Introduction To Firepower Services


Introduction to Firepower Services
Omar Santos
os@cisco.com
Cisco Product Security Incident Response Team (PSIRT)
Security Research & Operations
Agenda

•  Introduction to Firepower Next Generation Security


•  Deployment Options
•  Management Options
•  Deployment Modes
•  Introduction to Access Policies

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Firepower or FirePOWER?

Integrated Threat Defense Across the Attack Continuum

Figure: the attack continuum, with the Firepower capability that applies at each stage.

BEFORE (Control, Enforce, Harden): Firewall/VPN; Granular App Control; Modern Threat Control
DURING (Detect, Block, Defend): NGIPS; Security Intelligence; Web Security
AFTER (Scope, Contain, Remediate): Advanced Malware Protection; Retrospective Security; IoCs/Incident Response

Visibility and Automation span all three stages.
Cisco ASA and Firepower NGFWs

World’s most widely deployed, enterprise-class, ASA stateful firewall. Cisco® Collective Security Intelligence Enabled.

Figure: NGFW capability stack.
•  Clustering and High Availability
•  Advanced Intrusion Prevention (Subscription)
•  Advanced Malware Protection (Subscription)
•  Granular Application Visibility and Control (AVC)
•  URL Filtering (Subscription)
•  FMC and CDO Analytics and Automation
•  Network Firewall, Routing | Switching
•  Built-in Network Profiling
•  Identity-Policy Control and VPN
•  Industry-leading Firepower next-generation IPS (NGIPS)
•  Reputation- and category-based URL filtering
•  Advanced malware protection
Cisco NGFW Platforms

•  Firepower Threat Defense for ASA 5500-X: 250 Mb -> 1.75 Gb (Max AVC throughput)
•  FirePOWER Services on ASA 5500-X and 5585-X: 4.5 Gb -> 15 Gb (Max AVC throughput)
•  Firepower 4100 Series and Firepower 9300: 41xx = 12 Gb -> 25 Gb; 93xx = 25 Gb -> 100Gb

NGFW capabilities all managed by Firepower Management Center
Firepower 4100 Series
Four high-performance models

Performance and Density
•  10-Gbps and 40-Gbps interfaces
•  Up to 80-Gbps throughput
•  1-rack-unit (RU) form factor
•  Low latency

Multiservice Security Optimization
•  Integrated inspection engines for FW, NGIPS, Application Visibility and Control (AVC), URL, Cisco Advanced Malware Protection (AMP)
•  Radware DefensePro DDoS
•  ASA and other future third party

Unified Management
•  Single management interface with Firepower Threat Defense
•  Unified policy with inheritance
•  Choice of management deployment options
Cisco Firepower 9300
High-speed, scalable security

Modular
Benefits
•  Standards and interoperability
•  Flexible architecture
Features
•  Template-driven security
•  Secure containerization for customer apps
•  RESTful/JSON API
•  Third-party orchestration and management

Multiservice Security
Benefits
•  Integration of best-in-class security
•  Dynamic service stitching
Features*
•  Cisco® ASA container
•  Cisco Firepower™ Threat Defense containers: NGIPS, AMP, URL, AVC
•  Third-party containers: Radware DDoS
•  Other ecosystem partners

Carrier Class
Benefits
•  Industry-leading performance: 600% higher performance, 30% higher port density
Features
•  Compact, 3RU form factor
•  10-Gbps/40-Gbps I/O; 100-Gbps ready
•  Terabit backplane
•  Low latency, intelligent fast path
•  Network Equipment-Building System (NEBS) ready
Firepower Threat Defense (FTD) Software

Figure: the two code bases that converge into Firepower Threat Defense.

Firepower (L7)
•  Threat-Centric NGIPS
•  AVC, URL Filtering for NGFW
•  Advanced Malware Protection

ASA (L2-L4)
•  L2-L4 Stateful Firewall
•  Scalable CGNAT, ACL, routing
•  Application inspection

Firepower Threat Defense: Full Feature Set, Single Converged OS, Continuous Feature Migration (Firewall, URL, Visibility, Threats)

Managed by Firepower Management Center (FMC)*
* Also manages Firepower Appliances and FirePOWER Services (not ASA Software)
Software Support – Physical Platforms

Platform                           ASA   ASA with FirePOWER Services   Firepower NGIPS   Firepower Threat Defense
ASA 5506X -> 5555X (all models)    ✓     ✓                                               ✓
ASA 5585 (With SSP blade)          ✓     ✓
Firepower 4100 (all models)        ✓                                                     ✓
Firepower 9300 (all models)        ✓                                                     ✓
Firepower 7000                                                         ✓
Firepower 8000                                                         ✓
Software Support - Virtual Platforms

Platform                                    ASA   Firepower NGIPS   Firepower Threat Defense
ASAv (vSphere, AWS, Azure, Hyper-V, KVM)    ✓
Firepower NGIPSv (vSphere + ISR UCSE)             ✓
Firepower NGFWv (vSphere, AWS, KVM)                                 ✓
Firepower 6.x on ASA – Upgrade vs Migrate
Choose Firepower Services or unified Threat Defense Software

Figure: Firepower Software on ASA Platforms. Starting point: FirePOWER Services 5.4 on ASA 9.5.x.
•  Upgrade -> FirePOWER Services 6.x (version required: ASA 9.5.x+*, FirePOWER Services 6.x)
•  Re-Image** -> Firepower Threat Defense 6.x

* Firepower Services 6.x compatible ASA
** All shipping ASA 5500-X supported, except 5585-X and 5505
Firepower Threat Defense for VMware

Figure: virtual platform paths.
•  Upgrade: ASAv 9.x -> ASAv 9.x+
•  Upgrade: Firepower NGIPSv 5.4 -> Firepower NGIPSv 6.0
•  Migrate to Firepower Threat Defense Virtual 6.x
FTD Deployment Options

•  Firepower NGIPS Appliances: 7000/7100/8000/Virtual
•  ASA with Firepower Services: FirePOWER Services 6.0 on ASA 9.5.x, ASA 5500X (all models)
•  Firepower Threat Defense (Unified Software Image): Firepower Threat Defense 6.x on ASA 5500X / New Models, vSphere / AWS

Note: 5585 cannot run the FTD Image!

All Managed by Firepower Management Center 6
Cisco Firepower Threat Defense for ISR

Figure: Firepower Threat Defense on the UCS-E Series module, hosted in an ISR 4000 Series or ISR G2 Series router (AppX + Security License).

•  Free Up Valuable Square Footage
•  Generate More Revenue $$$
Next Generation Feature Overview

•  URL & DNS Protection: IoCs and sink-holing malicious domains
•  Cisco Application Visibility and Control (AVC) with OpenAppID: custom and open source application detections
•  Snort: IDS and much more
•  Security Intelligence: unparalleled knowledge about the Internet
•  AMP Integration: sandbox dynamic analysis, locally and in the cloud
Summary of Capabilities in Firepower 6

Threat Innovation (common across Firepower platforms)
•  DNS Inspection and Sinkholing
•  URL-based Security Intelligence
•  SSL Decryption
•  ThreatGRID Analysis
•  OpenAppID
•  Captive Portal / Active Auth
•  File Property Analysis with Local Malware Checks
•  ISE Identity

Enterprise Management (common across Firepower platforms)
•  Domains with Role-Based Access Control
•  Policy Hierarchy with Inheritance

Unified Image (Threat Defense only)
•  Unified ASA and Firepower Access Rules
•  Unified ASA and Firepower Objects
•  Transparent and Routed Deployment
•  ASA NAT (Policy & Static)
•  ASA Routing: RIP, OSPF, BGP, Static (no EIGRP or Multicast)
•  ASA SYN Cookies / Anti-Spoofing
Key Firepower 6.x Capabilities

Flexible Deployment
•  Multi-Domain Management: separated event data, reports and network maps, with RBAC (figure: SOC operators managing Customer / Network 1, 2 and 3 as separate domains)

Integrated Protection
•  SSL Decryption: threat detection inside SSL encrypted traffic
•  Advanced Access Control with ISE device profiling and Security Group Tags
•  Captive Portal: active authentication and guest support
Integrated SSL Decryption
•  Multiple deployment modes
  •  Passive Inbound (known keys)
  •  Inbound Inline (with or without keys)
  •  Outbound Inline (without keys)
•  Flexible SSL support for HTTPS & StartTLS based apps
  •  E.g. SMTPS, POP3S, FTPS, IMAPS, TelnetS
•  Decrypt by URL category and other attributes
•  Centralized enforcement of SSL certificate policies
  •  E.g. blocking self-signed encrypted traffic, SSL version, specific cipher suites, unapproved mobile devices
URL-Based Security Intelligence
•  Extension of IP-based SI
•  TALOS dynamic feed, 3rd party feeds and lists
•  Multiple categories: Malware, Phishing, CnC, …
•  Multiple Actions: Allow, Monitor, Block, Interactive Block
•  Policy configured via Access Rules or black-list
•  IoC tags for CnC and Malware URLs
•  New Dashboard widget for URL SI
•  Black/White-list URL with one click

Figure: URL-SI Categories (screenshot)
DNS Inspection
•  Security Intelligence support for domains
•  Addresses challenges with fast-flux domains
•  Cisco provided and user defined DNS lists: CnC, Spam, Malware, Phishing
•  Multiple Actions: Block, Domain Not Found, Sinkhole, Monitor
•  Indications of Compromise extended with DNS Security Intelligence
•  New Dashboard widget for DNS SI

Figure: DNS List Action (screenshot)
DNS Sinkhole

Figure: an endpoint behind the NGFW queries DNS for a CnC domain; the NGFW answers with the sinkhole address instead, so the connection to the malicious site on the Internet is never made (X).
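The four DNS Security Intelligence actions listed on the DNS Inspection slide (Block, Domain Not Found, Sinkhole, Monitor) and the sinkhole flow in the figure above, worked through as an added example. This is not code from the presentation or from Cisco; it is a minimal Python responder that parses a DNS query, matches the name (or any parent domain, which is what defeats fast-flux hostnames) against constructed domain lists, and synthesizes the answer each action calls for. The list contents, the per-list action mapping, the sinkhole address 192.0.2.53 and the flow records are all constructed placeholders. `compromised_hosts` shows the IoC side: whichever internal host later connects to the sinkhole address is the one that acted on the poisoned answer.

```python
import struct

# Constructed Security Intelligence lists (category -> domains). The names are
# placeholders under reserved TLDs, not real indicators.
DNS_LISTS = {
    "CnC":      {"beacon.c2.example"},
    "Malware":  {"dropper.example"},
    "Phishing": {"login.phish.example"},
    "Spam":     {"bulk.spam.example"},
}

# One of the four DNS policy actions from the slide, per list (constructed mapping).
LIST_ACTIONS = {
    "CnC":      "Sinkhole",          # answer with the sinkhole address
    "Malware":  "Domain Not Found",  # answer NXDOMAIN
    "Phishing": "Block",             # drop the query, no answer at all
    "Spam":     "Monitor",           # let the real answer through, log the hit
}

SINKHOLE_IP = "192.0.2.53"  # assumed internal sinkhole address (TEST-NET-1)


def parse_name(data, offset):
    """Decode an uncompressed DNS name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_query(packet):
    """Return (txid, qname, qtype) from a single-question DNS message."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = parse_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, qname, qtype


def build_query(qname, txid=0x1234):
    """Constructed client query (standard recursive A lookup) for testing."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)


def match_list(qname):
    """Return the list category hit by qname or any parent domain, else None.
    Suffix matching is what makes a domain list effective against fast-flux
    hostnames: listing the apex catches every rotating subdomain beneath it."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for category, domains in DNS_LISTS.items():
            if candidate in domains:
                return category
    return None


def build_response(query, rcode=0, answer_ip=None):
    """Echo the question with QR/RA set, the given rcode and an optional A record."""
    txid = struct.unpack("!H", query[:2])[0]
    _, off = parse_name(query, 12)
    question = query[12:off + 4]
    flags = 0x8180 | rcode            # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    answer = b""
    if answer_ip:
        # compression pointer to the question name (offset 12), type A, class IN, TTL 60, 4-byte rdata
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(int(o) for o in answer_ip.split("."))
    return header + question + answer


def handle_query(packet):
    """Apply the DNS SI policy to one query; return the decision and any synthesized answer."""
    _txid, qname, _qtype = parse_query(packet)
    category = match_list(qname)
    action = LIST_ACTIONS[category] if category else "Allow"
    response = None
    if action == "Sinkhole":
        response = build_response(packet, answer_ip=SINKHOLE_IP)
    elif action == "Domain Not Found":
        response = build_response(packet, rcode=3)   # NXDOMAIN
    # Block: the query is dropped. Monitor/Allow: forwarded to the real resolver.
    return {"qname": qname, "category": category, "action": action,
            "forward": action in ("Allow", "Monitor"), "response": response}


def compromised_hosts(flows):
    """Sinkhole IoC: a host that connects to the sinkhole address acted on a poisoned
    answer for a CnC name, so it is flagged as a probable infection."""
    return sorted({f["src"] for f in flows if f["dst"] == SINKHOLE_IP})


# Constructed connection records, as a flow log would show them after the DNS answer.
SAMPLE_FLOWS = [
    {"src": "10.1.1.20", "dst": SINKHOLE_IP, "dport": 443},
    {"src": "10.1.1.21", "dst": "198.51.100.7", "dport": 443},
]
```

The Sinkhole action is what gives the defender attribution: Domain Not Found or Block stops the connection but tells you nothing about which host asked, whereas a sinkhole answer turns every infected endpoint into a connection record on an address you control.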
OpenAppID Integration
Open source application-focused detection language that enables users to create, share and implement custom application detection.

•  What is OpenAppID?
  •  Open source app-focused detection language
  •  > 2500 detectors contributed by Cisco
  •  > 20,000 downloads of the detection pack since last September
  •  Snort-community supported
  •  Simple language
  •  Reduced dependency on vendor release cycles
  •  Written using the Lua scripting language
Captive Portal / Active Authentication

•  Enforces authentication through the appliance
•  Multiple authentication modes (Passive, Active, Passive with Active Fallback)
•  Various supported authentication types (e.g. Basic, NTLM, Advanced, Form)
•  Guest / non-Windows device authentication support
•  Multi-realm support

Method           Source                                        LDAP/AD       Authoritative?
Active           Forced authentication through device          LDAP and AD   yes
Passive          Identity and IP mapping from AD Agent         AD            yes
User Discovery   Username scraped from traffic, passive        LDAP and AD   no
                 from the wire
ISE Integration

•  Receive identity data from pxGrid / ISE
•  Receive device-type/network Security Group Tags from pxGrid / ISE
•  Ability to exert control based on the above in rules
  •  i.e. block HR users from using personal iPads
•  Reduces ACL size and complexity
Management Platform Options
Firepower Management Center 6.x: Overview

•  Single manager for Firepower Threat Defense

•  Can also manage Firepower appliance and “Services” deployments

•  Unified policy management for Firepower appliances and Firepower Threat Defense

Multi-domain Management

Figure: a three-level domain hierarchy. Level 1 is Global (Global Policies, Global Objects, Global Analytics); level 2 holds the USA, JAPAN and UK domains, each with its own Policies, Objects and Analytics; level 3 splits UK into UK/London and UK/Oxford.

Supports up to 50 domains and 3 levels
Available for all platforms running 6.0
Cisco Defense Orchestrator:
Security Policy Management Simplified

Figure: Defense Orchestrator functions.
•  Security policy management: policy change management; policy modeling, analysis and optimization; policy monitoring and reporting; scalable orchestration of changes
•  Device onboarding: import from offline; discover direct from device
•  Reports, simple search, notifications
Onboard Security Devices Easily in One of Two Ways

Get started through a simple interface; choose between cloud or on-premises connection.

Figure: Cisco® Defense Orchestrator connecting to a customer network.
1  Connect directly through the cloud
2  Set up a secure connection within your data center (Secure Data Connector)
Security Policy Management
Defense Orchestrator helps you manage your security policy holistically

•  Change Management: Get visibility to change impact across affected security services and devices
•  Auditing: Gain policy awareness and identify issues
•  Monitoring: Track policy implementation and activity across all impacted security services and devices
•  Optimization: Adjust security policy rulesets to optimize performance

Figure: Cisco Defense Orchestrator components: Change Impact Modeling; Object & Policy Analysis; Device Onboarding (Import From Offline, Discover Direct From Device); Security Policy Management; Reports; OOB Notifications.
Effectively Analyze Policies and Objects Across Your Entire Infrastructure

•  Optimize your firewall by correcting duplicates: quickly see duplicate objects (figure: Policies / Objects view flagging Duplicate Object 1, Object 1 and Inconsistent Object 1, with Rename Policy and Edit Policy actions)
•  Address inconsistencies: quickly see inconsistent policies (figure: Duplicate Policies view flagging Duplicate Policy 1 and Inconsistent Policy 1, with Rename Policy and Edit Policy actions)
•  Remove unused policies to instantly improve your security posture: quickly see unused policies (figure: Unused Policies view, with Delete Policy and Edit Policy actions)
Defense Orchestrator Device Support (for your reference)

Product                                        ASA software version   FirePOWER Services on ASA software version   Firepower Threat Defense software version
ASA 5505, 5510, 5520, 5540, 5550               8.4 and later          NA                                           NA
ASA 5506-X, ASA 5508-X, ASA 5516-X             9.2.2 and later        5.4.1 or later                               6.1.x and later
ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X     9.2.2 and later        6.0.0 or later                               6.1.x and later
ASA 5585-10, 5585-20, 5585-40, 5585-60         9.2.2 and later        NA                                           NA
Firepower 4110, 4120, 4140, 4150               9.6.x and later        NA                                           6.1.x and later
Firepower 9300                                 9.6.x and later        NA                                           6.1.x and later
FTD Deployment Modes
Firewall Design: Modes of Operation

•  Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains – the firewall is the router and gateway for local hosts.
•  Transparent Mode is where the firewall acts as a bridge functioning at L2.
  •  Transparent mode firewall offers some unique benefits in the DC.
  •  Transparent deployment is tightly integrated with our ‘best practice’ data center designs.
•  Note:
  •  No multiple context mode available on FTD today.
  •  Routed or transparent mode configured with setup dialog.
  •  Changing between these modes requires re-registering with FMC.
  •  Policies will be re-deployed.

Figure (routed mode): the firewall holds 10.1.1.1 on the 10.1.1.0/24 side and 192.168.1.1 on the 192.168.1.0/24 side; NAT and DRP are shown on the firewall, and the host 192.168.1.100 uses 192.168.1.1 as its gateway.
Figure (transparent mode): the firewall bridges VLAN192 and VLAN1920 within the single subnet 192.168.1.0/24; the host 192.168.1.100 still uses the upstream router 192.168.1.1 as its gateway.
NGIPS Deployment Modes

•  Next Generation IPS / IDS modes:
  •  Inline (interface pairing) – IPS
  •  Inline Tap (external TAP, IDS only)
  •  Passive (SPAN, IDS only)

You can mix and match on the same hardware to maximize value and visibility
Mix and Match Interface Modes

Figure: one device with interfaces in several modes at once – Routed or Transparent interfaces, Passive, Inline Set (Inline Pair 1, Inline Pair 2) and Inline Tap – all feeding the same policy tables.

BRKSEC-2020 40
FTD Security Zones
•  True zone based firewall

•  Security Zones are collections of interfaces or sub-interfaces

•  Policy rules can apply to source and/or destination security zones

•  Security levels are not used

Firepower Threat Defense High Availability
•  Active/Standby only
•  Stateful failover mode only
•  Primary’s policies are synchronized to Secondary’s
•  Two nodes connected by one or two dedicated connections called “failover links”
•  Management interface on each unit has/maintains a distinct management IP address
•  Config/Policy updates are sent to the current active node by FMC
•  On the Firepower 9300 platforms, failover is only supported:
  •  across blades in different chassis
  •  in non-cluster mode
  •  with matching interfaces on separate blades

Figure: FMC managing an FTD Active / FTD Standby pair.
Policies
NGFW Policy Types in FTD

Policy Type      Function
Access Control   Specify, inspect and log network traffic
Intrusion        Inspect traffic for security violations (including block or alert)
Malware & File   Detect and inspect files for malware (including block)
SSL              Inspect encrypted traffic (including decrypt and block)
DNS              Controls whitelisting or blacklisting of traffic based on domain
Identity         Collect identity information via captive portal
Prefilter        Early handling of traffic based on L1-L4 criteria
Access Control Policy Overview
•  Controls what and how traffic is allowed, blocked, inspected and logged
•  Simplest policy contains only a default action:
  •  Block All Traffic
  •  Trust All Traffic – Does not pass through Intrusion and Malware & File inspection
  •  Network Discovery – Discovers applications, users and devices on the network only
  •  Intrusion Prevention – Using a specific intrusion policy
•  Criteria can include zones, networks, VLAN tags, applications, ports, URLs and SGT/ISE attributes
•  The same Access Control Policy can be applied to one or more devices
•  Complex policies can contain multiple rules, inherit settings from other access control policies and specify other policy types that should be used for inspection
Access Control Policy

Figure: FMC access control policy editor (screenshots), with these callouts:
•  Monitor action: rules below are still processed
•  Interactive Block action: displays a block page over HTTP
•  Mandatory / Default rule sections: determine if a rule can be overridden by a child policy
•  Logging will increase the number of events the FMC must handle. Be sure to consider your logging requirements when sizing your FMC
Access Control Policy – The Big Picture
The glue that ties everything together

Figure: the Access Control Policy references a Prefilter Policy, SSL Policy, Identity Policy and DNS Policy; each Access Control Rule has criteria (to match), an action, and inspection options that point to an Intrusion Policy and a Malware & File Policy.
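The policy evaluation order described across the Access Control Policy slides (prefilter handling on L3/L4 criteria first, then rules in inheritance order, then the default action), worked through as an added example. This is not code from the presentation or from Cisco; it is a small Python model of the behaviour the slides describe: a Monitor rule logs and lets matching continue, Trust skips intrusion and file inspection, Allow and Interactive Block carry the inspection policies, and a parent policy's Mandatory section is evaluated before any child rule while its Default section is evaluated after them, which is what makes parent rules non-overridable. The policy, rule, zone and network names in `build_sample_policy` are constructed; the intrusion policy name is used only as a label.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Flow:                       # one connection as the engine sees it (constructed)
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int
    url_category: Optional[str] = None   # L7 attribute, not available to prefilter


@dataclass
class Rule:
    name: str
    action: str   # Allow, Trust, Monitor, Block, Interactive Block; prefilter: Fastpath, Block, Analyze
    src_zones: Set[str] = field(default_factory=set)
    dst_zones: Set[str] = field(default_factory=set)
    dst_networks: List[str] = field(default_factory=list)
    dst_ports: Set[int] = field(default_factory=set)
    url_categories: Set[str] = field(default_factory=set)
    intrusion_policy: Optional[str] = None
    file_policy: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        """Every configured criterion must match; an empty criterion matches anything."""
        return ((not self.src_zones or f.src_zone in self.src_zones)
                and (not self.dst_zones or f.dst_zone in self.dst_zones)
                and (not self.dst_networks
                     or any(ip_address(f.dst_ip) in ip_network(n) for n in self.dst_networks))
                and (not self.dst_ports or f.dst_port in self.dst_ports)
                and (not self.url_categories or f.url_category in self.url_categories))


@dataclass
class Decision:
    action: str
    stage: str                    # "prefilter", "rule" or "default"
    rule: Optional[str] = None
    intrusion_policy: Optional[str] = None
    file_policy: Optional[str] = None
    monitor_hits: List[str] = field(default_factory=list)   # Monitor rules log, never terminate


@dataclass
class AccessPolicy:
    name: str
    mandatory: List[Rule] = field(default_factory=list)   # children cannot override these
    default: List[Rule] = field(default_factory=list)     # evaluated after every child's rules
    default_action: str = "Block All Traffic"
    default_intrusion_policy: Optional[str] = None        # for the "Intrusion Prevention" default
    parent: Optional["AccessPolicy"] = None
    prefilter: List[Rule] = field(default_factory=list)

    def ordered_rules(self) -> List[Rule]:
        """Mandatory sections from the root down, then Default sections back up to the root."""
        chain, p = [], self
        while p is not None:
            chain.append(p)
            p = p.parent
        chain.reverse()
        return ([r for pol in chain for r in pol.mandatory]
                + [r for pol in reversed(chain) for r in pol.default])

    def evaluate(self, f: Flow) -> Decision:
        for r in self.prefilter:                        # early L3/L4 handling, no deep inspection
            if r.matches(f):
                if r.action in ("Fastpath", "Block"):
                    return Decision(r.action, "prefilter", r.name)
                break                                   # Analyze: hand over to access rules
        hits = []
        for r in self.ordered_rules():
            if not r.matches(f):
                continue
            if r.action == "Monitor":
                hits.append(r.name)                     # log and keep matching
                continue
            inspected = r.action in ("Allow", "Interactive Block")   # Trust/Block skip inspection
            return Decision(r.action, "rule", r.name,
                            r.intrusion_policy if inspected else None,
                            r.file_policy if inspected else None, hits)
        ips = self.default_intrusion_policy if self.default_action == "Intrusion Prevention" else None
        return Decision(self.default_action, "default", None, ips, None, hits)


def build_sample_policy() -> AccessPolicy:
    """Constructed parent/child pair; all names here are examples, not from the deck."""
    corporate = AccessPolicy(
        "Corporate",
        mandatory=[Rule("Block known-bad URL categories", "Block",
                        url_categories={"Malware", "Phishing"})],
        default=[Rule("Allow web with inspection", "Allow", dst_ports={80, 443},
                      intrusion_policy="Balanced Security and Connectivity",
                      file_policy="Block Malware")])
    return AccessPolicy(
        "Branch-A", parent=corporate,
        mandatory=[Rule("Watch SSH", "Monitor", dst_ports={22}),
                   Rule("Trust backup replication", "Trust", dst_networks=["10.9.0.0/16"])],
        prefilter=[Rule("Fastpath storage traffic", "Fastpath", dst_networks=["10.200.0.0/16"])])
```

Run `build_sample_policy().evaluate(Flow("inside", "outside", "10.1.1.20", "203.0.113.10", 443, "Malware"))` and the parent's Mandatory block wins even though the child has no matching rule of its own; send the same flow to port 22 in 10.9.0.0/16 and the Monitor hit is recorded before the Trust rule ends matching with no inspection attached.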