Cisco Confidential 1C97-732214-00 © 2014 Cisco and/or its affiliates. All rights reserved.
Cisco Firepower NGFW Solutions
Jim Kotantoulas, Consulting SE – Cisco, [email protected], 2016
Integrated Threat Defense Across the Attack Continuum

Attack Continuum:
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Firewall/VPN | NGIPS | Security Intelligence | Web Security | Advanced Malware Protection

Visibility and Automation
Granular App Control
Modern Threat Control
Retrospective Security
IoCs/Incident Response
NGFW Firepower Appliances
Introduction
Industry’s First Threat-Focused Next-Generation Firewall (NGFW)
#1 Cisco® security announcement of the year
Integrate defense layers so that organizations get the best visibility
Help enable dynamic controls to automatically adapt
Protect against advanced threats across the entire attack continuum
Proven Cisco ASA firewalling
Industry-leading NGIPS and AMP
Cisco ASA with FirePOWER™ Services
Superior Integrated and Multilayered Protection

• Cisco ASA: Network Firewall, Routing | Switching; Clustering and High Availability
• Identity-Policy Control and VPN
• FireSIGHT™ Analytics and Automation
• Application Visibility and Control
• URL Filtering (Subscription)
• Intrusion Prevention (Subscription)
• Advanced Malware Protection (Subscription)
• Built-in Network Profiling
• Cisco® Collective Security Intelligence Enabled

• World’s most widely deployed, enterprise-class ASA stateful firewall
• Granular Cisco Application Visibility and Control (AVC)
• Industry-leading FirePOWER™ next-generation IPS (NGIPS)
• Reputation- and category-based URL filtering
• Advanced malware protection
Deployment options and New Appliances
Introducing the Firepower 9300 (3RU)

Supervisor
• Application deployment and orchestration
• Network attachment and traffic distribution
• Clustering base layer for ASA/FTD

Security Modules
• Embedded Smart NIC and crypto hardware
• Cisco (ASA, FTD) and third-party (Radware DDoS) applications
• Standalone or clustered within and across chassis

Network Modules
• 10GE, 40GE, and 100GE
• Hardware bypass for inline NGIPS
Firepower 9300 Security Modules

• SM-36: 72 x86 CPU cores
• SM-24: 48 x86 CPU cores, NEBS Ready
• The same modules must be installed across the entire chassis or cluster

x86 Turbo Mode for all security modules (FXOS 2.0.1)
• Triggered when 25% of ASA cores reach 80% load
• Disabled when all ASA cores drop below 60% load
• Increases performance by 10-20%
Introducing the Firepower 4100 (1RU)

Built-in Supervisor and Security Module
• Same hardware and software architecture as the 9300
• Fixed configurations (4110, 4120, 4140, 4150)
• FXOS 1.1.4 for 4110-4140, 2.0.1 for 4150

Solid State Drives
• Independent operation (no RAID)
• Slot 1 today provides limited AMP storage
• Slot 2 will add 400GB of AMP storage in FXOS 2.0.1

Network Modules
• 10GE/40GE interchangeable with the 9300
• Partially overlapping fail-to-wire controller options
Standard Network Modules (FXOS 1.1.4)

All external network modules require fiber or copper transceivers and support online insertion and removal.

8x10GE
• Firepower 4100 and 9300
• Single width
• 1GE/10GE SFP

4x40GE
• Firepower 4100 and 9300
• Single width
• 4x10GE breakouts for each 40GE port

2x100GE
• Firepower 9300 only
• Double width
• QSFP28 connector
Fail-to-Wire Network Modules (FXOS 2.0.1)

Fixed interfaces, no removable SFP support. NGIPS inline interfaces for standalone FTD 6.1 only. Sub-second reaction time to application, software, or hardware failure.

6x1GE
• Firepower 4100 only
• Single width
• 1GE fiber SX

6x10GE
• Firepower 4100 and 9300
• Single width
• 10GE SR or LR

2x40GE
• Firepower 4100 and 9300
• Single width
• 40GE SR4
• No 10GE breakout support
Firepower 4100 and 9300 Series - ASA Performance

Metric | 4110 | 4120 | 4140 | SM-24 | SM-36 | SM-36x3
Stateful inspection firewall throughput (maximum) | 20Gbps | 40Gbps | 60Gbps | 75Gbps | 80Gbps | 225Gbps
Stateful inspection firewall throughput (multiprotocol) | 10Gbps | 20Gbps | 30Gbps | 50Gbps | 60Gbps | 130Gbps
Concurrent firewall connections | 10M | 15M | 25M | 55M | 60M | 70M
New connections per second | 150K | 250K | 350K | 0.6M | 0.9M | 2M
Security contexts | 250 | 250 | 250 | 250 | 250 | 250
Virtual interfaces | 1024 | 1024 | 1024 | 1024 | 1024 | 1024
IPsec 3DES/AES VPN throughput | 8Gbps | 10Gbps | 14Gbps | 15Gbps | 18Gbps | 54Gbps
Firepower 4100 and 9300 Series – Firepower Threat Defense Performance

Metric | 4110 | 4120 | 4140 | SM-24 | SM-36 | SM-36x3
Max throughput: Application Control (AVC) | 12Gbps | 20Gbps | 25Gbps | 25Gbps | 35Gbps | 100Gbps
Max throughput: Application Control (AVC) and IPS | 10Gbps | 15Gbps | 20Gbps | 20Gbps | 30Gbps | 90Gbps
Sizing throughput: AVC (450B) | 4Gbps | 8Gbps | 10Gbps | 9Gbps | 12.5Gbps | 30Gbps
Sizing throughput: AVC+IPS (450B) | 3Gbps | 5Gbps | 6Gbps | 6Gbps | 8Gbps | 20Gbps
Maximum concurrent sessions w/AVC | 4.5M | 11M | 14M | 28M | 29M | 57M
Flow Offload Operation for the FP9300/FP4100

Trusted flow processing at ultra-high speed using the Smart NIC
• Hardware-based offload with no x86 dependency
• 30-40Gbps per single TCP/UDP flow, <5us latency

Use Cases:
• High Frequency Trading
• High Performance Computing Research Sites
• Intra/Inter DC storage backup or database sync
• GRE tunneled packets

[Diagram: Security Engine (Supervisor Module, Hardware Accelerator, ASA). Flows that match the offload policy on the ASA are processed by the hardware NIC; a single flow from source to destination runs at 40Gbps.]
Firepower 5500-X – Firepower Threat Defense Performance

Metric | 5506 (all variants) | 5508 | 5516 | 5525 | 5545 | 5555
Max throughput: Application Control (AVC) | 250Mbps | 450Mbps | 850Mbps | 1.1Gbps | 1.5Gbps | 1.75Gbps
Max throughput: Application Control (AVC) and IPS | 125Mbps | 250Mbps | 450Mbps | 650Mbps | 1Gbps | 1.25Gbps
Sizing throughput: AVC or IPS (440B) | 90Mbps | 180Mbps | 300Mbps | 375Mbps | 575Mbps | 725Mbps
Sizing throughput: AVC and IPS (440B) | 65Mbps | 115Mbps | 200Mbps | 255Mbps | 360Mbps | 450Mbps

Note: Firepower Threat Defense performance numbers and sizing guidance for the 5500-X are the same as for FirePOWER Services for ASA. Refer to the “Cisco ASA with FirePOWER Services Data Sheet” for performance numbers:
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html
FirePOWER Services Support All Current ASA Deployment Models

Multi-context mode for policy flexibility
• Each ASA interface appears as a separate interface to the FirePOWER Services module
• Allows for granular policy enforcement on both ASA and FirePOWER Services

Clustering for linear scalability
• Up to 16x ASA in a cluster
• Eliminates asymmetrical traffic issues
• Each FirePOWER Services module inspects traffic independently

HA for increased redundancy
• Redundancy and state sharing (A/S & A/A pair)
• L2 and L3 designs

* State sharing does not occur between FirePOWER Services modules
FirePOWER Services Features
Application Identification
Application Identification and Control

• Reduce attack surface and inspection requirements
• Reclaim bandwidth from streaming / sharing apps
• Limit social media to control malware and data leakage
• Restrict mobile apps in BYOD environments
• Deep visibility into app usage, regardless of port/protocol
OpenAppID

The power of Open Source comes to application-layer security: an open source, application-focused detection language that enables users to create, share and implement custom application detection.
• Create, share and implement custom application detections
• Put control into the hands of customers and the larger security community
• Community development accelerates the creation of detectors and controls

Library of OpenAppID Detectors
• Extendable sample detectors
• > 3000 detectors contributed by Cisco
• Thousands of downloads of the detection pack since last September
URL Filtering

• Block non-business-related sites by category
• Based on user and user group
• Dozens of content categories
• URLs categorized by risk
Cisco Confidential 24© 2015 Cisco and/or its affiliates. All rights reserved.
Integrated SSL Decryption

• > 30% of Internet traffic is SSL encrypted, hiding it from inspection (Google, Facebook, Office 365)
• Expected to increase by 50% in 2017; Google to prioritize sites using SSL
• An increasing share of malware hides in SSL tunnels: malware downloads, CnC connections, data exfiltration

• Multiple deployment modes: Passive Inbound (known keys), Inbound Inline (with or without keys), Outbound Inline (without keys)
• Flexible SSL support for HTTPS and StartTLS based apps, e.g. SMTPS, POP3S, FTPS, IMAPS, TelnetS
• Decrypt by URL category and other attributes
• Centralized enforcement of SSL certificate policies, e.g. blocking self-signed encrypted traffic, SSL version, specific cipher suites, unapproved mobile devices
URL and DNS Protection

Attackers are leveraging DNS!
• Blacklist domains and URLs associated with bots, CnC, malware delivery
• Fast-flux: high frequency DNS record changes
• Control C&C traffic
• Seize control of botnets
• Restrict access to domains violating corporate policy
DNS Inspection

• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Multiple actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence
• Cisco-provided and user-defined DNS lists: CnC, Spam, Malware, Phishing
• New dashboard widget for URL/DNS SI

[Screenshot: DNS List Action configuration]
DNS Inspection: Domain Not Found

[Diagram: the local DNS server forwards a query for tbhatc.mxp2398.com through the NGFW; the NGFW matches the domain against its lists and answers NXDOMAIN, which the DNS server returns to the client.]

NGFW policy
• Can configure: lists / feeds / global lists
• Action: DNS NXDOMAIN
• Generates SI events
DNS Inspection: DNS Sinkhole

[Diagram: an endpoint (10.15.0.21) that downloaded malware resolves its C&C domain over DNS via the local DNS server; the NGFW matches the domain against the C&C list, blocks the real answer and returns the sinkhole IP, so the endpoint's C&C connection goes to the sinkhole instead.]

NGFW policy
• DNS SI: C&C servers
• Action: DNS Sinkhole
• Generates SI events & IOCs
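The two DNS inspection actions on the slides above (Domain Not Found and Sinkhole), worked through as an added Python example; this is not Cisco's code and not part of the original deck. It parses a raw DNS query off the wire, matches the query name and its parent domains against a Security Intelligence list, and builds either an NXDOMAIN reply or an A record pointing at the sinkhole, emitting an SI event in both cases. The list contents, the sinkhole address 10.99.99.99, the example-bad domains and the treatment of the Block action as a silent drop are all assumptions for the example.

```python
import socket
import struct

# DNS Security Intelligence actions named on the slides.
ACTIONS = ("monitor", "block", "nxdomain", "sinkhole")

# Constructed sample DNS list: domain -> (category, action). Only the first
# domain appears on the slides; the others are made up for the example.
DNS_SI_LIST = {
    "tbhatc.mxp2398.com": ("malware", "nxdomain"),
    "cnc.example-bad.net": ("cnc", "sinkhole"),
    "spam.example-bad.org": ("spam", "monitor"),
}
SINKHOLE_IP = "10.99.99.99"  # assumption: an internal sinkhole you control and log on


def parse_query(packet: bytes):
    """Parse the header and first question of a DNS query.
    Returns (txid, flags, qname, qtype, qclass, raw_question_bytes)."""
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not legal in a query name
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return txid, flags, ".".join(labels).lower(), qtype, qclass, packet[12:pos]


def lookup(qname: str):
    """Match the name or any parent domain, so www.cnc.example-bad.net hits cnc.example-bad.net."""
    parts = qname.split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in DNS_SI_LIST:
            return candidate, DNS_SI_LIST[candidate]
    return None


def build_response(txid, flags, question, rcode=0, answer=b"", ancount=0):
    """Header with QR=1, RD copied from the query, RA=1, the given RCODE; then the question and answers."""
    rflags = 0x8000 | (flags & 0x0100) | 0x0080 | rcode
    header = struct.pack("!HHHHHH", txid, rflags, 1, ancount, 0, 0)
    return header + question + answer


def apply_policy(packet: bytes, client_ip: str):
    """Return (verdict, response_packet_or_None, si_event_or_None) for one DNS query."""
    txid, flags, qname, qtype, qclass, question = parse_query(packet)
    match = lookup(qname)
    if match is None:
        return "allow", None, None
    listed, (category, action) = match
    event = {"client": client_ip, "query": qname, "list_entry": listed,
             "category": category, "action": action}
    if action == "monitor":
        return "allow", None, event          # forward, but record the SI event
    if action == "block":
        return "drop", None, event           # assumption: drop silently, client times out
    if action == "nxdomain":
        return "nxdomain", build_response(txid, flags, question, rcode=3), event
    # sinkhole: answer A queries with the sinkhole address so the follow-on
    # connection exposes the infected host; other record types get NXDOMAIN
    if qtype == 1 and qclass == 1:
        rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(SINKHOLE_IP)
        event["ioc"] = "expect connection to %s from %s" % (SINKHOLE_IP, client_ip)
        return "sinkhole", build_response(txid, flags, question, answer=rr, ancount=1), event
    return "nxdomain", build_response(txid, flags, question, rcode=3), event


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Construct a standard recursive query; used only to produce sample input."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    for host in ("tbhatc.mxp2398.com", "www.cnc.example-bad.net", "www.example.com"):
        verdict, resp, ev = apply_policy(build_query(host), "10.15.0.21")
        print(host, verdict, ev)
```

The sinkhole branch is the one that turns a DNS event into an Indication of Compromise: the NGFW does not need to see the later C&C session to know which endpoint to suspect, because only an infected host will try to connect to 10.99.99.99 after receiving that answer.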
ISE Integration

• Receive identity data from pxGrid / ISE (more than just AD)
• Receive device-type / network Security Group Tags from pxGrid / ISE
• Ability to exert control based on the above in rules, e.g. block HR users from using personal iPads
ISE Integration for Rapid Threat Containment
RTC Use Case: Dynamic Segmentation using TrustSec

[Diagram: a GFE workstation on Floor 1 (OS Type: Windows XP Embedded, User: Mary, AD Group: Employee, Asset Registration: Yes, MAC Address: aa:bb:cc:dd:ee:ff) connects through the Floor 1/Floor 2 switches and the backbone to the Data Center (DC FW, TS Server, High Security DB), with ISE, a threat-detection/SIEM system and a sinkhole alongside.]

1. FirePOWER detects the attack and sends the event to ISE over pxGrid/EPS: Source: FirePower, Event: TCP SYN Scan, Source IP: 1.2.3.4, Response: Quarantine
2. ISE changes the endpoint's SGT to Non-Compliant (Security Group = Non-Compliant)
3. The Non-Compliant tag follows the compromised endpoint: contain it and/or use the tag for further forensics

SGACL Policy for the Non-Compliant group (Anti-Malware-ACL):
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www
deny tcp src dst eq 443
deny tcp src dst eq 22
deny tcp src dst eq pop3
deny tcp src dst eq 123
ThreatGRID Integration

• Migration to ThreatGRID for dynamic file analysis / sandboxing
• Cisco-owned sandboxing technology
• Ability to use on-premise (private) sandbox appliances as well as the public sandbox cloud
• Seamless migration requiring no customer intervention
• Supported combinations: Public AMP / Public ThreatGRID; Public AMP / Private ThreatGRID
• Use of a Private AMP Cloud is currently not supported in Drambuie
How Cisco AMP Works: Network File Trajectory Use Case
1. An unknown file is present on IP 10.4.10.183, having been downloaded via Firefox.
2. At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
3. Seven hours later the file is transferred to a third device (10.3.4.51) using an SMB application.
4. The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
5. Cisco Talos Intelligence learns this file is malicious and a retrospective event is raised for all four devices immediately.
6. At the same time, a device with the AMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
7. 8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
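The retrospection mechanism behind that trajectory, as an added Python example that is not Cisco's code and not part of the original deck. It keeps a per-hash ledger of every host a file has been seen on, so that when the cloud disposition later flips to malware it can raise one retrospective event per host and block the next copy of the same file at the perimeter. The SHA-256, the 10:30 initial download time, the source hosts of the two SMB copies and the HTTP label on the 10:57 transfer are assumptions; the slides only give the destinations and relative timings.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta


class FileTrajectory:
    """Per-SHA-256 ledger of which hosts sent or received a file, so a later
    disposition change can be turned into events for every host on the path."""

    def __init__(self):
        self.transfers = defaultdict(list)       # sha256 -> [(time, src_ip, dst_ip, app)]
        self.hosts_with_file = defaultdict(set)  # sha256 -> hosts that sent or received it
        self.disposition = {}                    # sha256 -> "unknown" | "clean" | "malware"

    def record_transfer(self, sha256, when, src_ip, dst_ip, app):
        """Called for every file the NGFW sees. Returns 'block' if the hash is already
        known malware, otherwise 'allow' (and remembers the transfer for retrospection)."""
        disposition = self.disposition.setdefault(sha256, "unknown")
        if disposition == "malware":
            return "block"
        self.transfers[sha256].append((when, src_ip, dst_ip, app))
        self.hosts_with_file[sha256].add(dst_ip)
        if src_ip is not None:                   # None = external source, not a monitored host
            self.hosts_with_file[sha256].add(src_ip)
        return "allow"

    def update_disposition(self, sha256, new_disposition, when):
        """Apply a cloud disposition change; returns the retrospective events it generates."""
        old = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = new_disposition
        if new_disposition != "malware" or old == "malware":
            return []
        return [
            {"type": "retrospective_malware", "sha256": sha256, "host": host,
             "first_seen": min(t for t, s, d, _ in self.transfers[sha256] if host in (s, d)),
             "raised_at": when}
            for host in sorted(self.hosts_with_file[sha256])
        ]


def run_scenario():
    """Replay the slides' Network File Trajectory story with constructed timestamps and hash."""
    sha256 = hashlib.sha256(b"constructed sample file").hexdigest()
    t0 = datetime(2016, 1, 1, 10, 30)            # assumed time of the initial Firefox download
    ledger = FileTrajectory()
    verdicts = [
        ledger.record_transfer(sha256, t0, None, "10.4.10.183", "Firefox"),
        # 10:57 transfer; application and direction inferred from the slide (assumption: HTTP)
        ledger.record_transfer(sha256, t0.replace(hour=10, minute=57), "10.4.10.183", "10.5.11.8", "HTTP"),
        # seven hours later to a third device over SMB (assumed source: 10.5.11.8)
        ledger.record_transfer(sha256, t0 + timedelta(hours=7, minutes=27), "10.5.11.8", "10.3.4.51", "SMB"),
        # half an hour later to a fourth device over SMB (assumed source: 10.3.4.51)
        ledger.record_transfer(sha256, t0 + timedelta(hours=7, minutes=57), "10.3.4.51", "10.5.60.66", "SMB"),
    ]
    # Talos learns the file is malicious: one retrospective event per host on the trajectory
    retro = ledger.update_disposition(sha256, "malware", t0 + timedelta(hours=7, minutes=58))
    # 8 hours after the first attack the same file is offered again at the original entry point
    reentry = ledger.record_transfer(sha256, t0 + timedelta(hours=8), None, "10.4.10.183", "Firefox")
    return {"verdicts": verdicts,
            "retrospective_hosts": [e["host"] for e in retro],
            "reentry": reentry}


if __name__ == "__main__":
    print(run_scenario())
```

The point the ledger makes explicit is that retrospective security is only as good as the trajectory data: a host that received the file over a path the NGFW never saw gets no event, which is why the deck pairs network AMP with the endpoint connector.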
Cisco Confidential 44© 2015 Cisco and/or its affiliates. All rights reserved.
ThreatGRID Integration – Summary Threat Report
Cisco Confidential 45© 2015 Cisco and/or its affiliates. All rights reserved.
ThreatGRID Integration – Full Threat Report
AMP at the Endpoint
AMP for Endpoint – Public + Private Cloud Options
AMP for Endpoint – Indicators of Compromise
AMP for Endpoint - Stop malware and provide visibility
With AMP for NGFW + AMP for Endpoints: NGFW AMP + Endpoint AMP = Better Context in FMC

• Detecting malware is great, but it could have been blocked on the client by AV or AMP for Endpoints
• Knowing the malware executed makes prioritizing response much easier
NGFW AMP + Endpoint AMP = Better Context in FMC

A device with the AMP for Endpoints connector reacts to a retrospective event and immediately stops and quarantines the newly detected malware.
Firepower Management Center
FireSIGHT
Cisco FireSIGHT Provides Unmatched Visibility for Accurate Threat Detection and Adaptive Defense

Threats, Users, Web Applications, Application Protocols, File Transfers, Malware, Command & Control, Operating Systems, Client Applications, Network Servers, Mobile Devices
Indications of Compromise (IoCs)

• IPS Events: malware backdoors
• SI Events: connections to known CnC IPs
• Malware Events
Impact Assessment

Correlates all intrusion events to an impact of the attack against the target

IMPACT FLAG | ADMINISTRATOR ACTION | WHY
1 | Act Immediately, Vulnerable | Event corresponds to a vulnerability mapped to the host
2 | Investigate, Potentially Vulnerable | Relevant port open or protocol in use, but no vulnerability mapped
3 | Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use
4 | Good to Know, Unknown Target | Monitored network, but unknown host
0 | Good to Know, Unknown Network | Unmonitored network
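The decision table above, applied top to bottom against a host map, as an added Python example that is not Cisco's code and not part of the original deck. The network map, host profiles, vulnerability IDs (VULN-1001 and VULN-2002 are placeholders) and events are constructed; the only thing taken from the slide is the order in which the five conditions are tested and the flag each one yields.

```python
import ipaddress
from dataclasses import dataclass, field

# Impact flags and administrator guidance from the Impact Assessment slide.
IMPACT_LABELS = {
    1: "Act Immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to Know, Currently Not Vulnerable",
    4: "Good to Know, Unknown Target",
    0: "Good to Know, Unknown Network",
}
# Triage order: flag 1 first; flag 0 (unmonitored network) last.
TRIAGE_ORDER = (1, 2, 3, 4, 0)


@dataclass
class HostProfile:
    """What the network map has learned about one host (constructed for this example)."""
    ip: str
    open_services: set = field(default_factory=set)    # {(proto, port)} seen in use, e.g. ("tcp", 445)
    vulnerabilities: set = field(default_factory=set)  # vulnerability IDs mapped to the host


@dataclass
class IntrusionEvent:
    rule: str
    dst_ip: str
    proto: str
    dst_port: int
    vuln_ids: frozenset = frozenset()  # vulnerabilities the triggering rule is associated with


class NetworkMap:
    def __init__(self, monitored_networks, hosts):
        self.networks = [ipaddress.ip_network(n) for n in monitored_networks]
        self.hosts = {h.ip: h for h in hosts}

    def is_monitored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


def impact_flag(event, netmap):
    """Apply the slide's decision table top to bottom and return the impact flag."""
    if not netmap.is_monitored(event.dst_ip):
        return 0   # unmonitored network: no host data can exist for the target
    host = netmap.hosts.get(event.dst_ip)
    if host is None:
        return 4   # monitored network, but this host has never been profiled
    if event.vuln_ids & host.vulnerabilities:
        return 1   # the rule's vulnerability is mapped to this host
    if (event.proto, event.dst_port) in host.open_services:
        return 2   # port/protocol in use, but no matching vulnerability mapped
    return 3       # the target does not even expose the relevant service


def triage(events, netmap):
    """Return (flag, label, event) tuples ordered by urgency."""
    scored = [(impact_flag(e, netmap), e) for e in events]
    scored.sort(key=lambda fe: TRIAGE_ORDER.index(fe[0]))
    return [(f, IMPACT_LABELS[f], e) for f, e in scored]


# Constructed sample data: one /8 is monitored, two hosts are profiled.
SAMPLE_MAP = NetworkMap(
    ["10.0.0.0/8"],
    [
        HostProfile("10.4.10.183", {("tcp", 445), ("tcp", 3389)}, {"VULN-1001"}),
        HostProfile("10.5.11.8", {("tcp", 80)}, set()),
    ],
)
SAMPLE_EVENTS = [
    IntrusionEvent("SMB exploit attempt", "10.5.11.8", "tcp", 445, frozenset({"VULN-1001"})),
    IntrusionEvent("HTTP scanner", "10.5.11.8", "tcp", 80, frozenset({"VULN-2002"})),
    IntrusionEvent("SMB exploit attempt", "10.4.10.183", "tcp", 445, frozenset({"VULN-1001"})),
    IntrusionEvent("SMB exploit attempt", "10.3.4.51", "tcp", 445, frozenset({"VULN-1001"})),
    IntrusionEvent("SMB exploit attempt", "192.0.2.10", "tcp", 445, frozenset({"VULN-1001"})),
]

if __name__ == "__main__":
    for flag, label, ev in triage(SAMPLE_EVENTS, SAMPLE_MAP):
        print(flag, label, ev.rule, ev.dst_ip, ev.dst_port)
```

Note that the same SMB rule produces four different flags here depending only on what the map knows about the destination; that is why the quality of passive host profiling (open ports, OS, mapped vulnerabilities) decides how useful impact flags are in practice.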
FireSIGHT Management Center: single console for event, policy, and configuration management
Awareness Delivers Insight

• OS & version identified
• Server applications and version
• Client applications and client version
• Who is at the host
• What other systems / IPs did the user have, and when?
Multi-Tenancy through Domains and Multiple Network Maps

Use cases: Large Enterprises, MSSP
Benefits: Segmentation, Granular RBAC, Overlapping IP Addresses, Maintaining Privacy
Domain Overview

[Diagram: three levels of domains. Level 1 is the Global domain (Global Policies, Global Objects, Global Analytics); level 2 holds West Region, East Region and UK; level 3 holds UK/London and UK/Oxford beneath UK. Each domain has its own Analytics, Objects and Policies.]

Supports up to 50 domains and 3 levels. Available for all platforms running 6.0.
Thank You