Cisco Firepower Threat Defense

Claudiu Boar

©2017 BRINEL. All rights reserved www.brinel.com

Security everywhere

  • Find and contain problems fast
  • Simplify network segmentation
  • Control who gets onto your network
  • Protect users wherever they work
  • Stop threats at the edge


Portfolio

Segments covered: SMB/SOHO, Branch, Internet Edge, Data Center, Service Provider

  • ASA 5505
  • ASA 5506-X
  • ASA 5508-X
  • ASA 5516-X
  • ASA 5512-X
  • ASA 5515-X
  • ASA 5525-X
  • ASA 5545-X
  • ASA 5555-X
  • ASA 5585-X SSP10
  • ASA 5585-X SSP20
  • ASA 5585-X SSP40
  • ASA 5585-X SSP60
  • FPR 2100 Series
  • FPR 4110
  • FPR 4120
  • FPR 4140
  • FPR 4150
  • FPR 9300 SM-24
  • FPR 9300 SM-36
  • FPR 9300 SM-44

Firepower 2100, 4100, 9300 Snapshot

Features                               FPR 2100               FPR 4100             FPR 9300
Throughput range, Firewall + AVC       2 to 8 Gbps            12 to 30 Gbps        30 to 54 Gbps
Throughput range, Firewall + AVC + IPS 2 to 8 Gbps            10 to 24 Gbps        24 to 53 Gbps
Interface speed                        1/10 Gbps              1/10/40 Gbps         1/10/40/100 Gbps
Rack unit size                         1 RU                   1 RU                 3 RU
Clustering                             Roadmap                Yes (6.2)            Yes (6.2)
Other apps                             No                     Yes (Radware DDoS)   Yes (Radware DDoS)
Chassis Manager                        Unified with FMC / FDM Yes                  Yes

Firepower 2100 Series

High Performance, Purpose Built Hardware for Cisco NGFW

  • Available in 4 platforms
  • Higher port density in 1 Rack Unit
  • 10 Gbps support (2130 and 2140)

  • FPR 2110: 16x 1G ports
  • FPR 2120: 16x 1G ports
  • FPR 2130: 12x 1G + 12x 10G ports
  • FPR 2140: 12x 1G + 12x 10G ports

Firepower 2100 Series Performance

                                              FPR 2110   FPR 2120   FPR 2130    FPR 2140
Throughput FW + AVC                           1.9 Gbps   3 Gbps     4.75 Gbps   8.5 Gbps
Throughput FW + AVC + NGIPS                   1.9 Gbps   3 Gbps     4.75 Gbps   8.5 Gbps
Maximum concurrent sessions, with AVC         1 M        1.2 M      2 M         3.5 M
Maximum new connections per second, with AVC  12,000     16,000     24,000      40,000

Hardware Architecture Overview

Board layout labels (from the slide): NM slot (4-port 10GE, 8-port or 12-port GE RJ45 modules), dual SSD, 4-port SFP+, Fabric, USB, MGMT GE RJ45, Console.

Dual CPU design: an NPU for the stateful firewall and an x86 CPU for advanced inspections.

Stateful Inspection (Octeon NPU):
  • Prefilter action: Block, Fastpath, Analyze
  • NAT, VPN, Routing, QoS, Stateful Firewall, High Availability

Advanced Inspection (x86 CPU):
  • AVC with OpenAppID
  • NGIPS
  • Malware & File inspection (AMP)
  • Security Intelligence
  • URL Filter
  • User Identity
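The two-tier packet path above (an NPU-side prefilter that decides Block, Fastpath or Analyze on L3/L4 fields only, and an x86-side advanced inspection stage that only ever sees Analyze traffic) is easier to reason about as a small simulation. The following Python model is an added example and is not Cisco code or anything from the original deck; the rule fields, the application allow-list standing in for the inspection stage, and the sample flows are all constructed for illustration. Its point for a defender is the one the prefilter design implies: whatever a Fastpath rule matches bypasses AVC, NGIPS and AMP entirely, so Fastpath rules should be as narrow as possible.

```python
"""Conceptual model of a prefilter (L3/L4 only) in front of an inspection stage.

Added, hypothetical example: not Cisco code. Rule syntax, the 'app' field that
stands in for what AVC would identify, and all sample traffic are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


class PrefilterAction(Enum):
    BLOCK = "block"        # dropped on the fast path, never inspected
    FASTPATH = "fastpath"  # forwarded on the fast path, never inspected
    ANALYZE = "analyze"    # handed to the advanced inspection stage


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    app: str  # constructed: the application the inspection stage would identify


@dataclass
class PrefilterRule:
    """Matches on addresses, protocol and port only; it never sees app or content."""
    action: PrefilterAction
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


@dataclass
class PipelineStats:
    blocked_at_prefilter: int = 0
    fastpathed: int = 0
    inspected: int = 0
    blocked_at_inspection: int = 0


def prefilter(rules: List[PrefilterRule], f: Flow) -> PrefilterAction:
    """First matching rule wins; unmatched traffic defaults to Analyze."""
    for r in rules:
        if r.matches(f):
            return r.action
    return PrefilterAction.ANALYZE


def inspect(f: Flow, allowed_apps: set) -> bool:
    """Stand-in for the x86 stage (AVC / NGIPS / AMP): a plain app allow-list."""
    return f.app in allowed_apps


def run_pipeline(rules, allowed_apps, flows) -> Tuple[PipelineStats, List[str]]:
    stats = PipelineStats()
    verdicts = []
    for f in flows:
        action = prefilter(rules, f)
        if action is PrefilterAction.BLOCK:
            stats.blocked_at_prefilter += 1
            verdicts.append("drop (prefilter)")
        elif action is PrefilterAction.FASTPATH:
            stats.fastpathed += 1
            verdicts.append("forward (fastpath, not inspected)")
        else:
            stats.inspected += 1
            if inspect(f, allowed_apps):
                verdicts.append("forward (inspected)")
            else:
                stats.blocked_at_inspection += 1
                verdicts.append("drop (inspection)")
    return stats, verdicts


# Constructed sample policy: drop telnet outright, fast-path one narrow backup
# flow between two known subnets, analyze everything else.
SAMPLE_RULES = [
    PrefilterRule(PrefilterAction.BLOCK, proto="tcp", dport=23),
    PrefilterRule(PrefilterAction.FASTPATH, src_net="10.1.1.0/24",
                  dst_net="10.2.2.0/24", proto="tcp", dport=873),
]
ALLOWED_APPS = {"http", "dns", "rsync"}

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "203.0.113.7", "tcp", 23, "telnet"),
    Flow("10.1.1.5", "10.2.2.9", "tcp", 873, "rsync"),
    Flow("10.1.1.7", "203.0.113.10", "tcp", 80, "http"),
    Flow("10.1.1.8", "198.51.100.20", "tcp", 443, "bittorrent"),
]


def demo() -> Tuple[PipelineStats, List[str]]:
    return run_pipeline(SAMPLE_RULES, ALLOWED_APPS, SAMPLE_FLOWS)


if __name__ == "__main__":
    stats, verdicts = demo()
    for f, v in zip(SAMPLE_FLOWS, verdicts):
        print(f"{f.src} -> {f.dst}:{f.dport} ({f.app}): {v}")
    print(stats)
```

Note that the fourth flow uses port 443 but is identified as bittorrent by the inspection stage and dropped there; had a broad Fastpath rule for tcp/443 been in place, it would have been forwarded without that stage ever seeing it.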


FPR 2100 with Firepower Threat Defense

New in FTD 6.2.x: RA VPN, S2S VPN, Packet Tracer and Capture

Management Options

  • Firepower Device Manager (on-box): enables easy on-box management of common security and policy tasks
  • Firepower Management Center (centralized): enables comprehensive security administration and automation of multiple appliances
  • Cisco Defense Orchestrator (cloud-based): enables centralized cloud-based policy management of multiple deployments

On-box vs Off-box

Feature comparison, Firepower Management Center (off-box) vs Firepower Device Manager (on-box); the per-product check-mark columns of the slide are not preserved here.

  • NAT & Routing
  • Access Control
  • Intrusion & Malware
  • Device & Events Monitoring
  • VPN - Site to Site & RA
  • Security Intelligence
  • Other Policies: SSL, Identity, Rate Limiting (QoS) etc.
  • Active/Passive Authentications
  • Firewall Mode: Routed / Transparent (FMC), Routed (FDM)
  • Threat Intelligence & Analytics
  • Correlation & Remediation
  • Risk Reports
  • Device Setup Wizard
  • Interface Port-Channel
  • High Availability

FTD Licensing Structure

  • Base License enables NGFW
    • Networking, Firewall and Application Visibility & Control
    • Perpetual license, included with appliance purchase
  • Term-based licenses for advanced protection
    • Threat, Malware and URL Filtering
  • VPN License
    • VPN only
    • AnyConnect Plus
    • AnyConnect Apex

License tiers shown on the slide: Base (NGFW) | Threat (IPS / SI / DNS) | Malware (AMP / TG) | URL Filtering | VPN Only | AnyConnect Plus | AnyConnect Apex

Blue = Term-based, Green = Perpetual

Migration Capabilities

Migration of ASA Configuration to FTD

  • ACL: ability to migrate Access Control Rules
  • NAT: ability to migrate NAT rules
  • Objects: support for migrating objects corresponding to ACL and NAT rules, except Time Range and FQDN
  • ASA versions: support for ASA 8.4+ versions

Migration Process Overview

ASA .cfg or .txt file -> Migration Tool -> FMC .sfo file (plus Migration Report) -> FMC (managing the FTD device)

  • Import the .sfo file into FMC as an Access Control Policy or a Prefilter policy
  • Register the Firepower 2100 with FMC and apply the migrated policy

Firepower 2100 Physical Characteristics

  • FPR 2100 Series
    • 1RU x 16.89” x 19.8” chassis design
    • Front to back cooling
    • FIPS opacity optional kit
    • Dual SSD
  • Fixed ports
    • 12x RJ45 ports, 4x SFP(+) and USB 2.0
    • Management Ethernet & Console port
    • Rack mount rails kit optional
  • FPR 2130 / 2140
    • 1x Network Module
    • Dual PSU
    • DC PSU support

Firepower 4100 Hardware Overview

  • 1RU (1.73” tall) x 16.89” x 29.9”, front to back cooling (6x dual fan)
  • Built-in modules
    • Supervisor Module
    • Security Engine
    • 8x SFP+ (10G) fixed ports
  • Modular system
    • 2x Network Module (NetMod) slots (common across the Firepower platform)
    • 2x 2.5” SSD slots
    • 2x Universal 950 DC PSU or 2x Universal 1100W AC PSU
    • Fan units
  • Note: except for the power supply unit, all physical specifications are the same for FP4110, FP4120, FP4140 and FP4150

Firepower 4120, 4140 and 4150 - Hardware Components

  • Supervisor Module
    • Console and Management port
    • 8x 10G fixed Ethernet ports
    • 2x Network Modules
  • Security Engine
    • Dual CPU, each connected with a Smart NIC and Crypto accelerator card
    • Two SSD: 1 default + 1 optional (for AMP service)
    • SSD size: 200GB for 4120, 400GB for 4140
  • Backplane
    • 80G backplane support

Block diagram labels (from the slide): internal 720G switch fabric; Security Engine with x86 CPU, RAM, Smart NIC + Crypto Accelerator and 2x SSD; built-in 8x 10GE interfaces; NM Slot 1 and NM Slot 2 (8x 10G or 4x 40G network module); fabric links of 2x 40 Gbps, 2x 100 Gbps, 5x 40 Gbps (200G) and 80G; Console and Mgmt. port.

FP 4100 Series Performance Specification

Category                                    FP 4110    FP 4120    FP 4140
Large Packet Firewall (1500 byte UDP)       20 Gbps    40 Gbps    60 Gbps
Firewall Throughput                         10 Gbps    20 Gbps    30 Gbps
Firewall Packets Per Second (64 byte UDP)   3 M        6 M        10 M
UDP Latency (1500 LDR)                      18 µs      31 µs      30 µs
Connections per Second                      150K       250K       350K
Concurrent Connections                      10M        15M        25M
NGFW - FW+AVC Perf. (440 byte)              3.5 Gbps   7 Gbps     10 Gbps
NGFW - FW+AVC+IPS Perf. (440 byte)          2.5 Gbps   4.5 Gbps   6.5 Gbps

Firepower 4100 Software

  • FP 4100 Series platforms are supported from FXOS 1.1.4
  • FXOS provides the interface for device management and for provisioning the security application on the Security Engine.
  • All images are digitally signed and validated through Secure Boot.
  • Security application images are in Cisco Secure Package (CSP) format
    • Multiple versions of the same application can be stored on the Supervisor and deployed to the Security Engine on demand
    • Contains system images (i.e. ASA, FTD) and other images (i.e. ASDM, REST, and so on)

Software stack (from the slide): Firepower Extensible Operating System (FXOS) on the Supervisor; on the Security Engine, the primary application from Cisco (native: ASA or FTD) and a decorator application from a third party (KVM: DDoS, Radware).

DDoS Attacks breaking all layers of the DC

Layers shown on the slide: Internet Pipe, Firewall, IPS/IDS, Load Balancer/ADC, Server Under Attack, SQL Server

DDoS protection on the firewall protects from 64% of the DDoS attacks. Pipe saturation attacks require an integrated cloud protection.

Firepower Threat Defense

Advanced Malware Risk Report

Network Risk Report

Attack Risk Report

Thank you!

Media partners