Cisco Threat-Focused Next Generation Firewall
Dan Reed – Security Consulting Systems [email protected]
March 2016
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
What is a NGFW?
• Typical Firewall Features
• Application Visibility & Control
• Integrated Network IPS
• Extra Firewall Intelligence
The Problem with Legacy Next-Generation Firewalls
Focus on the Apps… But Miss the Threat
Legacy NGFWs can reduce attack surface area, but advanced malware often evades their security controls.
Attack Continuum
A typical NGFW enables applications and protects BEFORE an attack, but is less effective DURING or AFTER one; that is the gap.
The DURING and AFTER phases are covered by siloed point products: IPS, URL filtering, sandbox, DDoS protection, and incident response.
Cisco Firepower™ NGFW: Stop more threats across the entire attack continuum
BEFORE: Discover threats and enforce security policies
DURING: Detect, block, and defend against attacks
AFTER: Remediate breaches and prevent future attacks
“You can’t protect what you can’t see”
Gain more insight with increased visibility. The slide compares what a typical IPS, a typical NGFW, and Cisco Firepower™ NGFW each see across the following:
• Threats
• Users
• Web applications
• Application protocols
• File transfers
• Malware
• Command and control servers
• Client applications
• Operating systems
• Network servers
• Mobile devices
• VoIP phones
• Routers and switches
• Printers
Cisco Firepower™ Management Center
Reduce complexity with simplified, consistent management
Unified
• Network-to-endpoint visibility
• Manages firewall, applications, threats, and files
• Track, contain, and recover remediation tools
Scalable
• Central, role-based management
• Multitenancy
• Policy inheritance
Automated
• Impact assessment
• Rule recommendations
• Remediation APIs
Detect infections earlier and act faster
Median time to detection (TTD)*: Cisco 17.5 hours vs. an industry rate of 100 days
• Automated attack correlation
• Indications of compromise
• Local or cloud sandboxing
• Malware infection tracking
• Two-click containment
• Malware analysis
Source: Cisco® 2016 Annual Security Report. *Median time to detection (TTD)
Security Services
Add security services to help defend your network
Services: Stateful Firewalling, VPN Capabilities, AVC, URL Filtering, NGIPS, AMP
Foundational Functionality (included by default)
Built-in firewall services to provide base protection and connect with other security solutions:
• Stateful Firewalling
• VPN Capabilities
• Policy Enforcement Point for ISE
FirePOWER Services (subscription)
Subscription services that run on the ASA and provide enhanced levels of threat protection and network visibility:
• Advanced Malware Protection (AMP)
• Next-Generation Intrusion Prevention System (NGIPS)
• URL Filtering
• Application Visibility and Control (AVC)
URL Filtering: Minimize your exposure to web-based threats
Restrict categories of URLs: filter out over 280 million URLs based on any of the 80+ categories into which they are grouped (for example Social Media, Gambling, Health, Drug Use, Gaming); new URLs are added daily.
Block specific URLs: restrict access to specific sites and subsites, for example allowing office365.com while restricting bad_url.com.
Change policies easily: use the refined user interface to make additions or changes with just a few clicks.
NGIPS: Gain unmatched visibility and threat detection
Protect the network more effectively: NGIPS automatically correlates information from intrusion events with network assets to prioritize threat investigation (Priority 1, 2, 3). Blended threats and attacks coming through multiple vectors are quickly identified.
Reduce IT management burden: policies can be updated automatically based on vulnerabilities and previous intrusion events, and admins can adjust policies and system settings across locations from a single location, even offsite.
AMP: Protect against the most advanced forms of malware and remediate after a breach
Point-in-time Protection: identify malware that other solutions miss by analyzing files based on reputation or suspicious behavior. AMP is continuously updated to ensure that it can stop the latest and most advanced forms of malware. Techniques: one-to-one signature, fuzzy fingerprinting, machine learning, dynamic analysis, indications of compromise, device flow correlation, advanced analytics.
Continuous Protection: defend against attacks even after a file passes the perimeter. AMP tracks files as they move around the network; if they turn out to be malicious, you can quickly determine the areas of impact and remediate. Capabilities: trajectory, behavioral indications of compromise, breach hunting, retrospection, attack chain weaving.
AVC: Reduce attack surfaces by controlling application access
• Control port- and protocol-hopping apps that evade traditional firewalls
• Limit the exposure created by social media applications
• Enforce acceptable use policies with granular control over applications and micro-applications
• Use custom application detectors / OpenAppID
Stateful Firewalling: Leverage the proven ASA Firewall capabilities
Standard Functions
• IP Fragmentation
• IP Option Inspection
• TCP Intercept
• TCP Normalization
• ACL
• NAT
• Routing
New ASA Features
• Clientless tagging, WebVPN support for OWA 2013 and XenDesktop 7.5
• TLS 1.2
• ECMP support, IPv6 BGP
• Standards-based IKEv2 support, Citrix HTML5 browser support
• VPN clients: Windows 7, 8.1, 8.1 phone client, iOS 8, Knox and strongSwan
• Full VXLAN support
• Policy-based Routing
• REST API and SNMP enhancements
VPN Capabilities: Extend protection to off-site users
Threat protection, data-loss prevention, acceptable use, and access control for remote users.
Diverse Endpoint Support: mobile and non-mobile devices; Cisco and non-Cisco devices
Broad VPN Deployment: AnyConnect 4.0 and 3rd-party VPNs; single- and multi-site deployments
Split Tunneling Capabilities: separates corporate and sensitive information from personal and generic information
FireSIGHT
Cisco FireSIGHT Provides Unmatched Visibility for Accurate Threat Detection and Adaptive Defense
Visibility into: threats, users, web applications, application protocols, file transfers, malware, command & control, operating systems, client applications, network servers, mobile devices
Impact Assessment
Correlates all intrusion events to an impact of the attack against the target

IMPACT FLAG | ADMINISTRATOR ACTION                    | WHY
1           | Act Immediately, Vulnerable            | Event corresponds to vulnerability mapped to host
2           | Investigate, Potentially Vulnerable    | Relevant port open or protocol in use, but no vuln mapped
3           | Good to Know, Currently Not Vulnerable | Relevant port not open or protocol not in use
4           | Good to Know, Unknown Target           | Monitored network, but unknown host
0           | Good to Know, Unknown Network          | Unmonitored network
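The flag logic in the table above, worked through as an added Python example (this is not Cisco code and does not use any Firepower API; the Host and IntrusionEvent structures, the placeholder vulnerability IDs and the sample inventory are constructed assumptions). The order of the checks is what matters: monitored network first, then host known, then vulnerability mapped, then port open or protocol in use. Events with no port (ICMP) are handled by treating the protocol alone as the "service".

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Administrator action per impact flag, as in the table above.
IMPACT_ACTIONS = {
    1: "Act Immediately, Vulnerable",
    2: "Investigate, Potentially Vulnerable",
    3: "Good to Know, Currently Not Vulnerable",
    4: "Good to Know, Unknown Target",
    0: "Good to Know, Unknown Network",
}

# Triage order: flag 1 is most urgent, the three "Good to Know" flags come last.
TRIAGE_ORDER = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


@dataclass
class Host:
    """Host profile as passive discovery would build it (constructed, not FMC data)."""
    ip: str
    services: Set[Tuple[str, Optional[int]]] = field(default_factory=set)  # (proto, port)
    vulns: Set[str] = field(default_factory=set)  # vulnerability IDs mapped to this host


@dataclass
class IntrusionEvent:
    """Minimal IPS event: target, transport, and the vulnerability IDs the rule references."""
    rule: str
    dst_ip: str
    proto: str
    dst_port: Optional[int]
    vuln_refs: Set[str] = field(default_factory=set)


def impact_flag(event: IntrusionEvent,
                hosts: Dict[str, Host],
                monitored_networks: Iterable[str]) -> int:
    """Assign the impact flag (0-4) for one event by correlating it with host data."""
    target = ipaddress.ip_address(event.dst_ip)
    if not any(target in ipaddress.ip_network(n) for n in monitored_networks):
        return 0  # unmonitored network: nothing is known about the target
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4  # monitored network, but no host profile for this IP
    if event.vuln_refs & host.vulns:
        return 1  # the rule's vulnerability is mapped to the host
    if (event.proto, event.dst_port) in host.services:
        return 2  # relevant port open / protocol in use, but no vuln mapped
    return 3  # relevant port not open / protocol not in use


def prioritize(events: Iterable[IntrusionEvent],
               hosts: Dict[str, Host],
               monitored_networks: Iterable[str]) -> List[Tuple[int, IntrusionEvent]]:
    """Return (flag, event) pairs, most urgent first."""
    flagged = [(impact_flag(e, hosts, monitored_networks), e) for e in events]
    return sorted(flagged, key=lambda fe: TRIAGE_ORDER[fe[0]])


# Constructed sample data: placeholder vulnerability IDs, not real CVEs.
MONITORED_NETWORKS = ["10.0.0.0/8"]
HOSTS = {
    "10.1.1.10": Host("10.1.1.10",
                      services={("tcp", 445), ("tcp", 3389), ("icmp", None)},
                      vulns={"vuln-A"}),
    "10.1.1.20": Host("10.1.1.20", services={("tcp", 80)}),
}
EVENTS = [
    IntrusionEvent("smb-exploit-attempt", "10.1.1.10", "tcp", 445, {"vuln-A"}),   # flag 1
    IntrusionEvent("rdp-bruteforce", "10.1.1.10", "tcp", 3389, {"vuln-B"}),       # flag 2
    IntrusionEvent("http-scanner", "10.1.1.10", "tcp", 80, {"vuln-C"}),           # flag 3
    IntrusionEvent("http-scanner", "10.1.1.99", "tcp", 80, {"vuln-C"}),           # flag 4
    IntrusionEvent("http-scanner", "192.168.5.5", "tcp", 80, {"vuln-C"}),         # flag 0
]

if __name__ == "__main__":
    for flag, ev in prioritize(reversed(EVENTS), HOSTS, MONITORED_NETWORKS):
        print(f"impact {flag}: {IMPACT_ACTIONS[flag]:<40} {ev.rule} -> {ev.dst_ip}")
```

The quality of the result depends entirely on the host inventory: a stale or empty vulnerability map collapses every hit on a live service into flag 2, so the "Investigate" queue grows while genuine flag 1 events are hidden among them.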
Indications of Compromise (IoCs)
IPS Events: malware backdoors, CnC connections, exploit kits, admin privilege escalations, web app attacks
SI Events: connections to known CnC IPs
Malware Events: malware detections, malware executions, Office/PDF/Java compromises, dropper infections
Firepower Management Center: Single console for event, policy, and configuration management
Awareness Delivers Insight
• OS and version identified
• Server applications and version
• Client applications and client version
• Who is at the host
• What other systems / IPs did the user have, and when?
Platforms
Cisco NGFW Product Family: Four Categories (Select Models Pictured), arranged by performance and scalability
SMB & Distributed Enterprise: ASA 5506-X, ASA 5506W-X, ASA 5508-X, ASA 5516-X (ASA low-end, including hardened FW for IoT/E)
Commercial & Enterprise: ASA 5525-X, ASA 5545-X, ASA 5555-X
Data Center, High Performance Computing, Service Provider: ASA 5585-SSP10, ASA 5585-SSP20, ASA 5585-SSP40, ASA 5585-SSP60
New Appliances: Cisco Firepower™ 4100 Series and 9300
Virtual Appliances: ASAv, FTDv
Cisco Firepower 4100 Series: Introducing four new high-performance models
Multiservice Security
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future third party
Performance and Density Optimization
• 10-Gbps and 40-Gbps interfaces
• Up to 80-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency
Unified Management
• Single management interface with Firepower Threat Defense
• Unified policy with inheritance
• Choice of management deployment options
Cisco Firepower 9300 Platform: High-speed, scalable security
Multiservice Security
Benefits: integration of best-in-class security; dynamic service stitching
Features*: Cisco® ASA container; Cisco Firepower™ Threat Defense containers (NGIPS, AMP, URL, AVC); third-party containers (Radware DDoS, other ecosystem partners)
Modular
Benefits: standards and interoperability; flexible architecture
Features: template-driven security; secure containerization for customer apps; RESTful/JSON API; third-party orchestration and management
Carrier Class
Benefits: industry-leading performance (600% higher performance, 30% higher port density)
Features: compact 3RU form factor; 10-Gbps/40-Gbps I/O, 100-Gbps ready; terabit backplane; low latency, intelligent fast path; Network Equipment-Building System (NEBS) ready
* Contact Cisco for services availability
Firepower Threat Defense
Introducing Cisco Firepower Threat Defense
Fully Integrated
• FW / applications / IPS
• Cisco® AMP – network / endpoint
• Analysis and remediation
• Cisco security solutions
• Application-aware DDoS
Threat Focused
• Networkwide visibility
• Industry-best threat protection
• Known and unknown threats
• Track / contain / recover
• Across attack continuum
Unified Management
• Manage, control, and investigate
• Automatically prioritize
• Automatically protect
Converged Software – Firepower Threat Defense
New Converged Software Image: Firepower Threat Defense (FirePOWER + ASA)
• Contains all Firepower Services plus select ASA capabilities
• Single Manager: Firepower Management Center*
Same subscriptions as FirePOWER Services, enabled by Smart Licensing:
• Threat (IPS + SI + DNS)
• Malware (AMP + ThreatGrid)
• URL Filtering
* Also manages Firepower Appliances and Firepower Services (not ASA Software)
Deployment Modes
• Basic deployment modes, firewall modes (choose one): Routed, Transparent
• Other interface modes, IPS/IDS modes: Inline, Inline Tap, Passive
Firepower Threat Defense interface modes (diagram): routed/transparent interfaces, inline pairs grouped into an inline set, inline tap, and passive interfaces, each feeding the policy tables
What Platforms run Firepower Threat Defense?
All* managed by Cisco Firepower Management Center:
• Cisco Firepower Threat Defense on Firepower™ 4100 Series and 9300 (new appliances)
• Cisco Firepower Threat Defense on ASA 5500-X
• Cisco FirePOWER Services on ASA 5585-X
• Cisco FirePOWER on 7000/8000 Series Appliances
* 5585-X ASA module management being investigated for 2HCY16
Cisco FirePOWER Threat Defense for ISR
Cisco ISR G2 Series or Cisco® 4000 Series ISR, plus Cisco UCS® and the AppX + Security License, runs FirePOWER Threat Defense
Network Visibility, Granular App Control, Modern Threat Control, Visibility and Automation:
• NGIPS
• Security Intelligence
• URL Filtering
• Advanced Malware Protection
• Retrospective Security
• IoCs/Incident Response
Across the attack continuum: BEFORE (Discover, Enforce, Harden); DURING (Detect, Block, Defend); AFTER (Scope, Contain, Remediate)