Appliances 7000/7100/8000/Virtual ASA 5500X (all models) ASA 5500X / Virtual Firepower 2100 / 4100 / 9300 5585 cannot run FTD Image! All Managed by Firepower Management Center
  7. 7. Cisco Confidential 7© 2016 Cisco and/or its affiliates. All rights reserved. Feature Comparison: ASA with Firepower Services and Firepower Threat Defense Features Firepower Threat Defense Firepower Services for ASA SIMILARITIES Routing +NAT ✔ (OSPF, BGP, Static, RIP, Multicast, EIGRP/PBR via FlexConfig) ✔ (OSPF, BGP, EIGRP, static, RIP, Multicast) OnBox Management ✔ ✔ HA (Active/Passive) ✔ ✔ Clustering (Active/Active) ✔ ✔ Site to Site and Remote Access VPN ✔ ✔ Policy based on SGT tags ✔ ✔ DIFFERENCES Unified ASA and Firepower rules and objects ✔ ✘ Hypervisor Support ✔ (AWS, VMware, KVM, Azure 6.2) ✘ Smart Licensing Support ✔ ✘ Multi-Context Support ✘(Coming Soon!) ✔ Note: Not an exhaustive feature list
  8. 8. Cisco Confidential 8© 2016 Cisco and/or its affiliates. All rights reserved. OpenAppID Next-generation visibility with OpenAppID Application Visibility & Control See and understand risks Enforce granular access control Prioritize traffic and limit rates Create detectors for custom apps Cisco database • 4,000+ apps Network & users        1 2 Rate-limit traffic
  9. 9. Cisco Confidential 9© 2016 Cisco and/or its affiliates. All rights reserved. Web acceptable use controls and threat prevention URL Filtering – Security Intelligence Feeds – DNS Sinkhole capability Classify 280M+ URLs Filter sites using 80+ categories Manage “allow/block” lists easily Block latest malicious URLs Category-based Policy Creation Allow Block Admin Cisco URL Database DNS Sinkhole 01001010100 00100101101 Security feeds URL | IP | DNS NGFW Filtering BlockAllow Safe Search …………  
  10. 10. Cisco Confidential 10© 2016 Cisco and/or its affiliates. All rights reserved. Decrypt 3.5 Gbps traffic over five million simultaneous flows Granular SSL Decryption Capabilities SSL TLS handshake certificate inspection and TLS decryption engine Log SSL decryption engine Enforcement decisions Encrypted Traffic AVC http://www.%$&^*#$@#$.com http://www.%$&^*#$@#$.com Inspect deciphered packets Track and log all SSL sessions NGIPS gambling elicit http://www.%$*#$@#$.com http://www.%$*#$@#$.com http://www.%$*#$@#$.com http://www.%$*#$@#$.com http://www.%$*#$@#$.com http://www.%$*#$@#$.com http://www.%$*#$@#$.com http://www.%$*#$@#$.com http://www.%$*#$@#$.com http://www.%$*#$@#$.com          
  11. 11. Cisco Confidential 11© 2016 Cisco and/or its affiliates. All rights reserved. Application and Context aware Intrusion Prevention Next-Generation Intrusion Prevention System (NGIPS) Communications App & Device Data 01011101001 010 010001101 010010 10 10 Data packets Prioritize response Blended threats • Network profiling • Phishing attacks • Innocuous payloads • Infrequent callouts 3 1 2 Accept Block Automate policies ISE Scan network traffic Correlate data Detect stealthy threats Respond based on priority
  12. 12. Cisco Confidential 12© 2016 Cisco and/or its affiliates. All rights reserved. c File Reputation Malware and ransomware detection and blocking Cisco AMP Threat Grid (Advanced Malware Protection and cloud sandboxing) • Known Signatures • Fuzzy Fingerprinting • Indications of compromise  Block known malware Investigate files safely Detect new threats Respond to alerts File & Device Trajectory AMP for Network Log  Threat Grid Sandboxing • Advanced Analytics • Dynamic analysis • Threat intelligence ? AMP for Endpoint Log Threat Disposition Enforcement across all endpoints RiskySafeUncertain Sandbox Analysis
  13. 13. Cisco Confidential 13© 2016 Cisco and/or its affiliates. All rights reserved. FlexConfig • Provides a way to configure ASA features not exposed directly by Firepower Management Center • EIGRP Routing • PBR • ISIS Routing • NetFlow (NSEL) export • VXLAN • ALG inspections • IPv6 header inspection • Platform Sysopt commands • WCCP
  14. 14. Cisco Confidential 14© 2016 Cisco and/or its affiliates. All rights reserved.
  15. 15. Cisco Confidential 15© 2016 Cisco and/or its affiliates. All rights reserved. Cisco ASA 5500-X 5506 / 5508 / 5516 Performance Unified Management • 1-Gbp interfaces • Up to 1.2 Gbps throughput • 5545 / 5555 Redundant Power Supply and SSD option • Firepower Threat Defense or ASA Software Options • 1-Gbp interfaces • Up to 450 Mbps throughput • Wireless Option for 5506-X • Software Switching capability • Firepower Threat Defense or ASA Software Options • Firepower Management Center (Enterprise Management) • Firepower Device Manager (On Box Manager) • Cisco Defense Orchestrator (Cloud Management) SMB and Enterprise Branch NGFW 5525 / 5545 / 5555 Performance
  16. 16. Cisco Confidential 16© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Firepower 2100 Series Performance and Density Optimization Unified ManagementPurpose Built NGFW • Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP) • 1-Gbp and 10-Gbps interfaces • Up to 8.5-Gbps throughput • 1-rack-unit (RU) form factor • Dual SSD slots • 12x RJ45 ports, 4xSFP(+) • 2130 / 2140 Models • 1x Network Module • Fail to Wire Option* • DC & Dual PSU support • Firepower Management Center (Enterprise Management) • Firepower Device Manager (On Box Manager) • Cisco Defense Orchestrator (Cloud Management) Introducing four high-performance models
  17. 17. Cisco Confidential 17© 2016 Cisco and/or its affiliates. All rights reserved. FPR 2110 FPR 2120 FPR 2130 FPR 2140 Throughput NGFW 1.9 Gbps 3 Gbps 4.75 Gbps 8.5 Gbps Throughput NGFW + IPS 1.9 Gbps 3 Gbps 4.75 Gbps 8.5 Gbps Maximum concurrent sessions 1 M 1.2 M 2 M 3.5 M Maximum new connections per second 12000 16000 24000 40000 NO DROP IN PERFORMACE! Firepower 2100 Series Performance
  18. 18. Cisco Confidential 18© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Firepower 4100 Series High performance campus and data center Performance and Density Optimization Unified Management Multiservice Security • Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP) • Radware DefensePro DDoS and other future third party • 10-Gb and 40-Gb interfaces • Up to 24-Gbps throughput • 1-rack-unit (RU) form factor • Low latency • Firepower Management Center (Enterprise Management) • Firepower Device Manager (On Box Manager) • Cisco Defense Orchestrator (Cloud Management)
  19. 19. Cisco Confidential 19© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Firepower 9300 Platform Benefits • Integration of best-in-class security • Dynamic service stitching Features • ASA container option • Firepower™ Threat Defense: • NGIPS, AMP, URL, AVC • Third-party containers: • Radware DDoS Benefits • Standards and interoperability • Flexible architecture Features • Template-driven security • Secure containerization for customer apps • RESTful/JSON API • Third-party orchestration and management Features • Compact, 3RU form factor • 10-Gbps/40-Gbps I/O; 100-Gbps • Terabit backplane • Low latency, intelligent fast path • Network Equipment-Building System (NEBS) ready Modular Carrier Class Multiservice Security High performance data center
  20. 20. Cisco Confidential 20© 2016 Cisco and/or its affiliates. All rights reserved. Cisco NGFW Platforms NGFW capabilities all managed by Firepower Management Center 250 Mb -> 1.75 Gb (NGFW + IPS Throughput) Firepower Threat Defense for ASA 5500-X 2 Gb -> 8 GB (NGFW + IPS Throughput) Firepower 2100 Series 41xx = 10 Gb -> 24 Gb 93xx = 24 Gb -> 53Gb Firepower 4100 Series and Firepower 9300 Up to 6x with clustering!
  21. 21. Cisco Confidential 21© 2016 Cisco and/or its affiliates. All rights reserved. Software Support – Physical Platforms ASA Firepower NGIPS ASA with FirePOWER Services Firepower Threat Defense ASA 5506X -> 5555X (all models) ✓ ✓ ✓ Firepower 2100 (all models) ✓ ✓ Firepower 4100 (all models) ✓ ✓ Firepower 9300 (all models) ✓ ✓ ASA 5585 (With SSP blade) ✓ ✓ Firepower 7000 / 8000 (IPS appliances) ✓
  22. 22. Cisco Confidential 22© 2016 Cisco and/or its affiliates. All rights reserved. Software Support - Virtual Platforms ASA Firepower NGIPS Firepower Threat Defense ASAv (vSphere, AWS, Azure, Hyper-V, KVM) ✓ Firepower NGIPSv (vSphere + ISR UCS-E) ✓ Firepower NGFWv (vSphere, AWS, Azure, KVM) ✓
  23. 23. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23 FTD Deployment Modes • FTD can act as both NGFW and NGIPS on different network interfaces NGIPS operates as standalone Firepower with limited ASA data plane functionality NGIPSNGFW FTDInline Eth1/1 Eth1/2 FTDInline Tap Eth1/1 Eth1/2 Passive Routed inside outside FTD DMZ Transparent inside outside FTD DMZ 10.1.1.0/24 10.1.2.0/24 10.1.3.0/24 10.1.1.0/24 FTD Eth1/1
  24. 24. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24 Segmentation VLAN Stitching APP IPS AMP APP IPS AMP APP IPS AMP Database Zone Application Zone Web Zone Campus Zone FTD FTD FTD FTD FTD Cluster How do I insert this into the Datacenter without having to change the physical infrastructure or move the routing?
  25. 25. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25 Segmentation VLAN Stitching - Before Database Zone Application Zone Web Zone FTD FTD FTD FTD FTD Cluster How do I insert this into the Datacenter without having to change the physical infrastructure or move the routing? L3 High Speed Switch 192.168.100.0/24 VLAN100 = 192.168.100.0/24 SVI = 192.168.100.1 VLAN100 Traffic never hits FW unless you change the routing or try to insert into the physical path
  26. 26. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26 Segmentation VLAN Stitching - After Database Zone Application Zone Web Zone FTD FTD FTD FTD FTD Cluster How do I insert this into the Datacenter without having to change the physical infrastructure or move the routing? L3 High Speed Switch 192.168.100.0/24 VLAN100 = 192.168.100.0/24 SVI = 192.168.100.1 VLAN101 = 192.168.100.10-50 VLAN102 = 192.168.100.51-100 VLAN103 = 192.168.100.101-110 Ex: Web Zone to get to App Zone has to go through policy on FTD. FTD stitches VLAN 101, 102 and 103. Now I can add additional L7 Inspection.
  27. 27. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29 The Security-Performance Problem Security Performance
  28. 28. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30 Fail-to-Wire Interfaces Bypass traffic upon appliance failure, including loss of power. Automatic Application Bypass Restarts Snort processes upon degraded performance Intelligent Application Bypass Application-specific acceleration of defined applications if performance is degraded Trust Rules Acceleration defined traffic but still apply Security Intelligence Prefilter Policy Bypass deep inspection and Security Intelligence based on Port / Protocol / IP Address / Zone Bypass Options 30
  29. 29. Cisco Confidential 31© 2016 Cisco and/or its affiliates. All rights reserved.
  30. 30. Cisco Confidential 32© 2016 Cisco and/or its affiliates. All rights reserved. Firepower Device Manager Enables easy on-box management of common security and policy tasks Enables comprehensive security administration and automation of multiple appliances Firepower Management Center Cisco Defense Orchestrator Enables centralized cloud-based policy management of multiple deployments On-box Centralized Cloud-based Management Options
  31. 31. Cisco Confidential 33© 2016 Cisco and/or its affiliates. All rights reserved. • On-box manager for managing a single Firepower Threat Defense device • Targeted for SMB market • Designed for Networking Security Administrator • Simple & Intuitive • Mutually Exclusive from FMC • CLI for troubleshooting Firepower Device Manager
  32. 32. Cisco Confidential 34© 2016 Cisco and/or its affiliates. All rights reserved. Enables easy on-box management of common security and policy tasks Enables comprehensive security administration and automation of multiple appliances Firepower Management Center Enables centralized cloud-based policy management of multiple deployments On-box Centralized Cloud-based Management Options
  33. 33. Cisco Confidential 35© 2016 Cisco and/or its affiliates. All rights reserved. Firepower Management Center • Single manager for Firepower Threat Defense • Can also manage Firepower appliance and “Services” deployments • Broadest set of security capabilities for Firepower platforms!
  34. 34. Cisco Confidential 36© 2016 Cisco and/or its affiliates. All rights reserved. Enables easy on-box management of common security and policy tasks Enables comprehensive security administration and automation of multiple appliances Firepower Management Center Cisco Defense Orchestrator Enables centralized cloud-based policy management of multiple deployments On-box Centralized Cloud-based Management Options
  35. 35. Cisco Confidential 38© 2016 Cisco and/or its affiliates. All rights reserved. On-box vs Off-box Firepower Management Center (Off-box) Firepower Device Manager (On-box) NAT & Routing Access Control Intrusion & Malware Device & Events Monitoring VPN - Site to Site & RA Security Intelligence Other Policies: SSL, Identity, Rate Limiting (QoS) etc. Active/Passive Authentications Firewall Mode Router / Transparent Routed Threat Intelligence & Analytics Correlation & Remediation Risk Reports Device Setup Wizard IPS Tuning High Availability
  36. 36. Cisco Confidential 39© 2016 Cisco and/or its affiliates. All rights reserved.
  37. 37. Cisco Confidential 40© 2016 Cisco and/or its affiliates. All rights reserved. Troubleshooting: Packet Tracer • Displays logs for a single simulated (virtual) packet • Tracing data will include information from Snort & preprocessors about verdicts and actions taken while processing a packet
  38. 38. Cisco Confidential 41© 2016 Cisco and/or its affiliates. All rights reserved. Troubleshooting: Packet Capture with Trace • Captures and displays packets from live traffic • Allows PCAP file download of the capture buffer
  39. 39. Cisco Confidential 42© 2016 Cisco and/or its affiliates. All rights reserved. Lookup features – Geolocation & WHOIS
  40. 40. Cisco Confidential 43© 2016 Cisco and/or its affiliates. All rights reserved. Lookup Feature: URL
  41. 41. Cisco Confidential 44© 2016 Cisco and/or its affiliates. All rights reserved. ISE remediation in using pxGrid
  42. 42. Cisco Confidential 45© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Threat Intelligence Director (CTID) • Uses customer threat intelligence to identify threats • Automatically blocks supported indicators on Cisco NGFW • Provides a single integration point for all STIX and CSV intelligence sources
  43. 43. Cisco Confidential 46© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Threat Intelligence Director Overview Cisco Threat Intelligence Director
  44. 44. Cisco Confidential 47© 2016 Cisco and/or its affiliates. All rights reserved. Hail a TAXII !! • Free source of TAXII feeds • Website URL: http://hailataxii.com • Multiple feeds • To configure the TAXII intelligence source • URL: http://hailataxii.com/taxii-discovery-service • USERNAME: guest • PASSWORD: guest
  45. 45. Cisco Confidential 48© 2016 Cisco and/or its affiliates. All rights reserved.
  46. 46. Cisco Confidential 49© 2016 Cisco and/or its affiliates. All rights reserved. Use Case Internet Edge Firewall Requirement Connectivity and Availability Requirement: • High Availability ROUTED mode • Firewall should support Router or Transparent Mode Routing Requirements: • Static and BGP Routing • Dynamic NAT/PAT and Static NAT Security Requirements: • Application Control + URL Acceptable Use enforcement • IPS and Malware protection • SSL Decryption Authentication Requirements: • User authentication and device identity Solution Security Application: Firepower Threat Defense application with FMC ISP FW in HA Private Network Service Provider Campus/Priv ate Network DMZ Network Port- Channel Internet Edge
  47. 47. Cisco Confidential 51© 2016 Cisco and/or its affiliates. All rights reserved. 10.1.1.0/24 192.168.1.0/24 192.168.1.1 10.1.1.1 IP:192.168.1.100 GW: 192.168.1.1 NAT Firewall Design: Modes of Operation • Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains – Firewall is the Router and Gateway for local hosts. • Transparent Mode is where the firewall acts as a bridge functioning at L2. • Transparent mode firewall offers some unique benefits in the DC. • Transparent deployment is tightly integrated with our ‘best practice’ data center designs.
  48. 48. Cisco Confidential 52© 2016 Cisco and/or its affiliates. All rights reserved. Link Redundancy Resiliency with link failures Link and Platform Redundancy Capabilities Firewall Link Aggregation – High Availability - Clustering Inter-chassis Clustering Combine up to 6 9300 blades or 4100 appliances Active / Standby HA LACP Link Redundancy LACP Link Aggregation Control Protocol
  49. 49. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 53 Firepower 4100/9300 Clustering Inside Switch FTD FTD FTD FTD FTD FTD Outside Switch Port-channel6 Port-channel5 Spanned EtherChannel (recommended) Inside Switch Outside Switch Note: L3 PBR and ECMP models are supported Benefits • High Scale: NGFW • Network Integration: Routing, switching, inter-site DC extensions • High Density: 40G/100G • Clustering: Intra-chassis, Inter- chassis, Inter-site • Consistent Policy Management Pay-As-You-Grow - Traditional ASA 16 node cluster - FTD 6 nodes today will scale to16 in the near future Out_P02 200.1.1.1/24 In_P01 10.1.1.1/24 VSS/VPC complianttotheIEEEstandard(802.3ad) VSS/VPC complianttotheIEEEstandard(802.3ad) Cisco Security Chalk Talk - NGFW Clustering Technology https://www.youtube.com/watch?v=yt8Cc4tS0kE&t=38s&index=3&list=PL FT-9JpKjRTANXKBmLbQ611TPYLXbUL_0
  50. 50. Cisco Confidential 54© 2016 Cisco and/or its affiliates. All rights reserved.
  51. 51. Cisco Confidential 55© 2016 Cisco and/or its affiliates. All rights reserved. Routing Protocol support • OSPF and OSPFv3 (IPv6) • BGP (IPv4 & IPv6) • Static Route • Tunneled Route support for VPNs • Reverse Route Injection for VPNs • Multicast Routing • IGMP • PIM • EIGRP via FlexConfig
  52. 52. Cisco Confidential 56© 2016 Cisco and/or its affiliates. All rights reserved. Dynamic NAT for Direct Internet Access Automatic and Manual (complex) NAT Support for FTD including IPv6
  53. 53. Cisco Confidential 57© 2016 Cisco and/or its affiliates. All rights reserved. Rate limiting Cloud File Sharing Traffic • QOS Policy is a new policy type with separate policy table • Not associated with an Access Control Policy – directly associated with devices
  54. 54. Cisco Confidential 58© 2016 Cisco and/or its affiliates. All rights reserved.
  55. 55. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Access Control Policy Access Control Rule Inspection Options Access Control Policy The glue that ties everything together Prefilter Policy SSL Policy Identity Policy Malware & File Policy Criteria (to match) Intrusion Policy Action DNS Policy TECSEC-2600 59
  56. 56. Cisco Confidential 60© 2016 Cisco and/or its affiliates. All rights reserved. Access Control Policy blocking inappropriate content
  57. 57. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 61 Security Intelligence & DNS Global Settings Whitelist / Blacklist capabilities
  58. 58. Cisco Confidential 62© 2016 Cisco and/or its affiliates. All rights reserved. Granular SSL Decrypt Can specify by application, certificate fields / status, ciphers, etc.
  59. 59. Cisco Confidential 63© 2016 Cisco and/or its affiliates. All rights reserved. Custom IPS Policy
  60. 60. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 64 Intrusion Policy and Network Discovery Policy . BRKSEC-330064 Firepower Recommended Rules automatically tunes your Snort rules for the applications, servers, and hosts on your network
  61. 61. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 65 FirePower NGFW Intrusion events Impact Flag Administrator Action Why 1 Act immediately, vulnerable Event corresponds to vulnerability mapped to host 2 Investigate, potentially vulnerable Relevant port open or protocol in use, but no vuln mapped 3 Good to know, currently not vulnerable Relevant port not open or protocol not in use 4 Good to know, unknown target Monitored network, but unknown host 0 Good to know, unknown network Unmonitored network
  62. 62. Cisco Confidential 66© 2016 Cisco and/or its affiliates. All rights reserved. Malware and File Analysis Attached to Access Policy
  63. 63. Cisco Confidential 67© 2016 Cisco and/or its affiliates. All rights reserved. URL-Based Security Intelligence • Extension of IP-based SI • TALOS dynamic feed, 3rd party feeds and lists • Multiple categories: Malware, Phishing, CnC,… • Multiple Actions: Allow, Monitor, Block, Interactive Block,… • Policy configured via Access Rules or black- list • IoC tags for CnC and Malware URLs • New Dashboard widget for URL SI • Black/White-list URL with one click URL-SI Categories
  64. 64. Cisco Confidential 68© 2016 Cisco and/or its affiliates. All rights reserved. DNS Inspection • Security Intelligence support for domains • Addresses challenges with fast-flux domains • Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing • Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor • Indications of Compromise extended with DNS Security Intelligence DNS List Action
  65. 65. Cisco Confidential 69© 2016 Cisco and/or its affiliates. All rights reserved. Identity Policy based on Passive Authentication
  66. 66. Cisco Confidential 70© 2016 Cisco and/or its affiliates. All rights reserved. Access Control Policy Identity Control Can Mix and Match AD & ISE Identity Groups (Guest, BYOD, etc.)
  67. 67. Cisco Confidential 72© 2016 Cisco and/or its affiliates. All rights reserved. ISE Integration • pxGrid feed to retrieve from ISE: • AD Username (Group lookup via AD Realm) • Device type profile & location • TrustSec Security Group Tag (SGT) • Ability to exert control based on the above in rules • i.e. block HR users from using personal iPads • Reduces ACL size and complexity
  68. 68. Cisco Confidential 74© 2016 Cisco and/or its affiliates. All rights reserved. TrustSec Security Group Tag based identity from ISE Can also reference Identity Services Engine identified Device Profiles
  69. 69. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 76 • Designed for use with Terminal Services Agent • Can also be used by custom integrations • Uses certificate-based authentication • User information is sent to the passive ID node over SSL in JSON format REST API Provider
  70. 70. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 77 Enables you to interface with network applications such as the TS-Agent on a Citrix server, where all users have the same IP address but are assigned unique ports. VDI Environments
  71. 71. Cisco Confidential 78© 2016 Cisco and/or its affiliates. All rights reserved.
  72. 72. Cisco Confidential 80© 2016 Cisco and/or its affiliates. All rights reserved. In-Line: Protects against 75% of DDoS Attacks DDoS Attack Surface – Hybrid mitigation strategy Where DDoS Strikes: Cloud: For volumetric DDoS attack mitigation In-Line: Protects against both network and application attacks 23% Firewall 7% IDS/IPS 6% Load Balancer 35% Server Under Attack Cloud: Protects against 25% of DDoS attacks 4% SQL Server 25% Internet Pipe
  73. 73. Cisco Confidential 81© 2016 Cisco and/or its affiliates. All rights reserved. • Cisco Firepower is a scalable, carrier & enterprise -grade, multi-service security appliance featuring: • Radware DDoS Decorator App (OEM) • Cisco ASA firewall • Cisco NGIPS (Sourcefire – Threat Defense) • What is required? • Firepower Chassis (FXOS 1.1.4+) • DDoS License (Virtual DefensePro) • Vision Management Software • Cloud DDoS *CSCO FY18 Q1 (Oct 15, 2017) • Hybrid, Always on & On Demand Firepower DDoS Solution Components DDoS FW NGIPS Firepower 4100/9300
  74. 74. Cisco Confidential 82© 2016 Cisco and/or its affiliates. All rights reserved. The Firepower 4100/9300 Transforms Security Service Integration Limited effectiveness Increased latency Slows network Static & Manual Unified Threat Platform w/Integrated Security Data Packet 1001 000101 111000 101110 SSL FW WAF NGIPSDDoS AMP Maximum protection Highly efficient Scalable processing Dynamic Key: Cisco Service 3rd Party Service • Radware vDP is our first 3rd Party component of the new Architecture • We are adding DDoS Application Services to the ingress interfaces of the Firepower 4100/9300
  75. 75. Cisco Confidential 83© 2016 Cisco and/or its affiliates. All rights reserved. Security Services Architecture with DDoS running Supervisor Ethernet 1/1-8 Ethernet 2/1-4 ASA Cluster Security Module 1 Ethernet 3/1-4 Security Module 2 Security Module 3 Application Image Storage PortChannel1 DDoS DDoS DDoS Ethernet1/7 (Management) Data Inside Logical Device Logical Device Unit Link Decorator Application Connector External Connector Primary Application Decorator Application On-board 8x10GE interfaces 4x40GE NM Slot 1 4x40GE NM Slot 2 Logical Packet Flow PortChannel1 ASA ASA ASA Data Outside
  76. 76. Cisco Confidential 84© 2016 Cisco and/or its affiliates. All rights reserved.
  77. 77. Cisco Confidential 86© 2016 Cisco and/or its affiliates. All rights reserved. Abbreviation Key! ASA = Adaptive Security Appliance FTD = Firepower Threat Defense FPS = Firepower Services FMC = Firepower Management Center FDM = Firepower Device Manager NGFW = Next Generation Firewall NGIPS = Next Generation Intrusion Prevention System AMP = Advanced Malware Protection API = Application Programming Interface ISE = Identity Services Engine IoC = Indicator of Compromise PAN = Place to cook your eggs
  78. 78. Cisco Confidential 87© 2016 Cisco and/or its affiliates. All rights reserved. Useful links FTD: Common Practices Guide: http://cisco.lookbookhq.com/ngfw_ftd_common-practices/ftd-common- practices Short how-to videos: https://www.youtube.com/channel/UCwnm1oSSz8pPwDyfzFS5k3w/playlists Lab minutes videos: www.labminutes.com BU videos: https://www.youtube.com/channel/UCxTz5VApACLnh5_SDjtfoNg/videos?view _as=subscriber
  79. 79. Thank you.

×