Firepower NGFW Internet Edge Deployment Scenarios

Jeff Fanelli - Principal Systems Engineer, [email protected]
BRKSEC-2050, #jefanell

Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

About Your Speaker
Jeff Fanelli, Principal Systems Engineer, Cisco Global Security Sales Organisation, Detroit, Michigan
My city was founded in 1701 by Antoine de la Mothe Cadillac (some French guy)

Important: Hidden Slide Alert
Look for this “For Your Reference” symbol in your PDFs. There is a tremendous amount of hidden content for you to use later (60+ slides).

Complete Your Online Session Evaluation

Today’s Agenda
• Firepower Software & Platforms
• ASA & Firepower NGFW Platforms
• Management Options
• Cisco & 3rd Party Integration
• Deployment Use Cases

Firepower NGFW Software

Firepower Threat Defence
Cisco Collective Security Intelligence feeds the following integrated capabilities (integrated software, single management):
• Malware Protection
• Intrusion Prevention
• URL Filtering
• High Availability
• Analytics & Automation
• Network Firewall and Routing
• Application Visibility & Control
• Network Profiling
• Identity-Based Policy Control

What’s New with Cisco NGFW and NGIPS
• Performance: hardware-based SSL decryption; performance upgrade of 3-5x throughput
• Operational Simplicity: easy single-hop upgrade to 6.2.3, with minimised downtime
• Shared Threat Intelligence: unmask threats with IBM and Cisco collaboration
• Third-Party Recognition: Cisco NGFW and NGIPS recognised by analysts
• Manageability: expanded set of security policies on FDM, the on-box manager; flexibility to manage local devices using the REST API

Firepower Threat Defence: from ASA with Firepower Services to a single converged OS
• Firepower (L7) full feature set: threat-centric NGIPS; AVC and URL Filtering for NGFW; Advanced Malware Protection
• ASA (L2-L4): L2-L4 stateful firewall; scalable CGNAT, ACL, routing; application inspection
• Continuous feature migration; Firewall, URL, Visibility and Threats managed by Firepower Management Centre (FMC)

ASA with FirePOWER Services (old ”marketing” spelling!)
• Independent configuration
• Full packet copy from ASA to FirePOWER
• Mid-flow pickup with policy re-evaluation; no AVC verdict on mid-flow pickup
• Functional overlap between ASA and FirePOWER
• Single uplink queue
• IP-based load-balancing
• HA/CCL with configuration/state replication between ASA 1 and ASA 2
• Full ASA feature set
Functionality vs performance: leaning toward the NGIPS use case

Firepower Threat Defence
• Advanced Inspection Modules (“Snort”) with load-based distribution and multiple work queues
• IP/TCP/UDP load-balancing
• Packets stay in the data plane (“Lina”), based on the ASA software data plane
• HA/CCL with configuration replication and NGFW/NGIPS state replication between FTD 1 and FTD 2
Balanced functionality and performance: the true NGFW use case

Capabilities and Licensing Summary
• Base License (Perpetual): user and app control policies; TLS decryption policies
• URL License (Subscription): web category / reputation policies
• Threat License (Subscription): Intrusion Prevention System (IPS); Security Intelligence Feed Service; Threat Intelligence Director
• Remote Access (Term or Perpetual): AnyConnect Base / Plus / Apex; must have the export-control flag set on the Smart License account!
• Malware License (Subscription): Advanced Malware Protection; Threat Grid file submissions
• Firepower Management Center: no license needed, included.

ASA & Firepower Platforms

Cisco NGFW Platforms (NGFW + IPS throughput)
• Firepower Threat Defence for ASA 5500-X: 250 Mb -> 1.75 Gb
• Firepower 2100 Series: 2 Gb -> 8 GB
• Firepower 4100 Series: 41xx = 10 Gb -> 24 Gb
• Firepower 9300: 93xx = 24 Gb -> 53 Gb (up to 16x with clustering!)
NGFW capabilities all managed by Firepower Management Centre

Software Support - Virtual Platforms
Amazon Web Services, Microsoft Azure, Hyper-V, KVM, VMware:
• ASAv
• Firepower NGIPSv (FTD)
• Firepower NGFWv (FTD)

Management Platform Options

Management Options
• On-box: Firepower Device Manager - enables easy on-box management of common security and policy tasks
• Centralised: Firepower Management Centre - enables comprehensive security administration and automation of multiple appliances
• On-box: ASDM with FirePOWER Services - enables easy on-box migration and management of ASA with Firepower

Firepower Management Centre

Firepower Device Manager
• On-box manager for managing a single Firepower Threat Defence device
• Targeted for the SMB market
• Designed for the networking security administrator
• Simple & intuitive
• Mutually exclusive with FMC
• CLI for troubleshooting

ASDM (managing FirePOWER Services)

3rd Party Integration
SNMP, Syslog, NetFlow or eStreamer
SNMP support for:
• Firepower NGFW Software
• FXOS / Chassis Manager (2100, 4100, 9300)
• Firepower Management Centre
Firepower NGFW also supports:
• NetFlow Security Event Logging
• Syslog (for all event types)

Syslog and eStreamer for Events
eStreamer APIs:
• Intrusion Events
• Intrusion Event Packet Data (optional)
• Intrusion Event Extra Data
• File Events - SHA, SPERO
• Connection Logs and Security Intelligence Events
• Correlation and White List Events
• Impact Flag Alerts
• Discovery events (host profiles, IOC, port, etc.)
• AMP endpoint detectors
• Network Analysis, Discovery events
FMC Syslog:
• Malware Events
• Health
FTD Syslog & NetFlow:
• Connection Logs: 5 tuple, NAT, Routing, VPN, IP, HA, sessions, other stateful features, SSL
• IPS (including Impact flags)
• Malware (network, retrospective)
• Connection Events (optional)
• URL categories
• Rule ids
• Sinkhole Metadata

IBM QRadar Firepower App
• Firepower App – November
• Dashboard with 6 components: Intrusion Events by Impact; Indicators of Compromise; Malware Sources; Malware Recipients; Malware hashes

Firepower App for QRadar
• Shows hosts that are known to be compromised
• Shows hosts that are potentially compromised
• Malware observed most often on my network
• Which hosts on my network have sent the most malware
• Intrusion events by ‘Impact’, or likelihood of an attack impacting the targeted system

Cisco eStreamer app for Splunk

LiveAction

Deployment Designs

Use Case: Internet Edge Firewall (ISP -> Internet Edge firewall pair in HA, ROUTED mode, DMZ network)
Service Provider Connectivity and Availability Requirements:
• High Availability
• Firewall should support Routed or Transparent Mode
Routing Requirements:
• Static and BGP Routing
• Dynamic NAT/PAT and Static NAT
Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption
Authentication Requirements:
• User authentication and device identity
Solution - Security Application: Firepower