2014 Frontal Communication. All rights reserved
New methods to protect the network. Deeper visibility with Cisco NGFW – Next Generation Firewall
Claudiu Onisoru, Senior Network Specialist
Cisco Connect - 15 May 2014
Agenda
• Frontal Communication: who we are
- Key points
- Competencies Areas
- Cisco Partnership
• Cisco NGFW – Next Generation Firewall.
- Introduction
- Hardware overview
- Packet flow
- Management architecture
Key Points
‣ Established in 1994
‣ Top Romanian SYSTEM INTEGRATOR
‣ Cisco GOLD Partner
‣ Oracle Gold Partner
‣ VMware Partner Enterprise Solution Provider
‣ EMC Premier Velocity Partner
‣ Areas of competency in Infrastructure, Datacenter, Multiservice, Security
‣ VMware Training Center due to strategic partnership with Omnilogic, and Cisco Authorized Training Center
‣ Testing Center PEARSON VUE and PROMETRIC due to strategic partnership with Omnilogic
‣ VCE partner
‣ Citrix Silver Solution Advisor Partner
Competencies Areas
DATA CENTER: Storage, Switching, Applications, Security, Network Management
UNIFIED COMMUNICATION: IP Telephony, Applications, Contact Center, Voice Management, Call accounting
SECURITY: Firewall, Attack and Intrusion Prevention, Spam and Virus Protection, Virtual Private Networks, Network Admission Control, Security Management, Physical Security, Web and Email security, Video Surveillance, Identity Services Engine
MOBILITY SOLUTIONS: Wireless LAN, Remote Access, Business Class Teleworker Solutions, Mobile Solutions for Unified Communications
NETWORK SYSTEMS: Routing, LAN Switching, Network Management
Cisco Partnership
Certifications
• Gold Certified Partner
Specializations
• Advanced Collaboration Architecture (1st in Romania and Region)
• Advanced Borderless Architecture
• Advanced Routing & Switching
• Advanced Security
• Advanced Data Center Architecture
Other Authorizations
• Cisco Learning Partner Associate
• Smart Care Registered Partner
• Academy Network Partner
• Customer Satisfaction Excellence
• ATP Telepresence Express
• ATP Identity Services Engine
• ATP IP Interoperability and Collaborative System (the only one in Romania)
Cisco NGFW – Next Generation Firewall
- Introduction
- Hardware overview
- Packet flow
- Management architecture
Firewall Evolution
Phase 1: IP & Ports
Phase 2: Applications & Users
Phase 3: Full Context-Awareness
ASA NGFW adds context-aware security to the ASA product line.
PRSM provides a common management experience.
Cisco Next Generation Firewall
• Built on the best-of-breed ASA stateful inspection firewall
• Applies NAT to embedded application protocol data
• Integrates with many other solutions, including Unified Communications technologies, Active Directory, etc.
• Acts as a VPN termination point: site-to-site, remote access, and clientless SSL VPN
• Provides next-generation firewall (NGFW) services:
- Web reputation for malware protection
- URL filtering to enforce acceptable use
- Application visibility and control (AVC)
- Threat protection (NGFW IPS)
How ASA NGFW Addresses Access Control
• Beyond ports and protocols:
- Who: Identity and Authentication
- What: Application, URL Category, Reputation
- How: Device, OS, User Agent, Posture
- Where: Local, Remote
Application Visibility and Control
• Enforcing acceptable usage: 1,200+ apps, 150,000+ MicroApps (application behavior)
• Greatest control and visibility over mobile, collaborative, and web 2.0 applications
• Ensures security of (and from) port-hopping applications, such as Skype and BitTorrent
• Granular enforcement of behaviors within applications
• Visibility of activity across the network
• Visit http://asacx-cisco.com
Application Visibility and Control
Supports approximately 1,200 applications
• By default, PRSM and ASA NGFW check for application signature updates every 5 minutes
Powered by the Cisco® Security Intelligence Operation (SIO)
Supported applications are recognized on any port
Three levels of granularity are supported:
• Application type
Examples: Collaboration, Facebook, games, social networking
• Application
Examples: BitTorrent, Cisco phones, ftp-agent, Google Translate, iTunes, LDAP, oracle-sqlnet, RADIUS, WCCP, WebEx®
• Application behavior
For example, you could allow the collaboration application type but not allow uploads
Web Security Essentials: Reputation
Default web reputation profile on a scale from -10 to +10: Suspicious (-10 through -6), Not suspicious (-5.9 through +10)
Site categories along the scale, from the most malicious to the most reputable:
• Dedicated or hijacked sites persistently distributing key loggers, root kits and other malware. Almost guaranteed malicious.
• Phishing sites, bots, drive-by installers. Extremely likely to be malicious.
• Aggressive ad syndication and user tracking networks. Sites suspected to be malicious, but not confirmed.
• Sites with some history of responsible behavior or 3rd party validation.
• Well managed, responsible content syndication networks and user generated content.
• Sites with a long history of responsible behavior. Have significant volume and are widely accessed.
Web Security Essentials: URL Filtering
Used to enforce acceptable use
Predefined and custom URL categories
Utilizes application signatures
By default, PRSM and NGFW check for updates every 5 minutes
78 predefined URL categories
20,000,000+ URLs categorized
60+ languages
Powered by the Cisco® Security Intelligence Operation (SIO)
Cisco NGFW IPS (new with NGFW 9.2)
Simplified Operation
• Policy is driven by risk acceptance
• Threats are the focus, not signatures
• IPS policy is part of the overall NGFW access policy
Rich Policy Options
• References application awareness
• References source reputation
Highly Dynamic
• Daily and hourly updates available: threats / signatures, reputation feeds, parsing engines
Cisco NGFW – Next Generation Firewall
- Introduction
- Hardware overview
- Packet flow
- Management architecture
ASA NGFW – Front View
• Two hard drives, RAID 1 (event data)
• 8 GB eUSB (system)
• 10GE and GE ports
• Two GE management ports
Cisco MultiScale Performance: Next-Generation Security for the Internet Edge
Model         NGFW       NGFW + IPS   Connections   CPS       Positioning
ASA 5512-X    200 Mbps   60 Mbps      100K          10,000    Branch Locations
ASA 5515-X    350 Mbps   90 Mbps      250K          15,000    Branch Locations
ASA 5525-X    650 Mbps   300 Mbps     500K          20,000    Small / Medium Internet Edge
ASA 5545-X    1 Gbps     450 Mbps     750K          30,000    Small / Medium Internet Edge
ASA 5555-X    1.4 Gbps   600 Mbps     1M            50,000    Small / Medium Internet Edge
Cisco MultiScale Performance: Next-Generation Security for the Internet Edge (continued)
Model             NGFW      NGFW + IPS   Connections    CPS        Notes
ASA 5585-SSP10    2 Gbps    1 Gbps       500K           40,000     Medium Internet Edge
ASA 5585-SSP20    5 Gbps    1.5 Gbps     1 Million      75,000     Medium Internet Edge
ASA 5585-SSP40    9 Gbps    2.5 Gbps     1.8 Million    120,000    New with 9.2
ASA 5585-SSP60    13 Gbps   4 Gbps       4 Million      160,000    New with 9.2
Cisco NGFW – Next Generation Firewall
- Introduction
- Hardware overview
- Packet flow
- Management architecture
Functional Distribution
ASA Module: IP Fragmentation, IP Option Inspection, TCP Intercept, TCP Normalization, ACL, NAT, VPN Termination, Routing, Botnet Traffic Filter
NGFW Services Module: TCP Proxy, TLS Proxy, AVC, Multiple Policy Decision Points, HTTP Inspection, URL Category/Reputation, NGFW IPS
Day-in-the-life of a packet -- example
• Note: details of the flow differ for different traffic characteristics
1. Broad AVC: determine protocol and application
2. Auth/Access Policy: check L3/L4 and identity access policies
3. TCP Proxy: handle the TCP 3-way handshake
4. TLS Proxy: proxy encryption to decrypt traffic for inspection
5. HTTP Inspector: determine application, URL category, reputation, user agent
6. Active Auth: if passive auth is not available, authenticate using NTLM, Kerberos, or Basic auth
7. Access Policy: allow or deny verdict based on access policy
8. Packet Egress: return the packet to the ASA SSP with an allow verdict
TLS Proxy acts as a Liaison
• Two separate sessions, separate certificates, and keys
• ASA NGFW acts as a CA, and issues a certificate for the web server
Client (corporate network) <-> TLS Proxy:
1. Negotiate algorithms
3. Generate proxied server certificate
4. Client authenticates the "server" certificate (the certificate is generated dynamically with the destination name but signed by ASA NGFW)
5. Generate encryption keys
6. Encrypted data channel established
TLS Proxy <-> Web Server:
1. Negotiate algorithms
3. Authenticate server certificate
5. Generate encryption keys
6. Encrypted data channel established
TLS Proxy Extends NGFW Services to TLS Traffic
Decrypts SSL and TLS traffic across any port
• Self-signed (default) certificate or customer certificate and key
• The self-signed certificate can be downloaded and added to the trusted root certificate store on the client
Decryption policies determine which traffic to decrypt
• ASA NGFW cannot determine the host name in the client request to choose a decryption policy, because the traffic is encrypted
• FQDN and URL category are therefore determined using the server certificate
If the decision is made to decrypt, ASA NGFW acts as the liaison
• A new certificate is created, signed by ASA NGFW or by the customer CA
• Information such as FQDN and validity dates is copied from the original certificate
• Name mismatch and expired-certificate errors are ignored by the proxy and must be handled by the client
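As an added example, not from the deck or Cisco's code, covering both the liaison exchange on the previous slide and the certificate handling above: a Python model of the certificate a client receives when the proxy decrypts a session, and the checks a client (or an endpoint agent) can log on it. The issuer name, the sample certificate and the dict layout (the shape Python's ssl.getpeercert() returns) are assumptions.

```python
import ssl
import time

# Constructed issuer name for the ASA NGFW signing certificate (the deck names none).
PROXY_CA_CN = "ASA NGFW TLS Proxy CA"

def _flatten(rdns):
    """Turn getpeercert()'s ((('commonName', 'x'),), ...) RDN tuples into a dict."""
    return {k: v for rdn in rdns for k, v in rdn}

def _name_matches(pattern, host):
    """Exact match, or a single '*' for the left-most label (a wildcard cannot span labels)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def mint_proxy_cert(original):
    """Model of what the proxy does with a server certificate it decided to decrypt:
    subject, SANs and validity dates are copied verbatim; only the issuer changes."""
    copied = ("subject", "subjectAltName", "notBefore", "notAfter")
    proxied = {k: original[k] for k in copied if k in original}
    proxied["issuer"] = ((("commonName", PROXY_CA_CN),),)
    return proxied

def inspect_peer_cert(cert, expected_host, now=None):
    """Findings a client can log for a getpeercert()-style dict: whether the chain ends at
    the proxy CA, whether the name matches, and whether the (copied) validity window lapsed."""
    now = time.time() if now is None else now
    issuer = _flatten(cert.get("issuer", ()))
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:  # fall back to the CN only when the certificate carries no SAN
        names = [_flatten(cert.get("subject", ())).get("commonName", "")]
    nb, na = (ssl.cert_time_to_seconds(cert[k]) for k in ("notBefore", "notAfter"))
    return {
        "proxied": issuer.get("commonName") == PROXY_CA_CN,
        "issuer": issuer.get("commonName"),
        "name_ok": any(_name_matches(n, expected_host) for n in names),
        "expired": not (nb <= now <= na),
    }

# Constructed sample: an already-expired certificate as the real server would present it.
SAMPLE_ORIGINAL = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Jan  1 00:00:00 2014 GMT",
}
```

Because the validity dates are copied, an expired origin certificate is still expired after proxying, and it is the client that has to reject it, as the slide says.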
Active Authentication
Requires an HTTP request to initiate authentication
1. ASA NGFW sees an HTTP request from a client to a remote website
2. ASA NGFW redirects the client to the ASA inside interface (port 885 by default). The redirect is accomplished by sending a proxy redirect to the client (HTTP return code 307), spoofing the remote website
3. ASA sends a client authentication request (HTTP return code 401)
4. After authentication, the ASA NGFW redirects the client back to the remote website (HTTP return code 307)
After authentication, the ASA NGFW uses the IP address to track the user
• Both HTTP and non-HTTP traffic will now be associated with the user
Integrates with enterprise infrastructure; supported directories include:
• Microsoft Active Directory
• OpenLDAP
• IBM Tivoli Directory Server
Example active authentication (sequence between Client, ASA & CX, and Target Server)
1. Client -> ASA & CX: HTTP request
2. ASA CX policy: active authentication required
3. ASA -> Client: HTTP 307 redirect to the ASA CT-Proxy port (default port 885)
4. ASA -> Client: HTTP 407 authentication required
5. Client -> ASA: forward authentication data
6. ASA: validate credentials with the ADI service
7. ASA -> Client: HTTP 307 redirect again to the final destination
8. Client -> ASA & CX -> Target Server: regular HTTP traffic is forwarded
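As an added example, not from the deck or Cisco's code, for the active-authentication flow on this and the previous slide: a toy Python firewall and a browser-like client that walk through the 307 / 407 / 307 exchange and the IP-to-user binding that follows it. The ASA address 10.0.0.1, the user store, HTTP Basic credentials and the 407 status (the deck shows 401 on one slide and 407 on the other) are assumptions.

```python
import base64
from dataclasses import dataclass, field
from urllib.parse import urlsplit, quote, unquote

AUTH_PORT = 885           # default redirect port named in the deck
ASA_INSIDE = "10.0.0.1"   # constructed address for the ASA inside interface
CHALLENGE = {"Proxy-Authenticate": 'Basic realm="ASA NGFW"'}

@dataclass
class ActiveAuthFirewall:
    """Toy model of the ASA NGFW side of active authentication (constructed, not Cisco code)."""
    users: dict                                      # constructed directory: user -> password
    auth_by_ip: dict = field(default_factory=dict)   # source IP -> authenticated user

    def handle(self, src_ip, url, headers=None):
        """Return (status, headers) for one client request seen by the firewall."""
        headers = headers or {}
        u = urlsplit(url)
        if src_ip in self.auth_by_ip:
            # Identity is bound to the source IP, so later requests from it are forwarded tagged.
            return 200, {"X-User": self.auth_by_ip[src_ip]}
        if (u.hostname, u.port) != (ASA_INSIDE, AUTH_PORT):
            # Step 2: 307 to the ASA inside interface, remembering the original site.
            return 307, {"Location": f"http://{ASA_INSIDE}:{AUTH_PORT}/auth?orig={quote(url, safe='')}"}
        # Step 3: challenge for credentials (407 as in the sequence diagram; Basic auth assumed).
        cred = headers.get("Proxy-Authorization", "")
        decoded = base64.b64decode(cred[6:]).decode() if cred.startswith("Basic ") else ""
        name, _, pw = decoded.partition(":")
        if not name or self.users.get(name) != pw:
            return 407, CHALLENGE
        # Step 4: bind IP -> user and send the client back to where it wanted to go.
        self.auth_by_ip[src_ip] = name
        return 307, {"Location": unquote(u.query.split("orig=", 1)[1])}

def client_fetch(fw, src_ip, url, creds, max_hops=6):
    """Browser-like client: follows 307s and answers a 407 with Basic credentials.
    Returns (final status, user the firewall attributed the request to, status trace)."""
    trace, headers = [], {}
    for _ in range(max_hops):
        status, resp = fw.handle(src_ip, url, headers)
        trace.append(status)
        if status == 307:
            url, headers = resp["Location"], {}
        elif status == 407:
            token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
            headers = {"Proxy-Authorization": "Basic " + token}
        else:
            return status, resp.get("X-User"), trace
    return None, None, trace
```

Once the binding exists, a second request from the same source IP is forwarded with the user attached and no new challenge, which is the IP-based tracking the slide describes.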
Passive Authentication
Endpoint must be a domain member
Supported for all traffic and all clients
Utilizes the Cisco® Context Directory Agent (CDA):
• Standalone, Linux-based server that can be run as a virtual machine (VM)
• Intuitive, web-based GUI, and Cisco IOS® Software-style CLI
• CDA gathers information from the Active Directory server
• CDA caches information
• ASA NGFW/PRSM queries CDA for user information
• ASA NGFW/PRSM queries the Active Directory server for group membership information
Cisco NGFW – Next Generation Firewall
- Introduction
- Hardware overview
- Software overview
- Packet flow
- Management architecture
Cisco Prime Security Manager (PRSM)
• Built-in
– Configuration
– Eventing
– Reporting
• Off-box
– Configuration
– Eventing
– Reporting
– Multi-device manager for ASA NGFW (CX)
– Role Based Access Control
– Virtual Machine or UCS Appliance
– PRSM Virtual Machine supports VMware ESX 4.1+
PRSM – ASA CX communication
• PRSM <-> ASA NGFW: RESTful XML over HTTPS [REST = Representational State Transfer]
• ASA NGFW -> PRSM: reliable binary logging
• Cisco SIO -> ASA NGFW / PRSM: application identification updates over HTTPS
Q & A