Firepower NGFW Internet Edge Deployment Scenarios

Jeff Fanelli - Principal Systems Engineer [email protected] BRKSEC-2050

#jefanell Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Spark or go directly to the space
4. Enter /questions in the space

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

About Your Speaker

Jeff Fanelli Principal Systems Engineer Cisco Global Security Sales Organisation

My city was founded in 1701 by Antoine de la Mothe Cadillac (some French guy)

Detroit, Michigan

Important: Hidden Slide Alert

Look for this "For Your Reference" symbol in your PDFs

There is a tremendous amount of hidden content, for you to use later! (60+ slides)


Today's Agenda

• Firepower Software & Platforms

• ASA & Firepower NGFW Platforms

• Management Options

• Cisco & 3rd Party Integration

• Deployment Use Cases

Firepower NGFW Software

Firepower Threat Defence

[Figure: Firepower Threat Defence feature overview fed by Cisco Collective Security Intelligence. Feature labels: Malware Protection, High Availability, Intrusion Prevention, URL Filtering, Analytics & Automation, Network Profiling, Application Visibility & Control, Identity-Policy Control, Policy Based Routing]

Integrated Software - Single Management

What's New with Cisco NGFW and NGIPS

Cisco Next Generation Firewall:

• Manageability: expanded set of security policies on FDM, the on-box manager; flexibility to manage local devices using the REST API

• Performance: unmask threats with hardware-based SSL decryption; performance upgrade of 3-5x throughput

• Operational Simplicity: easy single-hop upgrade to 6.2.3, with minimised downtime

• Shared Threat Intelligence: IBM and Cisco collaboration

• Third-Party Recognition: Cisco NGFW and NGIPS recognised by analysts

Firepower Threat Defence

[Figure: ASA with Firepower Services converging into Firepower Threat Defence (single converged OS), both managed by Firepower Management Centre (FMC), with continuous feature migration]

Firepower (L7) full feature set:
• Threat-Centric NGIPS
• AVC, URL Filtering for NGFW
• Advanced Malware Protection

ASA (L2-L4):
• L2-L4 Stateful Firewall
• Scalable CGNAT, ACL, routing
• Application inspection

ASA with FirePOWER Services (old "marketing" spelling!)

[Figure: ASA 1 and ASA 2 in HA/CCL with configuration/state replication, each with its own FirePOWER module]

• Full ASA feature set
• FirePOWER module: independent configuration
• Full packet copy to the module
• Mid-flow pickup with policy re-evaluation; no AVC verdict on mid-flow pickup
• Functional overlap between ASA and FirePOWER
• Single uplink queue
• IP-based load-balancing

Functionality vs Performance: leaning toward the NGIPS use case

Firepower Threat Defence

[Figure: FTD 1 and FTD 2 in HA/CCL with configuration replication and NGFW/NGIPS state replication, each running Advanced Inspection Modules ("Snort") over the Data Plane ("Lina")]

• Based on ASA software Data Plane ("Lina"); packets stay in the Data Plane
• Advanced Inspection Modules ("Snort") with load-based distribution
• Multiple work queues
• IP/TCP/UDP load-balancing
• Configuration replication and NGFW/NGIPS state replication

Balanced Functionality and Performance: true NGFW use case

Capabilities and Licensing Summary

Base License (Perpetual)
• User and App control policies
• TLS Decryption policies

URL License (Subscription)
• Web category / reputation policies

Threat License (Subscription)
• Intrusion Prevention System (IPS)
• Security Intelligence Feed Service
• Threat Intelligence Director

Malware License (Subscription)
• Advanced Malware Protection
• Threat Grid File Submissions

Remote Access (Term or Perpetual)
• AnyConnect Base / Plus / Apex
• Must have export-control flag set on Smart License account!

Firepower Management Center
• No license needed, included.

ASA & Firepower Platforms

Cisco NGFW Platforms (up to 16x with clustering!)

• Firepower Threat Defence for ASA 5500-X: 250 Mb -> 1.75 Gb (NGFW + IPS throughput)
• Firepower 2100 Series: 2 Gb -> 8 Gb (NGFW + IPS throughput)
• Firepower 4100 Series and Firepower 9300: 41xx = 10 Gb -> 24 Gb; 93xx = 24 Gb -> 53 Gb

NGFW capabilities all managed by Firepower Management Centre

Software Support - Virtual Platforms

Platforms: Amazon Web Services, Microsoft Azure, Hyper-V, KVM, VMware

Virtual images:
• ASAv
• Firepower NGIPSv (FTD)
• Firepower NGFWv (FTD)

Management Platform Options

Management Options

• On-box: Firepower Device Manager. Enables easy on-box management of common security and policy tasks.

• Centralised: Firepower Management Centre. Enables comprehensive security administration and automation of multiple appliances.

• On-box: ASDM with FirePOWER Services. Enables easy on-box migration and management of ASA with Firepower.

Firepower Management Centre

Firepower Device Manager

• On-box manager for managing a single Firepower Threat Defence device

• Targeted for SMB market

• Designed for Networking Security Administrator

• Simple & Intuitive

• Mutually Exclusive from FMC

• CLI for troubleshooting


ASDM (managing FirePOWER Services)

3rd Party Integration

Export to third-party tools via SNMP, Syslog, NetFlow or eStreamer.

SNMP support for:
• Firepower NGFW Software
• FXOS / Chassis Manager (2100, 4100, 9300)
• Firepower Management Centre

Firepower NGFW also supports:
• NetFlow Security Event Logging
• Syslog (for all event types)

Syslog and eStreamer for Events

eStreamer APIs:
• Intrusion Events
• Intrusion Event Packet Data (optional)
• Intrusion Event Extra Data
• Malware Events
• File Events - SHA, SPERO
• Health
• Connection Logs and Security Intelligence Events
• Correlation and White List Events
• Impact Flag Alerts
• Discovery events (Host profiles, IOC, port, etc.)
• AMP endpoint detectors
• Network Analysis, Discovery events

FMC Syslog:
• IPS (including Impact flags)
• Malware (network, retrospective)
• Connection Events (optional)
• URL categories
• Rule ids
• Sinkhole Metadata
• SSL

FTD Syslog & NetFlow:
• Connection Logs
• 5 tuple
• NAT
• Routing
• VPN
• IP
• HA
• sessions
• other stateful features

IBM QRadar Firepower App

• Firepower App - November
• Dashboard with 6 components:
  • Intrusion Events by Impact
  • Indicators of Compromise
  • Malware Sources
  • Malware Recipients
  • Malware hashes

Firepower App for QRadar

Dashboard annotations:
• Shows hosts that are known to be compromised
• Malware observed most often on my network
• Shows hosts that are potentially compromised
• Which hosts on my network have sent the most malware
• Intrusion events by 'Impact', or likelihood of an attack impacting the targeted system

Cisco eStreamer app for Splunk

LiveAction

Deployment Designs

Use Case: Internet Edge Firewall

Requirement

Connectivity and Availability Requirement:
• High Availability
• Firewall should support Routed or Transparent Mode (ROUTED mode in this design)

Routing Requirements:
• Static and BGP Routing
• Dynamic NAT/PAT and Static NAT

Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption

Authentication Requirements:
• User authentication and device identity

Solution

Security Application: Firepower Threat Defence application with FMC

[Figure: ISP / Service Provider, Internet Edge, DMZ Network, FW in HA, Port-Channel, Campus/Private Network]

Connectivity and Availability

Firewall Design: Modes of Operation

• Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains; the firewall is the router and gateway for local hosts. (Figure: 10.1.1.0/24 behind firewall address 10.1.1.1, NAT, DRP.)

• Transparent Mode is where the firewall acts as a bridge functioning at L2. (Figure: host IP 192.168.1.100 with GW 192.168.1.1 on 192.168.1.0/24 across the bridge.)
  • Transparent mode firewall offers some unique benefits in the DC.
  • Transparent deployment is tightly integrated with our 'best practice' data centre designs.

• Integrated Routing and Bridging (IRB) combines both modes. Helpful for grouping "switchports" in routed mode.

Link and Platform Redundancy Capabilities

Firewall Link Aggregation - High Availability - Clustering

• Link Redundancy: LACP (Link Aggregation Control Protocol); LACP link redundancy
• Active / Standby HA: resiliency with link failures
• Inter-chassis Clustering: combine up to 16 9300 blades or 4100 chassis

FTD High Availability

• Full flow state replication with NGFW policy verdicts

• Active/Standby operation in all NGFW/NGIPS interface modes
  • Interfaces are always up on standby, but any transit traffic is dropped
  • MAC learning/spoofing on switchover in transparent NGFW, inline NGIPS
  • GARP on switchover in routed NGFW
  • Interface and Snort instance (at least 50%) status monitoring

• Zero-downtime upgrades for most applications
  • Some packet loss is always expected with failover

[Figure: Active (A) and Standby (S) FTD joined by the HA Link, uplinks via vPC]

Routing Requirements

Dynamic NAT for Direct Internet Access: Automatic and Manual (complex) NAT support for FTD, including IPv6

Routing Protocol support: IPv4 and IPv6 advanced routing

• OSPF and OSPFv3 (IPv6)

• BGP (IPv4 & IPv6)

• Static Route
  • Tunneled Route support for VPNs
  • Reverse Route Injection for VPNs

• Multicast Routing
  • IGMP
  • PIM

• EIGRP via FlexConfig

Rate limiting Cloud File Sharing Traffic

QoS Policy is a new policy type with a separate policy table. It is not associated with an Access Control Policy; it is directly associated with devices.

FlexConfig

• Provides a way to configure ASA features not exposed directly by Firepower Management Centre

• EIGRP Routing
• Policy Based Routing
• ISIS Routing
• NetFlow (NSEL) export
• VXLAN
• ALG inspections
• IPv6 header inspection
• BGP-BFD
• Platform Sysopt commands
• WCCP

FlexConfig Policies

• Device-level free-form CLI policies that follow ASA syntax
  • Supports pre-defined object templates and completely custom objects
  • Natively managed feature commands are blacklisted
  • Must push an object with negated commands to remove

• FlexConfig is only supported on a best-effort basis
  • Assume no validation and no interoperability guarantees
  • When in doubt, don't use it

• Deploy "Once"; "Everytime" is for interactions with managed features

• Always select Append rather than Prepend type

Security Requirements

• Identity Policy

• Decryption Policy (optional)

• IPS Policy (optional, use default)

• File (AMP) Policy

• Prefilter Policy (optional)

• Access Policy

• Security Intelligence Policy

• Threat Intelligence Director

Identity Requirements

Authentication and Authorisation

Identity Use Cases:
• Associate traffic to users and devices (IoT etc)
• Access based on users, groups and TrustSec TAG

Method | Source | LDAP/AD | Authoritative?
Active | Forced authentication through device | LDAP and AD | yes
Passive | Identity and IP mapping from AD Agent | AD | yes
User Discovery | Username scraped from traffic, passive from the | LDAP and AD | no

User Discovery

• Deduces user identity by passively analysing network traffic
• Considered non-authoritative
• Cannot be used in access control policies

Active and Passive Authentication

• Passive authentication
  • IP-to-user mappings are learned from ISE or Firepower User Agent

• Active authentication
  • Also called captive portal
  • Redirects user to HTTPS server running on the firewall
  • User authenticates with username and password

• Identity policy
  • Specifies what traffic requires active, passive or no authentication
  • Attached to an access control policy

Passive Authentication: Cisco Firepower User Agent

• The agent monitors users when they log in and out of hosts or authenticate with Active Directory credentials
• The User Agent does not report failed login attempts
• The agents associate users with IP addresses
• Can use one agent to monitor user activity
  • Up to five Active Directory servers
  • Send encrypted data to up to five Firepower Management Centres

Identity Services Engine Integration

Uses pxGrid protocol to retrieve:
• ISE username (can map to Active Directory)
• Device type profile & location
• TrustSec Scalable Group Tag (SGT)
• ISE-PIC provides username only

All ISE retrieved attributes can be used in:
• Access Policies
• Decryption Policies
• QoS Policies

• FMC has 64k user limit
• Mappings sent to all identity firewalls

Active Authentication (Captive Portal)

Captive Portal Use Cases:
• Can be used for non-domain endpoints
• Enforces authentication through the browser
• Can augment passive authentication (Fall-back to Active feature)
• Various supported authentication types (Basic, NTLM, Kerberos, Form)
• Guest / Non-Windows Device Authentication Support
• Multi-realm Support
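The identity flow of the last few slides (passive mapping first, captive-portal fall-back when no mapping exists, and user discovery that access control must ignore) as a small simulation. This is an added example, not Cisco code; the mappings, the realm stand-in, the group table and the portal URL are constructed assumptions.

```python
"""Simulation of the identity handling described on the slides: passive
IP-to-user mappings from ISE or the User Agent, active authentication via the
captive portal as fall-back, and non-authoritative user discovery that access
control must ignore. Constructed example, not Cisco code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Identity:
    user: str
    source: str         # ISE, UserAgent, CaptivePortal or Discovery
    authoritative: bool


# Constructed data: passive mappings, discovered (scraped) users, a stand-in for
# the LDAP/AD realm, group membership and a hypothetical portal URL.
PASSIVE_MAP = {
    "10.1.1.10": Identity("alice", "ISE", True),
    "10.1.1.11": Identity("bob", "UserAgent", True),
}
DISCOVERED = {"10.1.2.20": Identity("carol", "Discovery", False)}
REALM_CREDENTIALS = {"dave": "correct-horse-battery"}
GROUPS = {"alice": "employees", "bob": "employees", "carol": "employees", "dave": "contractors"}
CAPTIVE_PORTAL = "https://fw-inside.example.internal:885/"

# Identity policy rules: (source network, authentication type), evaluated top-down.
IDENTITY_RULES = [
    (ip_network("10.1.1.0/24"), "passive-fallback-active"),
    (ip_network("10.1.2.0/24"), "no-auth"),
]


def identity_rule_for(src):
    for net, auth_type in IDENTITY_RULES:
        if ip_address(src) in net:
            return auth_type
    return "no-auth"


def resolve_identity(src, credentials=None):
    """Return (status, payload): 'identified' with an Identity, 'redirect' with
    the portal URL, or 'anonymous' with a discovered Identity or None."""
    auth_type = identity_rule_for(src)
    if auth_type == "no-auth":
        return "anonymous", DISCOVERED.get(src)     # discovery may still name a user
    ident = PASSIVE_MAP.get(src)
    if ident:                                       # mapping learned from ISE / User Agent
        return "identified", ident
    if auth_type == "passive-fallback-active":
        if credentials and REALM_CREDENTIALS.get(credentials[0]) == credentials[1]:
            ident = Identity(credentials[0], "CaptivePortal", True)
            PASSIVE_MAP[src] = ident                # host is now mapped for later flows
            return "identified", ident
        return "redirect", CAPTIVE_PORTAL           # browser sent to the HTTPS portal on the firewall
    return "anonymous", DISCOVERED.get(src)


def access_rule_matches_group(src, group):
    """Access control may only act on authoritative identities; discovered users never match."""
    status, ident = resolve_identity(src)
    if status != "identified" or not ident.authoritative:
        return False
    return GROUPS.get(ident.user) == group
```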

Identity Policy based on Passive Authentication

Must be created; attaches to the Access Control Policy

Access Control Policy: Identity Control

Can mix and match AD & ISE identity groups (Guest, BYOD, etc.)

TrustSec Security Group Tag based identity from ISE

Can also reference Identity Services Engine identified Device Profiles

ISE Remediation using pxGrid

TLS Decryption

Customer Use Case

• Protect the network from threats from remote TLS servers
  • Called the outbound or unknown key case
  • Example: Malware downloaded over HTTPS by users surfing the web

• Protect the network from attacks on internal TLS servers
  • Called the inbound or known key case
  • Example: Protect DMZ HTTPS servers from intrusion attacks

Challenges

• Inspection fails for some applications
• No end-user notifications unless traffic is decrypted
• Inspection fails for some client/server combinations
• Load on firewall creates throughput degradation
  • Currently TLS is being performed in software
  • TLS decryption will be in hardware (roadmap / release beta)

Best Practices

• Block TLS traffic without decrypting
  • Block URL categories
  • Block Application (approx. 400 applications can be identified)
  • Block based on certificate status, TLS version or cipher suite
• Use Replace Key Only feature
• Enable logging to help troubleshooting

Granular TLS Decrypt

Can specify by application, certificate fields / status, ciphers, etc.

Decrypt Cert required!
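The "block without decrypting" best practice above relies on what the client already sends in the clear: the ClientHello carries the server name, the offered TLS versions and the cipher suites, so a URL-category, version or cipher-suite block needs no decryption at all. The following is an added example (not Cisco's implementation) that builds a minimal ClientHello, parses those fields back out and applies a constructed policy; the blocked-SNI list, the weak-cipher set and the minimum version are assumptions, and the chosen IDs are the IANA cipher-suite values.

```python
"""Pre-decryption TLS checks on a ClientHello: SNI category, TLS version and
cipher suites. Added example with a constructed policy, not Cisco code."""
import struct

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
WEAK_CIPHERS = {0x000A, 0x002F, 0x0035}      # constructed policy: 3DES and static-RSA CBC suites
BLOCKED_SNI_CATEGORIES = {"proxy.example": "Anonymizer"}   # constructed URL-category list
MIN_VERSION = 0x0303                          # constructed policy: nothing below TLS 1.2


def build_client_hello(versions, ciphers, sni):
    """Assemble a minimal TLS ClientHello record (constructed test input)."""
    name = sni.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list       # server_name
    if 0x0304 in versions:                     # TLS 1.3 is advertised via supported_versions
        vers = b"".join(struct.pack("!H", v) for v in versions)
        body = bytes([len(vers)]) + vers
        exts += struct.pack("!HH", 0x002B, len(body)) + body
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    legacy = 0x0303 if max(versions) >= 0x0303 else max(versions)
    body = (struct.pack("!H", legacy) + b"\x00" * 32 + b"\x00"        # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # cipher suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract offered versions, cipher suites and SNI; nothing here is encrypted."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = record[9:]
    legacy = struct.unpack("!H", body[:2])[0]
    pos = 34                                   # version (2) + random (32)
    pos += 1 + body[pos]                       # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                       # compression methods
    versions, sni = [legacy], None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        if etype == 0x0000:                    # server_name: list len(2), type(1), name len(2), name
            nlen = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + nlen].decode()
        elif etype == 0x002B:                  # supported_versions: len(1), versions
            versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
        pos += 4 + elen
    return {"versions": versions, "ciphers": ciphers, "sni": sni}


def tls_policy(record):
    """Apply the block-without-decrypting checks before any decrypt rule is considered."""
    hello = parse_client_hello(record)
    if hello["sni"] in BLOCKED_SNI_CATEGORIES:
        return "Block", f"URL category {BLOCKED_SNI_CATEGORIES[hello['sni']]}"
    best = max(hello["versions"])
    if best < MIN_VERSION:
        return "Block", f"TLS version {TLS_VERSIONS.get(best, hex(best))}"
    if all(c in WEAK_CIPHERS for c in hello["ciphers"]):
        return "Block", "only weak cipher suites offered"
    return "Decrypt-Resign", "eligible for outbound decryption"
```

Certificate-status checks (the remaining item on the slide) need the server's Certificate message and are not covered by this ClientHello-only parser.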

IPS Policy

Custom IPS Policy

What's in the Default IPS & Network Access Policies?

Connectivity Over Security
• CVSS Score 10, 2 years
• 499 rules
• 15 preprocessors enabled

Balanced Security and Connectivity
• CVSS Score 9 or higher, 2 years
• 9250 rules
• 15 preprocessors enabled

Security Over Connectivity
• CVSS Score 8 or higher, 3 years
• 12706 rules
• 17 preprocessors enabled

Malware and File Analysis

Attached to Access Policy

Prefilter & Access Policies

Prefilter Policy (Optional) - Based on L2-L4 Flow Attributes

• First access control phase in Data Plane for each new flow
  • Block: Deny the flow without any further processing
  • Fastpath: Allow and process entirely in Data Plane, attempt Flow Offload
  • Analyse: Pass for evaluation in Main AP, optionally assign tunnel zone

• Use correctly: not a "high performance" substitute for NGFW policies
  • Limited early IP blacklisting
  • Tunneled traffic inspection
  • Allowing high-bandwidth and low-latency trusted flows (Flow Offload)

Access Policy - Based on Layer 2 - Layer 7 Flow Attributes

• Primary access control phase in Snort
  • Block [with reset]: Deny connection [and TCP RST]
  • Interactive Block [with reset]: Show HTTP(S) block page [and TCP RST]
  • Monitor: Log event and continue policy evaluation
  • Trust: Push all subsequent flow processing into Data Plane only
  • Allow: Permit connection to go through NGIPS/File inspection

• Appropriate place for implementing NGFW policy rules
  • Full NGFW traffic selection criteria
  • Decisions may need multiple packets

Access Control Policy Blocking Example

Security Intelligence Policies

Network & URL-Based Security Intelligence

• Block traffic to IP addresses and URLs with bad reputation

• TALOS dynamic feed, 3rd party feeds

• Multiple Actions: Allow, Monitor, Block, Interactive Block,…

• Policy configured via Access Rules or black-list

• IoC tags for CnC and Malware matches

• Black/White-list IP / URL with one click

• Blocked traffic is not subject to additional inspection. Logged separately!

URL-SI Categories
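The prefilter, Security Intelligence and access-policy slides above describe one evaluation order for a new flow: prefilter in the Data Plane first (Block / Fastpath / Analyse), then reputation blocks that skip all further inspection, then the top-down access rules with Monitor continuing evaluation and Trust leaving Snort. The simulation below is an added example, not Cisco's implementation; rule names, the feeds and the addresses are constructed, and the L7 application is treated as already identified for flows that carry one.

```python
"""Simulation of the flow-evaluation order described on the slides:
Prefilter (L2-L4, Data Plane) -> Security Intelligence (IP/URL reputation)
-> Access Control (L2-L7, Snort). Constructed example, not Cisco code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    app: Optional[str] = None   # L7 app id may take several packets to settle
    url: Optional[str] = None


@dataclass
class Verdict:
    stage: str      # which policy decided the flow
    action: str     # Block, Fastpath, Trust, Allow, ...
    inspect: bool   # does the flow continue to NGIPS / file inspection?
    log: list = field(default_factory=list)


# Constructed rule sets and feeds (documentation address ranges).
PREFILTER_RULES = [           # (name, destination network, port, action)
    ("fastpath-backup", "10.20.0.0/16", 873, "Fastpath"),
    ("block-telnet", "0.0.0.0/0", 23, "Block"),
]
SI_IP_BLACKLIST = {ip_network("203.0.113.0/24"): "CnC"}
SI_URL_BLACKLIST = {"evil.example/payload.exe": "Malware"}
ACCESS_RULES = [              # (name, application, action), evaluated top-down
    ("monitor-social", "facebook", "Monitor"),
    ("trust-voip", "rtp", "Trust"),
    ("allow-web", "http", "Allow"),
]
DEFAULT_ACTION = "Block"      # access policy default action


def prefilter(flow):
    """L2-L4 phase: Block, Fastpath, or Analyse (hand over to the main policy)."""
    for name, net, port, action in PREFILTER_RULES:
        if ip_address(flow.dst) in ip_network(net) and flow.dport == port:
            return name, action
    return None, "Analyse"


def security_intelligence(flow):
    """Reputation check on destination IP and URL; returns the matching category."""
    for net, category in SI_IP_BLACKLIST.items():
        if ip_address(flow.dst) in net:
            return f"IP:{category}"
    if flow.url in SI_URL_BLACKLIST:
        return f"URL:{SI_URL_BLACKLIST[flow.url]}"
    return None


def evaluate(flow):
    """Run one flow through prefilter, Security Intelligence and access rules."""
    name, action = prefilter(flow)
    if action == "Block":
        return Verdict("prefilter", "Block", False, [f"prefilter:{name}"])
    if action == "Fastpath":    # stays in the Data Plane, Snort never sees it
        return Verdict("prefilter", "Fastpath", False, [f"prefilter:{name}"])
    match = security_intelligence(flow)
    if match:                   # blocked before any further inspection, logged separately
        return Verdict("security-intelligence", "Block", False, [f"si:{match}"])
    log = []
    for name, app, action in ACCESS_RULES:
        if flow.app != app:
            continue
        if action == "Monitor":         # log, then keep evaluating the remaining rules
            log.append(f"monitor:{name}")
            continue
        if action == "Trust":           # all further packets handled in the Data Plane only
            return Verdict("access-control", "Trust", False, log + [name])
        if action == "Allow":           # permitted, but subject to NGIPS and file inspection
            return Verdict("access-control", "Allow", True, log + [name])
        return Verdict("access-control", "Block", False, log + [name])
    return Verdict("access-control", DEFAULT_ACTION, False, log + ["default-action"])
```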

Security Intelligence Network & URL Categories

Category | Description
Attacker | Active scanners and blacklisted hosts known for outbound malicious activity
Malware | Sites that host malware binaries or exploit kits
Phishing | Sites that host phishing pages
Spam | Mail hosts that are known for sending spam
Bots | Sites that host binary malware droppers
CnC | Sites that host command and control servers for botnets
Open Proxy | Open proxies that allow anonymous web browsing
Open Relay | Open mail relays that are known to be used for spam
Exit Node | Tor exit nodes
Bogon | Bogon networks and unallocated IP addresses

DNS Inspection

• Security Intelligence support for domains

• Addresses challenges with fast-flux domains

• Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing

• Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor

• Indications of Compromise extended with DNS Security Intelligence

Additional Categories for DNS Security Intelligence Feeds

Same categories as Network and URL feeds plus the following:

Category | Description
DGA | Malware algorithms used to generate a large number of domain names acting as rendezvous points with their command and control servers
Exploit Kit | Software kit designed to identify software vulnerabilities in client machines
Response | A list of IPs / URLs that appear to be actively participating in malicious or suspicious activity
Suspicious | Files that appear to be suspicious and have characteristics that resemble known malware
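The four DNS list actions on the DNS Inspection slide (Block, Domain Not Found, Sinkhole, Monitor) differ in what the client actually receives. The following added example (not Cisco code) applies them to a DNS query in wire format: a dropped query for Block, a spoofed NXDOMAIN for Domain Not Found, an A record pointing at the sinkhole for Sinkhole, and pass-through with logging for Monitor. The DNS list, the sinkhole address and the assumption that a list entry also covers its subdomains are constructed.

```python
"""DNS Security Intelligence actions from the slides (Block, Domain Not Found,
Sinkhole, Monitor) applied to a DNS query in wire format. Constructed example."""
import struct
from ipaddress import IPv4Address

# Constructed DNS list: domain -> (category, action). Assumption: an entry also
# matches its subdomains.
DNS_LIST = {
    "cnc.example": ("CnC", "Sinkhole"),
    "phish.example": ("Phishing", "Domain Not Found"),
    "drop.example": ("Malware", "Block"),
    "watch.example": ("Suspicious", "Monitor"),
}
SINKHOLE_IP = "192.0.2.53"   # constructed sinkhole address (documentation range)


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(packet, offset):
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(packet[offset:offset + length].decode())
        offset += length


def build_query(name, qid=0x1234):
    """Standard recursive A query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def lookup(qname):
    parts = qname.lower().split(".")
    for i in range(len(parts)):          # exact name first, then each parent domain
        entry = DNS_LIST.get(".".join(parts[i:]))
        if entry:
            return entry
    return None


def apply_dns_si(query):
    """Return the verdict and, where the firewall answers itself, the response bytes."""
    qid, flags = struct.unpack("!HH", query[:4])
    qname, end = decode_name(query, 12)
    question = query[12:end + 4]
    result = {"qname": qname, "action": "Forward", "category": None,
              "forward": True, "response": None}
    entry = lookup(qname)
    if entry is None:
        return result
    category, action = entry
    result.update(category=category, action=action)
    if action == "Monitor":              # passed through, but logged and tagged as an IoC
        return result
    result["forward"] = False
    if action == "Block":                # query is dropped; the client sees a timeout
        return result
    rd = flags & 0x0100                  # keep the client's RD bit
    if action == "Domain Not Found":     # spoof NXDOMAIN: QR=1, RA=1, RCODE=3
        header = struct.pack("!HHHHHH", qid, 0x8080 | rd | 3, 1, 0, 0, 0)
        result["response"] = header + question
        return result
    # Sinkhole: answer with the sinkhole address so the follow-up connection is observable
    header = struct.pack("!HHHHHH", qid, 0x8080 | rd, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4) + IPv4Address(SINKHOLE_IP).packed
    result["response"] = header + question + answer
    return result
```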

Cisco Threat Intelligence Director (CTID)

• Uses customer threat intelligence to identify threats
• Automatically blocks supported indicators on Cisco NGFW
• Provides a single integration point for all STIX and CSV intelligence sources

Branch Firewall Use Cases

Site to Site and Remote Access VPN

Branch Use Case: WAN Edge Firewall with Direct Internet Access

Requirement

Connectivity and Availability Requirement:
• MPLS Primary Network Connectivity
• Direct Internet Access for LAN Traffic
• VPN Tunnel as WAN Backup (Hub and Spoke)
• Standalone or High Availability NGFW
• Will manage Firewall over VPN

Routing Requirements:
• OSPF Routing (or BGP) for MPLS WAN
• Static or learned routes for Internet
• Dynamic NAT/PAT for outbound Internet traffic

Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption

Authentication Requirements:
• User authentication and device identity

Solution

Security Application: Firepower Threat Defence application with FMC

[Figure: NGFW Firewall with "Outside" interface to the Internet Edge (VPN Tunnel), "MPLS" interface with OSPF Routing to the MPLS WAN, and "Inside" interface to the Local Area Network]

Ordered Steps for Remote Site Configuration

• Create Shared Access Policy

• Add firewalls to management console

• Configure Interfaces and static routes on each firewall

• Configure dynamic routing for dedicated WAN (optional)

• Configure Shared VPN Policy

• Deploy policies

• Re-address firewalls for remote site and bring on-line!

Headquarters and Branch NGFW Example

Shared Access Policy for all sites
• Allow traffic from all Branch and HQ LAN subnets to each other

Adding Firewall to Firepower Management Centre

• Host = Out of band management IP

• Must be reachable by FMC

• Can add with temporary "staging" IP if "NAT ID" field is used (don't forget this!)

• Device can be set to “offline” in FMC. Devices -> Device Management -> Device TAB -> Management

Branch NGFW Use Case - Interface Configuration

Outside / Inside / MPLS interface configuration (Static IP)

• Can have dual MPLS and multiple inside interfaces / LAN segments

Headquarters and Branch NGFW Example: HUB (Headquarters) Static Routes

• Note "floating static routes" for all remote branch subnets to Internet gateway!

Headquarters and Branch NGFW Example: HQ & Branch OSPF Routing Configuration for MPLS

• Redistributing "connected" and "static" routes to OSPF

Headquarters and Branch NGFW Example: Single Hub & Spoke Site to Site VPN Configuration

• Static "outside" IP Addresses on HUB and all Spoke firewalls

Headquarters and Branch NGFW Example: Create Hub and Spoke IKEv2 VPN Topology with all default settings

• DISABLE Reverse Route Injection on IPSec Tab or OSPF routes are ignored

Headquarters and Branch NGFW Example: Dynamic Endpoint option for sites with DHCP Outside Interface

• Set Crypto Map type to Dynamic in IPSec Tab. Hub + Spokes as Bi-directional

Headquarters and Branch NGFW Example: Best Practice: Disable Health Monitoring Interface Warnings

• Will prevent FMC warnings when no traffic is seen on an interface

Deploy Configurations To All Firewalls

• FTD configurations are pushed to firewalls over the "STUNNEL" secure communications channel on the management interface

• After configuration deployment, management interface can be changed for target site

Manually Changing FTD Management IP Address Information

A serial console connection to the firewall is easiest (it can also be done via SSH)

• configure network ipv4 manual

Both IPv4 and IPv6 management addresses may be configured and used for SSH to Firewall.

Only IPv4 -or- IPv6 will be used for SFTUNNEL communication to Firepower Management Centre

Bring Spoke Firewalls Online

After connecting the interface cables, the firewall should come online (verify ICMP ping to the next hop on all interfaces). If there is no dedicated WAN, the spoke VPN tunnel should come up immediately. Optional: verify with "show crypto sa" via the CLI.

Headquarters and Branch NGFW Example: Best Practice: Use of Groups in FMC for organisation

• GREEN status bubble indicates firewall is online and reachable from FMC

• Same policy sets applied to all branch firewalls

Headquarters and Branch NGFW Example: Benefits and Caveats

• OSPF routes from private WAN will always be preferred

• Routing “failover” time to VPN tunnel will depend upon OSPF Hello & Dead Interval values (must use FlexConfig to change)

• Spoke-to-spoke traffic will transit VPN hub for sites with WAN down (only for static IP spokes!)

• Use dynamic spoke option for DHCP addressed sites.

• Static spoke supports tunnel creation from hub or spoke

• Add “VPN only” network route to keep tunnels forced up

Remote Access VPN for Roaming User

Secure access using Firepower:
• Secure SSL/IPsec AnyConnect access to corporate network
• Support for Split Tunnelling or Backhauling to handle traffic from remote users to Internet
• AMP and File inspection Policy to monitor roaming user data
• Easy RA VPN Wizard to configure AnyConnect Remote Access VPN
• Advanced Application level inspection can be enabled to enforce security on inbound Remote Access User data
• Monitoring and Troubleshooting to monitor remote access activity and simplified tool for troubleshooting

[Figure: Roaming user via ISP to the Internet Edge, FP2100 in HA, Campus/Private Network]

Remote Access VPN

• AnyConnect client-based VPN

• Limitations:
  • No clientless VPN support (client download only)
  • No legacy Cisco IPsec IKEv1 client support
  • No Dynamic Access Policies

Firepower AnyConnect Remote Access

Before You Start Wizard:

1. Configure Realm or RADIUS Server Group for authentication

2. Upload AnyConnect package(s) (can pull from Cisco during wizard)

3. Have Firepower device interfaces and routing configured

4. Install Self-Signed Certificate or enroll device with public CA

Firepower AnyConnect Remote Access: Configuration Wizard Steps:

1. (Group) Policy Assignment

2. Connection Profile Creation

3. AnyConnect package selection

4. Access & Certificates

Firepower AnyConnect Remote Access: Connection Profile:

1. Name (mandatory)

2. Authentication Method (AAA = username + password)

3. IPv4 / IPv6 Address Pool(s)

4. Group Policy Selection (can use default)

Firepower AnyConnect Remote Access: AnyConnect client software selection:

• Upload from your workstation

• Download from Cisco.com using Wizard (need CCO credentials)

Firepower AnyConnect Remote Access: Interface Selection & Certificate:

1. Choose Interface / Zone

2. Choose Interface Identity Certificate

3. Optional: Create Self-Signed Certificate

4. Can also enroll device with a public CA (*best practice)

Firepower AnyConnect Remote Access

• Configuration Summary

• Recommended Next Steps

Firepower AnyConnect Remote Access: Don't forget!

1. Allow VPN traffic from Outside zone in your Access Policy!

2. Exempt traffic to and from your VPN subnet from NAT!

3. Disable proxy ARP in your NAT Exempt rule

Firepower Threat Defence Summary

Powerful Internet Edge and Branch WAN Platform

• Powerful Threat Defence Capabilities
• Flexible Deployment
• Advanced Site to Site VPN and routing protocol support
• Robust NGFW Feature set
• AnyConnect Remote Access
• Unified Management

Q & A

Complete Your Online Session Evaluation

• Give us your feedback and receive a Cisco Live 2018 Cap by completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Mobile App.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Global.

Continue Your Education

• Demos on the Cisco stand

• Walk-in Self-Paced Labs

• Meet the Expert 1:1 meetings

• Related sessions

Thank you