Cisco ASA with FirePOWER services
Eric Kostlan, Technical Marketing Engineer
Security Technologies Group, Cisco Systems
LABSEC-2339
Agenda
• Introduction to Lab Exercises
• Platforms and Solutions
• ASA with Firepower Services Architecture
Introduction to Lab Exercises
Session Objectives
Upon successful completion of this session, the attendee will understand how Sourcefire technologies are deployed on the ASA.
In addition, many of the new Firepower 6.0 features will be covered.
The lab assumes some familiarity with the ASA. Familiarity with Sourcefire is useful, but not necessary.
Disclaimer: This is neither comprehensive ASA training nor comprehensive Sourcefire training. The focus of this lab is how the two are integrated.
Expectations
• There are 8 labs
• You should be able to complete the first 4 lab exercises in the time allotted
• If you want to have more time to work on a lab, you can:
• Work on these labs from your hotel over the rest of the week.
• Contact me at [email protected] starting next week, and we can work something out.
• The lab exercise flow is shown below. More details about lab exercise dependencies appear on Page 3 of the Student Guide.
Lab Exercises
• Lab Exercise 1: Initial SFR Configuration
• Lab Exercise 2: Basic Policy Configuration
• Lab Exercise 3: Security Intelligence
• Lab Exercise 4: Snort and OpenAppID
• Lab Exercise 5: SSL Decryption
• Lab Exercise 6: File Policy Configuration
• Lab Exercise 7: Identity
• Lab Exercise 8: Domains
Lab Exercises and new 6.0 features
• Lab Exercise 1 (Initial SFR Configuration): One-box management
• Lab Exercise 2 (Basic Policy Configuration): Policy hierarchy
• Lab Exercise 3 (Security Intelligence): URL-based SI, DNS sinkholing
• Lab Exercise 4 (Snort and OpenAppID): AVC using OpenAppID
• Lab Exercise 5 (SSL Decryption): SSL decryption on ASA with FirePOWER
• Lab Exercise 6 (File Policy Configuration): Enhanced AMP capabilities
• Lab Exercise 7 (Identity): Active authentication, ISE for passive authentication
• Lab Exercise 8 (Domains): Multi-tenancy for management
Platforms and Solutions
What is Cisco Firepower?
Historical perspective
• Snort created
• Created by Martin Roesch in 1998
• Snort is both a language and an engine
• The open-source community rapidly adopts and develops Snort
• Sourcefire founded
• Founded in 2001 by Martin Roesch
• Created a commercial version of Snort
• Sourcefire acquires Immunet, a cloud-based anti-malware vendor
• Acquisition completed 2011
• Cisco acquires Sourcefire
• Acquisition completed 2013 for $2,700,000,000
Cisco IPS and firewall offerings
• ASA
• Traditional firewall
• Firepower appliances
• Stand-alone NGIPS
• Limited firewall capabilities
• ASA with Firepower Services
• Combination of ASA and Firepower
• Complete feature set from both solutions
• Next Generation Firewall (NGFW) – to be released in March
• Integrated data plane
• Integrated management
Cisco ASA Firewalls
[Figure: ASA platform positioning, left to right: Teleworker, Branch Office, Internet Edge, Campus, Data Center; rows: Firewall and VPN, Next-Generation. Models with firewall throughput and connections per second:]
• ASA 5506-X (750 Mbps, 5K conn/s)
• ASA 5508-X (1 Gbps, 10K conn/s)
• ASA 5516-X (1.8 Gbps, 20K conn/s)
• ASA 5512-X (500 Mbps, 10K conn/s)
• ASA 5515-X (750 Mbps, 15K conn/s)
• ASA 5525-X (2 Gbps, 20K conn/s)
• ASA 5545-X (3 Gbps, 30K conn/s)
• ASA 5555-X (4 Gbps, 50K conn/s)
• ASA 5585 SSP10 (4 Gbps, 65K conn/s)
• ASA 5585 SSP20 (10 Gbps, 140K conn/s)
• ASA 5585 SSP40 (20 Gbps, 240K conn/s)
• ASA 5585 SSP60 (40 Gbps, 350K conn/s)
Scaling Provided by Clustering
• Up to 16 ASA-X units per cluster
• For the ASA 5585-X: firewall maximum throughput 640 Gbps; FirePOWER IPS throughput (440-byte packets) 96 Gbps
• Each Sourcefire sensor is an independent instance
• ASAs share connection state information; Sourcefire sensors do not share signature state information
• State sharing between firewalls provides symmetry and high availability
• Every session has a primary owner; ownership is managed by the director node
• The ASA provides traffic symmetry to the FirePOWER module
Multi-Context Support
• Security contexts share a single Sourcefire instance
• Context IDs are passed from the ASA to Sourcefire when ASA interfaces are discovered.
• Events passed to FireSIGHT include the Context IDs.
Firepower Integration into Cisco Products
[Figure: Firepower product integration; FP 8000 Series, 2 Gbps – 60 Gbps, NGIPS]
Securing the Internet of Things
• Software
• Firewall: ASA
• IPS: Sourcefire FirePOWER Services
• Identify and block threats
• Generic
• OT protocol specific
• OT application specific
• Application Visibility and Control
• Protocols
• Applications
• Individual commands
• Industrial Security Appliance (ISA)
ASA with Firepower Services Architecture
ASA with FirePOWER Services
• Functional Distribution of Features
ASA:
• IP Fragmentation
• IP Option Inspection
• TCP Intercept
• TCP Normalization
• ACL
• NAT
• VPN Termination
• Routing
• Botnet Traffic Filter
FirePOWER Services:
• Advanced Malware Protection
• File Type filtering
• Application Visibility and Control
• NGIPS
• URL Category/Reputation
• File capture
• SSL decryption
• Security Intelligence
ASA 5585-X with FirePOWER Services
• Packet flow overview
• The ASA module processes all ingress and egress packets
• No packets are processed directly by FirePOWER, except for those arriving on the FirePOWER management port
• The ASA configures and controls the FirePOWER Services module
• The logical flow is similar for mid-range ASAs
ASA with FirePOWER Services
• Packet flow between the solution components
1. Ingress processing – inbound ACLs, IP defragmentation, TCP normalization, TCP intercept, protocol inspection, clustering/HA traffic control, VPN decryption, etc.
2. Sourcefire Services processing – URL filtering, AVC, NGIPS, AMP, etc.
3. Egress processing – outbound ACLs, NAT, routing, VPN encryption, etc.
• Packets are redirected to the module using the Cisco ASA Modular Policy Framework (MPF)
• MPF supports fail-open, fail-closed and monitor-only options
• MPF determines which traffic is sent to the FirePOWER Services module
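The MPF redirect described above, written out as ASA configuration. This is an added example and not part of the session's lab guide; the ACL name SFR_REDIRECT, the class-map name SFR_TRAFFIC and the excluded 10.1.99.0/24 subnet are illustrative choices.

```cisco
! Added example (not from the original slides): sending traffic to the
! FirePOWER (sfr) module with the ASA Modular Policy Framework.
! Names and subnets are assumptions for illustration.

! 1. Select the traffic to inspect. Traffic denied by the ACL never
!    reaches the module (useful for backup/management subnets).
access-list SFR_REDIRECT extended deny ip 10.1.99.0 255.255.255.0 any
access-list SFR_REDIRECT extended permit ip any any

class-map SFR_TRAFFIC
 match access-list SFR_REDIRECT

! 2. Attach the class to the global policy. Exactly one sfr variant
!    applies to a class; the three options correspond to the three
!    behaviours on the slide:
!      sfr fail-open               inline; module failure lets traffic pass uninspected
!      sfr fail-close              inline; module failure drops matching traffic
!      sfr fail-open monitor-only  passive copy; module sees traffic but cannot block
policy-map global_policy
 class SFR_TRAFFIC
  sfr fail-open

service-policy global_policy global

! 3. Verify on the ASA that the module is up and that the class is
!    actually matching packets:
!    show module sfr
!    show service-policy sfr
```

Because the redirect happens after ingress processing, the module sees traffic that has already passed the inbound ACL and TCP normalization; ordering the deny entries first in the ACL is what keeps excluded subnets from ever being copied to the module.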
• 5.4 FirePOWER physical appliances
Sample Solution Architecture with Management
Call to Action
• Visit the World of Solutions for
• Cisco Campus
• Walk in Labs
• Technical Solution Clinics
• Meet the Engineer
• Lunch and Learn Topics
• DevNet zone related sessions
Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 4 session evaluations and the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Thank you
What is Snort?
• Snort is an engine
• Parses network protocols
• Snort is a language
• Rules to analyze network traffic
• Snort is a community
• More than 400,000 active members
[Figure: Snort processing pipeline. Network → DAQ libraries → Packet decoder → Preprocessors → Detection engine → Output module → Alert and log files]
Best Practice physical configuration (5500-X)
• ASA managed in-band (from the “inside” interface)
• FirePOWER module managed via the M0/0 Management Interface
• No nameif assigned to the ASA M0/0 Interface
• ASA Inside Interface and FirePOWER Management can share the same Layer 2 domain and IP subnet
• Access from the “inside” to the FirePOWER module through switch/router, without ASA involvement
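The physical layout above as configuration, covering both the ASA side and the module's own management address. This is an added example, not the lab's configuration; the interface GigabitEthernet0/1, the 192.168.1.0/24 subnet, the module address 192.168.1.20 and the manager address 192.168.1.50 are assumptions.

```cisco
! Added example (not from the original slides): best-practice 5500-X
! layout. The SFR software module uses the ASA's Management0/0 port, so
! the ASA leaves it without nameif/IP and the module's address sits in
! the same L2 domain and subnet as the ASA inside interface.
! Interface and address values are assumptions.

! ASA side: hand Management0/0 to the module untouched
interface Management0/0
 management-only
 no nameif
 no security-level
 no ip address
 no shutdown

! ASA inside interface, same subnet as the module management address
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

! In-band ASA management, restricted to the inside network
ssh 192.168.1.0 255.255.255.0 inside
http server enable
http 192.168.1.0 255.255.255.0 inside

! Module side. Open the module CLI from the ASA with
!   session sfr console
! then set its address on the shared subnet and (if FMC-managed)
! register it; the registration key is a shared secret you choose:
!   configure network ipv4 manual 192.168.1.20 255.255.255.0 192.168.1.1
!   configure manager add 192.168.1.50 <registration-key>
```

With this layout, a host on the inside network reaches the module's management address through the switch directly, so neither ASA ACLs nor the data-plane redirect are involved in managing the module; if a nameif is assigned to Management0/0 instead, the ASA claims the port for its own use and that direct path is lost.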