Cisco Connect Vancouver 2017 - Putting firepower into the next generation firewall
1. Cisco Confidential © 2016 Cisco and/or its affiliates. All rights reserved.
Cisco Connect: Your Time Is Now
Putting Firepower into the Next Generation Firewall
Rob Bleeker
Consulting Systems Engineer, Cybersecurity
CCIE #2926
November 16, 2017
2. Today’s agenda
• Firepower Software Overview
• ASA and Firepower NGFW platforms
• Management options
• Deployment Design Use-case
• Policies
5. Firepower Threat Defense
ASA (L2-L4):
• L2-L4 stateful firewall
• Scalable CGNAT, ACL, routing
• Application inspection
• RA + L2L VPN
• Multi-context
Firepower (L7):
• Threat-centric NGIPS
• AVC, URL filtering for NGFW
• Advanced Malware Protection
The full feature set of both continuously migrates into Firepower Threat Defense, a single converged OS covering firewall, URL, visibility and threats, managed by Firepower Management Center (FMC). The diagram shows ASA with Firepower Services alongside it.
6. What are the Firepower Deployment Options?
• Firepower Appliances: 7000 / 7100 / 8000 / Virtual
• ASA with FirePOWER Services (ASA 9.5.x): ASA 5500-X (all models)
• Firepower Threat Defense: ASA 5500-X / Virtual, Firepower 2100 / 4100 / 9300
The ASA 5585 cannot run the FTD image!
All are managed by Firepower Management Center.
7. Feature Comparison: ASA with Firepower Services and Firepower Threat Defense
Feature                                     | Firepower Threat Defense                                              | Firepower Services for ASA
SIMILARITIES
Routing + NAT                               | ✔ (OSPF, BGP, static, RIP, multicast; EIGRP/PBR via FlexConfig)       | ✔ (OSPF, BGP, EIGRP, static, RIP, multicast)
On-box management                           | ✔                                                                     | ✔
HA (Active/Passive)                         | ✔                                                                     | ✔
Clustering (Active/Active)                  | ✔                                                                     | ✔
Site-to-site and remote access VPN          | ✔                                                                     | ✔
Policy based on SGT tags                    | ✔                                                                     | ✔
DIFFERENCES
Unified ASA and Firepower rules and objects | ✔                                                                     | ✘
Hypervisor support                          | ✔ (AWS, VMware, KVM, Azure (6.2))                                     | ✘
Smart Licensing support                     | ✔                                                                     | ✘
Multi-context support                       | ✘ (coming soon!)                                                      | ✔
Note: not an exhaustive feature list.
8. OpenAppID
Next-generation visibility with OpenAppID: Application Visibility & Control
• See and understand risks (network and users)
• Enforce granular access control
• Prioritize traffic and limit rates (rate-limit traffic)
• Create detectors for custom apps
Cisco database: 4,000+ apps.
9. Web acceptable use controls and threat prevention
URL Filtering – Security Intelligence Feeds – DNS Sinkhole capability
• Classify 280M+ URLs
• Filter sites using 80+ categories
• Manage “allow/block” lists easily
• Block latest malicious URLs
Diagram: the admin builds category-based policy (allow / block) from the Cisco URL Database; the NGFW filters using security feeds (URL | IP | DNS), with DNS Sinkhole and Safe Search.
10. Granular SSL Decryption Capabilities
Decrypt 3.5 Gbps of traffic over five million simultaneous flows
SSL/TLS handshake certificate inspection and TLS decryption engine
• Inspect deciphered packets
• Track and log all SSL sessions
Diagram: encrypted traffic enters the SSL decryption engine; deciphered packets go to AVC and NGIPS (URL categories such as gambling and illicit), which feed the enforcement decisions and the log.
11. Application and Context Aware Intrusion Prevention
Next-Generation Intrusion Prevention System (NGIPS)
1. Scan network traffic: data packets, communications, app and device data
2. Correlate data and detect stealthy, blended threats: network profiling, phishing attacks, innocuous payloads, infrequent callouts
3. Respond based on priority: prioritize response, accept or block, automate policies (with ISE)
12. File Reputation: Malware and Ransomware Detection and Blocking
Cisco AMP Threat Grid (Advanced Malware Protection and cloud sandboxing)
Block known malware – Investigate files safely – Detect new threats – Respond to alerts
• File reputation: known signatures, fuzzy fingerprinting, indications of compromise
• Threat Grid sandboxing: advanced analytics, dynamic analysis, threat intelligence
• Threat disposition (Safe / Uncertain / Risky) from sandbox analysis, with enforcement across all endpoints
• File & device trajectory from the AMP for Network and AMP for Endpoint logs
13. FlexConfig
• Provides a way to configure ASA features not exposed directly by Firepower Management Center:
  • EIGRP routing
  • PBR
  • IS-IS routing
  • NetFlow (NSEL) export
  • VXLAN
  • ALG inspections
  • IPv6 header inspection
  • Platform sysopt commands
  • WCCP
15. Cisco ASA 5500-X: SMB and Enterprise Branch NGFW
5506 / 5508 / 5516 performance:
• 1-Gb interfaces
• Up to 450 Mbps throughput
• Wireless option for 5506-X
• Software switching capability
• Firepower Threat Defense or ASA software options
5525 / 5545 / 5555 performance:
• 1-Gb interfaces
• Up to 1.2 Gbps throughput
• 5545 / 5555: redundant power supply and SSD option
• Firepower Threat Defense or ASA software options
Unified management:
• Firepower Management Center (enterprise management)
• Firepower Device Manager (on-box manager)
• Cisco Defense Orchestrator (cloud management)
16. Cisco Firepower 2100 Series: introducing four high-performance models
Purpose-built NGFW:
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
Performance and density optimization:
• 1-Gb and 10-Gb interfaces
• Up to 8.5-Gbps throughput
• 1-rack-unit (RU) form factor
• Dual SSD slots
• 12x RJ45 ports, 4x SFP(+)
• 2130 / 2140 models: 1x network module, fail-to-wire option*, DC and dual PSU support
Unified management:
• Firepower Management Center (enterprise management)
• Firepower Device Manager (on-box manager)
• Cisco Defense Orchestrator (cloud management)
17. Firepower 2100 Series Performance
                                   FPR 2110   FPR 2120   FPR 2130    FPR 2140
Throughput, NGFW                   1.9 Gbps   3 Gbps     4.75 Gbps   8.5 Gbps
Throughput, NGFW + IPS             1.9 Gbps   3 Gbps     4.75 Gbps   8.5 Gbps
Maximum concurrent sessions        1 M        1.2 M      2 M         3.5 M
Maximum new connections per second 12000      16000      24000       40000
No drop in performance!
18. Cisco Firepower 4100 Series: high performance campus and data center
Multiservice security:
• Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
• Radware DefensePro DDoS and other future third-party services
Performance and density optimization:
• 10-Gb and 40-Gb interfaces
• Up to 24-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency
Unified management:
• Firepower Management Center (enterprise management)
• Firepower Device Manager (on-box manager)
• Cisco Defense Orchestrator (cloud management)
19. Cisco Firepower 9300 Platform: high performance data center
Multiservice security
• Benefits: integration of best-in-class security; dynamic service stitching
• Features: ASA container option; Firepower™ Threat Defense (NGIPS, AMP, URL, AVC); third-party containers (Radware DDoS)
Modular
• Benefits: standards and interoperability; flexible architecture
• Features: template-driven security; secure containerization for customer apps; RESTful/JSON API; third-party orchestration and management
Carrier class
• Features: compact 3RU form factor; 10-Gbps/40-Gbps I/O, 100-Gbps; terabit backplane; low latency, intelligent fast path; Network Equipment-Building System (NEBS) ready
20. Cisco NGFW Platforms
NGFW capabilities all managed by Firepower Management Center (NGFW + IPS throughput):
• Firepower Threat Defense for ASA 5500-X: 250 Mb -> 1.75 Gb
• Firepower 2100 Series: 2 Gb -> 8 Gb
• Firepower 4100 Series and Firepower 9300: 41xx = 10 Gb -> 24 Gb, 93xx = 24 Gb -> 53 Gb; up to 6x with clustering!
21. Software Support – Physical Platforms
Platform                               | ASA | Firepower NGIPS | ASA with FirePOWER Services | Firepower Threat Defense
ASA 5506X -> 5555X (all models)        | ✓   |                 | ✓                           | ✓
Firepower 2100 (all models)            | ✓   |                 |                             | ✓
Firepower 4100 (all models)            | ✓   |                 |                             | ✓
Firepower 9300 (all models)            | ✓   |                 |                             | ✓
ASA 5585 (with SSP blade)              | ✓   |                 | ✓                           |
Firepower 7000 / 8000 (IPS appliances) |     | ✓               |                             |
22. Software Support – Virtual Platforms
Platform                                   | ASA | Firepower NGIPS | Firepower Threat Defense
ASAv (vSphere, AWS, Azure, Hyper-V, KVM)   | ✓   |                 |
Firepower NGIPSv (vSphere + ISR UCS-E)     |     | ✓               |
Firepower NGFWv (vSphere, AWS, Azure, KVM) |     |                 | ✓
23. FTD Deployment Modes
• FTD can act as both NGFW and NGIPS on different network interfaces
• NGIPS operates as standalone Firepower with limited ASA data plane functionality
NGIPS modes:
• Inline (FTD between Eth1/1 and Eth1/2)
• Inline Tap (FTD between Eth1/1 and Eth1/2)
• Passive (FTD on Eth1/1)
NGFW modes:
• Routed: FTD routes between inside (10.1.1.0/24), outside (10.1.2.0/24) and DMZ (10.1.3.0/24)
• Transparent: FTD bridges inside, outside and DMZ within one subnet (10.1.1.0/24)
24. Segmentation: VLAN Stitching
Database Zone, Application Zone, Web Zone and Campus Zone, each with APP / IPS / AMP inspection, are fronted by an FTD cluster.
How do I insert this into the datacenter without having to change the physical infrastructure or move the routing?
25. Segmentation: VLAN Stitching – Before
An L3 high-speed switch holds VLAN100 = 192.168.100.0/24 with SVI = 192.168.100.1; the Database, Application and Web zones all sit on VLAN100 next to the FTD cluster.
Traffic never hits the FW unless you change the routing or try to insert into the physical path.
26. Segmentation: VLAN Stitching – After
L3 high-speed switch, 192.168.100.0/24:
• VLAN100 = 192.168.100.0/24, SVI = 192.168.100.1
• VLAN101 = 192.168.100.10-50
• VLAN102 = 192.168.100.51-100
• VLAN103 = 192.168.100.101-110
Ex: for the Web Zone to get to the App Zone it has to go through policy on the FTD. The FTD stitches VLAN 101, 102 and 103. Now I can add additional L7 inspection.
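The address plan on this slide as an added example (not from the deck, not Cisco code): it classifies a host into its stitched VLAN by the host ranges above, reports whether a flow between two hosts is switched locally or has to traverse FTD policy, lists the hosts of the /24 that no stitched VLAN claims, and checks the plan for overlapping ranges. The VLAN-to-zone mapping (101 = Web, 102 = Application, 103 = Database) is an assumption made for the example; the slide names the zones but not which VLAN each one maps to.

```python
import ipaddress

# Constructed from the slide: the /24 on the L3 switch is split across stitched VLANs
# by host range; the SVI stays on VLAN 100. The zone name per VLAN is an assumption
# for this example (the slide does not state that mapping).
PARENT = ipaddress.ip_network("192.168.100.0/24")
SVI = ipaddress.ip_address("192.168.100.1")
STITCHED = {
    101: ("192.168.100.10", "192.168.100.50", "Web Zone"),
    102: ("192.168.100.51", "192.168.100.100", "Application Zone"),
    103: ("192.168.100.101", "192.168.100.110", "Database Zone"),
}


def _range(vlan):
    lo, hi, _zone = STITCHED[vlan]
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi)


def vlan_for(ip):
    """Return (vlan, zone) for a host of the /24; hosts no stitched VLAN claims stay on VLAN 100."""
    addr = ipaddress.ip_address(ip)
    if addr not in PARENT:
        raise ValueError(f"{ip} is outside {PARENT}")
    for vlan, (_lo, _hi, zone) in STITCHED.items():
        lo, hi = _range(vlan)
        if lo <= addr <= hi:
            return vlan, zone
    return 100, "unsegmented (VLAN 100)"


def path_for(src, dst):
    """Classify a flow between two hosts of the /24.

    'switched'    : same VLAN, forwarded at L2 by the switch; the FTD never sees it
    'ftd-policy'  : different stitched VLANs; the FTD bridges them, so access control
                    and L7 inspection (APP / IPS / AMP) apply
    'unsegmented' : at least one end is still on VLAN 100, outside the stitching plan
    """
    sv, _ = vlan_for(src)
    dv, _ = vlan_for(dst)
    if sv == dv:
        return "switched"
    if 100 in (sv, dv):
        return "unsegmented"
    return "ftd-policy"


def unsegmented_hosts():
    """Usable hosts of the /24 (minus the SVI) that no stitched VLAN covers: gaps to review."""
    return [str(h) for h in PARENT.hosts() if h != SVI and vlan_for(str(h))[0] == 100]


def check_plan():
    """Return a list of problems in the stitching plan: inverted or overlapping ranges."""
    problems = []
    vlans = sorted(STITCHED)
    for v in vlans:
        lo, hi = _range(v)
        if lo > hi:
            problems.append(f"VLAN {v}: range {lo}-{hi} is inverted")
    for i, a in enumerate(vlans):
        for b in vlans[i + 1:]:
            alo, ahi = _range(a)
            blo, bhi = _range(b)
            if alo <= bhi and blo <= ahi:
                problems.append(f"VLAN {a} and VLAN {b} overlap")
    return problems


if __name__ == "__main__":
    print(path_for("192.168.100.20", "192.168.100.60"))  # Web -> App: ftd-policy
    print(path_for("192.168.100.20", "192.168.100.30"))  # Web -> Web: switched
    print(len(unsegmented_hosts()), "hosts still on VLAN 100")
    print(check_plan())
```

The unsegmented-host list is the review item in a stitching project: with the ranges on the slide, 152 usable addresses of the /24 stay on VLAN 100 and reach every stitched zone without passing the FTD, so any host parked there is outside the new policy.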
27. The Security-Performance Problem
Security versus performance (diagram).
28. Bypass Options
• Fail-to-Wire Interfaces: bypass traffic upon appliance failure, including loss of power.
• Automatic Application Bypass: restarts Snort processes upon degraded performance.
• Intelligent Application Bypass: application-specific acceleration of defined applications if performance is degraded.
• Trust Rules: accelerate defined traffic but still apply Security Intelligence.
• Prefilter Policy: bypass deep inspection and Security Intelligence based on port / protocol / IP address / zone.
30. Management Options
• On-box: Firepower Device Manager enables easy on-box management of common security and policy tasks.
• Centralized: Firepower Management Center enables comprehensive security administration and automation of multiple appliances.
• Cloud-based: Cisco Defense Orchestrator enables centralized cloud-based policy management of multiple deployments.
31. Firepower Device Manager
• On-box manager for managing a single Firepower Threat Defense device
• Targeted for the SMB market
• Designed for the networking security administrator
• Simple and intuitive
• Mutually exclusive from FMC
• CLI for troubleshooting
33. Firepower Management Center
• Single manager for Firepower Threat Defense
• Can also manage Firepower appliance and “Services” deployments
• Broadest set of security capabilities for Firepower platforms!
36. On-box vs Off-box
Firepower Management Center (off-box) and Firepower Device Manager (on-box), compared on:
• NAT & routing
• Access control
• Intrusion & malware
• Device & events monitoring
• VPN – site to site & RA
• Security Intelligence
• Other policies: SSL, identity, rate limiting (QoS), etc.
• Active/passive authentication
• Firewall mode: routed / transparent (FMC), routed (FDM)
• Threat intelligence & analytics
• Correlation & remediation
• Risk reports
• Device setup wizard
• IPS tuning
• High availability
38. Troubleshooting: Packet Tracer
• Displays logs for a single simulated (virtual) packet
• Tracing data will include information from Snort and preprocessors about verdicts and actions taken while processing a packet
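The kind of per-stage trace the packet tracer produces, and the ordering behind the bypass options on slide 28 (a prefilter fastpath skips Security Intelligence and deep inspection; a trust rule skips deep inspection but Security Intelligence still applies), as an added Python example that is not part of the deck and not FMC's own tracer: it walks a constructed packet through a constructed prefilter policy, Security Intelligence list and access control rules in that order and returns the verdict together with the trace. The rule names, zones, the 203.0.113.0/24 block list and the policy names are all constructed for the example, not FMC configuration syntax.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy, not FMC configuration syntax. Evaluation order follows the
# deck: prefilter first, then Security Intelligence, then access control rules.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    src_zone: str
    dst_zone: str


# Prefilter rules: "fastpath" bypasses both SI and deep inspection, "analyze" hands the
# flow on. Matching uses port / protocol / zone only, as on the bypass slide.
PREFILTER = [
    {"name": "backup-fastpath", "proto": "tcp", "dport": 873,
     "src_zone": "inside", "dst_zone": "dmz", "action": "fastpath"},
]

# Security Intelligence block list (constructed; TEST-NET-3 stands in for a feed entry).
SI_BLOCK = [ipaddress.ip_network("203.0.113.0/24")]

# Access control rules, first match wins. "trust" skips deep inspection (SI already ran
# above), "allow" sends the flow to Snort with the named intrusion and file policies.
ACCESS = [
    {"name": "trust-voip", "proto": "udp", "dport": 5060, "action": "trust"},
    {"name": "allow-web", "proto": "tcp", "dport": 443, "action": "allow",
     "intrusion_policy": "balanced-security", "file_policy": True},
    {"name": "default-deny", "action": "block"},
]

_MATCH_KEYS = ("proto", "dport", "src_zone", "dst_zone")


def _matches(rule, pkt):
    """A rule matches when every match key it specifies equals the packet's attribute."""
    return all(getattr(pkt, k) == rule[k] for k in _MATCH_KEYS if k in rule)


def _si_hit(pkt):
    """Return the first packet address found on the SI block list, else None."""
    for ip in (pkt.src, pkt.dst):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in SI_BLOCK):
            return ip
    return None


def trace(pkt):
    """Walk one packet through the policy chain; return (verdict, [trace lines])."""
    lines = []
    for rule in PREFILTER:
        if _matches(rule, pkt):
            lines.append(f"prefilter: rule '{rule['name']}' -> {rule['action']}")
            if rule["action"] == "fastpath":
                lines.append("fastpath: SI and Snort inspection skipped")
                return "fastpath", lines
            break
    else:
        lines.append("prefilter: no match -> analyze")

    hit = _si_hit(pkt)
    if hit:
        lines.append(f"security intelligence: {hit} on block list -> block")
        return "block", lines
    lines.append("security intelligence: no match")

    for rule in ACCESS:
        if _matches(rule, pkt):
            lines.append(f"access control: rule '{rule['name']}' -> {rule['action']}")
            if rule["action"] == "trust":
                lines.append("trust: deep inspection skipped")
                return "trust", lines
            if rule["action"] == "allow":
                lines.append(f"snort: intrusion policy '{rule['intrusion_policy']}', "
                             f"file policy {'on' if rule.get('file_policy') else 'off'}")
                return "allow", lines
            return "block", lines
    return "block", lines + ["access control: no rule matched -> implicit block"]


if __name__ == "__main__":
    verdict, steps = trace(Packet("10.1.1.5", "203.0.113.7", "udp", 5060, "inside", "outside"))
    print(verdict)
    print("\n".join(steps))
```

The second test case below is the one worth remembering when tuning bypass: a flow that matches the trust rule is still blocked when its destination is on the Security Intelligence list, whereas the same flow under a prefilter fastpath rule would never be checked against that list at all.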
39. Troubleshooting: Packet Capture with Trace
• Captures and displays packets from live traffic
• Allows PCAP file download of the capture buffer
40. Lookup features – Geolocation & WHOIS
42. ISE remediation using pxGrid
43. Cisco Threat Intelligence Director (CTID)
• Uses customer threat intelligence to identify threats
• Automatically blocks supported indicators on Cisco NGFW
• Provides a single integration point for all STIX and CSV intelligence sources
44. Cisco Threat Intelligence Director Overview
45. Hail a TAXII!
• Free source of TAXII feeds
• Website URL: http://hailataxii.com
• Multiple feeds
• To configure the TAXII intelligence source:
  • URL: http://hailataxii.com/taxii-discovery-service
  • USERNAME: guest
  • PASSWORD: guest
47. Use Case: Internet Edge Firewall
Requirement
Connectivity and availability requirements:
• High availability, ROUTED mode
• Firewall should support routed or transparent mode
Routing requirements:
• Static and BGP routing
• Dynamic NAT/PAT and static NAT
Security requirements:
• Application control + URL acceptable use enforcement
• IPS and malware protection
• SSL decryption
Authentication requirements:
• User authentication and device identity
Solution
Security application: Firepower Threat Defense application with FMC
Diagram: Internet edge with the ISP / service provider on one side and the campus/private network and DMZ network on the other; FW in HA, attached by port-channel.
49. Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall: two or more interfaces that separate L3 domains; the firewall is the router and gateway for local hosts.
• Transparent Mode is where the firewall acts as a bridge functioning at L2.
• Transparent mode firewall offers some unique benefits in the DC.
• Transparent deployment is tightly integrated with our ‘best practice’ data center designs.
Diagram: routed firewall with NAT between 10.1.1.0/24 (firewall address 10.1.1.1) and 192.168.1.0/24 (firewall address 192.168.1.1); host IP 192.168.1.100, GW 192.168.1.1.
50. Link and Platform Redundancy Capabilities
Firewall link aggregation – high availability – clustering
• Link redundancy: resiliency with link failures; LACP (Link Aggregation Control Protocol) link redundancy and link aggregation
• Active / Standby HA
• Inter-chassis clustering: combine up to 6 9300 blades or 4100 appliances
51. Firepower 4100/9300 Clustering
Topology: an inside switch and an outside switch (VSS/vPC, compliant to the IEEE standard 802.3ad) connect to six FTD units over Spanned EtherChannel (recommended) on Port-channel5 and Port-channel6; In_P01 10.1.1.1/24, Out_P02 200.1.1.1/24.
Note: L3 PBR and ECMP models are supported.
Benefits
• High scale: NGFW
• Network integration: routing, switching, inter-site DC extensions
• High density: 40G/100G
• Clustering: intra-chassis, inter-chassis, inter-site
• Consistent policy management
Pay-as-you-grow
- Traditional ASA 16 node cluster
- FTD 6 nodes today will scale to 16 in the near future
Cisco Security Chalk Talk - NGFW Clustering Technology
https://www.youtube.com/watch?v=yt8Cc4tS0kE&t=38s&index=3&list=PLFT-9JpKjRTANXKBmLbQ611TPYLXbUL_0
53. Routing Protocol support
• OSPF and OSPFv3 (IPv6)
• BGP (IPv4 & IPv6)
• Static route
• Tunneled route support for VPNs
• Reverse Route Injection for VPNs
• Multicast routing
  • IGMP
  • PIM
• EIGRP via FlexConfig
54. Dynamic NAT for Direct Internet Access
Automatic and manual (complex) NAT support for FTD, including IPv6
55. Rate limiting Cloud File Sharing Traffic
• QoS Policy is a new policy type with a separate policy table
• Not associated with an Access Control Policy; directly associated with devices
57. Access Control Policy: the glue that ties everything together
An access control rule consists of criteria (to match), an action and inspection options. The Access Control Policy ties together the Prefilter Policy, SSL Policy, Identity Policy, Malware & File Policy, Intrusion Policy and DNS Policy.
58. Access Control Policy blocking inappropriate content
59. Granular SSL Decrypt
Can specify by application, certificate fields / status, ciphers, etc.
61. Malware and File Analysis
Attached to the Access Policy
62. URL-Based Security Intelligence
• Extension of IP-based SI
• TALOS dynamic feed, 3rd-party feeds and lists
• Multiple categories: Malware, Phishing, CnC, …
• Multiple actions: Allow, Monitor, Block, Interactive Block, …
• Policy configured via access rules or blacklist
• IoC tags for CnC and Malware URLs
• New dashboard widget for URL SI
• Black/white-list a URL with one click
(Screenshot: URL-SI categories)
63. DNS Inspection
• Security Intelligence support for domains
• Addresses challenges with fast-flux domains
• Cisco-provided and user-defined DNS lists: CnC, Spam, Malware, Phishing
• Multiple actions: Block, Domain Not Found, Sinkhole, Monitor
• Indications of Compromise extended with DNS Security Intelligence
(Screenshot: DNS list and action)
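An added Python example (not from the deck, not CTID or FMC code) that ties the CSV-source ingestion on the CTID slide to the DNS Security Intelligence actions above: it parses a constructed CSV indicator feed into DNS lists, matches a query against the listed domain or any of its parents, and applies Block, Domain Not Found, Sinkhole or Monitor per list. The list-to-action mapping, the sinkhole address 198.51.100.1, the IoC tagging of CnC and Malware hits, and the example domains are all constructed for the example.

```python
import csv
import io

# Constructed CSV indicator feed in an indicator/type/category shape such as a CSV source
# might supply to CTID. The domains are reserved example names, not real indicators.
FEED_CSV = """indicator,type,category
Evil-CnC.example.,domain,CnC
login-verify.example,domain,Phishing
spam-blast.example,domain,Spam
dropper.example,domain,Malware
203.0.113.7,ipv4,CnC
"""

# Action per DNS list, using the four actions named on the slide. The mapping itself
# is an assumption for the example.
LIST_ACTION = {
    "CnC": "sinkhole",
    "Phishing": "domain_not_found",
    "Spam": "monitor",
    "Malware": "block",
}
SINKHOLE_IP = "198.51.100.1"  # constructed sinkhole address
IOC_LISTS = ("CnC", "Malware")  # assumption: hits on these lists raise an IoC


def normalize(name):
    return name.strip().rstrip(".").lower()


def load_feed(text):
    """Parse the CSV feed into {domain: category}; non-domain and malformed rows are skipped."""
    lists = {}
    for row in csv.DictReader(io.StringIO(text)):
        if (row.get("type") or "").strip() != "domain":
            continue
        name = normalize(row.get("indicator") or "")
        category = (row.get("category") or "").strip()
        if name and category in LIST_ACTION:
            lists[name] = category
    return lists


def lookup(qname, lists):
    """Match the query name or any parent domain, so fast-flux subdomains still hit the list."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in lists:
            return candidate, lists[candidate]
    return None, None


def resolve(qname, lists):
    """Apply the DNS policy to one query; return what the client sees plus an IoC flag."""
    matched, category = lookup(qname, lists)
    if matched is None:
        return {"qname": qname, "action": "allow", "rcode": "NOERROR", "ioc": False}
    action = LIST_ACTION[category]
    result = {"qname": qname, "action": action, "list": category,
              "matched": matched, "ioc": category in IOC_LISTS}
    if action == "sinkhole":
        # Answer with the sinkhole address; the host's follow-up connection to it
        # identifies the infected machine.
        result.update(rcode="NOERROR", answer=SINKHOLE_IP)
    elif action == "domain_not_found":
        result.update(rcode="NXDOMAIN")
    elif action == "block":
        result.update(rcode=None)  # query dropped, no response sent
    else:  # monitor: resolve normally and log the event
        result.update(rcode="NOERROR", answer="<upstream answer>")
    return result


if __name__ == "__main__":
    lists = load_feed(FEED_CSV)
    for q in ("www.evil-cnc.example.", "login-verify.example", "cdn.spam-blast.example",
              "dropper.example", "www.example.com"):
        print(resolve(q, lists))
```

Suffix matching is what makes a domain list useful against fast-flux: the addresses behind cdn.spam-blast.example can rotate freely, but the name still matches the listed parent.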
65. Identity Policy based on Passive Authentication
Attaches to the Access Control Policy
66. Access Control Policy Identity Control
Can mix and match AD & ISE identity groups (Guest, BYOD, etc.)
67. Active Directory “Realm” Configuration
• Multiple entries
• LDAP / LDAPS
• Assigned to the Identity Policy for active or passive authentication
68. ISE Integration
• pxGrid feed to retrieve from ISE:
  • AD username (group lookup via AD realm)
  • Device type profile & location
  • TrustSec Security Group Tag (SGT)
• Ability to exert control based on the above in rules
  • e.g. block HR users from using personal iPads
• Reduces ACL size and complexity
69. Identity Services Engine pxGrid Integration
• MUST install on FMC the ROOT certificate (chain) that signed the ISE pxGrid cert
• MUST install on ISE the ROOT certificate (chain) that signed the FMC cert
• Private keys not needed (of course!)
70. TrustSec Security Group Tag based identity from ISE
Can also reference Identity Services Engine identified device profiles
71. External Authentication for Administration
• LDAP / AD or RADIUS
• Example allows “External Users” to be defined that exist in Active Directory for FMC or shell login
• Can stack multiple methods
72. REST API Provider
• Designed for use with Terminal Services Agent
• Can also be used by custom integrations
• Uses certificate-based authentication
• User information is sent to the passive ID node over SSL in JSON format
73. VDI Environments
Enables you to interface with network applications such as the TS-Agent on a Citrix server, where all users have the same IP address but are assigned unique ports.
75. “DDoS Remains Biggest Threat of all Cyber-Attacks”
• DDoS is increasingly moving away from denial and into ransom as a motive, or a smokescreen
• Cyber criminals now maintain and rent out botnets to mount DDoS attacks
No one immune, few prepared: DDoS continues to remain a top concern (chart on a 0 to 60% scale).
* Source: Radware ERT Report 2016
76. DDoS Attack Surface – Hybrid Mitigation Strategy
• Cloud: for volumetric DDoS attack mitigation; protects against 25% of DDoS attacks
• In-line: protects against both network and application attacks; protects against 75% of DDoS attacks
Where DDoS strikes: 25% Internet pipe, 23% firewall, 7% IDS/IPS, 6% load balancer, 35% server under attack, 4% SQL server.
77. Firepower DDoS Solution Components
• Cisco Firepower is a scalable, carrier- and enterprise-grade, multi-service security appliance featuring:
  • Radware DDoS decorator app (OEM)
  • Cisco ASA firewall
  • Cisco NGIPS (Sourcefire – Threat Defense)
• What is required?
  • Firepower chassis (FXOS 1.1.4+)
  • DDoS license (Virtual DefensePro)
  • Vision management software
  • Cloud DDoS: hybrid, always on & on demand (*CSCO FY18 Q1, Oct 15, 2017)
Diagram: DDoS, FW and NGIPS on Firepower 4100/9300.
78. The Firepower 4100/9300 Transforms Security Service Integration
Contrast drawn on the slide: limited effectiveness, increased latency, slows the network, static & manual versus the unified threat platform with integrated security (a data packet passing SSL, FW, WAF, NGIPS, DDoS and AMP in one chain): maximum protection, highly efficient, scalable processing, dynamic.
Key: Cisco service / 3rd-party service.
• Radware vDP is our first 3rd-party component of the new architecture
• We are adding DDoS application services to the ingress interfaces of the Firepower 4100/9300
79. Security Services Architecture with DDoS running
Chassis: Supervisor with on-board 8x10GE interfaces (Ethernet 1/1-8; Ethernet 1/7 is management), a 4x40GE network module in slot 1 (Ethernet 2/1-4), a 4x40GE network module in slot 2 (Ethernet 3/1-4) and application image storage. Security Modules 1, 2 and 3 each run an ASA cluster unit as the primary application with a DDoS decorator application in front of it.
Logical packet flow: Data Inside (PortChannel1) -> external connector -> decorator application (DDoS) -> application connector -> primary application (ASA) -> Data Outside (PortChannel1). Each logical device unit is joined by a link.
81. Abbreviation Key!
ASA = Adaptive Security Appliance
FTD = Firepower Threat Defense
FPS = Firepower Services
FMC = Firepower Management Center
FDM = Firepower Device Manager
NGFW = Next Generation Firewall
NGIPS = Next Generation Intrusion Prevention System
AMP = Advanced Malware Protection
API = Application Programming Interface
ISE = Identity Services Engine
IoC = Indicator of Compromise
PAN = Place to cook your eggs
82. Useful links
FTD: Common Practices Guide: http://cisco.lookbookhq.com/ngfw_ftd_common-practices/ftd-common-practices
Short how-to videos: https://www.youtube.com/channel/UCwnm1oSSz8pPwDyfzFS5k3w/playlists
Lab Minutes videos: www.labminutes.com
BU videos: https://www.youtube.com/channel/UCxTz5VApACLnh5_SDjtfoNg/videos?view_as=subscriber
85. Firepower Management Center: Site-to-Site VPN
86. Firepower Management Center: Remote Access VPN
87. Firepower Management Center: Cisco Threat Intelligence Director