Introduction To Firepower Services
Omar Santos
os@cisco.com
Cisco Product Security Incident Response Team (PSIRT)
Security Research & Operations
Agenda
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Firepower or FirePOWER?
Integrated Threat Defense Across the Attack Continuum
[Figure: Attack Continuum, with capabilities placed along it: Firewall/VPN, NGIPS, Advanced Malware Protection, IoCs/Incident Response; Modern Threat Control and Web Security]
Cisco NGFW Platforms
• ASA with FirePOWER Services on ASA 5500-X and 5585-X
• Firepower Threat Defense for ASA 5500-X
• Firepower 4100 Series and Firepower 9300
Cisco Firepower 9300
High-speed, scalable, multiservice security; modular, carrier class
ASA (L2-L4)
• L2-L4 Stateful Firewall
• Scalable CGNAT, ACL, routing
[Figure: Firepower Management Center (FMC)* providing continuous Firewall, URL, Visibility and Threats features]
* Also manages Firepower Appliances and FirePOWER Services (not ASA Software)
Software Support – Physical Platforms
[Figure: software per physical platform: ASA with FirePOWER Services; Firepower Threat Defense; Firepower NGIPS]
Software Support - Virtual Platforms
Firepower 6.x on ASA – Upgrade vs Migrate
Choose Firepower Services or unified Threat Defense Software
[Figure: starting point FirePOWER Services 5.4 on ASA 9.5.x. Upgrade path: FirePOWER Services 6.x (Version Required: ASA 9.5.x+*). Re-Image** path: Firepower Threat Defense 6.x.]
* Firepower Services 6.x compatible ASA
** All shipping ASA 5500-X supported, except 5585-X and 5505
Firepower Threat Defense for VMware
[Figure: ASAv 9.x (Migrate) and NGIPSv 5.4 (Upgrade) to Firepower Threat Defense]
FTD Deployment Options
ASA with FirePOWER Services: FirePOWER Services 6.0 on ASA 9.5.x; ASA 5500X (all models)
Firepower Threat Defense (Unified Software Image): Firepower Threat Defense 6.x; ASA 5500X / New Models
Firepower NGIPS Appliances: 7000/7100/8000/Virtual; vSphere / AWS
All Managed by Firepower Management Center 6
Cisco Firepower Threat Defense for ISR
ISR 4000 Series + UCS-E Series, or ISR G2 Series + AppX + Security License, running Firepower Threat Defense
Security Intelligence: Unparalleled knowledge about the Internet
+ AMP Integration: Sandbox dynamic analysis, locally and in the cloud
Summary of Capabilities in Firepower 6
Threat Innovation:
• DNS Inspection and Sinkholing
• URL-based Security Intelligence
• SSL Decryption
• ThreatGRID Analysis
• Captive Portal: Active Authentication and Guest support
Enterprise Management:
• Domains with Role-Based Access Rules
• Policy Hierarchy with Inheritance
Unified Image:
• Unified ASA and Firepower
• Unified ASA and Firepower Objects
• Transparent and Routed Deployment
Integrated SSL Decryption
• Multiple Deployment modes
  • Passive Inbound (known keys)
  • Inbound Inline (with or without keys)
  • Outbound Inline (without keys)
• Flexible SSL support for HTTPS & StartTLS based apps
  • E.g. SMTPS, POP3S, FTPS, IMAPS, TelnetS
• Decrypt by URL category and other attributes
• Centralized enforcement of SSL certificate policies
  • e.g. blocking self-signed encrypted traffic, SSL versions, specific cipher suites, unapproved mobile devices
URL-Based Security Intelligence
• Extension of IP-based SI
DNS Sinkhole
[Figure: the endpoint's DNS query passes through the NGFW; the lookup for the malicious CnC site is answered with the sinkhole address instead, and the connection to the malicious site on the Internet is blocked (X)]
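The DNS sinkhole mechanism above, as an added Python example that is not from the Cisco deck: a small DNS policy that whitelists or sinkholes domains (the rule names, the sinkhole address 10.99.99.99 and the flow-log lines are constructed sample data), plus a check that lists which endpoints later connected to the sinkhole address, which is how sinkholing turns a blocked CnC lookup into an indicator of an infected host.

```python
"""Added example (not from the Cisco deck): a minimal model of DNS
sinkholing.  A DNS policy lists domains to whitelist or to sinkhole;
queries for sinkholed domains get the sinkhole address instead of the
real CnC address, and any later connection to the sinkhole address
identifies the infected endpoint.  All names, addresses and log lines
are constructed sample data."""
import ipaddress
from dataclasses import dataclass

SINKHOLE_IP = "10.99.99.99"  # constructed sinkhole address


@dataclass(frozen=True)
class DnsRule:
    domain: str   # matches the name itself and every subdomain
    action: str   # "whitelist" or "sinkhole"


# Constructed policy: the most specific matching rule decides, so a
# whitelisted subdomain escapes a sinkhole rule on its parent domain.
DNS_POLICY = [
    DnsRule("cdn.example.com", "whitelist"),
    DnsRule("example.com", "sinkhole"),
    DnsRule("evil-cnc.test", "sinkhole"),
]


def _matches(rule_domain: str, qname: str) -> bool:
    q = qname.rstrip(".").lower()  # tolerate a trailing dot (FQDN form)
    return q == rule_domain or q.endswith("." + rule_domain)


def resolve(qname: str, real_answer: str) -> tuple[str, str]:
    """Apply the DNS policy to one query.
    Returns (verdict, answer); verdict is 'allow', 'whitelist' or 'sinkhole'."""
    matching = [r for r in DNS_POLICY if _matches(r.domain, qname)]
    if not matching:
        return "allow", real_answer
    best = max(matching, key=lambda r: len(r.domain))  # longest match wins
    if best.action == "whitelist":
        return "whitelist", real_answer
    return "sinkhole", SINKHOLE_IP


def sinkhole_hits(flow_log: list[str]) -> set[str]:
    """Return the source hosts that connected to the sinkhole address.
    Each constructed log line has the form 'src_ip dst_ip dst_port'."""
    hits = set()
    for line in flow_log:
        src, dst, _port = line.split()
        if ipaddress.ip_address(dst) == ipaddress.ip_address(SINKHOLE_IP):
            hits.add(src)
    return hits
```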
OpenAppID Integration
Open source application-focused detection language that enables users to create, share and implement custom application detection.
• What is OpenAppID?
  • Open source app-focused detection language
  • Simple Language
Captive Portal / Active Authentication
Management Platform Options
Firepower Management Center 6.x: Overview
• Unified policy management for Firepower appliances and Firepower Threat Defense
[Figure: FMC multi-domain: Global Policies and Global Objects shared across domains such as USA, JAPAN and UK]
[Figure: Defense Orchestrator functions: Device onboarding (import from offline, discover direct from device); Policy change management; Policy modeling, analysis and optimization; Policy monitoring and reporting; Scalable orchestration of changes; Security policy management]
Onboard Security Devices Easily in One of Two Ways
[Figure: Cisco® Defense Orchestrator connected to the Customer Network through a Secure Data Connector]
Security Policy Management
Defense Orchestrator helps you manage your security policy holistically
Device Onboarding
Effectively Analyze Policies and Objects Across Your Entire Infrastructure
Optimize your firewall by correcting duplicates
[Screenshot: Policies view; quickly see duplicate objects (Duplicate Object 1, Inconsistent Object 1); actions: Rename Policy, Edit Policy, Unused]
Effectively Analyze Policies and Objects Across Your Entire Infrastructure
Address inconsistencies
[Screenshot: Policies view; quickly see duplicate and inconsistent policies (Duplicate Policy vs Policy 2, objects 1, 2, 3 on both; Inconsistent Policy, objects 1, 2, 3 vs 1, 2, 3b); actions: Rename Policy, Edit Policy, Unused]
Effectively Analyze Policies and Objects Across Your Entire Infrastructure
Remove unused policies to instantly improve your security posture
[Screenshot: Policies view; quickly see duplicate, inconsistent and unused policies (Duplicate Policy vs Policy 1, objects 1, 2, 3 on both; Inconsistent Policy, objects 1, 2, 3 vs 1, 2, 3b); actions: Delete Policy, Edit Policy, Unused]
Defense Orchestrator Device Support (For your reference)
Product | ASA software version | FirePOWER Services on ASA software version | Firepower Threat Defense software version
FTD Deployment Modes
Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains – Firewall is the Router and Gateway for local hosts.
[Figure: routed-mode firewall with NAT between 10.1.1.0/24 (firewall interface 10.1.1.1, DRP) and 192.168.1.0/24 (firewall interface 192.168.1.1); local host IP 192.168.1.100, GW 192.168.1.1]
Firewall Design: Modes of Operation
[Figure: firewall interface 192.168.1.1]
NGIPS Deployment Modes
• Next Generation IPS / IDS modes:
  • Inline (interface pairing) – IPS
  • Inline Tap (external TAP, IDS only)
  • Passive (SPAN, IDS only)
You can mix and match on same hardware to maximize value and visibility
Mix and Match Interface Modes
[Figure: one device combining Routed or Transparent interfaces, a Passive interface, an Inline Set with Inline Pair 1 and Inline Pair 2, and an Inline Tap, all governed by Policy Tables]
BRKSEC-2020 40
FTD Security Zones
• True zone based firewall
Firepower Threat Defense High Availability
• Active/Standby only
• Stateful failover mode only
• Primary’s policies are synchronized to Secondary’s
• Two nodes connected by one or two dedicated connections called “failover links”
• Management interface on each unit has/maintains a distinct management IP address
• Config/Policy updates are sent to the current active node by FMC
• On the Firepower 9300 platforms, failover is only supported:
  • across blades in different chassis
  • in non-cluster mode
  • with matching interfaces on separate blades
[Figure: FMC managing an Active FTD and a Standby FTD joined by failover links]
Policies
NGFW Policy Types in FTD
Policy Type: Function
Access Control: Specify, inspect and log network traffic
Intrusion: Inspect traffic for security violations (including block or alter)
Malware & File: Detect and inspect files for malware (including block)
SSL: Inspect encrypted traffic (including decrypt and block)
DNS: Controls whitelisting or blacklisting of traffic based on domain
Identity: Collect identity information via captive portal
Prefilter: Early handling of traffic based on L1-L4 criteria
Access Control Policy Overview
• Controls what and how traffic is allowed, blocked, inspected and logged
• Complex policies can contain multiple rules, inherit settings from other access control policies and specify other policy types that should be used for inspection
Access Control Policy
[Screenshot: rule action that displays a block page over HTTP]
Access Control Policy – The Big Picture
The glue that ties everything together
Inspection Options