Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 1
NGFW Update and Deployment Scenarios
Michael Mercier, Consulting Systems Engineer – Security Solutions
May 19, 2016
Housekeeping notes
Thank you for attending Cisco Connect Toronto 2016. Here are a few housekeeping notes to ensure we all enjoy the session today.
• Please ensure your cellphones / laptops are set on silent to ensure no one is disturbed during the session
Agenda
• Firepower NGFW
• Firepower Threat Defense Software Overview
• Firepower 4100 Next-Generation Security Architecture
• Firepower 9300 Next-Generation Security Architecture
• FTDv
• Licensing
• Performance
• Deployment Modes / Use Cases
• Deployment Considerations
Relevant Terminology
• Firepower Threat Defense (FTD): unified codebase software image
• Firepower 4100 Series and 9300 Appliances: brand for new hardware product offerings which run FTD or ASA
• “Firepower Next-Generation Firewall (NGFW)”: FTD + hardware appliance
• Firepower Management Center (FMC): formerly FireSIGHT. Unified manager for NGFW, NGIPS, AMP, FirePOWER on ISR
• ASA with FirePOWER Services: two managers, full firewall feature set
Cisco Firepower™ NGFW: threat focused, fully integrated
Enable your business with a fully integrated, threat-focused solution
• Stop more threats
• Detect earlier, act faster
• Gain more insight
• Reduce complexity
• Get more from your network
Cisco Firepower™ NGFW: stop more threats across the entire attack continuum
• Before: discover threats and enforce security policies
• During: detect, block, and defend against attacks
• After: remediate breaches and prevent future attacks
Cisco Firepower™ NGFW: gain more insight with increased visibility
“You can’t protect what you can’t see”
Visibility into: threats, users, web applications, application protocols, file transfers, malware, command and control servers, client applications, operating systems, mobile devices, VoIP phones, routers and switches, printers, network servers
Compared against: typical IPS, typical NGFW
Detect infections earlier and act faster
Median time to detection (TTD)*: Cisco 17.5 hours; industry rate 100 days
• Automated attack correlation
• Indications of compromise
• Local or cloud sandboxing
• Malware infection tracking
• Two-click containment
• Malware analysis
Source: Cisco® 2016 Annual Security Report. *Median time to detection (TTD)
Firepower Management Center
Cisco Firepower™ Management Center: reduce complexity with simplified, consistent management
Unified
• Network-to-endpoint visibility
• Manages firewall, applications, threats, and files
• Track, contain, and recover remediation tools
Scalable
• Central, role-based management
• Multitenancy
• Policy inheritance
Automated
• Impact assessment
• Rule recommendations
• Remediation APIs
Cisco Firepower™ Management Center: get more from your network through integrated defenses
• Shared intelligence (Talos)
• Shared contextual awareness
• Consistent policy enforcement
Integrated elements shown: Firepower 4100 Series, Firepower 9300 Platform, Radware DDoS, visibility, network analysis, email, threats, identity and NAC, DNS, firewall, URL
Management: Firepower Management Center Appliances
                                    FS750        FS2000             FS4000
Maximum devices managed*            10           70                 300
Event storage                       100 GB       1.8 TB             3.2 TB
Maximum network map (hosts/users)   2000/2000    150,000/150,000    600,000/600,000
Events per second (EPS)             2000         12,000             20,000
Virtual FireSIGHT® Management Center: up to 25 managed devices (ASA or FirePOWER appliances)
Virtual FireSIGHT® (FS-VMW-2-SW-K9, FS-VMW-10-SW-K9): management for 2 or 10 ASA devices only; not upgradeable
*Max number of devices is dependent upon sensor type and event rate
Cisco NGFW Platforms
All* managed by Cisco Firepower Management Center:
• Cisco Firepower™ 4100 Series and 9300 (new appliances)
• Cisco FirePOWER™ Services on ASA 5585-X
• Cisco Firepower Threat Defense on ASA 5500-X
*5585-X management available 2H CY16
Firepower Threat Defense
Converged Software – Firepower Threat Defense
• New converged software image, Firepower Threat Defense: contains all Firepower Services plus select ASA capabilities
• Single manager: Firepower Management Center*
• Same subscriptions as FirePOWER Services, enabled by Smart Licensing: Threat (IPS + SI + DNS), Malware (AMP + ThreatGrid), URL Filtering
* Also manages Firepower Appliances, Firepower Services (not ASA Software)
What features are available?
• Everything from Firepower 6.0.1
• Phased introduction of features from ASA
• FTD 6.0.1: IPv4 and IPv6; connection state tracking and TCP normalization; access control; NAT (full support); unicast routing (except EIGRP); ALGs (only default configuration); intra-chassis clustering on Firepower 9300; stateful failover (HA)
High-Level Feature Comparison: ASA with FirePOWER Services, Firepower Threat Defense
Feature                                    FirePOWER Services for ASA   Firepower Threat Defense   Notes for Firepower Threat Defense
HA, NAT                                    ✔                            ✔
Routing                                    ✔                            ✔                          Multicast in 6.1, no EIGRP
Unified ASA and Firepower rules/objects    ✘                            ✔
Local Management                           ✔                            ✔                          In 6.1, features differ
Multi-Context                              ✔                            ✘
Inter-chassis Clustering                   ✔                            ✘
VPN                                        ✔                            ✔                          Site-to-Site VPN in 6.1
Hypervisor Support                         ✘                            ✔                          AWS, VMware; KVM in 6.1
Smart Licensing support                    ✘                            ✔
Note: Not an exhaustive list of differences between these offerings.
Firepower Threat Defense – Phased Delivery
General Availability, V6.0.1 – Mar. 2016:
• FP 9300/4100 platforms
• ASA Low/Mid platforms
• All of FP Services 6.0
• ASA+FP Rules/Objects
• Transp/Routed Deploy
• Active/Passive HA
• NAT (Dynamic/Static)
• OSPF, BGP, RIP, Static
• ALGs (fixed config)
• Syn Cookie/Anti-Spoof
High-Priority NGFW Feature Parity
V6.1 - Q4FY16:
• Site-to-Site VPN
• Rate-Limiting
• Multicast and EIGRP
• VDI User Identity
• AMP Private Cloud
• ISE Remediation
• X-Forwarded-For
• Web Safe Search
• Built-in Risk Reports
• KVM Virtual platform
• On-box Web UI
• FMC HA, Scale and API
1HFY17:
• Remote Access VPN
• Device Clustering
• SSL Acceleration
• Traffic QoS
• Time-based Policies
• Hyper-V / Azure
• MS Exchange identity
• Pkt Trace/Capture
• Configuration CLI
What Platforms run Firepower Threat Defense?
All* managed by Cisco Firepower Management Center:
• Cisco Firepower Threat Defense on Firepower™ 4100 Series and 9300 (new appliances)
• Cisco FirePOWER Services on ASA 5585-X
• Cisco FirePOWER on 7000/8000 Series Appliances
• Cisco Firepower Threat Defense on ASA 5500-X
*5585-X ASA module management being investigated for 2HCY16
Firepower Threat Defense Software Overview
Advantages of Firepower Threat Defense
• New Next Generation Firewall offering
• Brings together the best features from ASA and Firepower, all under one OS
• Zero-copy packet inspection
• Single management application
• Duplicate functionality removed
Diagram: Firepower Threat Defense = L2-L4 inspections (ASA technology) + advanced inspections (FirePOWER technology), managed by Firepower Management Center. Previously: ASA (managed by CSM/ASDM) and FirePOWER Services (managed by FireSIGHT).
ASA with FirePOWER Services Packet Flow
Two OSes (ASA and FirePOWER) in a virtual container; FirePOWER Services reached through a kernel virtual TAP.
Ingress NIC → L2/L3 decode → L4 decode → flow lookup → route lookup → NAT lookup → inspection checks → (kernel virtual TAP → FirePOWER Services: AVC, IPS, File/AMP; events to the event database) → routing → NAT → egress NIC → flow update
Firepower Threat Defense Packet Flow
Single OS, zero copy: FirePOWER Services are reached through the Packet Library (PDTS).
Ingress NIC → L2/L3 decode → L4 decode → flow lookup → route lookup → NAT lookup → inspection checks → (Packet Library (PDTS) → FirePOWER Services: AVC, IPS, File/AMP; events to the event database) → routing → NAT → egress NIC → flow update
Unified Access Control Policies
• Access policies broken down into 2 sets of rules
• Advanced ACLs – evaluate L2-L4 attributes and give a verdict: Permit, Deny, Trust
• NGFW ACLs – evaluate L7 attributes: Allow, Block, Trust, Path
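The two packet-flow slides and the two-tier access control just described, as an added example that is not part of the original deck and not Cisco code. Stage names follow the slide's packet-flow diagram; everything else (the rule fields, first-match semantics, the assumed Permit default for the Advanced ACL and Block default for the NGFW ACL, and the sample packets in documentation address ranges) is constructed for illustration. It also goes a little beyond the slide by showing how an established flow reuses its cached verdict at the flow lookup stage, and why a Trust verdict at L2-L4 means the AVC, IPS and File/AMP engines never see that traffic.

```python
# Toy model of the FTD packet flow with two-tier access control (added example,
# not Cisco code): stage names follow the slide; rule fields, matching
# semantics, default actions and sample packets are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                 # "tcp" or "udp"
    dst_port: int
    app: Optional[str] = None  # L7 application label as AVC would identify it (assumed)
    url: Optional[str] = None  # requested URL, if any

def ip_in_prefix(ip: str, prefix: str) -> bool:
    """IPv4 prefix match, e.g. ip_in_prefix('10.10.3.4', '10.10.0.0/16')."""
    net, bits = prefix.split("/")
    to_int = lambda s: int.from_bytes(bytes(int(o) for o in s.split(".")), "big")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return (to_int(ip) & mask) == (to_int(net) & mask)

@dataclass(frozen=True)
class L4Rule:
    """Advanced ACL entry: L2-L4 attributes only. Verdict: Permit, Deny or Trust."""
    verdict: str
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src_prefix: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.src_prefix is None or ip_in_prefix(pkt.src_ip, self.src_prefix)))

@dataclass(frozen=True)
class L7Rule:
    """NGFW ACL entry: L7 attributes. Verdict: Allow, Block or Trust."""
    verdict: str
    app: Optional[str] = None
    url_substring: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.app is None or self.app == pkt.app)
                and (self.url_substring is None
                     or (pkt.url is not None and self.url_substring in pkt.url)))

def first_match(rules, pkt, default):
    """Rules are ordered; the first match wins, like an ACL."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.verdict
    return default

def process_packet(pkt, l4_rules, l7_rules, flows):
    """Walk the slide's stages; return (final action, list of stages visited)."""
    key = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port)
    trace = ["ingress_nic", "l2l3_decode", "l4_decode", "flow_lookup"]
    if key in flows:
        trace.append("flow_hit")   # established flow: cached verdict, rules not re-evaluated
        action = flows[key]
    else:
        trace += ["route_lookup", "nat_lookup", "advanced_acl"]
        verdict = first_match(l4_rules, pkt, "Permit")   # default Permit is assumed
        if verdict == "Deny":
            action = "drop"
        elif verdict == "Trust":
            trace.append("fast_path")                     # Trust skips L7 inspection
            action = "forward"
        else:
            trace += ["avc", "ips", "file_amp", "ngfw_acl"]
            action = "drop" if first_match(l7_rules, pkt, "Block") == "Block" else "forward"
        if action == "forward":
            flows[key] = action                            # only permitted flows are kept
    if action == "forward":
        trace += ["routing", "nat", "egress_nic"]
    trace.append("flow_update")
    return action, trace

# Constructed policy: deny telnet at L4, fast-path the backup subnet without L7
# inspection, and at L7 block a file-sharing application and a URL pattern.
ADVANCED_ACL = [L4Rule("Deny", proto="tcp", dst_port=23),
                L4Rule("Trust", src_prefix="10.10.0.0/16")]
NGFW_ACL = [L7Rule("Block", app="bittorrent"), L7Rule("Block", url_substring="/malware/"),
            L7Rule("Allow", app="http"), L7Rule("Allow", app="https")]

SAMPLES = {   # constructed packets (documentation address ranges)
    "telnet": Packet("192.0.2.10", "198.51.100.5", "tcp", 23),
    "backup": Packet("10.10.3.4", "198.51.100.5", "tcp", 445),
    "torrent": Packet("192.0.2.10", "198.51.100.7", "tcp", 80, app="bittorrent"),
    "web": Packet("192.0.2.10", "198.51.100.8", "tcp", 80, app="http", url="http://example.test/"),
    "web_bad_url": Packet("192.0.2.11", "198.51.100.8", "tcp", 80, app="http",
                          url="http://example.test/malware/x"),
}

def run_demo():
    """Push the samples through the model; return name -> final action."""
    flows, results = {}, {}
    for name, pkt in SAMPLES.items():
        action, trace = process_packet(pkt, ADVANCED_ACL, NGFW_ACL, flows)
        results[name] = action
        print(f"{name:12s} {action:8s} {' > '.join(trace)}")
    # A second packet of the 'web' flow hits the flow table and skips both rule sets.
    action, trace = process_packet(SAMPLES["web"], ADVANCED_ACL, NGFW_ACL, flows)
    results["web_second_packet"] = action if "flow_hit" in trace else "re-evaluated"
    return results

if __name__ == "__main__":
    run_demo()
```

Running the block prints one line per packet with the stages it traversed. The "backup" packet reaches the egress NIC without ever passing avc, ips or file_amp: that is the inspection gap a Trust rule in the Advanced ACL deliberately creates, and the reason such rules should carry the tightest source and destination match the traffic allows.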
Unified Objects Configuration
Diagram: objects in 5.4 compared with objects in 6.0
Firepower 4100 Next Generation Firewall
Cisco Firepower 4100 Series: introducing four new high-performance models
Performance and Density Optimization
• 10-Gbps and 40-Gbps interfaces
• Up to 80-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency
Unified Management
• Single management interface with Firepower Threat Defense
• Unified policy with inheritance
• Choice of management deployment options
Multiservice Security
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third party
Hardware Overview
Firepower 4100 Series Front and Rear View
Front: SSD1, SSD2; fixed ports 1-8 (two rows: 1 3 5 7 / 2 4 6 8); NetMod 1 (slot); NetMod 2 (slot); console; Mgmt. port; LEDs: Power, SYS, ACT, SSD status
Rear: PS1, PS2; FAN1 to FAN6
Firepower 4110/20/40/50 - Hardware Components
Supervisor Module:
• Console and management port
• 8 x 10G fixed Ethernet ports
• 2 x network modules (8x 10G or 4x 40G network module per slot)
• Internal 720G switch fabric
• Backplane: 80G backplane support
Security Engine:
• Dual x86 CPU, each connected with a Smart NIC and crypto accelerator card
• Two SSD - 1 default + 1 optional (for AMP service); SSD size 200GB for 4120, 400GB for 4140
Simplified diagram labels: built-in 8x10GE interfaces, NM slot 1 and NM slot 2 connected to the internal 720G switch fabric (link labels 2x40Gbps, 5x40Gbps, 200G); security engine with x86 CPU, RAM, Smart NIC + crypto accelerator (2x100Gbps) and two SSDs; console and Mgmt. port
Software Overview
Firepower 4100 Software
§ FP 4100 Series platform supported from FXOS 1.1.4
§ FXOS provides the interface for device management and provisioning of the security application on the security engine.
§ All images are digitally signed and validated through Secure Boot.
§ Security application images are in Cisco Secure Package (CSP) format
§ Multiple versions of the same application can be stored on the Supervisor and deployed to the Security Engine on demand
§ Contains system (i.e. ASA, FTD) and other images (i.e. ASDM, REST, and so on)
Diagram: Firepower Extensible Operating System (FXOS) on the Supervisor; on the Security Engine, the primary application from Cisco (ASA or FTD, native) and a decorator application from a third party (DDoS, in KVM)
Security Service Architecture for Firepower 4100 Series Platform
Diagram labels: Supervisor (application image storage; on-board 8x10GE interfaces Ethernet 1/1-8; 8x10GE NM slot 1 Ethernet 2/1-8; 4x40GE NM slot 2 Ethernet 3/1-4; Ethernet1/7 (management); PortChannel1 (data)); Security Engine (Security Module 1, standalone/cluster) hosting a logical device with the primary application (ASA/FTD) and a decorator application (Radware vDP), joined by a link decorator and an external connector; packet flow from the data interfaces runs through the decorator application to the primary application
Firepower 9300 Next Generation Firewall
Cisco Firepower 9300 Platform
Multiservice Security
• Benefits: integration of best-in-class security; dynamic service stitching
• Features*: Cisco® ASA container; Cisco Firepower™ Threat Defense containers (NGIPS, AMP, URL, AVC); third-party containers (Radware DDoS, other ecosystem partners)
Modular
• Benefits: standards and interoperability; flexible architecture
• Features: template-driven security; secure containerization for customer apps; RESTful/JSON API; third-party orchestration and management
Carrier Class (high-speed, scalable security)
• Benefits: industry-leading performance: 600% higher performance, 30% higher port density
• Features: compact 3RU form factor; 10-Gbps/40-Gbps I/O, 100-Gbps ready; terabit backplane; low latency, intelligent fast path; Network Equipment-Building System (NEBS) ready
* Contact Cisco for services availability
Cisco Firepower 9300 Overview
Supervisor
§ Application deployment and orchestration
§ Network attachment (10/40/100GE) and traffic distribution
§ Clustering base layer for Cisco® ASA, NGFW, and NGIPS
Security Modules
§ Embedded packet and flow classifier and crypto hardware
§ Cisco (ASA, NGFW, and NGIPS) and third-party (DDoS, load-balancer) applications
§ Standalone or clustered within (up to 240 Gbps) and across (1 Tbps+) chassis
Cisco Firepower 9300 Chassis Hardware
§ 19-inch 3RU rack (32 in. deep, 17.5 in. wide, and 135 lb fully loaded)
§ Four FRU fan modules with OIR; N+1 redundancy
§ Front-to-back airflow
§ Dual redundant power supplies with load sharing and OIR; 2500 and 1300W AC power supplies initially; 2500W DC to follow
§ Single supply at 110V is not enough for full chassis; 220V is required
§ Scalable backplane support up to 200 Gbps per security module
Supervisor Module
Overall chassis management and network interaction
§ Network interface allocation and security module connectivity (960-Gbps internal fabric)
§ Application image storage, deployment, provisioning, and service chaining
§ Clustering infrastructure for supported applications
§ Cisco® Smart Licensing and NTP for entire chassis
Front panel: RJ-45 console; 1 GE management (SFP); built-in 10 GE data (SFP+); optional network modules (NMs) 1 and 2
Supervisor Simplified Hardware Diagram
Diagram labels: internal switch fabric (up to 24x40GE) connecting Security Module 1, Security Module 2, Security Module 3, the on-board 8 x 10 GE interfaces, Network Module 1 and Network Module 2 (link labels 2 x 40 Gbps and 5 x 40 Gbps); x86 CPU and RAM on the system bus (Ethernet)
Network Modules
§ Supervisor configures interfaces and directs traffic to security modules
§ All interfaces are called “Ethernet” and 1-referenced (for example, Ethernet1/1)
§ Hardware OIR support; software support to follow
§ Mix and match up to two 10 and 40 GE half-width modules
§ 8 x 10 GE SFP or SFP+ per module
§ 4 x 40 GE QSFP per module; each port can be split to 4 x 10 GE
§ 100 GE modules
Security Modules
§ Three security module configurations
§ SM36: 72 x86 CPU cores for up to 80 Gbps of firewalled throughput
§ SM24: 48 x86 CPU cores for up to 60 Gbps of firewalled throughput
§ (Future) NEBS: SM24 NEBS certification
§ Dual 800GB SSD in RAID1 by default
§ Built-in hardware packet and flow classifier and crypto accelerator
§ Hardware VPN acceleration is targeted for a subsequent software release
Security Module Simplified Diagram
Diagram labels: x86 CPU 1 (24 or 36 cores) and x86 CPU 2 (24 or 36 cores) with RAM on the system bus (Ethernet); packet and flow classifier and crypto accelerator; 2 x 100 Gbps links (two shown) to the backplane supervisor connection
Cisco Firepower 9300 Software
§ Supervisor and security modules use multiple independent images: infrastructure software bundle for supervisor; security module firmware bundle; security application image bundles for modules
§ All images are digitally signed and validated through Secure Boot
§ Service application images are in Cisco® Secure Package (CSP) format: stored on supervisor and deployed to security module on demand; multiple versions of the same application may be stored; contains system (for example, Cisco ASA) and other images (Cisco ASDM, REST, etc.)
Security Services Architecture on Firepower 9300: Cisco® ASA Cluster
Diagram labels: Supervisor (application image storage; on-board 8 x 10 GE interfaces Ethernet 1/1-8; 8 x 10 GE NM slot 1 Ethernet 2/1-8; 4 x 40 GE NM slot 2 Ethernet 3/1-4; Ethernet 1/7 (management); PortChannel1 (data)); Security Module 1, Security Module 2 and Security Module 3, each running a logical device unit of one logical device with the primary application (ASA) and a decorator application (DDoS), joined by a link decorator, an application connector and an external connector; packet flow runs through the decorator application to the primary application
Management Overview
§ Chassis management is independent from applications
§ On-box chassis manager UI and CLI
§ Cisco® ASDM is the only management GUI for Cisco ASA initially
§ Future off-box Cisco Firepower Device Manager for both chassis and Cisco applications
§ SNMP and syslog support for chassis-level counters and events on supervisor
§ REST API on supervisor for third-party service management
§ SDN orchestration enablement for security services on demand
FTDv
Cisco FTDv for VMware: routed, transparent and inline modes (FTDv managed by FMC)
FTDv for VMware: passive mode
FTDv Service Graph in the ACI Fabric
• Routed Mode (Go-To): Tenant A, Graph A: EPG Web on the external side (10.0.0.0/24, FTDv 10.0.0.1) – FTDv – EPG App on the internal side (20.0.0.1, 20.0.0.0/24)
• Transparent Mode (Go-Through): Tenant B, Graph B: EPG App on the external side (BD1) – FTDv (BVI 10.0.0.10) – EPG DB on the internal side (BD2), 10.0.0.0/24
Bridge domains need flooding turned on, to allow ASA to see and bridge packets between two EPGs.
Use port-channels on ESXi hosts instead of NIC teaming; NIC teaming can break Go-Through mode.
Cisco FMCv/FTDv in AWS
• FTDv can connect to an Amazon Virtual Private Cloud (VPC) network, which closely resembles a traditional network topology.
• The FTDv and FMCv run as guests in the AWS private Xen Hypervisor* environment.
• Protect your AWS environment by controlling and monitoring traffic. All features, stateful L3 mode and ERSPAN passive mode are supported.
• FTDv transparent mode and Active/Standby HA are NOT supported (roadmap)
*Note: The FTDv and FMCv do not support the Xen Hypervisor outside of the AWS environment.
Cisco FMCv/FTDv in AWS
AWS FMCv is optional, as many organizations prefer to use their on-premises FMC.
• Cisco Smart Licensing; AWS hourly coming soon
• AWS Security Group access control must permit SSH/HTTPS access to your instances
• Create and attach network interfaces and add a route table entry for Internet access
• An Elastic IP (static, persistent public IP) is required for either FTDv or FMCv remote admin access
• * 2 management interfaces required for AWS FTDv
Instance sizing (values in the order extracted; one column per row did not survive extraction):
               Instance Type   Interf.   Subnets   vCPUs   RAM (GB)
FMCv           m3.large        3         2         7.5
FMCv           m3.xlarge       3         4         15
FMCv & FTDv*   c3.xlarge       2         4         7.5
FMCv           c3.2xlarge      8         4         15
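A small check for the security-group prerequisite above (SSH and HTTPS must be reachable on the management interface), as an added example that is not part of the deck and not Cisco code. The rule dictionaries copy the shape of the IpPermissions structure that boto3's describe_security_groups() returns, but they are constructed inline so nothing calls AWS; the admin CIDR, the sample rules and the decision to flag a 0.0.0.0/0 source as a finding are assumptions of this example, not statements from the slide.

```python
# Validate a security group's ingress rules against the FTDv/FMCv management
# access prerequisite. Added example, not Cisco code; rules are constructed
# inline in the shape of boto3's IpPermissions so the check runs offline.
REQUIRED_TCP_PORTS = {22: "SSH", 443: "HTTPS"}

def sources_permitting(port, permissions):
    """Return the source CIDRs whose ingress rule covers the given TCP port."""
    sources = []
    for perm in permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):          # -1 is the AWS "all traffic" protocol
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto == "-1" or lo <= port <= hi:
            sources.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
    return sources

def check_management_access(permissions, admin_cidrs):
    """Map each required service to 'ok', 'missing', 'open-to-world' or 'unexpected-source'."""
    result = {}
    for port, name in REQUIRED_TCP_PORTS.items():
        sources = sources_permitting(port, permissions)
        if not sources:
            result[name] = "missing"                     # prerequisite on the slide not met
        elif "0.0.0.0/0" in sources:
            result[name] = "open-to-world"               # reachable, but from anywhere
        elif set(sources) <= set(admin_cidrs):
            result[name] = "ok"
        else:
            result[name] = "unexpected-source"           # reachable from a non-admin range
    return result

# Constructed sample: HTTPS restricted to the admin range, SSH open to the world,
# and a UDP rule that must not count as SSH/HTTPS access.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
ADMIN_CIDRS = ["203.0.113.0/24"]   # assumed administrative range

if __name__ == "__main__":
    for service, status in check_management_access(SAMPLE_PERMISSIONS, ADMIN_CIDRS).items():
        print(f"{service}: {status}")
```

The check distinguishes "the slide's prerequisite is unmet" (missing) from "it is met in a way worth a second look" (open-to-world or unexpected-source), which is the distinction a reviewer of a fresh AWS deployment usually wants before the Elastic IP goes live.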
Licensing
Firepower Threat Defense Smart Licensing Structure
• Base License enables NGFW: networking, firewall and Application Visibility & Control
• Perpetual license - included with appliance purchase
• Term-based licenses for advanced protection: Threat, Malware and URL Filtering
• Smart License enabled only
Diagram: Base (NGFW), perpetual (green); Threat (IPS / SI / DNS), Malware (AMP / TG) and URL Filtering, term-based (blue)
Mapping Classic Licenses to new Smart Licenses
Functionality                  Traditional Licensing   Smart Licensing
Base License (includes AVC)    Protect + Control       Base
IPS (SI, DNS)                  (EULA Enforced)         Threat
AMP/Threat GRID                Malware                 Malware
URL Filtering                  URL Filtering           URL Filtering
Management                     FireSIGHT               Built into Firepower Management Center
Performance: Firepower 4100 and 9300
Performance Highlights
                4110   4120   4140   SM-24   SM-36   SM-36x3
Max FW          20G    40G    60G    75G     80G     225G
1024 AVC        12G    20G    25G    25G     35G     100G
1024 AVC+IPS    10G    15G    20G    20G     30G     90G
FTD Performance
                                             4110   4120   4140   SM-24   SM-36   SM-36x3
Max throughput: Application Control (AVC)    12G    20G    25G    25G     35G     100G
Max throughput: AVC and IPS                  10G    15G    20G    20G     30G     90G
Sizing throughput: AVC (450B)                4G     8G     10G    9G      12.5G   30G
Sizing throughput: AVC+IPS (450B)            3G     5G     6G     6G      8G      20G
Maximum concurrent sessions w/ AVC           4.5M   11M    14M    28M     29M     57M
ASA Performance
                                                           4110   4120   4140   SM-24   SM-36   SM-36x3
Stateful inspection firewall throughput (maximum)          20G    40G    60G    75G     80G     225G
Stateful inspection firewall throughput (multiprotocol)    10G    20G    30G    50G     60G     100G
Concurrent firewall connections                            10M    15M    25M    55M     60M     70M
New connections per second                                 150K   250K   350K   0.6M    0.9M    2M
Security contexts                                          250    250    250    250     250     250
Virtual interfaces                                         1024   1024   1024   1024    1024    1024
IPsec 3DES/AES VPN throughput                              8G     10G    14G    15G     18G     18G
Deployment Modes and Use Cases
Branding Terms: Review
Recently announced:
• Firepower NGFW: new NGFW brand (unified ASA+Firepower)
• Firepower Threat Defense: new unified appliance software
• Firepower Management Center: new unified manager
• Firepower Appliances: new Firepower 4100 Series and Firepower 9300 appliances
Today:
• ASA with FirePOWER Services: ASA appliances with ASA and Firepower software, application firewalling and threat defense. The ASA and FirePOWER functions have separate managers.
Deployment Modes
• Basic deployment modes: firewall modes (choose one): Routed, Transparent
• Other interface modes: IPS/IDS modes: Inline, Inline Tap, Passive
Firepower Threat Defense interface modes
Diagram labels: routed/transparent interfaces; an inline set made of inline pair 1 and inline pair 2; inline tap; passive interfaces; interfaces A through J; all feeding the policy tables
Firepower Threat Defense: integrated software, single management
Capabilities: network firewall and routing; high availability; intrusion prevention; application visibility & control; analytics & automation; network profiling; identity-based policy control; URL filtering; malware protection; Cisco Collective Security Intelligence
Internet Edge Use Case – Firepower NGFW
Requirements
Connectivity and availability requirements:
• Firewall for high availability (redundancy)
• Firewall should support routed mode
• Port-channel for interface redundancy and link speed aggregation
• Dynamic routing support (OSPF / BGP)
Security requirements:
• Single context mode
• Dynamic NAT/PAT and static NAT
• Identity-based AVC, URL filtering, IPS and malware protection
• SSL decryption
Solution
Security application: Firepower NGFW appliances with Firepower Management Center
Caveats
VPN connections via separate appliance until 6.1+
Diagram: ISP / service provider – Internet edge (HSRP) – FW in HA (port-channel) – DMZ network and campus/private network
Cloud Data Center Edge – Firepower NGFWv
Requirements
Connectivity and availability requirements:
• Virtual appliance form factor, AWS / vSphere
• Firewall for high availability (redundancy)
• Firewall in routed or transparent mode
• Support for both North/South and East/West deployments
Security requirements:
• Single context mode
• Identity-based AVC, IPS and malware & CnC protection
• SSL decryption
• TrustSec Security Group Tag support
Solution
Security application: Firepower NGFWv virtual appliance with Firepower Management Center
Caveats
KVM support in 6.1 and Microsoft Azure in 6.2. Not suitable for micro-segmentation / per-server firewalling.
Diagram: ISP / service provider – data center edge traffic zone – FW in HA (vPC / port-channel) – data center network (storage, app servers, WWW server)
Local Data Center Edge – Appliance & Virtual Firepower NGFW
Requirements
Connectivity and availability requirements:
• Firewall for high availability (redundancy)
• Firewall in routed or transparent mode
• High bandwidth interfaces (10/40Gb/100Gb) and throughput
• High bandwidth flow offload support (fast path)
• Support for both North/South and East/West deployments
Security requirements:
• Single context mode
• Identity-based AVC, IPS and malware & CnC protection
• SSL decryption
• TrustSec Security Group Tag support
Solution
Security application: Firepower Threat Defense physical or virtual appliance for Amazon Web Services (AWS) with FMC management
Caveats
Active / Standby failover only, no clustering until a future release. No VXLAN support.
Diagram: ISP / service provider – data center edge traffic zone – FW in HA (vPC / port-channel) – data center network (storage, app servers, WWW server)
Campus NGFW – Firepower NGFW
Requirements
Connectivity and availability requirements:
• Firewall for high availability (redundancy)
• Firewall in routed or transparent mode
• Dynamic routing support (OSPF / BGP)
• High bandwidth interfaces (10/40Gb) and throughput
• Port-channel for interface redundancy and firewall-on-a-stick
Security requirements:
• Firewall support between security domains within campus
• Campus edge firewall
• Single context mode
• Identity-based AVC, IPS and malware & CnC protection
• TrustSec Security Group Tag support
Solution
Security application: Firepower NGFW appliances with Firepower Management Center
Caveats
Active / Standby failover only, no clustering until a future release. HA for FMC in 6.1+. No EIGRP support.
Diagram: DC / Internet – FW in HA – core – campus distribution (NGFW, FW in A/S HA, port-channel) – access layer; data center edge (vPC / port-channel) with database, app servers and WWW
ASA
Capabilities: ASDM/CSM/RESTful API for management; HA and clustering; network firewall (routing | switching); data center security; service provider security; protocol inspection; identity-based policy control; VPN; mixed multi-context mode
Use Case: Internet Edge Firewall with VPN Support
Requirements
Connectivity and availability requirements:
• Firewall for high availability (redundancy)
• Firewall in routed mode
• vPC/port-channel for interface redundancy and link speed aggregation
Security requirements:
• Dynamic NAT/PAT and static NAT
• Application inspection
• ACL to control the traffic flows
• VPN support (S2S, SSL and AnyConnect)
Solution
Security application: ASA firewall
Diagram: ISP / service provider – Internet edge (HSRP) – FW in HA (vPC / port-channel) – DMZ network and campus/private network; remote VPN users and branch office connect over the Internet
Map Product to Use Case
• ASA with FirePOWER Services (5585-X): NGFW for data center & enterprise core; anywhere clustering, VPN, on-box management are required.
• ASA Software (Firepower 4100 & 9300): dedicated ASA for service provider, data center (firewall only).
• Firepower Threat Defense Software (Firepower 4100 & 9300): Firepower NGFW for high-speed Internet edge (where clustering, VPN, multi-context, and on-box management are not required).
Cisco is driving rapid feature parity between ASA with FirePOWER Services and Firepower NGFW, with two additional major releases planned for this year.
ASA 5585-X: 2016 and Beyond
ASA 5585-X: ✓ Proven ✓ Reliable ✓ Supported
• There are no EOS/EOL plans: won’t be considered until CY2017
• Superior reputation: 5585-X cited in Nov. 2015 Gartner Research Highlight for Carrier Class Firewalls; our market share is near 50%
• As customers migrate to newer platforms over the next 5 years, long-term evolution and protection is assured
• Investment protection built into the engineering plan: threat defense innovation will continue to come regularly to both ASA with FirePOWER Services and Firepower NGFWs
• Firepower Management Center expected to support mgmt. of key ASA features on 5585-X Q4CY2016*
* Pre-Commit Date
Deployment Considerations
Software Support by Platform
Columns: (1) Firepower NGFW (Firepower Threat Defense), (2) Firepower NGIPS/AMP Appliance, (3) ASA with FirePOWER Services, (4) ASA, (5) Radware vDP DDoS
Platform                                            (1)   (2)   (3)   (4)   (5)
FirePOWER 7000/8000 Series                          -     ✓     -     -     -
ASA Low/Mid Range (5506/08/16/25/45/55)             ✓     -     ✓     ✓     -
ASA High-end (5585 SSP-10/20/40/60)                 -     -     ✓     ✓     -
Firepower 4100/9300 (4110/20/40/ FPR9K, SM-24/36)   ✓     -     -     ✓     ✓
*Subject to Compliance Hold
Deployment Considerations - Migration
• New deployments: all hardware and software options depending on the requirements; Firepower appliances for 40/100 Gb interfaces
• ASA refresh: all hardware options – ASA and Firepower appliances
• Software migration: ASA to ASA software; limited migration from ASA to FTD in the July timeframe; native migration from ASA to FTD in the November timeframe
Security Architecture
More than just an NGFW
• When considering the move to an NGFW: think about more than just the firewall features; consider the various use cases and integration opportunities; use an architectural approach to ensure the NGFW meets the capabilities required
Thank you.